resolve conflict

NEXUS-34871 - Create A records for docker sub domain and configure HTTPS listener for ALB

.gitignore

@@ -0,0 +1,6 @@
+.vs/**
+.idea/**
+
+**/test-output.xml
+
+.DS_Store

Dockerfile

@@ -1,17 +1,20 @@
 #
-# Copyright (c) 2019-present Sonatype, Inc. All rights reserved.
-# Includes the third-party code listed at http://links.sonatype.com/products/clm/attributions.
-# "Sonatype" is a trademark of Sonatype, Inc.
+# Sonatype Nexus (TM) Open Source Version
+# Copyright (c) 2008-present Sonatype, Inc.
+# All rights reserved. Includes the third-party code listed at http://links.sonatype.com/products/nexus/oss/attributions.
+#
+# This program and the accompanying materials are made available under the terms of the Eclipse Public License Version 1.0,
+# which accompanies this distribution and is available at http://www.eclipse.org/legal/epl-v10.html.
+#
+# Sonatype Nexus (TM) Professional Version is available from Sonatype, Inc. "Sonatype" and "Sonatype Nexus" are trademarks
+# of Sonatype, Inc. Apache Maven is a trademark of the Apache Software Foundation. M2eclipse is a trademark of the
+# Eclipse Foundation. All other trademarks are the property of their respective owners.
 #
 
-# FROM docker-all.repo.sonatype.com/alpine:latest
-# LABEL maintainer="operations-group@sontype.com"
+FROM docker-all.repo.sonatype.com/alpine/helm:3.9.3
 
-# RUN apk update
+RUN apk update && apk upgrade && \
+    apk add --no-cache bash git openssh
 
-# WORKDIR /app
-# COPY ./src ./
+RUN mkdir /.local /.cache && chmod 777 /.local /.cache
 
-# EXPOSE 8080
-
-# CMD ["./runit"]

Jenkinsfile

@@ -0,0 +1,31 @@
+/*
+ * Sonatype Nexus (TM) Open Source Version
+ * Copyright (c) 2008-present Sonatype, Inc.
+ * All rights reserved. Includes the third-party code listed at http://links.sonatype.com/products/nexus/oss/attributions.
+ *
+ * This program and the accompanying materials are made available under the terms of the Eclipse Public License Version 1.0,
+ * which accompanies this distribution and is available at http://www.eclipse.org/legal/epl-v10.html.
+ *
+ * Sonatype Nexus (TM) Professional Version is available from Sonatype, Inc. "Sonatype" and "Sonatype Nexus" are trademarks
+ * of Sonatype, Inc. Apache Maven is a trademark of the Apache Software Foundation. M2eclipse is a trademark of the
+ * Eclipse Foundation. All other trademarks are the property of their respective owners.
+ */
+@Library(['private-pipeline-library', 'jenkins-shared', 'nxrm-jenkins-shared']) _
+
+dockerizedBuildPipeline(
+  prepare: {
+    githubStatusUpdate('pending')
+  },
+  buildAndTest: {
+    sh './build.sh'
+  },
+  skipVulnerabilityScan: true,
+  archiveArtifacts: 'docs/*',
+  testResults: ['**/test-output.xml'],
+  onSuccess: {
+    nxrmBuildNotifications(currentBuild, env)
+  },
+  onFailure: {
+    nxrmBuildNotifications(currentBuild, env)
+  }
+)

