Merge pull request #14 from sonatype/NEXUS-34871-configure-external-dns-to-create-docker-sub-domain-records-and-https-listener

NEXUS-34871 - Create A records for docker sub domain and configure HTTPS listener for ALB

LICENSE

@@ -1,21 +1,13 @@
-MIT License
+Copyright (c) 2020-present Sonatype, Inc.
 
-Copyright (c) 2020 Sonatype
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
 
-Permission is hereby granted, free of charge, to any person obtaining a copy
+    http://www.apache.org/licenses/LICENSE-2.0
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
 
-The above copyright notice and this permission notice shall be included in all
+Unless required by applicable law or agreed to in writing, software
-copies or substantial portions of the Software.
+distributed under the License is distributed on an "AS IS" BASIS,
-
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+See the License for the specific language governing permissions and
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+limitations under the License.
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.

nxrm-aws-resiliency/templates/external-dns-rbac.yml

@@ -0,0 +1,66 @@
+# comment out sa if it was previously created
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: external-dns
+  namespace: {{ .Values.namespaces.externaldnsNs }}
+  labels:
+    app.kubernetes.io/name: external-dns
+rules:
+  - apiGroups: [""]
+    resources: ["services","endpoints","pods","nodes"]
+    verbs: ["get","watch","list"]
+  - apiGroups: ["extensions","networking.k8s.io"]
+    resources: ["ingresses"]
+    verbs: ["get","watch","list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: external-dns-viewer
+  namespace: {{ .Values.namespaces.externaldnsNs }}  
+  labels:
+    app.kubernetes.io/name: external-dns
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: external-dns
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Values.serviceAccount.externaldns.name }}
+    namespace: {{ .Values.namespaces.externaldnsNs }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: external-dns
+  namespace: {{ .Values.namespaces.externaldnsNs }}  
+  labels:
+    app.kubernetes.io/name: external-dns
+spec:
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: external-dns
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: external-dns
+    spec:
+      serviceAccountName: external-dns
+      containers:
+        - name: external-dns
+          image: k8s.gcr.io/external-dns/external-dns:v0.11.0
+          args:
+            - --source=service
+            - --source=ingress
+            - --domain-filter={{ .Values.externaldns.domainFilter }} # will make ExternalDNS see only the hosted zones matching provided domain, omit to process all available hosted zones
+            - --provider=aws
+            - --policy=upsert-only # would prevent ExternalDNS from deleting any records, omit to enable full synchronization
+            - --aws-zone-type={{ .Values.externaldns.awsZoneType }} # only look at public hosted zones (valid values are public, private or no value for both)
+            - --registry=txt
+            - --txt-owner-id=external-dns
+          env:
+            - name: AWS_DEFAULT_REGION
+              value: {{ .Values.deployment.clusterRegion }}

