Merge pull request #124 from adamrushuk/develop

Added my Nexus helm chart

.github/workflows/build.yml

@@ -39,7 +39,7 @@ env:
   DEMO_USER_USERNAME: demo_user
   # DEMO_USER_PASSWORD: ${{ secrets.DEMO_USER_PASSWORD }}
   DNS_DOMAIN_NAME: nexus.thehypepipe.co.uk
-  DOCKER_FQDN: docker-nexus.thehypepipe.co.uk
+  DOCKER_FQDN: docker.thehypepipe.co.uk
   EMAIL_ADDRESS: [email protected]
   ENABLE_TLS_INGRESS: true
   FORCE_TEST_FAIL: false
@@ -48,7 +48,7 @@ env:
   ROOT_DOMAIN_NAME: thehypepipe.co.uk
   # NEXUS_ADMIN_PASSWORD: ${{ secrets.NEXUS_ADMIN_PASSWORD }}
   # STORAGE_KEY: 'env var set by Get-StorageKey.ps1'
-  VELERO_ENABLED: false
+  VELERO_ENABLED: true
 
   # terraform
   TF_IN_AUTOMATION: "true"
@@ -220,7 +220,7 @@ jobs:
     - name: Unregister NuGet proxy repo
       run: pwsh -command "Unregister-PSRepository -Name nuget.org-proxy -Verbose"
 
-    # TODO: https://github.com/zyborg/pester-tests-report/issues/1
+    # Shows at the bottom of a run: https://github.com/adamrushuk/aks-nexus-velero/runs/1035347513?check_suite_focus=true
     - name: Pester report
       uses: zyborg/[email protected]
       with:

.github/workflows/destroy.yml

@@ -31,7 +31,7 @@ env:
 
   # other
   # prod or staging
-  CERT_API_ENVIRONMENT: prod
+  CERT_API_ENVIRONMENT: staging
   DNS_DOMAIN_NAME: nexus.thehypepipe.co.uk
   EMAIL_ADDRESS: [email protected]
   ENABLE_TLS_INGRESS: true

README.md

@@ -69,7 +69,7 @@ Follow the steps below to update AKS credentials, get the Nexus admin password,
 
     ```bash
     # Get pod name
-    pod_name=$(kubectl get pod -n ingress -l app=nexus -o jsonpath="{.items[0].metadata.name}")
+    pod_name=$(kubectl get pod --namespace nexus -l app=nexus -o jsonpath="{.items[0].metadata.name}")
 
     # Get admin password from pod
     admin_password=$(kubectl exec -n ingress -it $pod_name -- cat /nexus-data/admin.password)

ansible/ansible.md

@@ -53,11 +53,11 @@ Before the Ansible playbook can be run, follow the steps below:
 
     ```powershell
     # Get pod name
-    $podName = kubectl get pod -n ingress -l app=nexus -o jsonpath="{.items[0].metadata.name}"
+    $podName = kubectl get pod --namespace nexus -l app.kubernetes.io/name=sonatype-nexus -o jsonpath="{.items[0].metadata.name}"
 
     # Get admin password from pod
     # NOTE: "/nexus-data/admin.password" is deleted after the admin password is changed
-    $adminPassword = kubectl exec -n ingress -it $podName cat /nexus-data/admin.password
+    $adminPassword = kubectl exec --namespace nexus -it $podName cat /nexus-data/admin.password
     echo $adminPassword
     ```
 

ansible/group_vars/all.yml

@@ -2,13 +2,15 @@
 # assign password via environment variable
 admin_password: "{{ lookup('env', 'NEW_ADMIN_PASSWORD') }}"
 ansible_python_interpreter: /usr/bin/python3
+dns_domain_name: ""
 api_base_uri: ""
 api_url: "{{ api_base_uri }}/service/rest"
 api_user: "admin"
 autogenerated_admin_password: "{{ lookup('env', 'AUTOGENERATED_ADMIN_PASSWORD') }}"
 demo_user_username: "{{ lookup('env', 'DEMO_USER_USERNAME') }}"
 demo_user_password: "{{ lookup('env', 'DEMO_USER_PASSWORD') }}"
 enable_debug_output: "{{ lookup('env', 'CI_DEBUG') }}"
+nexus_namespace: "nexus"
 