Jenkinsfile-Release

@@ -0,0 +1,106 @@
+/*
+ * Copyright (c) 2020-present Sonatype, Inc. All rights reserved.
+ *
+ * This program is licensed to you under the Apache License Version 2.0,
+ * and you may not use this file except in compliance with the Apache License Version 2.0.
+ * You may obtain a copy of the Apache License Version 2.0 at http://www.apache.org/licenses/LICENSE-2.0.
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the Apache License Version 2.0 is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Apache License Version 2.0 for the specific language governing permissions and limitations there under.
+ */
+@Library(['private-pipeline-library', 'jenkins-shared', 'nxrm-jenkins-shared']) _
+
+final jira = [
+    versionPrefix: '', project: 'NEXUS', projectId: '12410',
+    credentialId : 'jenkins-jira', autoRelease: true, failOnError: true
+]
+
+final jiraVersionMappings = [
+  'nexus-repository-manager': 'helm-nxrm',
+  'nxrm-aws-resiliency': 'helm-nxrm-aws-resiliency'
+]
+
+final chartLocation = [
+  'nexus-repository-manager': 'nexus-repository-manager',
+  'nxrm-aws-resiliency': 'nxrm-aws-resiliency'
+]
+
+properties([
+  parameters([
+    string(
+      name: 'appVersion',
+      description: 'Version of the application image, like "3.41.0"',
+    ),
+    string(
+      name: 'chartVersion',
+      description: '(Optional) Version of the Chart, like "41.0.0". If omitted, it will be calculated from the appVersion.',
+    ),
+  ])
+])
+
+final chartVersion = calculateChartVersion(params.chartVersion, params.appVersion)
+
+dockerizedBuildPipeline(
+  prepare: {
+    if (! params.appVersion) {
+      error('The appVersion is required.')
+    }
+    githubStatusUpdate('pending')
+  },
+  buildAndTest: {
+    sonatypeZionGitConfig()
+    runSafely "git checkout ${gitBranch(env)}"
+    runSafely "./upgrade.sh ./nexus-repository-manager ${chartVersion} ${params.appVersion}"
+    runSafely "./upgrade.sh ./nxrm-aws-resiliency ${chartVersion} ${params.appVersion}"
+    runSafely './build.sh'    
+    runSafely 'git add nxrm-aws-resiliency nexus-repository-manager'
+  },
+  skipVulnerabilityScan: true,
+  archiveArtifacts: 'docs/*',
+  testResults: [],
+  deployCondition: { true },
+  deploy: {
+    runSafely 'git add docs'
+    runSafely "git commit -m 'Release Update for ${chartVersion}'"
+
+    sshagent(credentials: [sonatypeZionCredentialsId()]) {
+      runSafely 'git push'
+    }
+  },
+  postDeploy: {
+    // Create tags
+    String tagName = "${chartVersion}"
+    runSafely "git tag -a ${tagName} -m 'Release Update: ${chartVersion}'"
+    sshagent(credentials: [sonatypeZionCredentialsId()]) {
+      runSafely "git push origin ${tagName}"
+    }
+  },
+  onSuccess: {
+    nxrmBuildNotifications(currentBuild, env)
+  },
+  onFailure: {
+    nxrmBuildNotifications(currentBuild, env)
+  }
+)
+
+String calculateChartVersion(final String chartVersion, final String appVersion) {
+  if (chartVersion) {
+    return chartVersion
+  }
+
+  if (! appVersion) {
+    error 'Failed to calculate chartVersion with no appVersion.'
+  }
+
+  final versionParts = parseVersionString(appVersion)
+  final chartMajor = versionParts[1]
+  final chartMinor = versionParts[2]
+
+  if (! chartMajor || ! chartMinor) {
+    error "Failed to calculate chartVersion from appVersion: ${appVersion}"
+  }
+
+  return [chartMajor, chartMinor, '0'].join('.')
+}

LICENSE

@@ -1,21 +1,13 @@
-MIT License
+Copyright (c) 2020-present Sonatype, Inc.
 
-Copyright (c) 2020 Sonatype
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
 
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
+    http://www.apache.org/licenses/LICENSE-2.0
 
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

OPSDOC.md

@@ -1,65 +0,0 @@
-<!--
-Copyright (c) 2019-present Sonatype, Inc. All rights reserved.
-Includes the third-party code listed at http://links.sonatype.com/products/clm/attributions.
-"Sonatype" is a trademark of Sonatype, Inc.
--->
-
-## Overview
-Overview of the service: what is it, why do we have it, who are the primary
-contacts, how to report bugs, links to design docs and other relevant
-information.
-
-### Public Facing Endpoints
-The URLs (or IPs) and ports used by the service and what they are used for
-(ALB? SSH? FTP?) and notes about any certificates and their location.
-
-## Monitoring
-
-Monitoring dashboards / logging / introspection & obseverbility info.
-
-### Runbooks
-
-A list of every alert your monitoring system may generate for this service and
-a step-by-step "what do to when..." for each of them.
-
-###  SLO
-Service Level Objectives in a succinct format: a target value or range of
-values for a service level that is measured by an SLI. A natural structure for
-SLOs is thus SLI ≤ target, or lower bound ≤ SLI ≤ upper bound. For example, we
-might decide that we will return Shakespeare search results "quickly," adopting
-an SLO that our average search request latency should be less than 100
-milliseconds.
-
-For more detailed information, please check out the Service Level Objectives
-doc. If you're still unsure of what your SLOs should be, please reach out to
-the SREs at #ops-sre-chat. 
-
-Optionally but recommended, have a section of monitoring and dashboards for SLO
-tracking (see the auth-service OpsDoc for examples of dashboards).
-
-## Build
-
-How to build the software that makes the service. Where to download it from,
-where the source code repository is, steps for building and making a package or
-other distribution mechanisms. If it is software that you modify in any way
-(open source project you contribute to or a local project) include instructions
-for how a new developer gets started. Ideally the end result is a package that
-can be copied to other machines for installation.
-
-## Deploy
-
-How to deploy the service. How to build something from scratch: RAM/disk
-requirements, OS version and configuration, what packages to install, and so
-on. If this is automated with a configuration management tool like ansible/etc,
-then say so.
-
-## Common Tasks
-
-Step-by-step instructions for common things like provisioning
-(add/change/delete), common problems and their solutions, and so on.
-
-## DR
-Where are backups of data stored?  What are disaster / data recovery
-procedures?
-
-

