Helm/Nexus: Difference between revisions

 
(14 intermediate revisions by the same user not shown)
Line 1: Line 1:
  helm repo add sonatype https://sonatype.github.io/helm3-charts
  helm repo add sonatype https://sonatype.github.io/helm3-charts
  helm repo update && helm repo list
  helm repo update && helm repo list
kubectl config get-contexts


==Config==
==Config==
Line 11: Line 12:
==Install==
==Install==
{|
{|
|valign='top'|
<syntaxhighlight lang="sql">
kubectl -n postgresql exec -it svc/postgresql -c postgresql -- bash
echo -n password: ;read -s PGPASSWORD;export PGPASSWORD;echo
# -- drop if schema exists
cat << DDL | psql -U postgres
DROP DATABASE IF EXISTS nexus;
DROP USER    IF EXISTS nexus;
DDL
# -- create nexus schema
cat << DDL | psql -U postgres
CREATE DATABASE nexus;
CREATE USER nexus WITH ENCRYPTED PASSWORD 'sadaqah!';
GRANT ALL PRIVILEGES ON DATABASE nexus TO nexus;
ALTER USER nexus WITH SUPERUSER;
DDL
</syntaxhighlight>
----
<syntaxhighlight lang="bash">
kubectl delete namespace nexus
helm show values sonatype/nexus-repository-manager --version 64.2.0|less
</syntaxhighlight>
|valign='top'|
<syntaxhighlight lang="bash">
kubectl get ns|grep nexus
kubectl create namespace nexus
</syntaxhighlight>
----
<syntaxhighlight lang="yaml">
cat << YML | kubectl -n nexus apply -f -
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  labels:
    app.kubernetes.io/name: nexus
  name: nexus-pvc
spec:
  storageClassName: standard
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
YML
</syntaxhighlight>
|-
|colspan="2"|
----
|-
|colspan="2"|
|colspan="2"|
<syntaxhighlight lang="yaml" highlight="25" line>
<syntaxhighlight lang="yaml" highlight="25" line>
kubectl create namespace nexus
helm show values sonatype/nexus-repository-manager --version 64.2.0|less
cat <<YML | helm -n nexus install nexus sonatype/nexus-repository-manager --version 64.2.0 -f -
cat <<YML | helm -n nexus install nexus sonatype/nexus-repository-manager --version 64.2.0 -f -
fullnameOverride: nexus-repository-manager
---
ingress:
ingress:
   enabled: true
   enabled: true
Line 24: Line 77:
   hostPath: /
   hostPath: /
   hostRepo: nexus.k8s.local
   hostRepo: nexus.k8s.local
serviceAccount:
fullnameOverride: nexus
  create: true
  name: "nexsu-sa"
persistence:
  storageClass: "standard"
nexus:
nexus:
  docker:
    enabled: false
    registries:
    - host: docker.k8s.local
      port: 8082
   env:
   env:
   - name: INSTALL4J_ADD_VM_PARAMS
   - name: INSTALL4J_ADD_VM_PARAMS
Line 41: Line 95:
   - name: NEXUS_SECURITY_RANDOMPASSWORD
   - name: NEXUS_SECURITY_RANDOMPASSWORD
     value: "true"
     value: "true"
  resources:
    requests:
      cpu: 2
      memory: 2Gi
    limits:
      cpu: 4
      memory: 4Gi
persistence:
  enabled: true
  storageSize: 10Gi
  storageClass: standard
  existingClaim: nexus-pvc
  accessMode: ReadWriteOnce
serviceAccount:
  create: true
  name: nexsu-sa
YML
YML
</syntaxhighlight>
</syntaxhighlight>
Line 84: Line 154:
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
NEXUS_POD_NAME="$(kubectl -n nexus get pod -l 'app.kubernetes.io/name=nexus-repository-manager' -o json|jq -r '.items[0].metadata.name')"
NEXUS_POD_NAME="$(kubectl -n nexus get pod -l 'app.kubernetes.io/name=nexus-repository-manager' -o json|jq -r '.items[0].metadata.name')"
kubectl -n nexus exec -it svc/nexus-repository-manager -c nexus-repository-manager -- cat /nexus-data/admin.password;echo
kubectl -n nexus exec -it svc/nexus -c nexus-repository-manager -- cat /nexus-data/admin.password;echo
kubectl -n nexus exec -it svc/nexus-repository-manager -c nexus-repository-manager -- bash
kubectl -n nexus exec -it svc/nexus -c nexus-repository-manager -- bash
</syntaxhighlight>
</syntaxhighlight>


Line 131: Line 201:
| valign="top" |
| valign="top" |
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
kubectl -n nexus logs -f svc/nexus-repository-manager -c nexus-repository-manager
kubectl -n nexus exec -it svc/nexus -- cat /nexus-data/admin.password;echo
kubectl -n nexus exec -it  ${NEXUS_POD_NAME} -- bash
kubectl -n nexus logs -f svc/nexus -c nexus-repository-manager
kubectl -n nexus logs -f ${NEXUS_POD_NAME}
kubectl -n nexus logs -f ${NEXUS_POD_NAME}
</syntaxhighlight>
</syntaxhighlight>
Line 142: Line 212:
| valign="top" |
| valign="top" |
* [https://stackoverflow.com/questions/75596795/ Helm » Pass YAML/JSON using <code>stdin</code>]
* [https://stackoverflow.com/questions/75596795/ Helm » Pass YAML/JSON using <code>stdin</code>]
* [https://github.com/sonatype/nxrm3-ha-repository/tree/main/nxrm-ha Helm » Nexus HA & Resilient]
* [[Helm/Prometheus Stack|Helm » Prometheus Stack]]
* [[Helm/Prometheus Stack|Helm » Prometheus Stack]]
* [[Helm/Cert Manager|Helm » Cert Manager]]
* [[Helm/Cert Manager|Helm » Cert Manager]]
* [https://artifacthub.io/packages/helm/sonatype/nexus-repository-manager/64.2.0  Helm » Nexus » 64.2.0]
* [[Helm/Nexus HA|Helm » Nexus HA]]
* [https://artifacthub.io/packages/helm/sonatype/nexus-repository-manager Helm » Nexus]
* [[Helm]]
* [[Helm]]


Line 156: Line 228:
|-
|-
| valign="top" |
| valign="top" |
* [https://support.sonatype.com/hc/en-us/articles/29412417068819-Mitigations-for-CVE-2024-4956-Nexus-Repository-3-Vulnerability Nexus » 🪲 » CVE-2024-4956 » Fix]
* [https://support.sonatype.com/hc/en-us/articles/29416509323923-CVE-2024-4956-Nexus-Repository-3-Path-Traversal-2024-05-16 Nexus » 🐞 » CVE-2024-4956]
* [https://github.com/sonatype/nexus-public/releases Nexus » Releases]
* [https://github.com/sonatype/nexus-public/releases Nexus » Releases]
* [[Nexus]]
* [[Nexus]]
Line 181: Line 255:
| valign="top" |
| valign="top" |
* [https://kubernetes.io/docs/reference/kubectl/generated/kubectl_rollout/ K8s » <code>kubectl rollout</code>]
* [https://kubernetes.io/docs/reference/kubectl/generated/kubectl_rollout/ K8s » <code>kubectl rollout</code>]
* [[K8s/CSI Hostpath Driver|K8s » CSI Hostpath Driver]]


| valign="top" |
| valign="top" |


|}
|}
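Review bot: The SQL block added under ==Install== publishes the nexus role's password in `CREATE USER nexus WITH ENCRYPTED PASSWORD '…'` and then runs `ALTER USER nexus WITH SUPERUSER;`, which gives an application account full control of the whole PostgreSQL instance. I would replace both with `CREATE USER nexus;` plus `CREATE DATABASE nexus OWNER nexus;` and set the password interactively via `psql -U postgres -c '\password nexus'`. None of the Helm values visible in this diff reference that database, so the page should also say what consumes it.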

Latest revision as of 06:41, 9 September 2024

# Register Sonatype's chart repository under the local alias "sonatype".
helm repo add sonatype https://sonatype.github.io/helm3-charts
# Refresh the local chart index; list the configured repositories only if the
# refresh succeeded.
helm repo update && helm repo list
# Show the contexts known to the active kubeconfig. Check which one is current
# before running the install or delete commands further down the page.
kubectl config get-contexts

Config

# Alternatives: run exactly one of these. Each export overrides the previous
# one, so executing all three in order leaves ${HOME}/.kube/config selected.
# NOTE(review): kubeconfig files normally carry cluster credentials; keep them
# readable by the owning user only.
export KUBECONFIG="${HOME}/.kube/dev-kubeconfig.yaml"
export KUBECONFIG="${HOME}/.kube/gcp-kubeconfig.yaml"
export KUBECONFIG="${HOME}/.kube/config"

Install

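# Open a shell in the PostgreSQL pod. The remaining lines of this block are
# typed inside that shell, not on the workstation.
kubectl -n postgresql exec -it svc/postgresql -c postgresql -- bash
# Read the postgres administrator password without echoing it and export it so
# psql can authenticate; -r keeps backslashes in the password intact.
echo -n password: ;read -rs PGPASSWORD;export PGPASSWORD;echo

# -- drop if schema exists
# The heredoc delimiter is quoted so the shell passes the SQL through verbatim.
cat << 'DDL' | psql -U postgres
DROP DATABASE IF EXISTS nexus;
DROP USER     IF EXISTS nexus;
DDL

# -- create nexus schema
# The application role owns its database instead of being SUPERUSER: a
# superuser could read and change every database on this instance, which is
# more than an application account needs. If a particular step requires
# elevated rights, run that step as postgres rather than elevating the role.
cat << 'DDL' | psql -U postgres
CREATE USER nexus;
CREATE DATABASE nexus OWNER nexus;
DDL

# Set the role's password interactively; psql prompts for it, so the password
# is neither written on this page nor stored in the shell history.
psql -U postgres -c '\password nexus'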

# Start from a clean slate: deleting the namespace removes every namespaced
# object in it, so run this only against the intended cluster context.
kubectl delete namespaces nexus
# Page through the default values of the pinned chart version.
helm show values sonatype/nexus-repository-manager --version=64.2.0 | less
# Check whether the namespace is still present, then create it again.
kubectl get namespaces | grep nexus
kubectl create ns nexus

# Create the 10Gi ReadWriteOnce claim "nexus-pvc" in the nexus namespace.
# The manifest is passed to kubectl on stdin; the quoted delimiter keeps the
# shell from touching the YAML.
kubectl --namespace nexus apply --filename - << 'YML'
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  labels:
    app.kubernetes.io/name: nexus
  name: nexus-pvc
spec:
  storageClassName: standard
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
YML

# Install chart version 64.2.0 as release "nexus" in namespace "nexus"; the
# values document is passed to helm on stdin (--values -).
#
# Points to check in the values before applying:
#   - ingress: the UI is published at nexus.k8s.local and these values contain
#     no TLS settings; the opener commands on this page use http://.
#   - proxy-body-size "0": ingress-nginx stops limiting the request body size.
#   - NEXUS_SECURITY_RANDOMPASSWORD "true": the initial admin password is read
#     from /nexus-data/admin.password by the exec commands on this page.
#   - persistence.existingClaim names the nexus-pvc claim, which must exist
#     in the namespace before the install.
#   - NOTE(review): -Xms/-Xmx 2703M together with MaxDirectMemorySize 2703M
#     can add up to more than the 4Gi memory limit; confirm the sizing.
#   - NOTE(review): serviceAccount.name "nexsu-sa" looks like a transposition
#     of "nexus-sa"; confirm before other objects start referencing it.
#   - NOTE(review): this page's reference list links Sonatype's advisory for
#     CVE-2024-4956; confirm whether the release deployed by this chart
#     version is covered and apply the linked mitigation or a fixed release.
helm --namespace nexus install nexus sonatype/nexus-repository-manager --version 64.2.0 --values - <<'YML'
---
ingress:
  enabled: true
  ingressClassName: nginx
  annotations:
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
  hostPath: /
  hostRepo: nexus.k8s.local
fullnameOverride: nexus
nexus:
  docker:
    enabled: false
    registries:
    - host: docker.k8s.local
      port: 8082
  env:
  - name: INSTALL4J_ADD_VM_PARAMS
    value: |-
      -Xms2703M -Xmx2703M
      -XX:MaxDirectMemorySize=2703M
      -XX:+UnlockExperimentalVMOptions
      -XX:+UseCGroupMemoryLimitForHeap
      -Djava.util.prefs.userRoot=/nexus-data/javaprefs
      -XX:LogFile=/nexus-data/home/log/jvm.log
  - name: NEXUS_SECURITY_RANDOMPASSWORD
    value: "true"
  resources:
    requests:
      cpu: 2
      memory: 2Gi
    limits:
      cpu: 4
      memory: 4Gi
persistence:
  enabled: true
  storageSize: 10Gi
  storageClass: standard
  existingClaim: nexus-pvc
  accessMode: ReadWriteOnce
serviceAccount:
  create: true
  name: nexsu-sa
YML

# Open the Nexus UI in a browser. These are alternatives: use whichever opener
# exists on the workstation. Each one runs in the background with stdout and
# stderr discarded. The URL is plain http, so the admin login made through it
# is not protected in transit.
xdg-open http://nexus.k8s.local >/dev/null 2>&1 &
gnome-open http://nexus.k8s.local >/dev/null 2>&1 &
x-www-browser http://nexus.k8s.local >/dev/null 2>&1 &
sensible-browser http://nexus.k8s.local >/dev/null 2>&1 &

Uninstall

# Remove the "nexus" release, then the namespace with everything left in it,
# including the nexus-pvc claim created during installation.
helm uninstall nexus --namespace nexus
kubectl delete namespaces nexus

Playground

# Install the pinned chart with its default values (no values file is passed).
helm install nexus sonatype/nexus-repository-manager --namespace nexus --version 64.2.0
# Upgrade the release, installing it first if it does not exist yet.
helm upgrade nexus sonatype/nexus-repository-manager --install --namespace nexus --version 64.2.0
# Page through the chart's default values for the same version.
helm show values sonatype/nexus-repository-manager --version 64.2.0 | less

# Name of the first pod carrying the chart's app.kubernetes.io/name label.
NEXUS_POD_NAME="$(
  kubectl --namespace nexus get pods \
    --selector 'app.kubernetes.io/name=nexus-repository-manager' \
    --output json \
  | jq --raw-output '.items[0].metadata.name'
)"
# Print the admin password file to the terminal; the trailing echo only adds a
# newline. Treat the output as a secret: it lands in terminal scrollback and in
# any session recording.
kubectl --namespace nexus exec --stdin --tty svc/nexus --container nexus-repository-manager -- cat /nexus-data/admin.password; echo
# Interactive shell in the Nexus container.
kubectl --namespace nexus exec --stdin --tty svc/nexus --container nexus-repository-manager -- bash

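# Print each kubeconfig as a single self-contained document. The paths are
# quoted so a home directory containing spaces is still passed as one argument.
# NOTE(review): --flatten output is meant to be usable as a kubeconfig, so
# expect certificates, keys and tokens in clear text; do not paste it into
# tickets or chat, and restrict file permissions if it is redirected to a file.
kubectl config --kubeconfig="${HOME}/.kube/aws-kubeconfig.yaml" view --flatten
kubectl config --kubeconfig="${HOME}/.kube/dev-kubeconfig.yaml" view --flatten
kubectl config --kubeconfig="${HOME}/.kube/gcp-kubeconfig.yaml" view --flatten
kubectl config --kubeconfig="${HOME}/.kube/config" view --flatten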

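# Delete the namespaced objects of the nexus installation.
kubectl -n nexus delete all --all
kubectl -n nexus delete ing --all
kubectl -n nexus delete sts --all
kubectl -n nexus delete svc --all
kubectl -n nexus delete pvc --all
# PersistentVolumes are cluster-scoped: "-n nexus" does not narrow
# "delete pv --all", which would select every PersistentVolume in the cluster.
# Delete only the volumes whose claim reference points into the nexus
# namespace; volumes without a claim reference are left alone.
kubectl get pv -o json \
  | jq -r '.items[] | select(.spec.claimRef.namespace == "nexus") | .metadata.name' \
  | while IFS= read -r pv_name; do
      kubectl delete pv "${pv_name}"
    done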

# Inspect, restart and watch the rollout of the Nexus deployment.
# NOTE(review): the install on this page sets fullnameOverride to "nexus" and
# addresses the Service as svc/nexus, while these commands still name the
# deployment "nexus-repository-manager"; confirm the actual name with
# `kubectl -n nexus get deploy`.
kubectl --namespace nexus rollout history deployment nexus-repository-manager
kubectl --namespace nexus rollout restart deployment nexus-repository-manager
kubectl --namespace nexus rollout status deployment nexus-repository-manager
# Print the admin password file; the output is a secret and ends up in the
# terminal scrollback.
kubectl --namespace nexus exec --stdin --tty svc/nexus -- cat /nexus-data/admin.password; echo
# Follow the container log through the Service, then through the pod whose
# name was captured in NEXUS_POD_NAME.
kubectl --namespace nexus logs --follow svc/nexus --container nexus-repository-manager
kubectl --namespace nexus logs --follow ${NEXUS_POD_NAME}

References