Set replicas to 1

OpenShift requires the red hat image (optional)
and these security settings to alleviate warnings.

These changes are fine for other k8s implementations
like minikube using the stock container from docker hub.

Dockerfile

@@ -11,7 +11,7 @@
 # Eclipse Foundation. All other trademarks are the property of their respective owners.
 #
 
-FROM docker-all.repo.sonatype.com/alpine/helm:3.9.3
+FROM docker-all.repo.sonatype.com/alpine/helm:3.10.1
 
 RUN apk update && apk upgrade && \
     apk add --no-cache bash git openssh

Jenkinsfile-Release

@@ -17,16 +17,6 @@ final jira = [
     credentialId : 'jenkins-jira', autoRelease: true, failOnError: true
 ]
 
-final jiraVersionMappings = [
-  'nexus-repository-manager': 'helm-nxrm',
-  'nxrm-aws-resiliency': 'helm-nxrm-aws-resiliency'
-]
-
-final chartLocation = [
-  'nexus-repository-manager': 'nexus-repository-manager',
-  'nxrm-aws-resiliency': 'nxrm-aws-resiliency'
-]
-
 properties([
   parameters([
     string(
@@ -55,7 +45,8 @@ dockerizedBuildPipeline(
     runSafely "./upgrade.sh ./nexus-repository-manager ${chartVersion} ${params.appVersion}"
     runSafely "./upgrade.sh ./nxrm-aws-resiliency ${chartVersion} ${params.appVersion}"
     runSafely './build.sh'
-    runSafely 'git add nxrm-aws-resiliency nexus-repository-manager'
+    runSafely 'git add nxrm-aws-resiliency'
+    runSafely 'git add nexus-repository-manager'
   },
   skipVulnerabilityScan: true,
   archiveArtifacts: 'docs/*',

README.md

@@ -12,6 +12,9 @@
     Eclipse Foundation. All other trademarks are the property of their respective owners.
 
 -->
+# ⚠️ Archive Notice
+
+As of October 24, 2023, we will no longer update or support the [Single-Instance OSS/Pro Kubernetes Chart](https://github.com/sonatype/nxrm3-helm-repository/tree/main/nexus-repository-manager).
 
 ## Helm Charts for Sonatype Nexus Repository Manager 3
 

nexus-repository-manager/.helmignore

@@ -0,0 +1,24 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+# OWNERS file for Kubernetes
+OWNERS
+*.tar

nexus-repository-manager/Chart.yaml

@@ -3,10 +3,10 @@ name: nexus-repository-manager
 
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: 41.1.3
+version: 43.0.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.
-appVersion: 3.41.1
+appVersion: 3.43.0
 
 description: Sonatype Nexus Repository Manager - Universal Binary repository
 

nexus-repository-manager/README.md

@@ -12,6 +12,9 @@
     Eclipse Foundation. All other trademarks are the property of their respective owners.
 
 -->
+# ⚠️ Archive Notice
+
+As of October 24, 2023, we will no longer update or support this Helm chart.
 
 # Nexus Repository
 
@@ -67,14 +70,9 @@ Do not use this Helm chart and, instead, refer to our [resiliency documentation]
 
 By default, this Chart uses Sonatype's Public Docker image. If you want to use a different image, run with the following: `--set nexus.imageName=<my>/<image>`.
 
-### With Red Hat Certified container
+## Adding the Sonatype Repository to your Helm
 