README.md

@@ -1,13 +1,28 @@
+<!--
+
+    Sonatype Nexus (TM) Open Source Version
+    Copyright (c) 2008-present Sonatype, Inc.
+    All rights reserved. Includes the third-party code listed at http://links.sonatype.com/products/nexus/oss/attributions.
+
+    This program and the accompanying materials are made available under the terms of the Eclipse Public License Version 1.0,
+    which accompanies this distribution and is available at http://www.eclipse.org/legal/epl-v10.html.
+
+    Sonatype Nexus (TM) Professional Version is available from Sonatype, Inc. "Sonatype" and "Sonatype Nexus" are trademarks
+    of Sonatype, Inc. Apache Maven is a trademark of the Apache Software Foundation. M2eclipse is a trademark of the
+    Eclipse Foundation. All other trademarks are the property of their respective owners.
+
+-->
+
 ## Helm Charts for Sonatype Nexus Repository Manager 3
 
 We provide Helm charts for two different deployment scenarios:
 
-See the [AWS Single-Instance Resiliency Chart](./https://github.com/sonatype/nxrm3-helm-repository/tree/main/aws-single-instance-resiliency) if you are doing the following:
+See the [AWS Single-Instance Resiliency Chart](https://github.com/sonatype/nxrm3-helm-repository/tree/main/nxrm-aws-resiliency) if you are doing the following:
 * Deploying Nexus Repository Pro to an AWS cloud environment with the desire for automatic failover across Availability Zones (AZs) within a single region
 * Planning to configure a single Nexus Repository Pro instance within your Kubernetes/EKS cluster with two or more nodes spread across different AZs within an AWS region
 * Using an external PostgreSQL database (required)
 
-See the [Single-Instance OSS/Pro Kubernetes Chart](./https://github.com/sonatype/nxrm3-helm-repository/tree/main/single-inst-oss-pro-kubernetes) if you are doing the following:
+See the [Single-Instance OSS/Pro Kubernetes Chart](https://github.com/sonatype/nxrm3-helm-repository/tree/main/nexus-repository-manager) if you are doing the following:
 * Using embedded OrientDB (required)
 * Deploying either Nexus Repository Pro or OSS to an on-premises environment with bare metal/VM server (Node)
 * Deploying a single Nexus Repository instance within a Kubernetes cluster that has a single Node configured

SECURITY.md

@@ -1,11 +1,17 @@
 <!--
 
-    Copyright (c) 2019-present Sonatype, Inc. All rights reserved.
-    Includes the third-party code listed at http://links.sonatype.com/products/clm/attributions.
-    "Sonatype" is a trademark of Sonatype, Inc.
+    Sonatype Nexus (TM) Open Source Version
+    Copyright (c) 2008-present Sonatype, Inc.
+    All rights reserved. Includes the third-party code listed at http://links.sonatype.com/products/nexus/oss/attributions.
+
+    This program and the accompanying materials are made available under the terms of the Eclipse Public License Version 1.0,
+    which accompanies this distribution and is available at http://www.eclipse.org/legal/epl-v10.html.
+
+    Sonatype Nexus (TM) Professional Version is available from Sonatype, Inc. "Sonatype" and "Sonatype Nexus" are trademarks
+    of Sonatype, Inc. Apache Maven is a trademark of the Apache Software Foundation. M2eclipse is a trademark of the
+    Eclipse Foundation. All other trademarks are the property of their respective owners.
 
 -->
-
 # Reporting Security Vulnerabilities
 
 ## When to report

aws-single-instance-resiliency/LICENSE

@@ -1,21 +0,0 @@
-MIT License
-
-Copyright (c) 2020 Sonatype
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.

