feat(nexus3): Updated init container spec

Signed-off-by: Steve Hipwell <steve.hipwell@gmail.com>
stevehipwell · Jan 4, 2024 · da8be97 · da8be97
1 parent 5e0f0f1
commit da8be97
Show file tree

Hide file tree

Showing 12 changed files with 351 additions and 131 deletions.
diff --git a/charts/nexus3/CHANGELOG.md b/charts/nexus3/CHANGELOG.md
@@ -24,6 +24,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - Added `highAvailability.enabled` & `highAvailability.replicas` values to enable configuring high availability when running _Nexus3_ as a `StatefulSet`.
 - Added `license.enabled`, `license.secret` & `license.key` to configure the licence.
+- Added `bashImage` & `jdkImage` values to allow configuring the init container images.
+- Added init container security contexts.
+
+### Changed
+
+- Updated the defaults for `podSecurityContext` to be more secure.
+- Changed the default `fsGroup` to `65534`.
+- Updated the `securityContext` to be more secure.
 
 ## [v4.37.0] - 2023-12-06
 

diff --git a/charts/nexus3/README.md b/charts/nexus3/README.md
@@ -21,7 +21,7 @@ helm upgrade --install --namespace default --values ./my-values.yaml my-release
 The following table lists the configurable parameters of the _Nexus 3_ chart and their default values.
 
 | Parameter                                 | Description                                                                                                                                                                      | Default                              |
-|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------|
+| ----------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------ |
 | `image.repository`                        | Image repository.                                                                                                                                                                | `sonatype/nexus3`                    |
 | `image.tag`                               | Image tag.                                                                                                                                                                       | `.Chart.AppVersion`                  |
 | `image.pullPolicy`                        | Image pull policy.                                                                                                                                                               | `IfNotPresent`                       |
@@ -68,6 +68,12 @@ The following table lists the configurable parameters of the _Nexus 3_ chart and
 | `persistence.size`                        | Size of PVC to create.                                                                                                                                                           | `8Gi`                                |
 | `extraVolumeMounts`                       | Additional volume mounts for the _nexus3_ container.                                                                                                                             | `[]`                                 |
 | `resources`                               | Resource requests and limits for the _nexus3_ container.                                                                                                                         | `{}`                                 |
+| `bashImage.repository`                    | Repository for the Bash image.                                                                                                                                                   | `cgr.dev/chainguard/bash`            |
+| `bashImage.tag`                           | Tag for the Bash image.                                                                                                                                                          | `latest`                             |
+| `bashImage.pullPolicy`                    | Pull policy for the Bash image.                                                                                                                                                  | `IfNotPresent`                       |
+| `jdkImage.repository`                     | Repository for the JDK image.                                                                                                                                                    | `cgr.dev/chainguard/jdk-lts`         |
+| `jdkImage.tag`                            | Tag for the JDK image.                                                                                                                                                           | `latest-dev`                         |
+| `jdkImage.pullPolicy`                     | Pull policy for the JDK image.                                                                                                                                                   | `IfNotPresent`                       |
 | `chownDataDir`                            | If the `chown` init container should be used.                                                                                                                                    | `true`                               |
 | `extraInitContainers`                     | Additional init containers for the pod.                                                                                                                                          | `[]`                                 |
 | `extraVolumes`                            | Additional volumes.                                                                                                                                                              | `[]`                                 |

diff --git a/charts/nexus3/ci/ci-values.yaml b/charts/nexus3/ci/ci-values.yaml
@@ -1,9 +1,13 @@
+deployment: false
+
 metrics:
   enabled: true
 
 persistence:
   enabled: true
 
+chownDataDir: true
+
 caCerts:
   enabled: true
   secret: nexus3-cas

diff --git a/charts/nexus3/ci/kubeconform.yaml b/charts/nexus3/ci/kubeconform.yaml
@@ -1,3 +1,5 @@
+deployment: false
+
 commonLabels:
   common-label: test
 

diff --git a/charts/nexus3/files/configure.sh b/charts/nexus3/files/configure.sh
@@ -12,8 +12,8 @@ TERMINATION_LOG="${TERMINATION_LOG:-/dev/termination-log}"
 nexus_host="http://localhost:8081"
 root_user="admin"
 base_dir="/opt/sonatype/nexus"
-out_file="/tmp/out.json"
-tmp_file="/tmp/tmp.json"
+out_file="${NEXUS_DATA}/tmp/out.json"
+tmp_file="${NEXUS_DATA}/tmp/tmp.json"
 
 echo "Configuring Nexus3..."
 