nxrm-aws-resiliency/templates/fluent-bit.yaml

@@ -77,7 +77,7 @@ data:
     [INPUT]
         Name                tail
         Tag                 nexus.nexus-log
-        Path                /var/log/containers/{{ .Chart.Name }}-{{ .Chart.Version }}.{{ .Release.Name }}-nxrm.deployment-*-*_{{ .Values.namespaces.nexusNs }}_nxrm-app-*.log
+        Path                /var/log/containers/{{ .Chart.Name }}-{{ .Chart.Version }}.{{ .Release.Name }}-nxrm.deployment*{{ .Values.namespaces.nexusNs }}_nxrm-app-*.log
         Parser              docker
         DB                  /var/fluent-bit/state/flb_container.db
         Mem_Buf_Limit       5MB
@@ -112,7 +112,7 @@ data:
     [INPUT]
         Name                tail
         Tag                 nexus.request-log
-        Path                /var/log/containers/{{ .Chart.Name }}-{{ .Chart.Version }}.{{ .Release.Name }}-nxrm.deployment-*-*_{{ .Values.namespaces.nexusNs }}_request-log-*.log
+        Path                /var/log/containers/{{ .Chart.Name }}-{{ .Chart.Version }}.{{ .Release.Name }}-nxrm.deployment*{{ .Values.namespaces.nexusNs }}_request-log-*.log
         Parser              docker
         DB                  /var/fluent-bit/state/flb_container.db
         Mem_Buf_Limit       5MB
@@ -147,7 +147,7 @@ data:
     [INPUT]
         Name                tail
         Tag                 nexus.audit-log
-        Path                /var/log/containers/{{ .Chart.Name }}-{{ .Chart.Version }}.{{ .Release.Name }}-nxrm.deployment-*-*_{{ .Values.namespaces.nexusNs }}_audit-log-*.log
+        Path                /var/log/containers/{{ .Chart.Name }}-{{ .Chart.Version }}.{{ .Release.Name }}-nxrm.deployment*{{ .Values.namespaces.nexusNs }}_audit-log-*.log
         Parser              docker
         DB                  /var/fluent-bit/state/flb_container.db
         Mem_Buf_Limit       5MB
@@ -182,7 +182,7 @@ data:
     [INPUT]
         Name                tail
         Tag                 nexus.tasks-log
-        Path                /var/log/containers/{{ .Chart.Name }}-{{ .Chart.Version }}.{{ .Release.Name }}-nxrm.deployment-*-*_{{ .Values.namespaces.nexusNs }}_tasks-log-*.log
+        Path                /var/log/containers/{{ .Chart.Name }}-{{ .Chart.Version }}.{{ .Release.Name }}-nxrm.deployment*{{ .Values.namespaces.nexusNs }}_tasks-log-*.log
         Parser              docker
         DB                  /var/fluent-bit/state/flb_container.db
         Mem_Buf_Limit       5MB
@@ -263,7 +263,7 @@ spec:
     spec:
       containers:
         - name: fluent-bit
-          image: amazon/aws-for-fluent-bit:2.10.0
+          image: amazon/aws-for-fluent-bit:{{ .Values.deployment.fluentBitVersion }}
           imagePullPolicy: Always
           env:
             - name: AWS_REGION

nxrm-aws-resiliency/templates/ingress.yaml

@@ -48,4 +48,4 @@ spec:
               service:
                 name: {{ .Chart.Name }}-docker-service
                 port:
-                  number: {{ .Values.ingress.dockerIngress.port }}
+                  number: {{ .Values.service.docker.port }}

nxrm-aws-resiliency/templates/namespaces.yaml

@@ -8,3 +8,8 @@ kind: Namespace
 metadata:
   name: {{ .Values.namespaces.cloudwatchNs }}
 ---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: {{ .Values.namespaces.externaldnsNs }}
+---

nxrm-aws-resiliency/templates/serviceaccount.yaml

@@ -5,3 +5,12 @@ metadata:
   namespace: {{ .Values.namespaces.nexusNs }}
   annotations:
     eks.amazonaws.com/role-arn: {{ .Values.serviceAccount.role }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.serviceAccount.externaldns.name }}
+  namespace: {{ .Values.namespaces.externaldnsNs }}
+  annotations:
+    eks.amazonaws.com/role-arn: {{ .Values.serviceAccount.externaldns.role }}
+---

nxrm-aws-resiliency/templates/services.yaml

@@ -26,7 +26,7 @@ spec:
   selector:
     app: nxrm
   ports:
-    - name: docker-connector
+    - name: docker-service
       protocol: {{ .Values.service.docker.protocol }}
       port: {{ .Values.service.docker.port }}
       targetPort: {{ .Values.service.docker.targetPort }}