-If you're looking run our Certified Red Hat image in an OpenShift4 environment, there is a Certified Operator in OperatorHub.
+To add as a Helm Repo
-
----
-
-## Adding the repo
-To add as a Helm Repo, use the following:
 ```helm repo add sonatype https://sonatype.github.io/helm3-charts/```
 
 ---
@@ -111,6 +109,7 @@ The default login is randomized and can be found in `/nexus-data/admin.password`
 by setting the environment variable `NEXUS_SECURITY_RANDOMPASSWORD` to `false` in your `values.yaml`.
  
 ---
+
 ## Uninstalling the Chart
 
 To uninstall/delete the deployment, use the following:
@@ -134,7 +133,7 @@ The following table lists the configurable parameters of the Nexus chart and the
 |--------------------------------------------|----------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------|
 | `deploymentStrategy`                       | Deployment Strategy                                                                          | `Recreate`                                                                                                                                      |
 | `nexus.imagePullPolicy`                    | Nexus Repository image pull policy                                                           | `IfNotPresent`                                                                                                                                  |
-| `nexus.imagePullSecrets`                   | Secret to download Nexus Repository image from private registry                                         | `nil`                                                                                                                                           |
+| `imagePullSecrets`                         | The names of the kubernetes secrets with credentials to login to a registry                  | `[]`                                                                                                                                            |
 | `nexus.docker.enabled`                     | Enable/disable Docker support                                                                | `false`                                                                                                                                         |
 | `nexus.docker.registries`                  | Support multiple Docker registries                                                           | (see below)                                                                                                                                     |
 | `nexus.docker.registries[0].host`          | Host for the Docker registry                                                                 | `cluster.local`                                                                                                                                 |
@@ -159,7 +158,7 @@ The following table lists the configurable parameters of the Nexus chart and the
 | `nexus.hostAliases`                        | Aliases for IPs in /etc/hosts                                                                | []                                                                                                                                              |
 | `nexus.properties.override`                | Set to true to override default nexus.properties                                             | `false`                                                                                                                                         |
 | `nexus.properties.data`                    | A map of custom nexus properties if `override` is set to true                                | `nexus.scripts.allowCreation: true`                                                                                                             |
-| `ingress.enabled`                          | Create an ingress for Nexus Repository                                                                  | `true`                                                                                                                                          |
+| `ingress.enabled`                          | Create an ingress for Nexus Repository                                                       | `false`                                                                                                                                         |
 | `ingress.annotations`                      | Annotations to enhance ingress configuration                                                 | `{kubernetes.io/ingress.class: nginx}`                                                                                                          |
 | `ingress.tls.secretName`                   | Name of the secret storing TLS cert, `false` to use the Ingress' default certificate         | `nexus-tls`                                                                                                                                     |
 | `ingress.path`                             | Path for ingress rules. GCP users should set to `/*`.                                        | `/`                                                                                                                                             |
@@ -201,3 +200,31 @@ The following table lists the configurable parameters of the Nexus chart and the
 By default, a `PersistentVolumeClaim` is created and mounted into the `/nexus-data` directory. In order to disable this functionality, you can change the `values.yaml` to disable persistence, which will use an `emptyDir` instead.
 
 > *"An emptyDir volume is first created when a Pod is assigned to a Node, and exists as long as that Pod is running on that node. When a Pod is removed from a node for any reason, the data in the emptyDir is deleted forever."*
+
+## Using the Image from the Red Hat Registry
+
+To use the [Nexus Repository Manager image available from Red Hat's registry](https://catalog.redhat.com/software/containers/sonatype/nexus-repository-manager/594c281c1fbe9847af657690),
+you'll need to:
+* Load the credentials for the registry as a secret in your cluster
