proxy support, saml support, licensing added

65a70884 · Grant Duncklee · 0a5adb12 · 65a70884 · 65a70884 · 65a70884
Commit 65a70884 authored Apr 29, 2021 by Grant Duncklee
9 changed files
--- a/README.md
+++ b/README.md
@@ -11,6 +11,8 @@ minimal changes.
 - Kubernetes Cluster deployed
 - Kubernetes config installed in ~/.kube/config
 - Helm installed
+- Keycloak (Optional - SSO)
+- Sonatype NXIQ License. Required for SAML integration

 ## Iron Bank

@@ -25,3 +27,23 @@ Please reference complete list of providable variables
 git clone https://repo1.dso.mil/platform-one/big-bang/apps/third-party/nexus-iq.git
 helm install nexus-iq chart
 ```
+
+## BigBang Additions, Comments, and Important Information
+### SAML/SSO Integration
+BigBang requires/prefers SAML/SSO integration out of the box, unfortunately, the upstream Helm chart did not have a
+solution at the drafting of this integration. To achieve our goal, we added a Kubernetes job that handles the SAML/SSO
+integration. To enable this functionality, ensure `sso.enabled` is set to `true`; you will additionally require a
+Keycloak instance, the IDP metadata file, along with the other parameters you may define in the `values.yaml`. Our
+implementation closely followed [Sonatype's API](https://help.sonatype.com/iqserver/automating/rest-apis/saml-rest-api---v2#SAMLRESTAPI-v2-ConfigureSAMLIntegration).
+
+### Default Admin Password
+Sonatype's API prevents the changing of a user's password via API. It was deemed more feature-breaking to introduce a
+viable workaround. Please change your admin password immediately.
+
+Sonatype is tracking this issue with an internal ticket.
+
+### License
+We expect you to secure your license; the license will be provided as a binary. Encode the binary file as a base64
+encoded string, secure with sops, and place in `.Values.addons.nexusRepositoryManager.license_key`. The `_helpers.tpl`
+will create a named template and generate the appropriate secret within the namespace. The chart will reference the
+license via a secret volumeMount to ensure the application starts licensed.
--- a/chart/templates/_helpers.tpl
+++ b/chart/templates/_helpers.tpl
@@ -52,6 +52,12 @@ app.kubernetes.io/name: {{ include "iqserver.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}

+{{- define "iq.licenseKey" -}}
+{{- if .Values.license_key }}
+sonatype-license.lic: {{ .Values.license_key }}
+{{- end }}
+{{- end -}}
+
 {{/*
 Create the name of the service account to use
 */}}

--- a/chart/templates/bigbang/configmap-sso.yaml
+++ b/chart/templates/bigbang/configmap-sso.yaml
+{{- if .Values.sso.enabled -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "iqserver.fullname" . }}-sso
+  labels:
+    {{- include "iqserver.labels" . | nindent 4 }}
+    {{- if .Values.iq.extraLabels }}
+      {{- with .Values.iq.extraLabels }}
+        {{ toYaml . | indent 4 }}
+      {{- end }}
+    {{- end }}
+data:
+  idpmetadata.xml: {{ .Values.sso.idp_metadata }}
+  sso_data: {{ .Values.sso.attributes | toJson | quote }}
+{{- end -}}
--- a/chart/templates/bigbang/license.yaml
+++ b/chart/templates/bigbang/license.yaml
+{{- if .Values.license_key }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "iqserver.fullname" . }}-license
+  labels:
+    {{- include "iqserver.labels" . | nindent 4 }}
+    {{- if .Values.iq.extraLabels }}
+      {{- with .Values.iq.extraLabels }}
+        {{ toYaml . | indent 4 }}
+      {{- end }}
+    {{- end }}
+data:
+{{ include "iq.licenseKey" . | indent 2 }}
+{{- end }}
--- a/chart/templates/bigbang/post-install-job.yaml
+++ b/chart/templates/bigbang/post-install-job.yaml
+{{- if and .Values.sso.enabled .Values.license_key }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    "helm.sh/hook": post-install
