diff --git a/nxrm-ha/README.md b/nxrm-ha/README.md
index b3a5cd3..4fe1bb0 100644
--- a/nxrm-ha/README.md
+++ b/nxrm-ha/README.md
@@ -106,7 +106,7 @@ The chart provides fours ways of injecting secrets into your Nexus Repository po
 - Set the `externalsecrets.secrets.database.providerSecretName` to the name of the secret containing your database credentials in your external secret store. E.g. if using AWS, this should be the name of the secret in your AWS Secrets Manager. If using Azure, this should be the name of the secret in your Azure Key Vault
 - Set the `externalsecrets.secrets.database.dbUserKey` to the name of the key in the secret which contains your database username.
 - Set the `externalsecrets.secrets.database.dbPasswordKey` to the name of the key in the secret which contains your database password.
- - Set the `externalsecrets.secrets.database.dbHostKey` to the name of the key in the secret which contains your database host.
+ - Set the `externalsecrets.secrets.database.dbHostKey` to the name of the key in the secret which contains your database host or exclude it if you don't have a key for the host in your external secret store.
 - Set the `externalsecrets.secrets.admin.providerSecretName` to the name of the secret containing your Nexus Repository admin password in your external secret store. E.g. if using AWS, this should be the name of the secret in your AWS Secrets Manager. If using Azure, this should be the name of the secret in your Azure Key Vault
 - Set the `externalsecrets.secrets.admin.adminPasswordKey` to the name of the key in the secret which contains your initial Nexus Repository admin password.
 - Set the `externalsecrets.secrets.license.providerSecretName` to the name of the secret containing your Nexus Repository license in your external secret store. E.g. if using AWS, this should be the name of the secret in your AWS Secrets Manager. If using Azure, this should be the name of the secret in your Azure Key Vault
@@ -169,6 +169,96 @@ AWS Secret Manager is disabled by default. If you would like to store your datab
 - You'll need an IAM role with necessary permissions and associate that IAM role with the service account used by your pods:
 - See [External secrets operator EKS service account credentials](https://external-secrets.io/latest/provider/aws-secrets-manager/#eks-service-account-credentials) for more details.
+##### Cert-Manager Configuration
+
+The `certmanager` section in `values.yaml` allows you to configure the integration with Cert-Manager for managing TLS certificates. Cert-Manager automates the issuance and renewal of certificates from various Certificate Authorities (CAs).
+
+Follow the [instructions](https://cert-manager.io/docs/tutorials/getting-started-aws-letsencrypt/) for AWS EKS on the cert-manager website to install and configure it. Once configured, you can enable the integration with the nxrm-ha helm chart by configuring the `certmanager.letsencrypt` section using the parameters below.
+
+##### Parameters
+
+| Parameter | Description | Default |
+|---------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------|
+| `certmanager.letsencrypt.dns01Challenge.serviceAccount.name` | The name of the service account for ACME DNS01 challenge | `cert-manager-acme-dns01` |
+| `certmanager.letsencrypt.dns01Challenge.serviceAccount.enabled` | Set to true to enable the service account for ACME DNS01 challenge | `false` |
+| `certmanager.letsencrypt.dns01Challenge.serviceAccount.annotations` | Annotations for the service account for ACME DNS01 challenge | `{}` |
+| `certmanager.letsencrypt.dns01Challenge.rbac.enabled` | Set to true to enable RBAC for the service account for ACME DNS01 challenge | `false` |
+| `certmanager.letsencrypt.dns01Challenge.rbac.role.name` | The name of the role for the service account for ACME DNS01 challenge | `cert-manager-acme-dns01-route53-tokenrequest` |
+| `certmanager.letsencrypt.dns01Challenge.rbac.roleBinding.name` | The name of the role binding for the service account for ACME DNS01 challenge | `cert-manager-acme-dns01-route53-tokenrequest` |
+
+##### Example Configuration
+
+```yaml
+certmanager:
+ letsencrypt:
+ enabled: true
+ dns01Challenge:
+ serviceAccount:
+ name: cert-manager-acme-dns01
+ enabled: true
+ annotations: {}
+ rbac:
+ enabled: true
+ role:
+ name: cert-manager-acme-dns01-route53-tokenrequest
+ roleBinding:
+ name: cert-manager-acme-dns01-route53-tokenrequest
+```
+
+In addition to the above configuration in your `values.yaml` you also need to configure the certificate section in your 
values.yaml. See the configuration table below for more details. Below is an example configuration for the certificate section in your values.yaml
+
+```yaml
+certificate:
+ apiVersion: cert-manager.io/v1
+ enabled: true
+ issuer:
+ enabled: true
+ group: cert-manager.io
+ kind: ClusterIssuer
+ name: letsencrypt-prod
+ spec:
+ acme:
+ server: https://acme-v02.api.letsencrypt.org/directory
+ email: email@example.com
+ privateKeySecretRef:
+ name: letsencrypt-prod
+ solvers:
+ - dns01:
+ route53:
+ region: us-east-1
+ role: arn:aws:iam::111111111111:role/cert-manager-acme-dns01
+ hostedZoneID: Z1234567890
+ accessKeyID: AWS_ACCESS_KEY_ID
+ secretAccessKeySecretRef:
+ name: route53-secret
+ key: AWS_SECRET_ACCESS_KEY
+ nexus:
+ enabled: true
+ name: nexusrepo-cert
+ commonName: www.nexusrepo.com
+ duration: 2160h0m0s # 90 days
+ renewBefore: 360h0m0s # 15 days
+ secretName: nexusrepo-example-cert-2048
+ revisionHistoryLimit: 1
+ privateKey:
+ enabled: true
+ algorithm: RSA
+ encoding: PKCS1
+ size: 2048
+ rotationPolicy: Always
+ usages:
+ - digital signature
+ - key encipherment
+ - server auth
+ dnsNames:
+ - www.nexusrepo.com
+ - nexusrepo.com
+ - dockerrepo1.nexusrepo.com
+ - dockerrepo2.nexusrepo.com
+ - dockerrepo3.nexusrepo.com
+```
+
+
 ### Azure
 * Set `azure.enabled` to `true`.
@@ -226,6 +316,62 @@ Azure Key Vault is disabled by default. If you would like to store your database
 * Set `secret.azure.nexusSecret.enabled` and `secret.nexusSecret.enabled` to true
 * Ensure `secret.aws.nexusSecret.enabled ` and `aws.secretmanager.enabled` are false
+##### Cert-Manager Configuration
+
+The `certmanager` section in `values.yaml` allows you to configure the integration with Cert-Manager for managing TLS certificates. Cert-Manager automates the issuance and renewal of certificates from various Certificate Authorities (CAs).
+
+Follow the [instructions](https://cert-manager.io/docs/tutorials/getting-started-aks-letsencrypt/) for Azure Kubernetes Service on the cert-manager website to install and configure it. Once configured, you can enable the integration with the nxrm-ha helm chart by configuring the certificate section in your values.yaml. See the configuration table below for more details.
+Below is an example configuration for Cert-Manager integration with the nxrm-ha helm chart.
+
+```yaml
+certificate:
+ apiVersion: cert-manager.io/v1
+ enabled: true
+ issuer:
+ enabled: true
+ group: cert-manager.io
+ kind: ClusterIssuer
+ name: letsencrypt-prod
+ spec:
+ acme:
+ server: https://acme-v02.api.letsencrypt.org/directory
+ email: email@example.com
+ privateKeySecretRef:
+ name: letsencrypt-prod
+ solvers:
+ - dns01:
+ azureDNS:
+ resourceGroupName: my-resource-group
+ subscriptionID: abcd1111-v511-1111-11ab-i111111yt111
+ hostedZoneName: nexusrepo.com
+ environment: AzurePublicCloud
+ managedIdentity:
+ clientID: 11111111-1111-1111-1111-111111111111
+ nexus:
+ enabled: true
+ name: nexusrepo-cert
+ commonName: www.nexusrepo.com
+ duration: 2160h0m0s # 90 days
+ renewBefore: 360h0m0s # 15 days
+ secretName: nexusrepo-example-cert-2048
+ revisionHistoryLimit: 1
+ privateKey:
+ enabled: true
+ algorithm: RSA
+ encoding: PKCS1
+ size: 2048
+ rotationPolicy: Always
+ usages:
+ - digital signature
+ - key encipherment
+ - server auth
+ dnsNames:
+ - www.nexusrepo.com
+ - nexusrepo.com
+ - dockerrepo1.nexusrepo.com
+ - dockerrepo2.nexusrepo.com
+ - dockerrepo3.nexusrepo.com
+```
 ##### External Secrets Operator
 - Ensure you have installed the [external secrets operator](https://external-secrets.io/latest/)
@@ -569,6 +715,56 @@ gcloud projects add-iam-policy-binding \
 --role="roles/iam.serviceAccountTokenCreator"
 ```
+##### Cert-Manager Configuration
+
+The `certmanager` section in `values.yaml` allows you to configure the integration with Cert-Manager for managing TLS certificates. Cert-Manager automates the issuance and renewal of certificates from various Certificate Authorities (CAs).
+
+Follow the [instructions](https://cert-manager.io/docs/tutorials/getting-started-with-cert-manager-on-google-kubernetes-engine-using-lets-encrypt-for-ingress-ssl/) for Google Kubernetes Service on the cert-manager website to install and configure it. Once configured, you can enable the integration with the nxrm-ha helm chart by configuring the certificate section in your values.yaml. See the configuration table below for more details. Below is an example configuration for Cert-Manager integration with the nxrm-ha helm chart.
+
+```yaml
+certificate:
+ apiVersion: cert-manager.io/v1
+ enabled: true
+ issuer:
+ enabled: true
+ group: cert-manager.io
+ kind: ClusterIssuer
+ name: letsencrypt-prod
+ spec:
+ acme:
+ server: https://acme-v02.api.letsencrypt.org/directory
+ email: email@example.com
+ privateKeySecretRef:
+ name: letsencrypt-prod
+ solvers:
+ - http01:
+ ingress:
+ name: web-ingress # See the documentation:https://cert-manager.io/docs/tutorials/getting-started-with-cert-manager-on-google-kubernetes-engine-using-lets-encrypt-for-ingress-ssl/ for GKE for more information about the configuration of your ingress
+ nexus:
+ enabled: true
+ name: nexusrepo-cert
+ commonName: www.nexusrepo.com
+ duration: 2160h0m0s # 90 days
+ renewBefore: 360h0m0s # 15 days
+ secretName: nexusrepo-example-cert-2048
+ revisionHistoryLimit: 1
+ privateKey:
+ enabled: true
+ algorithm: RSA
+ encoding: PKCS1
+ size: 2048
+ rotationPolicy: Always
+ usages:
+ - digital signature
+ - key encipherment
+ - server auth
+ dnsNames:
+ - www.nexusrepo.com
+ - nexusrepo.com
+ - dockerrepo1.nexusrepo.com
+ - 
dockerrepo2.nexusrepo.com + - dockerrepo3.nexusrepo.com +``` ### On-premises @@ -657,9 +853,6 @@ helm install nxha1 \ sonatype/nxrm-ha ``` ---- -## Nexus Secrets - --- ## Health Check 
@@ -694,168 +887,224 @@ After removing the deployment, ensure that the namespace created by the helm cha The following table lists the configurable parameters of the Nexus chart and their default values. -| Parameter | Description | Default | -|-------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------| -| `namespaces.nexusNs.enabled` | Whether a namespace should be created for the Kubernetes resources needed Nexus Repository pod(s) | `true` | -| `namespaces.nexusNs.name` | The namespace into which Kubernetes resources for Nexus Repository are installed into, if set to `''` the release namespace is used | `nexusrepo` | -| `namespaces.cloudwatchNs.enabled` | Whether a namespace should be created to install the Kubernetes resources needed by fluentbit | `false` | -| `namespaces.cloudwatchNs.name` | The namespace into which Kubernetes resources for fluentbit are installed when fluentbit is enabled | `amazon-cloudwatch` | -| `namespaces.externaldnsNs` | The namespace into which Kubernetes resources for externaldns are installed when externaldns is enabled | `nexus-externaldns` | -| `serviceAccount.enabled` | Whether or not to create a Kubernetes Service Account object | `false` | -| `serviceAccount.name` | The name of a Kubernetes Service Account object to create in order for Nexus Repository pods to access resources as needed | `nexus-repository-deployment-sa` | -| `serviceAccount.annotations` | Annotations for the Kubernetes Service Account object. 
| `null` | -| `azure.enabled` | Set this to true when installing this chart on Azure | `false` | -| `azure.keyvault.enabled` | Set this to true when installing this chart on Azure and you would like the Nexus Repository pod to pull database credentials and license from azure Key Vault | `false` | -| `aws.enabled` | Set this to true when installing this chart on AWS | `false` | -| `aws.clusterRegion` | The AWS region containing your Kubernetes cluster. | `us-east-1` | -| `aws.secretmanager.enabled` | Set this to true when installing this chart on AWS and you would like the Nexus Repository pod to pull database credentials and license from AWS Secret Manager | `false` | -| `aws.externaldns.enabled` | Set this to true when installing this chart on AWS and you would like to setup [externaldns](https://github.com/kubernetes-sigs/external-dns) | `false` | -| `aws.externaldns.domainFilter` | Domain filter for [externaldns](https://github.com/kubernetes-sigs/external-dns) | `example.com` | -| `aws.externaldns.awsZoneType` | The hosted zone type. See [externaldns](https://github.com/kubernetes-sigs/external-dns) | `private` | -| `aws.fluentbit.enabled` | Set this to true when installing this chart on AWS and you would like to install Fluentbit so that Nexus Repository logs can be sent to AWS Cloud Watch | `false` | -| `aws.fluentbit.fluentbitVersion` | The fluentbit version | `2.28.0` | -| `aws.fluentbit.clusterName` | The name of your Kubernetes cluster. This is required by fluentbit | `nxrm-nexus` | -| `statefulset.replicaCount` | The desired number of Nexus Repository pods | 3 | -| `statefulset.clustered` | Determines whether or not Nexus Repository should be run in clustered/HA mode. When this is set to false, the search differences [here](https://help.sonatype.com/repomanager3/planning-your-implementation/resiliency-and-high-availability/high-availability-deployment-options#HighAvailabilityDeploymentOptions-SearchFeatureDifferences) do not apply. 
| true | -| `statefulset.additionalVolumes` | Additional volumes to associate with the Nexus Repository container | `null` | -| `statefulset.additionalVolumeMounts` | Additional volume mounts for the additional volumes associated with the Nexus Repository container | `null` | -| `statefulset.additionalContainers` | Additional containers to associate with the Nexus Repository pod | `null` | -| `statefulset.annotations` | Annotations to enhance statefulset configuration | {} | -| `statefulset.podAnnotations` | Pod annotations | {} | -| `statefulset.nodeSelector` | Node selectors | {} | -| `statefulset.hostAliases` | Aliases for IPs in /etc/hosts | [] | -| `statefulset.postStart.command` | Command to run after starting the container | `null` | -| `statefulset.preStart.command` | Command to run before starting the container | `null` | -| `statefulset.initContainers` | Init containers to run before main containers | An init container which creates directories needed for logging and give the Nexus Repository user write permissions | -| `statefulset.container.image.repository` | The Nexus repository image registry URL | sonatype/nexus3 | -| `statefulset.container.image.nexusTag` | The Nexus repository image tag | latest | -| `statefulset.container.resources.requests.cpu` | The minimum cpu the Nexus repository pod can request | 4 | -| `statefulset.container.resources.requests.memory` | The minimum memory the Nexus repository pod can request | 8Gi | -| `statefulset.container.resources.limits.cpu` | The maximum cpu the Nexus repository pod may get. | 4 | -| `statefulset.container.resources.limits.memory` | The maximum memory the Nexus repository pod may get. 
| 8Gi | -| `statefulset.container.containerPort` | The Nexus Repository container's HTTP port | 8081 | -| `statefulset.container.pullPolicy` | The Nexus Repository docker image pull policy | IfNotPresent | -| `statefulset.container.terminationGracePeriod` | The time given for the pod to gracefully shut down | 120 seconds | -| `statefulset.container.env.nexusDBName` | The name of the PostgreSQL database to use. | nexus | -| `statefulset.container.env.nexusDBPort` | The database port of the PostgreSQL database to use. | 5432 | -| `statefulset.container.env.install4jAddVmParams` | Xmx and Xms settings for JVM | -Xms2703m -Xmx2703m | -| `statefulset.container.env.jdbcUrlParams` | Additional parameters to append to the database url. Expected format is `"?foo=bar&baz=foo"` | null | -| `statefulset.container.additionalEnv` | Additional environment variables for the Nexus Repository container. You can also use this setting to override a default env variable by specifying the same key/name as the default env variable you wish override. Specify this as a block of name and value pairs (e.g., "
additionalEnv:
- name: foo
value: bar
- name: foo2
value: bar2") | null | -| `statefulset.requestLogContainer.image.repository` | Image registry URL for a container which tails Nexus Repository's request log | busybox | -| `statefulset.requestLogContainer.image.tag` | Image tag for a container which tails Nexus Repository's request log | 1.33.1 | -| `statefulset.requestLogContainer.resources.requests.cpu` | The minimum cpu the request log container can request | 0.1 | -| `statefulset.requestLogContainer.resources.requests.memory` | The minimum memory the request log container can request | 256Mi | -| `statefulset.requestLogContainer.resources.limits.cpu` | The maximum cpu the request log container may get. | 0.2 | -| `statefulset.requestLogContainer.resources.limits.memory` | The maximum memory the request log container may get. | 512Mi | -| `statefulset.auditLogContainer.image.repository` | Image registry URL for a container which tails Nexus Repository's audit log | busybox | -| `statefulset.auditLogContainer.image.tag` | Image tagfor a container which tails Nexus Repository's audit log | 1.33.1 | -| `statefulset.auditLogContainer.resources.requests.cpu` | The minimum cpu the audit log container can request | 0.1 | -| `statefulset.auditLogContainer.resources.requests.memory` | The minimum memory the audit log container can request | 256Mi | -| `statefulset.auditLogContainer.resources.limits.cpu` | The maximum cpu the audit log container may get. | 0.2 | -| `statefulset.auditLogContainer.resources.limits.memory` | The maximum memory the reauditquest log container may get. 
| 512Mi | -| `statefulset.taskLogContainer.image.repository` | Image registry URL for a container which aggregates and tails Nexus Repository's task log | busybox | -| `statefulset.taskLogContainer.image.tag` | Image tag for a container which aggregates and tails Nexus Repository's task log | 1.33.1 | -| `statefulset.taskLogContainer.resources.requests.cpu` | The minimum cpu the task log container can request | 0.1 | -| `statefulset.taskLogContainer.resources.requests.memory` | The minimum memory the task log container can request | 256Mi | -| `statefulset.taskLogContainer.resources.limits.cpu` | The maximum cpu the task log container may get. | 0.2 | -| `statefulset.taskLogContainer.resources.limits.memory` | The maximum memory the task log container may get. | 512Mi | -| `statefulset.startupProbe.initialDelaySeconds` | StartupProbe initial delay | 0 | -| `statefulset.startupProbe.periodSeconds` | Seconds between polls | 10 | -| `statefulset.startupProbe.failureThreshold` | Number of attempts before failure | 180 | -| `statefulset.startupProbe.timeoutSeconds` | Time in seconds after liveness probe times out | 1 | -| `statefulset.startupProbe.path` | Path for StartupProbe | / | -| `statefulset.livenessProbe.initialDelaySeconds` | LivenessProbe initial delay | 0 | -| `statefulset.livenessProbe.periodSeconds` | Seconds between polls | 60 | -| `statefulset.livenessProbe.failureThreshold` | Number of attempts before failure | 6 | -| `statefulset.livenessProbe.timeoutSeconds` | Time in seconds after liveness probe times out | 1 | -| `statefulset.livenessProbe.path` | Path for LivenessProbe | / | -| `statefulset.readinessProbe.initialDelaySeconds` | ReadinessProbe initial delay | 0 | -| `statefulset.readinessProbe.periodSeconds` | Seconds between polls | 60 | -| `statefulset.readinessProbe.failureThreshold` | Number of attempts before failure | 6 | -| `statefulset.readinessProbe.timeoutSeconds` | Time in seconds after readiness probe times out | 1 | -| 
`statefulset.readinessProbe.path` | Path for ReadinessProbe | / | -| `statefulset.imagePullSecrets` | The pull secret for private image registries | `{}` | -| `ingress.enabled` | Whether or not to create the Ingress | false | -| `ingress.host` | Ingress host | `null` | -| `ingress.hostPath` | Path for ingress rules. | `/` | -| `ingress.dockerSubdomain` | Whether or not to add rules for docker subdomains | `false` | -| `ingress.defaultRule` | Whether or not to add a default rule for the Nexus Repository Ingress which forwards traffic to a Service object | `false` | -| `ingress.additionalRules` | Additional rules to add to the ingress | `null` | -| `ingress.incressClassName` | The ingress class name e.g., nginx, alb etc. | `null` | -| `ingress.tls.secretName` | The name of a Secret object in which to store the TLS secret for ingress | `null` | -| `ingress.tls.hosts` | A list of TLS hosts | `null` | -| `ingress.annotations` | Annotations for the Ingress object | `nil` | -| `storageClass.enabled` | Set to true if you'd like to create your own storage class for persistent volumes and persistent volume claims | `false` | -| `storageClass.name` | The name of a storage class object to create | `nexus-storage` | -| `storageClass.provisioner` | The name of a storage class provisioner | `provisionerName` | -| `storageClass.volumeBindingMode` | The volume binding mode for the storage class | `WaitForFirstConsumer` | -| `storageClass.reclaimPolicy` | The reclaim policy for any volumes which use this storage class | `Retain` | -| `storageClass.parameters` | Volume parameters for the storage class | `nil` | -| `storageClass.allowVolumeExpansion` | Whether or not to allow more storage to be claimed by a Persistent Volume Claim | `false` | -| `storageClass.mountOptions` | Mounting options for volumes using the storage class | `nil` | -| `pvc.accessMode` | The persistent volume claim access mode | ReadWriteOnce | -| `pvc.storage` | The volume size to request for storing Nexus logs | 
2Gi | -| `pvc.existingClaim` | The name of an existing Persistent Volume Claim to use for Nexus Repository data. **Important: This is only for single-instance deployments to provide resiliency. Do not use for high availability deployments.** | `null` | -| `pvc.volumeClaimTemplate.enabled` | You should set this property to true for cloud deployments in order to use dynamic volume provisioning to reserve volumes for Nexus Repository's logs. For on-premises deployment use [Local Persistence Volumen Static Provisioner](https://github.com/kubernetes-sigs/sig-storage-local-static-provisioner) to automatically create persistent volumes for pre-attached disks. | `false` | -| `service.annotations` | Common annotations for all Service objects (nexus, docker-registries, nexus-headless) | `{}` | -| `service.nexus.enabled` | Whether or not to create the Service object | `false` | -| `service.nexus.type` | The type of the Kubernetes Service | "NodePort" | -| `service.nexus.protocol` | The protocol | TCP | -| `service.nexus.port` | The port to listen for incoming requests | `80` | -| `service.headless.annotations` | Annotations for the headless service object | `{}` | -| `service.headless.publishNotReadyAddresses` | Whether or not the service to be discoverable even before the corresponding endpoints are ready | `true` | -| `service.nexus.targetPort` | The port to forward requests to | `8081` | - | `externalsecrets.enabled` | Set this to true if https://external-secrets.io/latest/ is installed in your Kubernetes cluster and you would like to use it for providing needed secrets to your Nexus Repository pods | | - | `externalsecrets.secretstore.spec` | Set this to the SecretStore configuration for your external secret store. See https://external-secrets.io/latest/ for examples. | | - | `externalsecrets.secrets.database.providerSecretName` | Set this to the name of the secret containing your database credentials in your external secret store. E.g. 
if using AWS, this should be the name of the secret in your AWS Secrets Manager. If using Azure, this should be the name of the secret in your Azure Key Vault | | - | `externalsecrets.secrets.database.dbUserKey` | Set this to the name of the key in the secret which contains your database username. | | - | `externalsecrets.secrets.database.dbPasswordKey` | Set this to the name of the key in the secret which contains your database password. | | - | `externalsecrets.secrets.database.dbHostKey` | Set this to the name of the key in the secret which contains your database host. | | - | `externalsecrets.secrets.admin.providerSecretName` | Set this to the name of the secret containing your Nexus Repository admin password in your external secret store. E.g. if using AWS, this should be the name of the secret in your AWS Secrets Manager. If using Azure, this should be the name of the secret in your Azure Key Vault | | - | `externalsecrets.secrets.admin.adminPasswordKey` | Set this to the name of the key in the secret which contains your which contains your initial Nexus Repository admin password. | | - | `externalsecrets.secrets.license.providerSecretName` | Set this to the name of the secret containing your Nexus Repository license in your external secret store. E.g. if using AWS, this should be the name of the secret in your AWS Secrets Manager. If using Azure, this should be the name of the secret in your Azure Key Vault | | -| `secret.secretProviderClass` | The secret provider class for Kubernetes secret store object. See [secret.yaml](templates%2Fsecret.yaml). Set this when using AWS Secret Manager or Azure Key Vault | secretProviderClass | -| `secret.provider` | The provider (e.g. azure, aws etc) for Kubernetes secret store object. Set this when using AWS Secret Manager or Azure Key Vault | provider | -| `secret.dbSecret.enabled` | Whether or not to install [database-secret.yaml](templates%2Fdatabase-secret.yaml). 
Set this to `false` when using AWS Secret Manager or Azure Key Vault | `false` | -| `secret.db.user` | The key for secret in AWS Secret manager or Azure Key Vault which contains the database user name. Otherwise if `secret.dbSecret.enabled` is true, set this to the database user name. | nxrm_db_user | -| `secret.db.user-alias` | Applicable to AWS Secret Manager only. An alias to use for the database user secret retrieved from AWS Secret manager. | nxrm_db_user_alias | -| `secret.db.password` | The key for secret in AWS Secret manager or Azure Key Vault which contains the database password. Otherwise if `secret.dbSecret.enabled` is true, set this to the database password. | nxrm_db_password | -| `secret.db.password-alias` | Applicable to AWS Secret Manager only. An alias to use for the database password secret retrieved from AWS Secret manager. | nxrm_db_password_alias | -| `secret.db.host` | The key for secret in AWS Secret manager or Azure Key Vault which contains the database host URL. Otherwise if `secret.dbSecret.enabled` is true, set this to the database host URL. | nxrm_db_host | -| `secret.db.host-alias` | Applicable to AWS Secret Manager only. An alias to use for the database host secret retrieved from AWS Secret manager. | nxrm_db_host_alias | -| `secret.nexusAdminSecret.enabled` | Whether or not to install [nexus-admin-secret.yaml](templates%2Fnexus-admin-secret.yaml). Set this to `false` when using AWS Secret Manager or Azure Key Vault. | `false` | -| `secret.nexusAdminSecret.adminPassword` | When `secret.nexusAdminSecret.enabled` is true, set this to the initial admin password for Nexus Repository. Otherwise ignore. | yourinitialnexuspassword | -| `secret.nexusAdmin.name` | The key for secret in AWS Secret manager or Azure Key Vault which contains the initial Nexus Repository admin password. 
Otherwise if `secret.nexusAdminSecret.enabled` is true, then set this to the name for [nexus-admin-secret.yaml](templates%2Fnexus-admin-secret.yaml) | `nexusAdminPassword` | -| `secret.nexusAdmin.alias` | Applicable to AWS Secret Manager only. An alias to use for the initial Nexus Repository admin password secret retrieved from AWS Secret manager. | `admin-nxrm-password-alias` | -| `secret.license.name` | The name for [license-config-mapping.yaml](templates%2Flicense-config-mapping.yaml) for storing Nexus Repository license. This is an alternative way of specifying your Nexus Repository Pro license. Use this option when not using Azure Key Vault or AWS Secret Manager | nexus-repo-license.lic | -| `secret.license.licenseSecret.enabled` | Whether or not to install [license-config-mapping.yaml](templates%2Flicense-config-mapping.yaml) | `false` | -| `secret.license.licenseSecret.file` | Name of the nexus file with path. Set this if you're not using AWS Secret Manager or Azure Key Vault to store your Nexus Repository Pro license. | your_license_file_with_full_path | -| `secret.license.licenseSecret.fileContentsBase64` | A base64 representation of your Nexus Repository Pro license. Set this if you're not using AWS Secret Manager or Azure Key Vault to store your Nexus Repository Pro license. | your_license_file_contents_in_base_64 | -| `secret.license.licenseSecret.mountPath` | The path where your Nexus Repository Pro license is mounted in the Nexus Repository container | /var/nexus-repo-license | -| `secret.nexusSecret.name` | The name of the [nexus-secret-mapping.yaml](templates%2Fnexus-secret-mapping.yaml) secret for storing Nexus Repository encryption secrets. 
| nexus-secret.json | -| `secret.nexusSecret.enabled` | Whether or not to install [nexus-secret-mapping.yaml](templates%2Fnexus-secret-mapping.yaml) secret | `false` | -| `secret.nexusSecret.secretKeyfile` | The name of a file which contains a JSON document of keys to be used for encryption | secretfileName | -| `secret.nexusSecret.mountPath` | The path where your JSON document of keys is mounted in the Nexus Repository container | /var/nexus-repo-secrets | -| `secret.azure.userAssignedIdentityID` | A managed identity or service principal that has `secrets management` access to the key vault. Only applicable if this chart is installed on Azure and you've stored database credentials, Nexus Repository initial admin password and your Nexus Repository Pro license in Azure Key Vault. | userAssignedIdentityID | -| `secret.azure.tenantId` | Your Azure tenant id. Only applicable if this chart is installed on Azure and you've stored database credentials, Nexus Repository initial admin password and your Nexus Repository Pro license in Azure Key Vault. | azureTenantId | -| `secret.azure.keyvaultName` | The name of the Azure Key vault containing database credentials and license. Only applicable if this chart is installed on Azure and you've stored database credentials, Nexus Repository initial admin password and your Nexus Repository Pro license in Azure Key Vault. | yourazurekeyvault | -| `secret.azure.useVMManagedIdentity` | Whether or not to use an Azure virtual machine managed identity. Only applicable if this chart is installed on Azure and you've stored database credentials, Nexus Repository initial admin password and your Nexus Repository Pro license in Azure Key Vault. | `true` | -| `secret.azure.usePodIdentity` | Whether or not to use pod identity. Only applicable if this chart is installed on Azure and you've stored database credentials, Nexus Repository initial admin password and your Nexus Repository Pro license in Azure Key Vault. 
| `false` | -| `secret.azure.nexusSecret.enabled` | Whether the nexus secrets file should be mounted from Azure key vault | `false` | -| `secret.aws.license.arn` | The Amazon Resource Name for your Nexus Repository Pro license secret stored in AWS Secrets Manager. Only applicable if this chart is installed on AWS and you've stored your Nexus Repository Pro license in AWS Secrets Manager. | `arn:aws:secretsmanager:us-east-1:000000000000:secret:nxrm-nexus-license` | -| `secret.aws.adminpassword.arn` | The Amazon Resource Name for the Nexus Repository initial admin secret stored in AWS Secrets Manager. Only applicable if this chart is installed on AWS and you've stored your Nexus Repository initial admin password in AWS Secrets Manager. | `arn:aws:secretsmanager:us-east-1:000000000000:secret:admin-nxrm-password` | -| `secret.aws.rds.arn` | The Amazon Resource Name for the database secrets stored in AWS Secrets Manager. Only applicable if this chart is installed on AWS and you've stored your database credentials in AWS Secrets Manager. | `arn: arn:aws:secretsmanager:us-east-1:000000000000:secret:nxrmrds-cred-nexus` | -| `secret.aws.nexusSecret.enabled` | Whether the nexus secrets file should be mounted from AWS secrets manager | `false` | -| `secret.aws.nexusSecret.arn` | The Amazon Resource Name for the nexus secret JSON secret stored in AWS secrets manager | `arn:aws:secretsmanager:us-east-1:000000000000:secret:nxrm-nexus-secrets-file` | | -| `nexus.securityContext.runAsUser` | The user to run the Nexus Repository pod as | `200` | -| `nexus.properties.override` | Whether or not to mount config map which contains overrides for default nexus properties | `false` | -| `nexus.properties.data` | A list of key and values to override default nexus.properties | `null` | -| `nexus.extraLabels` | Extra labels to apply to all objects | `{}` | -| `nexus.extraSelectorLabels` | Extra selector labels to apply to all services and Nexus Repository pods. 
See [services.yaml](templates%2Fservices.yaml) and [statefulset.yaml](templates%2Fstatefulset.yaml) | `{}` | -| `nexus.docker.enabled` | Whether or not to create a Kubernetes Service object for a given docker repository within Nexus Repository | `false` | -| `nexus.docker.type` | The type of the Kubernetes Service | `NodePort` | -| `nexus.docker.protocol` | The protocol | TCP | -| `nexus.docker.registries` | The docker registries to create ingresses and services for. See the [ingress.yaml](templates%2Fingress.yaml) and [services.yaml](templates%2Fservices.yaml) for how it's used | `null` | -| `config.enabled` | Enable and mount a config map containing arbitrary data i.e. key value pairs | `false` | -| `config.data` | The data for the config map | `{}` | -| `config.mountPath` | The file path to mount the config map into. Each key value pair in the config map is put on a separate line in the file | `/sonatype-nexus-conf` | +| Parameter | Description | Default | +|-----------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------| +| `namespaces.nexusNs.enabled` | Whether a namespace should be created for the Kubernetes resources needed Nexus Repository pod(s) | `true` | +| `namespaces.nexusNs.name` | The namespace into which Kubernetes resources for Nexus Repository are installed into, if set to `''` the release namespace is used | `nexusrepo` | +| `namespaces.cloudwatchNs.enabled` | Whether a namespace should be created to install the Kubernetes 
resources needed by fluentbit | `false` | +| `namespaces.cloudwatchNs.name` | The namespace into which Kubernetes resources for fluentbit are installed when fluentbit is enabled | `amazon-cloudwatch` | +| `namespaces.externaldnsNs` | The namespace into which Kubernetes resources for externaldns are installed when externaldns is enabled | `nexus-externaldns` | +| `certmanager.letsencrypt.dns01Challenge.serviceAccount.name` | The name of the service account for ACME DNS01 challenge | `cert-manager-acme-dns01` | +| `certmanager.letsencrypt.dns01Challenge.serviceAccount.enabled` | Set to true to enable the service account for ACME DNS01 challenge | `false` | +| `certmanager.letsencrypt.dns01Challenge.serviceAccount.annotations` | Annotations for the service account for ACME DNS01 challenge | `{}` | +| `certmanager.letsencrypt.dns01Challenge.rbac.enabled` | Set to true to enable RBAC for the service account for ACME DNS01 challenge | `false` | +| `certmanager.letsencrypt.dns01Challenge.rbac.role.name` | The name of the role for the service account for ACME DNS01 challenge | `cert-manager-acme-dns01-route53-tokenrequest` | +| `certmanager.letsencrypt.dns01Challenge.rbac.roleBinding.name` | The name of the role binding for the service account for ACME DNS01 challenge | `cert-manager-acme-dns01-route53-tokenrequest` | +| `serviceAccount.enabled` | Whether or not to create a Kubernetes Service Account object | `false` | +| `serviceAccount.name` | The name of a Kubernetes Service Account object to create in order for Nexus Repository pods to access resources as needed | `nexus-repository-deployment-sa` | +| `serviceAccount.annotations` | Annotations for the Kubernetes Service Account object. 
| `null` | +| `azure.enabled` | Set this to true when installing this chart on Azure | `false` | +| `azure.keyvault.enabled` | Set this to true when installing this chart on Azure and you would like the Nexus Repository pod to pull database credentials and license from azure Key Vault | `false` | +| `aws.enabled` | Set this to true when installing this chart on AWS | `false` | +| `aws.clusterRegion` | The AWS region containing your Kubernetes cluster. | `us-east-1` | +| `aws.secretmanager.enabled` | Set this to true when installing this chart on AWS and you would like the Nexus Repository pod to pull database credentials and license from AWS Secret Manager | `false` | +| `aws.externaldns.enabled` | Set this to true when installing this chart on AWS and you would like to setup [externaldns](https://github.com/kubernetes-sigs/external-dns) | `false` | +| `aws.externaldns.domainFilter` | Domain filter for [externaldns](https://github.com/kubernetes-sigs/external-dns) | `example.com` | +| `aws.externaldns.awsZoneType` | The hosted zone type. See [externaldns](https://github.com/kubernetes-sigs/external-dns) | `private` | +| `aws.fluentbit.enabled` | Set this to true when installing this chart on AWS and you would like to install Fluentbit so that Nexus Repository logs can be sent to AWS Cloud Watch | `false` | +| `aws.fluentbit.fluentbitVersion` | The fluentbit version | `2.28.0` | +| `aws.fluentbit.clusterName` | The name of your Kubernetes cluster. This is required by fluentbit | `nxrm-nexus` | +| `statefulset.replicaCount` | The desired number of Nexus Repository pods | 3 | +| `statefulset.clustered` | Determines whether or not Nexus Repository should be run in clustered/HA mode. When this is set to false, the search differences [here](https://help.sonatype.com/repomanager3/planning-your-implementation/resiliency-and-high-availability/high-availability-deployment-options#HighAvailabilityDeploymentOptions-SearchFeatureDifferences) do not apply. 
| true | +| `statefulset.additionalVolumes` | Additional volumes to associate with the Nexus Repository container | `null` | +| `statefulset.additionalVolumeMounts` | Additional volume mounts for the additional volumes associated with the Nexus Repository container | `null` | +| `statefulset.additionalContainers` | Additional containers to associate with the Nexus Repository pod | `null` | +| `statefulset.annotations` | Annotations to enhance statefulset configuration | {} | +| `statefulset.podAnnotations` | Pod annotations | {} | +| `statefulset.nodeSelector` | Node selectors | {} | +| `statefulset.hostAliases` | Aliases for IPs in /etc/hosts | [] | +| `statefulset.postStart.command` | Command to run after starting the container | `null` | +| `statefulset.preStart.command` | Command to run before starting the container | `null` | +| `statefulset.initContainers` | Init containers to run before main containers | An init container which creates directories needed for logging and give the Nexus Repository user write permissions | +| `statefulset.container.image.repository` | The Nexus repository image registry URL | sonatype/nexus3 | +| `statefulset.container.image.nexusTag` | The Nexus repository image tag | latest | +| `statefulset.container.resources.requests.cpu` | The minimum cpu the Nexus repository pod can request | 4 | +| `statefulset.container.resources.requests.memory` | The minimum memory the Nexus repository pod can request | 8Gi | +| `statefulset.container.resources.limits.cpu` | The maximum cpu the Nexus repository pod may get. | 4 | +| `statefulset.container.resources.limits.memory` | The maximum memory the Nexus repository pod may get. 
| 8Gi | +| `statefulset.container.containerPort` | The Nexus Repository container's HTTP port | 8081 | +| `statefulset.container.pullPolicy` | The Nexus Repository docker image pull policy | IfNotPresent | +| `statefulset.container.terminationGracePeriod` | The time given for the pod to gracefully shut down | 120 seconds | +| `statefulset.container.env.nexusDBName` | The name of the PostgreSQL database to use. | nexus | +| `statefulset.container.env.nexusDBPort` | The database port of the PostgreSQL database to use. | 5432 | +| `statefulset.container.env.install4jAddVmParams` | Xmx and Xms settings for JVM | -Xms2703m -Xmx2703m | +| `statefulset.container.env.dbHost` | Your database host or set it to null if you wish to source it from a secret i.e. `{{ template "nexus.name" . }}-dbsecret` | null | +| `statefulset.container.env.jdbcUrlParams` | Additional parameters to append to the database url. Expected format is `"?foo=bar&baz=foo"` | null | +| `statefulset.container.additionalEnv` | Additional environment variables for the Nexus Repository container. You can also use this setting to override a default env variable by specifying the same key/name as the default env variable you wish override. Specify this as a block of name and value pairs (e.g., "
additionalEnv:
- name: foo
value: bar
- name: foo2
value: bar2") | null | +| `statefulset.requestLogContainer.image.repository` | Image registry URL for a container which tails Nexus Repository's request log | busybox | +| `statefulset.requestLogContainer.image.tag` | Image tag for a container which tails Nexus Repository's request log | 1.33.1 | +| `statefulset.requestLogContainer.resources.requests.cpu` | The minimum cpu the request log container can request | 0.1 | +| `statefulset.requestLogContainer.resources.requests.memory` | The minimum memory the request log container can request | 256Mi | +| `statefulset.requestLogContainer.resources.limits.cpu` | The maximum cpu the request log container may get. | 0.2 | +| `statefulset.requestLogContainer.resources.limits.memory` | The maximum memory the request log container may get. | 512Mi | +| `statefulset.auditLogContainer.image.repository` | Image registry URL for a container which tails Nexus Repository's audit log | busybox | +| `statefulset.auditLogContainer.image.tag` | Image tagfor a container which tails Nexus Repository's audit log | 1.33.1 | +| `statefulset.auditLogContainer.resources.requests.cpu` | The minimum cpu the audit log container can request | 0.1 | +| `statefulset.auditLogContainer.resources.requests.memory` | The minimum memory the audit log container can request | 256Mi | +| `statefulset.auditLogContainer.resources.limits.cpu` | The maximum cpu the audit log container may get. | 0.2 | +| `statefulset.auditLogContainer.resources.limits.memory` | The maximum memory the reauditquest log container may get. 
| 512Mi | +| `statefulset.taskLogContainer.image.repository` | Image registry URL for a container which aggregates and tails Nexus Repository's task log | busybox | +| `statefulset.taskLogContainer.image.tag` | Image tag for a container which aggregates and tails Nexus Repository's task log | 1.33.1 | +| `statefulset.taskLogContainer.resources.requests.cpu` | The minimum cpu the task log container can request | 0.1 | +| `statefulset.taskLogContainer.resources.requests.memory` | The minimum memory the task log container can request | 256Mi | +| `statefulset.taskLogContainer.resources.limits.cpu` | The maximum cpu the task log container may get. | 0.2 | +| `statefulset.taskLogContainer.resources.limits.memory` | The maximum memory the task log container may get. | 512Mi | +| `statefulset.startupProbe.initialDelaySeconds` | StartupProbe initial delay | 0 | +| `statefulset.startupProbe.periodSeconds` | Seconds between polls | 10 | +| `statefulset.startupProbe.failureThreshold` | Number of attempts before failure | 180 | +| `statefulset.startupProbe.timeoutSeconds` | Time in seconds after liveness probe times out | 1 | +| `statefulset.startupProbe.path` | Path for StartupProbe | / | +| `statefulset.livenessProbe.initialDelaySeconds` | LivenessProbe initial delay | 0 | +| `statefulset.livenessProbe.periodSeconds` | Seconds between polls | 60 | +| `statefulset.livenessProbe.failureThreshold` | Number of attempts before failure | 6 | +| `statefulset.livenessProbe.timeoutSeconds` | Time in seconds after liveness probe times out | 1 | +| `statefulset.livenessProbe.path` | Path for LivenessProbe | / | +| `statefulset.readinessProbe.initialDelaySeconds` | ReadinessProbe initial delay | 0 | +| `statefulset.readinessProbe.periodSeconds` | Seconds between polls | 60 | +| `statefulset.readinessProbe.failureThreshold` | Number of attempts before failure | 6 | +| `statefulset.readinessProbe.timeoutSeconds` | Time in seconds after readiness probe times out | 1 | +| 
`statefulset.readinessProbe.path` | Path for ReadinessProbe | / | +| `statefulset.imagePullSecrets` | The pull secret for private image registries | `{}` | +| `ingress.name` | The name of the Ingress resource | false | +| `ingress.enabled` | Whether or not to create the Ingress | false | +| `ingress.host` | Ingress host | `null` | +| `ingress.hostPath` | Path for ingress rules. | `/` | +| `ingress.dockersubdomain` | Whether or not to add rules to the main ingress i.e. [ingress.yaml](templates%2Fingress.yaml) for docker subdomain routing | `false` | +| `ingress.dockersubdomains` | A list of subdomains for which rules should be added to the main ingress i.e. [ingress.yaml](templates%2Fingress.yaml) for docker subdomain routing | `null` | +| `ingress.subdomainWildcard` | Creates a wildcard rule in your ingress for docker subdomain routing | `null` | +| `ingress.defaultRule` | Whether or not to add a default rule for the main Ingress (i.e. [ingress.yaml](templates%2Fingress.yaml) ) which forwards traffic to a Service object | `false` | +| `ingress.additionalRules` | Additional rules to add to the ingress | `null` | +| `ingress.incressClassName` | The ingress class name e.g., nginx, alb etc. 
| `null` | +| `ingress.tls.secretName` | The name of a Secret object in which to store the TLS secret for ingress | `null` | +| `ingress.tls.hosts` | A list of TLS hosts | `null` | +| `ingress.annotations` | Annotations for the Ingress object | `nil` | +| `storageClass.enabled` | Set to true if you'd like to create your own storage class for persistent volumes and persistent volume claims | `false` | +| `storageClass.name` | The name of a storage class object to create | `nexus-storage` | +| `storageClass.provisioner` | The name of a storage class provisioner | `provisionerName` | +| `storageClass.volumeBindingMode` | The volume binding mode for the storage class | `WaitForFirstConsumer` | +| `storageClass.reclaimPolicy` | The reclaim policy for any volumes which use this storage class | `Retain` | +| `storageClass.parameters` | Volume parameters for the storage class | `nil` | +| `storageClass.allowVolumeExpansion` | Whether or not to allow more storage to be claimed by a Persistent Volume Claim | `false` | +| `storageClass.mountOptions` | Mounting options for volumes using the storage class | `nil` | +| `pvc.accessMode` | The persistent volume claim access mode | ReadWriteOnce | +| `pvc.storage` | The volume size to request for storing Nexus logs | 2Gi | +| `pvc.existingClaim` | The name of an existing Persistent Volume Claim to use for Nexus Repository data. **Important: This is only for single-instance deployments to provide resiliency. Do not use for high availability deployments.** | `null` | +| `pvc.volumeClaimTemplate.enabled` | You should set this property to true for cloud deployments in order to use dynamic volume provisioning to reserve volumes for Nexus Repository's logs. For on-premises deployment use [Local Persistence Volumen Static Provisioner](https://github.com/kubernetes-sigs/sig-storage-local-static-provisioner) to automatically create persistent volumes for pre-attached disks. 
| `false` | +| `service.annotations` | Common annotations for all Service objects (nexus, docker-registries, nexus-headless) | `{}` | +| `service.nexus.enabled` | Whether or not to create the Service object | `false` | +| `service.nexus.type` | The type of the Kubernetes Service | "NodePort" | +| `service.nexus.protocol` | The protocol | TCP | +| `service.nexus.port` | The port to listen for incoming requests | `80` | +| `service.headless.annotations` | Annotations for the headless service object | `{}` | +| `service.headless.publishNotReadyAddresses` | Whether or not the service to be discoverable even before the corresponding endpoints are ready | `true` | +| `service.nexus.targetPort` | The port to forward requests to | `8081` | +| `externalsecrets.enabled` | Set this to true if https://external-secrets.io/latest/ is installed in your Kubernetes cluster and you would like to use it for providing needed secrets to your Nexus Repository pods | | +| `externalsecrets.secretstore.name` | Set this to the name of the SecretStore configuration for your external secret store. | `nexus-secret-store` | +| `externalsecrets.secretstore.spec` | Set this to the SecretStore configuration for your external secret store. See https://external-secrets.io/latest/ for examples. | | +| `externalsecrets.secrets.nexusSecret.enabled` | Set this to true to enable the external secret for Nexus Repository secrets | `false` | +| `externalsecrets.secrets.nexusSecret.refreshInterval` | The interval at which the external secret should be refreshed | `1h` | +| `externalsecrets.secrets.nexusSecret.providerSecretName` | The name of the secret containing your Nexus Repository secrets in your external secret store | `nexus-secret.json` | +| `externalsecrets.secrets.nexusSecret.decodingStrategy` | The decoding strategy for the secret. 
For Azure, set this to `Base64` | `null` | +| `externalsecrets.secrets.database.refreshInterval` | The interval at which the external secret should be refreshed | `1h` | +| `externalsecrets.secrets.database.valueIsJson` | Set this to true if the secret value is in JSON format | `false` | +| `externalsecrets.secrets.database.providerSecretName` | Set this to the name of the secret containing your database credentials in your external secret store. E.g. if using AWS, this should be the name of the secret in your AWS Secrets Manager. If using Azure, this should be the name of the secret in your Azure Key Vault | | +| `externalsecrets.secrets.database.dbUserKey` | Set this to the name of the key in the secret which contains your database username. | | +| `externalsecrets.secrets.database.dbPasswordKey` | Set this to the name of the key in the secret which contains your database password. | | +| `externalsecrets.secrets.database.dbHostKey` | Set this to the name of the key in the secret which contains your database host or exclude it if you don't have a key for the host in your external secret store. | host | +| `externalsecrets.secrets.admin.refreshInterval` | The interval at which the external secret should be refreshed | `1h` | +| `externalsecrets.secrets.admin.valueIsJson` | Set this to true if the secret value is in JSON format | `false` | +| `externalsecrets.secrets.admin.providerSecretName` | Set this to the name of the secret containing your Nexus Repository admin password in your external secret store. E.g. if using AWS, this should be the name of the secret in your AWS Secrets Manager. If using Azure, this should be the name of the secret in your Azure Key Vault | | +| `externalsecrets.secrets.admin.adminPasswordKey` | Set this to the name of the key in the secret which contains your which contains your initial Nexus Repository admin password. 
| | +| `externalsecrets.secrets.license.providerSecretName` | Set this to the name of the secret containing your Nexus Repository license in your external secret store. E.g. if using AWS, this should be the name of the secret in your AWS Secrets Manager. If using Azure, this should be the name of the secret in your Azure Key Vault | | +| `externalsecrets.secrets.license.decodingStrategy` | The decoding strategy for the secret. Can be `Base64` | `null` | +| `externalsecrets.secrets.license.refreshInterval` | The interval at which the external secret should be refreshed | `1h` | +| `secret.secretProviderClass` | The secret provider class for Kubernetes secret store object. See [secret.yaml](templates%2Fsecret.yaml). Set this when using AWS Secret Manager or Azure Key Vault | secretProviderClass | +| `secret.provider` | The provider (e.g. azure, aws etc) for Kubernetes secret store object. Set this when using AWS Secret Manager or Azure Key Vault | provider | +| `secret.dbSecret.enabled` | Whether or not to install [database-secret.yaml](templates%2Fdatabase-secret.yaml). Set this to `false` when using AWS Secret Manager or Azure Key Vault | `false` | +| `secret.db.user` | The key for secret in AWS Secret manager or Azure Key Vault which contains the database user name. Otherwise if `secret.dbSecret.enabled` is true, set this to the database user name. | nxrm_db_user | +| `secret.db.user-alias` | Applicable to AWS Secret Manager only. An alias to use for the database user secret retrieved from AWS Secret manager. | nxrm_db_user_alias | +| `secret.db.password` | The key for secret in AWS Secret manager or Azure Key Vault which contains the database password. Otherwise if `secret.dbSecret.enabled` is true, set this to the database password. | nxrm_db_password | +| `secret.db.password-alias` | Applicable to AWS Secret Manager only. An alias to use for the database password secret retrieved from AWS Secret manager. 
| nxrm_db_password_alias | +| `secret.db.host` | The key for secret in AWS Secret manager or Azure Key Vault which contains the database host URL. Otherwise if `secret.dbSecret.enabled` is true, set this to the database host URL. | nxrm_db_host | +| `secret.db.host-alias` | Applicable to AWS Secret Manager only. An alias to use for the database host secret retrieved from AWS Secret manager. | nxrm_db_host_alias | +| `secret.nexusAdminSecret.enabled` | Whether or not to install [nexus-admin-secret.yaml](templates%2Fnexus-admin-secret.yaml). Set this to `false` when using AWS Secret Manager or Azure Key Vault. | `false` | +| `secret.nexusAdminSecret.adminPassword` | When `secret.nexusAdminSecret.enabled` is true, set this to the initial admin password for Nexus Repository. Otherwise ignore. | yourinitialnexuspassword | +| `secret.nexusAdmin.name` | The key for secret in AWS Secret manager or Azure Key Vault which contains the initial Nexus Repository admin password. Otherwise if `secret.nexusAdminSecret.enabled` is true, then set this to the name for [nexus-admin-secret.yaml](templates%2Fnexus-admin-secret.yaml) | `nexusAdminPassword` | +| `secret.nexusAdmin.alias` | Applicable to AWS Secret Manager only. An alias to use for the initial Nexus Repository admin password secret retrieved from AWS Secret manager. | `admin-nxrm-password-alias` | +| `secret.license.name` | The name for [license-config-mapping.yaml](templates%2Flicense-config-mapping.yaml) for storing Nexus Repository license. This is an alternative way of specifying your Nexus Repository Pro license. Use this option when not using Azure Key Vault or AWS Secret Manager | nexus-repo-license.lic | +| `secret.license.licenseSecret.enabled` | Whether or not to install [license-config-mapping.yaml](templates%2Flicense-config-mapping.yaml) | `false` | +| `secret.license.licenseSecret.file` | Name of the nexus file with path. 
Set this if you're not using AWS Secret Manager or Azure Key Vault to store your Nexus Repository Pro license. | your_license_file_with_full_path | +| `secret.license.licenseSecret.fileContentsBase64` | A base64 representation of your Nexus Repository Pro license. Set this if you're not using AWS Secret Manager or Azure Key Vault to store your Nexus Repository Pro license. | your_license_file_contents_in_base_64 | +| `secret.license.licenseSecret.mountPath` | The path where your Nexus Repository Pro license is mounted in the Nexus Repository container | /var/nexus-repo-license | +| `secret.nexusSecret.name` | The name of the [nexus-secret-mapping.yaml](templates%2Fnexus-secret-mapping.yaml) secret for storing Nexus Repository encryption secrets. | nexus-secret.json | +| `secret.nexusSecret.enabled` | Whether or not to install [nexus-secret-mapping.yaml](templates%2Fnexus-secret-mapping.yaml) secret | `false` | +| `secret.nexusSecret.secretKeyfile` | The name of a file which contains a JSON document of keys to be used for encryption | secretfileName | +| `secret.nexusSecret.mountPath` | The path where your JSON document of keys is mounted in the Nexus Repository container | /var/nexus-repo-secrets | +| `secret.azure.userAssignedIdentityID` | A managed identity or service principal that has `secrets management` access to the key vault. Only applicable if this chart is installed on Azure and you've stored database credentials, Nexus Repository initial admin password and your Nexus Repository Pro license in Azure Key Vault. | userAssignedIdentityID | +| `secret.azure.tenantId` | Your Azure tenant id. Only applicable if this chart is installed on Azure and you've stored database credentials, Nexus Repository initial admin password and your Nexus Repository Pro license in Azure Key Vault. | azureTenantId | +| `secret.azure.keyvaultName` | The name of the Azure Key vault containing database credentials and license. 
Only applicable if this chart is installed on Azure and you've stored database credentials, Nexus Repository initial admin password and your Nexus Repository Pro license in Azure Key Vault. | yourazurekeyvault | +| `secret.azure.useVMManagedIdentity` | Whether or not to use an Azure virtual machine managed identity. Only applicable if this chart is installed on Azure and you've stored database credentials, Nexus Repository initial admin password and your Nexus Repository Pro license in Azure Key Vault. | `true` | +| `secret.azure.usePodIdentity` | Whether or not to use pod identity. Only applicable if this chart is installed on Azure and you've stored database credentials, Nexus Repository initial admin password and your Nexus Repository Pro license in Azure Key Vault. | `false` | +| `secret.azure.nexusSecret.enabled` | Whether the nexus secrets file should be mounted from Azure key vault | `false` | +| `secret.aws.license.arn` | The Amazon Resource Name for your Nexus Repository Pro license secret stored in AWS Secrets Manager. Only applicable if this chart is installed on AWS and you've stored your Nexus Repository Pro license in AWS Secrets Manager. | `arn:aws:secretsmanager:us-east-1:000000000000:secret:nxrm-nexus-license` | +| `secret.aws.adminpassword.arn` | The Amazon Resource Name for the Nexus Repository initial admin secret stored in AWS Secrets Manager. Only applicable if this chart is installed on AWS and you've stored your Nexus Repository initial admin password in AWS Secrets Manager. | `arn:aws:secretsmanager:us-east-1:000000000000:secret:admin-nxrm-password` | +| `secret.aws.rds.arn` | The Amazon Resource Name for the database secrets stored in AWS Secrets Manager. Only applicable if this chart is installed on AWS and you've stored your database credentials in AWS Secrets Manager. 
| `arn: arn:aws:secretsmanager:us-east-1:000000000000:secret:nxrmrds-cred-nexus` | +| `secret.aws.nexusSecret.enabled` | Whether the nexus secrets file should be mounted from AWS secrets manager | `false` | +| `secret.aws.nexusSecret.arn` | The Amazon Resource Name for the nexus secret JSON secret stored in AWS secrets manager | `arn:aws:secretsmanager:us-east-1:000000000000:secret:nxrm-nexus-secrets-file` | | +| `nexus.securityContext.runAsUser` | The user to run the Nexus Repository pod as | `200` | +| `nexus.properties.override` | Whether or not to mount config map which contains overrides for default nexus properties | `false` | +| `nexus.properties.data` | A list of key and values to override default nexus.properties | `null` | +| `nexus.extraLabels` | Extra labels to apply to all objects | `{}` | +| `nexus.extraSelectorLabels` | Extra selector labels to apply to all services and Nexus Repository pods. See [services.yaml](templates%2Fservices.yaml) and [statefulset.yaml](templates%2Fstatefulset.yaml) | `{}` | +| `nexus.docker.enabled` | Whether or not to create a Kubernetes Service object for a given docker repository within Nexus Repository | `false` | +| `nexus.docker.createIngress` | Set to true to create an Ingress for each docker registry | `true` | +| `nexus.docker.exposeDockerPorts` | Set to true to expose HTTP ports on the container that are used by docker registries (i.e. `nexus.docker.registries`) | `true` | +| `nexus.docker.createDockerRulesOnMainIngress` | Set to true to create rules for docker registries on the main ingress ingress i.e. 
`ingress.name` ingress instead of having separate ingresses for the docker registries | `false` | +| `certificate.apiVersion` | The API version for the certificate resource | `cert-manager.io/v1` | +| `certificate.enabled` | Set to true to configure issuing and renewal of certificates using cert-manager | `false` | +| `certificate.issuer.enabled` | Set to true to enable the certificate issuer configuration | `false` | +| `certificate.issuer.group` | The group of the certificate issuer | `cert-manager.io` | +| `certificate.issuer.kind` | The kind of the certificate issuer | `ClusterIssuer` | +| `certificate.issuer.name` | The name of the certificate issuer | `demo-letsencrypt` | +| `certificate.issuer.spec.acme.server` | The ACME server URL for the certificate issuer | `https://certificate-issuer-server-url` | +| `certificate.issuer.spec.acme.email` | The email address for the ACME account | `email@example.com` | +| `certificate.issuer.spec.acme.privateKeySecretRef.name` | The name of the ClusterIssuer resource (see [cluster-issuer.yaml](templates%2Fcluster-issuer.yaml) ) | `letsencrypt-staging` | +| `certificate.issuer.spec.acme.solvers` | The solvers configuration for the ACME challenges | `[]` | +| `certificate.nexus.enabled` | Set to true to enable the Nexus certificate configuration | `false` | +| `certificate.nexus.name` | The name of the Certificate | `nexusrepo-cert` | +| `certificate.nexus.commonName` | The common name to associate with the certificate | `www.nexusrepo.com` | +| `certificate.nexus.duration` | The duration for which the certificate is valid | `2160h0m0s` | +| `certificate.nexus.renewBefore` | The duration before the certificate expiry when it should be renewed | `360h0m0s` | +| `certificate.nexus.secretName` | The name of the secret to store the certificate | `nexusrepo-example-cert-2048` | +| `certificate.nexus.revisionHistoryLimit` | The number of old certificate revisions to retain | `1` | +| `certificate.nexus.secretTemplate` | The 
template for the secret | `null` | +| `certificate.nexus.privateKey.enabled` | Set to true to enable the private key configuration | `false` | +| `certificate.nexus.privateKey.algorithm` | The algorithm for the private key | `null` | +| `certificate.nexus.privateKey.encoding` | The encoding for the private key | `null` | +| `certificate.nexus.privateKey.size` | The size of the private key | `null` | +| `certificate.nexus.privateKey.rotationPolicy` | The rotation policy for the private key | `Always` | +| `certificate.nexus.keystores` | The keystores configuration for the certificate | `null` | +| `certificate.nexus.usages` | The usages for the certificate | `["digital signature", "key encipherment", "server auth"]` | +| `certificate.nexus.subject` | The subject for the certificate | `null` | +| `certificate.nexus.dnsNames` | The DNS names for the certificate | `["www.nexusrepo.com", "nexusrepo.com", "dockerrepo1.nexusrepo.com", "dockerrepo2.nexusrepo.com", "dockerrepo3.nexusrepo.com"]` | +| `certificate.nexus.otherNames` | The other names for the certificate | `null` | +| `certificate.nexus.ipAddresses` | The IP addresses for the certificate | `null` | +| `certificate.nexus.emailAddresses` | The email addresses for the certificate | `null` | +| `certificate.nexus.uris` | The URIs for the certificate | `null` | +| `certificate.nexus.isCa` | Set to true if the certificate is a CA certificate | | +| `nexus.docker.type` | The type of the Kubernetes Service | `NodePort` | +| `nexus.docker.protocol` | The protocol | TCP | +| `nexus.docker.registries` | The docker registries to create ingresses and services for. See the [ingress.yaml](templates%2Fingress.yaml) and [services.yaml](templates%2Fservices.yaml) for how it's used | `null` | +| `config.enabled` | Enable and mount a config map containing arbitrary data i.e. key value pairs | `false` | +| `config.data` The data for the config map | `{}` | | +| `config.mountPath` | The file path to mount the config map into. 
 Each key value pair in the config map is put on a separate line in the file | `/sonatype-nexus-conf` |
diff --git a/nxrm-ha/templates/cert-manager-rbac b/nxrm-ha/templates/cert-manager-rbac
new file mode 100644
index 0000000..84d4c6b
--- /dev/null
+++ b/nxrm-ha/templates/cert-manager-rbac
@@ -0,0 +1,26 @@
+{{ if .Values.certmanager.letsencrypt.dns01Challenge.rbac.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ .Values.certmanager.letsencrypt.dns01Challenge.rbac.role.name }}
+ namespace: {{ .Values.namespaces.certmanagerNs.name }}
+rules:
+ - apiGroups: ['']
+ resources: ['serviceaccounts/token']
+ resourceNames: [ {{ .Values.certmanager.letsencrypt.dns01Challenge.serviceAccount.name | quote }} ]
+ verbs: ['create']
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ .Values.certmanager.letsencrypt.dns01Challenge.rbac.roleBinding.name }}
+ namespace: {{ .Values.namespaces.certmanagerNs.name }}
+subjects:
+ - kind: ServiceAccount
+ name: cert-manager
+ namespace: cert-manager
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ .Values.certmanager.letsencrypt.dns01Challenge.rbac.role.name }}
+{{ end }}
\ No newline at end of file
diff --git a/nxrm-ha/templates/certificate.yaml b/nxrm-ha/templates/certificate.yaml
new file mode 100644
index 0000000..8f0ba36
--- /dev/null
+++ b/nxrm-ha/templates/certificate.yaml
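Review bot: The RoleBinding subject hard-codes `namespace: cert-manager` (and the SA name `cert-manager`) while the Role it binds is created in `{{ .Values.namespaces.certmanagerNs.name }}`; with any other `certmanagerNs.name` the binding points at a subject that does not exist and the TokenRequest grant silently does nothing. Use `namespace: {{ .Values.namespaces.certmanagerNs.name }}` for the subject too, and consider exposing the controller's SA name as a value, since not every cert-manager install uses `cert-manager`. Scoping the Role to `serviceaccounts/token` with a single `resourceNames` entry is the right least-privilege shape and should be kept as is. The file also lacks the `.yaml` extension every other template in this diff has; Helm still renders it, but extension-keyed linters and editors will skip it.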
@@ -0,0 +1,87 @@
+{{- if .Values.certificate.enabled }}
+{{- if .Values.certificate.nexus.enabled }}
+apiVersion: {{ .Values.certificate.apiVersion }}
+kind: Certificate
+metadata:
+ name: {{ .Values.certificate.nexus.name }}
+ namespace: {{ default .Release.Namespace .Values.namespaces.nexusNs.name | quote }}
+spec:
+ secretName: {{ .Values.certificate.nexus.secretName }}
+ revisionHistoryLimit: {{ .Values.certificate.nexus.revisionHistoryLimit }}
+ {{ if .Values.certificate.nexus.secretTemplate }}
+ secretTemplate:
+ {{- with .Values.certificate.nexus.secretTemplate }}
+ {{ toYaml . | nindent 4 }}
+ {{- end }}
+ {{ end }}
+ {{ if .Values.certificate.nexus.privateKey.enabled }}
+ privateKey:
+ {{ if .Values.certificate.nexus.privateKey.algorithm }}
+ algorithm: {{ .Values.certificate.nexus.privateKey.algorithm }}
+ {{ end }}
+ {{ if .Values.certificate.nexus.privateKey.encoding }}
+ encoding: {{ .Values.certificate.nexus.privateKey.encoding }}
+ {{ end }}
+ {{ if .Values.certificate.nexus.privateKey.size }}
+ size: {{ .Values.certificate.nexus.privateKey.size }}
+ {{ end }}
+ {{ if .Values.certificate.nexus.privateKey.rotationPolicy }}
+ rotationPolicy: {{ .Values.certificate.nexus.privateKey.rotationPolicy }}
+ {{ end }}
+ {{ end }}
+ {{ if .Values.certificate.nexus.keystores }}
+ keystores:
+ {{- with .Values.certificate.nexus.keystores }}
+ {{ toYaml . | nindent 4 }}
+ {{- end }}
+ {{ end }}
+ duration: {{ .Values.certificate.nexus.duration }}
+ renewBefore: {{ .Values.certificate.nexus.renewBefore }}
+ isCA: {{ .Values.certificate.nexus.isCa }}
+ usages:
+ {{- with .Values.certificate.nexus.usages }}
+ {{ toYaml . | nindent 4 }}
+ {{- end }}
+ {{ if .Values.certificate.nexus.subject }}
+ subject:
+ {{- with .Values.certificate.nexus.subject }}
+ {{ toYaml . | nindent 4 }}
+ {{- end }}
+ {{ end }}
+ {{ if .Values.certificate.nexus.commonName }}
+ commonName: {{ .Values.certificate.nexus.commonName }}
+ {{ end }}
+ dnsNames:
+ {{- with .Values.certificate.nexus.dnsNames }}
+ {{ toYaml . | nindent 4 }}
+ {{- end }}
+ {{ if .Values.certificate.nexus.uris }}
+ uris:
+ {{- with .Values.certificate.nexus.uris }}
+ {{ toYaml . | nindent 4 }}
+ {{- end }}
+ {{ end }}
+ {{ if .Values.certificate.nexus.emailAddresses }}
+ emailAddresses:
+ {{- with .Values.certificate.nexus.emailAddresses }}
+ {{ toYaml . | nindent 4 }}
+ {{- end }}
+ {{ end }}
+ {{ if .Values.certificate.nexus.ipAddresses }}
+ ipAddresses:
+ {{- with .Values.certificate.nexus.ipAddresses }}
+ {{ toYaml . | nindent 4 }}
+ {{- end }}
+ {{ end }}
+ {{ if .Values.certificate.nexus.otherNames }}
+ otherNames:
+ {{- with .Values.certificate.nexus.otherNames }}
+ {{ toYaml . | nindent 4 }}
+ {{- end }}
+ {{ end }}
+ issuerRef:
+ name: {{ .Values.certificate.issuer.name }}
+ kind: {{ .Values.certificate.issuer.kind }}
+ group: {{ .Values.certificate.issuer.group }}
+{{ end }}
+{{ end }}
\ No newline at end of file
diff --git a/nxrm-ha/templates/cluster-issuer.yaml b/nxrm-ha/templates/cluster-issuer.yaml
new file mode 100644
index 0000000..1fa5560
--- /dev/null
+++ b/nxrm-ha/templates/cluster-issuer.yaml
@@ -0,0 +1,10 @@
+{{- if .Values.certificate.issuer.enabled }}
+apiVersion: {{ .Values.certificate.apiVersion }}
+kind: {{ .Values.certificate.issuer.kind }}
+metadata:
+ name: {{ .Values.certificate.issuer.name }}
+spec:
+ {{- with .Values.certificate.issuer.spec }}
+ {{ toYaml . | nindent 2 }}
+ {{ end }}
+{{ end }}
\ No newline at end of file
diff --git a/nxrm-ha/templates/docker-connector-ingress.yaml b/nxrm-ha/templates/docker-connector-ingress.yaml
new file mode 100644
index 0000000..c56b766
--- /dev/null
+++ b/nxrm-ha/templates/docker-connector-ingress.yaml
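Review bot: `isCA: {{ .Values.certificate.nexus.isCa }}` renders as an empty scalar (YAML null) whenever the value is unset; values.yaml in this diff sets it to `false` but the README row leaves the default blank, so a values file that omits it produces `isCA:` with no value. `isCA: {{ .Values.certificate.nexus.isCa | default false }}` keeps the rendered field explicit and still yields `false` for `false`. The `dnsNames:` key is emitted unconditionally while its items come from a `with` block, so an empty list renders the key as null instead of omitting it; wrapping it in the same `{{ if }}` guard used for `uris` and `emailAddresses` would be consistent. The non-trimming `{{ if }}`/`{{ end }}` lines leave blank lines in the output — harmless, but `{{- if }}`/`{{- end }}` would match cluster-issuer.yaml.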
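Review bot: The issuer takes its `kind` from `certificate.issuer.kind` but never sets `metadata.namespace`; that is right for the default `ClusterIssuer`, but if a user sets the kind to the namespaced `Issuer` it lands in the release namespace while certificate.yaml places the Certificate in `namespaces.nexusNs.name`, and the Certificate's `issuerRef` cannot resolve when the two differ. Either state in the values comment that only `ClusterIssuer` is supported, or emit `namespace: {{ default .Release.Namespace .Values.namespaces.nexusNs.name | quote }}` when the kind is `Issuer`. A values comment should also say that `spec.acme.privateKeySecretRef.name` names the Secret in which cert-manager stores the ACME account private key — it is not the issuer's own name, as the README row in this diff currently describes it.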
@@ -0,0 +1,45 @@ +{{- if .Values.nexus.docker.enabled }} +{{- if .Values.nexus.docker.createIngress }} +{{- $fullName := include "nexus.fullname" . -}} +{{- range $registry := .Values.nexus.docker.registries }} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + namespace: {{ default $.Release.Namespace $.Values.namespaces.nexusNs.name | quote }} + name: {{ $fullName | trunc 49 }}-docker-{{ $registry.port }} + labels: + {{- include "nexus.labels" $ | nindent 4 }} + {{- if $.Values.nexus.extraLabels }} + {{- with $.Values.nexus.extraLabels }} + {{ toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- with $registry.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if $.Values.ingress.ingressClassName }} + ingressClassName: {{ $.Values.ingress.ingressClassName }} + {{ end }} + {{- if $registry.enableTLS }} + tls: + - hosts: + - {{ $registry.host | quote }} + secretName: {{ $registry.secretName }} + {{ end }} + rules: + - host: {{ $registry.host }} + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: {{ $fullName | trunc 49 }}-docker-{{ $registry.port }} + port: + number: {{ $registry.port }} +--- +{{ end }} +{{ end }} +{{ end }} diff --git a/nxrm-ha/templates/eso-database-secrets.yaml b/nxrm-ha/templates/eso-database-secrets.yaml index 8a9858b..7c1dda3 100644 --- a/nxrm-ha/templates/eso-database-secrets.yaml +++ b/nxrm-ha/templates/eso-database-secrets.yaml @@ -36,6 +36,7 @@ spec: {{ else }} key: {{ .Values.externalsecrets.secrets.database.dbPasswordKey}} {{- end }} + {{ if .Values.externalsecrets.secrets.database.dbHostKey }} - secretKey: db-host remoteRef: {{- if .Values.externalsecrets.secrets.database.valueIsJson }} @@ -44,6 +45,7 @@ spec: {{ else }} key: {{ .Values.externalsecrets.secrets.database.dbHostKey}} {{- end }} + {{ end }} {{- end }} {{- end }} diff --git a/nxrm-ha/templates/external-dns.yaml b/nxrm-ha/templates/external-dns.yaml index 8736f3f..a6366fb 100644 
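Review bot: The `tls:` block is gated on `{{- if $registry.enableTLS }}`, so a registry entry that simply omits `enableTLS` now gets a plain-HTTP Ingress; the docker Ingress previously generated in ingress.yaml (removed later in this diff) always emitted `tls`, so existing values files lose TLS on upgrade with nothing in the render to flag it. Docker clients send registry credentials in the request, so TLS-on-unless-explicitly-disabled is the safer default: `{{- if or (not (hasKey $registry "enableTLS")) $registry.enableTLS }}`. Whichever default is chosen, the values.yaml comment on `registries` should state it and the new test file should cover the omitted-key case.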
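Review bot: With `dbHostKey` unset the `db-host` entry is skipped, but statefulset.yaml in this diff still reads `secretKeyRef: key: db-host` from the same `-dbsecret` unless `statefulset.container.env.dbHost` is set, and nothing in the visible hunks ties the two values together; a user who drops `dbHostKey` without setting `dbHost` presumably ends up with a pod that cannot start because the referenced key is missing. A one-line comment on `dbHostKey` in values.yaml such as `# if omitted, set statefulset.container.env.dbHost instead; the pod reads db-host from the secret otherwise` would make the coupling visible. The enclosing ExternalSecret spec starts and ends outside these hunks.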
--- a/nxrm-ha/templates/external-dns.yaml +++ b/nxrm-ha/templates/external-dns.yaml @@ -27,7 +27,7 @@ roleRef: name: external-dns subjects: - kind: ServiceAccount - name: {{ include "nexus.serviceAccountName" . }} + name: {{ .Values.serviceAccount.externaldns.name }} namespace: {{ .Values.namespaces.externaldnsNs | quote }} --- apiVersion: apps/v1 @@ -48,10 +48,10 @@ spec: labels: app.kubernetes.io/name: external-dns spec: - serviceAccountName: {{ include "nexus.serviceAccountName" . }} + serviceAccountName: {{ .Values.serviceAccount.externaldns.name }} containers: - name: external-dns - image: k8s.gcr.io/external-dns/external-dns:v0.11.0 + image: {{ .Values.externaldns.image }} args: - --source=service - --source=ingress diff --git a/nxrm-ha/templates/ingress.yaml b/nxrm-ha/templates/ingress.yaml index 7c19b32..463c3a2 100644 --- a/nxrm-ha/templates/ingress.yaml +++ b/nxrm-ha/templates/ingress.yaml @@ -10,16 +10,26 @@ metadata: {{- if .Values.nexus.extraLabels }} {{- with .Values.nexus.extraLabels }} {{ toYaml . | nindent 4 }} - {{- end }} - {{- end }} + {{- end }} # end with extra labels + {{- end }} # end if extra labels {{- with .Values.ingress.annotations }} annotations: {{- toYaml . | nindent 4 }} - {{- end }} + {{- end }} # end with annotations spec: {{- if .Values.ingress.ingressClassName }} ingressClassName: {{ .Values.ingress.ingressClassName }} - {{ end }} + {{ end }} # end if ingress class name + {{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} # end range hosts + secretName: {{ .secretName }} + {{- end }} # range tls + {{- end }} # end if tls rules: {{- if .Values.ingress.defaultRule }} {{- if .Values.ingress.host }} @@ -41,6 +51,7 @@ spec: {{ toYaml . | nindent 4 }} {{- end }} {{- if and .Values.ingress.host .Values.ingress.dockersubdomain }} + {{- if .Values.ingress.subdomainWildcard }} - host: "*.{{ .Values.ingress.host }}" http: paths: 
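Review bot: The image is now read from `externaldns.image`, whose default in values.yaml in this diff is `k8s.gcr.io/external-dns/external-dns:v0.13.1`; `k8s.gcr.io` is the deprecated registry host whose requests are redirected to `registry.k8s.io`, so a new default should reference `registry.k8s.io/external-dns/external-dns:v0.13.1` — the sample manifest bumped at the end of this diff has the same issue. A mutable tag also lets the image change underneath a released chart; a values comment showing the `name@sha256:<digest-placeholder>` form gives operators a way to pin it. The RoleBinding and pod now reference `.Values.serviceAccount.externaldns.name`, which serviceaccount.yaml creates only under its own conditions, so a values comment should say which flags must be on for that SA to exist.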
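Review bot: The trailing `# end with extra labels`, `# end if tls` and similar annotations sit outside the template actions, so they are written into the rendered manifest, and because each follows a `{{- end }}` that trims the preceding newline they attach to the end of the previous YAML line, e.g. `baz: bay # end with extra labels # end if extra labels`. YAML treats them as comments so nothing breaks, but they are noise in `helm template` output and in manifest diffs. Go template comments keep them out of the render: `{{- end }}{{/* end with extra labels */}}`.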
@@ -51,48 +62,26 @@ spec: name: {{ $fullName }} port: number: {{ .Values.service.nexus.port }} - {{- end }} - {{- if .Values.ingress.tls }} - tls: - {{- range .Values.ingress.tls }} - - hosts: - {{- range .hosts }} - - {{ . | quote }} - {{- end }} - secretName: {{ .secretName }} - {{- end }} - {{- end }} -{{- end}} + {{ else }} + {{ range $dockerSubDomain := .Values.ingress.dockersubdomains }} + - host: "{{ $dockerSubDomain }}" + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: {{ $fullName }} + port: + number: {{ $.Values.service.nexus.port }} + {{ end }} + {{ end }} + {{ end }} {{- if .Values.nexus.docker.enabled }} -{{ range $registry := .Values.nexus.docker.registries }} -{{- $fullName := include "nexus.fullname" $ -}} ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - namespace: {{ default $.Release.Namespace $.Values.namespaces.nexusNs.name | quote }} - name: {{ $fullName | trunc 49 }}-docker-{{ $registry.port }} - labels: - {{- include "nexus.labels" $ | nindent 4 }} - {{- if $.Values.nexus.extraLabels }} - {{- with $.Values.nexus.extraLabels }} - {{ toYaml . | nindent 4 }} - {{- end }} - {{- end }} - {{- with $registry.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - {{- if $.Values.ingress.ingressClassName }} - ingressClassName: {{ $.Values.ingress.ingressClassName }} - {{ end }} - tls: - - hosts: - - {{ $registry.host | quote }} - secretName: {{ $registry.secretName }} - rules: - - host: {{ $registry.host }} + {{- if .Values.nexus.docker.createDockerRulesOnMainIngress }} + {{ range $registry := .Values.nexus.docker.registries }} + {{- $fullName := include "nexus.fullname" $ -}} + - host: {{ $registry.host | quote }} http: paths: - path: / @@ -102,6 +91,7 @@ spec: name: {{ $fullName | trunc 49 }}-docker-{{ $registry.port }} port: number: {{ $registry.port }} ---- + {{ end }} +{{- end }} {{- end }} {{- end }} 
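Review bot: The docker host rules added under `createDockerRulesOnMainIngress` use only `$registry.host` and `$registry.port`; unlike docker-connector-ingress.yaml they ignore the per-registry `secretName`/`enableTLS`, so TLS for these hosts exists only when each host is also listed in `ingress.tls`, and a registry host absent from `ingress.tls` is served in clear text on the main ingress. Please state that in the values.yaml comment on `createDockerRulesOnMainIngress`, e.g. `# TLS for these hosts comes from ingress.tls; registries[].secretName/enableTLS apply only to dedicated ingresses`. The `{{- $fullName := include "nexus.fullname" $ -}}` inside the range re-evaluates the helper per registry and shadows the `$fullName` already used earlier in this file; hoisting it above the range, as docker-connector-ingress.yaml does, is cleaner.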
diff --git a/nxrm-ha/templates/serviceaccount.yaml b/nxrm-ha/templates/serviceaccount.yaml index c371daa..57cd689 100644 --- a/nxrm-ha/templates/serviceaccount.yaml +++ b/nxrm-ha/templates/serviceaccount.yaml @@ -19,4 +19,40 @@ metadata: annotations: {{- toYaml . | nindent 4 }} {{- end }} +--- +{{- if .Values.aws.externaldns.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.serviceAccount.externaldns.name }} + namespace: {{ .Values.namespaces.externaldnsNs }} + labels: {{- include "nexus.labels" . | nindent 4 }} + {{- if .Values.nexus.extraLabels }} + {{- with .Values.nexus.extraLabels }} + {{ toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- with .Values.serviceAccount.externaldns.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} +--- +{{- if .Values.certmanager.letsencrypt.dns01Challenge.serviceAccount.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.certmanager.letsencrypt.dns01Challenge.serviceAccount.name }} + namespace: {{ .Values.namespaces.certmanagerNs.name }} + labels: {{- include "nexus.labels" . | nindent 4 }} + {{- if .Values.nexus.extraLabels }} + {{- with .Values.nexus.extraLabels }} + {{ toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- with .Values.certmanager.letsencrypt.dns01Challenge.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} {{- end }} diff --git a/nxrm-ha/templates/statefulset.yaml b/nxrm-ha/templates/statefulset.yaml index a82f91d..a463c5e 100644 --- a/nxrm-ha/templates/statefulset.yaml +++ b/nxrm-ha/templates/statefulset.yaml @@ -85,7 +85,7 @@ spec: ports: - name: nexus-ui containerPort: {{ .Values.statefulset.container.containerPort }} - {{- if .Values.nexus.docker.enabled }} + {{- if and .Values.nexus.docker.enabled .Values.nexus.docker.exposeDockerPorts }} {{- range .Values.nexus.docker.registries }} - name: docker-{{ .port }} containerPort: {{ .port }} 
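Review bot: Both new ServiceAccounts are emitted inside a conditional whose opening `{{- if` is outside this hunk (the trailing context `{{- end }}` closes it), so enabling `aws.externaldns.enabled` or `certmanager.letsencrypt.dns01Challenge.serviceAccount.enabled` alone presumably renders nothing when that outer flag is off, while external-dns.yaml and cert-manager-rbac still reference the SA by name. A comment on those two values naming the outer flag they depend on, or moving the blocks into their own template files, avoids a Deployment or RoleBinding pointing at a missing SA. The `---` separators are placed before each `{{- if }}`, so a disabled block still yields an empty document; putting `---` inside the conditional keeps the output tidy.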
@@ -131,10 +131,14 @@ spec: name: {{ template "nexus.name" . }}-dbsecret key: db-user - name: DB_HOST + {{- if .Values.statefulset.container.env.dbHost }} + value: {{ .Values.statefulset.container.env.dbHost }} + {{ else }} valueFrom: secretKeyRef: name: {{ template "nexus.name" . }}-dbsecret key: db-host + {{- end }} - name: NEXUS_SECURITY_INITIAL_PASSWORD valueFrom: secretKeyRef: diff --git a/nxrm-ha/tests/docker-ingress_test.yaml b/nxrm-ha/tests/docker-ingress_test.yaml new file mode 100644 index 0000000..b3a76c2 --- /dev/null +++ b/nxrm-ha/tests/docker-ingress_test.yaml 
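Review bot: `value: {{ .Values.statefulset.container.env.dbHost }}` is emitted unquoted; a container env `value` must be a string, and a host that YAML does not read as a plain scalar (one containing `: ` or `#`, for example) breaks the manifest or changes the value. The chart already quotes namespace values with `| quote`, so use `value: {{ .Values.statefulset.container.env.dbHost | quote }}`. The enclosing container spec starts and ends outside this hunk.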
@@ -0,0 +1,141 @@ +suite: test docker connector ingress +templates: + - docker-connector-ingress.yaml +release: + name: "test-release" + namespace: "test-namespace" +chart: + version: "latest" + appVersion: latest +tests: + - it: should create docker ingress with a HTTP rule which has its host set + set: + ingress: + ingressClassName: nginx + nexus: + docker: + enabled: true + registries: + - host: chart.local + port: 5000 + secretName: registry-secret + targetPort: 8081 + annotations: + jar: box + super: ted + extraLabels: + foo: bar + baz: bay + + asserts: + - isKind: + of: Ingress + + - equal: + path: metadata.name + value: "test-release-nxrm-ha-docker-5000" + + - equal: + path: metadata.namespace + value: "nexusrepo" + + - equal: + path: metadata.labels + value: + app.kubernetes.io/instance: test-release + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: nxrm-ha + app.kubernetes.io/version: latest + helm.sh/chart: nxrm-ha-latest + foo: bar + baz: bay + + - equal: + path: metadata.annotations + value: + jar: box + super: ted + + - equal: + path: spec.ingressClassName + value: + nginx + + - equal: + path: spec.rules + value: + - host: "chart.local" + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: "test-release-nxrm-ha-docker-5000" + port: + number: 5000 + + - it: should create docker ingress TLS section + set: + ingress: + ingressClassName: nginx + nexus: + docker: + enabled: true + registries: + - host: chart.local + enableTLS: true + secretName: registry-secret + asserts: + - equal: + path: spec.tls[0].hosts + value: + - chart.local + + - equal: + path: spec.tls[0].secretName + value: registry-secret + + - it: should create docker ingress with no TLS section + set: + ingress: + ingressClassName: nginx + nexus: + docker: + enabled: true + registries: + - host: chart.local + port: 5000 + enableTLS: false + asserts: + - isKind: + of: Ingress + + - equal: + path: metadata.name + value: "test-release-nxrm-ha-docker-5000" + + 
- equal: + path: metadata.namespace + value: "nexusrepo" + + - isNull: + path: spec.tls + + - it: should create docker ingress in release namespace when namespaces.nexusNs.name is empty + set: + namespaces: + nexusNs: + name: "" + nexus: + docker: + enabled: true + registries: + - host: chart.local + port: 5000 + secretName: registry-secret + targetPort: 8081 + asserts: + - equal: + path: metadata.namespace + value: "test-namespace" \ No newline at end of file diff --git a/nxrm-ha/tests/ingress_test.yaml b/nxrm-ha/tests/ingress_test.yaml index 715d839..24fae40 100644 --- a/nxrm-ha/tests/ingress_test.yaml +++ b/nxrm-ha/tests/ingress_test.yaml @@ -351,6 +351,10 @@ tests: enabled: true host: example.com dockersubdomain: true + subdomainWildcard: false + dockersubdomains: + - dockerrepo1.example.com + - dockerrepo2.example.com defaultRule: true ingressClassName: nginx annotations: @@ -390,7 +394,17 @@ tests: name: "test-release-nxrm-ha" port: number: 80 - - host: "*.example.com" + - host: "dockerrepo1.example.com" + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: "test-release-nxrm-ha" + port: + number: 80 + - host: "dockerrepo2.example.com" http: paths: - path: / 
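Review bot: The TLS cases cover `enableTLS: true` and `enableTLS: false` but not a registry entry that omits `enableTLS`, which is what values files written against the previous ingress.yaml (where `tls` was unconditional) look like; whatever default the template is meant to have, add a case such as `- it: should render docker ingress TLS section when enableTLS is omitted` asserting the presence or absence of `spec.tls`. The `metadata.namespace` assertions expect `nexusrepo`, which is not set in the test and presumably comes from values.yaml, so they will break silently if that default changes.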
@@ -400,7 +414,78 @@ tests: name: "test-release-nxrm-ha" port: number: 80 + - equal: + path: metadata.labels + value: + app.kubernetes.io/instance: test-release + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: nxrm-ha + app.kubernetes.io/version: latest + helm.sh/chart: nxrm-ha-latest + foo: bar + baz: bay + + - equal: + path: metadata.annotations + value: + jar: box + super: ted + + - it: nexus ingress should have a default and wildcard docker subdomain routing rules + set: + ingress: + enabled: true + host: example.com + dockersubdomain: true + defaultRule: true + ingressClassName: nginx + annotations: + jar: box + super: ted + nexus: + extraLabels: + foo: bar + baz: bay + asserts: + - isKind: + of: Ingress + - equal: + path: metadata.name + value: "test-release-nxrm-ha" + + - equal: + path: metadata.namespace + value: "nexusrepo" + + - equal: + path: spec.ingressClassName + value: + nginx + + - equal: + path: spec.rules + value: + - host: "example.com" + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: "test-release-nxrm-ha" + port: + number: 80 + - host: "*.example.com" + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: "test-release-nxrm-ha" + port: + number: 80 - equal: path: metadata.labels value: 
@@ -469,81 +554,6 @@ tests: path: spec.tls[1].secretName value: tlsSecretName2 - - it: should create docker ingress with a HTTP rule which has its host set - set: - ingress: - ingressClassName: nginx - nexus: - docker: - enabled: true - registries: - - host: chart.local - port: 5000 - secretName: registry-secret - targetPort: 8081 - annotations: - jar: box - super: ted - extraLabels: - foo: bar - baz: bay - - asserts: - - isKind: - of: Ingress - - - equal: - path: metadata.name - value: "test-release-nxrm-ha-docker-5000" - - - equal: - path: metadata.namespace - value: "nexusrepo" - - - equal: - path: metadata.labels - value: - app.kubernetes.io/instance: test-release - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: nxrm-ha - app.kubernetes.io/version: latest - helm.sh/chart: nxrm-ha-latest - foo: bar - baz: bay - - - equal: - path: metadata.annotations - value: - jar: box - super: ted - - - equal: - path: spec.ingressClassName - value: - nginx - - - equal: - path: spec.rules - value: - - host: "chart.local" - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: "test-release-nxrm-ha-docker-5000" - port: - number: 5000 - - equal: - path: spec.tls[0].hosts - value: - - chart.local - - - equal: - path: spec.tls[0].secretName - value: registry-secret - - it: should create nexus ingress in release namespace when namespaces.nexusNs.name is empty set: namespaces: @@ -555,21 +565,3 @@ tests: - equal: path: metadata.namespace value: "test-namespace" - - - it: should create docker ingress in release namespace when namespaces.nexusNs.name is empty - set: - namespaces: - nexusNs: - name: "" - nexus: - docker: - enabled: true - registries: - - host: chart.local - port: 5000 - secretName: registry-secret - targetPort: 8081 - asserts: - - equal: - path: metadata.namespace - value: "test-namespace" \ No newline at end of file diff --git a/nxrm-ha/tests/statefulset_test.yaml b/nxrm-ha/tests/statefulset_test.yaml index c4c54e4..211a02f 100644 
--- a/nxrm-ha/tests/statefulset_test.yaml +++ b/nxrm-ha/tests/statefulset_test.yaml @@ -1125,3 +1125,34 @@ tests: value: - name: nexus-data mountPath: /nexus-data + + - it: should set DB_HOST from container.env.dbHost when specified + template: statefulset.yaml + set: + statefulset: + container: + env: + dbHost: mydatabasehost.foo.com + asserts: + - isKind: + of: StatefulSet + - equal: + path: spec.template.spec.containers[0].env[3] + value: + name: DB_HOST + value: mydatabasehost.foo.com + + + - it: should set DB_HOST from dbsecret when container.env.dbHost is null + template: statefulset.yaml + asserts: + - isKind: + of: StatefulSet + - equal: + path: spec.template.spec.containers[0].env[3] + value: + name: DB_HOST + valueFrom: + secretKeyRef: + key: db-host + name: nxrm-ha-dbsecret diff --git a/nxrm-ha/values.yaml b/nxrm-ha/values.yaml index ed65edc..4478427 100644 --- a/nxrm-ha/values.yaml +++ b/nxrm-ha/values.yaml @@ -7,6 +7,28 @@ namespaces: enabled: false name: amazon-cloudwatch externaldnsNs: nexus-externaldns + certmanagerNs: + name: "cert-manager" +externaldns: + image: k8s.gcr.io/external-dns/external-dns:v0.13.1 +certmanager: + letsencrypt: + # service account details for ACME DNS01 challenge + # See https://letsencrypt.org/docs/challenge-types/#dns-01-challenge for more information + # See https://cert-manager.io/docs/tutorials/getting-started-aws-letsencrypt/#create-an-iam-role-and-associate-it-with-a-kubernetes-service-account for AWS example + dns01Challenge: + serviceAccount: + name: "cert-manager-acme-dns01" # service account for ACME DNS01 challenge + enabled: false + annotations: + eks.amazonaws.com/role-arn: arn:aws:iam::000000000000:role/cert-manager-acme-dns01 + rbac: + enabled: false + role: + name: cert-manager-acme-dns01-route53-tokenrequest + roleBinding: + name: cert-manager-acme-dns01-route53-tokenrequest + serviceAccount: enabled: false name: nexus-repository-deployment-sa #This service account in managed by Helm 
@@ -16,6 +38,10 @@ serviceAccount: # and secrets manager is enabled then this role should have permissions for using secret manager. # If using externaldns, role with route53 permissions needed by external-dns # eks.amazonaws.com/role-arn: arn:aws:iam::000000000000:role/nxrm-nexus-role + externaldns: + name: nexus-repository-dev-ha-externaldns + annotations: + eks.amazonaws.com/role-arn: arn:aws:iam::000000000000:role/external-dns-role azure: enabled: false #set to true to enable azure specific yamls/snippets keyvault: @@ -27,7 +53,7 @@ aws: enabled: false # set to true to pull license, db and nexus admin password secrets from aws secret manager externaldns: enabled: false - domainFilter: example.com #your root domain e.g example.com + domainFilter: nexusrepo.com #your root domain e.g nexusrepo.com awsZoneType: private # hosted zone to look at (valid values are public, private or no value for both) fluentbit: enabled: false #set this to true to enable sending of logs to CloudWatch @@ -49,8 +75,8 @@ statefulset: hostAliases: [] # - ip: "192.168.1.10" # hostnames: - # - "example.com" - # - "www.example.com" + # - "nexusrepo.com" + # - "www.nexusrepo.com" # Uncomment and modify this to run a command after starting the nexus container. postStart: @@ -108,6 +134,7 @@ statefulset: install4jAddVmParams: "-Xms2703m -Xmx2703m" jdbcUrlParams: null # Must start with a '?' e.g. "?foo=bar&baz=foo" zeroDowntimeEnabled: false + dbHost: null # Set this to the host of your database or set to null if you want to source it from {{ template "nexus.name" . }}-dbsecret additionalEnv: null requestLogContainer: image: 
@@ -164,17 +191,29 @@ statefulset: ingress: name: "nexus-ingress" enabled: false - host: null #host to apply this ingress rule to e.g. example.com. Set it as you wish + host: null # host to apply this ingress rule to e.g. www.nexusrepo.com. Set it as you wish. must match hosts in tls section hostPath: / - dockersubdomain: false # uncomment this if you'd like to create a wildcard rule in your ingress for docker sub domain routing. This will result in the creation of routing rules in your load balancer for sub domains of your host. Thus, you must also set the host + dockersubdomain: false + dockersubdomains: +# - dockerrepo1.nexusrepo.com +# - dockerrepo2.nexusrepo.com +# - dockerrepo3.nexusrepo.com + subdomainWildcard: true # Creates a wildcard rule in your ingress for docker subdomain routing. This will result in the creation of routing rules in your load balancer for sub domains of your host. Thus, you must also set the host defaultRule: false additionalRules: null ingressClassName: null # e.g. nginx, alb # tls: +# - secretName: "nexusrepo-example-cert-2048" The name of the secret to store the certificate. Use this same name for the certificate.nexus.secretName to secure the certificate with this certificate +# hosts: +# - www.nexusrepo.com must match hosts in ingress.host +# - nexusrepo.com you can put an additional rule which routes to the same backend service for this host as well +# - dockerrepo1.nexusrepo.com +# - dockerrepo2.nexusrepo.com +# - dockerrepo3.nexusrepo.com # - secretName: "tlsSecretName1" # hosts: -# - repo.foo1 -# - repo.bar1 +# - repo.foo2 +# - repo.bar2 # - secretName: "tlsSecretName2" # hosts: # - repo.foo2 
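Review bot: The commented `tls` example carries its explanations on the same line as the values without a second `#`, e.g. `# - secretName: "nexusrepo-example-cert-2048" The name of the secret to store the certificate...` and `# - www.nexusrepo.com must match hosts in ingress.host`; when a user uncomments these lines the prose becomes part of the YAML — text after a closing quote is a parse error, and `www.nexusrepo.com must match hosts in ingress.host` becomes the host string, so no Secret or host matches and the ingress has no usable TLS entry. Move each explanation onto its own `#` line above the value, or append it as ` # ...`. `dockersubdomains:` with only commented children renders as null, which the template tolerates, but `dockersubdomains: []` would make the default explicit.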
@@ -182,12 +221,14 @@ ingress: annotations: # Note: the annotations below are just a guide; delete or insert more as needed depending on your use case: aws, azure, on prem # nginx.ingress.kubernetes.io/ssl-redirect: "false" -# alb.ingress.kubernetes.io/scheme: internal # scheme +# nginx.ingress.kubernetes.io/proxy-body-size: "0" # For docker push to work when using nginx. See https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#custom-max-body-size for more info + # alb.ingress.kubernetes.io/scheme: internal # scheme # alb.ingress.kubernetes.io/subnets: subnet-1,subnet-2 #comma separated list of subnet ids # alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]' # alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:0000000000000:certificate/00000000-1111-2222-3333-444444444444 # The AWS Certificate Manager ARN for your HTTPS certificate # alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:0000000000000:certificate/00000000-1111-2222-3333-444444444444 # Comment out if you don't use docker repositories - The AWS Certificate Manager ARN for your HTTPS certificate -# external-dns.alpha.kubernetes.io/hostname: dockerrepo1.example.com, dockerrepo2.example.com, dockerrepo3.example.com +# external-dns.alpha.kubernetes.io/hostname: dockerrepo1.nexusrepo.com, dockerrepo2.nexusrepo.com, dockerrepo3.nexusrepo.com + # acme.cert-manager.io/http01-edit-in-place: "true" #See https://cert-manager.io/docs/usage/certificate/#issuance-behavior-temporary-certificates-while-issuing logStorage: tailSecondaryLogs: true combineTaskLogs: true 
@@ -337,14 +378,92 @@ nexus: extraSelectorLabels: {} docker: enabled: false + createIngress: true #set to true to create dedicated ingresses for docker connector + exposeDockerPorts: true + createDockerRulesOnMainIngress: false type: NodePort protocol: TCP - # registries: - # - host: chart.local - # port: 5000 - # secretName: registry-secret - # targetPort: 8081 - # annotations: {} +# registries: +# - host: docker1.nexusrepo.com +# port: 5000 +# secretName: nexusrepo-example-cert-2048 +# targetPort: 5000 # if using subdomains should be container port i.e. 8081 +# annotations: { } +# enableTLS: true +# - host: docker2.nexusrepo.com +# port: 5001 +# secretName: nexusrepo-example-cert-2048 +# targetPort: 5001 # if using subdomains should be container port i.e. 8081 +# annotations: { } +# enableTLS: true +certificate: + apiVersion: cert-manager.io/v1 + enabled: false + issuer: + enabled: false + group: cert-manager.io + kind: ClusterIssuer + name: demo-letsencrypt + spec: + acme: + server: https://certificate-issuer-server-url # e.g. for letsencrypt https://acme-staging-v02.api.letsencrypt.org/directory + email: email@example.com + privateKeySecretRef: + name: letsencrypt-staging + solvers: + - dns01: +# Example for AWS Route53 +# route53: +# region: us-east-1 +# # For AWS IAM Role which gives cert manager needed route 53 permissions. 
+# # This must be the same role specified in certmanager.letsencrypt.dns01Challenge.serviceAccount.annotations +# role: arn:aws:iam::111111111:role/cert-manager-acme-dns01 +# auth: +# kubernetes: +# serviceAccountRef: +# # The name of the K8 service account to use to gain needed permissions for the dns01 challenge +# # This must be the same service account specified in certmanager.letsencrypt.dns01Challenge.serviceAccount.name +# name: cert-manager-acme-dns01 +# Example for Azure DNS +# azureDNS: +# resourceGroupName: my-resource-group # your_own_resource_group_name which contains your DNS zone +# subscriptionID: abcd1111-v511-1111-11ab-i111111yt111 +# hostedZoneName: nexusrepo.com +# environment: AzurePublicCloud +# managedIdentity: +# clientID: 11111111-1111-1111-1111-111111111111 + nexus: + enabled: false + name: "nexusrepo-cert" + commonName: "www.nexusrepo.com" + duration: 2160h0m0s # 90 days + renewBefore: 360h0m0s # 15 days + secretName: nexusrepo-example-cert-2048 # The name of the secret to store the certificate. Use this same name for the ingress tls.secretName to secure the ingress with this certificate + revisionHistoryLimit: 1 + secretTemplate: null + privateKey: + enabled: false + algorithm: null # e.g. "RSA" + encoding: null # e.g "PKCS1" + size: null # e.g. 2048 + rotationPolicy: "Always" + keystores: null + usages: + - digital signature + - key encipherment + - server auth + subject: null + dnsNames: + - www.nexusrepo.com + - nexusrepo.com + - dockerrepo1.nexusrepo.com + - dockerrepo2.nexusrepo.com + - dockerrepo3.nexusrepo.com + otherNames: null + ipAddresses: null + emailAddresses: null + uris: null + isCa: false # Enable configmap and add arbitrary data in configmap config: diff --git a/sample-aws-ha-yamls/aws-ha-external-dns-rbac.yaml b/sample-aws-ha-yamls/aws-ha-external-dns-rbac.yaml index 1fe1ab2..e45c954 100644 --- a/sample-aws-ha-yamls/aws-ha-external-dns-rbac.yaml +++ b/sample-aws-ha-yamls/aws-ha-external-dns-rbac.yaml 
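Review bot: `solvers:` contains a live `- dns01:` entry whose entire body is commented out, so as soon as `certificate.issuer.enabled` is set to true the rendered issuer spec carries `solvers: [{dns01: null}]`; cert-manager presumably rejects a dns01 solver with no provider, and the README row in this diff documents the default as `[]`. Make the example fully commented (`# - dns01:` included) and set `solvers: []` so values and README agree. `privateKey.rotationPolicy: "Always"` is the right default — cert-manager generates a fresh private key on each issuance instead of reusing the old one — and the comment should say so; likewise `size: null` should note that the key size then falls to cert-manager's own default.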
@@ -68,7 +68,7 @@ spec: serviceAccountName: external-dns containers: - name: external-dns - image: k8s.gcr.io/external-dns/external-dns:v0.11.0 + image: k8s.gcr.io/external-dns/external-dns:v0.13.1 args: - --source=service - --source=ingress