@@ -98,7 +98,7 @@ do
       echo "Updating user '${id}'..."
 
       status_code=$(curl -s -o "${out_file}" -w "%{http_code}" -X GET -H 'Content-Type: application/json' -u "${root_user}:${root_password}" "${nexus_host}/service/rest/v1/security/users/?userId=${id}&source=${source}")
-      if [[ "${status_code}" -eq 200 ]] && [[ -n "$(grep -r 'userId' ${out_file} || true)" ]]
+      if [[ "${status_code}" -eq 200 ]] && [[ -n "$(grep -r 'userId' "${out_file}" || true)" ]]
       then
         status_code="$(curl -s -o /dev/null -w "%{http_code}" -X PUT -H 'Content-Type: application/json' -u "${root_user}:${root_password}" -d "@${json_file}" "${nexus_host}/service/rest/v1/security/users/${id}")"
         if [[ "${status_code}" -ne 204 ]]
@@ -144,7 +144,7 @@ do
 
     if [[ -f "${base_dir}/secret/ldap.password" ]]
     then
-      ldap_password=$(cat "${base_dir}/secret/ldap.password" | sed 's|"|\\"|g;s|/|\\/|g')
+      ldap_password=$(sed 's|"|\\"|g;s|/|\\/|g' "${base_dir}/secret/ldap.password")
       sed -i "s/PASSWORD/${ldap_password}/g" "${json_file}"
     fi
 

diff --git a/charts/nexus3/templates/configmap-config.yaml b/charts/nexus3/templates/configmap-config.yaml
@@ -1,5 +1,5 @@
 {{- if .Values.config.enabled -}}
-{{ $root := . }}
+{{- $root := . }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -8,50 +8,50 @@ metadata:
   labels:
     {{- include "nexus3.labels" . | nindent 4 }}
 data:
-  {{- range $path, $bytes := .Files.Glob "files/*" }}
+{{- range $path, $bytes := .Files.Glob "files/*" }}
   {{ $path | base }}: |
     {{- $root.Files.Get $path | nindent 4 }}
-  {{- end }}
+{{- end }}
   anonymous.json: |
     {"enabled":{{ .Values.config.anonymous.enabled }}}
-  {{- if .Values.config.realms.enabled }}
+{{- if .Values.config.realms.enabled }}
   realms.json: |
     {{- .Values.config.realms.values | toJson | nindent 4 }}
-  {{- end }}
+{{- end }}
   nx-metrics-role.json: |
     {"id":"nx-metrics","source":"default","name":"nx-metrics","description":"Metrics Role","privileges":["nx-metrics-all"],"roles":[]}
-  {{- range .Values.config.roles }}
+{{- range .Values.config.roles }}
   {{ .id }}-role.json: |
     {{- . | toJson | nindent 4 }}
-  {{- end }}
-  {{- if .Values.config.anonymous.enabled }}
+{{- end }}
+{{- if .Values.config.anonymous.enabled }}
   anonymous-user.json: |
     {"userId":"anonymous","firstName":"Anonymous","lastName":"User","emailAddress":"anonymous@example.org","source":"default","status":"active","roles":{{ .Values.config.anonymous.roles | toJson }},"externalRoles":[]}
-  {{- end }}
-  {{- range .Values.config.users }}
+{{- end }}
+{{- range .Values.config.users }}
   {{ .userId }}-user.json: |
     {{- . | toJson | nindent 4 }}
-  {{- end }}
-  {{- if .Values.config.ldap.enabled }}
+{{- end }}
+{{- if .Values.config.ldap.enabled }}
   ldap.json: |
-    {{- with omit .Values.config.ldap "enabled" "authPassword" }}
+{{- with omit .Values.config.ldap "enabled" "authPassword" }}
     {{-  set . "authPassword" "PASSWORD" | toJson | nindent 4 }}
-    {{- end }}
-  {{- end }}
-  {{- range $index, $blobStore := .Values.config.blobStores }}
+{{- end }}
+{{- end }}
+{{- range $index, $blobStore := .Values.config.blobStores }}
   {{ $index | add 1000 | toString | substr 1 -1 }}-blobstore.json: |
     {{- $blobStore | toJson | nindent 4 }}
-  {{- end }}
-  {{- range $index, $cleanup := .Values.config.cleanup }}
+{{- end }}
+{{- range $index, $cleanup := .Values.config.cleanup }}
   {{ $index | add 1000 | toString | substr 1 -1 }}-cleanup.json: |
     {{- $cleanup | toJson | nindent 4 }}
-  {{- end }}
-  {{- range $index, $repo := .Values.config.repos }}
+{{- end }}
+{{- range $index, $repo := .Values.config.repos }}
   {{ $index | add 1000 | toString | substr 1 -1 }}-repo.json: |
     {{- $repo | toJson | nindent 4 }}
-  {{- end }}
-  {{- range $index, $task := .Values.config.tasks }}
+{{- end }}
+{{- range $index, $task := .Values.config.tasks }}
   {{ $index | add 1000 | toString | substr 1 -1 }}-task.json: |
     {{- $task | toJson | nindent 4 }}
-  {{- end }}
+{{- end }}
 {{- end }}
diff --git a/charts/nexus3/templates/configmap-logback.yaml b/charts/nexus3/templates/configmap-logback.yaml
@@ -23,6 +23,7 @@ data:
 
