diff --git a/charts/nexus3/CHANGELOG.md b/charts/nexus3/CHANGELOG.md index e2dbe07f..3bbb4890 100644 --- a/charts/nexus3/CHANGELOG.md +++ b/charts/nexus3/CHANGELOG.md @@ -24,6 +24,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Added `highAvailability.enabled` & `highAvailability.replicas` values to enable configuring high availability when running _Nexus3_ as a `StatefulSet`. - Added `license.enabled`, `license.secret` & `license.key` to configure the licence. +- Added `bashImage` & `jdkImage` values to allow configuring the init container images. +- Added init container security contexts. + +### Changed + +- Updated the defaults for `podSecurityContext` to be more secure. +- Changed the default `fsGroup` to `65534`. +- Updated the `securityContext` to be more secure. ## [v4.37.0] - 2023-12-06 diff --git a/charts/nexus3/README.md b/charts/nexus3/README.md index fa8104ab..044b1c83 100644 --- a/charts/nexus3/README.md +++ b/charts/nexus3/README.md @@ -21,7 +21,7 @@ helm upgrade --install --namespace default --values ./my-values.yaml my-release The following table lists the configurable parameters of the _Nexus 3_ chart and their default values. | Parameter | Description | Default | -|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------| +| ----------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------ | | `image.repository` | Image repository. | `sonatype/nexus3` | | `image.tag` | Image tag. | `.Chart.AppVersion` | | `image.pullPolicy` | Image pull policy. | `IfNotPresent` | 
@@ -68,6 +68,12 @@ The following table lists the configurable parameters of the _Nexus 3_ chart and | `persistence.size` | Size of PVC to create. | `8Gi` | | `extraVolumeMounts` | Additional volume mounts for the _nexus3_ container. | `[]` | | `resources` | Resource requests and limits for the _nexus3_ container. | `{}` | +| `bashImage.repository` | Repository for the Bash image. | `cgr.dev/chainguard/bash` | +| `bashImage.tag` | Tag for the Bash image. | `latest` | +| `bashImage.pullPolicy` | Pull policy for the Bash image. | `IfNotPresent` | +| `jdkImage.repository` | Repository for the JDK image. | `cgr.dev/chainguard/jdk-lts` | +| `jdkImage.tag` | Tag for the JDK image. | `latest-dev` | +| `jdkImage.pullPolicy` | Pull policy for the JDK image. | `IfNotPresent` | | `chownDataDir` | If the `chown` init container should be used. | `true` | | `extraInitContainers` | Additional init containers for the pod. | `[]` | | `extraVolumes` | Additional volumes. | `[]` | diff --git a/charts/nexus3/ci/ci-values.yaml b/charts/nexus3/ci/ci-values.yaml index a838061c..e15f9960 100644 --- a/charts/nexus3/ci/ci-values.yaml +++ b/charts/nexus3/ci/ci-values.yaml @@ -1,9 +1,13 @@ +deployment: false + metrics: enabled: true persistence: enabled: true +chownDataDir: true + caCerts: enabled: true secret: nexus3-cas diff --git a/charts/nexus3/ci/kubeconform.yaml b/charts/nexus3/ci/kubeconform.yaml index 5f723c50..d82f52b4 100644 --- a/charts/nexus3/ci/kubeconform.yaml +++ b/charts/nexus3/ci/kubeconform.yaml @@ -1,3 +1,5 @@ +deployment: false + commonLabels: common-label: test diff --git a/charts/nexus3/templates/configmap-config.yaml b/charts/nexus3/templates/configmap-config.yaml index c4aeb57d..387f0631 100644 --- a/charts/nexus3/templates/configmap-config.yaml +++ b/charts/nexus3/templates/configmap-config.yaml @@ -1,5 +1,5 @@ {{- if .Values.config.enabled -}} -{{ $root := . }} +{{- $root := . }} apiVersion: v1 kind: ConfigMap metadata: 
@@ -8,50 +8,50 @@ metadata: labels: {{- include "nexus3.labels" . | nindent 4 }} data: - {{- range $path, $bytes := .Files.Glob "files/*" }} +{{- range $path, $bytes := .Files.Glob "files/*" }} {{ $path | base }}: | {{- $root.Files.Get $path | nindent 4 }} - {{- end }} +{{- end }} anonymous.json: | {"enabled":{{ .Values.config.anonymous.enabled }}} - {{- if .Values.config.realms.enabled }} +{{- if .Values.config.realms.enabled }} realms.json: | {{- .Values.config.realms.values | toJson | nindent 4 }} - {{- end }} +{{- end }} nx-metrics-role.json: | {"id":"nx-metrics","source":"default","name":"nx-metrics","description":"Metrics Role","privileges":["nx-metrics-all"],"roles":[]} - {{- range .Values.config.roles }} +{{- range .Values.config.roles }} {{ .id }}-role.json: | {{- . | toJson | nindent 4 }} - {{- end }} - {{- if .Values.config.anonymous.enabled }} +{{- end }} +{{- if .Values.config.anonymous.enabled }} anonymous-user.json: | {"userId":"anonymous","firstName":"Anonymous","lastName":"User","emailAddress":"anonymous@example.org","source":"default","status":"active","roles":{{ .Values.config.anonymous.roles | toJson }},"externalRoles":[]} - {{- end }} - {{- range .Values.config.users }} +{{- end }} +{{- range .Values.config.users }} {{ .userId }}-user.json: | {{- . | toJson | nindent 4 }} - {{- end }} - {{- if .Values.config.ldap.enabled }} +{{- end }} +{{- if .Values.config.ldap.enabled }} ldap.json: | - {{- with omit .Values.config.ldap "enabled" "authPassword" }} +{{- with omit .Values.config.ldap "enabled" "authPassword" }} {{- set . 
"authPassword" "PASSWORD" | toJson | nindent 4 }} - {{- end }} - {{- end }} - {{- range $index, $blobStore := .Values.config.blobStores }} +{{- end }} +{{- end }} +{{- range $index, $blobStore := .Values.config.blobStores }} {{ $index | add 1000 | toString | substr 1 -1 }}-blobstore.json: | {{- $blobStore | toJson | nindent 4 }} - {{- end }} - {{- range $index, $cleanup := .Values.config.cleanup }} +{{- end }} +{{- range $index, $cleanup := .Values.config.cleanup }} {{ $index | add 1000 | toString | substr 1 -1 }}-cleanup.json: | {{- $cleanup | toJson | nindent 4 }} - {{- end }} - {{- range $index, $repo := .Values.config.repos }} +{{- end }} +{{- range $index, $repo := .Values.config.repos }} {{ $index | add 1000 | toString | substr 1 -1 }}-repo.json: | {{- $repo | toJson | nindent 4 }} - {{- end }} - {{- range $index, $task := .Values.config.tasks }} +{{- end }} +{{- range $index, $task := .Values.config.tasks }} {{ $index | add 1000 | toString | substr 1 -1 }}-task.json: | {{- $task | toJson | nindent 4 }} - {{- end }} +{{- end }} {{- end }} diff --git a/charts/nexus3/templates/configmap-properties.yaml b/charts/nexus3/templates/configmap-properties.yaml index e59a2ea2..5f00902b 100644 --- a/charts/nexus3/templates/configmap-properties.yaml +++ b/charts/nexus3/templates/configmap-properties.yaml @@ -7,12 +7,12 @@ metadata: {{- include "nexus3.labels" . | nindent 4 }} data: nexus.properties: | - {{- if .Values.license.enabled }} +{{- if .Values.license.enabled }} nexus.licenseFile=/nexus-data/etc/nexus.license - {{- end }} - {{- if and (not .Values.deployment) .Values.highAvailability.enabled }} +{{- end }} +{{- if and (not .Values.deployment) .Values.highAvailability.enabled }} nexus.datastore.clustered.enabled=true - {{- end }} - {{- range .Values.properties }} +{{- end }} +{{- range .Values.properties }} {{ . }} - {{- end }} +{{- end }} 
diff --git a/charts/nexus3/templates/configmap-scripts.yaml b/charts/nexus3/templates/configmap-scripts.yaml new file mode 100644 index 00000000..49346349 --- /dev/null +++ b/charts/nexus3/templates/configmap-scripts.yaml @@ -0,0 +1,34 @@ +{{- if or .Values.caCerts.enabled .Values.plugins .Values.chownDataDir -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "nexus3.fullname" . }}-scripts + namespace: {{ .Release.Namespace }} + labels: + {{- include "nexus3.labels" . | nindent 4 }} +data: + import-ca-certs.sh: | + #!/usr/bin/env bash + set -euo pipefail + + mkdir -p /nexus-data/keystores + cp -f "${JAVA_HOME}/jre/lib/security/cacerts" /nexus-data/keystores/cacerts + + for f in /nexus-data/secrets/cas/* + do + keytool -importcert -file "${f}" -alias "$(basename "${f}")" -keystore /nexus-data/keystores/cacerts -storepass changeit -trustcacerts -noprompt + done + download-plugins.sh: | + #!/usr/bin/env bash + set -euo pipefail + +{{- range .Values.plugins }} + curl -sSLo /deploy/{{ .name }}.kar {{ .url }} +{{- end }} + chown-data-dir.sh: | + #!/usr/bin/env bash + set -euo pipefail + + mkdir -p /nexus-data/etc + chown -R {{ .Values.podSecurityContext.fsGroup }}:{{ .Values.podSecurityContext.fsGroup }} /nexus-data; +{{- end }} diff --git a/charts/nexus3/templates/deployment.yaml b/charts/nexus3/templates/deployment.yaml index 0fbfd1e2..a7c680ca 100644 --- a/charts/nexus3/templates/deployment.yaml +++ b/charts/nexus3/templates/deployment.yaml 
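Review bot: `import-ca-certs.sh` keeps the Java 8 truststore path `${JAVA_HOME}/jre/lib/security/cacerts`, but the init container that runs it now defaults to `cgr.dev/chainguard/jdk-lts` (values.yaml in this diff), and a Java 11+ layout has no `jre` directory — the file is at `${JAVA_HOME}/lib/security/cacerts` — so the `cp -f` would abort the script under `set -euo pipefail` unless the image is confirmed to ship the old path. `chown-data-dir.sh` derives both owner and group from `podSecurityContext.fsGroup`, whereas the Nexus process runs as `securityContext.runAsUser`; if the two values are ever changed independently the data directory ends up owned by a uid the process does not have, so take the owner from the user id: `chown -R {{ .Values.securityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }} /nexus-data`. In `download-plugins.sh` the templated `{{ .name }}` and `{{ .url }}` are interpolated unquoted into the shell line, so a URL containing `&`, `;` or whitespace is parsed as shell syntax rather than passed to curl; quote both operands, `curl -sSLo "/deploy/{{ .name }}.kar" "{{ .url }}"`.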
@@ -44,51 +44,80 @@ spec: {{- if or .Values.caCerts.enabled .Values.plugins .Values.extraInitContainers .Values.chownDataDir }} initContainers: {{- if .Values.caCerts.enabled }} - - name: ca-certs - image: adoptopenjdk:8-jdk-hotspot + - name: import-ca-certs + image: {{ printf "%s:%s" .Values.jdkImage.repository .Values.jdkImage.tag }} + imagePullPolicy: {{ .Values.jdkImage.pullPolicy }} + securityContext: + privileged: false + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: false + runAsUser: 0 + runAsGroup: 0 {{- with .Values.env }} env: {{- toYaml . | nindent 12 }} {{- end }} - command: ["/bin/sh"] - args: ["-c", "mkdir -p /nexus-data/keystores; cp -f \"${JAVA_HOME}/jre/lib/security/cacerts\" /nexus-data/keystores/cacerts; for f in /nexus-data/secrets/cas/*; do keytool -importcert -file \"${f}\" -alias \"$(basename \"${f}\")\" -keystore /nexus-data/keystores/cacerts -storepass changeit -trustcacerts -noprompt; done;"] + command: ["/bin/bash", "-c"] + args: ["/scripts/import-ca-certs.sh"] volumeMounts: + - mountPath: /scripts/import-ca-certs.sh + name: scripts + subPath: import-ca-certs.sh - mountPath: /nexus-data name: {{ include "nexus3.pvcname" . }} - mountPath: /nexus-data/secrets/cas - name: nexus3-cas + name: ca-certs {{- end }} {{- if .Values.plugins }} - name: download-plugins - image: alpine:3 + image: {{ printf "%s:%s" .Values.bashImage.repository .Values.bashImage.tag }} + imagePullPolicy: {{ .Values.bashImage.pullPolicy }} + securityContext: + privileged: false + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65532 + runAsGroup: 65532 + capabilities: + drop: + - ALL {{- with .Values.env }} env: {{- toYaml . 
| nindent 12 }} {{- end }} - command: ["/bin/sh"] - args: - - -c - - | - {{- range .Values.plugins }} - wget -O /deploy/{{ .name }}.kar {{ .url }} - {{- end }} + args: ["/scripts/download-plugins.sh"] volumeMounts: + - mountPath: /scripts/download-plugins.sh + name: scripts + subPath: download-plugins.sh - mountPath: /deploy - name: nexus-deploy + name: deploy {{- end }} {{- with .Values.extraInitContainers }} {{- toYaml . | nindent 8 }} {{- end }} {{- if .Values.chownDataDir }} - - name: volume-mount - image: alpine:3 + - name: chown-data-dir + image: {{ printf "%s:%s" .Values.bashImage.repository .Values.bashImage.tag }} + imagePullPolicy: {{ .Values.bashImage.pullPolicy }} + securityContext: + privileged: false + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: false + runAsUser: 0 + runAsGroup: 0 {{- with .Values.env }} env: {{- toYaml . | nindent 12 }} {{- end }} - command: ["/bin/sh"] - args: ["-c", "mkdir -p /nexus-data/etc; chown -R 200:200 /nexus-data;"] + args: ["/scripts/chown-data-dir.sh"] volumeMounts: + - mountPath: /scripts/chown-data-dir.sh + name: scripts + subPath: chown-data-dir.sh - mountPath: /nexus-data name: {{ include "nexus3.pvcname" . }} {{- end }} 
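Review bot: The two root init containers `import-ca-certs` and `chown-data-dir` get `runAsUser: 0` with no `capabilities.drop`, while `download-plugins` drops `ALL`; a uid-0 container with the full default capability set is the weakest point in the new security contexts. `import-ca-certs` only copies and writes files on the mounted volume and can take `capabilities: {drop: [ALL]}` as well; `chown-data-dir` needs `CAP_CHOWN` to reassign ownership (and probably `CAP_DAC_OVERRIDE` to traverse subdirectories it does not own), so `capabilities: {drop: [ALL], add: [CHOWN, DAC_OVERRIDE]}` should keep it working — confirm against the image before merging. Separately, `command` was removed for the two bash-image containers while `import-ca-certs` sets `command: ["/bin/bash", "-c"]` explicitly; passing only `args: ["/scripts/download-plugins.sh"]` works only as long as `cgr.dev/chainguard/bash` keeps `bash` as its entrypoint, so setting `command` uniformly on all three would make the chart independent of image defaults. The same applies to the matching hunk in `templates/statefulset.yaml` (`@@ -47,51 +47,80 @@`).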
@@ -144,30 +173,28 @@ spec: - mountPath: /nexus-data name: {{ include "nexus3.pvcname" . }} - mountPath: /opt/sonatype/nexus/etc/logback - name: {{ include "nexus3.fullname" . }}-logback - readOnly: true + name: logback - mountPath: /nexus-data/etc/nexus.properties - name: {{ include "nexus3.fullname" . }}-properties + name: properties subPath: nexus.properties - readOnly: true + - name: tmp + mountPath: /tmp + readOnly: false {{- if .Values.plugins }} - mountPath: /opt/sonatype/nexus/deploy - name: nexus-deploy + name: deploy {{- end }} {{- if and .Values.config.enabled (or .Values.rootPassword.secret .Values.config.rootPassword.secret) }} - mountPath: /opt/sonatype/nexus/conf - name: {{ include "nexus3.fullname" . }}-conf - readOnly: true + name: config {{- if .Values.config.ldap.enabled }} - mountPath: /opt/sonatype/nexus/secret/ldap.password - name: {{ .Values.config.ldap.authPassword.secret }} + name: ldap-password subPath: {{ .Values.config.ldap.authPassword.key }} - readOnly: true {{- end }} {{- if .Values.config.repoCredentials.enabled }} - mountPath: /opt/sonatype/nexus/secret/repo-credentials - name: {{ .Values.config.repoCredentials.secret }} - readOnly: true + name: repo-credentials {{- end }} {{- end }} {{- with .Values.extraVolumeMounts }} @@ -178,6 +205,16 @@ spec: {{- toYaml . | nindent 12 }} {{- end }} volumes: + - name: logback + configMap: + name: {{ include "nexus3.fullname" . }}-logback + defaultMode: 0440 + - name: properties + configMap: + name: {{ include "nexus3.fullname" . }}-properties + defaultMode: 0440 + - name: tmp + emptyDir: {} - name: {{ include "nexus3.pvcname" . }} {{- if .Values.persistence.enabled }} persistentVolumeClaim: 
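Review bot: The nexus container's mounts for `logback`, `properties`, `config`, `ldap-password` and `repo-credentials` lose their `readOnly: true` in this hunk; ConfigMap and Secret volumes are already mounted read-only by recent kubelets, but the explicit flag is what admission policies and readers rely on, and dropping it inside a hardening commit reads as a regression. Keep `readOnly: true` on each of those mounts (the new `tmp` emptyDir is correctly left writable, since `readOnlyRootFilesystem: true` is now the default for the container). The same removal appears in `templates/statefulset.yaml` (`@@ -147,12 +176,13 @@` and `@@ -161,22 +191,19 @@`).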
@@ -185,35 +222,33 @@ spec: {{- else }} emptyDir: {} {{- end }} + {{- if or .Values.caCerts.enabled .Values.plugins .Values.chownDataDir }} + - name: scripts + configMap: + name: {{ include "nexus3.fullname" . }}-scripts + defaultMode: 0550 + {{- end }} {{- if .Values.caCerts.enabled }} - - name: nexus3-cas + - name: ca-certs secret: secretName: {{ .Values.caCerts.secret }} {{- end }} - - name: {{ include "nexus3.fullname" . }}-logback - configMap: - name: {{ include "nexus3.fullname" . }}-logback - defaultMode: 0755 - - name: {{ include "nexus3.fullname" . }}-properties - configMap: - name: {{ include "nexus3.fullname" . }}-properties - defaultMode: 0755 {{- if .Values.plugins }} - - name: nexus-deploy + - name: deploy emptyDir: {} {{- end }} {{- if and .Values.config.enabled (or .Values.rootPassword.secret .Values.config.rootPassword.secret) }} - - name: {{ include "nexus3.fullname" . }}-conf + - name: config configMap: name: {{ include "nexus3.fullname" . }}-conf - defaultMode: 0755 + defaultMode: 0550 {{- if and .Values.config.ldap.enabled }} - - name: {{ .Values.config.ldap.authPassword.secret }} + - name: ldap-password secret: secretName: {{ .Values.config.ldap.authPassword.secret }} {{- end }} {{- if .Values.config.repoCredentials.enabled }} - - name: {{ .Values.config.repoCredentials.secret }} + - name: repo-credentials secret: secretName: {{ .Values.config.repoCredentials.secret }} {{- end }} diff --git a/charts/nexus3/templates/statefulset.yaml b/charts/nexus3/templates/statefulset.yaml index 02bb4749..befb9ed4 100644 --- a/charts/nexus3/templates/statefulset.yaml +++ b/charts/nexus3/templates/statefulset.yaml 
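Review bot: The `scripts` and `config` ConfigMap volumes get `defaultMode: 0550`/`0550` here, but the Secret volumes `ca-certs`, `ldap-password` and `repo-credentials` keep the kubelet default mode `0644`, so the LDAP bind password and repository credentials remain readable by any uid in the pod while ordinary configuration is tightened; add `defaultMode: 0440` under each of those `secret:` blocks (the credentials are only read by the nexus container, which runs as uid/gid 200 with `fsGroup: 200`, and `ca-certs` by a root init container, so group/owner read is sufficient). The same gap is in `templates/statefulset.yaml` (`@@ -196,35 +233,33 @@`), which additionally leaves the `license` Secret volume at the default mode.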
@@ -47,51 +47,80 @@ spec: {{- if or .Values.caCerts.enabled .Values.plugins .Values.extraInitContainers .Values.chownDataDir }} initContainers: {{- if .Values.caCerts.enabled }} - - name: ca-certs - image: adoptopenjdk:8-jdk-hotspot + - name: import-ca-certs + image: {{ printf "%s:%s" .Values.jdkImage.repository .Values.jdkImage.tag }} + imagePullPolicy: {{ .Values.jdkImage.pullPolicy }} + securityContext: + privileged: false + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: false + runAsUser: 0 + runAsGroup: 0 {{- with .Values.env }} env: {{- toYaml . | nindent 12 }} {{- end }} - command: ["/bin/sh"] - args: ["-c", "mkdir -p /nexus-data/keystores; cp -f \"${JAVA_HOME}/jre/lib/security/cacerts\" /nexus-data/keystores/cacerts; for f in /nexus-data/secrets/cas/*; do keytool -importcert -file \"${f}\" -alias \"$(basename \"${f}\")\" -keystore /nexus-data/keystores/cacerts -storepass changeit -trustcacerts -noprompt; done;"] + command: ["/bin/bash", "-c"] + args: ["/scripts/import-ca-certs.sh"] volumeMounts: + - mountPath: /scripts/import-ca-certs.sh + name: scripts + subPath: import-ca-certs.sh - mountPath: /nexus-data name: {{ include "nexus3.pvcname" . }} - mountPath: /nexus-data/secrets/cas - name: nexus3-cas + name: ca-certs {{- end }} {{- if .Values.plugins }} - name: download-plugins - image: alpine:3 + image: {{ printf "%s:%s" .Values.bashImage.repository .Values.bashImage.tag }} + imagePullPolicy: {{ .Values.bashImage.pullPolicy }} + securityContext: + privileged: false + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65532 + runAsGroup: 65532 + capabilities: + drop: + - ALL {{- with .Values.env }} env: {{- toYaml . 
| nindent 12 }} {{- end }} - command: ["/bin/sh"] - args: - - -c - - | - {{- range .Values.plugins }} - wget -O /deploy/{{ .name }}.kar {{ .url }} - {{- end }} + args: ["/scripts/download-plugins.sh"] volumeMounts: + - mountPath: /scripts/download-plugins.sh + name: scripts + subPath: download-plugins.sh - mountPath: /deploy - name: nexus-deploy + name: deploy {{- end }} {{- with .Values.extraInitContainers }} {{- toYaml . | nindent 8 }} {{- end }} {{- if .Values.chownDataDir }} - - name: volume-mount - image: alpine:3 + - name: chown-data-dir + image: {{ printf "%s:%s" .Values.bashImage.repository .Values.bashImage.tag }} + imagePullPolicy: {{ .Values.bashImage.pullPolicy }} + securityContext: + privileged: false + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: false + runAsUser: 0 + runAsGroup: 0 {{- with .Values.env }} env: {{- toYaml . | nindent 12 }} {{- end }} - command: ["/bin/sh"] - args: ["-c", "mkdir -p /nexus-data/etc; chown -R 200:200 /nexus-data;"] + args: ["/scripts/chown-data-dir.sh"] volumeMounts: + - mountPath: /scripts/chown-data-dir.sh + name: scripts + subPath: chown-data-dir.sh - mountPath: /nexus-data name: {{ include "nexus3.pvcname" . }} {{- end }} @@ -147,12 +176,13 @@ spec: - mountPath: /nexus-data name: {{ include "nexus3.pvcname" . }} - mountPath: /opt/sonatype/nexus/etc/logback - name: {{ include "nexus3.fullname" . }}-logback - readOnly: true + name: logback - mountPath: /nexus-data/etc/nexus.properties - name: {{ include "nexus3.fullname" . }}-properties + name: properties subPath: nexus.properties - readOnly: true + - name: tmp + mountPath: /tmp + readOnly: false {{- if .Values.license.enabled}} - mountPath: /nexus-data/etc/nexus.license name: license 
@@ -161,22 +191,19 @@ spec: {{- end }} {{- if .Values.plugins }} - mountPath: /opt/sonatype/nexus/deploy - name: nexus-deploy + name: deploy {{- end }} {{- if and .Values.config.enabled (or .Values.rootPassword.secret .Values.config.rootPassword.secret) }} - mountPath: /opt/sonatype/nexus/conf - name: {{ include "nexus3.fullname" . }}-conf - readOnly: true + name: config {{- if .Values.config.ldap.enabled }} - mountPath: /opt/sonatype/nexus/secret/ldap.password - name: {{ .Values.config.ldap.authPassword.secret }} + name: ldap-password subPath: {{ .Values.config.ldap.authPassword.key }} - readOnly: true {{- end }} {{- if .Values.config.repoCredentials.enabled }} - mountPath: /opt/sonatype/nexus/secret/repo-credentials - name: {{ .Values.config.repoCredentials.secret }} - readOnly: true + name: repo-credentials {{- end }} {{- end }} {{- with .Values.extraVolumeMounts }} @@ -187,6 +214,16 @@ spec: {{- toYaml . | nindent 12 }} {{- end }} volumes: + - name: logback + configMap: + name: {{ include "nexus3.fullname" . }}-logback + defaultMode: 0440 + - name: properties + configMap: + name: {{ include "nexus3.fullname" . }}-properties + defaultMode: 0440 + - name: tmp + emptyDir: {} {{- if not .Values.persistence.enabled }} - name: {{ include "nexus3.pvcname" . }} emptyDir: {} 
@@ -196,35 +233,33 @@ spec: secret: secretName: {{ .Values.license.secret }} {{- end }} + {{- if or .Values.caCerts.enabled .Values.plugins .Values.chownDataDir }} + - name: scripts + configMap: + name: {{ include "nexus3.fullname" . }}-scripts + defaultMode: 0550 + {{- end }} {{- if .Values.caCerts.enabled }} - - name: nexus3-cas + - name: ca-certs secret: secretName: {{ .Values.caCerts.secret }} {{- end }} - - name: {{ include "nexus3.fullname" . }}-logback - configMap: - name: {{ include "nexus3.fullname" . }}-logback - defaultMode: 0755 - - name: {{ include "nexus3.fullname" . }}-properties - configMap: - name: {{ include "nexus3.fullname" . }}-properties - defaultMode: 0755 {{- if .Values.plugins }} - - name: nexus-deploy + - name: deploy emptyDir: {} {{- end }} {{- if and .Values.config.enabled (or .Values.rootPassword.secret .Values.config.rootPassword.secret) }} - - name: {{ include "nexus3.fullname" . }}-conf + - name: config configMap: name: {{ include "nexus3.fullname" . }}-conf - defaultMode: 0755 + defaultMode: 0550 {{- if and .Values.config.ldap.enabled }} - - name: {{ .Values.config.ldap.authPassword.secret }} + - name: ldap-password secret: secretName: {{ .Values.config.ldap.authPassword.secret }} {{- end }} {{- if .Values.config.repoCredentials.enabled }} - - name: {{ .Values.config.repoCredentials.secret }} + - name: repo-credentials secret: secretName: {{ .Values.config.repoCredentials.secret }} {{- end }} diff --git a/charts/nexus3/values.yaml b/charts/nexus3/values.yaml index 27080669..73775bee 100644 --- a/charts/nexus3/values.yaml +++ b/charts/nexus3/values.yaml @@ -1,14 +1,14 @@ image: repository: sonatype/nexus3 # Overrides the image tag whose default is {{ .Chart.AppVersion }} - tag: "" + tag: pullPolicy: IfNotPresent pullSecrets: [] imagePullSecrets: [] -nameOverride: "" -fullnameOverride: "" +nameOverride: +fullnameOverride: commonLabels: {} 
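Review bot: Replacing `tag: ""`, `nameOverride: ""` and `fullnameOverride: ""` with bare keys changes their type from empty string to null, not merely their spelling; `default`, `with` and `if` treat both alike, but `quote`, `eq ... ""` and `printf "%s"` do not (sprig's `quote` emits nothing for nil and `printf` renders `%!s(<nil>)`), and yamllint's `empty-values` rule flags bare keys as ambiguous for exactly this reason. Unless every template consumer of these values has been checked, keep the explicit `""`, or write `null` explicitly so the intent is visible. The same change is made to `serviceAccount.name`, `priorityClassName` and `ingress.ingressClassName` in the later hunks of this file.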
@@ -21,7 +21,7 @@ serviceAccount: annotations: {} # The name of the service account to use. # If not set and create is true, a name is generated using the fullname template - name: "" + name: automountToken: false deployment: true @@ -36,13 +36,23 @@ podLabels: {} podAnnotations: {} podSecurityContext: + runAsNonRoot: false fsGroup: 200 + seccompProfile: + type: RuntimeDefault securityContext: - runAsGroup: 200 + privileged: false + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true runAsUser: 200 + runAsGroup: 200 + capabilities: + drop: + - ALL -priorityClassName: "" +priorityClassName: livenessProbe: httpGet: @@ -88,7 +98,7 @@ metrics: ingress: enabled: false annotations: {} - ingressClassName: "" + ingressClassName: hosts: [] # - nexus.local tls: [] @@ -120,6 +130,16 @@ resources: {} # cpu: 100m # memory: 128Mi +bashImage: + repository: cgr.dev/chainguard/bash + tag: latest + pullPolicy: IfNotPresent + +jdkImage: + repository: cgr.dev/chainguard/jdk-lts + tag: latest-dev + pullPolicy: IfNotPresent + chownDataDir: true extraInitContainers: []
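Review bot: `podSecurityContext.fsGroup` stays `200` in this hunk, yet the CHANGELOG entry added in this same commit states the default `fsGroup` changed to `65534`, and the new `chown-data-dir.sh` renders that value into its `chown`; one of the two needs correcting before release, and if `65534` is intended it has to move together with `securityContext.runAsUser`/`runAsGroup`, otherwise the data directory is owned by a different uid than the Nexus process. The explicit `podSecurityContext.runAsNonRoot: false` next to the container-level `runAsNonRoot: true` is easy to misread as a weakening; a comment such as `# false only so the root init containers (import-ca-certs, chown-data-dir) can run; the nexus container sets runAsNonRoot: true below` would make the intent clear.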
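Review bot: The new defaults `bashImage.tag: latest` and `jdkImage.tag: latest-dev`, combined with `pullPolicy: IfNotPresent`, make the init containers non-reproducible: whichever `latest` a node happens to have cached is what runs, nodes can drift apart, and a retagged upstream image changes chart behaviour without any chart change. Pin both to a specific tag or a `@sha256` digest and bump them with the chart release, and add a comment above `jdkImage` explaining why the `-dev` variant is required (presumably the non-dev Chainguard image has no shell for the `bash -c` invocation — confirm), e.g. `# -dev variant: the import-ca-certs script needs bash, which the minimal image lacks — verify before changing`.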