 active_realms: [
   "NexusAuthenticatingRealm",

ansible/roles/docker_repo/defaults/main.yml

@@ -8,4 +8,4 @@ docker_repo_request_body:
   docker:
     v1Enabled: false
     forceBasicAuth: false
-    httpPort: 8123
+    httpPort: 5000

ansible/roles/helm_repo/tasks/main.yml

@@ -23,7 +23,7 @@
 
 - name: Upload Helm Charts to Nexus
   shell:
-    cmd: "curl -v -u {{ api_user }}:{{ admin_password }} {{ api_base_uri }}/repository/{{ helm_repo_request_body.name }}/ --upload-file {{ item.name }}-{{ item.version }}.tgz"
+    cmd: "curl --insecure -v -u {{ api_user }}:{{ admin_password }} {{ api_base_uri }}/repository/{{ helm_repo_request_body.name }}/ --upload-file {{ item.name }}-{{ item.version }}.tgz"
     warn: false
   with_items:
     - "{{ helm_charts }}"

ansible/roles/init/tasks/main.yml

@@ -2,11 +2,11 @@
 # INIT
 - name: get auto-generated admin password from pod - timeout {{ admin_password_script_timeout_mins }} mins
   shell: |
-    podName=$(kubectl get pod -n ingress -l app=nexus -o jsonpath="{.items[0].metadata.name}")
+    podName=$(kubectl get pod --namespace {{ nexus_namespace }} -l app.kubernetes.io/name=sonatype-nexus -o jsonpath="{.items[0].metadata.name}")
 
-    kubectl cp -n ingress {{role_path}}/files/get_admin_password.sh "$podName":/tmp/get_admin_password.sh
+    kubectl cp --namespace {{ nexus_namespace }} {{role_path}}/files/get_admin_password.sh "$podName":/tmp/get_admin_password.sh
 
-    kubectl exec -n ingress "$podName" -- sh -c "chmod +x /tmp/get_admin_password.sh; timeout {{ admin_password_script_timeout_mins }}m /tmp/get_admin_password.sh"
+    kubectl exec --namespace {{ nexus_namespace }} "$podName" -- sh -c "chmod +x /tmp/get_admin_password.sh; timeout {{ admin_password_script_timeout_mins }}m /tmp/get_admin_password.sh"
 
   # ignore_errors: yes
   register: admin_password_result
@@ -22,13 +22,15 @@
 
 - name: wait for Nexus API to respond
   uri:
-    url: "{{ api_url }}/v1/status/"
+    url: "{{ api_url }}/v1/status/writable"
     status_code: 200
+    validate_certs: false
   register: result
   until:
     - result.status == 200
-  retries: 30
-  delay: 60
+  # 90 x 10secs = 15mins
+  retries: 90
+  delay: 10
   # reset module defaults for this simple check
   module_defaults:
     uri: {}
@@ -65,9 +67,9 @@
 
 - name: set admin password changed marker file
   shell: |
-    podName=$(kubectl get pod -n ingress -l app=nexus -o jsonpath="{.items[0].metadata.name}")
+    podName=$(kubectl get pod --namespace {{ nexus_namespace }} -l app.kubernetes.io/name=sonatype-nexus -o jsonpath="{.items[0].metadata.name}")
 
-    kubectl exec -n ingress "$podName" -- sh -c "touch /nexus-data/admin-password-changed"
+    kubectl exec --namespace {{ nexus_namespace }} "$podName" -- sh -c "touch /nexus-data/admin-password-changed"
   when: admin_password_response.status is defined and admin_password_response.status == 204
 
 - name: set active realms

ansible/roles/pypi_repo/files/upload_package.sh

@@ -6,9 +6,12 @@
 set -euo pipefail
 trap "echo 'error: Script failed: see failed command above'" ERR
 
+# disable ssl cert verification
+export PYTHONHTTPSVERIFY=0
+
 # install twine
 echo "installing twine..."
-pip3 install --user twine
+pip3 install --user twine --trusted-host "$DNS_DOMAIN_NAME"
 