+  ```shell
+  kubectl create secret docker-registry redhat-pull-secret \
+    --docker-server=registry.connect.redhat.com \
+    --docker-username=<user_name> \
+    --docker-password=<password> \
+    --docker-email=<email>
+  ```
+  See Red Hat's [Registry Authentication documentation](https://access.redhat.com/RegistryAuthentication)
+  for further details.
+* Provide the name of the secret in `imagePullSecrets` in this chart's `values.yaml`
+  ```yaml
+  imagePullSecrets:
+    - name: redhat-pull-secret
+  ```
+* Set `image.name` and `image.tag` in `values.yaml`
+  ```yaml
+  image:
+    repository: registry.connect.redhat.com/sonatype/nexus-repository-server
+    tag: 3.39.0-ubi-1
+  ```
+
+---

nexus-repository-manager/templates/deployment.yaml

@@ -48,7 +48,7 @@ spec:
       hostAliases:
         {{ toYaml .Values.nexus.hostAliases | nindent 8 }}
       {{- end }}
-      {{- if .Values.nexus.imagePullSecrets }}
+      {{- with .Values.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
@@ -59,7 +59,14 @@ spec:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
-
+          securityContext:
+            allowPrivilegeEscalation: false
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault
+            capabilities:
+              drop:
+                - ALL
           lifecycle:
           {{- if .Values.deployment.postStart.command }}
             postStart:

nexus-repository-manager/templates/ingress.yaml

@@ -62,6 +62,9 @@ metadata:
       {{- toYaml . | nindent 4 }}
     {{- end }}
 spec:
+  {{- if $.Values.ingress.ingressClassName }}
+  ingressClassName: {{ $.Values.ingress.ingressClassName }}
+  {{- end }}
   tls:
     - hosts:
       - {{ $registry.host | quote }}

nexus-repository-manager/tests/deployment_test.yaml

@@ -36,7 +36,14 @@ tests:
           pattern: sonatype/nexus3:3\.\d+\.\d+
       - equal:
           path: spec.template.spec.containers[0].securityContext
-          value: null
+          value: 
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault
       - equal:
           path: spec.template.spec.containers[0].imagePullPolicy
           value: IfNotPresent
@@ -44,7 +51,12 @@ tests:
           path: spec.template.spec.containers[0].env
           value:
             - name: INSTALL4J_ADD_VM_PARAMS
-              value: -Xms2703M -Xmx2703M -XX:MaxDirectMemorySize=2703M -XX:+UnlockExperimentalVMOptions -XX:+UseCGroupMemoryLimitForHeap
+              value: |-
+                -Xms2703M -Xmx2703M
+                -XX:MaxDirectMemorySize=2703M
+                -XX:+UnlockExperimentalVMOptions
+                -XX:+UseCGroupMemoryLimitForHeap
+                -Djava.util.prefs.userRoot=/nexus-data/javaprefs
             - name: NEXUS_SECURITY_RANDOMPASSWORD
               value: "true"
       - equal:
@@ -83,3 +95,26 @@ tests:
             - name: nexus-repository-manager-data
               persistentVolumeClaim:
                 claimName: RELEASE-NAME-nexus-repository-manager-data
+      - equal:
+          path: spec.template.spec.securityContext
+          value:
+            fsGroup: 200
+            runAsGroup: 200
+            runAsUser: 200
+
+  - it: should use our simple values
+    template: deployment.yaml
+    set:
+      deploymentStrategy: my-strategy
+      imagePullSecrets:
+        - name: top-secret
+    asserts:
+      - hasDocuments:
+          count: 1
+      - equal:
+          path: spec.strategy.type
+          value: my-strategy
+      - equal:
+          path: spec.template.spec.imagePullSecrets
+          value:
+            - name: top-secret

nexus-repository-manager/tests/ingress_test.yaml

@@ -1,3 +1,4 @@
+---
 suite: ingress
 templates:
   - ingress.yaml
@@ -97,7 +98,105 @@ tests:
         equal:
           path: metadata.name
           value: RELEASE-NAME-nexus-repository-manager
+      - documentIndex: 0
+        equal:
+          path: spec
+          value:
+            ingressClassName: nginx
+            rules:
+              - host: repo.demo
+                http:
+                  paths:
+                    - path: /
+                      pathType: Prefix
+                      backend:
+                        service:
+                          name: RELEASE-NAME-nexus-repository-manager
+                          port:
+                            number: 8081
+      - documentIndex: 1
+        equal:
+          path: metadata.name
+          value: RELEASE-NAME-nexus-repository-manager-docker-5000
+      - documentIndex: 1
+        equal:
+          path: spec
+          value:
+            ingressClassName: nginx
+            rules:
+              - host: docker.repo.demo
+                http:
+                  paths:
+                    - path: /
+                      pathType: Prefix
+                      backend:
+                        service:
+                          name: RELEASE-NAME-nexus-repository-manager-docker-5000
+                          port:
+                            number: 5000
+            tls:
+              - hosts:
+                  - docker.repo.demo
+                secretName: registry-secret
+  - it: we can exclude ingressClassName for repo ingress and docker ingress
+    set:
+      ingress:
+        enabled: true
+        ingressClassName: {}
+      nexus:
+        docker:
+          enabled: true
+          registries:
+            - host: docker.repo.demo
+              port: 5000
+              secretName: registry-secret
+    asserts:
+      - hasDocuments:
+          count: 2
+      - isKind:
+          of: Ingress
+      - equal:
+          path: apiVersion
+          value: networking.k8s.io/v1
+      - equal:
+          path: metadata.labels.[app.kubernetes.io/instance]
+          value: RELEASE-NAME
+      - equal:
+          path: metadata.labels.[app.kubernetes.io/managed-by]
+          value: Helm
+      - matchRegex:
+          path: metadata.labels.[app.kubernetes.io/version]
+          pattern: \d+\.\d+\.\d+
+      - matchRegex:
+          path: metadata.labels.[helm.sh/chart]
+          pattern: nexus-repository-manager-\d+\.\d+\.\d+
