diff --git a/clusters/core/addons/nexus-ce/.helmignore b/clusters/core/addons/nexus-ce/.helmignore new file mode 100644 index 0000000..0e8a0eb --- /dev/null +++ b/clusters/core/addons/nexus-ce/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/clusters/core/addons/nexus-ce/Chart.yaml b/clusters/core/addons/nexus-ce/Chart.yaml new file mode 100644 index 0000000..441dce0 --- /dev/null +++ b/clusters/core/addons/nexus-ce/Chart.yaml 
@@ -0,0 +1,31 @@ +apiVersion: v2 +name: nexus-ce +description: Nexus Community Edition chart for Kubernetes + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.1.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. +appVersion: "1.16.0" + + +dependencies: + - name: oauth2-proxy + version: 6.16.1 + repository: https://oauth2-proxy.github.io/manifests/ + condition: oauth2-proxy.enabled \ No newline at end of file diff --git a/clusters/core/addons/nexus-ce/README.md b/clusters/core/addons/nexus-ce/README.md new file mode 100644 index 0000000..eaf9fb8 --- /dev/null +++ b/clusters/core/addons/nexus-ce/README.md 
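Review bot: `appVersion: "1.16.0"` is the `helm create` scaffold default and does not match the image the chart actually deploys (`image.tag: "3.77.1"` in values.yaml). `_helpers.tpl` stamps `.Chart.AppVersion` into the `app.kubernetes.io/version` label and deployment.yaml uses it as the image tag fallback (`.Values.image.tag | default .Chart.AppVersion`), so clearing `image.tag` would silently pull `sonatype/nexus3:1.16.0`. Set `appVersion: "3.77.1"` and keep it in step with the tag.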
@@ -0,0 +1,95 @@ +# nexus-ce + +![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.16.0](https://img.shields.io/badge/AppVersion-1.16.0-informational?style=flat-square) + +Nexus Community Edition chart for Kubernetes + +## Requirements + +| Repository | Name | Version | +|------------|------|---------| +| https://oauth2-proxy.github.io/manifests/ | oauth2-proxy | 6.16.1 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| affinity | object | `{}` | | +| autoscaling.enabled | bool | `false` | | +| autoscaling.maxReplicas | int | `100` | | +| autoscaling.minReplicas | int | `1` | | +| autoscaling.targetCPUUtilizationPercentage | int | `80` | | +| database | object | `{"existigSecret":"nexus-ce-pguser-nexus-ce","keys":{"dbname":"dbname","password":"password","port":"5432","url":"host","username":"user"},"pgo":{"enable":true}}` | This block configure database connections for Nexus CE. | +| database.existigSecret | string | `"nexus-ce-pguser-nexus-ce"` | Name of the secret that contains the database credentials. | +| database.keys | object | `{"dbname":"dbname","password":"password","port":"5432","url":"host","username":"user"}` | This block configures the database connection secret fields name for Nexus CE. | +| database.pgo | object | `{"enable":true}` | Use PostgreSQL operator to create and manage database. | +| docker.enabled | bool | `true` | | +| docker.registries[0].host | string | `"nexus-ce-ci-container.eks-sandbox.aws.main.edp.projects.epam.com"` | | +| docker.registries[0].port | int | `5000` | | +| eso.enabled | bool | `true` | Install components of the ESO. | +| eso.generic.secretStore.providerConfig | object | `{}` | Defines SecretStore provider configuration. 
| +| eso.roleArn | string | `"arn:aws:iam::093899590031:role/AWSIRSASandboxExternalSecretOperatorAccess"` | Role ARN for the ExternalSecretOperator to assume. | +| eso.secretName | string | `"/edp/eks-sandbox/addons/nexus-ce"` | Value name in AWS ParameterStore, AWS SecretsManager or other Secret Store. | +| eso.secretStoreName | string | `"aws-parameterstore"` | Defines Secret Store name. | +| eso.type | string | `"aws"` | Defines provider type. One of `aws` or `generic`. | +| fullnameOverride | string | `"nexus-ce"` | | +| image.pullPolicy | string | `"IfNotPresent"` | | +| image.repository | string | `"sonatype/nexus3"` | | +| image.tag | string | `"3.77.1"` | | +| imagePullSecrets | list | `[]` | | +| ingress.annotations."nginx.ingress.kubernetes.io/proxy-body-size" | string | `"900m"` | | +| ingress.className | string | `""` | | +| ingress.enabled | bool | `true` | | +| ingress.hosts[0].host | string | `"nexus-ce-ci.eks-sandbox.aws.main.edp.projects.epam.com"` | | +| ingress.hosts[0].paths[0].path | string | `"/"` | | +| ingress.hosts[0].paths[0].pathType | string | `"Prefix"` | | +| ingress.tls | list | `[]` | | +| livenessProbe.failureThreshold | int | `6` | | +| livenessProbe.initialDelaySeconds | int | `0` | | +| livenessProbe.path | string | `"/"` | | +| livenessProbe.periodSeconds | int | `60` | | +| livenessProbe.timeoutSeconds | int | `1` | | +| nameOverride | string | `""` | | +| nexusAdminPassword | object | `{"secret":{"key":"password","name":"nexus-admin-password"}}` | Initial Nexus CE admin password. 
| +| nodeSelector | object | `{}` | | +| oauth2-proxy.config.configFile | string | `"allowed_roles = [\"administrator\", \"developer\"]\nclient_id = \"nexus-ce\"\ncode_challenge_method=\"S256\"\ncookie_csrf_expire=\"5m\"\ncookie_csrf_per_request=\"true\"\ncookie_secure = \"false\"\nemail_domains = [ \"*\" ]\ninsecure_oidc_allow_unverified_email = \"true\"\noidc_issuer_url = \"https://idp.core.kuberocketci.io/realms/sandbox\"\npass_access_token = \"true\"\npass_authorization_header = \"true\"\npass_basic_auth = \"false\"\nprovider = \"keycloak-oidc\"\nredirect_url = \"https://nexus-ce.eks-sandbox.aws.main.edp.projects.epam.com/oauth2/callback\"\nskip_jwt_bearer_tokens = \"true\"\nupstreams = [ \"http://nexus-ce:8081\" ]\nwhitelist_domains = [\"*\"]\nsilence_ping_logging = \"true\""` | | +| oauth2-proxy.config.existingSecret | string | `"oauth2-proxy"` | | +| oauth2-proxy.enabled | bool | `true` | | +| oauth2-proxy.ingress.enabled | bool | `true` | | +| oauth2-proxy.ingress.hosts[0] | string | `"nexus-ce.eks-sandbox.aws.main.edp.projects.epam.com"` | | +| oauth2-proxy.redis.enabled | bool | `false` | | +| oauth2-proxy.redis.replica.replicaCount | int | `1` | | +| oauth2-proxy.sessionStorage.redis.clientType | string | `"standalone"` | | +| oauth2-proxy.sessionStorage.redis.cluster.connectionUrls | list | `[]` | | +| oauth2-proxy.sessionStorage.redis.existingSecret | string | `""` | | +| oauth2-proxy.sessionStorage.redis.password | string | `""` | | +| oauth2-proxy.sessionStorage.redis.passwordKey | string | `"redis-password"` | | +| oauth2-proxy.sessionStorage.redis.sentinel.connectionUrls | list | `[]` | | +| oauth2-proxy.sessionStorage.redis.sentinel.existingSecret | string | `""` | | +| oauth2-proxy.sessionStorage.redis.sentinel.masterName | string | `""` | | +| oauth2-proxy.sessionStorage.redis.sentinel.password | string | `""` | | +| oauth2-proxy.sessionStorage.redis.sentinel.passwordKey | string | `"redis-sentinel-password"` | | +| 
oauth2-proxy.sessionStorage.redis.standalone.connectionUrl | string | `""` | | +| oauth2-proxy.sessionStorage.type | string | `"cookie"` | | +| persistentVolume.accessMode | string | `"ReadWriteOnce"` | Access mode for the Persistent Volume. | +| persistentVolume.enabled | bool | `true` | | +| persistentVolume.existingClaim | string | `""` | Existing Persistent Volume Claim. | +| persistentVolume.storageClass | string | `"ebs-sc"` | Storage class for the Persistent Volume. | +| persistentVolume.storageSize | string | `"20Gi"` | Storage size for the Persistent Volume. | +| podAnnotations | object | `{}` | | +| podSecurityContext | object | `{}` | | +| readinessProbe.failureThreshold | int | `6` | | +| readinessProbe.initialDelaySeconds | int | `0` | | +| readinessProbe.path | string | `"/"` | | +| readinessProbe.periodSeconds | int | `60` | | +| readinessProbe.timeoutSeconds | int | `1` | | +| replicaCount | int | `1` | | +| resources | object | `{}` | | +| securityContext | object | `{}` | | +| service.port | int | `8081` | | +| service.type | string | `"ClusterIP"` | | +| serviceAccount.annotations."eks.amazonaws.com/role-arn" | string | `"arn:aws:iam::093899590031:role/NexusS3BlobStorePolicy"` | | +| serviceAccount.create | bool | `true` | | +| serviceAccount.name | string | `""` | | +| tolerations | list | `[]` | | + diff --git a/clusters/core/addons/nexus-ce/templates/_helpers.tpl b/clusters/core/addons/nexus-ce/templates/_helpers.tpl new file mode 100644 index 0000000..6716822 --- /dev/null +++ b/clusters/core/addons/nexus-ce/templates/_helpers.tpl 
@@ -0,0 +1,62 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "nexus-ce.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "nexus-ce.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "nexus-ce.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "nexus-ce.labels" -}} +helm.sh/chart: {{ include "nexus-ce.chart" . }} +{{ include "nexus-ce.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "nexus-ce.selectorLabels" -}} +app.kubernetes.io/name: {{ include "nexus-ce.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "nexus-ce.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "nexus-ce.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} 
diff --git a/clusters/core/addons/nexus-ce/templates/external-secret/nexus-admin-password-secret.yaml b/clusters/core/addons/nexus-ce/templates/external-secret/nexus-admin-password-secret.yaml new file mode 100644 index 0000000..4203844 --- /dev/null +++ b/clusters/core/addons/nexus-ce/templates/external-secret/nexus-admin-password-secret.yaml @@ -0,0 +1,27 @@ +{{- if .Values.eso.enabled }} +{{- $secretName := .Values.eso.secretName }} +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: nexus-admin-password +spec: + refreshInterval: 1h + secretStoreRef: + kind: SecretStore + name: {{ .Values.eso.secretStoreName }} + data: + - secretKey: user + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: {{ $secretName }} + metadataPolicy: None + property: nexus.user + - secretKey: password + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: {{ $secretName }} + metadataPolicy: None + property: nexus.password +{{- end }} \ No newline at end of file diff --git a/clusters/core/addons/nexus-ce/templates/external-secret/oauth2-proxy-secret.yaml b/clusters/core/addons/nexus-ce/templates/external-secret/oauth2-proxy-secret.yaml new file mode 100644 index 0000000..fd2a8a3 --- /dev/null +++ b/clusters/core/addons/nexus-ce/templates/external-secret/oauth2-proxy-secret.yaml 
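Review bot: The ExternalSecret's `name: nexus-admin-password` and `secretKey: password` are literals, while deployment.yaml reads the admin password through `.Values.nexusAdminPassword.secret.name` / `.key`; overriding those values therefore breaks the reference silently at pod start rather than at render time. Render both from the same values: `name: {{ .Values.nexusAdminPassword.secret.name }}` and `- secretKey: {{ .Values.nexusAdminPassword.secret.key }}`. The sibling oauth2-proxy-secret.yaml sets `target.creationPolicy: Owner` / `deletionPolicy: Retain`, whereas this manifest has no `target` block, so the two ExternalSecrets behave differently on uninstall — worth aligning deliberately. The `user` entry is fetched but nothing in the chart consumes it.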
@@ -0,0 +1,37 @@ +{{- if .Values.eso.enabled }} +{{- $secretName := .Values.eso.secretName }} +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: oauth2-proxy +spec: + data: + - remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: {{ $secretName }} + metadataPolicy: None + property: oauth2-proxy.client-id + secretKey: client-id + - remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: {{ $secretName }} + metadataPolicy: None + property: oauth2-proxy.client-secret + secretKey: client-secret + - remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: {{ $secretName }} + metadataPolicy: None + property: oauth2-proxy.cookie-secret + secretKey: cookie-secret + refreshInterval: 1h + secretStoreRef: + kind: SecretStore + name: {{ .Values.eso.secretStoreName }} + target: + creationPolicy: Owner + deletionPolicy: Retain +{{- end }} \ No newline at end of file diff --git a/clusters/core/addons/nexus-ce/templates/external-secret/sa.yaml b/clusters/core/addons/nexus-ce/templates/external-secret/sa.yaml new file mode 100644 index 0000000..d23b07f --- /dev/null +++ b/clusters/core/addons/nexus-ce/templates/external-secret/sa.yaml @@ -0,0 +1,10 @@ +{{- if .Values.eso.enabled }} +{{- if eq .Values.eso.type "aws" }} +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + eks.amazonaws.com/role-arn: {{ .Values.eso.roleArn }} + name: externalsecrets-aws-nexus +{{- end }} +{{- end }} \ No newline at end of file diff --git a/clusters/core/addons/nexus-ce/templates/external-secret/secretstore.yaml b/clusters/core/addons/nexus-ce/templates/external-secret/secretstore.yaml new file mode 100644 index 0000000..ba8903e --- /dev/null +++ b/clusters/core/addons/nexus-ce/templates/external-secret/secretstore.yaml 
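Review bot: In sa.yaml the annotation `eks.amazonaws.com/role-arn: {{ .Values.eso.roleArn }}` is rendered unquoted; with an empty or unset `eso.roleArn` it becomes `null` and IRSA fails only when the ExternalSecret first syncs, with no hint at render time. Render it as `eks.amazonaws.com/role-arn: {{ required "eso.roleArn is required when eso.type=aws" .Values.eso.roleArn | quote }}`. The ServiceAccount name `externalsecrets-aws-nexus` is also repeated literally here and in secretstore.yaml's `serviceAccountRef`; deriving both from one value or a named template keeps them from drifting.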
@@ -0,0 +1,17 @@
+{{- if .Values.eso.enabled }}
+{{- if eq .Values.eso.type "aws" }}
+apiVersion: external-secrets.io/v1beta1
+kind: SecretStore
+metadata:
+ name: {{ .Values.eso.secretStoreName }}
+spec:
+ provider:
+ aws:
+ service: ParameterStore
+ region: eu-central-1
+ auth:
+ jwt:
+ serviceAccountRef:
+ name: externalsecrets-aws-nexus
+{{- end }}
+{{- end }}
diff --git a/clusters/core/addons/nexus-ce/templates/nexus-ce/configmap.yaml b/clusters/core/addons/nexus-ce/templates/nexus-ce/configmap.yaml
new file mode 100644
index 0000000..cf83f01
--- /dev/null
+++ b/clusters/core/addons/nexus-ce/templates/nexus-ce/configmap.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ template "nexus-ce.name" . }}-properties
+data:
+ nexus.properties: |
+ nexus.scripts.allowCreation=true
+ jetty.request.header.size=100000
diff --git a/clusters/core/addons/nexus-ce/templates/nexus-ce/deployment.yaml b/clusters/core/addons/nexus-ce/templates/nexus-ce/deployment.yaml
new file mode 100644
index 0000000..71ef530
--- /dev/null
+++ b/clusters/core/addons/nexus-ce/templates/nexus-ce/deployment.yaml
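Review bot: `region: eu-central-1` is hardcoded in the SecretStore while the equally environment-specific role ARN and parameter path already come from values, so the chart cannot be reused in another region without editing the template. Expose it as a value with the current default, e.g. `region: {{ .Values.eso.region | default "eu-central-1" }}` (a new `eso.region` key, to be added to values.yaml and the README table).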
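Review bot: `nexus.scripts.allowCreation=true` in the ConfigMap turns on creation of server-side Groovy scripts via the REST API, which Sonatype ships disabled because a user holding the script privilege can then execute arbitrary code inside the Nexus JVM; the commit gives no reason for enabling it permanently. If it is only required for bootstrap provisioning, make it a value that defaults off and document when to enable it, e.g. `nexus.scripts.allowCreation={{ .Values.nexusProperties.allowScriptCreation | default false }}` with a comment `# -- Enables Groovy script creation via the API; keep false unless provisioning needs it.` in values.yaml.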
@@ -0,0 +1,155 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "nexus-ce.fullname" . }} + labels: + {{- include "nexus-ce.labels" . | nindent 4 }} +spec: + {{- if not .Values.autoscaling.enabled }} + replicas: {{ .Values.replicaCount }} + {{- end }} + selector: + matchLabels: + {{- include "nexus-ce.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "nexus-ce.selectorLabels" . | nindent 8 }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "nexus-ce.serviceAccountName" . }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + initContainers: + # chown nexus-data to 'nexus' user and init log directories/files for a new pod + # otherwise the side car containers will crash a couple of times and backoff whilst waiting + # for nxrm-app to start and this increases the total start up time. + - name: chown-nexusdata-owner-to-nexus-and-init-log-dir + image: busybox:1.33.1 + command: [/bin/sh] + args: + - -c + - >- + mkdir -p /nexus-data/etc/logback && + mkdir -p /nexus-data/log/tasks && + mkdir -p /nexus-data/log/audit && + touch -a /nexus-data/log/tasks/allTasks.log && + touch -a /nexus-data/log/audit/audit.log && + touch -a /nexus-data/log/request.log && + chown -R '200:200' /nexus-data + volumeMounts: + - name: {{ include "nexus-ce.fullname" . }}-data + mountPath: /nexus-data + resources: + limits: + cpu: "0.2" + memory: "512Mi" + requests: + cpu: "0.1" + memory: "256Mi" + containers: + - name: {{ .Chart.Name }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + volumeMounts: + - name: {{ template "nexus-ce.name" . 
}}-properties + mountPath: /nexus-data/etc/nexus.properties + subPath: nexus.properties + - name: {{ include "nexus-ce.fullname" . }}-data + mountPath: /nexus-data + ports: + - name: http + containerPort: {{ .Values.service.port }} + protocol: TCP + {{- if .Values.docker.enabled }} + {{- range .Values.docker.registries }} + - name: docker-{{ .port }} + containerPort: {{ .port }} + {{- end }} + {{- end }} + env: + - name: NEXUS_SECURITY_INITIAL_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.nexusAdminPassword.secret.name }} + key: {{ .Values.nexusAdminPassword.secret.key }} + - name: DB_NAME + valueFrom: + secretKeyRef: + name: {{ .Values.database.existigSecret }} + key: {{ .Values.database.keys.dbname }} + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.database.existigSecret }} + key: {{ .Values.database.keys.password }} + - name: DB_USER + valueFrom: + secretKeyRef: + name: {{ .Values.database.existigSecret }} + key: {{ .Values.database.keys.username }} + - name: DB_HOST + valueFrom: + secretKeyRef: + name: {{ .Values.database.existigSecret }} + key: {{ .Values.database.keys.url }} + - name: INSTALL4J_ADD_VM_PARAMS + value: "-Xms2703m -Xmx2703m \ + -Dnexus.datastore.enabled=true -Djava.util.prefs.userRoot=${NEXUS_DATA}/javaprefs \ + -Dnexus.datastore.nexus.jdbcUrl=jdbc:postgresql://${DB_HOST}:{{ .Values.database.keys.port }}/${DB_NAME} \ + -Dnexus.datastore.nexus.username=${DB_USER} \ + -Dnexus.datastore.nexus.password=${DB_PASSWORD}" + livenessProbe: + httpGet: + path: {{ .Values.livenessProbe.path }} + port: {{ .Values.service.port }} + initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} + failureThreshold: {{ .Values.livenessProbe.failureThreshold }} + readinessProbe: + httpGet: + path: {{ .Values.readinessProbe.path }} + port: {{ .Values.service.port }} + initialDelaySeconds: {{ 
.Values.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} + failureThreshold: {{ .Values.readinessProbe.failureThreshold }} + resources: + {{- toYaml .Values.resources | nindent 12 }} + volumes: + - name: {{ template "nexus-ce.name" . }}-properties + configMap: + name: {{ template "nexus-ce.name" . }}-properties + items: + - key: nexus.properties + path: nexus.properties + - name: {{ include "nexus-ce.fullname" . }}-data + {{- if .Values.persistentVolume.enabled }} + persistentVolumeClaim: + claimName: {{ include "nexus-ce.fullname" . }}-data + {{- else }} + emptyDir: + sizeLimit: {{ .Values.persistentVolume.storageSize | quote }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/clusters/core/addons/nexus-ce/templates/nexus-ce/ingress-container.yaml b/clusters/core/addons/nexus-ce/templates/nexus-ce/ingress-container.yaml new file mode 100644 index 0000000..05d1e4c --- /dev/null +++ b/clusters/core/addons/nexus-ce/templates/nexus-ce/ingress-container.yaml 
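Review bot: `INSTALL4J_ADD_VM_PARAMS` embeds `-Dnexus.datastore.nexus.password=${DB_PASSWORD}` in the JVM command line, so the database password that was carefully delivered through a Secret ends up readable from the container's process table and from any tooling that collects process arguments. Nexus also accepts the datastore settings from `nexus.properties` or from `NEXUS_DATASTORE_NEXUS_*` environment variables — confirm against the docs for the 3.77 image — so the credentials can stay in env vars or a Secret-mounted properties file and only the non-secret `-D` flags remain here. Separately, `persistentVolume.existingClaim` is declared in values.yaml but the `volumes` block always uses `claimName: {{ include "nexus-ce.fullname" . }}-data`, and pvc.yaml creates a PVC whenever `persistentVolume.enabled` is true, so the value is a no-op; honour it with `claimName: {{ .Values.persistentVolume.existingClaim | default (printf "%s-data" (include "nexus-ce.fullname" .)) }}` and skip PVC creation in pvc.yaml when it is set.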
@@ -0,0 +1,34 @@ +{{- if .Values.ingress.enabled -}} +{{ if .Values.docker.enabled }} +{{- $fullName := include "nexus-ce.fullname" $ -}} +{{ range $registry := .Values.docker.registries }} +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-container-{{ $registry.port }} + labels: + {{- include "nexus-ce.labels" $ | nindent 4 }} + {{- if $.Values.ingress.annotations }} + annotations: + {{- toYaml $.Values.ingress.annotations | nindent 4 }} + {{- end }} +spec: + tls: + - hosts: + - {{ $registry.host | quote }} + secretName: {{ $registry.secretName }} + rules: + - host: {{ $registry.host }} + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: {{ $fullName | trunc 49 }}-container + port: + number: {{ $registry.port }} +{{- end }} +{{- end }} +{{- end }} diff --git a/clusters/core/addons/nexus-ce/templates/nexus-ce/ingress.yaml b/clusters/core/addons/nexus-ce/templates/nexus-ce/ingress.yaml new file mode 100644 index 0000000..21e9e77 --- /dev/null +++ b/clusters/core/addons/nexus-ce/templates/nexus-ce/ingress.yaml 
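Review bot: `secretName: {{ $registry.secretName }}` has no counterpart in values.yaml — the `docker.registries` entries carry only `host` and `port` — so it renders as an empty `secretName:` and most controllers then serve their default certificate for that host while the manifest claims TLS for it. Either add `secretName` to each registry entry and guard the stanza with `{{- if $registry.secretName }}`, or drop the `tls` block until a certificate source exists. The backend `name: {{ $fullName | trunc 49 }}-container` must also stay identical to the Service name rendered in service-container.yaml, which is not truncated; they agree under the default `fullnameOverride: "nexus-ce"` but diverge for a longer fullname.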
@@ -0,0 +1,61 @@ +{{- if .Values.ingress.enabled -}} +{{- $fullName := include "nexus-ce.fullname" . -}} +{{- $svcPort := .Values.service.port -}} +{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }} + {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }} + {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}} + {{- end }} +{{- end }} +{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1 +{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1beta1 +{{- else -}} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ $fullName }} + labels: + {{- include "nexus-ce.labels" . | nindent 4 }} + {{- with .Values.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} + ingressClassName: {{ .Values.ingress.className }} + {{- end }} + {{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} + {{- end }} + rules: + {{- range .Values.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range .paths }} + - path: {{ .path }} + {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }} + pathType: {{ .pathType }} + {{- end }} + backend: + {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} + service: + name: {{ $fullName }} + port: + number: {{ $svcPort }} + {{- else }} + serviceName: {{ $fullName }} + servicePort: {{ $svcPort }} + {{- end }} + {{- end }} + {{- end }} +{{- end }} 
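Review bot: This Ingress publishes the Nexus Service directly on `nexus-ce-ci.…` with `ingress.tls: []`, while the OIDC login flow is only enforced on the separate oauth2-proxy host `nexus-ce.…` (per values.yaml), so a client using the first host reaches Nexus without passing the proxy. If the proxy is meant to be the only entry point, this ingress should default to `ingress.enabled: false`; if direct access is intended, it still needs a `tls` entry, since the oauth2-proxy `redirect_url` and the Keycloak `webUrl` both assume HTTPS. Both readings are inferred from values.yaml rather than from this hunk, so the intent is worth stating in a comment above `ingress:` in values.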
diff --git a/clusters/core/addons/nexus-ce/templates/nexus-ce/pvc.yaml b/clusters/core/addons/nexus-ce/templates/nexus-ce/pvc.yaml new file mode 100644 index 0000000..587b232 --- /dev/null +++ b/clusters/core/addons/nexus-ce/templates/nexus-ce/pvc.yaml @@ -0,0 +1,22 @@ +{{- if .Values.persistentVolume.enabled }} +{{- $fullName := include "nexus-ce.fullname" . -}} +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ $fullName }}-data + labels: + {{- include "nexus-ce.labels" $ | nindent 4 }} +spec: + accessModes: + - {{ .Values.persistentVolume.accessMode | quote }} + resources: + requests: + storage: {{ .Values.persistentVolume.storageSize | quote }} +{{- if .Values.persistentVolume.storageClass }} +{{- if (eq "-" .Values.persistentVolume.storageClass) }} + storageClassName: "" +{{- else }} + storageClassName: "{{ .Values.persistentVolume.storageClass }}" +{{- end }} +{{- end }} +{{- end }} diff --git a/clusters/core/addons/nexus-ce/templates/nexus-ce/service-container.yaml b/clusters/core/addons/nexus-ce/templates/nexus-ce/service-container.yaml new file mode 100644 index 0000000..0975310 --- /dev/null +++ b/clusters/core/addons/nexus-ce/templates/nexus-ce/service-container.yaml @@ -0,0 +1,20 @@ +{{- if .Values.docker.enabled }} +{{- range $registry := .Values.docker.registries }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ include "nexus-ce.fullname" $ }}-container + labels: + {{- include "nexus-ce.labels" $ | nindent 4 }} +spec: + type: {{ $.Values.service.type }} + ports: + - port: {{ $registry.port }} + protocol: TCP + name: docker-{{ $registry.port }} + selector: + {{- include "nexus-ce.selectorLabels" $ | nindent 4 }} + +{{- end }} +{{- end }} \ No newline at end of file diff --git a/clusters/core/addons/nexus-ce/templates/nexus-ce/service.yaml b/clusters/core/addons/nexus-ce/templates/nexus-ce/service.yaml new file mode 100644 index 0000000..f366736 --- /dev/null +++ b/clusters/core/addons/nexus-ce/templates/nexus-ce/service.yaml 
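Review bot: service-container.yaml renders one Service per `docker.registries` entry but names every one `{{ include "nexus-ce.fullname" $ }}-container`, so with two registries the later manifest overwrites the earlier on apply and only one port is ever exposed. Include the port in the name as ingress-container.yaml already does, `name: {{ include "nexus-ce.fullname" $ }}-container-{{ $registry.port }}`, and update the Ingress backend `service.name` to match.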
@@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "nexus-ce.fullname" . }} + labels: + {{- include "nexus-ce.labels" . | nindent 4 }} +spec: + type: {{ .Values.service.type }} + ports: + - port: {{ .Values.service.port }} + targetPort: http + protocol: TCP + name: http + selector: + {{- include "nexus-ce.selectorLabels" . | nindent 4 }} diff --git a/clusters/core/addons/nexus-ce/templates/nexus-ce/serviceaccount.yaml b/clusters/core/addons/nexus-ce/templates/nexus-ce/serviceaccount.yaml new file mode 100644 index 0000000..603245f --- /dev/null +++ b/clusters/core/addons/nexus-ce/templates/nexus-ce/serviceaccount.yaml @@ -0,0 +1,12 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "nexus-ce.serviceAccountName" . }} + labels: + {{- include "nexus-ce.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/clusters/core/addons/nexus-ce/templates/oidc/keycloak-client-secret.yaml b/clusters/core/addons/nexus-ce/templates/oidc/keycloak-client-secret.yaml new file mode 100644 index 0000000..8db3133 --- /dev/null +++ b/clusters/core/addons/nexus-ce/templates/oidc/keycloak-client-secret.yaml @@ -0,0 +1,23 @@ +{{- if .Values.eso.enabled }} +{{ if index .Values "oauth2-proxy" "enabled" }} +{{- $secretName := .Values.eso.secretName }} +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: keycloak-client-nexus-secret +spec: + refreshInterval: 1h + secretStoreRef: + kind: SecretStore + name: {{ .Values.eso.secretStoreName }} + data: + # should be clientSecret, since keycloak operator uses this key for secret + - secretKey: clientSecret + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: {{ $secretName }} + metadataPolicy: None + property: keycloak-client-nexus-secret.clientSecret +{{ end }} +{{ end }} 
diff --git a/clusters/core/addons/nexus-ce/templates/oidc/keycloak-client.yaml b/clusters/core/addons/nexus-ce/templates/oidc/keycloak-client.yaml new file mode 100644 index 0000000..4011814 --- /dev/null +++ b/clusters/core/addons/nexus-ce/templates/oidc/keycloak-client.yaml @@ -0,0 +1,17 @@ +{{ if index .Values "oauth2-proxy" "enabled" }} +apiVersion: v1.edp.epam.com/v1 +kind: KeycloakClient +metadata: + name: nexus-ce +spec: + advancedProtocolMappers: true + clientId: nexus-ce + defaultClientScopes: + - groups + - edp + secret: '$keycloak-client-nexus-secret:clientSecret' + realmRef: + kind: ClusterKeycloakRealm + name: sandbox + webUrl: https://{{ (first (index .Values "oauth2-proxy" "ingress" "hosts")) }} +{{ end }} diff --git a/clusters/core/addons/nexus-ce/templates/pgo/postgresql.yaml b/clusters/core/addons/nexus-ce/templates/pgo/postgresql.yaml new file mode 100644 index 0000000..38c915b --- /dev/null +++ b/clusters/core/addons/nexus-ce/templates/pgo/postgresql.yaml 
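Review bot: `realmRef.name: sandbox` and `clientId: nexus-ce` are fixed in the template while `webUrl` is derived from `oauth2-proxy.ingress.hosts`, so pointing the chart at another realm requires editing the template; promoting both to values (with a note that `clientId` must equal the `client_id` in the oauth2-proxy `configFile`) keeps the OIDC wiring in one place. `first (index .Values "oauth2-proxy" "ingress" "hosts")` also fails at render time with an unhelpful error if that list is empty; wrapping it in `required` gives a clearer message.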
@@ -0,0 +1,67 @@ +{{- if .Values.database.pgo.enable }} +apiVersion: postgres-operator.crunchydata.com/v1beta1 +kind: PostgresCluster +metadata: + name: nexus-ce +spec: + image: registry.developers.crunchydata.com/crunchydata/crunchy-postgres:ubi8-14.7-0 + postgresVersion: 14 + port: 5432 + instances: + - name: pgha1 + replicas: 1 + dataVolumeClaimSpec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi + + backups: + pgbackrest: + image: registry.developers.crunchydata.com/crunchydata/crunchy-pgbackrest:ubi8-2.41-4 + global: + log-level-console: info + log-level-file: info + repo1-retention-diff: '7' + repo1-retention-full: '7' + repo1-retention-full-type: time + manual: + options: + - '--type=full' + repoName: repo1 + repos: + - name: repo1 + schedules: + full: 5 2 * * * + volume: + volumeClaimSpec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi + + patroni: + dynamicConfiguration: + postgresql: + parameters: + jit: false + maintenance_work_mem: 256MB + max_connections: '100' + random_page_cost: 1.1 + shared_buffers: 256MB + shared_preload_libraries: 'pgaudit,pg_stat_statements,pgnodemx' + temp_buffers: 8MB + work_mem: 32MB + pg_hba: + - local all "postgres" peer + - hostssl replication "_crunchyrepl" all cert + - hostssl "postgres" "_crunchyrepl" all cert + - host all "_crunchyrepl" all reject + - hostssl all all all md5 + use_pg_rewind: true + leaderLeaseDurationSeconds: 30 + port: 8008 + syncPeriodSeconds: 10 +{{ end }} \ No newline at end of file diff --git a/clusters/core/addons/nexus-ce/values.yaml b/clusters/core/addons/nexus-ce/values.yaml new file mode 100644 index 0000000..0161358 --- /dev/null +++ b/clusters/core/addons/nexus-ce/values.yaml 
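Review bot: The custom `pg_hba` ends with `hostssl all all all md5`, which permits MD5 password authentication for every role from every address; PostgreSQL 14 defaults `password_encryption` to SCRAM and, as far as I recall, PGO's generated rules use `scram-sha-256` for this line. Change it to `- hostssl all all all scram-sha-256` and confirm existing role passwords were hashed with SCRAM before switching, otherwise those logins fail. The 1Gi data and 1Gi pgbackrest volumes are also tight for a repository-manager database with 7-day full retention; sizing them from values would let operators adjust without a template change.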
@@ -0,0 +1,261 @@
+# Default values for nexus-ce.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+replicaCount: 1
+
+image:
+ repository: sonatype/nexus3
+ pullPolicy: IfNotPresent
+ # Overrides the image tag whose default is the chart appVersion.
+ tag: "3.77.1"
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: "nexus-ce"
+
+# -- Initial Nexus CE admin password.
+nexusAdminPassword:
+ secret:
+ name: "nexus-admin-password"
+ key: "password"
+
+docker:
+ enabled: true
+ registries:
+ - host: nexus-ce-ci-container.eks-sandbox.aws.main.edp.projects.epam.com
+ port: 5000
+
+# -- This block configure database connections for Nexus CE.
+database:
+ # -- Name of the secret that contains the database credentials.
+ existigSecret: "nexus-ce-pguser-nexus-ce"
+ # -- This block configures the database connection secret fields name for Nexus CE.
+ keys:
+ dbname: "dbname"
+ url: "host"
+ username: "user"
+ password: "password"
+ port: "5432"
+ # -- Use PostgreSQL operator to create and manage database.
+ pgo:
+ enable: true
+
+persistentVolume:
+ enabled: true
+ # -- Access mode for the Persistent Volume.
+ accessMode: ReadWriteOnce
+ # -- Storage size for the Persistent Volume.
+ storageSize: 20Gi
+ # -- Storage class for the Persistent Volume.
+ storageClass: "ebs-sc"
+ # -- Existing Persistent Volume Claim.
+ existingClaim: ""
+
+serviceAccount:
+ # Specifies whether a service account should be created
+ create: true
+ # Annotations to add to the service account
+ annotations: #{}
+ # Add role annotation to use S3 blob store type
+ eks.amazonaws.com/role-arn: arn:aws:iam::093899590031:role/NexusS3BlobStorePolicy
+ # The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template
+ name: ""
+
+livenessProbe:
+ initialDelaySeconds: 0
+ periodSeconds: 60
+ timeoutSeconds: 1
+ failureThreshold: 6
+ path: /
+readinessProbe:
+ initialDelaySeconds: 0
+ periodSeconds: 60
+ timeoutSeconds: 1
+ failureThreshold: 6
+ path: /
+
+
+podAnnotations: {}
+
+podSecurityContext: {}
+ # fsGroup: 2000
+
+securityContext: {}
+ # capabilities:
+ # drop:
+ # - ALL
+ # readOnlyRootFilesystem: true
+ # runAsNonRoot: true
+ # runAsUser: 1000
+
+service:
+ type: ClusterIP
+ port: 8081
+
+ingress:
+ enabled: true
+ className: ""
+ annotations:
+ nginx.ingress.kubernetes.io/proxy-body-size: "900m"
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: "true"
+ hosts:
+ - host: nexus-ce-ci.eks-sandbox.aws.main.edp.projects.epam.com
+ paths:
+ - path: /
+ pathType: Prefix
+ tls: []
+ # - secretName: chart-example-tls
+ # hosts:
+ # - chart-example.local
+
+resources: {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+autoscaling:
+ enabled: false
+ minReplicas: 1
+ maxReplicas: 100
+ targetCPUUtilizationPercentage: 80
+ # targetMemoryUtilizationPercentage: 80
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+
+# Configuration for setting up resources in Keycloak to enable OIDC authentication.
+# Prerequisite: Ensure that the Keycloak Operator is installed and integrated with Keycloak.
+# Refer to the installation guide for the Keycloak Operator:
+# https://github.com/epam/edp-cluster-add-ons/tree/main/clusters/core/addons/keycloak-operator
+#
+# Additionally, necessary Keycloak resources such as realms, roles, and groups must be created
+# to support component functionality. This can be done using the provided add-ons or manually:
+# https://github.com/epam/edp-cluster-add-ons/tree/main/clusters/core/addons/kuberocketci-rbac
+oauth2-proxy:
+ enabled: true
+ config:
+ configFile: |-
+ allowed_roles = ["administrator", "developer"]
+ client_id = "nexus-ce"
+ code_challenge_method="S256"
+ cookie_csrf_expire="5m"
+ cookie_csrf_per_request="true"
+ cookie_secure = "false"
+ email_domains = [ "*" ]
+ insecure_oidc_allow_unverified_email = "true"
+ oidc_issuer_url = "https://idp.core.kuberocketci.io/realms/sandbox"
+ pass_access_token = "true"
+ pass_authorization_header = "true"
+ pass_basic_auth = "false"
+ provider = "keycloak-oidc"
+ redirect_url = "https://nexus-ce.eks-sandbox.aws.main.edp.projects.epam.com/oauth2/callback"
+ skip_jwt_bearer_tokens = "true"
+ upstreams = [ "http://nexus-ce:8081" ]
+ whitelist_domains = ["*"]
+ silence_ping_logging = "true"
+
+ existingSecret: oauth2-proxy
+
+ ingress:
+ enabled: true
+ hosts:
+ - nexus-ce.eks-sandbox.aws.main.edp.projects.epam.com
+
+
+ # Configure the session storage type, between cookie and redis
+ sessionStorage:
+ # Can be one of the supported session storage cookie|redis
+ type: cookie
+ redis:
+ # Name of the Kubernetes secret containing the redis & redis sentinel password values (see also `sessionStorage.redis.passwordKey`)
+ existingSecret: ""
+ # Redis password value. Applicable for all Redis configurations. Taken from redis subchart secret if not set. `sessionStorage.redis.existingSecret` takes precedence
+ password: ""
+ # Key of the Kubernetes secret data containing the redis password value. If you use the redis sub chart, make sure
+ # this password matches the one used in redis.global.redis.password (see below).
+ passwordKey: "redis-password"
+ # Can be one of standalone|cluster|sentinel
+ clientType: "standalone"
+ standalone:
+ # URL of redis standalone server for redis session storage (e.g. `redis://HOST[:PORT]`). Automatically generated if not set
+ connectionUrl: ""
+ cluster:
+ # List of Redis cluster connection URLs. Array or single string allowed.
+ connectionUrls: []
+ # - "redis://127.0.0.1:8000"
+ # - "redis://127.0.0.1:8001"
+ sentinel:
+ # Name of the Kubernetes secret containing the redis sentinel password value (see also `sessionStorage.redis.sentinel.passwordKey`). Default: `sessionStorage.redis.existingSecret`
+ existingSecret: ""
+ # Redis sentinel password. Used only for sentinel connection; any redis node passwords need to use `sessionStorage.redis.password`
+ password: ""
+ # Key of the Kubernetes secret data containing the redis sentinel password value
+ passwordKey: "redis-sentinel-password"
+ # Redis sentinel master name
+ masterName: ""
+ # List of Redis cluster connection URLs. Array or single string allowed.
+ connectionUrls: []
+ # - "redis://127.0.0.1:8000"
+ # - "redis://127.0.0.1:8001"
+
+ # Enables and configure the automatic deployment of the redis subchart
+ redis:
+ # provision an instance of the redis sub-chart
+ enabled: false
+ replica:
+ replicaCount: 1
+ # Redis specific helm chart settings, please see:
+ # https://github.com/bitnami/charts/tree/master/bitnami/redis#parameters
+ # global:
+ # redis:
+ # password: yourpassword
+ # If you install Redis using this sub chart, make sure that the password of the sub chart matches the password
+ # you set in sessionStorage.redis.password (see above).
+ # redisPort: 6379
+ # architecture: standalone
+
+
+
+
+
+
+
+# This section enables configuration for using External Secrets Operator (ESO) as the secret manager.
+# Prerequisite: Ensure that ESO is installed in the cluster.
+# Refer to the EDP cluster add-on for ESO installation and setup:
+# https://github.com/epam/edp-cluster-add-ons/tree/main/clusters/core/addons/external-secrets
+#
+# Ensure that you have created the necessary roles for ESO integration.
+# Follow the detailed instructions here:
+# https://docs.kuberocketci.io/docs/operator-guide/secrets-management/external-secrets-operator-integration#aws-parameter-store-scenario-in-kuberocketci
+eso:
+ # -- Install components of the ESO.
+ enabled: true
+ # -- Defines provider type. One of `aws` or `generic`.
+ type: "aws"
+ # -- Defines Secret Store name.
+ secretStoreName: "aws-parameterstore"
+ # -- Value name in AWS ParameterStore, AWS SecretsManager or other Secret Store.
+ secretName: "/edp/eks-sandbox/addons/nexus-ce"
+ # -- Role ARN for the ExternalSecretOperator to assume.
+ roleArn: arn:aws:iam::093899590031:role/AWSIRSASandboxExternalSecretOperatorAccess
+ # Defines Secret Store configuration. Used when eso.type is set to "generic".
+ generic:
+ secretStore:
+ # -- Defines SecretStore provider configuration.
+ providerConfig: {}
+ # gcpsm:
+ # projectID: "alphabet-123"
diff --git a/clusters/core/addons/nexus-operator/README.md b/clusters/core/addons/nexus-operator/README.md
index 7cf1853..d554841 100644
--- a/clusters/core/addons/nexus-operator/README.md
+++ b/clusters/core/addons/nexus-operator/README.md
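Review bot: `cookie_secure = "false"` in `oauth2-proxy.config.configFile` drops the Secure attribute from the session and CSRF cookies even though `redirect_url` and the ingress host are HTTPS, so a browser will also send them over a plaintext connection to the same host; set `cookie_secure = "true"` unless TLS is deliberately not terminated in front of the proxy. `whitelist_domains = ["*"]` is evidently meant to allow post-login redirects to any host, which would make the proxy an open redirector if oauth2-proxy honours a bare wildcard, and is dead configuration if it does not — either way replace it with the explicit Nexus hostname(s). Under `database.keys` every entry is documented as a secret field name, but `port: "5432"` holds a port value rather than a key name, and the sibling key is spelled `existigSecret`; both will be copied into whatever template reads them, so fix them before the chart is released. The defaults also embed environment-specific identifiers (the `eks-sandbox` hostnames and the AWS account id in `serviceAccount.annotations` and `eso.roleArn`); leaving those empty in the chart defaults and supplying them per cluster keeps the chart reusable.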
@@ -66,3 +66,7 @@ AWS Parameter Store structure:
 | eso.secretName | string | `"/infra/core/addons/nexus-operator"` | Value name in AWS ParameterStore, AWS SecretsManager or other Secret Store. |
 | eso.secretStoreName | string | `"aws-parameterstore"` | Defines Secret Store name. |
 | eso.type | string | `"aws"` | Defines provider type. One of `aws` or `generic`. |
+| storageType | object | `{"container":{"bucketName":"krci-container","type":"pvc"},"dotnet":{"bucketName":"krci-container","type":"pvc"},"maven":{"bucketName":"krci-container","type":"pvc"},"npm":{"bucketName":"krci-container","type":"pvc"},"python":{"bucketName":"krci-container","type":"pvc"},"region":"us-east-1","yum":{"bucketName":"krci-container","type":"pvc"}}` | To enable the S3 storage type, must be define role for Nexus service account. |
+| storageType.container.bucketName | string | `"krci-container"` | Defines the name of the S3 bucket. |
+| storageType.container.type | string | `"pvc"` | Could be one of the following: "pvc", "s3". |
+| storageType.region | string | `"us-east-1"` | Mandatory field for S3 storage type. |
diff --git a/clusters/core/addons/nexus-operator/templates/nexus/repository/container/krci-container-blobstore.yaml b/clusters/core/addons/nexus-operator/templates/nexus/repository/container/krci-container-blobstore.yaml
index 40fdcc9..e4cb5d9 100644
--- a/clusters/core/addons/nexus-operator/templates/nexus/repository/container/krci-container-blobstore.yaml
+++ b/clusters/core/addons/nexus-operator/templates/nexus/repository/container/krci-container-blobstore.yaml
@@ -1,3 +1,17 @@
+{{ if eq .Values.storageType.container.type "s3"}}
+apiVersion: edp.epam.com/v1alpha1
+kind: NexusBlobStore
+metadata:
+ name: krci-container
+spec:
+ s3:
+ bucket:
+ name: {{ .Values.storageType.container.bucketName }}
+ region: {{ .Values.storageType.region}}
+ name: krci-container
+ nexusRef:
+ name: nexus
+{{ else }}
 apiVersion: edp.epam.com/v1alpha1
 kind: NexusBlobStore
 metadata:
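Review bot: `{{ if eq .Values.storageType.container.type "s3"}}` falls through to the PVC branch for any value other than the exact string `s3`, so a typo such as `S3` silently yields a file-backed blob store although the README documents `type` as one of `"pvc"` or `"s3"`; changing `{{ else }}` to `{{ else if eq .Values.storageType.container.type "pvc" }}` and adding `{{ else }}{{ fail (printf "storageType.container.type must be pvc or s3, got %q" .Values.storageType.container.type) }}` before the `{{ end }}` (which sits in the second hunk of this file) turns the bad value into a render-time error. The templated scalars `name: {{ .Values.storageType.container.bucketName }}` and `region: {{ .Values.storageType.region}}` are emitted unquoted, so an empty or number-like value changes type in the rendered manifest; `{{ .Values.storageType.container.bucketName | quote }}` and `{{ .Values.storageType.region | quote }}` keep them strings. The same two points apply to the dotnet, maven, npm, python and yum blobstore templates in this commit.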
@@ -8,3 +22,4 @@ spec:
 path: krci-container
 nexusRef:
 name: nexus
+{{ end }}
\ No newline at end of file
diff --git a/clusters/core/addons/nexus-operator/templates/nexus/repository/dotnet/krci-dotnet-blobstore.yaml b/clusters/core/addons/nexus-operator/templates/nexus/repository/dotnet/krci-dotnet-blobstore.yaml
index 681a149..a348861 100644
--- a/clusters/core/addons/nexus-operator/templates/nexus/repository/dotnet/krci-dotnet-blobstore.yaml
+++ b/clusters/core/addons/nexus-operator/templates/nexus/repository/dotnet/krci-dotnet-blobstore.yaml
@@ -1,3 +1,17 @@
+{{ if eq .Values.storageType.dotnet.type "s3"}}
+apiVersion: edp.epam.com/v1alpha1
+kind: NexusBlobStore
+metadata:
+ name: krci-dotnet
+spec:
+ s3:
+ bucket:
+ name: {{ .Values.storageType.dotnet.bucketName }}
+ region: {{ .Values.storageType.region}}
+ name: krci-dotnet
+ nexusRef:
+ name: nexus
+{{ else }}
 apiVersion: edp.epam.com/v1alpha1
 kind: NexusBlobStore
 metadata:
@@ -8,3 +22,4 @@ spec:
 path: krci-dotnet
 nexusRef:
 name: nexus
+{{ end }}
\ No newline at end of file
diff --git a/clusters/core/addons/nexus-operator/templates/nexus/repository/maven/krci-maven-blobstore.yaml b/clusters/core/addons/nexus-operator/templates/nexus/repository/maven/krci-maven-blobstore.yaml
index 0c018a1..6b43f54 100644
--- a/clusters/core/addons/nexus-operator/templates/nexus/repository/maven/krci-maven-blobstore.yaml
+++ b/clusters/core/addons/nexus-operator/templates/nexus/repository/maven/krci-maven-blobstore.yaml
@@ -1,3 +1,17 @@
+{{ if eq .Values.storageType.maven.type "s3"}}
+apiVersion: edp.epam.com/v1alpha1
+kind: NexusBlobStore
+metadata:
+ name: krci-maven
+spec:
+ s3:
+ bucket:
+ name: {{ .Values.storageType.maven.bucketName }}
+ region: {{ .Values.storageType.region}}
+ name: krci-maven
+ nexusRef:
+ name: nexus
+{{ else }}
 apiVersion: edp.epam.com/v1alpha1
 kind: NexusBlobStore
 metadata:
@@ -8,3 +22,4 @@ spec:
 path: krci-maven
 nexusRef:
 name: nexus
+{{ end }}
\ No newline at end of file
diff --git a/clusters/core/addons/nexus-operator/templates/nexus/repository/npm/krci-npm-blobstore.yaml b/clusters/core/addons/nexus-operator/templates/nexus/repository/npm/krci-npm-blobstore.yaml
index 1d9b2e2..eb7cbb5 100644
--- a/clusters/core/addons/nexus-operator/templates/nexus/repository/npm/krci-npm-blobstore.yaml
+++ b/clusters/core/addons/nexus-operator/templates/nexus/repository/npm/krci-npm-blobstore.yaml
@@ -1,3 +1,17 @@
+{{ if eq .Values.storageType.npm.type "s3"}}
+apiVersion: edp.epam.com/v1alpha1
+kind: NexusBlobStore
+metadata:
+ name: krci-npm
+spec:
+ s3:
+ bucket:
+ name: {{ .Values.storageType.npm.bucketName }}
+ region: {{ .Values.storageType.region}}
+ name: krci-npm
+ nexusRef:
+ name: nexus
+{{ else }}
 apiVersion: edp.epam.com/v1alpha1
 kind: NexusBlobStore
 metadata:
@@ -8,3 +22,4 @@ spec:
 path: krci-npm
 nexusRef:
 name: nexus
+{{ end }}
\ No newline at end of file
diff --git a/clusters/core/addons/nexus-operator/templates/nexus/repository/python/krci-python-blobstore.yaml b/clusters/core/addons/nexus-operator/templates/nexus/repository/python/krci-python-blobstore.yaml
index 822976d..fab9b50 100644
--- a/clusters/core/addons/nexus-operator/templates/nexus/repository/python/krci-python-blobstore.yaml
+++ b/clusters/core/addons/nexus-operator/templates/nexus/repository/python/krci-python-blobstore.yaml
@@ -1,3 +1,17 @@
+{{ if eq .Values.storageType.python.type "s3"}}
+apiVersion: edp.epam.com/v1alpha1
+kind: NexusBlobStore
+metadata:
+ name: krci-python
+spec:
+ s3:
+ bucket:
+ name: {{ .Values.storageType.python.bucketName }}
+ region: {{ .Values.storageType.region}}
+ name: krci-python
+ nexusRef:
+ name: nexus
+{{ else }}
 apiVersion: edp.epam.com/v1alpha1
 kind: NexusBlobStore
 metadata:
@@ -8,3 +22,4 @@ spec:
 path: krci-python
 nexusRef:
 name: nexus
+{{ end }}
\ No newline at end of file
diff --git a/clusters/core/addons/nexus-operator/templates/nexus/repository/yum/krci-yum-blobstore.yaml b/clusters/core/addons/nexus-operator/templates/nexus/repository/yum/krci-yum-blobstore.yaml
index 60ffa8f..fa39b5d 100644
--- a/clusters/core/addons/nexus-operator/templates/nexus/repository/yum/krci-yum-blobstore.yaml
+++ b/clusters/core/addons/nexus-operator/templates/nexus/repository/yum/krci-yum-blobstore.yaml
@@ -1,3 +1,17 @@
+{{ if eq .Values.storageType.yum.type "s3"}}
+apiVersion: edp.epam.com/v1alpha1
+kind: NexusBlobStore
+metadata:
+ name: krci-yum
+spec:
+ s3:
+ bucket:
+ name: {{ .Values.storageType.yum.bucketName }}
+ region: {{ .Values.storageType.region}}
+ name: krci-yum
+ nexusRef:
+ name: nexus
+{{ else }}
 apiVersion: edp.epam.com/v1alpha1
 kind: NexusBlobStore
 metadata:
@@ -8,3 +22,4 @@ spec:
 path: krci-yum
 nexusRef:
 name: nexus
+{{ end }}
\ No newline at end of file
diff --git a/clusters/core/addons/nexus-operator/values.yaml b/clusters/core/addons/nexus-operator/values.yaml
index e70a848..5099b46 100644
--- a/clusters/core/addons/nexus-operator/values.yaml
+++ b/clusters/core/addons/nexus-operator/values.yaml
@@ -26,3 +26,28 @@ eso:
 providerConfig: {}
 # gcpsm:
 # projectID: "alphabet-123"
+
+# -- To enable the S3 storage type, must be define role for Nexus service account.
+storageType:
+ # -- Mandatory field for S3 storage type.
+ region: "us-east-1"
+ container:
+ # -- Could be one of the following: "pvc", "s3".
+ type: "pvc"
+ # -- Defines the name of the S3 bucket.
+ bucketName: "krci-container"
+ dotnet:
+ type: "pvc"
+ bucketName: "krci-container"
+ maven:
+ type: "pvc"
+ bucketName: "krci-container"
+ npm:
+ type: "pvc"
+ bucketName: "krci-container"
+ python:
+ type: "pvc"
+ bucketName: "krci-container"
+ yum:
+ type: "pvc"
+ bucketName: "krci-container"
\ No newline at end of file
diff --git a/clusters/core/apps/README.md b/clusters/core/apps/README.md
index 0cbcf20..30d6cb8 100644
--- a/clusters/core/apps/README.md
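Review bot: Every non-container format (`dotnet`, `maven`, `npm`, `python`, `yum`) in the new `storageType` block defaults `bucketName` to `krci-container`, so switching more than one of them to `s3` points several distinct Nexus blob stores at the root of the same bucket, while the PVC branch of each template keeps a per-format store; defaults of `krci-dotnet`, `krci-maven`, and so on would mirror the existing store names, or the comment should state that a shared bucket is intentional and how the stores are kept apart. Only `region`, `container.type` and `container.bucketName` carry `# --` doc comments, which is why the README hunk in this commit documents just those three; adding the same two comments under each other format keeps the generated table complete. The file still ends without a trailing newline.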
+++ b/clusters/core/apps/README.md
@@ -103,6 +103,9 @@ EDP Cluster Addons that extend the Kubernetes Cluster Functionality
 | minio-operator.createNamespace | bool | `false` | |
 | minio-operator.enable | bool | `false` | |
 | minio-operator.namespace | string | `"minio-operator"` | |
+| nexus-ce.createNamespace | bool | `false` | |
+| nexus-ce.enable | bool | `false` | |
+| nexus-ce.namespace | string | `"nexus"` | |
 | nexus-operator.createNamespace | bool | `false` | |
 | nexus-operator.enable | bool | `false` | |
 | nexus-operator.namespace | string | `"nexus"` | |
diff --git a/clusters/core/apps/templates/nexus-ce.yaml b/clusters/core/apps/templates/nexus-ce.yaml
new file mode 100644
index 0000000..ace9405
--- /dev/null
+++ b/clusters/core/apps/templates/nexus-ce.yaml
@@ -0,0 +1,29 @@
+{{- if and (index .Values "nexus-ce") (index .Values "nexus-ce" "enable") -}}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: {{ .Values.destinationServer}}-nexus-ce
+ namespace: {{ .Values.argoNamespace | default "argocd" }}
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+ source:
+ repoURL: {{ .Values.repoUrl }}
+ path: clusters/{{ .Values.clusterName }}/addons/nexus-ce
+ targetRevision: {{ .Values.targetRevision }}
+ helm:
+ releaseName: nexus-ce
+ destination:
+ name: {{ .Values.destinationServer | default "in-cluster" }}
+ namespace: {{ index .Values "nexus-ce" "namespace" }}
+ syncPolicy:
+ syncOptions:
+ - CreateNamespace={{ (index .Values "nexus-ce" "createNamespace") }}
+ retry:
+ limit: 1
+ backoff:
+ duration: 5s
+ factor: 2
+ maxDuration: 1m
+{{- end -}}
diff --git a/clusters/core/apps/values.yaml b/clusters/core/apps/values.yaml
index b9e53a0..b6701c0 100644
--- a/clusters/core/apps/values.yaml
+++ b/clusters/core/apps/values.yaml
@@ -183,7 +183,7 @@ minio-operator:
 enable: false
 namespace: minio-operator
 
-nexus:
+nexus-ce:
 createNamespace: false
 enable: false
 namespace: nexus
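Review bot: `name: {{ .Values.destinationServer}}-nexus-ce` in the new Argo CD Application uses the raw value, while `destination.name` a few lines below falls back with `| default "in-cluster"`; when `destinationServer` is unset the resource is rendered as `-nexus-ce`, a name the API server rejects because it starts with a hyphen. `name: {{ .Values.destinationServer | default "in-cluster" }}-nexus-ce` keeps the two fields consistent. The `nexus-ce`, `nexus-operator` and `nexus` entries in values.yaml now all target namespace `nexus`; if that is intentional, a one-line comment above `nexus-ce:` saying so would save the next reader from assuming a copy-paste slip.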
@@ -193,6 +193,11 @@ nexus-operator: enable: false namespace: nexus +nexus: + createNamespace: false + enable: false + namespace: nexus + # OAuth2 Proxy for tekton dashboard oauth2-proxy: createNamespace: false