aws-single-instance-resiliency/templates/serviceaccount.yaml

@@ -1,7 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ .Values.serviceAccount.name }}
-  namespace: {{ .Values.namespaces.nexusNs }}
-  annotations:
-    eks.amazonaws.com/role-arn: {{ .Values.serviceAccount.role }}

aws-single-instance-resiliency/values.yaml

@@ -1,79 +0,0 @@
-# Declare variables to be passed into your templates.
-namespaces:
-    nexusNs: nexusrepo
-    cloudwatchNs: amazon-cloudwatch
-deployment:
-   name: nxrm.deployment
-   clusterName: nxrm-nexus
-   logsRegion: us-east-1
-   initContainer:
-        image:
-          repository: busybox
-          tag: 1.33.1
-   container:
-        image:
-          repository: sonatype/nexus3
-          tag: 3.41.1
-        containerPort: 8081
-        pullPolicy: IfNotPresent
-        env:
-          nexusDBName: nexus
-          nexusDBPort: 3306
-   requestLogContainer:
-        image:
-          repository: busybox
-          tag: 1.33.1
-   auditLogContainer:
-        image:
-          repository: busybox
-          tag: 1.33.1
-   taskLogContainer:
-        image:
-          repository: busybox
-          tag: 1.33.1
-serviceAccount:
-     name: nexus-repository-deployment-sa #This SA is created as part of steps under "AWS Secrets Manager"
-     role: arn:aws:iam::000000000000:role/nxrm-nexus-role #Role with secretsmanager permissions
-ingress:
-  annotations:
-    kubernetes.io/ingress.class: alb
-    alb.ingress.kubernetes.io/scheme: internal # scheme
-    alb.ingress.kubernetes.io/subnets: subnet-1,subnet-2 #comma separated list of subnet ids
-  dockerIngress:  #Ingress for Docker Connector
-    annotations:
-      kubernetes.io/ingress.class: alb
-      alb.ingress.kubernetes.io/scheme: internal # scheme
-      alb.ingress.kubernetes.io/subnets: subnet-1,subnet-2 #comma separated list of subnet ids
-    port: 9090
-pv:
-  storage: 120Gi
-  volumeMode: Filesystem
-  accessModes: ReadWriteOnce
-  reclaimPolicy: Retain
-  path: /mnt
-  zones:
-    zone1: us-east-1a
-    zone2: us-east-1b
-pvc:
-  accessModes: ReadWriteOnce
-  storage: 100Gi
-
-service:  #Nexus Repo NodePort Service
-  nexus:
-   type: NodePort
-   protocol: TCP
-   port: 80
-   targetPort: 8081
-  docker:  #Nodeport Service for Docker connector
-   type: NodePort
-   protocol: TCP
-   port: 9090
-   targetPort: 9090
-secret:
-  license:
-   arn: arn:aws:secretsmanager:us-east-1:000000000000:secret:nxrm-nexus-license
-   alias: nxrm-license.lic
-  rds:
-    arn: arn:aws:secretsmanager:us-east-1:000000000000:secret:nxrmrds-cred-nexus
-  adminpassword:
-    arn: arn:aws:secretsmanager:us-east-1:000000000000:secret:admin-nxrm-password

build.sh

@@ -0,0 +1,29 @@
+#!/bin/sh
+#
+# Sonatype Nexus (TM) Open Source Version
+# Copyright (c) 2008-present Sonatype, Inc.
+# All rights reserved. Includes the third-party code listed at http://links.sonatype.com/products/nexus/oss/attributions.
+#
+# This program and the accompanying materials are made available under the terms of the Eclipse Public License Version 1.0,
+# which accompanies this distribution and is available at http://www.eclipse.org/legal/epl-v10.html.
+#
+# Sonatype Nexus (TM) Professional Version is available from Sonatype, Inc. "Sonatype" and "Sonatype Nexus" are trademarks
+# of Sonatype, Inc. Apache Maven is a trademark of the Apache Software Foundation. M2eclipse is a trademark of the
+# Eclipse Foundation. All other trademarks are the property of their respective owners.
+#
+
+helm plugin install https://github.com/quintush/helm-unittest
+
+set -e
+
+# lint yaml of charts
+helm lint ./nxrm-aws-resiliency
+helm lint ./nexus-repository-manager
+
+# unit test
+(cd ./nxrm-aws-resiliency; helm unittest -3 -t junit -o test-output.xml .)
+(cd ./nexus-repository-manager; helm unittest -3 -t junit -o test-output.xml .)
+
+# package the charts into tgz archives
+helm package ./nxrm-aws-resiliency --destination docs
+helm package ./nexus-repository-manager --destination docs

header.txt

@@ -1,3 +1,10 @@
-Copyright (c) 2019-present Sonatype, Inc. All rights reserved.
-Includes the third-party code listed at http://links.sonatype.com/products/clm/attributions.
-"Sonatype" is a trademark of Sonatype, Inc.
+Sonatype Nexus (TM) Open Source Version
+Copyright (c) 2008-present Sonatype, Inc.
+All rights reserved. Includes the third-party code listed at http://links.sonatype.com/products/nexus/oss/attributions.
+
+This program and the accompanying materials are made available under the terms of the Eclipse Public License Version 1.0,
+which accompanies this distribution and is available at http://www.eclipse.org/legal/epl-v10.html.
+
+Sonatype Nexus (TM) Professional Version is available from Sonatype, Inc. "Sonatype" and "Sonatype Nexus" are trademarks
+of Sonatype, Inc. Apache Maven is a trademark of the Apache Software Foundation. M2eclipse is a trademark of the
+Eclipse Foundation. All other trademarks are the property of their respective owners.