       <appender-ref ref="request.logfile"/>
     </configuration>
+
   logback.xml: |
     <?xml version="1.0" encoding="UTF-8"?>
     <configuration>
@@ -43,6 +44,11 @@ data:
         </encoder>
       </appender>
 
+      <appender name="jvm" class="ch.qos.logback.core.FileAppender">
+        <File>${karaf.data}/log/jvm.log</File>
+        <append>true</append>
+      </appender>
+
       <appender name="logfile" class="ch.qos.logback.core.rolling.RollingFileAppender">
         <File>${karaf.data}/log/nexus.log</File>
         <Append>true</Append>
@@ -85,6 +91,42 @@ data:
         </sift>
       </appender>
 
+      <appender name="replicationlogfile" class="ch.qos.logback.classic.sift.SiftingAppender">
+        <filter class="org.sonatype.nexus.pax.logging.ReplicationLogsFilter" />
+        <discriminator>
+          <key>repositoryName</key>
+          <defaultValue>unknown</defaultValue>
+        </discriminator>
+        <sift>
+          <appender name="replicationAppender" class="ch.qos.logback.core.rolling.RollingFileAppender">
+            <file>${karaf.data}/log/replication/replication-${repositoryName}.log</file>
+            <encoder class="org.sonatype.nexus.pax.logging.NexusLayoutEncoder">
+              <pattern>%d{"yyyy-MM-dd HH:mm:ss,SSSZ"} %-5p [%thread] %node %mdc{userId:-*SYSTEM} %c - %m%n</pattern>
+            </encoder>
+            <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
+              <fileNamePattern>${karaf.data}/log/replication/replication-${repositoryName}-%d{yyyy-MM-dd}.log.gz</fileNamePattern>
+              <maxHistory>{{ .Values.logback.maxHistory }}</maxHistory>
+            </rollingPolicy>
+          </appender>
+        </sift>
+      </appender>
+
+      <appender name="outboundRequestslogfile" class="ch.qos.logback.core.rolling.RollingFileAppender">
+        <File>${karaf.data}/log/outbound-request.log</File>
+        <Append>true</Append>
+        <encoder>
+          <pattern>%msg%n</pattern>
+        </encoder>
+        <filter class="org.sonatype.nexus.pax.logging.OutboundRequestsLogFilter" />
+        <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
+          <fileNamePattern>${karaf.data}/log/outbound-request-%d{yyyy-MM-dd}.log.gz</fileNamePattern>
+          <maxHistory>{{ .Values.logback.maxHistory }}</maxHistory>
+        </rollingPolicy>
+      </appender>
+      <logger name="outboundRequests">
+        <appender-ref ref="outboundRequestslogfile"/>
+      </logger>
+
       <appender name="auditlogfile" class="ch.qos.logback.core.rolling.RollingFileAppender">
         <File>${karaf.data}/log/audit/audit.log</File>
         <Append>true</Append>
@@ -102,6 +144,27 @@ data:
         <appender-ref ref="auditlogfile"/>
       </logger>
 
+      <appender name="blobstore-reconciliation-log-file" class="ch.qos.logback.classic.sift.SiftingAppender">
+        <discriminator>
+          <key>blobstore-reconciliation-path</key>
+          <defaultValue>unknown</defaultValue>
+        </discriminator>
+        <sift>
+          <appender name="FILE-${blobstore}" class="ch.qos.logback.core.rolling.RollingFileAppender">
+            <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
+              <Pattern>%d{"yyyy-MM-dd HH:mm:ss"},%msg%n</Pattern>
+            </encoder>
+            <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
+              <fileNamePattern>${blobstore-reconciliation-path}/%d</fileNamePattern>
+              <maxHistory>{{ .Values.logback.maxHistory }}</maxHistory>
+            </rollingPolicy>
+          </appender>
+        </sift>
+      </appender>
+      <logger name="blobstore-reconciliation-log" additivity="false">
+        <appender-ref ref="blobstore-reconciliation-log-file"/>
+      </logger>
+
       <appender name="metrics" class="org.sonatype.nexus.pax.logging.InstrumentedAppender"/>
 
