Release Update for 64.1.0

NEXUS-40550 - Deprecate and redirect to nxrm ha helm chart

Dockerfile

@@ -11,7 +11,7 @@
 # Eclipse Foundation. All other trademarks are the property of their respective owners.
 #
 
-FROM docker-all.repo.sonatype.com/alpine/helm:3.9.3
+FROM docker-all.repo.sonatype.com/alpine/helm:3.10.1
 
 RUN apk update && apk upgrade && \
     apk add --no-cache bash git openssh

Jenkinsfile-Release

@@ -17,16 +17,6 @@ final jira = [
     credentialId : 'jenkins-jira', autoRelease: true, failOnError: true
 ]
 
-final jiraVersionMappings = [
-  'nexus-repository-manager': 'helm-nxrm',
-  'nxrm-aws-resiliency': 'helm-nxrm-aws-resiliency'
-]
-
-final chartLocation = [
-  'nexus-repository-manager': 'nexus-repository-manager',
-  'nxrm-aws-resiliency': 'nxrm-aws-resiliency'
-]
-
 properties([
   parameters([
     string(
@@ -55,7 +45,8 @@ dockerizedBuildPipeline(
     runSafely "./upgrade.sh ./nexus-repository-manager ${chartVersion} ${params.appVersion}"
     runSafely "./upgrade.sh ./nxrm-aws-resiliency ${chartVersion} ${params.appVersion}"
     runSafely './build.sh'
-    runSafely 'git add nxrm-aws-resiliency nexus-repository-manager'
+    runSafely 'git add nxrm-aws-resiliency'
+    runSafely 'git add nexus-repository-manager'
   },
   skipVulnerabilityScan: true,
   archiveArtifacts: 'docs/*',

README.md

@@ -12,17 +12,12 @@
     Eclipse Foundation. All other trademarks are the property of their respective owners.
 
 -->
+# ⚠️ Archive Notice
+
+As of October 24, 2023, we will no longer update or support the [Single-Instance OSS/Pro Helm Chart](https://github.com/sonatype/nxrm3-helm-repository/tree/main/nexus-repository-manager). 
+
+Deploying Nexus Repository in containers with an embedded database has been known to corrupt the database under some circumstances. We strongly recommend that you use an external PostgreSQL database for Kubernetes deployments. 
 
 ## Helm Charts for Sonatype Nexus Repository Manager 3
 
-We provide Helm charts for two different deployment scenarios:
-
-See the [AWS Single-Instance Resiliency Chart](https://github.com/sonatype/nxrm3-helm-repository/tree/main/nxrm-aws-resiliency) if you are doing the following:
-* Deploying Nexus Repository Pro to an AWS cloud environment with the desire for automatic failover across Availability Zones (AZs) within a single region
-* Planning to configure a single Nexus Repository Pro instance within your Kubernetes/EKS cluster with two or more nodes spread across different AZs within an AWS region
-* Using an external PostgreSQL database (required)
-
-See the [Single-Instance OSS/Pro Kubernetes Chart](https://github.com/sonatype/nxrm3-helm-repository/tree/main/nexus-repository-manager) if you are doing the following:
-* Using embedded OrientDB (required)
-* Deploying either Nexus Repository Pro or OSS to an on-premises environment with bare metal/VM server (Node)
-* Deploying a single Nexus Repository instance within a Kubernetes cluster that has a single Node configured
+We now provide one [HA/Resiliency Helm Chart](https://github.com/sonatype/nxrm3-ha-repository/tree/main/nxrm-ha) that supports both high availability and resilient deployments in AWS, Azure, or on-premises in a Kubernetes cluster. This is our only supported Helm chart for deploying Sonatype Nexus Repository; it requires a PostgreSQL database.

build.sh

@@ -12,7 +12,7 @@
 # Eclipse Foundation. All other trademarks are the property of their respective owners.
 #
 
-helm plugin install https://github.com/quintush/helm-unittest
+helm plugin install --version "0.2.11" https://github.com/quintush/helm-unittest
 
 set -e
 

nexus-repository-manager/.helmignore

@@ -0,0 +1,24 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+# OWNERS file for Kubernetes
+OWNERS
+*.tar

nexus-repository-manager/Chart.yaml

@@ -1,14 +1,16 @@
 apiVersion: v2
 name: nexus-repository-manager
+# The nexus-repository-manager chart is deprecated and no longer maintained
+deprecated: true
 
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: 41.1.3
+version: 64.1.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.
-appVersion: 3.41.1
+appVersion: 3.64.0
 
-description: Sonatype Nexus Repository Manager - Universal Binary repository
+description: DEPRECATED Sonatype Nexus Repository Manager - Universal Binary repository
 
 # A chart can be either an 'application' or a 'library' chart.
 #
@@ -35,6 +37,3 @@ home: https://www.sonatype.com/nexus-repository-oss
 icon: https://sonatype.github.io/helm3-charts/NexusRepo_Vertical.svg
 sources:
   - https://github.com/sonatype/nexus-public
-maintainers:
-  - email:  support@sonatype.com
-    name: Sonatype

nexus-repository-manager/README.md

@@ -12,6 +12,15 @@
     Eclipse Foundation. All other trademarks are the property of their respective owners.
 
