From e79560612969511c20d8143c06835f32291a179b Mon Sep 17 00:00:00 2001 From: Steve Hipwell Date: Tue, 10 Sep 2024 12:40:59 +0100 Subject: [PATCH] feat(nexus3): Updated image to v3.72.0 (#1042) 
Signed-off-by: Steve Hipwell --- .helmdocsignore | 1 - charts/nexus3/CHANGELOG.md | 39 +- charts/nexus3/Chart.yaml | 53 ++- charts/nexus3/README.md | 272 +++++++------- charts/nexus3/ci/ci-values.yaml | 26 +- charts/nexus3/ci/kubeconform.yaml | 20 +- charts/nexus3/files/configure.sh | 297 --------------- charts/nexus3/files/repo.groovy | 40 --- .../nexus3/{files => scripts}/cleanup.groovy | 0 charts/nexus3/scripts/configure.sh | 254 +++++++++++++ charts/nexus3/{files => scripts}/task.groovy | 0 charts/nexus3/templates/NOTES.txt | 2 +- charts/nexus3/templates/_helpers.tpl | 121 +++++-- charts/nexus3/templates/_test/secret-cas.yaml | 2 + .../_test/secret-root-credentials.yaml | 6 +- .../templates/_test/test-connection.yaml | 18 +- .../nexus3/templates/_test/test-metrics.yaml | 18 +- .../templates/configmap-config-scripts.yaml | 15 + charts/nexus3/templates/configmap-config.yaml | 49 ++- .../nexus3/templates/configmap-logback.yaml | 85 ++++- .../templates/configmap-properties.yaml | 13 +- .../nexus3/templates/configmap-scripts.yaml | 51 +++ charts/nexus3/templates/deployment.yaml | 257 ------------- charts/nexus3/templates/ingress.yaml | 20 +- charts/nexus3/templates/job-config.yaml | 98 +++++ charts/nexus3/templates/pdb.yaml | 24 ++ charts/nexus3/templates/pvc.yaml | 26 -- charts/nexus3/templates/service-headless.yaml | 23 ++ charts/nexus3/templates/service.yaml | 5 +- charts/nexus3/templates/servicemonitor.yaml | 15 +- charts/nexus3/templates/statefulset.yaml | 339 +++++++++++++----- charts/nexus3/values.yaml | 337 ++++++++++++----- 32 files changed, 1455 insertions(+), 1071 deletions(-) delete mode 100644 charts/nexus3/files/configure.sh delete mode 100644 charts/nexus3/files/repo.groovy rename charts/nexus3/{files => scripts}/cleanup.groovy (100%) create mode 100644 charts/nexus3/scripts/configure.sh rename charts/nexus3/{files => scripts}/task.groovy (100%) create mode 100644 charts/nexus3/templates/configmap-config-scripts.yaml create mode 100644 
charts/nexus3/templates/configmap-scripts.yaml
delete mode 100644 charts/nexus3/templates/deployment.yaml
create mode 100644 charts/nexus3/templates/job-config.yaml
create mode 100644 charts/nexus3/templates/pdb.yaml
delete mode 100644 charts/nexus3/templates/pvc.yaml
create mode 100644 charts/nexus3/templates/service-headless.yaml
diff --git a/.helmdocsignore b/.helmdocsignore
index b07330f6..1fe83222 100644
--- a/.helmdocsignore
+++ b/.helmdocsignore
@@ -1,4 +1,3 @@
 confluence-server
 jira-software
-nexus3
 sonarqube
diff --git a/charts/nexus3/CHANGELOG.md b/charts/nexus3/CHANGELOG.md
index 86166751..1599c6de 100644
--- a/charts/nexus3/CHANGELOG.md
+++ b/charts/nexus3/CHANGELOG.md
@@ -14,9 +14,43 @@ ## [UNRELEASED]
-## [v4.45.1] - 2024-09-06
+## [v5.0.0] - 2024-09-10
+
+> [!WARNING]
+> The release contains multiple breaking changes including removing support for OrientDB, please pay attention to the removals section. If you were previously using OrientDB you need to make sure you follow the [upgrade guide](https://help.sonatype.com/en/upgrading-to-nexus-repository-3-71-0-and-beyond.html) before upgrading to this version.
+
+### Added
+
+- Added `Job` to configure _nexus3_ instead of a lifecycle script, this can be configured via the `config.job` value.
+- Added sidecar pods to tail all logs, these can be configured via the `tailLogs` value.
+- Added configuration for the Bash & JDK images via the `bashImage` & `jdkImage` values respectively.
+- Added support for setting image digests.
+- Added `install4jAddVmParams` to configure _Nexus3_ via env variables.
+- Added `replicas` value.
+- Added `updateStrategy`, `ordinals`, `podManagementPolicy` & `minReadySeconds` values to better configure the `StatefulSet`.
+- Added `startupProbe` value.
+- Added separate headless `Service`.
+- Added support for creating a `PodDisruptionBudget` via the `podDisruptionBudget` value.
+- Added support for `StatefulSet` volume cleanup options `retainDeleted` & `retainScaled` via the `persistence.retainDeleted` & `persistence.retainScaled` values respectively.
+
+### Changed
+
+- Updated the _Nexus3_ OCI image to [v3.72.0](https://github.com/sonatype/nexus-public/releases/tag/release-3.72.0-04).
+- Changed defaults for `podSecurityContext` & `securityContext`.
+- Changed defaults for `livenessProbe` & `readinessProbe` to align to the use of a `startupProbe`.
+- Increased the default `terminationGracePeriodSeconds` to `120`.
+- Change repository config to use the REST API, this means that the configuration structure should be modified to match the API spec (for example no more nesting under `attributes`). Passwords also no longer need a `PASSWORD` placeholder.
+
+### Removed
+
+- Removed support for running _Nexus3_ as a `Deployment` by removing the `deployment` value.
+- Removed support for beta `Ingress` versions.
+- Removed `envVars` value in favour of `install4jAddVmParams`.
+- Removed `highAvailability` value, Pro level features are now enabled by setting `licence.enabled` to `true`.
+- Removed `image.pullSecrets` value.
+- Removed `metrics.serviceMonitor.interval` value.
-### Addded
+## [v4.45.1] - 2024-09-06
 ### Changed
@@ -668,6 +702,7 @@ RELEASE LINKS -->
 [UNRELEASED]: https://github.com/stevehipwell/helm-charts/tree/main/charts/nexus3
+[v5.0.0]: https://github.com/stevehipwell/helm-charts/releases/tag/nexus3-4.45.0
 [v4.45.1]: https://github.com/stevehipwell/helm-charts/releases/tag/nexus3-4.45.1
 [v4.45.0]: https://github.com/stevehipwell/helm-charts/releases/tag/nexus3-4.45.0
 [v4.44.0]: https://github.com/stevehipwell/helm-charts/releases/tag/nexus3-4.44.0
diff --git a/charts/nexus3/Chart.yaml b/charts/nexus3/Chart.yaml
index 2370405c..555c14e2 100644
--- a/charts/nexus3/Chart.yaml
+++ b/charts/nexus3/Chart.yaml
@@ -2,9 +2,9 @@ apiVersion: v2
 name: nexus3
 description: Helm chart for Sonatype Nexus 3 OSS.
 type: application
-version: 4.45.1
-appVersion: 3.70.2
-home: https://www.sonatype.com/nexus-repository-oss
+version: 5.0.0
+appVersion: 3.72.0
+home: https://www.sonatype.com/products/sonatype-nexus-repository
 icon: https://raw.githubusercontent.com/stevehipwell/helm-charts/main/charts/nexus3/icon.png
 keywords:
 - artifacts
@@ -14,8 +14,8 @@ keywords:
 - nexus
 - repository
 sources:
+ - https://github.com/sonatype/nexus-public
 - https://github.com/sonatype/docker-nexus3
- - https://hub.docker.com/r/sonatype/nexus3
 - https://github.com/stevehipwell/helm-charts/
 maintainers:
 - name: stevehipwell
@@ -23,5 +23,48 @@ maintainers:
 annotations:
 artifacthub.io/alternativeName: nexus
 artifacthub.io/changes: |
+ - kind: added
+ description: "Added `Job` to configure _nexus3_ instead of a lifecycle script, this can be configured via the `config.job` value."
+ - kind: added
+ description: "Added sidecar pods to tail all logs, these can be configured via the `tailLogs` value."
+ - kind: added
+ description: "Added configuration for the Bash & JDK images via the `bashImage` & `jdkImage` values respectively."
+ - kind: added
+ description: "Added support for setting image digests."
+ - kind: added
+ description: "Added `install4jAddVmParams` to configure _Nexus3_ via env variables."
+ - kind: added
+ description: "Added `replicas` value."
+ - kind: added
+ description: "Added `updateStrategy`, `ordinals`, `podManagementPolicy` & `minReadySeconds` values to better configure the `StatefulSet`."
+ - kind: added
+ description: "Added `startupProbe` value."
+ - kind: added
+ description: "Added separate headless `Service`."
+ - kind: added
+ description: "Added support for creating a `PodDisruptionBudget` via the `podDisruptionBudget` value."
+ - kind: added
+ description: "Added support for `StatefulSet` volume cleanup options `retainDeleted` & `retainScaled` via the `persistence.retainDeleted` & `persistence.retainScaled` values respectively."
 - kind: changed
- description: "Updated the _Nexus3_ OCI image to v3.70.2"
+ description: "Updated the _Nexus3_ OCI image to [v3.72.0](https://github.com/sonatype/nexus-public/releases/tag/release-3.72.0-04)."
+ - kind: changed
+ description: "Changed defaults for `podSecurityContext` & `securityContext`."
+ - kind: changed
+ description: "Changed defaults for `livenessProbe` & `readinessProbe` to align to the use of a `startupProbe`."
+ - kind: changed
+ description: "Increased the default `terminationGracePeriodSeconds` to `120`."
+ - kind: changed
+ description: "Change repository config to use the REST API, this means that the configuration structure should be modified to match the API - kind: changed
+ description: spec (for example no more nesting under `attributes`). Passwords also no longer need a `PASSWORD` placeholder."
+ - kind: removed
+ description: "Removed support for running _Nexus3_ as a `Deployment` by removing the `deployment` value."
+ - kind: removed
+ description: "Removed support for beta `Ingress` versions."
+ - kind: removed
+ description: "Removed `envVars` value in favour of `install4jAddVmParams`."
+ - kind: removed
+ description: "Removed `highAvailability` value, Pro level features are now enabled by setting `licence.enabled` to `true`."
+ - kind: removed
+ description: "Removed `image.pullSecrets` value."
+ - kind: removed
+ description: "Removed `metrics.serviceMonitor.interval` value."
diff --git a/charts/nexus3/README.md b/charts/nexus3/README.md
index f1a67fc9..7096109b 100644
--- a/charts/nexus3/README.md
+++ b/charts/nexus3/README.md
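Review bot: The `artifacthub.io/changes` entry for the REST API repository config in this hunk looks malformed: the quoted description appears to end its first line with a stray `- kind: changed` and then continue on a second `description: spec (for example ...)` line, so Artifact Hub's parse of the annotation would either reject the entry or fold that stray text into the rendered change note. Helm itself will not flag this because `artifacthub.io/changes: |` is a literal block scalar and only Artifact Hub reads its contents as YAML. The entry should be a single `description:` line carrying the same sentence as the CHANGELOG.md bullet for this change ("Change repository config to use the REST API, this means that the configuration structure should be modified to match the API spec (for example no more nesting under `attributes`). Passwords also no longer need a `PASSWORD` placeholder."). The collapsed layout of this page makes the exact line split uncertain, so verify against the file; the hunk header's 48 new lines is one more than the other entries account for, which is consistent with an extra line here.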
@@ -1,140 +1,156 @@ -# Nexus 3 +# nexus3 -[Sonatype Nexus 3](https://www.sonatype.com/nexus-repository-oss) is The free artefact repository with universal format support. +![Version: 5.0.0](https://img.shields.io/badge/Version-5.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 3.72.0](https://img.shields.io/badge/AppVersion-3.72.0-informational?style=flat-square) + +Helm chart for Sonatype Nexus 3 OSS. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| stevehipwell | | | + +## Source Code + +* +* +* ## Installing the Chart -Before you can install the chart you will need to add the `stevehipwell` repo to [Helm](https://helm.sh/). +### OCI Repository + +To install the chart using the recommended OCI method you can use the following command. ```shell -helm repo add stevehipwell https://stevehipwell.github.io/helm-charts/ +helm upgrade --install nexus3 oci://ghcr.io/stevehipwell/helm-charts/nexus3 --version 5.0.0 +``` + +#### Verification + +As the OCI chart release is signed by [Cosign](https://github.com/sigstore/cosign) you can verify the chart before installing it by running the following command. + +```shell +cosign verify --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp 'https://github\.com/action-stars/helm-workflows/\.github/workflows/release\.yaml@.+' --certificate-github-workflow-repository stevehipwell/helm-charts --certificate-github-workflow-name Release ghcr.io/stevehipwell/helm-charts/nexus3:5.0.0 ``` -After you've installed the repo you can install the chart. +### Non-OCI Repository + +Alternatively you can use the legacy non-OCI method via the following commands. 
```shell -helm upgrade --install --namespace default --values ./my-values.yaml my-release stevehipwell/nexus3 +helm repo add stevehipwell https://stevehipwell.github.io/helm-charts/ +helm upgrade --install nexus3 stevehipwell/nexus3 --version 5.0.0 ``` -## Configuration - -The following table lists the configurable parameters of the _Nexus 3_ chart and their default values. - -| Parameter | Description | Default | -| ----------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------- | -| `image.repository` | Image repository. | `sonatype/nexus3` | -| `image.tag` | Image tag. | `.Chart.AppVersion` | -| `image.pullPolicy` | Image pull policy. | `IfNotPresent` | -| `image.pullSecrets` | **DEPRECATED** Image pull secrets, use `imagePullSecrets` instead. | `[]` | -| `imagePullSecrets` | Image pull secrets, will override `image.pullSecrets`. | `[]` | -| `nameOverride` | Override the name of the chart. | | -| `fullnameOverride` | Override the full name of the chart. | | -| `commonLabels` | Labels to add to all chart resources. | `{}` | -| `serviceAccount.create` | If `true`, create a new service account. | `true` | -| `serviceAccount.labels` | Labels to add to the service account. | `{}` | -| `serviceAccount.annotations` | Annotations to add to the service account. | `{}` | -| `serviceAccount.name` | Service account to be used. If not set and `serviceAccount.create` is `true`, a name is generated using the full name template. 
| | -| `serviceAccount.automountToken` | If `true`, mount the ServiceAccount token. | `false` | -| `deployment` | If `true`, run as a `Deployment`, otherwise run as a `StatefulSet`. | `true` | -| `highAvailability.enabled` | If `true`, enable [high availability](https://help.sonatype.com/repomanager3/planning-your-implementation/resiliency-and-high-availability/high-availability-deployment-options/option-1---manual-high-availability-deployment). This requires the upgrade documentation be followed and only works with `StatefulSet` that has a pro licence, so to use this `deployment` should be set to `false` and the `StatefulSet` will need to be scaled to `0` before upgrading. | `false` | -| `highAvailability.replicas` | Number of replicas for the `StatefulSet` if `highAvailability.enabled` is `true`. | `3` | -| `podLabels` | Labels to add to the pod. | `{}` | -| `podAnnotations` | Annotations to add to the pod. | `{}` | -| `podSecurityContext` | Security context for the pod. | `{ fsGroup: 200 }` | -| `securityContext` | Security context for the _nexus3_ container. | `{}` | -| `priorityClassName` | Priority class name to use. | `""` | -| `livenessProbe` | The liveness probe. | See _values.yaml_ | -| `readinessProbe` | The readiness probe. | See _values.yaml_ | -| `service.type` | Service type. | `ClusterIP` | -| `service.clusterIP` | Service cluster IP. | | -| `service.annotations` | Annotations to add to the service. | `{}` | -| `service.port` | Service port. | `8881` | -| `service.additionalPorts` | Additional ports exposed by the service and used by repository connectors. | | -| `metrics.enabled` | If `true`, metrics will be enabled (with anonymous access configured). | `false` | -| `metrics.serviceMonitor.enabled` | If `true`, create a _Prometheus_ service monitor. | `false` | -| `metrics.serviceMonitor.additionalLabels` | Additional labels to be set on the service monitor. 
| `{}` | -| `metrics.serviceMonitor.endpointConfig` | Additional endpoint configuration for the ServiceMonitor. | `{}` | -| `metrics.serviceMonitor.interval` | **DEPRECATED** _Prometheus_ scrape frequency, use `metrics.serviceMonitor.endpointConfig.interval` instead. | `""` | -| `ingress.enabled` | If `true`, create an ingress object. | `false` | -| `ingress.annotations` | Ingress annotations. | `{}` | -| `ingress.ingressClassName` | Ingress class to use. | `""` | -| `ingress.hosts` | Ingress hosts. | `[]` | -| `ingress.tls` | Ingress TLS configuration | `[]` | -| `persistence.enabled` | If `true`, create a PVC. | `false` | -| `persistence.annotations` | Annotations to add to the PVC. | `{}` | -| `persistence.existingClaim` | Use an existing PVC to persist data. | | -| `persistence.accessMode` | Persistence access mode. | `ReadWriteOnce` | -| `persistence.storageClass` | PVC storage class (use `-` for default). | `standard` | -| `persistence.size` | Size of PVC to create. | `8Gi` | -| `extraVolumeMounts` | Additional volume mounts for the _nexus3_ container. | `[]` | -| `resources` | Resource requests and limits for the _nexus3_ container. | `{}` | -| `chownDataDir` | If the `chown` init container should be used. | `true` | -| `extraInitContainers` | Additional init containers for the pod. | `[]` | -| `extraVolumes` | Additional volumes. | `[]` | -| `terminationGracePeriodSeconds` | Termination grace period in seconds. | `30` | -| `nodeSelector` | Node labels for pod assignment. | `{}` | -| `affinity` | Affinity settings for pod assignment. If an explicit label selector is not provided for pod affinity or pod anti-affinity one will be created from the pod selector labels. | `{}` | -| `topologySpreadConstraints` | Topology spread constraints for pod assignment. If an explicit label selector is not provided one will be created from the pod selector labels. | `[]` | -| `tolerations` | Tolerations for pod assignment. 
| `[]` | -| `caCerts.enabled` | If `true`, add provided CA certificates to the JVM cacerts key store. | `false` | -| `caCerts.secret` | Secret containing the additional CA certificates. | | -| `license.enabled` | If `true`, configure provided license. | `false` | -| `license.secret` | Secret containing the license. | | -| `license.key` | Key containing the license on the secret set in `license.secret`. | `nexus.license` | -| `envVars.jvmMinHeapSize` | JVM min heap size (should match `jvmMaxHeapSize`). | `1024m` | -| `envVars.jvmMaxHeapSize` | JVM max heap size (should match `jvmMinHeapSize`). | `1024m` | -| `envVars.jvmAdditionalMemoryOptions` | Additional JVM memory options. | `-XX:MaxDirectMemorySize=2048m` | -| `envVars.jvmAdditionalOptions` | Additional JVM options. | `""` | -| `env` | Environment variables for the _nexus3_ container. | | -| `logback.maxHistory` | Logback retention period in days. | `30` | -| `properties` | Additional _Nexus_ properties. | `["nexus.scripts.allowCreation=true"]` | -| `storeProperties` | Additional _Nexus_ store properties. | [] | -| `rootPassword.secret` | Secret to set the root password with. | | -| `rootPassword.key` | Key on the secret set in `config.rootPassword.secret`. | `password` | -| `config.enabled` | If `true`, automatically configure _Nexus_. This requires the `rootPassword` values to be set. | `false` | -| `config.rootPassword.secret` | **DEPRECATED** - Use `rootPassword.secret` instead; this has priority. | | -| `config.rootPassword.key` | **DEPRECATED** - Use `rootPassword.key` instead; this has priority. | | -| `config.anonymous.enabled` | If `true`, allow anonymous access. | `false` | -| `config.realms.enabled` | If `true`, realms should be configured. | `false` | -| `config.realms.values` | Realm ids to enable, in priority order (see `values.yaml` for available realms). | `[]` | -| `config.roles` | Roles to be configured (see `values.yaml` for structure). 
| `[]` | -| `config.users` | Users to be configured (see `values.yaml` for structure). | `[]` | -| `config.ldap.enabled` | If `true`, configure LDAP. | `false` | -| `config.ldap.name` | Unique name for the LDAP configuration. | | -| `config.ldap.protocol` | LDAP protocol, either `ldaps` or `ldap`. | `ldaps` | -| `config.ldap.useTrustStore` | Use _Nexus_ trust store for certificate validation. | `true` | -| `config.ldap.connectionTimeoutSeconds` | LDAP connection timeout. | `30` | -| `config.ldap.connectionRetryDelaySeconds` | LDAP connection retry delay. | `300` | -| `config.ldap.maxIncidentsCount` | LDAP connection max incidents. | `3` | -| `config.ldap.host` | LDAP host. | | -| `config.ldap.port` | LDAP port. | `636` | -| `config.ldap.authScheme` | LDAP authentication schema. | `simple` | -| `config.ldap.authUsername` | Username or DN (Distinguished Name) of an LDAP user, used to connect to the LDAP server. | | -| `config.ldap.authPassword.secret` | Secret containing the password to connect to the LDAP server. | | -| `config.ldap.authPassword.key` | The key on the secret containing the password to connect to the LDAP server. | | -| `config.ldap.authRealm` | LDAP authentication realm. | | -| `config.ldap.searchBase` | LDAP search base. | | -| `config.ldap.userBaseDn` | LDAP user base, relative to the search base. | | -| `config.ldap.userSubtree` | If `true`, LDAP users in trees below the user base are valid. | `false` | -| `config.ldap.userObjectClass` | LDAP object class for users. | `user` | -| `config.ldap.userLdapFilter` | LDAP user filter. | | -| `config.ldap.userIdAttribute` | LDAP user id attribute. | `sAMAccountName` | -| `config.ldap.userRealNameAttribute` | LDAP user real name attribute. | `cn` | -| `config.ldap.userEmailAddressAttribute` | LDAP user email address attribute. | `email` | -| `config.ldap.userPasswordAttribute` | LDAP user password attribute. 
| | -| `config.ldap.ldapGroupsAsRoles` | If `true`, LDAP user groups will be treated as a _Nexus_ role. | `false` | -| `config.ldap.groupType` | LDAP group type, either `dynamic` or `static`. | `dynamic` | -| `config.ldap.userMemberOfAttribute` | LDAP user member of attribute, required if `groupType` is `dynamic`. | `memberOf` | -| `config.ldap.groupBaseDn` | LDAP group base, required if `groupType` is `static`. | | -| `config.ldap.groupSubtree` | If `true`, LDAP groups in trees below the group base are valid (only used if `groupType` is `static`). | `false` | -| `config.ldap.groupObjectClass` | LDAP group object class, required if `groupType` is `static`. | | -| `config.ldap.groupIdAttribute` | LDAP group id attribute, required if `groupType` is `static`. | | -| `config.ldap.groupMemberAttribute` | LDAP group member attribute, required if `groupType` is `static`. | | -| `config.ldap.groupMemberFormat` | LDAP group member format, required if `groupType` is `static`. | | -| `config.blobStores` | Blob stores to be configured (see `values.yaml` for structure). | `[]` | -| `config.cleanup` | Cleanup policies to be configured (see `values.yaml` for structure). | `[]` | -| `config.repoCredentials.enabled` | If `true`, use the given secret to provide repo credentials. | `false` | -| `config.repoCredentials.secret` | Secret containing repo credentials, where the key should be the repo name and the value the password. | `[]` | -| `config.repos` | Repos to be configured (see `values.yaml` for structure). | `[]` | -| `config.tasks` | Tasks to be configured (see `values.yaml` for structure). | `[]` | -| `testResources` | If `true`, create resources required for testing and enable the resources to be used by the test hook. | `false` | +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| affinity | object | `{}` | Affinity settings for pod scheduling. 
If an explicit label selector is not provided for pod affinity or pod anti-affinity one will be created from the pod selector labels. | +| bashImage.digest | string | `nil` | Optional image digest for the bash containers. | +| bashImage.pullPolicy | string | `"IfNotPresent"` | Image pull policy for bash containers. | +| bashImage.repository | string | `"cgr.dev/chainguard/bash"` | Image repository for bash containers. | +| bashImage.tag | string | `"latest"` | Image tag for bash containers, this will be omitted if set to `-`. | +| caCerts.enabled | bool | `false` | If `true`, add the CA certificates in the provided secret to the JVM cacerts key store. | +| caCerts.secret | string | `nil` | Name of the secret containing the CA certificates. | +| commonLabels | object | `{}` | Labels to add to all chart resources. | +| config.anonymous | object | `{"enabled":false,"roles":["nx-anonymous","nx-metrics"]}` | Anonymous access configuration. | +| config.blobStores | list | `[]` | Blob store configuration. | +| config.cleanup | list | `[]` | Cleanup configuration. | +| config.enabled | bool | `false` | If `true`, enable the configuration Job. | +| config.job.affinity | object | `{}` | Affinity settings for scheduling the config job. | +| config.job.image.digest | string | `nil` | Optional image digest for the config container. | +| config.job.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy for config container. | +| config.job.image.repository | string | `"cgr.dev/chainguard/min-toolkit-debug"` | Image repository for the config container. | +| config.job.image.tag | string | `"latest"` | Image tag for config container, this will be omitted if set to `-`. | +| config.job.nodeSelector | object | `{}` | Node labels to match for scheduling the config job. | +| config.job.tolerations | list | `[]` | Node taints which will be tolerated for scheduling the config job. 
| +| config.job.ttlSecondsAfterFinished | int | `600` | The number of seconds to keep the config job after it's finished. | +| config.ldap | object | `{"authPassword":{"key":null,"secret":null},"authRealm":null,"authScheme":"simple","authUsername":null,"connectionRetryDelaySeconds":300,"connectionTimeoutSeconds":30,"enabled":false,"groupBaseDn":null,"groupIdAttribute":null,"groupMemberAttribute":null,"groupMemberFormat":null,"groupObjectClass":null,"groupSubtree":false,"groupType":"dynamic","host":null,"ldapGroupsAsRoles":false,"maxIncidentsCount":3,"name":null,"port":636,"protocol":"ldaps","searchBase":null,"useTrustStore":true,"userBaseDn":null,"userEmailAddressAttribute":"email","userIdAttribute":"sAMAccountName","userLdapFilter":null,"userMemberOfAttribute":"memberOf","userObjectClass":"user","userPasswordAttribute":null,"userRealNameAttribute":"cn","userSubtree":false}` | LDAP configuration. | +| config.realms | object | `{"enabled":false,"values":[]}` | Realms configuration. | +| config.repoCredentials.enabled | bool | `false` | If `true`, enable repository credentials. | +| config.repoCredentials.secret | string | `nil` | Name of the secret containing the repository credentials. | +| config.repos | list | `[]` | Repository configuration. | +| config.roles | list | `[]` | Roles configuration. | +| config.tasks | list | `[]` | Task configuration. | +| config.users | list | `[]` | Users configuration. | +| env | list | `[]` | Environment variables for the default container. | +| extraInitContainers | list | `[]` | Extra init container to run before the default container. | +| extraVolumeMounts | list | `[]` | Extra volume mounts for the default container. | +| extraVolumes | list | `[]` | Extra volumes for the pod. | +| fullnameOverride | string | `nil` | Override the full name of the chart. | +| image.digest | string | `nil` | Optional image digest for the default container. 
| +| image.pullPolicy | string | `"IfNotPresent"` | Image pull policy for the default container. | +| image.repository | string | `"docker.io/sonatype/nexus3"` | Image repository for the default container. | +| image.tag | string | `nil` | Image tag for the default container, this will default to `.Chart.AppVersion` if not set and will be omitted if set to `-`. | +| imagePullSecrets | list | `[]` | Image pull secrets. | +| ingress.annotations | object | `{}` | Ingress annotations. | +| ingress.enabled | bool | `false` | If `true`, create an `Ingress` resource. | +| ingress.hosts | list | See _values.yaml_ | Ingress hosts. | +| ingress.ingressClassName | string | `nil` | Ingress class name. | +| ingress.tls | list | See _values.yaml_ | Ingress TLS. | +| install4jAddVmParams | string | `"-Xms1024m -Xmx1024m -XX:MaxDirectMemorySize=2048m"` | Env configuration for the _Nexus3_ container. | +| jdkImage.digest | string | `nil` | Optional image digest for the JDK container. | +| jdkImage.pullPolicy | string | `"IfNotPresent"` | Image pull policy for the JDK container. | +| jdkImage.repository | string | `"docker.io/eclipse-temurin"` | Image repository for the JDK container. | +| jdkImage.tag | string | `"17-jdk"` | Image tag for the JDK container, this will be omitted if set to `-`. | +| license.enabled | bool | `false` | If `true`, use the license in the provided secret. This must be set to enable [Pro features](https://help.sonatype.com/en/repository-manager-pro-features.html). | +| license.key | string | `"nexus.license"` | Key in the secret containing the license. | +| license.secret | string | `nil` | Name of the secret containing the license. | +| livenessProbe | object | See _values.yaml_ | Liveness probe configuration for the default container. | +| logback.maxHistory | int | `30` | Maximum history for log files. | +| metrics.enabled | bool | `false` | If `true`, enable metrics. 
| +| metrics.serviceMonitor.additionalLabels | object | `{}` | Additional labels for the `ServiceMonitor`. | +| metrics.serviceMonitor.enabled | bool | `false` | If `true`, create a `ServiceMonitor` resource to support the _Prometheus Operator_. | +| metrics.serviceMonitor.endpointConfig | object | `{}` | Additional endpoint configuration for the `ServiceMonitor`. | +| minReadySeconds | int | `nil` | Min ready seconds for the `StatefulSet`. | +| nameOverride | string | `nil` | Override the name of the chart. | +| nodeSelector | object | `{}` | Node labels to match for pod scheduling. | +| ordinals | object | `{}` | Ordinals configuration for the `StatefulSet`. | +| persistence.accessMode | string | `"ReadWriteOnce"` | Access mode for the `PersistentVolumeClaim`. | +| persistence.annotations | object | `{}` | Annotations for the `PersistentVolumeClaim`. | +| persistence.enabled | bool | `false` | If `true`, persistence should be enabled for the `StatefulSet`. | +| persistence.retainDeleted | bool | `true` | If `true`, keep `PersistentVolumeClaims` when the `StatefulSet` is deleted. | +| persistence.retainScaled | bool | `true` | If `true`, keep `PersistentVolumeClaim` when the `StatefulSet` is scaled down. | +| persistence.size | string | `"8Gi"` | Size of the `PersistentVolumeClaim`. | +| persistence.storageClass | string | `nil` | Storage class for the `PersistentVolumeClaim`, if not set the default will be used. | +| plugins | list | `[]` | List of plugins to install. | +| podAnnotations | object | `{}` | Annotations to add to the pod. | +| podDisruptionBudget.enabled | bool | `false` | If `true`, create a `PodDisruptionBudget` resource. | +| podDisruptionBudget.maxUnavailable | string | `nil` | Minimum number of unavailable pods, either a number or a percentage. | +| podDisruptionBudget.minAvailable | string | `nil` | Minimum number of available pods, either a number or a percentage. 
| +| podDisruptionBudget.unhealthyPodEvictionPolicy | string | `nil` | Unhealthy pod eviction policy for the PDB. | +| podLabels | object | `{}` | Labels to add to the pod. | +| podManagementPolicy | string | `nil` | Pod management policy for the `StatefulSet`. | +| podSecurityContext | object | `{"fsGroup":200,"runAsNonRoot":false,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the pod. | +| priorityClassName | string | `nil` | Priority class name for the pod. | +| properties | string | `nil` | _Nexus3_ properties. | +| readinessProbe | object | See _values.yaml_ | Readiness probe configuration for the default container. | +| replicas | int | `1` | Number of replicas to create; modifying this requires the license to be configured. | +| resources | object | `{}` | Resources for the default container. | +| rootPassword.key | string | `"password"` | Key in the secret containing the root password. | +| rootPassword.secret | string | `nil` | Name of the secret containing the root password. | +| securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":200,"runAsNonRoot":true,"runAsUser":200}` | Security context for the default container. | +| service.additionalPorts | list | See _values.yaml_ | Additional ports to expose. | +| service.annotations | object | `{}` | Service annotations. | +| service.port | int | `8081` | Default port. | +| service.type | string | `"ClusterIP"` | Service type. | +| serviceAccount.annotations | object | `{}` | Annotations to add to the service account. | +| serviceAccount.automountToken | bool | `false` | If `true`, mount the `ServiceAccount` token. | +| serviceAccount.create | bool | `true` | If `true`, create a new `ServiceAccount`. | +| serviceAccount.labels | object | `{}` | Labels to add to the service account. 
|
+| serviceAccount.name | string | `nil` | If this is set and `serviceAccount.create` is `true` this will be used for the created `ServiceAccount` name, if set and `serviceAccount.create` is `false` then this will define an existing `ServiceAccount` to use. |
+| startupProbe | object | See _values.yaml_ | Startup probe configuration for the default container. |
+| storeProperties | list | `[]` | _Nexus3_ store properties. |
+| tailLogs.resources | object | `{}` | Resources for the log tailing containers. |
+| terminationGracePeriodSeconds | int | `120` | Termination grace period for the pod in seconds. |
+| tolerations | list | `[]` | Node taints which will be tolerated for pod scheduling. |
+| topologySpreadConstraints | list | `[]` | Topology spread constraints for pod scheduling. If an explicit label selector is not provided one will be created from the pod selector labels. |
+| updateStrategy | object | `{}` | Update strategy for the `StatefulSet`. |
+
+----------------------------------------------
+
+Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/helm-docs/).
diff --git a/charts/nexus3/ci/ci-values.yaml b/charts/nexus3/ci/ci-values.yaml
index fad55007..7bced8e3 100644
--- a/charts/nexus3/ci/ci-values.yaml
+++ b/charts/nexus3/ci/ci-values.yaml
@@ -3,14 +3,16 @@ metrics:
 persistence:
 enabled: true
+ retainDeleted: false
+ retainScaled: false
 caCerts:
 enabled: true
 secret: nexus3-cas
-plugins:
- - name: nexus-repository-composer
- url: https://repo1.maven.org/maven2/org/sonatype/nexus/plugins/nexus-repository-composer/0.0.29/nexus-repository-composer-0.0.29-bundle.kar
+plugins: []
+# - name: nexus-repository-composer
+# url: https://repo1.maven.org/maven2/org/sonatype/nexus/plugins/nexus-repository-composer/0.0.29/nexus-repository-composer-0.0.29-bundle.kar
 rootPassword:
 secret: nexus3-root-credentials
@@ -66,16 +68,16 @@ config: enabled: false repos: - name: test-repo - type: raw-hosted + format: raw + type: hosted online: true - attributes: - storage: - blobStoreName: default - strictContentTypeValidation: false - writePolicy: ALLOW - cleanup: - policyName: - - ExampleCleanup + storage: + blobStoreName: default + strictContentTypeValidation: false + writePolicy: allow + cleanup: + policyNames: + - ExampleCleanup tasks: - name: "Cleanup service" typeId: repository.cleanup diff --git a/charts/nexus3/ci/kubeconform.yaml b/charts/nexus3/ci/kubeconform.yaml index 9c7950a1..39924738 100644 --- a/charts/nexus3/ci/kubeconform.yaml +++ b/charts/nexus3/ci/kubeconform.yaml @@ -64,6 +64,8 @@ persistence: accessMode: ReadWriteOnce storageClass: standard size: 8Gi + retainDeleted: false + retainScaled: false resources: requests: @@ -167,16 +169,16 @@ config: secret: nexus3-repo-creds repos: - name: test-repo - type: raw-hosted + format: raw + type: hosted online: true - attributes: - storage: - blobStoreName: default - strictContentTypeValidation: false - writePolicy: ALLOW - cleanup: - policyName: - - ExampleCleanup + storage: + blobStoreName: default + strictContentTypeValidation: false + writePolicy: allow + cleanup: + policyNames: + - ExampleCleanup tasks: - name: "Cleanup service" typeId: repository.cleanup diff --git a/charts/nexus3/files/configure.sh b/charts/nexus3/files/configure.sh deleted file mode 100644 index 55c4186b..00000000 --- a/charts/nexus3/files/configure.sh +++ /dev/null 
@@ -1,297 +0,0 @@ -#!/usr/bin/env bash -set -eu - -function error() { - msg="ERROR: $*" - >&2 echo "${msg}" - echo "${msg}" > "${TERMINATION_LOG}" - exit 1 -} - -TERMINATION_LOG="${TERMINATION_LOG:-/dev/termination-log}" -nexus_host="http://localhost:8081" -root_user="admin" -base_dir="/opt/sonatype/nexus" -out_file="/tmp/out.json" -tmp_file="/tmp/tmp.json" - -echo "Configuring Nexus3..." - -root_password="${NEXUS_SECURITY_INITIAL_PASSWORD:-}" - -if [[ -z "${root_password:-}" ]] -then - error "No root password was provided." -fi - -while /bin/true -do - if [[ "$(curl -s -o /dev/null -w "%{http_code}" "${nexus_host}/service/rest/v1/status")" -ne "200" ]] - then - echo "Waiting for Nexus..." - sleep 15 - continue - fi - - json_file="${base_dir}/conf/anonymous.json" - if [[ -f "${json_file}" ]] - then - echo "Updating anonymous access..." - - status_code="$(curl -s -o /dev/null -w "%{http_code}" -X PUT -H 'Content-Type: application/json' -u "${root_user}:${root_password}" -d "@${json_file}" "${nexus_host}/service/rest/v1/security/anonymous")" - if [[ "${status_code}" -ne 200 ]] - then - error "Could not configure anonymous access." - fi - - echo "Anonymous access configured." - fi - - json_file="${base_dir}/conf/realms.json" - if [[ -f "${json_file}" ]] - then - echo "Updating realms..." - - status_code="$(curl -s -o /dev/null -w "%{http_code}" -X PUT -H 'Content-Type: application/json' -u "${root_user}:${root_password}" -d "@${json_file}" "${nexus_host}/service/rest/v1/security/realms/active")" - if [[ "${status_code}" -ne 204 ]] - then - error "Could not configure realms." - fi - - echo "Realms configured." - fi - - for json_file in "${base_dir}"/conf/*-role.json - do - if [[ -f "${json_file}" ]] - then - id="$(grep -Pio '(?<="id":)\s*\"[^"]+\"' "${json_file}" | xargs)" - source="$(grep -Pio '(?<="source":)\s*\"[^"]+\"' "${json_file}" | xargs)" - echo "Updating role '${id}'..." 
- - status_code=$(curl -s -o /dev/null -w "%{http_code}" -X GET -H 'Content-Type: application/json' -u "${root_user}:${root_password}" "${nexus_host}/service/rest/v1/security/roles/${id}?source=${source}") - if [[ "${status_code}" -eq 200 ]] - then - status_code="$(curl -s -o /dev/null -w "%{http_code}" -X PUT -H 'Content-Type: application/json' -u "${root_user}:${root_password}" -d "@${json_file}" "${nexus_host}/service/rest/v1/security/roles/${id}")" - if [[ "${status_code}" -ne 204 ]] - then - error "Could not configure role." - fi - else - status_code="$(curl -s -o /dev/null -w "%{http_code}" -X POST -H 'Content-Type: application/json' -u "${root_user}:${root_password}" -d "@${json_file}" "${nexus_host}/service/rest/v1/security/roles")" - if [[ "${status_code}" -ne 200 ]] - then - error "Could not configure role." - fi - fi - - echo "Role configured." - fi - done - - for json_file in "${base_dir}"/conf/*-user.json - do - if [[ -f "${json_file}" ]] - then - id="$(grep -Pio '(?<="userId":)\s*\"[^"]+\"' "${json_file}" | xargs)" - source="$(grep -Pio '(?<="source":)\s*\"[^"]+\"' "${json_file}" | xargs)" - echo "Updating user '${id}'..." - - status_code=$(curl -s -o "${out_file}" -w "%{http_code}" -X GET -H 'Content-Type: application/json' -u "${root_user}:${root_password}" "${nexus_host}/service/rest/v1/security/users/?userId=${id}&source=${source}") - if [[ "${status_code}" -eq 200 ]] && [[ -n "$(grep -r 'userId' ${out_file} || true)" ]] - then - status_code="$(curl -s -o /dev/null -w "%{http_code}" -X PUT -H 'Content-Type: application/json' -u "${root_user}:${root_password}" -d "@${json_file}" "${nexus_host}/service/rest/v1/security/users/${id}")" - if [[ "${status_code}" -ne 204 ]] - then - error "Could not configure user." 
- fi - else - password="$(echo "${RANDOM}" | md5sum | head -c 20)" - sed "s/\"userId\"/\"password\":\"${password}\",\"userId\"/" "${json_file}" > "${tmp_file}" - json_file="${tmp_file}" - - status_code="$(curl -s -o /dev/null -w "%{http_code}" -X POST -H 'Content-Type: application/json' -u "${root_user}:${root_password}" -d "@${json_file}" "${nexus_host}/service/rest/v1/security/users")" - if [[ "${status_code}" -ne 200 ]] - then - error "Could not configure user." - fi - fi - - rm -f "${tmp_file}" - echo "User configured." - fi - done - - json_file="${base_dir}/conf/anonymous-user.json" - if [[ -f "${json_file}" ]] - then - echo "Configuring anonymous user..." - - status_code="$(curl -s -o /dev/null -w "%{http_code}" -X PUT -H 'Content-Type: application/json' -u "${root_user}:${root_password}" -d "@${json_file}" "${nexus_host}/service/rest/v1/security/users/anonymous")" - if [[ "${status_code}" -ne 204 ]] - then - error "Could not configure anonymous user." - fi - - echo "Anonymous user configured." - fi - - json_file="${base_dir}/conf/ldap.json" - if [[ -f "${json_file}" ]] - then - cp -f "${json_file}" "${tmp_file}" - json_file="${tmp_file}" - - if [[ -f "${base_dir}/secret/ldap.password" ]] - then - ldap_password=$(sed 's|"|\\"|g;s|&|\\&|g;s|/|\\/|g;s|\\|\\\\\\\\|g' "${base_dir}/secret/ldap.password") - sed -i "s/PASSWORD/${ldap_password//&/\\&}/g" "${json_file}" - fi - - name="$(grep -Pio '(?<="name":)\s*\"[^"]+\"' "${json_file}" | xargs)" - - status_code=$(curl -s -o "${out_file}" -w "%{http_code}" -X GET -H 'Content-Type: application/json' -u "${root_user}:${root_password}" "${nexus_host}/service/rest/v1/security/ldap/${name// /%20}") - if [[ "${status_code}" -eq 200 ]] - then - echo "Updating LDAP configuration for '${name}'..." 
- - id="$(grep -Pio '(?<="id"\s:)\s*\"[^"]+\"' "${out_file}" | xargs)" - sed -i "s/{\"/{\"id\":\"${id}\",\"/g" "${json_file}" - - status_code="$(curl -s -o /dev/null -w "%{http_code}" -X PUT -H 'Content-Type: application/json' -u "${root_user}:${root_password}" -d "@${json_file}" "${nexus_host}/service/rest/v1/security/ldap/${name// /%20}")" - if [[ "${status_code}" -ne 204 ]] - then - error "Could not configure LDAP." - fi - else - echo "Adding LDAP configuration for '${name}'..." - - status_code="$(curl -s -o /dev/null -w "%{http_code}" -X POST -H 'Content-Type: application/json' -u "${root_user}:${root_password}" -d "@${json_file}" "${nexus_host}/service/rest/v1/security/ldap")" - if [[ "${status_code}" -ne 201 ]] - then - error "Could not configure LDAP." - fi - fi - - rm -f "${json_file}" - echo "LDAP configured." - fi - - for json_file in "${base_dir}"/conf/*-blobstore.json - do - if [[ -f "${json_file}" ]] - then - type="$(grep -Pio '(?<="type":)\s*\"[^"]+\"' "${json_file}" | head -1 | xargs)" - if [[ "${type}" = "s3" ]] - then - name="$(grep -Pio '(?<="name":)(\s*\"[^"]+\")(?=,"type":\"s3\")' "${json_file}" | xargs)" - else - name="$(grep -Pio '(?<="name":)\s*\"[^"]+\"' "${json_file}" | xargs)" - fi - echo "Updating blob store '${name}'..." - - status_code=$(curl -s -o /dev/null -w "%{http_code}" -X GET -H 'Content-Type: application/json' -u "${root_user}:${root_password}" "${nexus_host}/service/rest/v1/blobstores/${type}/${name}") - if [[ "${status_code}" -eq 200 ]] - then - status_code="$(curl -s -o /dev/null -w "%{http_code}" -X PUT -H 'Content-Type: application/json' -u "${root_user}:${root_password}" -d "@${json_file}" "${nexus_host}/service/rest/v1/blobstores/${type}/${name}")" - if [[ "${status_code}" -ne 204 ]] - then - error "Could not configure blob store." 
- fi - else - status_code="$(curl -s -o /dev/null -w "%{http_code}" -X POST -H 'Content-Type: application/json' -u "${root_user}:${root_password}" -d "@${json_file}" "${nexus_host}/service/rest/v1/blobstores/${type}")" - if [[ "${status_code}" -ne 204 ]] && [[ "${status_code}" -ne 201 ]] - then - error "Could not configure blob store." - fi - fi - - echo "Blob store configured." - fi - done - - for script_file in "${base_dir}"/conf/*.groovy - do - echo "Updating script ${script_file}." - - name="$(basename "${script_file}" .groovy)" - content="$(sed 's/\"/\\\"/g' "${script_file}" | sed ':a;N;$!ba;s/\n/\\n/g')" - data="{ \"name\": \"${name}\", \"type\": \"groovy\", \"content\": \"${content}\" }" - - status_code=$(curl -s -o /dev/null -w "%{http_code}" -X GET -u "${root_user}:${root_password}" "${nexus_host}/service/rest/v1/script/${name}") - if [[ "${status_code}" -eq 200 ]] - then - status_code=$(curl -s -o /dev/null -w "%{http_code}" -X PUT -H 'Content-Type: application/json' -u "${root_user}:${root_password}" -d "${data}" "${nexus_host}/service/rest/v1/script/${name}") - else - status_code=$(curl -s -o /dev/null -w "%{http_code}" -X POST -H 'Content-Type: application/json' -u "${root_user}:${root_password}" -d "${data}" "${nexus_host}/service/rest/v1/script") - fi - - if [[ "${status_code}" -ne 204 ]] - then - error "Could not update script ${name}." - fi - - echo "Script ${script_file} updated." - done - - for json_file in "${base_dir}"/conf/*-cleanup.json - do - if [[ -f "${json_file}" ]] - then - echo "Configuring cleanup policy..." - - status_code=$(curl -s -o /dev/null -w "%{http_code}" -X POST -H 'Content-Type: application/json' -u "${root_user}:${root_password}" -d "@${json_file}" "${nexus_host}/service/rest/v1/script/cleanup/run") - if [[ "${status_code}" -ne 200 ]] - then - error "Could not set cleanup policy." - fi - - echo "Cleanup policy configured." 
- fi - done - - for json_file in "${base_dir}"/conf/*-repo.json - do - if [[ -f "${json_file}" ]] - then - echo "Configuring repo..." - - cp -f "${json_file}" "${tmp_file}" - json_file="${tmp_file}" - - repo_name="$(grep -Pio '(?<="name":)\s*\"[^"]+\"' "${json_file}" | xargs)" - repo_password_file="${base_dir}/secret/repo-credentials/${repo_name}" - if [[ -f "${repo_password_file}" ]] - then - repo_password="$(cat "${repo_password_file}")" - sed -i "s/PASSWORD/${repo_password}/g" "${json_file}" - fi - - status_code=$(curl -s -o /dev/null -w "%{http_code}" -X POST -H 'Content-Type: application/json' -u "${root_user}:${root_password}" -d "@${json_file}" "${nexus_host}/service/rest/v1/script/repo/run") - if [[ "${status_code}" -ne 200 ]] - then - error "Could not set repo." - fi - - rm -f "${json_file}" - echo "Repo configured." - fi - done - - for json_file in "${base_dir}"/conf/*-task.json - do - if [[ -f "${json_file}" ]] - then - status_code=$(curl -s -o /dev/null -w "%{http_code}" -X POST -H 'Content-Type: application/json' -u "${root_user}:${root_password}" -d "@${json_file}" "${nexus_host}/service/rest/v1/script/task/run") - if [[ "${status_code}" -ne 200 ]] - then - error "Could not set task." - fi - - echo "Task configured." - fi - done - - echo "Nexus3 configured successfully!" - exit 0 -done diff --git a/charts/nexus3/files/repo.groovy b/charts/nexus3/files/repo.groovy deleted file mode 100644 index aa6baa64..00000000 --- a/charts/nexus3/files/repo.groovy +++ /dev/null 
@@ -1,40 +0,0 @@ -import groovy.json.JsonSlurper -import groovy.json.JsonOutput -import org.sonatype.nexus.repository.config.Configuration - -def repositoryManager = repository.repositoryManager - -def params = new JsonSlurper().parseText(args) -if (params.attributes?.cleanup?.policyName) { - params.attributes.cleanup.policyName = params.attributes.cleanup.policyName.toSet() -} - -def existingRepository = repositoryManager.get(params.name) -Configuration configuration -if (existingRepository == null) { - configuration = repositoryManager.newConfiguration() - configuration.repositoryName = params.name - configuration.recipeName = params.type - configuration.online = params.online - configuration.attributes = params.attributes -} else { - configuration = existingRepository.getConfiguration() - if (params.containsKey("type")) { - if (configuration.getRecipeName() != params.type) { - throw new Exception("Tried to change recipe for repo ${params.name} to ${params.type}") - } - } - - configuration.setOnline(params.online) - if (params.containsKey("attributes")) { - configuration.setAttributes(params.attributes) - } -} - -if (existingRepository == null) { - repositoryManager.create(configuration) -} else { - repositoryManager.update(configuration) -} - -return true diff --git a/charts/nexus3/files/cleanup.groovy b/charts/nexus3/scripts/cleanup.groovy similarity index 100% rename from charts/nexus3/files/cleanup.groovy rename to charts/nexus3/scripts/cleanup.groovy diff --git a/charts/nexus3/scripts/configure.sh b/charts/nexus3/scripts/configure.sh new file mode 100644 index 00000000..fee2903c --- /dev/null +++ b/charts/nexus3/scripts/configure.sh 
@@ -0,0 +1,254 @@ +#!/usr/bin/env bash +set -euo pipefail + +NEXUS_HOST="${NEXUS_HOST:-http://localhost:8081}" +NEXUS_USER="${NEXUS_USER:-admin}" +CONFIG_DIR="${CONFIG_DIR:-/opt/sonatype/nexus/config}" + +function error() { + echo >&2 "ERROR: $*" + exit 1 +} + +echo "Configuring Nexus3..." +sleep 5 + +tmp_dir="$(mktemp -d)" +trap 'rm -rf -- "${tmp_dir}"' EXIT + +password="${NEXUS_PASSWORD:-}" +out_file="${tmp_dir}/out.json" +tmp_file="${tmp_dir}/tmp.json" + +if [[ -z "${password:-}" ]]; then + error "No password was provided." +fi + +while [[ "$(curl -s -o /dev/null -w "%{http_code}" "${NEXUS_HOST}/service/rest/v1/status")" -ne "200" ]]; do + echo "Waiting for Nexus..." + sleep 15 +done + +json_file="${CONFIG_DIR}/conf/anonymous.json" +if [[ -f "${json_file}" ]]; then + echo "Configuring anonymous access..." + + status_code="$(curl -sS -o /dev/null -w "%{http_code}" -X PUT -H 'Content-Type: application/json' -u "${NEXUS_USER}:${password}" -d "@${json_file}" "${NEXUS_HOST}/service/rest/v1/security/anonymous")" + if [[ "${status_code}" -ne 200 ]]; then + error "Could not configure anonymous access." + fi + + echo "Anonymous access configured." +fi + +json_file="${CONFIG_DIR}/conf/realms.json" +if [[ -f "${json_file}" ]]; then + echo "Configuring realms..." + + status_code="$(curl -sS -o /dev/null -w "%{http_code}" -X PUT -H 'Content-Type: application/json' -u "${NEXUS_USER}:${password}" -d "@${json_file}" "${NEXUS_HOST}/service/rest/v1/security/realms/active")" + if [[ "${status_code}" -ne 204 ]]; then + error "Could not configure realms." + fi + + echo "Realms configured." +fi + +echo "Configuring roles..." 
+for json_file in "${CONFIG_DIR}"/conf/*-role.json; do + if [[ -f "${json_file}" ]]; then + id="$(jq -r '.id' "${json_file}")" + source="$(jq -r '.source' "${json_file}")" + + status_code=$(curl -sS -o /dev/null -w "%{http_code}" -X GET -H 'Content-Type: application/json' -u "${NEXUS_USER}:${password}" "${NEXUS_HOST}/service/rest/v1/security/roles/${id}?source=${source}") + if [[ "${status_code}" -eq 200 ]]; then + status_code="$(curl -sS -o /dev/null -w "%{http_code}" -X PUT -H 'Content-Type: application/json' -u "${NEXUS_USER}:${password}" -d "@${json_file}" "${NEXUS_HOST}/service/rest/v1/security/roles/${id}")" + if [[ "${status_code}" -ne 204 ]]; then + error "Could not update role '${id}'." + fi + else + status_code="$(curl -sS -o /dev/null -w "%{http_code}" -X POST -H 'Content-Type: application/json' -u "${NEXUS_USER}:${password}" -d "@${json_file}" "${NEXUS_HOST}/service/rest/v1/security/roles")" + if [[ "${status_code}" -ne 200 ]]; then + error "Could not create role '${id}'." + fi + fi + + echo "Role '${id}' configured." + fi +done + +echo "Configuring users..." +for json_file in "${CONFIG_DIR}"/conf/*-user.json; do + if [[ -f "${json_file}" ]]; then + id="$(jq -r '.userId' "${json_file}")" + source="$(jq -r '.source' "${json_file}")" + + out_file="$(mktemp -p "${tmp_dir}")" + status_code=$(curl -sS -o "${out_file}" -w "%{http_code}" -X GET -H 'Content-Type: application/json' -u "${NEXUS_USER}:${password}" "${NEXUS_HOST}/service/rest/v1/security/users/?userId=${id}&source=${source}") + if [[ "${status_code}" -eq 200 ]] && [[ -n "$(jq -r 'first(.[]).userId // empty' "${out_file}")" ]]; then + status_code="$(curl -sS -o /dev/null -w "%{http_code}" -X PUT -H 'Content-Type: application/json' -u "${NEXUS_USER}:${password}" -d "@${json_file}" "${NEXUS_HOST}/service/rest/v1/security/users/${id}")" + if [[ "${status_code}" -ne 204 ]]; then + error "Could not update user '${id}'." 
+ fi + else + tmp_file="$(mktemp -p "${tmp_dir}")" + jq -r --arg password "$(echo "${RANDOM}" | md5sum | head -c 20)" '. + {password: $password}' "${json_file}" >"${tmp_file}" + json_file="${tmp_file}" + + status_code="$(curl -sS -o /dev/null -w "%{http_code}" -X POST -H 'Content-Type: application/json' -u "${NEXUS_USER}:${password}" -d "@${json_file}" "${NEXUS_HOST}/service/rest/v1/security/users")" + if [[ "${status_code}" -ne 200 ]]; then + error "Could not create user '${id}'." + fi + fi + + echo "User '${id}' configured." + fi +done + +json_file="${CONFIG_DIR}/conf/ldap.json" +if [[ -f "${json_file}" ]]; then + echo "Configuring LDAP..." + + name="$(jq -r '.name' "${json_file}")" + + if [[ -f "${CONFIG_DIR}/secret/ldap.password" ]]; then + tmp_file="$(mktemp -p "${tmp_dir}")" + jq -r --arg password "$(sed 's|"|\\"|g;s|/|\\/|g' "${CONFIG_DIR}/secret/ldap.password")" '. + {authPassword: $password}' "${json_file}" >"${tmp_file}" + json_file="${tmp_file}" + fi + + out_file="$(mktemp -p "${tmp_dir}")" + status_code=$(curl -sS -o "${out_file}" -w "%{http_code}" -X GET -H 'Content-Type: application/json' -u "${NEXUS_USER}:${password}" "${NEXUS_HOST}/service/rest/v1/security/ldap/${name// /%20}") + if [[ "${status_code}" -eq 200 ]]; then + tmp_file="$(mktemp -p "${tmp_dir}")" + jq -r --arg id "$(jq -r '.id' "${out_file}")" '. + {id: $id}' "${json_file}" >"${tmp_file}" + json_file="${tmp_file}" + + status_code="$(curl -sS -o /dev/null -w "%{http_code}" -X PUT -H 'Content-Type: application/json' -u "${NEXUS_USER}:${password}" -d "@${json_file}" "${NEXUS_HOST}/service/rest/v1/security/ldap/${name// /%20}")" + if [[ "${status_code}" -ne 204 ]]; then + error "Could not update LDAP '${name}'." 
+ fi + else + status_code="$(curl -sS -o /dev/null -w "%{http_code}" -X POST -H 'Content-Type: application/json' -u "${NEXUS_USER}:${password}" -d "@${json_file}" "${NEXUS_HOST}/service/rest/v1/security/ldap")" + if [[ "${status_code}" -ne 201 ]]; then + error "Could not create LDAP '${name}'." + fi + fi + + echo "LDAP '${name}' configured." +fi + +echo "Configuring blob stores..." +for json_file in "${CONFIG_DIR}"/conf/*-blobstore.json; do + if [[ -f "${json_file}" ]]; then + type="$(jq -r '.type' "${json_file}")" + name="$(jq -r '.name' "${json_file}")" + + status_code=$(curl -sS -o /dev/null -w "%{http_code}" -X GET -H 'Content-Type: application/json' -u "${NEXUS_USER}:${password}" "${NEXUS_HOST}/service/rest/v1/blobstores/${type}/${name}") + if [[ "${status_code}" -eq 200 ]]; then + status_code="$(curl -sS -o /dev/null -w "%{http_code}" -X PUT -H 'Content-Type: application/json' -u "${NEXUS_USER}:${password}" -d "@${json_file}" "${NEXUS_HOST}/service/rest/v1/blobstores/${type}/${name}")" + if [[ "${status_code}" -ne 204 ]]; then + error "Could not update blob store '${name}'." + fi + else + status_code="$(curl -sS -o /dev/null -w "%{http_code}" -X POST -H 'Content-Type: application/json' -u "${NEXUS_USER}:${password}" -d "@${json_file}" "${NEXUS_HOST}/service/rest/v1/blobstores/${type}")" + if [[ "${status_code}" -ne 204 ]] && [[ "${status_code}" -ne 201 ]]; then + error "Could not create blob store '${name}'." + fi + fi + + echo "Blob store '${name}' configured." + fi +done + +echo "Configuring scripts..." 
+for script_file in /scripts/*.groovy; do + if [[ -f "${script_file}" ]]; then + name="$(basename "${script_file}" .groovy)" + content="$(sed 's/\"/\\\"/g' "${script_file}" | sed ':a;N;$!ba;s/\n/\\n/g')" + data="{ \"name\": \"${name}\", \"type\": \"groovy\", \"content\": \"${content}\" }" + + status_code=$(curl -sS -o /dev/null -w "%{http_code}" -X GET -u "${NEXUS_USER}:${password}" "${NEXUS_HOST}/service/rest/v1/script/${name}") + if [[ "${status_code}" -eq 200 ]]; then + status_code=$(curl -sS -o /dev/null -w "%{http_code}" -X PUT -H 'Content-Type: application/json' -u "${NEXUS_USER}:${password}" -d "${data}" "${NEXUS_HOST}/service/rest/v1/script/${name}") + + if [[ "${status_code}" -ne 204 ]]; then + error "Could not update script '${name}'." + fi + else + status_code=$(curl -sS -o /dev/null -w "%{http_code}" -X POST -H 'Content-Type: application/json' -u "${NEXUS_USER}:${password}" -d "${data}" "${NEXUS_HOST}/service/rest/v1/script") + + if [[ "${status_code}" -ne 204 ]]; then + error "Could not create script '${name}'." + fi + fi + + echo "Script '${name}' updated." + fi +done + +echo "Configuring cleanup policies..." +for json_file in "${CONFIG_DIR}"/conf/*-cleanup.json; do + if [[ -f "${json_file}" ]]; then + name="$(jq -r '.name' "${json_file}")" + + status_code=$(curl -sS -o /dev/null -w "%{http_code}" -X POST -H 'Content-Type: application/json' -u "${NEXUS_USER}:${password}" -d "@${json_file}" "${NEXUS_HOST}/service/rest/v1/script/cleanup/run") + if [[ "${status_code}" -ne 200 ]]; then + error "Could not configure cleanup policy '${name}'." + fi + + echo "Cleanup policy '${name}' configured." + fi +done + +echo "Configuring repositories..." 
+for json_file in "${CONFIG_DIR}"/conf/*-repo.json; do + if [[ -f "${json_file}" ]]; then + name="$(jq -r '.name' "${json_file}")" + format="$(jq -r '.format' "${json_file}")" + type="$(jq -r '.type' "${json_file}")" + + tmp_file="$(mktemp -p "${tmp_dir}")" + jq -r 'del(.format,.type)' "${json_file}" >"${tmp_file}" + json_file="${tmp_file}" + + if [[ "${type}" == "proxy" ]]; then + password_file="${CONFIG_DIR}/secret/repo-credentials/${name}" + if [[ -f "${password_file}" ]]; then + tmp_file="$(mktemp -p "${tmp_dir}")" + jq -r --arg password "$(cat "${password_file}")" '. * {httpClient: {authentication: {password: $password}}}' "${json_file}" >"${tmp_file}" + json_file="${tmp_file}" + fi + fi + + status_code=$(curl -sS -o /dev/null -w "%{http_code}" -X GET -H 'Content-Type: application/json' -u "${NEXUS_USER}:${password}" "${NEXUS_HOST}/service/rest/v1/repositories/${format}/${type}/${name}") + if [[ "${status_code}" -eq 200 ]]; then + status_code="$(curl -sS -o /dev/null -w "%{http_code}" -X PUT -H 'Content-Type: application/json' -u "${NEXUS_USER}:${password}" -d "@${json_file}" "${NEXUS_HOST}/service/rest/v1/repositories/${format}/${type}/${name}")" + if [[ "${status_code}" -ne 204 ]]; then + error "Could not update repository '${name}'." + fi + else + status_code="$(curl -sS -o /dev/null -w "%{http_code}" -X POST -H 'Content-Type: application/json' -u "${NEXUS_USER}:${password}" -d "@${json_file}" "${NEXUS_HOST}/service/rest/v1/repositories/${format}/${type}")" + if [[ "${status_code}" -ne 201 ]]; then + error "Could not create repository '${name}'." + fi + fi + + echo "Repository '${name}' configured." + fi +done + +echo "Configuring tasks..." 
+for json_file in "${CONFIG_DIR}"/conf/*-task.json; do + if [[ -f "${json_file}" ]]; then + name="$(jq -r '.name' "${json_file}")" + + status_code=$(curl -sS -o /dev/null -w "%{http_code}" -X POST -H 'Content-Type: application/json' -u "${NEXUS_USER}:${password}" -d "@${json_file}" "${NEXUS_HOST}/service/rest/v1/script/task/run") + if [[ "${status_code}" -ne 200 ]]; then + error "Could not configure task '${name}'." + fi + + echo "Task '${name}' configured." + fi +done + +echo "Nexus3 configured successfully!" diff --git a/charts/nexus3/files/task.groovy b/charts/nexus3/scripts/task.groovy similarity index 100% rename from charts/nexus3/files/task.groovy rename to charts/nexus3/scripts/task.groovy diff --git a/charts/nexus3/templates/NOTES.txt b/charts/nexus3/templates/NOTES.txt index e2c30bcf..f5b380c8 100644 --- a/charts/nexus3/templates/NOTES.txt +++ b/charts/nexus3/templates/NOTES.txt @@ -3,5 +3,5 @@ *********************************************************************** Chart version: {{ .Chart.Version }} App version: {{ .Chart.AppVersion }} - Image tag: {{ include "nexus3.image" . }} + Image: {{ include "nexus3.image" (merge .Values.image (dict "tag" (printf "%s-java17-ubi" .Chart.AppVersion))) }} *********************************************************************** diff --git a/charts/nexus3/templates/_helpers.tpl b/charts/nexus3/templates/_helpers.tpl index fda1b62a..92e6a1a6 100644 --- a/charts/nexus3/templates/_helpers.tpl +++ b/charts/nexus3/templates/_helpers.tpl @@ -52,6 +52,16 @@ Selector labels {{- define "nexus3.selectorLabels" -}} app.kubernetes.io/name: {{ include "nexus3.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/component: repository +{{- end }} + +{{/* +Create an image +*/}} +{{- define "nexus3.image" -}} +{{- $tag := ternary (printf ":%s" .tag) "" (ne .tag "-") }} +{{- $digest := ternary (printf "@%s" .digest) "" (not (empty .digest)) }} +{{- printf "%s%s%s" .repository $tag $digest }} {{- end }} {{/* 
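Review bot: The password minted for users that do not yet exist (the `else` branch of the `*-user.json` loop) is `echo "${RANDOM}" | md5sum | head -c 20`, and `$RANDOM` is a 15-bit value, so there are only 32768 possible passwords and any chart-provisioned local user whose password is never rotated can be brute-forced against the login endpoint; draw the randomness from the kernel instead, e.g. `--arg password "$(head -c 64 /dev/urandom | base64 | tr -dc 'A-Za-z0-9' | head -c 20)"` (coreutils is evidently present since `md5sum` is already used). In the LDAP block the `sed 's|"|\\"|g;s|/|\\/|g'` pre-escaping carried over from the old script is now a bug: `jq --arg` JSON-encodes its argument itself, so a bind password containing `"` or `/` gets literal backslashes inserted and the bind fails — read the file directly with `jq --rawfile pw "${CONFIG_DIR}/secret/ldap.password" '. + {authPassword: ($pw | rtrimstr("\n"))}'`. The Groovy upload loop likewise still hand-escapes JSON with `sed` and never escapes backslashes; `jq -n --arg name "${name}" --rawfile content "${script_file}" '{name: $name, type: "groovy", content: $content}'` would be exact. Finally, every `curl -u "${NEXUS_USER}:${password}"` and `--arg password "$(cat …)"` puts the admin and repository credentials into process argv, readable by anything sharing the pod's PID namespace via `/proc`; feeding curl a config on stdin (`-K -` with `user = "…"`) or a 0600 netrc file under `${tmp_dir}` would keep them out of `ps`.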
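Review bot: `nexus3.image` only guards `.tag` against the `-` sentinel, so if `tag` is unset (NOTES.txt merges a default tag into `.Values.image` before calling it, which suggests the raw values may lack one) `ne nil "-"` evaluates true and `printf ":%s"` renders `repo:%!s(<nil>)`; guarding on emptiness as well, `{{- $tag := ternary (printf ":%s" .tag) "" (and (not (empty .tag)) (ne .tag "-")) }}`, makes the helper safe for every caller. Supporting `.digest` is welcome supply-chain hardening; a comment noting that when both tag and digest are set the kubelet pulls by digest and the tag is informational only (`# repo[:tag][@digest] — with a digest the tag is ignored at pull time`) would save operators a surprise when the tag and digest drift apart.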
@@ -66,39 +76,59 @@ Create the name of the service account to use {{- end }} {{/* -The image to use +Define the Service name */}} -{{- define "nexus3.image" -}} -{{- printf "%s:%s" .Values.image.repository (default (printf "%s-java11-ubi" .Chart.AppVersion) .Values.image.tag) }} +{{- define "nexus3.serviceName" -}} +{{- include "nexus3.fullname" . }} {{- end }} {{/* -Create pvc name. +Define the headless Service name */}} -{{- define "nexus3.pvcname" -}} -{{- template "nexus3.fullname" . -}}-data -{{- end -}} +{{- define "nexus3.headlessServiceName" -}} +{{- printf "%s-hl" ((include "nexus3.serviceName" .) | trunc 60 | trimSuffix "-") }} +{{- end }} -{{/* Get Ingress API Version */}} -{{- define "nexus3.ingress.apiVersion" -}} - {{- if and (.Capabilities.APIVersions.Has "networking.k8s.io/v1") (semverCompare ">= 1.19-0" .Capabilities.KubeVersion.Version) -}} - {{- print "networking.k8s.io/v1" -}} - {{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" -}} - {{- print "networking.k8s.io/v1beta1" -}} - {{- else -}} - {{- print "extensions/v1beta1" -}} - {{- end -}} -{{- end -}} +{{/* +Define the config scripts ConfigMap name +*/}} +{{- define "nexus3.configScriptsConfigMapName" -}} +{{- printf "%s-conf-scripts" ((include "nexus3.fullname" .) | trunc 50 | trimSuffix "-") }} +{{- end }} -{{/* Check Ingress stability */}} -{{- define "nexus3.ingress.isStable" -}} - {{- eq (include "nexus3.ingress.apiVersion" .) "networking.k8s.io/v1" -}} -{{- end -}} +{{/* +Define the config ConfigMap name +*/}} +{{- define "nexus3.configConfigMapName" -}} +{{- printf "%s-conf" ((include "nexus3.fullname" .) | trunc 58 | trimSuffix "-") }} +{{- end }} + +{{/* +Define the Logback ConfigMap name +*/}} +{{- define "nexus3.logbackConfigMapName" -}} +{{- printf "%s-logback" ((include "nexus3.fullname" .) 
| trunc 55 | trimSuffix "-") }} +{{- end }} + +{{/* +Define the properties ConfigMap name +*/}} +{{- define "nexus3.propertiesConfigMapName" -}} +{{- printf "%s-props" ((include "nexus3.fullname" .) | trunc 57 | trimSuffix "-") }} +{{- end }} + +{{/* +Define the scripts ConfigMap name +*/}} +{{- define "nexus3.scriptsConfigMapName" -}} +{{- printf "%s-scripts" ((include "nexus3.fullname" .) | trunc 55 | trimSuffix "-") }} +{{- end }} -{{/* Check Ingress supports pathType */}} -{{/* pathType was added to networking.k8s.io/v1beta1 in Kubernetes 1.18 */}} -{{- define "nexus3.ingress.supportsPathType" -}} - {{- or (eq (include "nexus3.ingress.isStable" .) "true") (and (eq (include "nexus3.ingress.apiVersion" .) "networking.k8s.io/v1beta1") (semverCompare ">= 1.18-0" .Capabilities.KubeVersion.Version)) -}} +{{/* +Define pvc name. +*/}} +{{- define "nexus3.pvcName" -}} +{{- printf "%s-data" ((include "nexus3.fullname" .) | trunc 58 | trimSuffix "-") }} {{- end -}} {{/* @@ -131,11 +161,13 @@ Patch pod affinity Patch affinity */}} {{- define "nexus3.patchAffinity" -}} -{{- if (hasKey .Values.affinity "podAffinity") }} -{{- include "nexus3.patchPodAffinity" (merge (dict "_podAffinity" .Values.affinity.podAffinity) .) }} +{{- $podAffinity := dig "podAffinity" nil .Values.affinity }} +{{- $podAntiAffinity := dig "podAntiAffinity" nil .Values.affinity }} +{{- if $podAffinity }} +{{- include "nexus3.patchPodAffinity" (merge (dict "_podAffinity" $podAffinity) .) }} {{- end }} -{{- if (hasKey .Values.affinity "podAntiAffinity") }} -{{- include "nexus3.patchPodAffinity" (merge (dict "_podAffinity" .Values.affinity.podAntiAffinity) .) }} +{{- if $podAntiAffinity }} +{{- include "nexus3.patchPodAffinity" (merge (dict "_podAffinity" $podAntiAffinity) .) }} {{- end }} {{- end }} 
@@ -147,3 +179,34 @@ Patch topology spread constraints {{- include "nexus3.patchLabelSelector" (merge (dict "_target" $constraint) $) }} {{- end }} {{- end }} + +{{/* +Common labels +*/}} +{{- define "nexus3.configJob.labels" -}} +helm.sh/chart: {{ include "nexus3.chart" . }} +{{ include "nexus3.configJob.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- with .Values.commonLabels }} +{{ toYaml . }} +{{- end }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "nexus3.configJob.selectorLabels" -}} +app.kubernetes.io/name: {{ include "nexus3.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/component: config-job +{{- end }} + +{{/* +Define config Job name. +*/}} +{{- define "nexus3.configJob.name" -}} +{{- printf "%s-config-%s" ((include "nexus3.fullname" .) | trunc 52 | trimSuffix "-") (toString .Release.Revision) }} +{{- end -}} diff --git a/charts/nexus3/templates/_test/secret-cas.yaml b/charts/nexus3/templates/_test/secret-cas.yaml index 579f79fa..62178af7 100644 --- a/charts/nexus3/templates/_test/secret-cas.yaml +++ b/charts/nexus3/templates/_test/secret-cas.yaml @@ -17,6 +17,8 @@ metadata: labels: {{- include "nexus3.labels" . | nindent 4 }} test-resource: "true" + annotations: + "helm.sh/hook": "pre-install" type: Opaque data: {{ $caName }}: {{ $caCert | quote}} diff --git a/charts/nexus3/templates/_test/secret-root-credentials.yaml b/charts/nexus3/templates/_test/secret-root-credentials.yaml index 676c9eac..511a4bb6 100644 --- a/charts/nexus3/templates/_test/secret-root-credentials.yaml +++ b/charts/nexus3/templates/_test/secret-root-credentials.yaml 
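Review bot: `nexus3.configJob.name` truncates the fullname to 52 characters and then appends `-config-` plus the release revision, which is exactly 63 characters at revision 999 and longer from revision 1000 onward, a length that the Job controller can no longer stamp into the `job-name` label on the Job's pods; a long-lived, frequently upgraded release would presumably start failing its config Job at that point. Truncating the name to whatever room the suffix leaves avoids this: `{{- $suffix := printf "-config-%s" (toString .Release.Revision) }}` followed by `{{- printf "%s%s" ((include "nexus3.fullname" .) | trunc (int (sub 63 (len $suffix))) | trimSuffix "-") $suffix }}`.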
@@ -1,5 +1,5 @@ -{{- if and .Values.testResources (or .Values.rootPassword.secret .Values.config.rootPassword.secret) -}} -{{- $secretName := default .Values.rootPassword.secret .Values.config.rootPassword.secret -}} +{{- if and .Values.testResources .Values.rootPassword.secret -}} +{{- $secretName := .Values.rootPassword.secret -}} {{- $secret := lookup "v1" "Secret" .Release.Namespace $secretName -}} {{- $password := (randAlpha 16) | b64enc -}} {{- if $secret -}} @@ -13,6 +13,8 @@ metadata: labels: {{- include "nexus3.labels" . | nindent 4 }} test-resource: "true" + annotations: + "helm.sh/hook": "pre-install" type: Opaque data: password: {{ $password | quote}} diff --git a/charts/nexus3/templates/_test/test-connection.yaml b/charts/nexus3/templates/_test/test-connection.yaml index c74e637e..6bb9aeb9 100644 --- a/charts/nexus3/templates/_test/test-connection.yaml +++ b/charts/nexus3/templates/_test/test-connection.yaml @@ -12,9 +12,19 @@ metadata: "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded,hook-failed" spec: containers: - - name: wget - image: busybox - command: ['wget'] - args: ['-O-', '{{ include "nexus3.fullname" . }}:{{ .Values.service.port }}'] + - name: test + image: {{ include "nexus3.image" .Values.bashImage }} + imagePullPolicy: {{ .Values.bashImage.pullPolicy }} + securityContext: + privileged: false + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65532 + runAsGroup: 65532 + capabilities: + drop: + - ALL + args: ["sleep 30; curl -sS {{ printf "http://%s.%s.svc.cluster.local:%s" (include "nexus3.serviceName" .) .Release.Namespace (toString .Values.service.port) }}"] restartPolicy: Never {{- end }} diff --git a/charts/nexus3/templates/_test/test-metrics.yaml b/charts/nexus3/templates/_test/test-metrics.yaml index 43f75828..96f0dd26 100644 --- a/charts/nexus3/templates/_test/test-metrics.yaml +++ b/charts/nexus3/templates/_test/test-metrics.yaml 
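Review bot: Turning the test root-credentials Secret into a `pre-install` hook removes it from the release manifest, and without a `helm.sh/hook-delete-policy` Helm never deletes hook resources, so after `helm uninstall` of a `testResources` release the Secret holding the admin password stays behind in the namespace. There is no delete policy that is safe for a Secret the release consumes at runtime (`hook-succeeded` would remove it before the workload reads it), so I would at least document the behaviour at the top of the file, e.g. `# NOTE: rendered as a pre-install hook, so it is not tracked by the release; delete it manually after uninstall.` The same consideration applies to the `pre-install` annotation added to `secret-cas.yaml`.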
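Review bot: `curl -sS` in the test container's `args` exits 0 for any HTTP response, including 4xx and 5xx, so this `helm test` passes against a Nexus that is up but returning errors; add `-f` (`curl -fsS …`) so a non-2xx status fails the Pod. A `--retry 5 --retry-connrefused --retry-delay 5` on the same call would also be more robust than the fixed `sleep 30;`, which either wastes time or is too short depending on the cluster. Because `args` is a single shell string, this only works if `bashImage`'s entrypoint is a shell invoked with `-c`; that image definition is outside this hunk, so worth confirming.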
@@ -12,9 +12,19 @@ metadata: "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded,hook-failed" spec: containers: - - name: wget - image: busybox - command: ['wget'] - args: ['-O-', '{{ include "nexus3.fullname" . }}:{{ .Values.service.port }}/service/metrics/prometheus'] + - name: test + image: {{ include "nexus3.image" .Values.bashImage }} + imagePullPolicy: {{ .Values.bashImage.pullPolicy }} + securityContext: + privileged: false + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65532 + runAsGroup: 65532 + capabilities: + drop: + - ALL + args: ["sleep 30; curl -sS {{ printf "http://%s.%s.svc.cluster.local:%s/service/metrics/prometheus" (include "nexus3.serviceName" .) .Release.Namespace (toString .Values.service.port) }}"] restartPolicy: Never {{- end }} diff --git a/charts/nexus3/templates/configmap-config-scripts.yaml b/charts/nexus3/templates/configmap-config-scripts.yaml new file mode 100644 index 00000000..90edee0e --- /dev/null +++ b/charts/nexus3/templates/configmap-config-scripts.yaml @@ -0,0 +1,15 @@ +{{- if and .Values.config.enabled .Values.rootPassword.secret -}} +{{- $root := . }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "nexus3.configScriptsConfigMapName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nexus3.labels" . | nindent 4 }} +data: +{{- range $path, $bytes := .Files.Glob "scripts/*" }} + {{ $path | base }}: | + {{- $root.Files.Get $path | nindent 4 }} +{{- end }} +{{- end -}} diff --git a/charts/nexus3/templates/configmap-config.yaml b/charts/nexus3/templates/configmap-config.yaml index c4aeb57d..b6b94f00 100644 --- a/charts/nexus3/templates/configmap-config.yaml +++ b/charts/nexus3/templates/configmap-config.yaml 
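Review bot: the guard `and .Values.config.enabled .Values.rootPassword.secret` on the first line of configmap-config-scripts.yaml is repeated verbatim in job-config.yaml (L52), and the Job mounts this ConfigMap by name, so the two conditions must stay identical or the Job references a ConfigMap that is never rendered; a helper such as `nexus3.configJob.enabled` returning that boolean would keep the predicate in one place. Inside the `range`, `$root` duplicates the built-in `$`, so `{{- $.Files.Get $path | nindent 4 }}` works without the `$root := .` line. The glob publishes every file under `scripts/`, so a comment noting that anything added to that directory lands in the Job's `/scripts` mount would help future contributors.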
@@ -1,57 +1,52 @@ {{- if .Values.config.enabled -}} -{{ $root := . }} apiVersion: v1 kind: ConfigMap metadata: - name: {{ include "nexus3.fullname" . }}-conf + name: {{ include "nexus3.configConfigMapName" . }} namespace: {{ .Release.Namespace }} labels: {{- include "nexus3.labels" . | nindent 4 }} data: - {{- range $path, $bytes := .Files.Glob "files/*" }} - {{ $path | base }}: | - {{- $root.Files.Get $path | nindent 4 }} - {{- end }} anonymous.json: | {"enabled":{{ .Values.config.anonymous.enabled }}} - {{- if .Values.config.realms.enabled }} +{{- if .Values.config.realms.enabled }} realms.json: | {{- .Values.config.realms.values | toJson | nindent 4 }} - {{- end }} +{{- end }} nx-metrics-role.json: | {"id":"nx-metrics","source":"default","name":"nx-metrics","description":"Metrics Role","privileges":["nx-metrics-all"],"roles":[]} - {{- range .Values.config.roles }} +{{- range .Values.config.roles }} {{ .id }}-role.json: | {{- . | toJson | nindent 4 }} - {{- end }} - {{- if .Values.config.anonymous.enabled }} +{{- end }} +{{- if .Values.config.anonymous.enabled }} anonymous-user.json: | {"userId":"anonymous","firstName":"Anonymous","lastName":"User","emailAddress":"anonymous@example.org","source":"default","status":"active","roles":{{ .Values.config.anonymous.roles | toJson }},"externalRoles":[]} - {{- end }} - {{- range .Values.config.users }} +{{- end }} +{{- range .Values.config.users }} {{ .userId }}-user.json: | {{- . | toJson | nindent 4 }} - {{- end }} - {{- if .Values.config.ldap.enabled }} +{{- end }} +{{- if .Values.config.ldap.enabled }} ldap.json: | - {{- with omit .Values.config.ldap "enabled" "authPassword" }} - {{- set . 
"authPassword" "PASSWORD" | toJson | nindent 4 }} - {{- end }} - {{- end }} - {{- range $index, $blobStore := .Values.config.blobStores }} +{{- with omit .Values.config.ldap "enabled" "authPassword" }} + {{- toJson | nindent 4 }} +{{- end }} +{{- end }} +{{- range $index, $blobStore := .Values.config.blobStores }} {{ $index | add 1000 | toString | substr 1 -1 }}-blobstore.json: | {{- $blobStore | toJson | nindent 4 }} - {{- end }} - {{- range $index, $cleanup := .Values.config.cleanup }} +{{- end }} +{{- range $index, $cleanup := .Values.config.cleanup }} {{ $index | add 1000 | toString | substr 1 -1 }}-cleanup.json: | {{- $cleanup | toJson | nindent 4 }} - {{- end }} - {{- range $index, $repo := .Values.config.repos }} +{{- end }} +{{- range $index, $repo := .Values.config.repos }} {{ $index | add 1000 | toString | substr 1 -1 }}-repo.json: | {{- $repo | toJson | nindent 4 }} - {{- end }} - {{- range $index, $task := .Values.config.tasks }} +{{- end }} +{{- range $index, $task := .Values.config.tasks }} {{ $index | add 1000 | toString | substr 1 -1 }}-task.json: | {{- $task | toJson | nindent 4 }} - {{- end }} +{{- end }} {{- end }} diff --git a/charts/nexus3/templates/configmap-logback.yaml b/charts/nexus3/templates/configmap-logback.yaml index bd44ff49..067f3109 100644 --- a/charts/nexus3/templates/configmap-logback.yaml +++ b/charts/nexus3/templates/configmap-logback.yaml @@ -1,7 +1,7 @@ apiVersion: v1 kind: ConfigMap metadata: - name: {{ include "nexus3.fullname" . }}-logback + name: {{ include "nexus3.logbackConfigMapName" . }} namespace: {{ .Release.Namespace }} labels: {{- include "nexus3.labels" . | nindent 4 }} @@ -23,6 +23,7 @@ data: + logback.xml: | @@ -43,6 +44,11 @@ data: + + ${karaf.data}/log/jvm.log + true + + ${karaf.data}/log/nexus.log true 
@@ -85,6 +91,42 @@ data: + + + + repositoryName + unknown + + + + ${karaf.data}/log/replication/replication-${repositoryName}.log + + %d{"yyyy-MM-dd HH:mm:ss,SSSZ"} %-5p [%thread] %node %mdc{userId:-*SYSTEM} %c - %m%n + + + ${karaf.data}/log/replication/replication-${repositoryName}-%d{yyyy-MM-dd}.log.gz + {{ .Values.logback.maxHistory }} + + + + + + + ${karaf.data}/log/outbound-request.log + true + + %msg%n + + + + ${karaf.data}/log/outbound-request-%d{yyyy-MM-dd}.log.gz + {{ .Values.logback.maxHistory }} + + + + + + ${karaf.data}/log/audit/audit.log true @@ -102,6 +144,27 @@ data: + + + blobstore-reconciliation-path + unknown + + + + + %d{"yyyy-MM-dd HH:mm:ss"},%msg%n + + + ${blobstore-reconciliation-path}/%d + {{ .Values.logback.maxHistory }} + + + + + + + + @@ -111,14 +174,32 @@ data: - + + + + + logback-tasklogfile-appender-override.xml: | + + + ${karaf.data}/log/tasks/allTasks.log + + true + + %d{"yyyy-MM-dd HH:mm:ss,SSSZ"} %-5p [%thread] %node %mdc{userId:-*SYSTEM} %c - %m%n + + + ${karaf.data}/log/tasks/allTasks-%d{yyyy-MM-dd}.log.gz + {{ .Values.logback.maxHistory }} + + + diff --git a/charts/nexus3/templates/configmap-properties.yaml b/charts/nexus3/templates/configmap-properties.yaml index 034bac41..74bfead4 100644 --- a/charts/nexus3/templates/configmap-properties.yaml +++ b/charts/nexus3/templates/configmap-properties.yaml 
@@ -1,22 +1,27 @@ apiVersion: v1 kind: ConfigMap metadata: - name: {{ include "nexus3.fullname" . }}-properties + name: {{ include "nexus3.propertiesConfigMapName" . }} namespace: {{ .Release.Namespace }} labels: {{- include "nexus3.labels" . | nindent 4 }} data: nexus.properties: | + nexus.datastore.enabled=true +{{- if gt (int .Values.replicas) 1 }} + nexus.datastore.clustered.enabled=true +{{- end }} {{- if .Values.license.enabled }} nexus.licenseFile=/var/opt/sonatype/nexus.license +{{- else }} + nexus.loadAsOSS=true {{- end }} -{{- if and (not .Values.deployment) .Values.highAvailability.enabled }} - nexus.datastore.clustered.enabled=true +{{- if .Values.config.enabled }} + nexus.scripts.allowCreation=true {{- end }} {{- range .Values.properties }} {{ . }} {{- end }} - nexus-store.properties: | {{- range .Values.storeProperties }} {{ . }} diff --git a/charts/nexus3/templates/configmap-scripts.yaml b/charts/nexus3/templates/configmap-scripts.yaml new file mode 100644 index 00000000..45212e11 --- /dev/null +++ b/charts/nexus3/templates/configmap-scripts.yaml 
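Review bot: `nexus.datastore.clustered.enabled=true` is now keyed on `gt (int .Values.replicas) 1`, while the StatefulSet hunk at L56 only honours `.Values.replicas` when `.Values.license.enabled` is set and otherwise pins `replicas: 1`; with `replicas: 2` and no license the properties put a single pod into clustered mode. Using the same predicate in both places, e.g. `{{- if and .Values.license.enabled (gt (int .Values.replicas) 1) }}`, or a shared helper, keeps them aligned. `nexus.scripts.allowCreation=true` also deserves a comment, since it enables the Groovy scripting API for the life of the server and not only while the config Job runs, e.g. `# needed by scripts/*.groovy run from the config Job; leaves the Script API enabled`.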
@@ -0,0 +1,51 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "nexus3.scriptsConfigMapName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nexus3.labels" . | nindent 4 }} +data: + import-ca-certs.sh: | + #!/usr/bin/env bash + set -euo pipefail + mkdir -p /nexus-data/keystores + cp -f "${JAVA_HOME}/lib/security/cacerts" /nexus-data/keystores/cacerts + for f in /nexus-data/secrets/cas/* + do + keytool -importcert -file "${f}" -alias "$(basename "${f}")" -keystore /nexus-data/keystores/cacerts -storepass changeit -trustcacerts -noprompt + done + download-plugins.sh: | + #!/usr/bin/env bash + set -euo pipefail + +{{- range .Values.plugins }} + curl -sSLo /deploy/{{ .name }}.kar {{ .url }} +{{- end }} + chown-data-dir.sh: | + #!/usr/bin/env bash + set -euo pipefail + + mkdir -p /nexus-data/etc/logback + mkdir -p /nexus-data/log/tasks + mkdir -p /nexus-data/log/audit + + touch -a /nexus-data/log/tasks/allTasks.log + touch -a /nexus-data/log/audit/audit.log + touch -a /nexus-data/log/request.log + + chown -R {{ .Values.podSecurityContext.fsGroup }}:{{ .Values.podSecurityContext.fsGroup }} /nexus-data + tail-logs.sh: | + #!/usr/bin/env bash + set -euo pipefail + + _term() { + kill -TERM "${child}" 2>/dev/null + } + + trap _term SIGTERM + + tail -F -n+1 "${LOG_FILE}" & + + child=$! + wait "${child}" diff --git a/charts/nexus3/templates/deployment.yaml b/charts/nexus3/templates/deployment.yaml deleted file mode 100644 index 5ab93f9d..00000000 --- a/charts/nexus3/templates/deployment.yaml +++ /dev/null 
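Review bot: `curl -sSLo /deploy/{{ .name }}.kar {{ .url }}` in `download-plugins.sh` has no `-f`, so an HTTP 404 or 5xx writes the error body into the `.kar` and the init container still exits 0; `curl -fsSLo "/deploy/{{ .name }}.kar" {{ .url | quote }}` fails the pod instead and keeps a URL with shell metacharacters from being interpreted. The downloaded plugins are installed without any integrity check; an optional per-plugin digest value verified with `sha256sum -c` before the file is placed in `/deploy` would pin what is actually loaded into the server. In `import-ca-certs.sh`, `for f in /nexus-data/secrets/cas/*` with an empty Secret hands the literal glob to `keytool` under `set -e`, so `shopt -s nullglob` (or `[ -e "${f}" ] || continue`) avoids a failed start on an empty `caCerts` secret.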
@@ -1,257 +0,0 @@ -{{- if .Values.deployment -}} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "nexus3.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "nexus3.labels" . | nindent 4 }} -spec: - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - {{- include "nexus3.selectorLabels" . | nindent 6 }} - template: - metadata: - labels: - {{- include "nexus3.selectorLabels" . | nindent 8 }} - {{- with .Values.podLabels }} - {{- toYaml . | nindent 8 }} - {{- end }} - annotations: - checksum/logback: {{ include (print $.Template.BasePath "/configmap-logback.yaml") . | sha256sum }} - checksum/properties: {{ include (print $.Template.BasePath "/configmap-properties.yaml") . | sha256sum }} - checksum/config: {{ include (print $.Template.BasePath "/configmap-config.yaml") . | sha256sum }} - {{- with .Values.podAnnotations }} - {{- toYaml . | nindent 8 }} - {{- end }} - spec: - {{- with default .Values.image.pullSecrets .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - serviceAccountName: {{ include "nexus3.serviceAccountName" . }} - {{- with .Values.podSecurityContext }} - securityContext: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.priorityClassName }} - priorityClassName: {{ . | quote }} - {{- end }} - terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} - {{- if or .Values.caCerts.enabled .Values.plugins .Values.extraInitContainers .Values.chownDataDir }} - initContainers: - {{- if .Values.caCerts.enabled }} - - name: ca-certs - image: adoptopenjdk:8-jdk-hotspot - {{- with .Values.env }} - env: - {{- toYaml . 
| nindent 12 }} - {{- end }} - command: ["/bin/sh"] - args: ["-c", "mkdir -p /nexus-data/keystores; cp -f \"${JAVA_HOME}/jre/lib/security/cacerts\" /nexus-data/keystores/cacerts; for f in /nexus-data/secrets/cas/*; do keytool -importcert -file \"${f}\" -alias \"$(basename \"${f}\")\" -keystore /nexus-data/keystores/cacerts -storepass changeit -trustcacerts -noprompt; done;"] - volumeMounts: - - mountPath: /nexus-data - name: {{ include "nexus3.pvcname" . }} - - mountPath: /nexus-data/secrets/cas - name: nexus3-cas - {{- end }} - {{- if .Values.plugins }} - - name: download-plugins - image: alpine:3 - {{- with .Values.env }} - env: - {{- toYaml . | nindent 12 }} - {{- end }} - command: ["/bin/sh"] - args: - - -c - - | - {{- range .Values.plugins }} - wget -O /deploy/{{ .name }}.kar {{ .url }} - {{- end }} - volumeMounts: - - mountPath: /deploy - name: nexus-deploy - {{- end }} - {{- with .Values.extraInitContainers }} - {{- toYaml . | nindent 8 }} - {{- end }} - {{- if .Values.chownDataDir }} - - name: volume-mount - image: alpine:3 - {{- with .Values.env }} - env: - {{- toYaml . | nindent 12 }} - {{- end }} - command: ["/bin/sh"] - args: ["-c", "mkdir -p /nexus-data/etc; chown -R 200:200 /nexus-data;"] - volumeMounts: - - mountPath: /nexus-data - name: {{ include "nexus3.pvcname" . }} - {{- end }} - {{- end }} - containers: - - name: nexus3 - {{- with .Values.securityContext }} - securityContext: - {{- toYaml . | nindent 12 }} - {{- end }} - image: {{ include "nexus3.image" . }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - env: - {{- with .Values.env }} - {{- toYaml . 
| nindent 12 }} - {{- end }} - {{- if or .Values.rootPassword.secret .Values.config.rootPassword.secret }} - - name: NEXUS_SECURITY_INITIAL_PASSWORD - valueFrom: - secretKeyRef: - name: {{ default .Values.rootPassword.secret .Values.config.rootPassword.secret }} - key: {{ default .Values.rootPassword.key .Values.config.rootPassword.key }} - {{- end }} - - name: INSTALL4J_ADD_VM_PARAMS - {{- if .Values.caCerts.enabled }} - value: {{ printf "-Xms%s -Xmx%s %s -Djava.util.prefs.userRoot=${NEXUS_DATA}/javaprefs -Djavax.net.ssl.trustStore=${NEXUS_DATA}/keystores/cacerts %s" .Values.envVars.jvmMinHeapSize .Values.envVars.jvmMaxHeapSize .Values.envVars.jvmAdditionalMemoryOptions .Values.envVars.jvmAdditionalOptions | quote }} - {{- else }} - value: {{ printf "-Xms%s -Xmx%s %s -Djava.util.prefs.userRoot=${NEXUS_DATA}/javaprefs %s" .Values.envVars.jvmMinHeapSize .Values.envVars.jvmMaxHeapSize .Values.envVars.jvmAdditionalMemoryOptions .Values.envVars.jvmAdditionalOptions | quote }} - {{- end }} - {{- if and .Values.config.enabled (or .Values.rootPassword.secret .Values.config.rootPassword.secret) }} - lifecycle: - postStart: - exec: - command: - - "/bin/bash" - - "-c" - - "${SONATYPE_DIR}/nexus/conf/configure.sh > /proc/1/fd/1 2>/proc/1/fd/2" - {{- end }} - ports: - - name: http - containerPort: 8081 - protocol: TCP - {{- range .Values.service.additionalPorts }} - - name: {{ .name }} - containerPort: {{ .containerPort }} - protocol: TCP - {{- end }} - livenessProbe: - {{- toYaml .Values.livenessProbe | nindent 12 }} - readinessProbe: - {{- toYaml .Values.readinessProbe | nindent 12 }} - volumeMounts: - - mountPath: /nexus-data - name: {{ include "nexus3.pvcname" . }} - - mountPath: /opt/sonatype/nexus/etc/logback - name: {{ include "nexus3.fullname" . }}-logback - readOnly: true - - mountPath: /nexus-data/etc/nexus.properties - name: {{ include "nexus3.fullname" . 
}}-properties - subPath: nexus.properties - readOnly: true - - mountPath: /nexus-data/etc/fabric/nexus-store.properties - name: {{ include "nexus3.fullname" . }}-properties - subPath: nexus-store.properties - readOnly: true - {{- if .Values.license.enabled }} - - mountPath: /var/opt/sonatype/nexus.license - name: license - subPath: {{ .Values.license.key }} - readOnly: true - {{- end }} - {{- if .Values.plugins }} - - mountPath: /opt/sonatype/nexus/deploy - name: nexus-deploy - {{- end }} - {{- if and .Values.config.enabled (or .Values.rootPassword.secret .Values.config.rootPassword.secret) }} - - mountPath: /opt/sonatype/nexus/conf - name: {{ include "nexus3.fullname" . }}-conf - readOnly: true - {{- if .Values.config.ldap.enabled }} - - mountPath: /opt/sonatype/nexus/secret/ldap.password - name: {{ .Values.config.ldap.authPassword.secret }} - subPath: {{ .Values.config.ldap.authPassword.key }} - readOnly: true - {{- end }} - {{- if .Values.config.repoCredentials.enabled }} - - mountPath: /opt/sonatype/nexus/secret/repo-credentials - name: {{ .Values.config.repoCredentials.secret }} - readOnly: true - {{- end }} - {{- end }} - {{- with .Values.extraVolumeMounts }} - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.resources }} - resources: - {{- toYaml . | nindent 12 }} - {{- end }} - volumes: - - name: {{ include "nexus3.pvcname" . }} - {{- if .Values.persistence.enabled }} - persistentVolumeClaim: - claimName: {{ .Values.persistence.existingClaim | default (include "nexus3.pvcname" .) }} - {{- else }} - emptyDir: {} - {{- end }} - {{- if .Values.license.enabled }} - - name: license - secret: - secretName: {{ .Values.license.secret }} - {{- end }} - {{- if .Values.caCerts.enabled }} - - name: nexus3-cas - secret: - secretName: {{ .Values.caCerts.secret }} - {{- end }} - - name: {{ include "nexus3.fullname" . }}-logback - configMap: - name: {{ include "nexus3.fullname" . }}-logback - defaultMode: 0755 - - name: {{ include "nexus3.fullname" . 
}}-properties - configMap: - name: {{ include "nexus3.fullname" . }}-properties - defaultMode: 0755 - {{- if .Values.plugins }} - - name: nexus-deploy - emptyDir: {} - {{- end }} - {{- if and .Values.config.enabled (or .Values.rootPassword.secret .Values.config.rootPassword.secret) }} - - name: {{ include "nexus3.fullname" . }}-conf - configMap: - name: {{ include "nexus3.fullname" . }}-conf - defaultMode: 0755 - {{- if and .Values.config.ldap.enabled }} - - name: {{ .Values.config.ldap.authPassword.secret }} - secret: - secretName: {{ .Values.config.ldap.authPassword.secret }} - {{- end }} - {{- if .Values.config.repoCredentials.enabled }} - - name: {{ .Values.config.repoCredentials.secret }} - secret: - secretName: {{ .Values.config.repoCredentials.secret }} - {{- end }} - {{- end }} - {{- with .Values.extraVolumes }} - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.affinity }} - {{- $_ := include "nexus3.patchAffinity" $ }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.topologySpreadConstraints }} - {{- $_ := include "nexus3.patchTopologySpreadConstraints" $ }} - topologySpreadConstraints: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} -{{- end }} diff --git a/charts/nexus3/templates/ingress.yaml b/charts/nexus3/templates/ingress.yaml index f3c59dc4..ed554042 100644 --- a/charts/nexus3/templates/ingress.yaml +++ b/charts/nexus3/templates/ingress.yaml 
@@ -1,8 +1,6 @@ {{- if .Values.ingress.enabled -}} -{{- $apiIsStable := eq (include "nexus3.ingress.isStable" .) "true" -}} -{{- $ingressSupportsPathType := eq (include "nexus3.ingress.supportsPathType" .) "true" -}} {{- $serviceName := include "nexus3.fullname" . -}} -apiVersion: {{ include "nexus3.ingress.apiVersion" . }} +apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: {{ $serviceName }} @@ -14,28 +12,19 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} spec: -{{- if and $apiIsStable .Values.ingress.ingressClassName }} ingressClassName: {{ .Values.ingress.ingressClassName }} -{{- end }} rules: {{- range .Values.ingress.hosts }} - host: {{ . | quote }} http: paths: - path: / - {{- if $ingressSupportsPathType }} pathType: Prefix - {{- end }} backend: - {{- if $apiIsStable }} service: name: {{ $serviceName }} port: name: http - {{- else }} - serviceName: {{ $serviceName }} - servicePort: http - {{- end }} {{- end }} {{- range $additionalPort := .Values.service.additionalPorts }} {{- range ternary $additionalPort.hosts (list $additionalPort.host) (empty $additionalPort.host) }} @@ -43,19 +32,12 @@ spec: http: paths: - path: / - {{- if $ingressSupportsPathType }} pathType: Prefix - {{- end }} backend: - {{- if $apiIsStable }} service: name: {{ $serviceName }} port: name: {{ $additionalPort.name }} - {{- else }} - serviceName: {{ $serviceName }} - servicePort: {{ $additionalPort.name }} - {{- end }} {{- end }} {{- end }} {{- if .Values.ingress.tls }} diff --git a/charts/nexus3/templates/job-config.yaml b/charts/nexus3/templates/job-config.yaml new file mode 100644 index 00000000..4557fad8 --- /dev/null +++ b/charts/nexus3/templates/job-config.yaml 
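Review bot: `ingressClassName: {{ .Values.ingress.ingressClassName }}` is now emitted unconditionally, so an empty value renders `ingressClassName:` (null) where the previous guard omitted the field; wrapping it as `{{- with .Values.ingress.ingressClassName }}` / `ingressClassName: {{ . }}` / `{{- end }}` keeps the old behaviour on the v1 API. The backend still uses `$serviceName := include "nexus3.fullname" .`, while service.yaml (L55) now names the Service with `nexus3.serviceName`; if that helper can differ from `fullname`, the Ingress points at a Service that does not exist, so `$serviceName := include "nexus3.serviceName" .` would be the consistent choice.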
@@ -0,0 +1,98 @@ +{{- if and .Values.config.enabled .Values.rootPassword.secret -}} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "nexus3.configJob.name" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nexus3.labels" . | nindent 4 }} +spec: + template: + metadata: + name: {{ include "nexus3.configJob.name" . }} + labels: + {{- include "nexus3.configJob.selectorLabels" . | nindent 8 }} + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap-config.yaml") . | sha256sum }} + checksum/scripts: {{ include (print $.Template.BasePath "/configmap-scripts.yaml") . | sha256sum }} + spec: + restartPolicy: Never + containers: + - name: config + image: {{ include "nexus3.image" .Values.config.job.image }} + imagePullPolicy: {{ .Values.config.job.image.pullPolicy }} + securityContext: + privileged: false + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65532 + runAsGroup: 65532 + capabilities: + drop: + - ALL + env: + - name: NEXUS_HOST + value: {{ printf "http://%s.%s.svc.cluster.local:%s" (include "nexus3.serviceName" .) 
.Release.Namespace (toString .Values.service.port) }} + - name: NEXUS_USER + value: admin + - name: NEXUS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.rootPassword.secret }} + key: {{ .Values.rootPassword.key }} + - name: CONFIG_DIR + value: /opt/sonatype/nexus/config + args: ["/scripts/configure.sh"] + volumeMounts: + - mountPath: /tmp + name: temp + - mountPath: /scripts + name: scripts + - mountPath: /opt/sonatype/nexus/config/conf + name: config + {{- if .Values.config.ldap.enabled }} + - mountPath: /opt/sonatype/nexus/config/secret/ldap.password + name: ldap-password + subPath: {{ .Values.config.ldap.authPassword.key }} + {{- end }} + {{- if .Values.config.repoCredentials.enabled }} + - mountPath: /opt/sonatype/nexus/config/secret/repo-credentials + name: repo-credentials + {{- end }} + volumes: + - name: temp + emptyDir: {} + - name: scripts + configMap: + name: {{ include "nexus3.configScriptsConfigMapName" . }} + defaultMode: 0555 + - name: config + configMap: + name: {{ include "nexus3.configConfigMapName" . }} + defaultMode: 0444 + {{- if .Values.config.ldap.enabled }} + - name: ldap-password + secret: + secretName: {{ .Values.config.ldap.authPassword.secret }} + {{- end }} + {{- if .Values.config.repoCredentials.enabled }} + - name: repo-credentials + secret: + secretName: {{ .Values.config.repoCredentials.secret }} + {{- end }} + {{- with .Values.config.job.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.config.job.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.config.job.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + backoffLimit: 0 + ttlSecondsAfterFinished: {{ .Values.config.job.ttlSecondsAfterFinished }} + {{- end -}} diff --git a/charts/nexus3/templates/pdb.yaml b/charts/nexus3/templates/pdb.yaml new file mode 100644 index 00000000..d85ed24c --- /dev/null +++ b/charts/nexus3/templates/pdb.yaml 
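Review bot: the `config` container's `securityContext` drops all capabilities and runs as 65532, but neither it nor the pod sets `seccompProfile`, so the pod does not meet the `restricted` Pod Security Standard; adding `seccompProfile:` / `type: RuntimeDefault` under `securityContext` closes that gap, and the same applies to the test pods (L39, L40) and the `download-plugins` init container (L58). The Job carries no `helm.sh/hook` annotation and has `backoffLimit: 0`, so a failed configuration run does not fail the install or upgrade; the release is marked deployed and the failure is only visible in the Job status, which is worth a comment at the top of the template. `NEXUS_USER` is hard-coded to `admin` while the password comes from `rootPassword.secret`, a reasonable pairing that is currently undocumented.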
@@ -0,0 +1,24 @@ +{{- if and .Values.podDisruptionBudget.enabled (or .Values.podDisruptionBudget.minAvailable .Values.podDisruptionBudget.maxUnavailable) -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "nexus3.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nexus3.labels" . | nindent 4 }} +spec: + selector: + matchLabels: + {{- include "nexus3.selectorLabels" . | nindent 6 }} +{{- with .Values.podDisruptionBudget.minAvailable }} + minAvailable: {{ . }} +{{- end }} +{{- with .Values.podDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ . }} +{{- end }} +{{- if (semverCompare ">= 1.27-0" .Capabilities.KubeVersion.Version) }} +{{- with .Values.podDisruptionBudget.unhealthyPodEvictionPolicy }} + unhealthyPodEvictionPolicy: {{ . }} +{{- end }} +{{- end }} +{{- end -}} diff --git a/charts/nexus3/templates/pvc.yaml b/charts/nexus3/templates/pvc.yaml deleted file mode 100644 index 13a6b05e..00000000 --- a/charts/nexus3/templates/pvc.yaml +++ /dev/null @@ -1,26 +0,0 @@ -{{- if and .Values.deployment .Values.persistence.enabled (not .Values.persistence.existingClaim) }} -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: {{ include "nexus3.pvcname" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "nexus3.labels" . | nindent 4 }} - {{- with .Values.persistence.annotations }} - annotations: - {{ . | toYaml | trim | nindent 4 }} - {{- end }} -spec: - accessModes: - - {{ .Values.persistence.accessMode | quote }} - resources: - requests: - storage: {{ .Values.persistence.size | quote }} - {{- with .Values.persistence.storageClass }} - {{- if (eq "-" .) }} - storageClassName: "" - {{- else }} - storageClassName: {{ . | quote }} - {{- end }} - {{- end }} -{{- end }} diff --git a/charts/nexus3/templates/service-headless.yaml b/charts/nexus3/templates/service-headless.yaml new file mode 100644 index 00000000..652f04e9 --- /dev/null +++ b/charts/nexus3/templates/service-headless.yaml 
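Review bot: the template renders both `minAvailable` and `maxUnavailable` when both values are set, and the API server rejects a PodDisruptionBudget that carries both, so the `or` in the guard admits a combination that cannot be applied. Either document in values.yaml that the two are mutually exclusive, or render the `maxUnavailable` block only inside `{{- if not .Values.podDisruptionBudget.minAvailable }}` so `minAvailable` wins deterministically.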
@@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "nexus3.headlessServiceName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nexus3.labels" . | nindent 4 }} + prometheus.io/service-monitor: "false" + {{- with .Values.service.annotations }} + annotations: + {{- . | toYaml | nindent 4 }} + {{- end }} +spec: + type: ClusterIP + clusterIP: None + publishNotReadyAddresses: true + ports: + - port: {{ .Values.service.port }} + targetPort: http + protocol: TCP + name: http + selector: + {{- include "nexus3.selectorLabels" . | nindent 4 }} diff --git a/charts/nexus3/templates/service.yaml b/charts/nexus3/templates/service.yaml index 871b3d95..efc69c7c 100644 --- a/charts/nexus3/templates/service.yaml +++ b/charts/nexus3/templates/service.yaml @@ -1,7 +1,7 @@ apiVersion: v1 kind: Service metadata: - name: {{ include "nexus3.fullname" . }} + name: {{ include "nexus3.serviceName" . }} namespace: {{ .Release.Namespace }} labels: {{- include "nexus3.labels" . | nindent 4 }} @@ -11,9 +11,6 @@ metadata: {{- end }} spec: type: {{ .Values.service.type }} - {{- if and (eq .Values.service.type "ClusterIP") .Values.service.clusterIP }} - clusterIP: {{ .Values.service.clusterIP }} - {{- end }} ports: - port: {{ .Values.service.port }} targetPort: http diff --git a/charts/nexus3/templates/servicemonitor.yaml b/charts/nexus3/templates/servicemonitor.yaml index e4d52456..699c8b43 100644 --- a/charts/nexus3/templates/servicemonitor.yaml +++ b/charts/nexus3/templates/servicemonitor.yaml @@ -2,7 +2,7 @@ apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: - name: {{ include "nexus3.fullname" . }} + name: {{ include "nexus3.serviceName" . }} namespace: {{ .Release.Namespace }} labels: {{- include "nexus3.labels" . | nindent 4 }} 
@@ -17,14 +17,15 @@ spec: selector: matchLabels: {{- include "nexus3.selectorLabels" . | nindent 6 }} + matchExpressions: + - key: prometheus.io/service-monitor + operator: NotIn + values: + - "false" endpoints: - port: http path: /service/metrics/prometheus - {{- if .Values.metrics.serviceMonitor.endpointConfig }} - {{- toYaml .Values.metrics.serviceMonitor.endpointConfig | nindent 6 }} - {{- else }} - {{- with .Values.metrics.serviceMonitor.interval }} - interval: {{ . }} - {{- end }} + {{- with .Values.metrics.serviceMonitor.endpointConfig }} + {{- toYaml . | nindent 6 }} {{- end }} {{- end }} diff --git a/charts/nexus3/templates/statefulset.yaml b/charts/nexus3/templates/statefulset.yaml index 449cac00..472412e4 100644 --- a/charts/nexus3/templates/statefulset.yaml +++ b/charts/nexus3/templates/statefulset.yaml @@ -1,4 +1,3 @@ -{{- if not .Values.deployment -}} apiVersion: apps/v1 kind: StatefulSet metadata: @@ -8,11 +7,25 @@ metadata: {{- include "nexus3.labels" . | nindent 4 }} spec: serviceName: {{ include "nexus3.fullname" . }} - {{- if .Values.highAvailability.enabled }} - replicas: {{ .Values.highAvailability.replicas }} + {{- if .Values.license.enabled }} + replicas: {{ .Values.replicas }} {{- else }} replicas: 1 {{- end }} + {{- with .Values.updateStrategy }} + updateStrategy: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.ordinals }} + ordinals: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.podManagementPolicy }} + podManagementPolicy: {{ . }} + {{- end }} + {{- with .Values.minReadySeconds }} + minReadySeconds: {{ . }} + {{- end }} selector: matchLabels: {{- include "nexus3.selectorLabels" . | nindent 6 }} 
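Review bot: `serviceName: {{ include "nexus3.fullname" . }}` (context at the top of the StatefulSet hunk) still points the StatefulSet at the fullname, while the new headless Service at L55 is named by `nexus3.headlessServiceName`; unless that helper returns the fullname, the per-pod DNS records, which are only created for a headless Service, are not registered, which matters now that clustered mode can be enabled. `serviceName: {{ include "nexus3.headlessServiceName" . }}` ties the two together. The new `replicas` logic also silently ignores `.Values.replicas` without a license, a fair rule that deserves a comment in the template or in values.yaml.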
@@ -26,12 +39,12 @@ spec: annotations: checksum/logback: {{ include (print $.Template.BasePath "/configmap-logback.yaml") . | sha256sum }} checksum/properties: {{ include (print $.Template.BasePath "/configmap-properties.yaml") . | sha256sum }} - checksum/config: {{ include (print $.Template.BasePath "/configmap-config.yaml") . | sha256sum }} + checksum/scripts: {{ include (print $.Template.BasePath "/configmap-scripts.yaml") . | sha256sum }} {{- with .Values.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} spec: - {{- with default .Values.image.pullSecrets .Values.imagePullSecrets }} + {{- with .Values.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} 
@@ -44,57 +57,150 @@ spec: priorityClassName: {{ . | quote }} {{- end }} terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} - {{- if or .Values.caCerts.enabled .Values.plugins .Values.extraInitContainers .Values.chownDataDir }} initContainers: {{- if .Values.caCerts.enabled }} - - name: ca-certs - image: adoptopenjdk:8-jdk-hotspot + - name: import-ca-certs + image: {{ include "nexus3.image" .Values.jdkImage }} + imagePullPolicy: {{ .Values.jdkImage.pullPolicy }} + securityContext: + privileged: false + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: false + runAsUser: 0 + runAsGroup: 0 {{- with .Values.env }} env: {{- toYaml . | nindent 12 }} {{- end }} - command: ["/bin/sh"] - args: ["-c", "mkdir -p /nexus-data/keystores; cp -f \"${JAVA_HOME}/jre/lib/security/cacerts\" /nexus-data/keystores/cacerts; for f in /nexus-data/secrets/cas/*; do keytool -importcert -file \"${f}\" -alias \"$(basename \"${f}\")\" -keystore /nexus-data/keystores/cacerts -storepass changeit -trustcacerts -noprompt; done;"] + command: ["/bin/bash", "-c"] + args: ["/scripts/import-ca-certs.sh"] volumeMounts: + - mountPath: /scripts/import-ca-certs.sh + name: scripts + subPath: import-ca-certs.sh - mountPath: /nexus-data - name: {{ include "nexus3.pvcname" . }} + name: data - mountPath: /nexus-data/secrets/cas - name: nexus3-cas + name: ca-certs {{- end }} {{- if .Values.plugins }} - name: download-plugins - image: alpine:3 + image: {{ include "nexus3.image" .Values.bashImage }} + imagePullPolicy: {{ .Values.bashImage.pullPolicy }} + securityContext: + privileged: false + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65532 + runAsGroup: 65532 + capabilities: + drop: + - ALL {{- with .Values.env }} env: {{- toYaml . 
| nindent 12 }} {{- end }} - command: ["/bin/sh"] - args: - - -c - - | - {{- range .Values.plugins }} - wget -O /deploy/{{ .name }}.kar {{ .url }} - {{- end }} + args: ["/scripts/download-plugins.sh"] volumeMounts: + - mountPath: /scripts/download-plugins.sh + name: scripts + subPath: download-plugins.sh - mountPath: /deploy - name: nexus-deploy + name: deploy {{- end }} {{- with .Values.extraInitContainers }} {{- toYaml . | nindent 8 }} {{- end }} - {{- if .Values.chownDataDir }} - - name: volume-mount - image: alpine:3 + - name: chown-data-dir + image: {{ include "nexus3.image" .Values.bashImage }} + imagePullPolicy: {{ .Values.bashImage.pullPolicy }} + securityContext: + privileged: false + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: false + runAsUser: 0 + runAsGroup: 0 {{- with .Values.env }} env: {{- toYaml . | nindent 12 }} {{- end }} - command: ["/bin/sh"] - args: ["-c", "mkdir -p /nexus-data/etc; chown -R 200:200 /nexus-data;"] + args: ["/scripts/chown-data-dir.sh"] volumeMounts: + - mountPath: /scripts/chown-data-dir.sh + name: scripts + subPath: chown-data-dir.sh - mountPath: /nexus-data - name: {{ include "nexus3.pvcname" . }} - {{- end }} + name: data + {{- if (semverCompare ">= 1.29-0" .Capabilities.KubeVersion.Version) }} + - name: tail-request-log + restartPolicy: Always + image: {{ include "nexus3.image" .Values.bashImage }} + imagePullPolicy: {{ .Values.bashImage.pullPolicy }} + {{- with .Values.securityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + env: + - name: LOG_FILE + value: /nexus-data/log/request.log + args: ["/scripts/tail-logs.sh"] + volumeMounts: + - mountPath: /scripts/tail-logs.sh + name: scripts + subPath: tail-logs.sh + - mountPath: /nexus-data + name: data + {{- with .Values.tailLogs.resources }} + resources: + {{- toYaml . 
| nindent 12 }} + {{- end }} + - name: tail-audit-log + restartPolicy: Always + image: {{ include "nexus3.image" .Values.bashImage }} + imagePullPolicy: {{ .Values.bashImage.pullPolicy }} + {{- with .Values.securityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + env: + - name: LOG_FILE + value: /nexus-data/log/audit/audit.log + args: ["/scripts/tail-logs.sh"] + volumeMounts: + - mountPath: /scripts/tail-logs.sh + name: scripts + subPath: tail-logs.sh + - mountPath: /nexus-data + name: data + {{- with .Values.tailLogs.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + - name: tail-tasks-log + restartPolicy: Always + image: {{ include "nexus3.image" .Values.bashImage }} + imagePullPolicy: {{ .Values.bashImage.pullPolicy }} + {{- with .Values.securityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + env: + - name: LOG_FILE + value: /nexus-data/log/tasks/allTasks.log + args: ["/scripts/tail-logs.sh"] + volumeMounts: + - mountPath: /scripts/tail-logs.sh + name: scripts + subPath: tail-logs.sh + - mountPath: /nexus-data + name: data + {{- with .Values.tailLogs.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} {{- end }} containers: - name: nexus3 
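Review bot: the `chown-data-dir` init container now runs unconditionally (the old `.Values.chownDataDir` guard is removed) as root with no `capabilities.drop`, so every pod start performs a recursive `chown` over the whole data volume; on a large repository volume that is slow, and it keeps a wider root window than the other init containers that drop all capabilities. Keeping the opt-out, and dropping `ALL` then adding back only `CHOWN`, `FOWNER` and `DAC_OVERRIDE` (likewise for `import-ca-certs`), limits the container to what the script needs. The three `tail-*` sidecars only read log files, so their `/nexus-data` mount can be `readOnly: true`. The hunk starts mid-`spec` and the container list continues past it.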
@@ -102,34 +208,26 @@ spec: securityContext: {{- toYaml . | nindent 12 }} {{- end }} - image: {{ include "nexus3.image" . }} + image: {{ include "nexus3.image" (merge .Values.image (dict "tag" (printf "%s-java17-ubi" .Chart.AppVersion))) }} imagePullPolicy: {{ .Values.image.pullPolicy }} env: - name: INSTALL4J_ADD_VM_PARAMS - {{- if .Values.caCerts.enabled }} - value: {{ printf "-Xms%s -Xmx%s %s -Djava.util.prefs.userRoot=${NEXUS_DATA}/javaprefs -Djavax.net.ssl.trustStore=${NEXUS_DATA}/keystores/cacerts %s" .Values.envVars.jvmMinHeapSize .Values.envVars.jvmMaxHeapSize .Values.envVars.jvmAdditionalMemoryOptions .Values.envVars.jvmAdditionalOptions | quote }} - {{- else }} - value: {{ printf "-Xms%s -Xmx%s %s -Djava.util.prefs.userRoot=${NEXUS_DATA}/javaprefs %s" .Values.envVars.jvmMinHeapSize .Values.envVars.jvmMaxHeapSize .Values.envVars.jvmAdditionalMemoryOptions .Values.envVars.jvmAdditionalOptions | quote }} - {{- end }} - {{- if or .Values.rootPassword.secret .Values.config.rootPassword.secret }} + value: {{ printf "-Djava.util.prefs.userRoot=${NEXUS_DATA}/javaprefs%s %s" (ternary " -Djavax.net.ssl.trustStore=${NEXUS_DATA}/keystores/cacerts" "" .Values.caCerts.enabled) .Values.install4jAddVmParams }} + {{- if .Values.rootPassword.secret }} + - name: NEXUS_SECURITY_RANDOMPASSWORD + value: "false" - name: NEXUS_SECURITY_INITIAL_PASSWORD valueFrom: secretKeyRef: - name: {{ default .Values.rootPassword.secret .Values.config.rootPassword.secret }} - key: {{ default .Values.rootPassword.key .Values.config.rootPassword.key }} + name: {{ .Values.rootPassword.secret }} + key: {{ .Values.rootPassword.key }} + {{- else }} + - name: NEXUS_SECURITY_RANDOMPASSWORD + value: "true" {{- end }} {{- with .Values.env }} {{- toYaml . 
| nindent 12 }} {{- end }} - {{- if and .Values.config.enabled (or .Values.rootPassword.secret .Values.config.rootPassword.secret) }} - lifecycle: - postStart: - exec: - command: - - "/bin/bash" - - "-c" - - "${SONATYPE_DIR}/nexus/conf/configure.sh > /proc/1/fd/1 2>/proc/1/fd/2" - {{- end }} ports: - name: http containerPort: 8081 @@ -139,24 +237,28 @@ spec: containerPort: {{ .containerPort }} protocol: TCP {{- end }} + startupProbe: + {{- toYaml .Values.startupProbe | nindent 12 }} livenessProbe: {{- toYaml .Values.livenessProbe | nindent 12 }} readinessProbe: {{- toYaml .Values.readinessProbe | nindent 12 }} volumeMounts: + - mountPath: /tmp + name: temp - mountPath: /nexus-data - name: {{ include "nexus3.pvcname" . }} + name: data - mountPath: /opt/sonatype/nexus/etc/logback - name: {{ include "nexus3.fullname" . }}-logback - readOnly: true + name: logback - mountPath: /nexus-data/etc/nexus.properties - name: {{ include "nexus3.fullname" . }}-properties + name: properties subPath: nexus.properties - readOnly: true + {{- if .Values.storeProperties }} - mountPath: /nexus-data/etc/fabric/nexus-store.properties - name: {{ include "nexus3.fullname" . }}-properties + name: properties subPath: nexus-store.properties readOnly: true + {{- end }} {{- if .Values.license.enabled }} - mountPath: /var/opt/sonatype/nexus.license name: license 
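Review bot: The new `INSTALL4J_ADD_VM_PARAMS` line drops the `| quote` that both removed branches carried, and its tail is the user-supplied `.Values.install4jAddVmParams`; a value containing ` #` or `: ` would then render a truncated or invalid manifest instead of failing at template time. Restoring the filter is a one-token change: `value: {{ printf "-Djava.util.prefs.userRoot=${NEXUS_DATA}/javaprefs%s %s" (ternary " -Djavax.net.ssl.trustStore=${NEXUS_DATA}/keystores/cacerts" "" .Values.caCerts.enabled) .Values.install4jAddVmParams | quote }}`. The `image:` line also relies on Sprig `merge`, whose first argument is the destination it writes into, so `.Values.image.tag` is presumably left holding the computed tag for every template rendered after this one; `(merge (deepCopy .Values.image) (dict "tag" (printf "%s-java17-ubi" .Chart.AppVersion)))` keeps the values map untouched. The container definition starts before this hunk.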
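Review bot: `readOnly: true` is removed from the logback and `nexus.properties` mounts in this hunk while the `nexus-store.properties` mount directly below keeps it, so the three configMap mounts no longer agree. The kubelet mounts configMap volumes read-only in any case, but the explicit flag documents the intent and keeps the mounts consistent; add `readOnly: true` back under `name: logback` and under `subPath: nexus.properties`. The volumeMounts list continues in the next hunk.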
@@ -165,34 +267,97 @@ spec: {{- end }} {{- if .Values.plugins }} - mountPath: /opt/sonatype/nexus/deploy - name: nexus-deploy + name: deploy {{- end }} - {{- if and .Values.config.enabled (or .Values.rootPassword.secret .Values.config.rootPassword.secret) }} - - mountPath: /opt/sonatype/nexus/conf - name: {{ include "nexus3.fullname" . }}-conf - readOnly: true - {{- if .Values.config.ldap.enabled }} - - mountPath: /opt/sonatype/nexus/secret/ldap.password - name: {{ .Values.config.ldap.authPassword.secret }} - subPath: {{ .Values.config.ldap.authPassword.key }} - readOnly: true + {{- with .Values.extraVolumeMounts }} + {{- toYaml . | nindent 12 }} {{- end }} - {{- if .Values.config.repoCredentials.enabled }} - - mountPath: /opt/sonatype/nexus/secret/repo-credentials - name: {{ .Values.config.repoCredentials.secret }} - readOnly: true + {{- with .Values.resources }} + resources: + {{- toYaml . | nindent 12 }} {{- end }} + {{- if (semverCompare "< 1.29-0" .Capabilities.KubeVersion.Version) }} + - name: tail-request-log + image: {{ include "nexus3.image" .Values.bashImage }} + imagePullPolicy: {{ .Values.bashImage.pullPolicy }} + {{- with .Values.securityContext }} + securityContext: + {{- toYaml . | nindent 12 }} {{- end }} - {{- with .Values.extraVolumeMounts }} + env: + - name: LOG_FILE + value: /nexus-data/log/request.log + args: ["/scripts/tail-logs.sh"] + volumeMounts: + - mountPath: /scripts/tail-logs.sh + name: scripts + subPath: tail-logs.sh + - mountPath: /nexus-data + name: data + {{- with .Values.tailLogs.resources }} + resources: {{- toYaml . | nindent 12 }} {{- end }} - {{- with .Values.resources }} + - name: tail-audit-log + image: {{ include "nexus3.image" .Values.bashImage }} + imagePullPolicy: {{ .Values.bashImage.pullPolicy }} + {{- with .Values.securityContext }} + securityContext: + {{- toYaml . 
| nindent 12 }} + {{- end }} + env: + - name: LOG_FILE + value: /nexus-data/log/audit/audit.log + args: ["/scripts/tail-logs.sh"] + volumeMounts: + - mountPath: /scripts/tail-logs.sh + name: scripts + subPath: tail-logs.sh + - mountPath: /nexus-data + name: data + {{- with .Values.tailLogs.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + - name: tail-tasks-log + image: {{ include "nexus3.image" .Values.bashImage }} + imagePullPolicy: {{ .Values.bashImage.pullPolicy }} + {{- with .Values.securityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + env: + - name: LOG_FILE + value: /nexus-data/log/tasks/allTasks.log + args: ["/scripts/tail-logs.sh"] + volumeMounts: + - mountPath: /scripts/tail-logs.sh + name: scripts + subPath: tail-logs.sh + - mountPath: /nexus-data + name: data + {{- with .Values.tailLogs.resources }} resources: {{- toYaml . | nindent 12 }} {{- end }} + {{- end }} volumes: + - name: temp + emptyDir: {} + - name: scripts + configMap: + name: {{ include "nexus3.scriptsConfigMapName" . }} + defaultMode: 0555 + - name: logback + configMap: + name: {{ include "nexus3.logbackConfigMapName" . }} + defaultMode: 0444 + - name: properties + configMap: + name: {{ include "nexus3.propertiesConfigMapName" . }} + defaultMode: 0444 {{- if not .Values.persistence.enabled }} - - name: {{ include "nexus3.pvcname" . }} + - name: data emptyDir: {} {{- end }} {{- if .Values.license.enabled }} 
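Review bot: The three `tail-*` containers added for clusters below 1.29 mount `/nexus-data` read-write although they only tail a log file named by `LOG_FILE`; if `tail-logs.sh` only reads (the script is not in this diff, so confirm), `readOnly: true` on that mount limits what a compromised sidecar can do to the repository data. The same three stanzas are also repeated near-verbatim in the `>= 1.29-0` branch above (which starts before this chunk), differing only in `restartPolicy: Always` and the log path, so a `range` over name/file pairs (or a named template in `_helpers.tpl`) would keep both branches in step. The rewritten `< 1.29-0` branch below shows the shape; the `>= 1.29-0` branch would differ only by the `restartPolicy` line.
```yaml
        {{- if (semverCompare "< 1.29-0" .Capabilities.KubeVersion.Version) }}
        {{- range $log := list (dict "name" "tail-request-log" "file" "/nexus-data/log/request.log") (dict "name" "tail-audit-log" "file" "/nexus-data/log/audit/audit.log") (dict "name" "tail-tasks-log" "file" "/nexus-data/log/tasks/allTasks.log") }}
        - name: {{ $log.name }}
          image: {{ include "nexus3.image" $.Values.bashImage }}
          imagePullPolicy: {{ $.Values.bashImage.pullPolicy }}
          {{- with $.Values.securityContext }}
          securityContext:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          env:
            - name: LOG_FILE
              value: {{ $log.file }}
          args: ["/scripts/tail-logs.sh"]
          volumeMounts:
            - mountPath: /scripts/tail-logs.sh
              name: scripts
              subPath: tail-logs.sh
            - mountPath: /nexus-data
              name: data
              readOnly: true
          {{- with $.Values.tailLogs.resources }}
          resources:
            {{- toYaml . | nindent 12 }}
          {{- end }}
        {{- end }}
        {{- end }}
```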
@@ -201,38 +366,14 @@ spec: secretName: {{ .Values.license.secret }} {{- end }} {{- if .Values.caCerts.enabled }} - - name: nexus3-cas + - name: ca-certs secret: secretName: {{ .Values.caCerts.secret }} {{- end }} - - name: {{ include "nexus3.fullname" . }}-logback - configMap: - name: {{ include "nexus3.fullname" . }}-logback - defaultMode: 0755 - - name: {{ include "nexus3.fullname" . }}-properties - configMap: - name: {{ include "nexus3.fullname" . }}-properties - defaultMode: 0755 {{- if .Values.plugins }} - - name: nexus-deploy + - name: deploy emptyDir: {} {{- end }} - {{- if and .Values.config.enabled (or .Values.rootPassword.secret .Values.config.rootPassword.secret) }} - - name: {{ include "nexus3.fullname" . }}-conf - configMap: - name: {{ include "nexus3.fullname" . }}-conf - defaultMode: 0755 - {{- if and .Values.config.ldap.enabled }} - - name: {{ .Values.config.ldap.authPassword.secret }} - secret: - secretName: {{ .Values.config.ldap.authPassword.secret }} - {{- end }} - {{- if .Values.config.repoCredentials.enabled }} - - name: {{ .Values.config.repoCredentials.secret }} - secret: - secretName: {{ .Values.config.repoCredentials.secret }} - {{- end }} - {{- end }} {{- with .Values.extraVolumes }} {{- toYaml . | nindent 8 }} {{- end }} @@ -257,7 +398,7 @@ spec: {{- if .Values.persistence.enabled }} volumeClaimTemplates: - metadata: - name: {{ include "nexus3.pvcname" . }} + name: data labels: {{- include "nexus3.labels" . | nindent 10 }} {{- with .Values.persistence.annotations }} @@ -277,5 +418,9 @@ spec: resources: requests: storage: {{ .Values.persistence.size | quote }} + {{- if semverCompare ">= 1.27-0" .Capabilities.KubeVersion.Version }} + persistentVolumeClaimRetentionPolicy: + whenDeleted: {{ ternary "Retain" "Delete" .Values.persistence.retainDeleted }} + whenScaled: {{ ternary "Retain" "Delete" .Values.persistence.retainScaled }} + {{- end }} {{- end }} -{{- end }} 
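Review bot: The new `ca-certs` volume emits `secretName: {{ .Values.caCerts.secret }}` with no guard, and `caCerts.secret` defaults to null in values.yaml, so enabling `caCerts.enabled` without naming a secret renders `secretName:` as null and fails only at the API server with an unhelpful message. A `required` call turns that into a template-time error: `secretName: {{ required "caCerts.secret must be set when caCerts.enabled is true" .Values.caCerts.secret }}`. The same pattern is worth applying to the license volume above it, though that line is unchanged in this commit.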
diff --git a/charts/nexus3/values.yaml b/charts/nexus3/values.yaml index fab91580..62ca4b7c 100644 --- a/charts/nexus3/values.yaml +++ b/charts/nexus3/values.yaml 
@@ -1,72 +1,70 @@ +# Default values for nexus3. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + image: + # -- Image repository for the default container. repository: docker.io/sonatype/nexus3 - # Overrides the image tag whose default is {{ .Chart.AppVersion }} - tag: "" + # -- (string) Image tag for the default container, this will default to `.Chart.AppVersion` if not set and will be omitted if set to `-`. + tag: + # -- (string) Optional image digest for the default container. + digest: + # -- Image pull policy for the default container. + pullPolicy: IfNotPresent + +bashImage: + # -- Image repository for bash containers. + repository: cgr.dev/chainguard/bash + # -- Image tag for bash containers, this will be omitted if set to `-`. + tag: latest + # -- (string) Optional image digest for the bash containers. + digest: + # -- Image pull policy for bash containers. pullPolicy: IfNotPresent - pullSecrets: [] +jdkImage: + # -- Image repository for the JDK container. + repository: docker.io/eclipse-temurin + # -- Image tag for the JDK container, this will be omitted if set to `-`. + tag: 17-jdk + # -- (string) Optional image digest for the JDK container. + digest: + # -- Image pull policy for the JDK container. + pullPolicy: IfNotPresent + +# -- Image pull secrets. imagePullSecrets: [] -nameOverride: "" -fullnameOverride: "" +# -- (string) Override the name of the chart. +nameOverride: + +# -- (string) Override the full name of the chart. +fullnameOverride: +# -- Labels to add to all chart resources. commonLabels: {} serviceAccount: - # Specifies whether a service account should be created + # -- If `true`, create a new `ServiceAccount`. create: true - # Labels to add to the service account + # -- Labels to add to the service account. labels: {} - # Annotations to add to the service account + # -- Annotations to add to the service account. annotations: {} - # The name of the service account to use. 
- # If not set and create is true, a name is generated using the fullname template - name: "" + # -- (string) If this is set and `serviceAccount.create` is `true` this will be used for the created `ServiceAccount` name, if set and `serviceAccount.create` is `false` then this will define an existing `ServiceAccount` to use. + name: + # -- If `true`, mount the `ServiceAccount` token. automountToken: false -deployment: true - -# highAvailability only supported in StatefulSet mode (to use that mode set deployment = false) -# Be aware that you need to fulfill a few prerequisites for a HA deployment. Please check sonatype documentation! -highAvailability: - enabled: false - replicas: 3 - -podLabels: {} -podAnnotations: {} - -podSecurityContext: - fsGroup: 200 - -securityContext: - runAsGroup: 200 - runAsUser: 200 - -priorityClassName: "" - -livenessProbe: - httpGet: - path: /service/rest/v1/status - port: http - initialDelaySeconds: 60 - periodSeconds: 30 - failureThreshold: 10 - timeoutSeconds: 1 - -readinessProbe: - httpGet: - path: /service/rest/v1/status - port: http - initialDelaySeconds: 60 - periodSeconds: 30 - failureThreshold: 10 - timeoutSeconds: 1 - service: + # -- Service type. type: ClusterIP - clusterIP: + # -- Service annotations. annotations: {} + # -- Default port. port: 8081 + # -- Additional ports to expose. + # @default -- See _values.yaml_ additionalPorts: [] # - port: 8082 # name: docker-group 
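Review bot: `bashImage.tag` defaults to the mutable `latest` tag, and the statefulset diff above runs that image as uid 0 in the `chown-data-dir` init container and as a sidecar with access to `/nexus-data`, so the image that gets root in the pod is whatever the registry serves on the day of the pull. Pin it to a specific version tag, or document that `digest` should be set in production, e.g. `# -- Image tag for bash containers; pin this or set \`digest\` so the root init container cannot change under you.` The same applies to `config.job.image.tag: latest` in a later hunk and, to a lesser degree, to `jdkImage.tag: 17-jdk`, which floats across minor releases.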
@@ -80,20 +78,19 @@ service: # - nexus-docker-hosted-1.local # - nexus-docker-hosted-2.local -metrics: - enabled: false - serviceMonitor: - enabled: false - additionalLabels: {} - endpointConfig: {} - interval: - ingress: + # -- If `true`, create an `Ingress` resource. enabled: false + # -- Ingress annotations. annotations: {} - ingressClassName: "" + # -- (string) Ingress class name. + ingressClassName: + # -- (list) Ingress hosts. + # @default -- See _values.yaml_ hosts: [] # - nexus.local + # -- (list) Ingress TLS. + # @default -- See _values.yaml_ tls: [] # - hosts: # - nexus.local 
@@ -102,16 +99,124 @@ ingress: # - nexus-docker-hosted-2.local # secretName: nexus-local-tls +# -- Number of replicas to create; modifying this requires the license to be configured. +replicas: 1 + +# -- Update strategy for the `StatefulSet`. +updateStrategy: {} + +# -- Ordinals configuration for the `StatefulSet`. +ordinals: {} + +# -- Pod management policy for the `StatefulSet`. +podManagementPolicy: + +# -- (int) Min ready seconds for the `StatefulSet`. +minReadySeconds: + +podDisruptionBudget: + # -- If `true`, create a `PodDisruptionBudget` resource. + enabled: false + # -- (string) Minimum number of available pods, either a number or a percentage. + minAvailable: + # -- (string) Minimum number of unavailable pods, either a number or a percentage. + maxUnavailable: + # -- (string) Unhealthy pod eviction policy for the PDB. + unhealthyPodEvictionPolicy: + +# -- Labels to add to the pod. +podLabels: {} + +# -- Annotations to add to the pod. +podAnnotations: {} + +# -- Security context for the pod. +podSecurityContext: + runAsNonRoot: false + fsGroup: 200 + seccompProfile: + type: RuntimeDefault + +# -- (string) Priority class name for the pod. +priorityClassName: + +# -- Termination grace period for the pod in seconds. +terminationGracePeriodSeconds: 120 + +# -- Security context for the default container. +securityContext: + privileged: false + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 200 + runAsGroup: 200 + capabilities: + drop: + - ALL + +# -- Environment variables for the default container. +env: [] + +# -- Startup probe configuration for the default container. +# @default -- See _values.yaml_ +startupProbe: + httpGet: + path: / + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 180 + +# -- Liveness probe configuration for the default container. 
+# @default -- See _values.yaml_ +livenessProbe: + httpGet: + path: / + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 6 + +# -- Readiness probe configuration for the default container. +# @default -- See _values.yaml_ +readinessProbe: + httpGet: + path: /service/rest/v1/status + port: http + initialDelaySeconds: 0 + periodSeconds: 60 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 6 + persistence: + # -- If `true`, persistence should be enabled for the `StatefulSet`. enabled: false + # -- Annotations for the `PersistentVolumeClaim`. annotations: {} - # existingClaim: existing-pvc + # -- Access mode for the `PersistentVolumeClaim`. accessMode: ReadWriteOnce - storageClass: standard + # -- Storage class for the `PersistentVolumeClaim`, if not set the default will be used. + storageClass: + # -- Size of the `PersistentVolumeClaim`. size: 8Gi + # -- If `true`, keep `PersistentVolumeClaims` when the `StatefulSet` is deleted. + retainDeleted: true + # -- If `true`, keep `PersistentVolumeClaim` when the `StatefulSet` is scaled down. + retainScaled: true + +# -- Extra volumes for the pod. +extraVolumes: [] +# -- Extra volume mounts for the default container. extraVolumeMounts: [] +# -- Resources for the default container. resources: {} # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little 
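Review bot: `podSecurityContext.runAsNonRoot: false` is set without a comment, yet the container-level `securityContext` directly below sets `runAsNonRoot: true`; the reason is visible only in the statefulset diff, where the `chown-data-dir` init container runs as uid 0. A one-line comment saves the next reader that trip: `# runAsNonRoot is left false at pod level so the chown-data-dir init container can run as uid 0; the default container re-enables it below.` Separately, `retainDeleted` and `retainScaled` only take effect where the statefulset template emits `persistentVolumeClaimRetentionPolicy`, which it gates on Kubernetes `>= 1.27-0`, so their comments should say they are ignored on older clusters.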
@@ -124,69 +229,103 @@ resources: {} # cpu: 100m # memory: 128Mi -chownDataDir: true - +# -- Extra init container to run before the default container. extraInitContainers: [] -extraVolumes: [] - -terminationGracePeriodSeconds: 30 - +# -- Node labels to match for pod scheduling. nodeSelector: {} +# -- Affinity settings for pod scheduling. If an explicit label selector is not provided for pod affinity or pod anti-affinity one will be created from the pod selector labels. affinity: {} +# -- Topology spread constraints for pod scheduling. If an explicit label selector is not provided one will be created from the pod selector labels. topologySpreadConstraints: [] +# -- Node taints which will be tolerated for pod scheduling. tolerations: [] -caCerts: +metrics: + # -- If `true`, enable metrics. enabled: false - secret: + serviceMonitor: + # -- If `true`, create a `ServiceMonitor` resource to support the _Prometheus Operator_. + enabled: false + # -- Additional labels for the `ServiceMonitor`. + additionalLabels: {} + # -- Additional endpoint configuration for the `ServiceMonitor`. + endpointConfig: {} -# if secret is provided, the license will be configured via properties, otherwise a license can still be entered manually via UI license: + # -- If `true`, use the license in the provided secret. This must be set to enable [Pro features](https://help.sonatype.com/en/repository-manager-pro-features.html). enabled: false + # -- (string) Name of the secret containing the license. secret: + # -- (string) Key in the secret containing the license. key: nexus.license -envVars: - jvmMinHeapSize: 1024m - jvmMaxHeapSize: 1024m - jvmAdditionalMemoryOptions: "-XX:MaxDirectMemorySize=2048m" - jvmAdditionalOptions: "" +# -- _Nexus3_ properties. +properties: + # - nexus.golang.hosted=true -env: [] -# - name: VARIABLE -# value: my-value +# -- _Nexus3_ store properties. +storeProperties: [] logback: + # -- Maximum history for log files. 
maxHistory: 30 -properties: - - nexus.scripts.allowCreation=true - # - nexus.golang.hosted=true +tailLogs: + # -- Resources for the log tailing containers. + resources: {} -storeProperties: [] +# -- Env configuration for the _Nexus3_ container. +install4jAddVmParams: -Xms1024m -Xmx1024m -XX:MaxDirectMemorySize=2048m +caCerts: + # -- If `true`, add the CA certificates in the provided secret to the JVM cacerts key store. + enabled: false + # -- (string) Name of the secret containing the CA certificates. + secret: + +# -- List of plugins to install. plugins: [] # - name: nexus-repository-composer # url: https://repo1.maven.org/maven2/org/sonatype/nexus/plugins/nexus-repository-composer/0.0.29/nexus-repository-composer-0.0.29-bundle.kar rootPassword: + # -- (string) Name of the secret containing the root password. secret: + # -- Key in the secret containing the root password. key: password config: + # -- If `true`, enable the configuration Job. enabled: false - rootPassword: - secret: - key: + job: + image: + # -- Image repository for the config container. + repository: cgr.dev/chainguard/min-toolkit-debug + # -- Image tag for config container, this will be omitted if set to `-`. + tag: latest + # -- (string) Optional image digest for the config container. + digest: + # -- Image pull policy for config container. + pullPolicy: IfNotPresent + # -- The number of seconds to keep the config job after it's finished. + ttlSecondsAfterFinished: 600 + # -- Node labels to match for scheduling the config job. + nodeSelector: {} + # -- Affinity settings for scheduling the config job. + affinity: {} + # -- Node taints which will be tolerated for scheduling the config job. + tolerations: [] + # -- Anonymous access configuration. anonymous: enabled: false roles: - nx-anonymous - nx-metrics + # -- Realms configuration. realms: enabled: false values: [] 
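Review bot: `properties:` is now a bare null with only a commented example beneath it, while its sibling `storeProperties: []` is an explicit empty list; unless the properties configmap template guards with `with`, ranging over a nil value behaves differently from ranging over an empty list, and helm-docs cannot infer a type from null. Match the file's own convention for list values (compare `# -- (list) Ingress hosts.` above) with `# -- (list) _Nexus3_ properties.` and `properties: []`. The unquoted `install4jAddVmParams` value parses as a plain string today, but quoting it (`install4jAddVmParams: "-Xms1024m -Xmx1024m -XX:MaxDirectMemorySize=2048m"`) protects users who edit it into something containing `: ` or ` #`.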
@@ -196,6 +335,7 @@ config: # - NpmToken # - NuGetApiKey # - rutauth-realm + # -- Roles configuration. roles: [] # - id: nexus-administrators # source: default @@ -204,6 +344,7 @@ config: # privileges: [] # roles: # - nx-admin + # -- Users configuration. users: [] # - userId: test # firstName: Test @@ -214,6 +355,7 @@ config: # roles: # - nx-anonymous # externalRoles: [] + # -- LDAP configuration. ldap: enabled: false name: @@ -248,6 +390,7 @@ config: groupIdAttribute: groupMemberAttribute: groupMemberFormat: + # -- Blob store configuration. blobStores: [] # Reference the Nexus Blob store REST API for supported types and expected request body structures of each # - name: ExampleFileBlobStore @@ -267,6 +410,7 @@ config: # #bucketSecurity: # If not using Instance Profile # # accessKeyId: access-key-id # # secretAccessKey: secret-access-key + # -- Cleanup configuration. cleanup: [] # - name: ExampleCleanup # notes: "Cleanup content that hasn't been updated in 14 days downloaded in 28 days." @@ -278,20 +422,24 @@ config: # lastDownloaded: "2419200" # regex: repoCredentials: + # -- If `true`, enable repository credentials. enabled: false + # -- (string) Name of the secret containing the repository credentials. secret: + # -- Repository configuration. repos: [] # - name: test-repo - # type: raw-hosted + # format: raw + # type: hosted # online: true - # attributes: - # storage: - # blobStoreName: default - # strictContentTypeValidation: false - # writePolicy: ALLOW - # cleanup: - # policyName: - # - ExampleCleanup + # storage: + # blobStoreName: default + # strictContentTypeValidation: false + # writePolicy: allow + # cleanup: + # policyNames: + # - ExampleCleanup + # -- Task configuration. tasks: [] # - name: "Cleanup service" # typeId: repository.cleanup @@ -312,4 +460,5 @@ config: # attributes: # blobStoreName: "default" +# @ignored testResources: false