nexus-repository-manager/Chart.yaml

@@ -3,10 +3,10 @@ name: nexus-repository-manager
 
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: 38.1.0
+version: 41.1.3
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.
-appVersion: 3.38.1
+appVersion: 3.41.1
 
 description: Sonatype Nexus Repository Manager - Universal Binary repository
 

nexus-repository-manager/README.md

@@ -1,3 +1,18 @@
+<!--
+
+    Sonatype Nexus (TM) Open Source Version
+    Copyright (c) 2008-present Sonatype, Inc.
+    All rights reserved. Includes the third-party code listed at http://links.sonatype.com/products/nexus/oss/attributions.
+
+    This program and the accompanying materials are made available under the terms of the Eclipse Public License Version 1.0,
+    which accompanies this distribution and is available at http://www.eclipse.org/legal/epl-v10.html.
+
+    Sonatype Nexus (TM) Professional Version is available from Sonatype, Inc. "Sonatype" and "Sonatype Nexus" are trademarks
+    of Sonatype, Inc. Apache Maven is a trademark of the Apache Software Foundation. M2eclipse is a trademark of the
+    Eclipse Foundation. All other trademarks are the property of their respective owners.
+
+-->
+
 # Nexus Repository
 
 [Nexus Repository OSS](https://www.sonatype.com/nexus-repository-oss) provides universal support for all major build tools.

nexus-repository-manager/values.yaml

@@ -7,7 +7,7 @@ deploymentStrategy: Recreate
 image:
   # Sonatype Official Public Image
   repository: sonatype/nexus3
-  tag: 3.38.1
+  tag: 3.41.1
   pullPolicy: IfNotPresent
 
 nexus:

nxrm-aws-resiliency/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: nxrm-aws-resiliency
-description: Helm chart for a Resilient Nexus Repository deployment in AWS
+description: Resilient AWS Deployment of Sonatype Nexus Repository Manager - Universal Binary repository 
 
 # A chart can be either an 'application' or a 'library' chart.
 #
@@ -15,10 +15,27 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 41.1.0
+version: 41.1.3
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "3.41.1"
+appVersion: 3.41.1
+
+keywords:
+  - artifacts
+  - dependency
+  - management
+  - sonatype
+  - nexus
+  - repository
+  - quickstart
+  - ci
+  - repository-manager
+  - nexus3
+home: https://www.sonatype.com/nexus-repository-oss
+icon: https://sonatype.github.io/helm3-charts/NexusRepo_Vertical.svg
+maintainers:
+  - name: Sonatype
+

nxrm-aws-resiliency/LICENSE

@@ -0,0 +1,13 @@
+Copyright (c) 2020-present Sonatype, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

nxrm-aws-resiliency/README.md

@@ -1,3 +1,18 @@
+<!--
+
+    Sonatype Nexus (TM) Open Source Version
+    Copyright (c) 2008-present Sonatype, Inc.
+    All rights reserved. Includes the third-party code listed at http://links.sonatype.com/products/nexus/oss/attributions.
+
+    This program and the accompanying materials are made available under the terms of the Eclipse Public License Version 1.0,
+    which accompanies this distribution and is available at http://www.eclipse.org/legal/epl-v10.html.
+
+    Sonatype Nexus (TM) Professional Version is available from Sonatype, Inc. "Sonatype" and "Sonatype Nexus" are trademarks
+    of Sonatype, Inc. Apache Maven is a trademark of the Apache Software Foundation. M2eclipse is a trademark of the
+    Eclipse Foundation. All other trademarks are the property of their respective owners.
+
+-->
+
 # Helm Chart for a Resilient Nexus Repository Deployment in AWS
 
 This Helm chart configures the Kubernetes resources that are needed for a resilient Nexus Repository deployment on AWS as described in our documented [single-node cloud resilient deployment example using AWS](https://help.sonatype.com/repomanager3/planning-your-implementation/resiliency-and-high-availability/single-node-cloud-resilient-deployment-example-using-aws).
@@ -48,13 +63,17 @@ You will also need to complete the steps below. See the referenced AWS documenta
 ---
 