 -->
+# ⚠️ Archive Notice
+
+As of October 24, 2023, we will no longer update or support this Helm chart.
+
+Deploying Nexus Repository in containers with an embedded database has been known to corrupt the database under some circumstances. We strongly recommend that you use an external PostgreSQL database for Kubernetes deployments. 
+
+If you are deploying in AWS, you can use our [AWS Helm chart](https://github.com/sonatype/nxrm3-helm-repository/tree/main/nxrm-aws-resiliency) to deploy Nexus Repository in an EKS cluster.
+
+We do not currently provide Helm charts for on-premises deployments using PostgreSQL. For those wishing to deploy on premises, see our [Single Data Center On-Premises Deployment Example Using Kubernetes documentation](https://help.sonatype.com/repomanager3/planning-your-implementation/resiliency-and-high-availability/single-data-center-on-premises-deployment-example-using-kubernetes) for information and sample YAMLs to help you plan a resilient on-premises deployment.
 
 # Nexus Repository
 
@@ -67,14 +76,9 @@ Do not use this Helm chart and, instead, refer to our [resiliency documentation]
 
 By default, this Chart uses Sonatype's Public Docker image. If you want to use a different image, run with the following: `--set nexus.imageName=<my>/<image>`.
 
-### With Red Hat Certified container
+## Adding the Sonatype Repository to your Helm
 
