Merge pull request #14 from sonatype/NEXUS-34871-configure-external-dns-to-create-docker-sub-domain-records-and-https-listener
NEXUS-34871 - Create A records for docker sub domain and configure HTTPS listener for ALB
										28
									
								
								LICENSE
									
									
									
									
									
								
							
							
						
						
									
							| @@ -1,21 +1,13 @@ | |||||||
| MIT License | Copyright (c) 2020-present Sonatype, Inc. | ||||||
|  |  | ||||||
| Copyright (c) 2020 Sonatype | Licensed under the Apache License, Version 2.0 (the "License"); | ||||||
|  | you may not use this file except in compliance with the License. | ||||||
|  | You may obtain a copy of the License at | ||||||
|  |  | ||||||
| Permission is hereby granted, free of charge, to any person obtaining a copy |     http://www.apache.org/licenses/LICENSE-2.0 | ||||||
| of this software and associated documentation files (the "Software"), to deal |  | ||||||
| in the Software without restriction, including without limitation the rights |  | ||||||
| to use, copy, modify, merge, publish, distribute, sublicense, and/or sell |  | ||||||
| copies of the Software, and to permit persons to whom the Software is |  | ||||||
| furnished to do so, subject to the following conditions: |  | ||||||
|  |  | ||||||
| The above copyright notice and this permission notice shall be included in all | Unless required by applicable law or agreed to in writing, software | ||||||
| copies or substantial portions of the Software. | distributed under the License is distributed on an "AS IS" BASIS, | ||||||
|  | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||||||
| THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR | See the License for the specific language governing permissions and | ||||||
| IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, | limitations under the License. | ||||||
| FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE |  | ||||||
| AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER |  | ||||||
| LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, |  | ||||||
| OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE |  | ||||||
| SOFTWARE. |  | ||||||
|   | |||||||
							
								
								
									
										
											BIN
										
									
								
								nexus-repository-manager/.DS_Store
									
									
									
									
											Binary file not shown.
										
									
								
							
							
								
								
									
										66
									
								
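--- /dev/null
+++ b/nxrm-aws-resiliency/templates/external-dns-rbac.yml
@@ -0,0 +1,66 @@
+# comment out sa if it was previously created
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: external-dns
+  namespace: {{ .Values.namespaces.externaldnsNs }}
+  labels:
+    app.kubernetes.io/name: external-dns
+rules:
+  - apiGroups: [""]
+    resources: ["services","endpoints","pods","nodes"]
+    verbs: ["get","watch","list"]
+  - apiGroups: ["extensions","networking.k8s.io"]
+    resources: ["ingresses"]
+    verbs: ["get","watch","list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: external-dns-viewer
+  namespace: {{ .Values.namespaces.externaldnsNs }}
+  labels:
+    app.kubernetes.io/name: external-dns
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: external-dns
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Values.serviceAccount.externaldns.name }}
+    namespace: {{ .Values.namespaces.externaldnsNs }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: external-dns
+  namespace: {{ .Values.namespaces.externaldnsNs }}
+  labels:
+    app.kubernetes.io/name: external-dns
+spec:
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: external-dns
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: external-dns
+    spec:
+      serviceAccountName: external-dns
+      containers:
+        - name: external-dns
+          image: k8s.gcr.io/external-dns/external-dns:v0.11.0
+          args:
+            - --source=service
+            - --source=ingress
+            - --domain-filter={{ .Values.externaldns.domainFilter }} # will make ExternalDNS see only the hosted zones matching provided domain, omit to process all available hosted zones
+            - --provider=aws
+            - --policy=upsert-only # would prevent ExternalDNS from deleting any records, omit to enable full synchronization
+            - --aws-zone-type={{ .Values.externaldns.awsZoneType }} # only look at public hosted zones (valid values are public, private or no value for both)
+            - --registry=txt
+            - --txt-owner-id=external-dns
+          env:
+            - name: AWS_DEFAULT_REGION
+              value: {{ .Values.deployment.clusterRegion }}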
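Review bot: The Deployment's pod spec hard-codes `serviceAccountName: external-dns`, while the ServiceAccount that the ClusterRoleBinding grants and that carries the IRSA role annotation (serviceaccount template in this PR) is named from `{{ .Values.serviceAccount.externaldns.name }}`; if that value is ever changed, the pod silently falls back to the namespace's default SA with neither the ClusterRole nor the Route53 role, so use the same template expression in both places. `metadata.namespace` on the ClusterRole and ClusterRoleBinding is ignored for cluster-scoped kinds and should be dropped so the manifest does not suggest a scoping that is not there. `--txt-owner-id=external-dns` is a static owner id, so two clusters pointing at the same hosted zone would claim each other's records; deriving it from `{{ .Values.deployment.clusterName }}` avoids that, and since `--policy=upsert-only` never deletes, records for removed ingresses will keep pointing at a released ALB name — a dangling-DNS risk worth calling out in the chart docs. The container also runs with no securityContext; the upstream external-dns manifest sets `fsGroup: 65534` so the non-root process can read the projected IRSA token, and pinning the image by `@sha256` digest rather than the mutable `v0.11.0` tag would fix the supply chain.
```yaml
    spec:
      serviceAccountName: {{ .Values.serviceAccount.externaldns.name }}
      securityContext:
        runAsNonRoot: true
        fsGroup: 65534  # per upstream manifest: lets the non-root process read the projected IRSA token
      containers:
        - name: external-dns
          image: k8s.gcr.io/external-dns/external-dns:v0.11.0  # prefer an @sha256 digest pin
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          args:
            # … unchanged: --source/--domain-filter/--provider/--policy/--aws-zone-type/--registry …
            - --txt-owner-id={{ .Values.deployment.clusterName }}
          # … unchanged: env …
```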
| @@ -77,7 +77,7 @@ data: | |||||||
|     [INPUT] |     [INPUT] | ||||||
|         Name                tail |         Name                tail | ||||||
|         Tag                 nexus.nexus-log |         Tag                 nexus.nexus-log | ||||||
|         Path                /var/log/containers/{{ .Chart.Name }}-{{ .Chart.Version }}.{{ .Release.Name }}-nxrm.deployment-*-*_{{ .Values.namespaces.nexusNs }}_nxrm-app-*.log |         Path                /var/log/containers/{{ .Chart.Name }}-{{ .Chart.Version }}.{{ .Release.Name }}-nxrm.deployment*{{ .Values.namespaces.nexusNs }}_nxrm-app-*.log | ||||||
|         Parser              docker |         Parser              docker | ||||||
|         DB                  /var/fluent-bit/state/flb_container.db |         DB                  /var/fluent-bit/state/flb_container.db | ||||||
|         Mem_Buf_Limit       5MB |         Mem_Buf_Limit       5MB | ||||||
| @@ -112,7 +112,7 @@ data: | |||||||
|     [INPUT] |     [INPUT] | ||||||
|         Name                tail |         Name                tail | ||||||
|         Tag                 nexus.request-log |         Tag                 nexus.request-log | ||||||
|         Path                /var/log/containers/{{ .Chart.Name }}-{{ .Chart.Version }}.{{ .Release.Name }}-nxrm.deployment-*-*_{{ .Values.namespaces.nexusNs }}_request-log-*.log |         Path                /var/log/containers/{{ .Chart.Name }}-{{ .Chart.Version }}.{{ .Release.Name }}-nxrm.deployment*{{ .Values.namespaces.nexusNs }}_request-log-*.log | ||||||
|         Parser              docker |         Parser              docker | ||||||
|         DB                  /var/fluent-bit/state/flb_container.db |         DB                  /var/fluent-bit/state/flb_container.db | ||||||
|         Mem_Buf_Limit       5MB |         Mem_Buf_Limit       5MB | ||||||
| @@ -147,7 +147,7 @@ data: | |||||||
|     [INPUT] |     [INPUT] | ||||||
|         Name                tail |         Name                tail | ||||||
|         Tag                 nexus.audit-log |         Tag                 nexus.audit-log | ||||||
|         Path                /var/log/containers/{{ .Chart.Name }}-{{ .Chart.Version }}.{{ .Release.Name }}-nxrm.deployment-*-*_{{ .Values.namespaces.nexusNs }}_audit-log-*.log |         Path                /var/log/containers/{{ .Chart.Name }}-{{ .Chart.Version }}.{{ .Release.Name }}-nxrm.deployment*{{ .Values.namespaces.nexusNs }}_audit-log-*.log | ||||||
|         Parser              docker |         Parser              docker | ||||||
|         DB                  /var/fluent-bit/state/flb_container.db |         DB                  /var/fluent-bit/state/flb_container.db | ||||||
|         Mem_Buf_Limit       5MB |         Mem_Buf_Limit       5MB | ||||||
| @@ -182,7 +182,7 @@ data: | |||||||
|     [INPUT] |     [INPUT] | ||||||
|         Name                tail |         Name                tail | ||||||
|         Tag                 nexus.tasks-log |         Tag                 nexus.tasks-log | ||||||
|         Path                /var/log/containers/{{ .Chart.Name }}-{{ .Chart.Version }}.{{ .Release.Name }}-nxrm.deployment-*-*_{{ .Values.namespaces.nexusNs }}_tasks-log-*.log |         Path                /var/log/containers/{{ .Chart.Name }}-{{ .Chart.Version }}.{{ .Release.Name }}-nxrm.deployment*{{ .Values.namespaces.nexusNs }}_tasks-log-*.log | ||||||
|         Parser              docker |         Parser              docker | ||||||
|         DB                  /var/fluent-bit/state/flb_container.db |         DB                  /var/fluent-bit/state/flb_container.db | ||||||
|         Mem_Buf_Limit       5MB |         Mem_Buf_Limit       5MB | ||||||
| @@ -263,7 +263,7 @@ spec: | |||||||
|     spec: |     spec: | ||||||
|       containers: |       containers: | ||||||
|         - name: fluent-bit |         - name: fluent-bit | ||||||
|           image: amazon/aws-for-fluent-bit:2.10.0 |           image: amazon/aws-for-fluent-bit:{{ .Values.deployment.fluentBitVersion }} | ||||||
|           imagePullPolicy: Always |           imagePullPolicy: Always | ||||||
|           env: |           env: | ||||||
|             - name: AWS_REGION |             - name: AWS_REGION | ||||||
|   | |||||||
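Review bot: The relaxed tail `Path` globs drop the `_` that previously sat between the pod name and the namespace (`deployment-*-*_{{ ns }}_` became `deployment*{{ ns }}_`), so the pattern now also matches a log file whose namespace merely ends with the configured string — e.g. a second release of this chart installed into a `staging-nexusrepo` namespace would have its container logs shipped into this cluster's `nexus.*` streams. Keeping the separator, `Path /var/log/containers/{{ .Chart.Name }}-{{ .Chart.Version }}.{{ .Release.Name }}-nxrm.deployment*_{{ .Values.namespaces.nexusNs }}_nxrm-app-*.log`, retains the relaxed pod-name match without the cross-namespace leak; the same applies to the request-log, audit-log and tasks-log inputs. In the last hunk, `imagePullPolicy: Always` together with a mutable tag from `{{ .Values.deployment.fluentBitVersion }}` means each pod restart may pull a different image, so pin by digest or document the tag as the audited version. The ConfigMap `data:` block and the pod spec at line 263 both begin and end outside these hunks.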
| @@ -48,4 +48,4 @@ spec: | |||||||
|               service: |               service: | ||||||
|                 name: {{ .Chart.Name }}-docker-service |                 name: {{ .Chart.Name }}-docker-service | ||||||
|                 port: |                 port: | ||||||
|                   number: {{ .Values.ingress.dockerIngress.port }} |                   number: {{ .Values.service.docker.port }} | ||||||
|   | |||||||
| @@ -8,3 +8,8 @@ kind: Namespace | |||||||
| metadata: | metadata: | ||||||
|   name: {{ .Values.namespaces.cloudwatchNs }} |   name: {{ .Values.namespaces.cloudwatchNs }} | ||||||
| --- | --- | ||||||
|  | apiVersion: v1 | ||||||
|  | kind: Namespace | ||||||
|  | metadata: | ||||||
|  |   name: {{ .Values.namespaces.externaldnsNs }} | ||||||
|  | --- | ||||||
|   | |||||||
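Review bot: The new `{{ .Values.namespaces.externaldnsNs }}` namespace is where a workload holding Route53 write credentials (via IRSA) will run, yet the Namespace object carries no Pod Security Admission labels; on clusters where PSA is active, `pod-security.kubernetes.io/enforce: baseline` (or `restricted`, once the external-dns pod spec sets a compliant securityContext) under `metadata.labels` keeps anything privileged from being scheduled beside it. A NetworkPolicy limiting the namespace's egress to the API server and AWS endpoints would be a further step, but belongs in its own template. The list of Namespace documents begins outside this hunk.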
| @@ -5,3 +5,12 @@ metadata: | |||||||
|   namespace: {{ .Values.namespaces.nexusNs }} |   namespace: {{ .Values.namespaces.nexusNs }} | ||||||
|   annotations: |   annotations: | ||||||
|     eks.amazonaws.com/role-arn: {{ .Values.serviceAccount.role }} |     eks.amazonaws.com/role-arn: {{ .Values.serviceAccount.role }} | ||||||
|  | --- | ||||||
|  | apiVersion: v1 | ||||||
|  | kind: ServiceAccount | ||||||
|  | metadata: | ||||||
|  |   name: {{ .Values.serviceAccount.externaldns.name }} | ||||||
|  |   namespace: {{ .Values.namespaces.externaldnsNs }} | ||||||
|  |   annotations: | ||||||
|  |     eks.amazonaws.com/role-arn: {{ .Values.serviceAccount.externaldns.role }} | ||||||
|  | --- | ||||||
|   | |||||||
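Review bot: The new ServiceAccount is the identity external-dns assumes for Route53, so the IAM role referenced by `eks.amazonaws.com/role-arn` should be least-privilege: `route53:ChangeResourceRecordSets` and `route53:ListResourceRecordSets` on the specific hosted-zone ARN, with `route53:ListHostedZones` as the only `*`-resource permission, and a trust policy whose `:sub` condition pins `system:serviceaccount:<externaldnsNs>:<name>` rather than a wildcard — the IAM side is outside this PR, so a comment on the annotation stating those expectations would help. The values default for this role is a placeholder (`arn:aws:iam::000000000000:role/...`); wrapping it as `{{ required "serviceAccount.externaldns.role must be set" .Values.serviceAccount.externaldns.role }}` fails the install loudly instead of producing a pod that cannot assume any role. The first ServiceAccount in this file begins outside the hunk.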
| @@ -26,7 +26,7 @@ spec: | |||||||
|   selector: |   selector: | ||||||
|     app: nxrm |     app: nxrm | ||||||
|   ports: |   ports: | ||||||
|     - name: docker-connector |     - name: docker-service | ||||||
|       protocol: {{ .Values.service.docker.protocol }} |       protocol: {{ .Values.service.docker.protocol }} | ||||||
|       port: {{ .Values.service.docker.port }} |       port: {{ .Values.service.docker.port }} | ||||||
|       targetPort: {{ .Values.service.docker.targetPort }} |       targetPort: {{ .Values.service.docker.targetPort }} | ||||||
|   | |||||||
| @@ -2,10 +2,16 @@ | |||||||
| namespaces: | namespaces: | ||||||
|   nexusNs: nexusrepo |   nexusNs: nexusrepo | ||||||
|   cloudwatchNs: amazon-cloudwatch |   cloudwatchNs: amazon-cloudwatch | ||||||
|  |   externaldnsNs: nexus-externaldns | ||||||
|  | externaldns: | ||||||
|  |   domainFilter: example.com #your root domain e.g example.com | ||||||
|  |   awsZoneType: private # hosted zone to look at (valid values are public, private or no value for both) | ||||||
| deployment: | deployment: | ||||||
|  |   clusterRegion: us-east-1 | ||||||
|   name: nxrm.deployment |   name: nxrm.deployment | ||||||
|   clusterName: nxrm-nexus |   clusterName: nxrm-nexus | ||||||
|   logsRegion: us-east-1 |   logsRegion: us-east-1 | ||||||
|  |   fluentBitVersion: 2.28.0 | ||||||
|   initContainer: |   initContainer: | ||||||
|     image: |     image: | ||||||
|       repository: busybox |       repository: busybox | ||||||
| @@ -34,19 +40,25 @@ deployment: | |||||||
| serviceAccount: | serviceAccount: | ||||||
|   name: nexus-repository-deployment-sa #This SA is created as part of steps under "AWS Secrets Manager" |   name: nexus-repository-deployment-sa #This SA is created as part of steps under "AWS Secrets Manager" | ||||||
|   role: arn:aws:iam::000000000000:role/nxrm-nexus-role #Role with secretsmanager permissions |   role: arn:aws:iam::000000000000:role/nxrm-nexus-role #Role with secretsmanager permissions | ||||||
|  |   externaldns: | ||||||
|  |     name: external-dns | ||||||
|  |     role: arn:aws:iam::000000000000:role/nexusrepo-external-dns-irsa-role #Role with route53 permissions needed by external-dns      | ||||||
| ingress: | ingress: | ||||||
|   #host: "nexus.ingress.rule.host" #host to apply this ingress rule to. Uncomment this in your values.yaml and set it as you wish |   #host: "example.com" #host to apply this ingress rule to. Uncomment this in your values.yaml and set it as you wish | ||||||
|   annotations: |   annotations: | ||||||
|     kubernetes.io/ingress.class: alb |     kubernetes.io/ingress.class: alb | ||||||
|     alb.ingress.kubernetes.io/scheme: internal # scheme |     alb.ingress.kubernetes.io/scheme: internal # scheme | ||||||
|     alb.ingress.kubernetes.io/subnets: subnet-1,subnet-2 #comma separated list of subnet ids |     alb.ingress.kubernetes.io/subnets: subnet-1,subnet-2 #comma separated list of subnet ids | ||||||
|   dockerIngress:  #Ingress for Docker Connector |     alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]' | ||||||
|     #host: "docker.ingress.rule.host" #host to apply this ingress rule to. Uncomment this in your values.yaml and set it as you wish |     alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:0000000000000:certificate/00000000-1111-2222-3333-444444444444  # The AWS Certificate Manager ARN for your HTTPS certificate     | ||||||
|  |   dockerIngress:  #Ingress for Docker Connector - comment out if you don't use docker repositories | ||||||
|     annotations: |     annotations: | ||||||
|       kubernetes.io/ingress.class: alb |       kubernetes.io/ingress.class: alb # comment out if you don't use docker repositories | ||||||
|       alb.ingress.kubernetes.io/scheme: internal # scheme |       alb.ingress.kubernetes.io/scheme: internal # scheme comment out if you don't use docker repositories | ||||||
|       alb.ingress.kubernetes.io/subnets: subnet-1,subnet-2 #comma separated list of subnet ids |       alb.ingress.kubernetes.io/subnets: subnet-1,subnet-2 #comma separated list of subnet ids, comment out if you don't use docker repositories | ||||||
|     port: 9090 |       alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]' #comment out if you don't use docker repositories | ||||||
|  |       alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:0000000000000:certificate/00000000-1111-2222-3333-444444444444  # Comment out if you don't use docker repositories - The AWS Certificate Manager ARN for your HTTPS certificate | ||||||
|  |       external-dns.alpha.kubernetes.io/hostname: dockerrepo1.example.com, dockerrepo2.example.com, dockerrepo3.example.com # Add more docker subdomains using dockerrepoName.example.com othereise comment out if you don't use docker repositories | ||||||
| pv: | pv: | ||||||
|   storage: 120Gi |   storage: 120Gi | ||||||
|   volumeMode: Filesystem |   volumeMode: Filesystem | ||||||
| @@ -66,11 +78,11 @@ service:  #Nexus Repo NodePort Service | |||||||
|    protocol: TCP |    protocol: TCP | ||||||
|    port: 80 |    port: 80 | ||||||
|    targetPort: 8081 |    targetPort: 8081 | ||||||
|   docker:  #Nodeport Service for Docker connector |   docker:  #Nodeport Service for Docker Service | ||||||
|    type: NodePort |    type: NodePort | ||||||
|    protocol: TCP |    protocol: TCP | ||||||
|    port: 9090 |    port: 9090 | ||||||
|    targetPort: 9090 |    targetPort: 8081 | ||||||
| secret: | secret: | ||||||
|   license: |   license: | ||||||
|    arn: arn:aws:secretsmanager:us-east-1:000000000000:secret:nxrm-nexus-license |    arn: arn:aws:secretsmanager:us-east-1:000000000000:secret:nxrm-nexus-license | ||||||
|   | |||||||
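Review bot: Both ingresses now listen only on HTTPS 443 (`listen-ports: '[{"HTTPS":443}]'`) but set no `alb.ingress.kubernetes.io/ssl-policy`, so the ALB uses its default policy, which still negotiates TLS 1.0 and 1.1; add `alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS13-1-2-2021-06` beside `certificate-arn` in both the main and `dockerIngress` annotation blocks. The placeholder certificate ARN `arn:aws:acm:us-east-1:0000000000000:certificate/...` has a 13-digit account field while every other placeholder in the file uses 12 digits, which is easy to carry into a real value unnoticed. `service.docker.targetPort` moves from 9090 to 8081, the same container port as the UI service, so the `dockerrepoN.example.com` hostnames presumably rely on Nexus routing Docker requests by hostname rather than on a dedicated connector port; a comment on that key saying so would spare the next operator a surprise. `fluentBitVersion: 2.28.0` parses as a string today, but a two-component tag such as `2.30` would be read as the float `2.3`, so quote it: `fluentBitVersion: '2.28.0'`.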
	 Olu Shiyanbade