 ## Deployment
-1. Pull the [nxrm-resiliency-aws-helmchart](https://github.com/sonatype/nxrm3-helm-repository/blob/main/aws-single-instance-resiliency/Chart.yaml).
+1. Add the sonatype repo to your helm:
+```helm repo add sonatype https://sonatype.github.io/helm3-charts/ ```   
 2. Ensure you have updated your values.yaml with appropriate values for your environment.
+  - Note that you can specify Ingress annotations via the values.yaml. 
+  - If you wish to add [Labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/), you can do so via kubectl. See the [kubectl Cheat Sheet](https://kubernetes.io/docs/reference/kubectl/cheatsheet/) for specific commands.
+  
 3. Install the chart using the following:
   
-```helm install nxrm nexus/nxrm-aws-resiliency --values values.yaml```
+```helm install nxrm sonatype/nxrm-aws-resiliency -f values.yaml```
   
-3. Get the Nexus Repository link using the following:
+4. Get the Nexus Repository link using the following:
   
 ```kubectl get ingresses -n nexusrepo```
 

nxrm-aws-resiliency/templates/external-dns-rbac.yml

@@ -0,0 +1,66 @@
+# comment out sa if it was previously created
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: external-dns
+  namespace: {{ .Values.namespaces.externaldnsNs }}
+  labels:
+    app.kubernetes.io/name: external-dns
+rules:
+  - apiGroups: [""]
+    resources: ["services","endpoints","pods","nodes"]
+    verbs: ["get","watch","list"]
+  - apiGroups: ["extensions","networking.k8s.io"]
+    resources: ["ingresses"]
+    verbs: ["get","watch","list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: external-dns-viewer
+  namespace: {{ .Values.namespaces.externaldnsNs }}  
+  labels:
+    app.kubernetes.io/name: external-dns
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: external-dns
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Values.serviceAccount.externaldns.name }}
+    namespace: {{ .Values.namespaces.externaldnsNs }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: external-dns
+  namespace: {{ .Values.namespaces.externaldnsNs }}  
+  labels:
+    app.kubernetes.io/name: external-dns
+spec:
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: external-dns
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: external-dns
+    spec:
+      serviceAccountName: external-dns
+      containers:
+        - name: external-dns
+          image: k8s.gcr.io/external-dns/external-dns:v0.11.0
+          args:
+            - --source=service
+            - --source=ingress
+            - --domain-filter={{ .Values.externaldns.domainFilter }} # will make ExternalDNS see only the hosted zones matching provided domain, omit to process all available hosted zones
+            - --provider=aws
+            - --policy=upsert-only # would prevent ExternalDNS from deleting any records, omit to enable full synchronization
+            - --aws-zone-type={{ .Values.externaldns.awsZoneType }} # only look at public hosted zones (valid values are public, private or no value for both)
+            - --registry=txt
+            - --txt-owner-id=external-dns
+          env:
+            - name: AWS_DEFAULT_REGION
+              value: {{ .Values.deployment.clusterRegion }}

nxrm-aws-resiliency/templates/fluent-bit.yaml

@@ -77,7 +77,7 @@ data:
     [INPUT]
         Name                tail
         Tag                 nexus.nexus-log
-        Path                /var/log/containers/{{ .Chart.Name }}-{{ .Chart.Version }}.{{ .Release.Name }}-nxrm.deployment-*-*_{{ .Values.namespaces.nexusNs }}_nxrm-app-*.log
+        Path                /var/log/containers/{{ .Chart.Name }}-{{ .Chart.Version }}.{{ .Release.Name }}-nxrm.deployment*{{ .Values.namespaces.nexusNs }}_nxrm-app-*.log
         Parser              docker
         DB                  /var/fluent-bit/state/flb_container.db
         Mem_Buf_Limit       5MB
@@ -112,7 +112,7 @@ data:
     [INPUT]
         Name                tail
         Tag                 nexus.request-log
-        Path                /var/log/containers/{{ .Chart.Name }}-{{ .Chart.Version }}.{{ .Release.Name }}-nxrm.deployment-*-*_{{ .Values.namespaces.nexusNs }}_request-log-*.log
+        Path                /var/log/containers/{{ .Chart.Name }}-{{ .Chart.Version }}.{{ .Release.Name }}-nxrm.deployment*{{ .Values.namespaces.nexusNs }}_request-log-*.log
         Parser              docker