+  name: post-install
+spec:
+  template:
+    metadata:
+      creationTimestamp: null
+    spec:
+      activeDeadlineSeconds: 60
+      volumes:
+      {{- if .Values.sso.enabled }}
+        - name: idp
+          configMap:
+            name: {{ template "iqserver.fullname" . }}-sso
+            items:
+            - key: idpmetadata.xml
+              path: idpmetadata.xml
+      {{- end }}
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- if .Values.proxy }}
+      serviceAccountName: serviceaccount-post-install
+      {{- end }}
+      containers:
+      - image: "{{ .Values.job_image.repository }}:{{ .Values.job_image.tag }}"
+        imagePullPolicy: {{ .Values.job_image.pullPolicy }}
+        name: post-install
+        volumeMounts:
+          - mountPath: /tmp/
+            name: idp
+        command:
+          - sh
+        args:
+          - -c
+          - |-
+            BASE_URL="http://{{ template "iqserver.fullname" . }}.{{ template "iqserver.fullname" . }}-server.svc.cluster.local:{{ .Values.iq.applicationPort }}";
+            until curl --head localhost:15000; do echo "Waiting for Sidercar"; sleep 10; done; echo "Sidecar available";
+            while [ "$(curl -s "${BASE_URL}/rest/product/license")" == "No valid product license installed." ]; do echo "Waiting for License"; sleep 5; done;
+            curl -X PUT \
+                -u admin:admin123 \
+                "${BASE_URL}/api/v2/config/saml" \
+                -F identityProviderXml=@/tmp/idpmetadata.xml \
+                -F samlConfiguration='{{ .Values.sso.samlConfiguration | toJson }}';
+            curl -fsI -X POST http://localhost:15020/quitquitquit;
+            exit
+        resources: {}
+      restartPolicy: Never
+status: {}
+{{- end }}
--- a/chart/templates/bigbang/virtualservice.yaml
+++ b/chart/templates/bigbang/virtualservice.yaml
@@ -16,7 +16,7 @@ spec:
  gateways:
    - main.istio-system.svc.cluster.local
  hosts:
-    - "nexus-iq-server.{{ .Values.hostname }}"
+    - "{{ .Values.hostname }}.{{ .Values.domain }}"
  http:
    - route:
        - destination:

--- a/chart/templates/deployment.yaml
+++ b/chart/templates/deployment.yaml
@@ -47,10 +47,16 @@ spec:
            httpGet:
              path: /ping
              port: admin
+            failureThreshold: 5
+            initialDelaySeconds: 60
+            periodSeconds: 5
          readinessProbe:
            httpGet:
              path: /
              port: application
+            failureThreshold: 5
+            initialDelaySeconds: 60
+            periodSeconds: 5
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
          volumeMounts:
@@ -58,7 +64,7 @@ spec:
              name: nxiq-pv-data
            - mountPath: /etc/nexus-iq-server
              name: config-volume
-  {{- if .Values.iq.licenseSecret }}
+  {{- if .Values.license_key }}
            - mountPath: /etc/nexus-iq-license
              name: license-volume
  {{- end }}
@@ -72,7 +78,7 @@ spec:
            items:
              - key: config.yml
                path: config.yml
-  {{- if .Values.iq.licenseSecret }}
+  {{- if .Values.license_key }}
        - name: license-volume
          secret:
            secretName: {{ template "iqserver.fullname" . }}-license

--- a/chart/templates/tests/test-connection.yaml
+++ b/chart/templates/tests/test-connection.yaml
-apiVersion: v1
-kind: Pod
-metadata:
-  name: "{{ include "iqserver.fullname" . }}-test-connection"
-  labels:
-    {{- include "iqserver.labels" . | nindent 4 }}
-  annotations:
-    "helm.sh/hook": test-success
-spec:
-  containers:
-    - name: wget
-      image: busybox
-      command: ['wget']
-      args: ['{{ include "iqserver.fullname" . }}:{{ .Values.iq.applicationPort }}']