-If you're looking run our Certified Red Hat image in an OpenShift4 environment, there is a Certified Operator in OperatorHub.
-
----
-
-## Adding the repo
-To add as a Helm Repo, use the following:
+To add as a Helm Repo
 ```helm repo add sonatype https://sonatype.github.io/helm3-charts/```
 
 ---
@@ -111,6 +115,7 @@ The default login is randomized and can be found in `/nexus-data/admin.password`
 by setting the environment variable `NEXUS_SECURITY_RANDOMPASSWORD` to `false` in your `values.yaml`.
  
 ---
+
 ## Uninstalling the Chart
 
 To uninstall/delete the deployment, use the following:
@@ -134,7 +139,7 @@ The following table lists the configurable parameters of the Nexus chart and the
 |--------------------------------------------|----------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------|
 | `deploymentStrategy`                       | Deployment Strategy                                                                          | `Recreate`                                                                                                                                      |
 | `nexus.imagePullPolicy`                    | Nexus Repository image pull policy                                                           | `IfNotPresent`                                                                                                                                  |
-| `nexus.imagePullSecrets`                   | Secret to download Nexus Repository image from private registry                                         | `nil`                                                                                                                                           |
+| `imagePullSecrets`                         | The names of the kubernetes secrets with credentials to login to a registry                  | `[]`                                                                                                                                            |
 | `nexus.docker.enabled`                     | Enable/disable Docker support                                                                | `false`                                                                                                                                         |
 | `nexus.docker.registries`                  | Support multiple Docker registries                                                           | (see below)                                                                                                                                     |
 | `nexus.docker.registries[0].host`          | Host for the Docker registry                                                                 | `cluster.local`                                                                                                                                 |
@@ -159,7 +164,7 @@ The following table lists the configurable parameters of the Nexus chart and the
 | `nexus.hostAliases`                        | Aliases for IPs in /etc/hosts                                                                | []                                                                                                                                              |
 | `nexus.properties.override`                | Set to true to override default nexus.properties                                             | `false`                                                                                                                                         |
 | `nexus.properties.data`                    | A map of custom nexus properties if `override` is set to true                                | `nexus.scripts.allowCreation: true`                                                                                                             |
-| `ingress.enabled`                          | Create an ingress for Nexus Repository                                                                  | `true`                                                                                                                                          |
+| `ingress.enabled`                          | Create an ingress for Nexus Repository                                                       | `false`                                                                                                                                         |
 | `ingress.annotations`                      | Annotations to enhance ingress configuration                                                 | `{kubernetes.io/ingress.class: nginx}`                                                                                                          |
 | `ingress.tls.secretName`                   | Name of the secret storing TLS cert, `false` to use the Ingress' default certificate         | `nexus-tls`                                                                                                                                     |
 | `ingress.path`                             | Path for ingress rules. GCP users should set to `/*`.                                        | `/`                                                                                                                                             |
@@ -201,3 +206,31 @@ The following table lists the configurable parameters of the Nexus chart and the
 By default, a `PersistentVolumeClaim` is created and mounted into the `/nexus-data` directory. In order to disable this functionality, you can change the `values.yaml` to disable persistence, which will use an `emptyDir` instead.
 
 > *"An emptyDir volume is first created when a Pod is assigned to a Node, and exists as long as that Pod is running on that node. When a Pod is removed from a node for any reason, the data in the emptyDir is deleted forever."*
+
+## Using the Image from the Red Hat Registry
+
+To use the [Nexus Repository Manager image available from Red Hat's registry](https://catalog.redhat.com/software/containers/sonatype/nexus-repository-manager/594c281c1fbe9847af657690),
+you'll need to:
+* Load the credentials for the registry as a secret in your cluster
+  ```shell