+      - equal:
+          path: metadata.labels.[app.kubernetes.io/name]
+          value: nexus-repository-manager
+      - equal:
+          path: metadata.annotations
+          value:
+            nginx.ingress.kubernetes.io/proxy-body-size: "0"
 
+      - documentIndex: 0
+        equal:
+          path: metadata.name
+          value: RELEASE-NAME-nexus-repository-manager
+      - documentIndex: 0
+        equal:
+          path: spec
+          value:
+            rules:
+              - host: repo.demo
+                http:
+                  paths:
+                    - path: /
+                      pathType: Prefix
+                      backend:
+                        service:
+                          name: RELEASE-NAME-nexus-repository-manager
+                          port:
+                            number: 8081
       - documentIndex: 1
         equal:
           path: metadata.name
@@ -121,7 +220,6 @@ tests:
               - hosts:
                   - docker.repo.demo
                 secretName: registry-secret
-
   - it: is disabled by default
     asserts:
       - hasDocuments:

nexus-repository-manager/values.yaml

@@ -2,13 +2,16 @@
 statefulset:
   # This is not supported
   enabled: false
-# By default deploymentStrategy is set to rollingUpdate with maxSurge of 25% and maxUnavailable of 25% . you can change type to `Recreate` or can uncomment `rollingUpdate` specification and adjust them to your usage.
 deploymentStrategy: Recreate
 image:
   # Sonatype Official Public Image
   repository: sonatype/nexus3
-  tag: 3.41.1
+  tag: 3.43.0
   pullPolicy: IfNotPresent
+imagePullSecrets:
+# for image registries that require login, specify the name of the existing
+# kubernetes secret
+#   - name: <pull-secret-name>
 
 nexus:
   docker:
@@ -16,12 +19,17 @@ nexus:
     # registries:
     #   - host: chart.local
     #     port: 5000
-    #     secretName: registrySecret
+    #     secretName: registry-secret
   env:
     # minimum recommended memory settings for a small, person instance from
     # https://help.sonatype.com/repomanager3/product-information/system-requirements
     - name: INSTALL4J_ADD_VM_PARAMS
-      value: "-Xms2703M -Xmx2703M -XX:MaxDirectMemorySize=2703M -XX:+UnlockExperimentalVMOptions -XX:+UseCGroupMemoryLimitForHeap"
+      value: |-
+        -Xms2703M -Xmx2703M
+        -XX:MaxDirectMemorySize=2703M
+        -XX:+UnlockExperimentalVMOptions
+        -XX:+UseCGroupMemoryLimitForHeap
+        -Djava.util.prefs.userRoot=/nexus-data/javaprefs
     - name: NEXUS_SECURITY_RANDOMPASSWORD
       value: "true"
   properties:
@@ -72,8 +80,6 @@ nexus:
   #   - "example.com"
   #   - "www.example.com"
 
-
-imagePullSecrets: []
 nameOverride: ""
 fullnameOverride: ""
 

nxrm-aws-resiliency/Chart.yaml

@@ -15,13 +15,13 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 41.1.3
+version: 43.0.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: 3.41.1
+appVersion: 3.43.0
 
 keywords:
   - artifacts

nxrm-aws-resiliency/README.md

@@ -62,6 +62,98 @@ You will also need to complete the steps below. See the referenced AWS documenta
 
 ---
 
+## External-dns
+
+This helm chart uses [external-dns](https://github.com/kubernetes-sigs/external-dns) to create 'A' records in AWS Route 53 for our [Docker subdomain feature](https://help.sonatype.com/repomanager3/nexus-repository-administration/formats/docker-registry/docker-subdomain-connector).
+
+See the ```external-dns.alpha.kubernetes.io/hostname``` annotation in the dockerIngress resource in the values.yaml.
+
+### Permissions for external-dns
+
+Open a terminal that has connectivity to your EKS cluster and run the following commands:
+```
+
+cat <<'EOF' >> external-dns-r53-policy.json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "route53:ChangeResourceRecordSets"
+      ],
+      "Resource": [
+        "arn:aws:route53:::hostedzone/*"
+      ]
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "route53:ListHostedZones",
+        "route53:ListResourceRecordSets"
+      ],
+      "Resource": [
+        "*"
+      ]
+    }
+  ]
+}
+EOF
+
+
+aws iam create-policy --policy-name "AllowExternalDNSUpdates" --policy-document file://external-dns-r53-policy.json
+
+
+POLICY_ARN=$(aws iam list-policies --query 'Policies[?PolicyName==`AllowExternalDNSUpdates`].Arn' --output text)
+
+
+EKS_CLUSTER_NAME=<Your EKS Cluster Name>
+
+
+aws eks describe-cluster --name $EKS_CLUSTER_NAME --query "cluster.identity.oidc.issuer" --output text
+
+
+eksctl utils associate-iam-oidc-provider --cluster $EKS_CLUSTER_NAME --approve
+
+ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text)
+OIDC_PROVIDER=$(aws eks describe-cluster --name $EKS_CLUSTER_NAME --query "cluster.identity.oidc.issuer" --output text | sed -e 's|^https://||')
+```
+
+Note: The value you assign to the 'EXTERNALDNS_NS' variable below should be the same as the one you specify in your values.yaml for namespaces.externaldnsNs
+```
+EXTERNALDNS_NS=nexus-externaldns
+
+cat <<-EOF > externaldns-trust.json
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Principal": {
+                "Federated": "arn:aws:iam::$ACCOUNT_ID:oidc-provider/$OIDC_PROVIDER"
+            },
+            "Action": "sts:AssumeRoleWithWebIdentity",
+            "Condition": {
+                "StringEquals": {
+                    "$OIDC_PROVIDER:sub": "system:serviceaccount:${EXTERNALDNS_NS}:external-dns",
+                    "$OIDC_PROVIDER:aud": "sts.amazonaws.com"
+                }
+            }
+        }
+    ]
+}
+EOF
+
+IRSA_ROLE="nexusrepo-external-dns-irsa-role"
+aws iam create-role --role-name $IRSA_ROLE --assume-role-policy-document file://externaldns-trust.json 
+aws iam attach-role-policy --role-name $IRSA_ROLE --policy-arn $POLICY_ARN
+
+ROLE_ARN=$(aws iam get-role --role-name $IRSA_ROLE --query Role.Arn --output text)
+echo $ROLE_ARN
+```
+
+2. Take note of the ROLE_ARN outputted last above and specify it in your values.yaml for serviceAccount.externaldns.role
+
 ## Deployment
 1. Add the sonatype repo to your helm:
 ```helm repo add sonatype https://sonatype.github.io/helm3-charts/ ```   