         DB                  /var/fluent-bit/state/flb_container.db
         Mem_Buf_Limit       5MB
@@ -147,7 +147,7 @@ data:
     [INPUT]
         Name                tail
         Tag                 nexus.audit-log
-        Path                /var/log/containers/{{ .Chart.Name }}-{{ .Chart.Version }}.{{ .Release.Name }}-nxrm.deployment-*-*_{{ .Values.namespaces.nexusNs }}_audit-log-*.log
+        Path                /var/log/containers/{{ .Chart.Name }}-{{ .Chart.Version }}.{{ .Release.Name }}-nxrm.deployment*{{ .Values.namespaces.nexusNs }}_audit-log-*.log
         Parser              docker
         DB                  /var/fluent-bit/state/flb_container.db
         Mem_Buf_Limit       5MB
@@ -182,7 +182,7 @@ data:
     [INPUT]
         Name                tail
         Tag                 nexus.tasks-log
-        Path                /var/log/containers/{{ .Chart.Name }}-{{ .Chart.Version }}.{{ .Release.Name }}-nxrm.deployment-*-*_{{ .Values.namespaces.nexusNs }}_tasks-log-*.log
+        Path                /var/log/containers/{{ .Chart.Name }}-{{ .Chart.Version }}.{{ .Release.Name }}-nxrm.deployment*{{ .Values.namespaces.nexusNs }}_tasks-log-*.log
         Parser              docker
         DB                  /var/fluent-bit/state/flb_container.db
         Mem_Buf_Limit       5MB
@@ -263,7 +263,7 @@ spec:
     spec:
       containers:
         - name: fluent-bit
-          image: amazon/aws-for-fluent-bit:2.10.0
+          image: amazon/aws-for-fluent-bit:{{ .Values.deployment.fluentBitVersion }}
           imagePullPolicy: Always
           env:
             - name: AWS_REGION

nxrm-aws-resiliency/templates/ingress.yaml

@@ -9,7 +9,12 @@ metadata:
   {{- end }}
 spec:
   rules:
+    {{- if .Values.ingress.host }}
+    - host: {{ .Values.ingress.host }}
+      http:
+    {{- else }}
     - http:
+    {{- end }}
         paths:
           - path: /
             pathType: Prefix
@@ -30,7 +35,12 @@ metadata:
   {{- end }}
 spec:
   rules:
+    {{- if .Values.ingress.dockerIngress.host }}
+    - host: {{ .Values.ingress.dockerIngress.host }}
+      http:
+    {{- else}}
     - http:
+    {{- end }}
         paths:
           - path: /
             pathType: Prefix
@@ -38,4 +48,4 @@ spec:
               service:
                 name: {{ .Chart.Name }}-docker-service
                 port:
-                  number: {{ .Values.ingress.dockerIngress.port }}
+                  number: {{ .Values.service.docker.port }}

nxrm-aws-resiliency/templates/namespaces.yaml

@@ -8,3 +8,8 @@ kind: Namespace
 metadata:
   name: {{ .Values.namespaces.cloudwatchNs }}
 ---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: {{ .Values.namespaces.externaldnsNs }}
+---

nxrm-aws-resiliency/templates/serviceaccount.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.serviceAccount.name }}
+  namespace: {{ .Values.namespaces.nexusNs }}
+  annotations:
+    eks.amazonaws.com/role-arn: {{ .Values.serviceAccount.role }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.serviceAccount.externaldns.name }}
+  namespace: {{ .Values.namespaces.externaldnsNs }}
+  annotations:
+    eks.amazonaws.com/role-arn: {{ .Values.serviceAccount.externaldns.role }}
+---

nxrm-aws-resiliency/templates/services.yaml

@@ -26,7 +26,7 @@ spec:
   selector:
     app: nxrm
   ports:
-    - name: docker-connector
+    - name: docker-service
       protocol: {{ .Values.service.docker.protocol }}
       port: {{ .Values.service.docker.port }}
       targetPort: {{ .Values.service.docker.targetPort }}

nxrm-aws-resiliency/values.yaml

@@ -0,0 +1,93 @@
+# Declare variables to be passed into your templates.
+namespaces:
+  nexusNs: nexusrepo
+  cloudwatchNs: amazon-cloudwatch
+  externaldnsNs: nexus-externaldns
+externaldns:
+  domainFilter: example.com #your root domain e.g example.com
+  awsZoneType: private # hosted zone to look at (valid values are public, private or no value for both)
+deployment:
+  clusterRegion: us-east-1
+  name: nxrm.deployment
+  clusterName: nxrm-nexus
+  logsRegion: us-east-1
+  fluentBitVersion: 2.28.0
+  initContainer:
+    image:
+      repository: busybox
+      tag: 1.33.1
+  container:
+    image:
+      repository: sonatype/nexus3
+      tag: 3.41.1
+    containerPort: 8081
+    pullPolicy: IfNotPresent
+    env:
+      nexusDBName: nexus
+      nexusDBPort: 3306
+  requestLogContainer:
+    image:
+      repository: busybox
+      tag: 1.33.1
+  auditLogContainer:
+    image:
+      repository: busybox
+      tag: 1.33.1
+  taskLogContainer:
+    image:
+      repository: busybox
+      tag: 1.33.1
+serviceAccount:
+  name: nexus-repository-deployment-sa #This SA is created as part of steps under "AWS Secrets Manager"
+  role: arn:aws:iam::000000000000:role/nxrm-nexus-role #Role with secretsmanager permissions
+  externaldns:
+    name: external-dns
+    role: arn:aws:iam::000000000000:role/nexusrepo-external-dns-irsa-role #Role with route53 permissions needed by external-dns     
+ingress:
+  #host: "example.com" #host to apply this ingress rule to. Uncomment this in your values.yaml and set it as you wish
+  annotations:
+    kubernetes.io/ingress.class: alb
+    alb.ingress.kubernetes.io/scheme: internal # scheme
+    alb.ingress.kubernetes.io/subnets: subnet-1,subnet-2 #comma separated list of subnet ids
+    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
+    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:0000000000000:certificate/00000000-1111-2222-3333-444444444444  # The AWS Certificate Manager ARN for your HTTPS certificate    
+  dockerIngress:  #Ingress for Docker Connector - comment out if you don't use docker repositories
+    annotations:
+      kubernetes.io/ingress.class: alb # comment out if you don't use docker repositories
+      alb.ingress.kubernetes.io/scheme: internal # scheme comment out if you don't use docker repositories
+      alb.ingress.kubernetes.io/subnets: subnet-1,subnet-2 #comma separated list of subnet ids, comment out if you don't use docker repositories
+      alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]' #comment out if you don't use docker repositories
+      alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:0000000000000:certificate/00000000-1111-2222-3333-444444444444  # Comment out if you don't use docker repositories - The AWS Certificate Manager ARN for your HTTPS certificate
+      external-dns.alpha.kubernetes.io/hostname: dockerrepo1.example.com, dockerrepo2.example.com, dockerrepo3.example.com # Add more docker subdomains using dockerrepoName.example.com othereise comment out if you don't use docker repositories
+pv:
+  storage: 120Gi
+  volumeMode: Filesystem
+  accessModes: ReadWriteOnce
+  reclaimPolicy: Retain
+  path: /mnt
+  zones:
+    zone1: us-east-1a
+    zone2: us-east-1b
+pvc:
+  accessModes: ReadWriteOnce
+  storage: 100Gi
+
+service:  #Nexus Repo NodePort Service
+  nexus:
+   type: NodePort
+   protocol: TCP
+   port: 80
+   targetPort: 8081
+  docker:  #Nodeport Service for Docker Service
+   type: NodePort
+   protocol: TCP
+   port: 9090
+   targetPort: 8081
+secret:
+  license:
+   arn: arn:aws:secretsmanager:us-east-1:000000000000:secret:nxrm-nexus-license
+   alias: nxrm-license.lic
+  rds:
+    arn: arn:aws:secretsmanager:us-east-1:000000000000:secret:nxrmrds-cred-nexus
+  adminpassword:
+    arn: arn:aws:secretsmanager:us-east-1:000000000000:secret:admin-nxrm-password

upgrade.sh

@@ -0,0 +1,39 @@
+#!/bin/sh
+#
+# Sonatype Nexus (TM) Open Source Version
+# Copyright (c) 2008-present Sonatype, Inc.
+# All rights reserved. Includes the third-party code listed at http://links.sonatype.com/products/nexus/oss/attributions.
+#
+# This program and the accompanying materials are made available under the terms of the Eclipse Public License Version 1.0,
+# which accompanies this distribution and is available at http://www.eclipse.org/legal/epl-v10.html.
+#
+# Sonatype Nexus (TM) Professional Version is available from Sonatype, Inc. "Sonatype" and "Sonatype Nexus" are trademarks
+# of Sonatype, Inc. Apache Maven is a trademark of the Apache Software Foundation. M2eclipse is a trademark of the
+# Eclipse Foundation. All other trademarks are the property of their respective owners.
+#
+
+if [ $# != 3 ]; then
+    echo "Usage: $0 <dir> <chart-version> <app-version>"
+    exit 1
+fi
+
+DIR="$1"
+CHART_VERSION="$2"
+APP_VERSION="$3"
+
+OUTPUT_FILE=$(mktemp)
+
+cat "$DIR/Chart.yaml" \
+  | sed -E "s/version: .+/version: $CHART_VERSION/" \
+  | sed -E "s/appVersion: .+/appVersion: $APP_VERSION/" \
+  > "$OUTPUT_FILE"
+
+mv "$OUTPUT_FILE" "$DIR/Chart.yaml"
+
+cat "$DIR/values.yaml" \
+  | sed -E "s/^  tag: .+$/  tag: $APP_VERSION/" \
+  > "$OUTPUT_FILE"
+
+mv "$OUTPUT_FILE" "$DIR/values.yaml"
+
+git diff "$DIR"