+  kubectl create secret docker-registry redhat-pull-secret \
+    --docker-server=registry.connect.redhat.com \
+    --docker-username=<user_name> \
+    --docker-password=<password> \
+    --docker-email=<email>
+  ```
+  See Red Hat's [Registry Authentication documentation](https://access.redhat.com/RegistryAuthentication)
+  for further details.
+* Provide the name of the secret in `imagePullSecrets` in this chart's `values.yaml`
+  ```yaml
+  imagePullSecrets:
+    - name: redhat-pull-secret
+  ```
+* Set `image.name` and `image.tag` in `values.yaml`
+  ```yaml
+  image:
+    repository: registry.connect.redhat.com/sonatype/nexus-repository-server
+    tag: 3.39.0-ubi-1
+  ```
+
+---

nexus-repository-manager/templates/deployment.yaml

@@ -48,7 +48,7 @@ spec:
       hostAliases:
         {{ toYaml .Values.nexus.hostAliases | nindent 8 }}
       {{- end }}
-      {{- if .Values.nexus.imagePullSecrets }}
+      {{- with .Values.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
@@ -59,7 +59,14 @@ spec:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
-
+          securityContext:
+            allowPrivilegeEscalation: false
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault
+            capabilities:
+              drop:
+                - ALL
           lifecycle:
           {{- if .Values.deployment.postStart.command }}
             postStart:

nexus-repository-manager/templates/ingress.yaml

@@ -62,6 +62,9 @@ metadata:
       {{- toYaml . | nindent 4 }}
     {{- end }}
 spec:
+  {{- if $.Values.ingress.ingressClassName }}
+  ingressClassName: {{ $.Values.ingress.ingressClassName }}
+  {{- end }}
   tls:
     - hosts:
       - {{ $registry.host | quote }}

nexus-repository-manager/tests/deployment_test.yaml

@@ -36,7 +36,14 @@ tests:
           pattern: sonatype/nexus3:3\.\d+\.\d+
       - equal:
           path: spec.template.spec.containers[0].securityContext
-          value: null
+          value: 
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault
       - equal:
           path: spec.template.spec.containers[0].imagePullPolicy
           value: IfNotPresent
@@ -44,7 +51,12 @@ tests:
           path: spec.template.spec.containers[0].env
           value:
             - name: INSTALL4J_ADD_VM_PARAMS
-              value: -Xms2703M -Xmx2703M -XX:MaxDirectMemorySize=2703M -XX:+UnlockExperimentalVMOptions -XX:+UseCGroupMemoryLimitForHeap
+              value: |-
+                -Xms2703M -Xmx2703M
+                -XX:MaxDirectMemorySize=2703M
+                -XX:+UnlockExperimentalVMOptions
+                -XX:+UseCGroupMemoryLimitForHeap
+                -Djava.util.prefs.userRoot=/nexus-data/javaprefs
             - name: NEXUS_SECURITY_RANDOMPASSWORD
               value: "true"
       - equal:
@@ -83,3 +95,26 @@ tests:
             - name: nexus-repository-manager-data
               persistentVolumeClaim:
                 claimName: RELEASE-NAME-nexus-repository-manager-data
+      - equal:
+          path: spec.template.spec.securityContext
+          value:
+            fsGroup: 200
+            runAsGroup: 200
+            runAsUser: 200
+
+  - it: should use our simple values
+    template: deployment.yaml
+    set:
+      deploymentStrategy: my-strategy
+      imagePullSecrets:
+        - name: top-secret
+    asserts:
+      - hasDocuments:
+          count: 1
+      - equal:
+          path: spec.strategy.type
+          value: my-strategy
+      - equal:
+          path: spec.template.spec.imagePullSecrets
+          value:
+            - name: top-secret

nexus-repository-manager/tests/ingress_test.yaml

@@ -1,3 +1,4 @@
+---
 suite: ingress
 templates:
   - ingress.yaml
@@ -97,7 +98,105 @@ tests:
         equal:
           path: metadata.name
           value: RELEASE-NAME-nexus-repository-manager
+      - documentIndex: 0
+        equal:
+          path: spec
+          value:
+            ingressClassName: nginx
+            rules:
+              - host: repo.demo
+                http:
+                  paths:
+                    - path: /
+                      pathType: Prefix
+                      backend:
+                        service:
+                          name: RELEASE-NAME-nexus-repository-manager
+                          port:
+                            number: 8081
+      - documentIndex: 1
+        equal:
+          path: metadata.name
+          value: RELEASE-NAME-nexus-repository-manager-docker-5000
+      - documentIndex: 1
+        equal:
+          path: spec
+          value:
+            ingressClassName: nginx
+            rules:
+              - host: docker.repo.demo
+                http:
+                  paths:
+                    - path: /
+                      pathType: Prefix
+                      backend:
+                        service:
+                          name: RELEASE-NAME-nexus-repository-manager-docker-5000
+                          port:
+                            number: 5000
+            tls:
+              - hosts:
+                  - docker.repo.demo
+                secretName: registry-secret
+  - it: we can exclude ingressClassName for repo ingress and docker ingress
+    set:
+      ingress:
+        enabled: true
+        ingressClassName: {}
+      nexus:
+        docker:
+          enabled: true
+          registries:
+            - host: docker.repo.demo
+              port: 5000
+              secretName: registry-secret
+    asserts:
+      - hasDocuments:
+          count: 2
+      - isKind:
+          of: Ingress
+      - equal:
+          path: apiVersion
+          value: networking.k8s.io/v1
+      - equal:
+          path: metadata.labels.[app.kubernetes.io/instance]
+          value: RELEASE-NAME
+      - equal:
+          path: metadata.labels.[app.kubernetes.io/managed-by]
+          value: Helm
+      - matchRegex:
+          path: metadata.labels.[app.kubernetes.io/version]
+          pattern: \d+\.\d+\.\d+
+      - matchRegex:
+          path: metadata.labels.[helm.sh/chart]
+          pattern: nexus-repository-manager-\d+\.\d+\.\d+
+      - equal:
+          path: metadata.labels.[app.kubernetes.io/name]
+          value: nexus-repository-manager