       <logger name="org.eclipse.jetty.webapp" level="INFO"/>
@@ -111,14 +174,33 @@ data:
       <logger name="org.apache.felix" level="WARN"/>
       <logger name="org.apache.karaf" level="WARN"/>
 
+      <include file="/opt/sonatype/nexus/etc/logback/logback-tasklogfile-appender-override.xml" optional="true"/>
       <include file="${karaf.data}/etc/logback/logback-overrides.xml" optional="true"/>
 
       <root level="${root.level:-INFO}">
         <appender-ref ref="osgi"/>
         <appender-ref ref="console"/>
+        <appender-ref ref="jvm"/>
         <appender-ref ref="logfile"/>
         <appender-ref ref="clusterlogfile"/>
         <appender-ref ref="tasklogfile"/>
+        <appender-ref ref="replicationlogfile"/>
         <appender-ref ref="metrics"/>
       </root>
     </configuration>
+
+  logback-tasklogfile-appender-override.xml: |
+    <included>
+      <appender name="tasklogfile" class="ch.qos.logback.core.rolling.RollingFileAppender">
+        <File>${karaf.data}/log/tasks/allTasks.log</File>
+        <filter class="org.sonatype.nexus.pax.logging.TaskLogsFilter" />
+        <Append>true</Append>
+        <encoder class="org.sonatype.nexus.pax.logging.NexusLayoutEncoder">
+          <pattern>%d{"yyyy-MM-dd HH:mm:ss,SSSZ"} %-5p [%thread] %node %mdc{userId:-*SYSTEM} %c - %m%n</pattern>
+        </encoder>
+        <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
+          <fileNamePattern>${karaf.data}/log/tasks/allTasks-%d{yyyy-MM-dd}.log.gz</fileNamePattern>
+          <maxHistory>{{ .Values.logback.maxHistory }}</maxHistory>
+        </rollingPolicy>
+      </appender>
+    </included>
diff --git a/charts/nexus3/templates/configmap-properties.yaml b/charts/nexus3/templates/configmap-properties.yaml
@@ -7,12 +7,12 @@ metadata:
     {{- include "nexus3.labels" . | nindent 4 }}
 data:
   nexus.properties: |
-    {{- if .Values.license.enabled }}
+{{- if .Values.license.enabled }}
     nexus.licenseFile=/nexus-data/etc/nexus.license
-    {{- end }}
-    {{- if and (not .Values.deployment) .Values.highAvailability.enabled }}
+{{- end }}
+{{- if and (not .Values.deployment) .Values.highAvailability.enabled }}
     nexus.datastore.clustered.enabled=true
-    {{- end }}
-    {{- range .Values.properties }}
+{{- end }}
+{{- range .Values.properties }}
     {{ . }}
-    {{- end }}
+{{- end }}
diff --git a/charts/nexus3/templates/configmap-scripts.yaml b/charts/nexus3/templates/configmap-scripts.yaml
@@ -0,0 +1,34 @@
+{{- if or .Values.caCerts.enabled .Values.plugins .Values.chownDataDir -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "nexus3.fullname" . }}-scripts
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "nexus3.labels" . | nindent 4 }}
+data:
+  import-ca-certs.sh: |
+    #!/usr/bin/env bash
+    set -euo pipefail
+
+    mkdir -p /nexus-data/keystores
+    cp -f "${JAVA_HOME}/jre/lib/security/cacerts" /nexus-data/keystores/cacerts
+
+    for f in /nexus-data/secrets/cas/*
+    do
+      keytool -importcert -file "${f}" -alias "$(basename "${f}")" -keystore /nexus-data/keystores/cacerts -storepass changeit -trustcacerts -noprompt
+    done
+  download-plugins.sh: |
+    #!/usr/bin/env bash
+    set -euo pipefail
+
+{{- range .Values.plugins }}
+      curl -sSLo /deploy/{{ .name }}.kar {{ .url }}
+{{- end }}
+  chown-data-dir.sh: |
+    #!/usr/bin/env bash
+    set -euo pipefail
+
+    mkdir -p /nexus-data/etc
+    chown -R {{ .Values.podSecurityContext.fsGroup }}:{{ .Values.podSecurityContext.fsGroup }} /nexus-data;
+{{- end }}