 # info
 echo "show version info..."
@@ -31,7 +34,7 @@ python3 -m twine upload --username "$USERNAME" --password "$PASSWORD" --reposito
 # install from private pypi repo
 # pip3 install --index-url http://my.package.repo/simple/ SomePackage
 echo "installing package..."
-pip3 install --user --index-url "$REPO_URL/simple" "$PACKAGE_NAME"
+pip3 install --user --index-url "$REPO_URL/simple" "$PACKAGE_NAME" --trusted-host "$DNS_DOMAIN_NAME"
 pip3 list --local | grep "$PACKAGE_NAME"
 
 # uninstall

ansible/roles/pypi_repo/tasks/main.yml

@@ -14,7 +14,7 @@
   when: enable_debug_output == "true"
 
 - name: search pypi repo
-  shell: "pip search --index {{ pypi_repo_url }}/pypi {{ pypi_package_name }}"
+  shell: "PYTHONHTTPSVERIFY=0 pip search --index {{ pypi_repo_url }}/pypi {{ pypi_package_name }} --trusted-host {{ dns_domain_name }}"
   ignore_errors: yes
   register: search_result
 
@@ -28,6 +28,7 @@
   args:
     chdir: "{{ role_path }}/files/hello"
   environment:
+    DNS_DOMAIN_NAME: "{{ dns_domain_name }}"
     USERNAME: "{{ api_user }}"
     PASSWORD: "{{ admin_password }}"
     REPO_URL: "{{ pypi_repo_url }}"

ansible/site.yml

@@ -24,6 +24,7 @@
       password: "{{ admin_password }}"
       force_basic_auth: yes
       timeout: 10
+      validate_certs: false
 
   tasks:
   # ROLES

cert-manager/cert-manager-tshoot.ps1

@@ -47,7 +47,7 @@ curl -i -k $nexusBaseUrl
 # openssl s_client
 # to prevent hanging, use "echo Q | " at the start
 # openssl s_client -connect host:port -status [-showcerts]
-echo Q | openssl s_client -connect docker-nexus.thehypepipe.co.uk:443 | sls "CN =|error"
+echo Q | openssl s_client -connect docker.thehypepipe.co.uk:443 | sls "CN =|error"
 echo Q | openssl s_client -connect "$($nexusHost):443" | sls "CN =|error"
 echo Q | openssl s_client -connect "$($nexusHost):443" -status -showcerts
 echo Q | openssl s_client -connect "$($nexusHost):443" -status

manifests/ingress-http.yml

@@ -28,5 +28,5 @@ spec:
       paths:
       - backend:
           serviceName: nexus
-          servicePort: 8123
+          servicePort: 5000
         path: /

manifests/ingress-tls.yml

@@ -33,5 +33,5 @@ spec:
       paths:
       - backend:
           serviceName: nexus
-          servicePort: 8123
+          servicePort: 5000
         path: /

manifests/nexus.yml

@@ -39,7 +39,7 @@ spec:
         # http-web
         - containerPort: 8081
         # http-docker
-        - containerPort: 8123
+        - containerPort: 5000
         # These volume mounts are persistent. They are like inline claims,
         # but not exactly because the names need to match exactly one of
         # the stateful pod volumes.
@@ -71,6 +71,6 @@ spec:
   - name: http-web
     port: 8081
   - name: http-docker
-    port: 8123
+    port: 5000
   selector:
       app: nexus

nexus/repositories/docker/nexus-docker-notes.md

@@ -45,7 +45,7 @@ Follow the [Login to Nexus Console](./../../../README.md#login-to-nexus-console)
 1. Click `Create repository`.
 1. Select `docker (hosted)` recipe.
 1. Enter repo name: `docker-repo`
-1. Tick `http` Repository Connector and enter port: `8123`
+1. Tick `http` Repository Connector and enter port: `5000`
 1. Tick `Allow anonymous docker pull`.
 1. Leave the rest of the settings as default, and click `Create repository` at the bottom.
 1. When configured correctly, the following command should return the `Error 400 Not a Docker request`:
@@ -86,7 +86,7 @@ Follow the [Login to Nexus Console](./../../../README.md#login-to-nexus-console)
 
     ```json
     {
-      "insecure-registries": [ "docker-nexus.domain.com" ]
+      "insecure-registries": [ "docker.domain.com" ]
     }
     ```
 