+      - equal:
+          path: metadata.annotations
+          value:
+            nginx.ingress.kubernetes.io/proxy-body-size: "0"
 
+      - documentIndex: 0
+        equal:
+          path: metadata.name
+          value: RELEASE-NAME-nexus-repository-manager
+      - documentIndex: 0
+        equal:
+          path: spec
+          value:
+            rules:
+              - host: repo.demo
+                http:
+                  paths:
+                    - path: /
+                      pathType: Prefix
+                      backend:
+                        service:
+                          name: RELEASE-NAME-nexus-repository-manager
+                          port:
+                            number: 8081
       - documentIndex: 1
         equal:
           path: metadata.name
@@ -121,7 +220,6 @@ tests:
               - hosts:
                   - docker.repo.demo
                 secretName: registry-secret
-
   - it: is disabled by default
     asserts:
       - hasDocuments:

nexus-repository-manager/values.yaml

@@ -2,13 +2,16 @@
 statefulset:
   # This is not supported
   enabled: false
-# By default deploymentStrategy is set to rollingUpdate with maxSurge of 25% and maxUnavailable of 25% . you can change type to `Recreate` or can uncomment `rollingUpdate` specification and adjust them to your usage.
 deploymentStrategy: Recreate
 image:
   # Sonatype Official Public Image
   repository: sonatype/nexus3
-  tag: 3.41.1
+  tag: 3.64.0
   pullPolicy: IfNotPresent
+imagePullSecrets:
+# for image registries that require login, specify the name of the existing
+# kubernetes secret
+#   - name: <pull-secret-name>
 
 nexus:
   docker:
@@ -16,12 +19,17 @@ nexus:
     # registries:
     #   - host: chart.local
     #     port: 5000
-    #     secretName: registrySecret
+    #     secretName: registry-secret
   env:
     # minimum recommended memory settings for a small, person instance from
     # https://help.sonatype.com/repomanager3/product-information/system-requirements
     - name: INSTALL4J_ADD_VM_PARAMS
-      value: "-Xms2703M -Xmx2703M -XX:MaxDirectMemorySize=2703M -XX:+UnlockExperimentalVMOptions -XX:+UseCGroupMemoryLimitForHeap"
+      value: |-
+        -Xms2703M -Xmx2703M
+        -XX:MaxDirectMemorySize=2703M
+        -XX:+UnlockExperimentalVMOptions
+        -XX:+UseCGroupMemoryLimitForHeap
+        -Djava.util.prefs.userRoot=/nexus-data/javaprefs
     - name: NEXUS_SECURITY_RANDOMPASSWORD
       value: "true"
   properties:
@@ -72,8 +80,6 @@ nexus:
   #   - "example.com"
   #   - "www.example.com"
 
-
-imagePullSecrets: []
 nameOverride: ""
 fullnameOverride: ""
 

nxrm-aws-resiliency/Chart.yaml

@@ -1,6 +1,8 @@
 apiVersion: v2
 name: nxrm-aws-resiliency
-description: Resilient AWS Deployment of Sonatype Nexus Repository Manager - Universal Binary repository 
+# The nxrm-aws-resiliency chart is deprecated and no longer maintained
+deprecated: true
+description: DEPRECATED Resilient AWS Deployment of Sonatype Nexus Repository Manager - Universal Binary repository
 
 # A chart can be either an 'application' or a 'library' chart.
 #
@@ -15,13 +17,13 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 41.1.3
+version: 64.1.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: 3.41.1
+appVersion: 3.64.0
 
 keywords:
   - artifacts
@@ -36,6 +38,4 @@ keywords:
   - nexus3
 home: https://www.sonatype.com/nexus-repository-oss
 icon: https://sonatype.github.io/helm3-charts/NexusRepo_Vertical.svg
-maintainers:
-  - name: Sonatype
 

nxrm-aws-resiliency/README.md

@@ -12,109 +12,24 @@
     Eclipse Foundation. All other trademarks are the property of their respective owners.
 
 -->
+# ⚠️ Archive Notice
 
-# Helm Chart for a Resilient Nexus Repository Deployment in AWS
+As of February 9, 2024, we now provide one [HA/Resiliency Helm Chart](https://github.com/sonatype/nxrm3-ha-repository/tree/main/nxrm-ha) that supports both high availability and resilient deployments in AWS, Azure, or on-premises in a Kubernetes cluster. This is our only supported Helm chart for deploying Sonatype Nexus Repository; it requires a PostgreSQL database and a Pro license. 
 
-This Helm chart configures the Kubernetes resources that are needed for a resilient Nexus Repository deployment on AWS as described in our documented [single-node cloud resilient deployment example using AWS](https://help.sonatype.com/repomanager3/planning-your-implementation/resiliency-and-high-availability/single-node-cloud-resilient-deployment-example-using-aws).
+# Helm Chart Instructions
 
-Use the checklist below to determine if this Helm chart is suitable for your deployment needs.
-
----
-
-## When to Use This Helm Chart
-Use this Helm chart if you are doing any of the following:
-- Deploying Nexus Repository Pro to an AWS cloud environment with the desire for automatic failover across Availability Zones (AZs) within a single region
-- Planning to configure a single Nexus Repository Pro instance within your Kubernetes/EKS cluster with two or more nodes spread across different AZs within an AWS region
-- Using an external PostgreSQL database
-
-> **Note**: A Nexus Repository Pro license is required for our resilient deployment options. Your Nexus Repository Pro license file must be stored externally as mounted from AWS Secrets AWS (required).
-
----
-
-## Prerequisites for This Chart
-In order to set up an environment like the one illustrated above and described in this section, you will need the following:
-
-- Kubernetes 1.19+
-- [kubectl](https://kubernetes.io/docs/tasks/tools/)
-- [Helm 3](https://helm.sh/docs/intro/install/)
-- A Nexus Repository Pro license
-- An AWS account with permissions for accessing the following AWS services:
-  - Elastic Kubernetes Service (EKS)
-  - Relational Database Service (RDS) for PostgreSQL
-  - Application Load Balancer (ALB)
-  - CloudWatch
-  - Simple Storage Service (S3)
-  - Secrets Manager
-
-You will also need to complete the steps below. See the referenced AWS documentation for detailed configuration steps. Also see [our resiliency documentation](https://help.sonatype.com/repomanager3/planning-your-implementation/resiliency-and-high-availability/single-node-cloud-resilient-deployment-example-using-aws) for more details about why these steps are necessary and how each AWS solution functions within a resilient deployment:
-1. Configure an EKS cluster - [AWS documentation for managed nodes (i.e., EC2)](https://docs.aws.amazon.com/eks/latest/userguide/getting-started-console.html)
-2. Create an Aurora database cluster - [AWS documentation for creating an Aurora database cluster](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.CreateInstance.html)
-3. Deploy the AWS Load Balancer Controller (LBC) to your EKS cluster - [AWS documentation for deploying the AWS LBC to your EKS cluster](https://docs.aws.amazon.com/eks/latest/userguide/aws-load-balancer-controller.html)
-4. Install AWS Secrets Store CSI drivers - You need to create an IAM service account using the ```eksctl create iamserviceaccount``` command. Before proceeding, read the points below as they contain important required steps to ensure this helm chart will work for you:  <br>
-  - **You must include two additional command parameters when running the command**: ```--role-only``` and ```--namespace <nexusrepo namespace>```
-    - It is important to include the ```--role-only``` option in the ```eksctl create iamserviceaccount``` command so that the helm chart manages the Kubernetes service account.  <br> 
-  - **The namespace you specify to the ```eksctl create iamserviceaccount``` must be the same namespace into which you will deploy the Nexus Repository pod.**  <br>
-    - Although the namespace does not exist at this point, you must specify it as part of the command. **Do not create that namespace manually beforehand**; the helm chart will create and manage it. 
-    - You should specify this same namespace as the value of ```nexusNs``` in your values.yaml.  <br>
-  - Follow the instructions provided in the [AWS Secrets Store CSI drivers documentation](https://github.com/aws/secrets-store-csi-driver-provider-aws/blob/main/README.md) to install the AWS Secrets Store CSI drivers; ensure that you follow the additional instructions in the bullets above when you reach the ```eksctl create iamserviceaccount``` command on that page.
-5. Ensure that your EKS nodes are granted CloudWatchFullAccess and CloudWatchAgentServerPolicy IAM policies. This Helm chart will configure Fluentbit for log externalisation to CloudWatch.
-  - [AWS documentation for setting up Fluentbit](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/deploy-container-insights-EKS.html)
-
----
-
-## Deployment
-1. Add the sonatype repo to your helm:
-```helm repo add sonatype https://sonatype.github.io/helm3-charts/ ```   
-2. Ensure you have updated your values.yaml with appropriate values for your environment.
-  - Note that you can specify Ingress annotations via the values.yaml. 
-  - If you wish to add [Labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/), you can do so via kubectl. See the [kubectl Cheat Sheet](https://kubernetes.io/docs/reference/kubectl/cheatsheet/) for specific commands.
-  
-3. Install the chart using the following:
-  
-```helm install nxrm sonatype/nxrm-aws-resiliency -f values.yaml```
-  
-4. Get the Nexus Repository link using the following:
-  
-```kubectl get ingresses -n nexusrepo```
-
----
-
-## Health Check
-You can use the following commands to perform various health checks:
-  
-See a list of releases:
-  
-  ```helm list```
-  
- Check pods using the following:
-  
-  ```kubectl get pods -n nexusrepo```
-  
-Check the Nexus Repository logs with the following:
-  
-  ```kubectl logs <pod_name> -n nexusrepo nxrm-app```
-  
-Check if the pod is OK by using the following; you shouldn't see any error/warning messages:
-  
-  ```kubectl describe pod <pod_name> -n nexusrepo```
-  
-Check if ingress is OK using the following:
-  
-  ```kubectl describe ingress <ingress_name> -n nexusrepo```
-  
-Check that the Fluent Bit pod is sending events to CloudWatch using the following:
-
-  ```kubectl logs -n amazon-cloudwatch <fluent-bit pod id>```
-  
-If the above returns without error, then check CloudWatch for the ```/aws/containerinsights/<eks cluster name>/nexus-logs``` log group, which should contain four log streams.
-
----
-
-## Uninstall
-To uninstall the deployment, use the following:
-  
-  ```helm uninstall nxrm```
-  
-After removing the deployment, ensure that the namespace is deleted and that Nexus Repository is not listed when using the following:
-  
-  ```helm list```
+See the [HA/Resiliency Helm Chart in GitHub](https://github.com/sonatype/nxrm3-ha-repository/tree/main/nxrm-ha) for details on the new combined Helm chart.
+Detailed Help instructions are also available at the following locations:
+* [Single-Node Cloud Resilient Example Using AWS] (https://help.sonatype.com/en/single-node-cloud-resilient-deployment-example-using-aws.html)
+* [Single-Node Cloud Resilient Example Using Azure] (https://help.sonatype.com/en/single-node-cloud-resilient-deployment-example-using-azure.html)
+* [Single Data Center On-Premises Resilient Example Using Kubernetes] (https://help.sonatype.com/en/single-data-center-on-premises-deployment-example-using-kubernetes.html)
+* [High Availability Deployment in AWS] (https://help.sonatype.com/en/option-3---high-availability-deployment-in-amazon-web-services--aws-.html)
+* [High Availability Deployment in Azure] (https://help.sonatype.com/en/option-4---high-availability-deployment-in-azure.html)
+* [On-Premises High Availability Deployment Using Kubernetes] (https://help.sonatype.com/en/option-2---on-premises-high-availability-deployment-using-kubernetes.html)
+Detailed Help instructions are also available at the following locations:
+* [Single-Node Cloud Resilient Example Using AWS] (https://help.sonatype.com/en/single-node-cloud-resilient-deployment-example-using-aws.html)
+* [Single-Node Cloud Resilient Example Using Azure] (https://help.sonatype.com/en/single-node-cloud-resilient-deployment-example-using-azure.html)
+* [Single Data Center On-Premises Resilient Example Using Kubernetes] (https://help.sonatype.com/en/single-data-center-on-premises-deployment-example-using-kubernetes.html)