nxrm-aws-resiliency/values.yaml

@@ -1,52 +1,64 @@
 # Declare variables to be passed into your templates.
 namespaces:
-    nexusNs: nexusrepo
+  nexusNs: nexusrepo
-    cloudwatchNs: amazon-cloudwatch
+  cloudwatchNs: amazon-cloudwatch
+  externaldnsNs: nexus-externaldns
+externaldns:
+  domainFilter: example.com #your root domain e.g example.com
+  awsZoneType: private # hosted zone to look at (valid values are public, private or no value for both)
 deployment:
-   name: nxrm.deployment
+  clusterRegion: us-east-1
-   clusterName: nxrm-nexus
+  name: nxrm.deployment
-   logsRegion: us-east-1
+  clusterName: nxrm-nexus
-   initContainer:
+  logsRegion: us-east-1
-        image:
+  fluentBitVersion: 2.28.0
-          repository: busybox
+  initContainer:
-          tag: 1.33.1
+    image:
-   container:
+      repository: busybox
-        image:
+      tag: 1.33.1
-          repository: sonatype/nexus3
+  container:
-          tag: 3.41.1
+    image:
-        containerPort: 8081
+      repository: sonatype/nexus3
-        pullPolicy: IfNotPresent
+      tag: 3.41.1
-        env:
+    containerPort: 8081
-          nexusDBName: nexus
+    pullPolicy: IfNotPresent
-          nexusDBPort: 3306
+    env:
-   requestLogContainer:
+      nexusDBName: nexus
-        image:
+      nexusDBPort: 3306
-          repository: busybox
+  requestLogContainer:
-          tag: 1.33.1
+    image:
-   auditLogContainer:
+      repository: busybox
-        image:
+      tag: 1.33.1
-          repository: busybox
+  auditLogContainer:
-          tag: 1.33.1
+    image:
-   taskLogContainer:
+      repository: busybox
-        image:
+      tag: 1.33.1
-          repository: busybox
+  taskLogContainer:
-          tag: 1.33.1
+    image:
+      repository: busybox
+      tag: 1.33.1
 serviceAccount:
-     name: nexus-repository-deployment-sa #This SA is created as part of steps under "AWS Secrets Manager"
+  name: nexus-repository-deployment-sa #This SA is created as part of steps under "AWS Secrets Manager"
-     role: arn:aws:iam::000000000000:role/nxrm-nexus-role #Role with secretsmanager permissions
+  role: arn:aws:iam::000000000000:role/nxrm-nexus-role #Role with secretsmanager permissions
+  externaldns:
+    name: external-dns
+    role: arn:aws:iam::000000000000:role/nexusrepo-external-dns-irsa-role #Role with route53 permissions needed by external-dns     
 ingress:
-  #host: "nexus.ingress.rule.host" #host to apply this ingress rule to. Uncomment this in your values.yaml and set it as you wish
+  #host: "example.com" #host to apply this ingress rule to. Uncomment this in your values.yaml and set it as you wish
   annotations:
     kubernetes.io/ingress.class: alb
     alb.ingress.kubernetes.io/scheme: internal # scheme
     alb.ingress.kubernetes.io/subnets: subnet-1,subnet-2 #comma separated list of subnet ids
-  dockerIngress:  #Ingress for Docker Connector
+    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
-    #host: "docker.ingress.rule.host" #host to apply this ingress rule to. Uncomment this in your values.yaml and set it as you wish
+    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:0000000000000:certificate/00000000-1111-2222-3333-444444444444  # The AWS Certificate Manager ARN for your HTTPS certificate    
+  dockerIngress:  #Ingress for Docker Connector - comment out if you don't use docker repositories
     annotations:
-      kubernetes.io/ingress.class: alb
+      kubernetes.io/ingress.class: alb # comment out if you don't use docker repositories
-      alb.ingress.kubernetes.io/scheme: internal # scheme
+      alb.ingress.kubernetes.io/scheme: internal # scheme comment out if you don't use docker repositories
-      alb.ingress.kubernetes.io/subnets: subnet-1,subnet-2 #comma separated list of subnet ids
+      alb.ingress.kubernetes.io/subnets: subnet-1,subnet-2 #comma separated list of subnet ids, comment out if you don't use docker repositories
-    port: 9090
+      alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]' #comment out if you don't use docker repositories
+      alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:0000000000000:certificate/00000000-1111-2222-3333-444444444444  # Comment out if you don't use docker repositories - The AWS Certificate Manager ARN for your HTTPS certificate
+      external-dns.alpha.kubernetes.io/hostname: dockerrepo1.example.com, dockerrepo2.example.com, dockerrepo3.example.com # Add more docker subdomains using dockerrepoName.example.com othereise comment out if you don't use docker repositories
 pv:
   storage: 120Gi
   volumeMode: Filesystem
@@ -66,11 +78,11 @@ service:  #Nexus Repo NodePort Service
    protocol: TCP
    port: 80
    targetPort: 8081
-  docker:  #Nodeport Service for Docker connector
+  docker:  #Nodeport Service for Docker Service
    type: NodePort
    protocol: TCP
    port: 9090
-   targetPort: 9090
+   targetPort: 8081
 secret:
   license:
    arn: arn:aws:secretsmanager:us-east-1:000000000000:secret:nxrm-nexus-license