@@ -110,9 +110,9 @@ Follow the [Login to Nexus Console](./../../../README.md#login-to-nexus-console)
     $dockerSysInfoJson = docker system info --format '{{json .}}' | ConvertFrom-Json
     $dockerSysInfoJson.RegistryConfig.IndexConfigs
 
-    http://docker-nexus.domain.com
+    http://docker.domain.com
     ------------------------------
-    @{Name=docker-nexus.domain.com; Mirrors=System.Object[]; Secure=False; Official=False}
+    @{Name=docker.domain.com; Mirrors=System.Object[]; Secure=False; Official=False}
     ```
 
 ## Login to Docker Repo

scripts/ansible.sh

@@ -28,6 +28,6 @@ nexusBaseUrl="$protocol://$DNS_DOMAIN_NAME"
 message="Running Ansible playbook"
 echo "STARTED: $message..."
 pushd ansible
-ansible-playbook site.yml --extra-vars "api_base_uri=$nexusBaseUrl"
+ansible-playbook site.yml --extra-vars "api_base_uri=$nexusBaseUrl dns_domain_name=$DNS_DOMAIN_NAME"
 popd
 echo "FINISHED: $message."

scripts/k8s_manifests_apply.sh

@@ -25,35 +25,6 @@ kubectl version --short
 # Apply manifests
 message="Applying Kubernetes manifests"
 echo "STARTED: $message..."
-echo "ENABLE_TLS_INGRESS: [$ENABLE_TLS_INGRESS]"
-
-# ClusterIssuers
-if [[ $ENABLE_TLS_INGRESS == "true" ]]; then
-    echo "APPLYING: ClusterIssuers..."
-    kubectl apply -f "./manifests/cluster-issuer-staging.yml"
-    kubectl apply -f "./manifests/cluster-issuer-prod.yml"
-else
-    echo "SKIPPING: ClusterIssuers..."
-fi
-
-# Applications
-echo "APPLYING: Applications..."
-kubectl apply -n ingress -f "./manifests/nexus.yml"
-
-# Ingress
-# ConfigMap - NGINX Configuration options
-# https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/
-# kubectl apply -n ingress -f ./manifests/nginx-configmap.yml
-
-# default to basic http
-ingressFilename="ingress-http.yml"
-if [[ $ENABLE_TLS_INGRESS == "true" ]]; then
-    ingressFilename="ingress-tls.yml"
-fi
-echo "APPLYING: Ingress [$ingressFilename]..."
-kubectl apply -n ingress -f "./manifests/$ingressFilename"
-echo "FINISHED: $message."
-
 
 # external-dns
 kubectl apply -n ingress -f ./manifests/external-dns.yml

scripts/wait.sh

@@ -16,8 +16,8 @@ echo -e "FINISHED: $message.\n"
 kubectl version --short
 
 # Wait
-pod_name="nexus-0"
+pod_name=$(kubectl get pod --namespace nexus -l app.kubernetes.io/name=sonatype-nexus -o jsonpath="{.items[0].metadata.name}")
 message="Waiting for Ready condition on pod: [$pod_name]"
 echo -e "\nSTARTED: $message..."
-kubectl --namespace ingress wait pod $pod_name --for condition=ready --timeout=5m
+kubectl --namespace nexus wait pod "$pod_name" --for condition=ready --timeout=5m
 echo -e "FINISHED: $message."

terraform/helm/nexus_values.yaml

@@ -0,0 +1,27 @@
+# Default values for nexus.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+nexus:
+  # The ports should only be changed if the nexus image uses a different port
+  dockerPort: 5000
+  nexusPort: 8081
+
+  storageSize: 8Gi
+
+  ## If defined, storageClassName: <storageClass>
+  ## If set to "-", storageClassName: "", which disables dynamic provisioning
+  ## If undefined (the default) or set to null, no storageClassName spec is
+  ##   set, choosing the default provisioner.  (gp2 on AWS, standard on
+  ##   GKE, AWS & OpenStack)
+  ##
+  # GitHub Action helm/kind-action uses: "standard"
+  # Azure uses: "default"
+  storageClass: "default"
+
+# https://hub.docker.com/r/sonatype/nexus3/tags
+image:
+  repository: sonatype/nexus3
+  pullPolicy: IfNotPresent
+  # Overrides the image tag whose default is the chart appVersion.
+  tag: "3.27.0"