+* [High Availability Deployment in AWS] (https://help.sonatype.com/en/option-3---high-availability-deployment-in-amazon-web-services--aws-.html)
+* [High Availability Deployment in Azure] (https://help.sonatype.com/en/option-4---high-availability-deployment-in-azure.html)
+* [On-Premises High Availability Deployment Using Kubernetes] (https://help.sonatype.com/en/option-2---on-premises-high-availability-deployment-using-kubernetes.html)

nxrm-aws-resiliency/templates/deployment.yaml

@@ -70,7 +70,7 @@ spec:
             - name: NEXUS_SECURITY_RANDOMPASSWORD
               value: "false"
             - name: INSTALL4J_ADD_VM_PARAMS
-              value: "-Xms2703m -Xmx2703m -XX:MaxDirectMemorySize=2703m -Dnexus.licenseFile=/nxrm-secrets/{{ .Values.secret.license.alias }} \
+              value: "{{ .Values.deployment.container.env.install4jAddVmParams }} -Dnexus.licenseFile=/nxrm-secrets/{{ .Values.secret.license.alias }} \
           -Dnexus.datastore.enabled=true -Djava.util.prefs.userRoot=${NEXUS_DATA}/javaprefs \
           -Dnexus.datastore.nexus.jdbcUrl=jdbc:postgresql://${DB_HOST}:{{ .Values.deployment.container.env.nexusDBPort }}/${DB_NAME} \
           -Dnexus.datastore.nexus.username=${DB_USER} \

nxrm-aws-resiliency/templates/external-dns-rbac.yml

@@ -1,4 +1,4 @@
-# comment out sa if it was previously created
+{{- if .Values.externaldns.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -64,3 +64,4 @@ spec:
           env:
             - name: AWS_DEFAULT_REGION
               value: {{ .Values.deployment.clusterRegion }}
+{{- end }}

nxrm-aws-resiliency/templates/fluent-bit.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.fluentbit.enabled -}}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -77,7 +78,7 @@ data:
     [INPUT]
         Name                tail
         Tag                 nexus.nexus-log
-        Path                /var/log/containers/{{ .Chart.Name }}-{{ .Chart.Version }}.{{ .Release.Name }}-nxrm.deployment*{{ .Values.namespaces.nexusNs }}_nxrm-app-*.log
+        Path                /var/log/containers/{{ .Chart.Name }}-{{ .Chart.Version }}.{{ .Release.Name }}-{{ .Values.deployment.name }}*{{ .Values.namespaces.nexusNs }}_nxrm-app-*.log
         Parser              docker
         DB                  /var/fluent-bit/state/flb_container.db
         Mem_Buf_Limit       5MB
@@ -112,7 +113,7 @@ data:
     [INPUT]
         Name                tail
         Tag                 nexus.request-log
-        Path                /var/log/containers/{{ .Chart.Name }}-{{ .Chart.Version }}.{{ .Release.Name }}-nxrm.deployment*{{ .Values.namespaces.nexusNs }}_request-log-*.log
+        Path                /var/log/containers/{{ .Chart.Name }}-{{ .Chart.Version }}.{{ .Release.Name }}-{{ .Values.deployment.name }}*{{ .Values.namespaces.nexusNs }}_request-log-*.log
         Parser              docker
         DB                  /var/fluent-bit/state/flb_container.db
         Mem_Buf_Limit       5MB
@@ -147,7 +148,7 @@ data:
     [INPUT]
         Name                tail
         Tag                 nexus.audit-log
-        Path                /var/log/containers/{{ .Chart.Name }}-{{ .Chart.Version }}.{{ .Release.Name }}-nxrm.deployment*{{ .Values.namespaces.nexusNs }}_audit-log-*.log
+        Path                /var/log/containers/{{ .Chart.Name }}-{{ .Chart.Version }}.{{ .Release.Name }}-{{ .Values.deployment.name }}*{{ .Values.namespaces.nexusNs }}_audit-log-*.log
         Parser              docker
         DB                  /var/fluent-bit/state/flb_container.db
         Mem_Buf_Limit       5MB
@@ -182,7 +183,7 @@ data:
     [INPUT]
         Name                tail
         Tag                 nexus.tasks-log
-        Path                /var/log/containers/{{ .Chart.Name }}-{{ .Chart.Version }}.{{ .Release.Name }}-nxrm.deployment*{{ .Values.namespaces.nexusNs }}_tasks-log-*.log
+        Path                /var/log/containers/{{ .Chart.Name }}-{{ .Chart.Version }}.{{ .Release.Name }}-{{ .Values.deployment.name }}*{{ .Values.namespaces.nexusNs }}_tasks-log-*.log
         Parser              docker
         DB                  /var/fluent-bit/state/flb_container.db
         Mem_Buf_Limit       5MB
@@ -358,3 +359,4 @@ spec:
           effect: "NoExecute"
         - operator: "Exists"
           effect: "NoSchedule"
+{{- end }}

nxrm-aws-resiliency/templates/ingress.yaml

@@ -24,6 +24,7 @@ spec:
                 port:
                   number: {{ .Values.service.nexus.port }}
 ---
+{{- if .Values.ingress.dockerIngress.enabled -}}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
@@ -49,3 +50,4 @@ spec:
                 name: {{ .Chart.Name }}-docker-service
                 port:
                   number: {{ .Values.service.docker.port }}
+{{- end }}

nxrm-aws-resiliency/templates/namespaces.yaml

@@ -3,13 +3,16 @@ kind: Namespace
 metadata:
   name: {{ .Values.namespaces.nexusNs }}
 ---
+{{- if .Values.fluentbit.enabled }}
 apiVersion: v1
 kind: Namespace
 metadata:
   name: {{ .Values.namespaces.cloudwatchNs }}
+{{- end }}
 ---
+{{- if .Values.externaldns.enabled }}
 apiVersion: v1
 kind: Namespace
 metadata:
   name: {{ .Values.namespaces.externaldnsNs }}
----
+{{- end }}

nxrm-aws-resiliency/templates/serviceaccount.yaml

@@ -6,6 +6,7 @@ metadata:
   annotations:
     eks.amazonaws.com/role-arn: {{ .Values.serviceAccount.role }}
 ---
+{{- if .Values.externaldns.enabled }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -13,4 +14,4 @@ metadata:
   namespace: {{ .Values.namespaces.externaldnsNs }}
   annotations:
     eks.amazonaws.com/role-arn: {{ .Values.serviceAccount.externaldns.role }}
----
+{{- end }}

nxrm-aws-resiliency/templates/services.yaml

@@ -14,6 +14,7 @@ spec:
       port: {{ .Values.service.nexus.port }}
       targetPort: {{ .Values.service.nexus.targetPort }}
 ---
+{{- if .Values.service.docker.enabled -}}
 apiVersion: v1
 kind: Service
 metadata:
@@ -30,3 +31,4 @@ spec:
       protocol: {{ .Values.service.docker.protocol }}
       port: {{ .Values.service.docker.port }}
       targetPort: {{ .Values.service.docker.targetPort }}
+{{- end }}

