feat(nexus3): Updated init container spec
Signed-off-by: Steve Hipwell <steve.hipwell@gmail.com>
stevehipwell committed Jan 3, 2024
1 parent 5e0f0f1 commit 03f75cd
Showing 10 changed files with 267 additions and 123 deletions.
8 changes: 8 additions & 0 deletions charts/nexus3/CHANGELOG.md
Expand Up @@ -24,6 +24,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

- Added `highAvailability.enabled` & `highAvailability.replicas` values to enable configuring high availability when running _Nexus3_ as a `StatefulSet`.
- Added `license.enabled`, `license.secret` & `license.key` to configure the licence.
- Added `bashImage` & `jdkImage` values to allow configuring the init container images.
- Added init container security contexts.

### Changed

- Updated the defaults for `podSecurityContext` to be more secure.
- Changed the default `fsGroup` to `65534`.
- Updated the `securityContext` to be more secure.

## [v4.37.0] - 2023-12-06

8 changes: 7 additions & 1 deletion charts/nexus3/README.md
Expand Up @@ -21,7 +21,7 @@ helm upgrade --install --namespace default --values ./my-values.yaml my-release
The following table lists the configurable parameters of the _Nexus 3_ chart and their default values.

| Parameter | Description | Default |
|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------|
| ----------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------ |
| `image.repository` | Image repository. | `sonatype/nexus3` |
| `image.tag` | Image tag. | `.Chart.AppVersion` |
| `image.pullPolicy` | Image pull policy. | `IfNotPresent` |
Expand Down Expand Up @@ -68,6 +68,12 @@ The following table lists the configurable parameters of the _Nexus 3_ chart and
| `persistence.size` | Size of PVC to create. | `8Gi` |
| `extraVolumeMounts` | Additional volume mounts for the _nexus3_ container. | `[]` |
| `resources` | Resource requests and limits for the _nexus3_ container. | `{}` |
| `bashImage.repository` | Repository for the Bash image. | `cgr.dev/chainguard/bash` |
| `bashImage.tag` | Tag for the Bash image. | `latest` |
| `bashImage.pullPolicy` | Pull policy for the Bash image. | `IfNotPresent` |
| `jdkImage.repository` | Repository for the JDK image. | `cgr.dev/chainguard/jdk-lts` |
| `jdkImage.tag` | Tag for the JDK image. | `latest-dev` |
| `jdkImage.pullPolicy` | Pull policy for the JDK image. | `IfNotPresent` |
| `chownDataDir` | If the `chown` init container should be used. | `true` |
| `extraInitContainers` | Additional init containers for the pod. | `[]` |
| `extraVolumes` | Additional volumes. | `[]` |
4 changes: 4 additions & 0 deletions charts/nexus3/ci/ci-values.yaml
@@ -1,9 +1,13 @@
deployment: false

metrics:
enabled: true

persistence:
enabled: true

chownDataDir: true

caCerts:
enabled: true
secret: nexus3-cas
2 changes: 2 additions & 0 deletions charts/nexus3/ci/kubeconform.yaml
@@ -1,3 +1,5 @@
deployment: false

commonLabels:
common-label: test

46 changes: 23 additions & 23 deletions charts/nexus3/templates/configmap-config.yaml
@@ -1,5 +1,5 @@
{{- if .Values.config.enabled -}}
{{ $root := . }}
{{- $root := . }}
apiVersion: v1
kind: ConfigMap
metadata:
Expand All @@ -8,50 +8,50 @@ metadata:
labels:
{{- include "nexus3.labels" . | nindent 4 }}
data:
{{- range $path, $bytes := .Files.Glob "files/*" }}
{{- range $path, $bytes := .Files.Glob "files/*" }}
{{ $path | base }}: |
{{- $root.Files.Get $path | nindent 4 }}
{{- end }}
{{- end }}
anonymous.json: |
{"enabled":{{ .Values.config.anonymous.enabled }}}
{{- if .Values.config.realms.enabled }}
{{- if .Values.config.realms.enabled }}
realms.json: |
{{- .Values.config.realms.values | toJson | nindent 4 }}
{{- end }}
{{- end }}
nx-metrics-role.json: |
{"id":"nx-metrics","source":"default","name":"nx-metrics","description":"Metrics Role","privileges":["nx-metrics-all"],"roles":[]}
{{- range .Values.config.roles }}
{{- range .Values.config.roles }}
{{ .id }}-role.json: |
{{- . | toJson | nindent 4 }}
{{- end }}
{{- if .Values.config.anonymous.enabled }}
{{- end }}
{{- if .Values.config.anonymous.enabled }}
anonymous-user.json: |
{"userId":"anonymous","firstName":"Anonymous","lastName":"User","emailAddress":"anonymous@example.org","source":"default","status":"active","roles":{{ .Values.config.anonymous.roles | toJson }},"externalRoles":[]}
{{- end }}
{{- range .Values.config.users }}
{{- end }}
{{- range .Values.config.users }}
{{ .userId }}-user.json: |
{{- . | toJson | nindent 4 }}
{{- end }}
{{- if .Values.config.ldap.enabled }}
{{- end }}
{{- if .Values.config.ldap.enabled }}
ldap.json: |
{{- with omit .Values.config.ldap "enabled" "authPassword" }}
{{- with omit .Values.config.ldap "enabled" "authPassword" }}
{{- set . "authPassword" "PASSWORD" | toJson | nindent 4 }}
{{- end }}
{{- end }}
{{- range $index, $blobStore := .Values.config.blobStores }}
{{- end }}
{{- end }}
{{- range $index, $blobStore := .Values.config.blobStores }}
{{ $index | add 1000 | toString | substr 1 -1 }}-blobstore.json: |
{{- $blobStore | toJson | nindent 4 }}
{{- end }}
{{- range $index, $cleanup := .Values.config.cleanup }}
{{- end }}
{{- range $index, $cleanup := .Values.config.cleanup }}
{{ $index | add 1000 | toString | substr 1 -1 }}-cleanup.json: |
{{- $cleanup | toJson | nindent 4 }}
{{- end }}
{{- range $index, $repo := .Values.config.repos }}
{{- end }}
{{- range $index, $repo := .Values.config.repos }}
{{ $index | add 1000 | toString | substr 1 -1 }}-repo.json: |
{{- $repo | toJson | nindent 4 }}
{{- end }}
{{- range $index, $task := .Values.config.tasks }}
{{- end }}
{{- range $index, $task := .Values.config.tasks }}
{{ $index | add 1000 | toString | substr 1 -1 }}-task.json: |
{{- $task | toJson | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}
12 changes: 6 additions & 6 deletions charts/nexus3/templates/configmap-properties.yaml
Expand Up @@ -7,12 +7,12 @@ metadata:
{{- include "nexus3.labels" . | nindent 4 }}
data:
nexus.properties: |
{{- if .Values.license.enabled }}
{{- if .Values.license.enabled }}
nexus.licenseFile=/nexus-data/etc/nexus.license
{{- end }}
{{- if and (not .Values.deployment) .Values.highAvailability.enabled }}
{{- end }}
{{- if and (not .Values.deployment) .Values.highAvailability.enabled }}
nexus.datastore.clustered.enabled=true
{{- end }}
{{- range .Values.properties }}
{{- end }}
{{- range .Values.properties }}
{{ . }}
{{- end }}
{{- end }}
34 changes: 34 additions & 0 deletions charts/nexus3/templates/configmap-scripts.yaml
@@ -0,0 +1,34 @@
{{- if or .Values.caCerts.enabled .Values.plugins .Values.chownDataDir -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "nexus3.fullname" . }}-scripts
namespace: {{ .Release.Namespace }}
labels:
{{- include "nexus3.labels" . | nindent 4 }}
data:
import-ca-certs.sh: |
#!/usr/bin/env bash
set -euo pipefail
mkdir -p /nexus-data/keystores
cp -f "${JAVA_HOME}/jre/lib/security/cacerts" /nexus-data/keystores/cacerts
for f in /nexus-data/secrets/cas/*
do
keytool -importcert -file "${f}" -alias "$(basename "${f}")" -keystore /nexus-data/keystores/cacerts -storepass changeit -trustcacerts -noprompt
done
download-plugins.sh: |
#!/usr/bin/env bash
set -euo pipefail
{{- range .Values.plugins }}
curl -sSLo /deploy/{{ .name }}.kar {{ .url }}
{{- end }}
chown-data-dir.sh: |
#!/usr/bin/env bash
set -euo pipefail
mkdir -p /nexus-data/etc
chown -R {{ .Values.podSecurityContext.fsGroup }}:{{ .Values.podSecurityContext.fsGroup }} /nexus-data;
{{- end }}
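Review bot: `cp -f "${JAVA_HOME}/jre/lib/security/cacerts"` in `import-ca-certs.sh` keeps the JDK 8 layout of the old `adoptopenjdk:8-jdk-hotspot` image, but `deployment.yaml` now runs this script on `jdkImage` (default `cgr.dev/chainguard/jdk-lts`); JDK 9 and later ship no `jre/` directory, so if that image is JDK 11 or newer the copy fails under `set -euo pipefail` and the init container crash-loops — the path would then be `"${JAVA_HOME}/lib/security/cacerts"`. In `download-plugins.sh`, `curl -sSLo` without `-f`/`--fail` writes an HTTP error body into `/deploy/<name>.kar` and still exits 0, so a bad `url` only surfaces later as a plugin load failure; `curl -fsSLo /deploy/{{ .name }}.kar "{{ .url }}"` fails fast and quotes the value. Nothing checks what was downloaded, so an optional per-plugin `sha256` value verified with `sha256sum -c` before the file is left in `/deploy` would make the plugin fetch tamper-evident. The `for f in /nexus-data/secrets/cas/*` loop passes the literal glob to `keytool` when the secret has no keys; `shopt -s nullglob` before the loop avoids that. `chown-data-dir.sh` renders `{{ .Values.podSecurityContext.fsGroup }}` unguarded, so a `podSecurityContext` override without `fsGroup` produces `chown -R : /nexus-data`; `{{ required "podSecurityContext.fsGroup is required when chownDataDir is true" .Values.podSecurityContext.fsGroup }}` makes the dependency explicit at render time.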
121 changes: 78 additions & 43 deletions charts/nexus3/templates/deployment.yaml
Expand Up @@ -44,51 +44,80 @@ spec:
{{- if or .Values.caCerts.enabled .Values.plugins .Values.extraInitContainers .Values.chownDataDir }}
initContainers:
{{- if .Values.caCerts.enabled }}
- name: ca-certs
image: adoptopenjdk:8-jdk-hotspot
- name: import-ca-certs
image: {{ printf "%s:%s" .Values.jdkImage.repository .Values.jdkImage.tag }}
imagePullPolicy: {{ .Values.jdkImage.pullPolicy }}
securityContext:
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: false
runAsUser: 0
runAsGroup: 0
{{- with .Values.env }}
env:
{{- toYaml . | nindent 12 }}
{{- end }}
command: ["/bin/sh"]
args: ["-c", "mkdir -p /nexus-data/keystores; cp -f \"${JAVA_HOME}/jre/lib/security/cacerts\" /nexus-data/keystores/cacerts; for f in /nexus-data/secrets/cas/*; do keytool -importcert -file \"${f}\" -alias \"$(basename \"${f}\")\" -keystore /nexus-data/keystores/cacerts -storepass changeit -trustcacerts -noprompt; done;"]
command: ["/bin/bash", "-c"]
args: ["/scripts/import-ca-certs.sh"]
volumeMounts:
- mountPath: /scripts/import-ca-certs.sh
name: scripts
subPath: import-ca-certs.sh
- mountPath: /nexus-data
name: {{ include "nexus3.pvcname" . }}
- mountPath: /nexus-data/secrets/cas
name: nexus3-cas
name: ca-certs
{{- end }}
{{- if .Values.plugins }}
- name: download-plugins
image: alpine:3
image: {{ printf "%s:%s" .Values.bashImage.repository .Values.bashImage.tag }}
imagePullPolicy: {{ .Values.bashImage.pullPolicy }}
securityContext:
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 65532
runAsGroup: 65532
capabilities:
drop:
- ALL
{{- with .Values.env }}
env:
{{- toYaml . | nindent 12 }}
{{- end }}
command: ["/bin/sh"]
args:
- -c
- |
{{- range .Values.plugins }}
wget -O /deploy/{{ .name }}.kar {{ .url }}
{{- end }}
args: ["/scripts/download-plugins.sh"]
volumeMounts:
- mountPath: /scripts/download-plugins.sh
name: scripts
subPath: download-plugins.sh
- mountPath: /deploy
name: nexus-deploy
name: deploy
{{- end }}
{{- with .Values.extraInitContainers }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.chownDataDir }}
- name: volume-mount
image: alpine:3
- name: chown-data-dir
image: {{ printf "%s:%s" .Values.bashImage.repository .Values.bashImage.tag }}
imagePullPolicy: {{ .Values.bashImage.pullPolicy }}
securityContext:
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: false
runAsUser: 0
runAsGroup: 0
{{- with .Values.env }}
env:
{{- toYaml . | nindent 12 }}
{{- end }}
command: ["/bin/sh"]
args: ["-c", "mkdir -p /nexus-data/etc; chown -R 200:200 /nexus-data;"]
args: ["/scripts/chown-data-dir.sh"]
volumeMounts:
- mountPath: /scripts/chown-data-dir.sh
name: scripts
subPath: chown-data-dir.sh
- mountPath: /nexus-data
name: {{ include "nexus3.pvcname" . }}
{{- end }}
Expand Down Expand Up @@ -144,30 +173,28 @@ spec:
- mountPath: /nexus-data
name: {{ include "nexus3.pvcname" . }}
- mountPath: /opt/sonatype/nexus/etc/logback
name: {{ include "nexus3.fullname" . }}-logback
readOnly: true
name: logback
- mountPath: /nexus-data/etc/nexus.properties
name: {{ include "nexus3.fullname" . }}-properties
name: properties
subPath: nexus.properties
readOnly: true
- name: tmp
mountPath: /tmp
readOnly: false
{{- if .Values.plugins }}
- mountPath: /opt/sonatype/nexus/deploy
name: nexus-deploy
name: deploy
{{- end }}
{{- if and .Values.config.enabled (or .Values.rootPassword.secret .Values.config.rootPassword.secret) }}
- mountPath: /opt/sonatype/nexus/conf
name: {{ include "nexus3.fullname" . }}-conf
readOnly: true
name: config
{{- if .Values.config.ldap.enabled }}
- mountPath: /opt/sonatype/nexus/secret/ldap.password
name: {{ .Values.config.ldap.authPassword.secret }}
name: ldap-password
subPath: {{ .Values.config.ldap.authPassword.key }}
readOnly: true
{{- end }}
{{- if .Values.config.repoCredentials.enabled }}
- mountPath: /opt/sonatype/nexus/secret/repo-credentials
name: {{ .Values.config.repoCredentials.secret }}
readOnly: true
name: repo-credentials
{{- end }}
{{- end }}
{{- with .Values.extraVolumeMounts }}
Expand All @@ -178,42 +205,50 @@ spec:
{{- toYaml . | nindent 12 }}
{{- end }}
volumes:
- name: logback
configMap:
name: {{ include "nexus3.fullname" . }}-logback
defaultMode: 0440
- name: properties
configMap:
name: {{ include "nexus3.fullname" . }}-properties
defaultMode: 0440
- name: tmp
emptyDir: {}
- name: {{ include "nexus3.pvcname" . }}
{{- if .Values.persistence.enabled }}
persistentVolumeClaim:
claimName: {{ .Values.persistence.existingClaim | default (include "nexus3.pvcname" .) }}
{{- else }}
emptyDir: {}
{{- end }}
{{- if or .Values.caCerts.enabled .Values.plugins .Values.chownDataDir }}
- name: scripts
configMap:
name: {{ include "nexus3.fullname" . }}-scripts
defaultMode: 0550
{{- end }}
{{- if .Values.caCerts.enabled }}
- name: nexus3-cas
- name: ca-certs
secret:
secretName: {{ .Values.caCerts.secret }}
{{- end }}
- name: {{ include "nexus3.fullname" . }}-logback
configMap:
name: {{ include "nexus3.fullname" . }}-logback
defaultMode: 0755
- name: {{ include "nexus3.fullname" . }}-properties
configMap:
name: {{ include "nexus3.fullname" . }}-properties
defaultMode: 0755
{{- if .Values.plugins }}
- name: nexus-deploy
- name: deploy
emptyDir: {}
{{- end }}
{{- if and .Values.config.enabled (or .Values.rootPassword.secret .Values.config.rootPassword.secret) }}
- name: {{ include "nexus3.fullname" . }}-conf
- name: config
configMap:
name: {{ include "nexus3.fullname" . }}-conf
defaultMode: 0755
defaultMode: 0550
{{- if and .Values.config.ldap.enabled }}
- name: {{ .Values.config.ldap.authPassword.secret }}
- name: ldap-password
secret:
secretName: {{ .Values.config.ldap.authPassword.secret }}
{{- end }}
{{- if .Values.config.repoCredentials.enabled }}
- name: {{ .Values.config.repoCredentials.secret }}
- name: repo-credentials
secret:
secretName: {{ .Values.config.repoCredentials.secret }}
{{- end }}
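Review bot: The two init containers that still run as root, `import-ca-certs` and `chown-data-dir`, get `runAsUser: 0` with no `capabilities` block, while `download-plugins` drops `ALL`; root with the full default capability set is more than either script needs. `chown -R` needs at most `CHOWN`, `FOWNER` and `DAC_OVERRIDE` (the last to descend into directories already owned by the application UID), so `capabilities: {drop: [ALL], add: [CHOWN, FOWNER, DAC_OVERRIDE]}` on `chown-data-dir`, and `drop: [ALL]` plus at most `DAC_OVERRIDE` on `import-ca-certs`, would keep the least-privilege intent of this change; confirm against the storage driver in use, since some set volume ownership themselves. In the second hunk, `download-plugins` runs as UID 65532 but reads the `scripts` volume at `defaultMode: 0550`, so it can execute the script only because `fsGroup` is applied as a supplementary group and kubelet re-groups the ConfigMap files; if a user clears `podSecurityContext.fsGroup` the script becomes unreadable — `defaultMode: 0555` on `scripts` removes that coupling. The enclosing `spec` starts before the first hunk and the `volumes` list continues after the last.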