diff --git a/LICENSE b/LICENSE index 19c6e7d..84cbff0 100644 --- a/LICENSE +++ b/LICENSE @@ -1,21 +1,13 @@ -MIT License +Copyright (c) 2020-present Sonatype, Inc. -Copyright (c) 2020 Sonatype +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: + http://www.apache.org/licenses/LICENSE-2.0 -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE. +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/nexus-repository-manager/.DS_Store b/nexus-repository-manager/.DS_Store deleted file mode 100644 index 0823931..0000000 Binary files a/nexus-repository-manager/.DS_Store and /dev/null differ 
diff --git a/nxrm-aws-resiliency/templates/external-dns-rbac.yml b/nxrm-aws-resiliency/templates/external-dns-rbac.yml
new file mode 100644
index 0000000..70edb95
--- /dev/null
+++ b/nxrm-aws-resiliency/templates/external-dns-rbac.yml
@@ -0,0 +1,66 @@ +# comment out sa if it was previously created +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: external-dns + namespace: {{ .Values.namespaces.externaldnsNs }} + labels: + app.kubernetes.io/name: external-dns +rules: + - apiGroups: [""] + resources: ["services","endpoints","pods","nodes"] + verbs: ["get","watch","list"] + - apiGroups: ["extensions","networking.k8s.io"] + resources: ["ingresses"] + verbs: ["get","watch","list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: external-dns-viewer + namespace: {{ .Values.namespaces.externaldnsNs }} + labels: + app.kubernetes.io/name: external-dns +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: external-dns +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.externaldns.name }} + namespace: {{ .Values.namespaces.externaldnsNs }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: external-dns + namespace: {{ .Values.namespaces.externaldnsNs }} + labels: + app.kubernetes.io/name: external-dns +spec: + strategy: + type: Recreate + selector: + matchLabels: + app.kubernetes.io/name: external-dns + template: + metadata: + labels: + app.kubernetes.io/name: external-dns + spec: + serviceAccountName: external-dns + containers: + - name: external-dns + image: k8s.gcr.io/external-dns/external-dns:v0.11.0 + args: + - --source=service + - --source=ingress + - --domain-filter={{ .Values.externaldns.domainFilter }} # will make ExternalDNS see only the hosted zones matching provided domain, omit to process all available hosted zones + - --provider=aws + - --policy=upsert-only # would prevent ExternalDNS from deleting any records, omit to enable full synchronization + - --aws-zone-type={{ .Values.externaldns.awsZoneType }} # only look at public hosted zones (valid values are public, private or no value for both) + - --registry=txt + - --txt-owner-id=external-dns + env: + - name: 
AWS_DEFAULT_REGION + value: {{ .Values.deployment.clusterRegion }} diff --git a/nxrm-aws-resiliency/templates/fluent-bit.yaml b/nxrm-aws-resiliency/templates/fluent-bit.yaml index 8556edf..4a5ce7a 100644 --- a/nxrm-aws-resiliency/templates/fluent-bit.yaml +++ b/nxrm-aws-resiliency/templates/fluent-bit.yaml @@ -77,7 +77,7 @@ data: [INPUT] Name tail Tag nexus.nexus-log - Path /var/log/containers/{{ .Chart.Name }}-{{ .Chart.Version }}.{{ .Release.Name }}-nxrm.deployment-*-*_{{ .Values.namespaces.nexusNs }}_nxrm-app-*.log + Path /var/log/containers/{{ .Chart.Name }}-{{ .Chart.Version }}.{{ .Release.Name }}-nxrm.deployment*{{ .Values.namespaces.nexusNs }}_nxrm-app-*.log Parser docker DB /var/fluent-bit/state/flb_container.db Mem_Buf_Limit 5MB @@ -112,7 +112,7 @@ data: [INPUT] Name tail Tag nexus.request-log - Path /var/log/containers/{{ .Chart.Name }}-{{ .Chart.Version }}.{{ .Release.Name }}-nxrm.deployment-*-*_{{ .Values.namespaces.nexusNs }}_request-log-*.log + Path /var/log/containers/{{ .Chart.Name }}-{{ .Chart.Version }}.{{ .Release.Name }}-nxrm.deployment*{{ .Values.namespaces.nexusNs }}_request-log-*.log Parser docker DB /var/fluent-bit/state/flb_container.db Mem_Buf_Limit 5MB @@ -147,7 +147,7 @@ data: [INPUT] Name tail Tag nexus.audit-log - Path /var/log/containers/{{ .Chart.Name }}-{{ .Chart.Version }}.{{ .Release.Name }}-nxrm.deployment-*-*_{{ .Values.namespaces.nexusNs }}_audit-log-*.log + Path /var/log/containers/{{ .Chart.Name }}-{{ .Chart.Version }}.{{ .Release.Name }}-nxrm.deployment*{{ .Values.namespaces.nexusNs }}_audit-log-*.log Parser docker DB /var/fluent-bit/state/flb_container.db Mem_Buf_Limit 5MB 
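Review bot: The Deployment's `serviceAccountName: external-dns` is hard-coded while the ServiceAccount and the ClusterRoleBinding subject are rendered from `{{ .Values.serviceAccount.externaldns.name }}`, so any override of that value leaves the pod referencing a ServiceAccount that does not exist and, with it, loses the IRSA role annotation that grants the Route53 access; render it as `serviceAccountName: {{ .Values.serviceAccount.externaldns.name }}`. The image `k8s.gcr.io/external-dns/external-dns:v0.11.0` is a mutable tag on a registry that has been superseded by registry.k8s.io; pinning it by digest, or at least exposing repository and tag through values as this same commit does for fluent-bit, keeps the deployed controller reproducible. The container also carries no `securityContext` or resource limits, which a cluster enforcing the restricted Pod Security Standard on the new namespace would reject; consider adding `runAsNonRoot: true`, `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}` to it. The leading comment `# comment out sa if it was previously created` refers to a ServiceAccount that this file does not contain (it is rendered from serviceaccount.yaml) and should be dropped or reworded.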
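Review bot: The loosened glob `deployment*{{ .Values.namespaces.nexusNs }}_nxrm-app-*.log` drops the `_` that previously delimited the namespace token, and since `*` also matches `_` the pattern now matches an `nxrm-app` container from any namespace whose name ends with the configured value (a second install of this chart with the same release name in `dev-nexusrepo`, for example), whose logs would then be tailed and shipped into this deployment's log group. Keeping the delimiter, `Path /var/log/containers/{{ .Chart.Name }}-{{ .Chart.Version }}.{{ .Release.Name }}-nxrm.deployment*_{{ .Values.namespaces.nexusNs }}_nxrm-app-*.log`, restores the namespace boundary while still tolerating the pod-name suffix change this commit appears to be made for. The same edit applies to the request-log, audit-log and tasks-log inputs, which use the identical pattern.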
@@ -182,7 +182,7 @@ data: [INPUT] Name tail Tag nexus.tasks-log - Path /var/log/containers/{{ .Chart.Name }}-{{ .Chart.Version }}.{{ .Release.Name }}-nxrm.deployment-*-*_{{ .Values.namespaces.nexusNs }}_tasks-log-*.log + Path /var/log/containers/{{ .Chart.Name }}-{{ .Chart.Version }}.{{ .Release.Name }}-nxrm.deployment*{{ .Values.namespaces.nexusNs }}_tasks-log-*.log Parser docker DB /var/fluent-bit/state/flb_container.db Mem_Buf_Limit 5MB @@ -263,7 +263,7 @@ spec: spec: containers: - name: fluent-bit - image: amazon/aws-for-fluent-bit:2.10.0 + image: amazon/aws-for-fluent-bit:{{ .Values.deployment.fluentBitVersion }} imagePullPolicy: Always env: - name: AWS_REGION diff --git a/nxrm-aws-resiliency/templates/ingress.yaml b/nxrm-aws-resiliency/templates/ingress.yaml index 3b75be4..40a6043 100644 --- a/nxrm-aws-resiliency/templates/ingress.yaml +++ b/nxrm-aws-resiliency/templates/ingress.yaml @@ -48,4 +48,4 @@ spec: service: name: {{ .Chart.Name }}-docker-service port: - number: {{ .Values.ingress.dockerIngress.port }} + number: {{ .Values.service.docker.port }} diff --git a/nxrm-aws-resiliency/templates/namespaces.yaml b/nxrm-aws-resiliency/templates/namespaces.yaml index 5bfb6df..6c72ee7 100644 --- a/nxrm-aws-resiliency/templates/namespaces.yaml +++ b/nxrm-aws-resiliency/templates/namespaces.yaml @@ -8,3 +8,8 @@ kind: Namespace metadata: name: {{ .Values.namespaces.cloudwatchNs }} --- +apiVersion: v1 +kind: Namespace +metadata: + name: {{ .Values.namespaces.externaldnsNs }} +--- diff --git a/nxrm-aws-resiliency/templates/serviceaccount.yaml b/nxrm-aws-resiliency/templates/serviceaccount.yaml index 9c0e499..bca6cf4 100644 --- a/nxrm-aws-resiliency/templates/serviceaccount.yaml +++ b/nxrm-aws-resiliency/templates/serviceaccount.yaml 
@@ -5,3 +5,12 @@ metadata: namespace: {{ .Values.namespaces.nexusNs }} annotations: eks.amazonaws.com/role-arn: {{ .Values.serviceAccount.role }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.serviceAccount.externaldns.name }} + namespace: {{ .Values.namespaces.externaldnsNs }} + annotations: + eks.amazonaws.com/role-arn: {{ .Values.serviceAccount.externaldns.role }} +--- diff --git a/nxrm-aws-resiliency/templates/services.yaml b/nxrm-aws-resiliency/templates/services.yaml index 5061ea5..5192e85 100644 --- a/nxrm-aws-resiliency/templates/services.yaml +++ b/nxrm-aws-resiliency/templates/services.yaml @@ -26,7 +26,7 @@ spec: selector: app: nxrm ports: - - name: docker-connector + - name: docker-service protocol: {{ .Values.service.docker.protocol }} port: {{ .Values.service.docker.port }} targetPort: {{ .Values.service.docker.targetPort }} diff --git a/nxrm-aws-resiliency/values.yaml b/nxrm-aws-resiliency/values.yaml index 55dd3fa..6eba08e 100644 --- a/nxrm-aws-resiliency/values.yaml +++ b/nxrm-aws-resiliency/values.yaml 
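Review bot: The new ServiceAccount binds the IRSA role from `.Values.serviceAccount.externaldns.role`, but nothing documents how narrowly that role must be cut; with `--source=service --source=ingress` external-dns needs only `route53:ChangeResourceRecordSets` and `route53:ListResourceRecordSets` on the hosted zone(s) selected by the domain filter plus `route53:ListHostedZones` on `*`, and a role granted `route53:*` lets a compromised external-dns pod rewrite every zone in the account. I would add a comment above the annotation: `# IRSA role for external-dns: limit ChangeResourceRecordSets to the hosted zone ARN(s) matching externaldns.domainFilter, and restrict the role trust policy's sub condition to system:serviceaccount:<externaldnsNs>:<this name>`. Quoting the templated annotation value, `eks.amazonaws.com/role-arn: {{ .Values.serviceAccount.externaldns.role | quote }}`, also matches the usual Helm convention for string-only fields.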
@@ -1,52 +1,64 @@ # Declare variables to be passed into your templates. namespaces: - nexusNs: nexusrepo - cloudwatchNs: amazon-cloudwatch + nexusNs: nexusrepo + cloudwatchNs: amazon-cloudwatch + externaldnsNs: nexus-externaldns +externaldns: + domainFilter: example.com #your root domain e.g example.com + awsZoneType: private # hosted zone to look at (valid values are public, private or no value for both) deployment: - name: nxrm.deployment - clusterName: nxrm-nexus - logsRegion: us-east-1 - initContainer: - image: - repository: busybox - tag: 1.33.1 - container: - image: - repository: sonatype/nexus3 - tag: 3.41.1 - containerPort: 8081 - pullPolicy: IfNotPresent - env: - nexusDBName: nexus - nexusDBPort: 3306 - requestLogContainer: - image: - repository: busybox - tag: 1.33.1 - auditLogContainer: - image: - repository: busybox - tag: 1.33.1 - taskLogContainer: - image: - repository: busybox - tag: 1.33.1 + clusterRegion: us-east-1 + name: nxrm.deployment + clusterName: nxrm-nexus + logsRegion: us-east-1 + fluentBitVersion: 2.28.0 + initContainer: + image: + repository: busybox + tag: 1.33.1 + container: + image: + repository: sonatype/nexus3 + tag: 3.41.1 + containerPort: 8081 + pullPolicy: IfNotPresent + env: + nexusDBName: nexus + nexusDBPort: 3306 + requestLogContainer: + image: + repository: busybox + tag: 1.33.1 + auditLogContainer: + image: + repository: busybox + tag: 1.33.1 + taskLogContainer: + image: + repository: busybox + tag: 1.33.1 serviceAccount: - name: nexus-repository-deployment-sa #This SA is created as part of steps under "AWS Secrets Manager" - role: arn:aws:iam::000000000000:role/nxrm-nexus-role #Role with secretsmanager permissions + name: nexus-repository-deployment-sa #This SA is created as part of steps under "AWS Secrets Manager" + role: arn:aws:iam::000000000000:role/nxrm-nexus-role #Role with secretsmanager permissions + externaldns: + name: external-dns + role: arn:aws:iam::000000000000:role/nexusrepo-external-dns-irsa-role #Role with 
route53 permissions needed by external-dns ingress: - #host: "nexus.ingress.rule.host" #host to apply this ingress rule to. Uncomment this in your values.yaml and set it as you wish + #host: "example.com" #host to apply this ingress rule to. Uncomment this in your values.yaml and set it as you wish annotations: kubernetes.io/ingress.class: alb alb.ingress.kubernetes.io/scheme: internal # scheme alb.ingress.kubernetes.io/subnets: subnet-1,subnet-2 #comma separated list of subnet ids - dockerIngress: #Ingress for Docker Connector - #host: "docker.ingress.rule.host" #host to apply this ingress rule to. Uncomment this in your values.yaml and set it as you wish + alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]' + alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:0000000000000:certificate/00000000-1111-2222-3333-444444444444 # The AWS Certificate Manager ARN for your HTTPS certificate + dockerIngress: #Ingress for Docker Connector - comment out if you don't use docker repositories annotations: - kubernetes.io/ingress.class: alb - alb.ingress.kubernetes.io/scheme: internal # scheme - alb.ingress.kubernetes.io/subnets: subnet-1,subnet-2 #comma separated list of subnet ids - port: 9090 + kubernetes.io/ingress.class: alb # comment out if you don't use docker repositories + alb.ingress.kubernetes.io/scheme: internal # scheme comment out if you don't use docker repositories + alb.ingress.kubernetes.io/subnets: subnet-1,subnet-2 #comma separated list of subnet ids, comment out if you don't use docker repositories + alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]' #comment out if you don't use docker repositories + alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:0000000000000:certificate/00000000-1111-2222-3333-444444444444 # Comment out if you don't use docker repositories - The AWS Certificate Manager ARN for your HTTPS certificate + external-dns.alpha.kubernetes.io/hostname: dockerrepo1.example.com, dockerrepo2.example.com, 
dockerrepo3.example.com # Add more docker subdomains using dockerrepoName.example.com othereise comment out if you don't use docker repositories pv: storage: 120Gi volumeMode: Filesystem @@ -66,11 +78,11 @@ service: #Nexus Repo NodePort Service protocol: TCP port: 80 targetPort: 8081 - docker: #Nodeport Service for Docker connector + docker: #Nodeport Service for Docker Service type: NodePort protocol: TCP port: 9090 - targetPort: 9090 + targetPort: 8081 secret: license: arn: arn:aws:secretsmanager:us-east-1:000000000000:secret:nxrm-nexus-license
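Review bot: The example `certificate-arn` values in both ingress annotation sets carry a 13-digit account ID, `0000000000000`, while every other placeholder ARN in this file uses the 12-digit form AWS issues, so a user who edits only the certificate ID will deploy an ARN that ACM cannot resolve; change both to `arn:aws:acm:us-east-1:000000000000:certificate/...`. The `externaldns.domainFilter` default `example.com` and the `external-dns.alpha.kubernetes.io/hostname` list are wired straight into `--domain-filter` and into the DNS records external-dns will create, so their comments should say these placeholders must be replaced before install rather than reading as working defaults. The comment on `serviceAccount.externaldns.role` should also state the least-privilege expectation, e.g. `# Role with route53 permissions needed by external-dns - scope ChangeResourceRecordSets to the hosted zone(s) matched by externaldns.domainFilter`.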
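Review bot: `targetPort` for the Docker NodePort service changes from 9090 to 8081, the main Nexus HTTP port, which presumably means Docker traffic is now distinguished by hostname (the `external-dns.alpha.kubernetes.io/hostname` entries above) rather than by a per-repository connector port; confirm that Docker subdomain routing is enabled in the Nexus configuration, since otherwise requests on those hostnames land on the ordinary UI endpoint. The inline comment should state that dependency, e.g. `docker: #NodePort Service for Docker repositories; targets the main Nexus port 8081 and relies on Docker subdomain routing, not per-repository connector ports`.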