nxrm-aws-resiliency/templates/workdir-configmap.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Values.workdir.configmap.name }}
+  namespace: {{ .Values.namespaces.nexusNs }}
+data:
+   create-nexus-work-dir.sh: |
+    #!/bin/bash
+    # Make Nexus Repository Manager work directory
+    mkdir -p /nexus-repo-mgr-work-dir/work
+

nxrm-aws-resiliency/templates/workdir-daemonset.yaml

@@ -0,0 +1,51 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name:  {{ .Values.workdir.daemonset.name }}
+  namespace: {{ .Values.namespaces.nexusNs }}
+spec:
+  selector:
+    matchLabels:
+      job: dircreator
+  template:
+    metadata:
+      labels:
+        job: dircreator
+    spec:
+      hostPID: true
+      restartPolicy: Always
+      initContainers:
+        # Copy file for creating nexus work directory over and execute it on host 
+        - name: create-nexus-work-dir
+          image: ubuntu:23.04
+          command: [/bin/sh]
+          args:
+            - -c
+            - >-
+              cp /tmp/create-nexus-work-dir.sh /host-dir && 
+              /usr/bin/nsenter -m/proc/1/ns/mnt -- chmod u+x /tmp/install/create-nexus-work-dir.sh && 
+              /usr/bin/nsenter -m/proc/1/ns/mnt /tmp/install/create-nexus-work-dir.sh
+          securityContext:
+            privileged: true
+          volumeMounts:
+            - name: create-nexus-work-dir-script
+              mountPath: /tmp
+            - name: host-mnt
+              mountPath: /host-dir            
+      containers:
+      - name: directory-creator
+        image: busybox:1.33.1
+        command: ["/bin/sh"]
+        args:
+            - -c
+            - >-
+              tail -f /dev/null
+        securityContext:
+          privileged: true 
+      volumes:
+      - name: create-nexus-work-dir-script
+        configMap:
+          name: {{ .Values.workdir.configmap.name }}
+      - name: host-mnt
+        hostPath:
+          path: /tmp/install

nxrm-aws-resiliency/values.yaml

@@ -4,14 +4,18 @@ namespaces:
   cloudwatchNs: amazon-cloudwatch
   externaldnsNs: nexus-externaldns
 externaldns:
+  enabled: false
   domainFilter: example.com #your root domain e.g example.com
   awsZoneType: private # hosted zone to look at (valid values are public, private or no value for both)
+fluentbit:
+  enabled: false
 deployment:
   clusterRegion: us-east-1
   name: nxrm.deployment
   clusterName: nxrm-nexus
   logsRegion: us-east-1
   fluentBitVersion: 2.28.0
+  replicaCount: 1
   initContainer:
     image:
       repository: busybox
@@ -19,12 +23,13 @@ deployment:
   container:
     image:
       repository: sonatype/nexus3
-      tag: 3.41.1
+      tag: 3.45.1
     containerPort: 8081
     pullPolicy: IfNotPresent
     env:
       nexusDBName: nexus
       nexusDBPort: 3306
+      install4jAddVmParams: "-Xms2703m -Xmx2703m"
   requestLogContainer:
     image:
       repository: busybox
@@ -47,24 +52,33 @@ ingress:
   #host: "example.com" #host to apply this ingress rule to. Uncomment this in your values.yaml and set it as you wish
   annotations:
     kubernetes.io/ingress.class: alb
+    alb.ingress.kubernetes.io/healthcheck-path: /service/rest/v1/status
     alb.ingress.kubernetes.io/scheme: internal # scheme
     alb.ingress.kubernetes.io/subnets: subnet-1,subnet-2 #comma separated list of subnet ids
-    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
-    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:0000000000000:certificate/00000000-1111-2222-3333-444444444444  # The AWS Certificate Manager ARN for your HTTPS certificate    
+    #alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]' uncomment for https
+    #alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:0000000000000:certificate/00000000-1111-2222-3333-444444444444  # Uncomment for https. The AWS Certificate Manager ARN for your HTTPS certificate    
   dockerIngress: #Ingress for Docker Connector - comment out if you don't use docker repositories
+    enabled: false
     annotations:
       kubernetes.io/ingress.class: alb # comment out if you don't use docker repositories
       alb.ingress.kubernetes.io/scheme: internal # scheme comment out if you don't use docker repositories
       alb.ingress.kubernetes.io/subnets: subnet-1,subnet-2 #comma separated list of subnet ids, comment out if you don't use docker repositories
-      alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]' #comment out if you don't use docker repositories
-      alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:0000000000000:certificate/00000000-1111-2222-3333-444444444444  # Comment out if you don't use docker repositories - The AWS Certificate Manager ARN for your HTTPS certificate
-      external-dns.alpha.kubernetes.io/hostname: dockerrepo1.example.com, dockerrepo2.example.com, dockerrepo3.example.com # Add more docker subdomains using dockerrepoName.example.com othereise comment out if you don't use docker repositories
+#      alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]' #uncomment if you use docker repositories
+#      alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:0000000000000:certificate/00000000-1111-2222-3333-444444444444  #  Uncomment if you use docker repositories - The AWS Certificate Manager ARN for your HTTPS certificate
+#      external-dns.alpha.kubernetes.io/hostname: dockerrepo1.example.com, dockerrepo2.example.com, dockerrepo3.example.com # Add more docker subdomains using dockerrepoName.example.com othereise comment out if you don't use docker repositories
+workdir:
+  configmap:
+    name: create-nexus-workdir-config
+  daemonset:
+    name: create-nexus-work-dir
+storageClass:
+  iopsPerGB: "10" #Note: aws plugin multiplies this by the size of the requested volumne to compute IOPS of the volumne and caps it a 20, 000 IOPS
 pv:
   storage: 120Gi
   volumeMode: Filesystem
   accessModes: ReadWriteOnce
   reclaimPolicy: Retain
-  path: /mnt
+  path: /nexus-repo-mgr-work-dir/work
   zones:
     zone1: us-east-1a
     zone2: us-east-1b
@@ -79,6 +93,7 @@ service:  #Nexus Repo NodePort Service
     port: 80
     targetPort: 8081
   docker: #Nodeport Service for Docker Service
+    enabled: false
     type: NodePort
     protocol: TCP
     port: 9090