-  restartPolicy: Never
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -3,15 +3,40 @@
 # Declare variables to be passed into your templates.

 # Big Bang Additions
-hostname: bigbang.dev
+domain: bigbang.dev
+hostname: nexus-iq-server
+
 istio:
-  enabled: true
+  enabled: false
+
+license_key: ""
+
+sso:
+  enabled: false
+  idp_metadata: ''
+  samlConfiguration: {}
+  # samlConfiguration:
+  #   identityProviderName: My SSO
+  #   entityId: https://nexus-iq-server.example.com/api/v2/config/saml/metadata
+  #   firstNameAttributeName: firstName
+  #   lastNameAttributeName: lastName
+  #   emailAttributeName: email
+  #   usernameAttributeName: username
+  #   groupsAttributeName: groups
+  #   validateResponseSignature: true
+  #   validateAssertionSignature: true
+

 #namespaceOverride: nexus
 replicaCount: 1
 image:
  repository: registry1.dso.mil/ironbank/sonatype/nexus-iq-server/nexus-iq-server
-  tag: latest
+  tag: 1.107.0-01
+  pullPolicy: IfNotPresent
+
+job_image:
+  repository: registry1.dso.mil/ironbank/redhat/ubi/ubi8-minimal
+  tag: 8.3
  pullPolicy: IfNotPresent

 iq:
@@ -22,13 +47,18 @@ iq:
  memory: 1Gi
  # base 64 encoded license file with no line breaks
  licenseSecret: ""
-  # add this line with this file path and the `licenseSecret` above to autoconfigure licensing
-  # licenseFile: /etc/nexus-iq-license/license_lic
  extraLabels:
+  # enter appropriate proxy settings as required. NXIQ requires external access
+  # to validate the license
  env:
    - name: JAVA_OPTS
-      value: "-Djava.util.prefs.userRoot=${SONATYPE_WORK}/javaprefs"
-
+      value: |-
+        -Djava.util.prefs.userRoot=$${SONATYPE_WORK}/javaprefs
+   #    -Dhttp.proxyHost=proxyserver
+   #    -Dhttp.proxyPort=proxyport
+   #    -Dhttps.proxyHost=proxyserver
+   #    -Dhttps.proxyPort=proxyport
+   #    -Dhttp.nonProxyHosts=nonproxyhosts

 deploymentStrategy: Recreate
 imagePullSecrets: []
@@ -60,7 +90,7 @@ service:
  port: 80

 ingress:
-  enabled: true
+  enabled: false
  annotations: {kubernetes.io/ingress.class: nginx}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
@@ -112,7 +142,8 @@ persistence:

 # configYaml is the full text of the config.yml file that will be passed to IQ Server
 configYaml:
-  baseUrl: http://iq-server.demo
+  # licenseFile: /etc/nexus-iq-license/sonatype-license.lic
+  # baseUrl: http://iq-server.demo
  sonatypeWork: /sonatype-work
  server:
    applicationConnectors:
@@ -122,14 +153,14 @@ configYaml:
      - type: http
        port: 8071
    # HTTP request log settings.
-    requestLog: 
+    requestLog:
      appenders:
        #All appenders set to console
-        - type: console    
+        - type: console
          # Do not display log statements below this threshold to stdout.
          threshold: INFO
          logFormat: "%clientHost %l %user [%date] \"%requestURL\" %statusCode %bytesSent %elapsedTime \"%header{User-Agent}\""
-  
+
  createSampleData: true

  logging:
@@ -150,23 +181,23 @@ configYaml:
        appenders:
          #All appenders set to console
          - type: console
-    
+
            # Do not display log statements below this threshold to stdout.
            threshold: INFO

      "com.sonatype.insight.policy.violation":
        appenders:
          - type: console
-    
+
            # Do not display log statements below this threshold to stdout.
            threshold: INFO

    appenders:
-  
+
      # Settings for logging to stdout.
      - type: console
-    
+
        # Do not display log statements below this threshold to stdout.
        threshold: INFO
-      
+
        logFormat: "%d{'yyyy-MM-dd HH:mm:ss,SSSZ'} %level [%thread] %X{username} %logger - %msg%n"