nxrm-aws-resiliency/templates/external-dns-rbac.yml

@@ -63,4 +63,4 @@ spec:
             - --txt-owner-id=external-dns
           env:
             - name: AWS_DEFAULT_REGION
-              value: {{ .Values.deployment.clusterRegion }}
+              value: {{ .Values.statefulset.clusterRegion }}

nxrm-aws-resiliency/templates/fluent-bit.yaml

@@ -39,12 +39,12 @@ metadata:
   name: fluent-bit-cluster-info
   namespace: {{ .Values.namespaces.cloudwatchNs }}
 data:
-  cluster.name: {{ .Values.deployment.clusterName }}
+  cluster.name: {{ .Values.statefulset.clusterName }}
   http.server: "On"
   http.port: "2020"
   read.head: "Off"
   read.tail: "On"
-  logs.region: {{ .Values.deployment.logsRegion }}
+  logs.region: {{ .Values.statefulset.logsRegion }}
 ---
 apiVersion: v1
 kind: ConfigMap
@@ -77,7 +77,7 @@ data:
     [INPUT]
         Name                tail
         Tag                 nexus.nexus-log
-        Path                /var/log/containers/{{ .Chart.Name }}-{{ .Chart.Version }}.{{ .Release.Name }}-nxrm.deployment*{{ .Values.namespaces.nexusNs }}_nxrm-app-*.log
+        Path                /var/log/containers/{{ .Chart.Name }}-{{ .Chart.Version  | replace "." "-" }}-{{ .Release.Name }}-{{ .Values.statefulset.name }}*{{ .Values.namespaces.nexusNs }}_nxrm-app-*.log
         Parser              docker
         DB                  /var/fluent-bit/state/flb_container.db
         Mem_Buf_Limit       5MB
@@ -112,7 +112,7 @@ data:
     [INPUT]
         Name                tail
         Tag                 nexus.request-log
-        Path                /var/log/containers/{{ .Chart.Name }}-{{ .Chart.Version }}.{{ .Release.Name }}-nxrm.deployment*{{ .Values.namespaces.nexusNs }}_request-log-*.log
+        Path                /var/log/containers/{{ .Chart.Name }}-{{ .Chart.Version  | replace "." "-" }}-{{ .Release.Name }}-{{ .Values.statefulset.name }}*{{ .Values.namespaces.nexusNs }}_request-log-*.log
         Parser              docker
         DB                  /var/fluent-bit/state/flb_container.db
         Mem_Buf_Limit       5MB
@@ -147,7 +147,7 @@ data:
     [INPUT]
         Name                tail
         Tag                 nexus.audit-log
-        Path                /var/log/containers/{{ .Chart.Name }}-{{ .Chart.Version }}.{{ .Release.Name }}-nxrm.deployment*{{ .Values.namespaces.nexusNs }}_audit-log-*.log
+        Path                /var/log/containers/{{ .Chart.Name }}-{{ .Chart.Version  | replace "." "-" }}-{{ .Release.Name }}-{{ .Values.statefulset.name }}*{{ .Values.namespaces.nexusNs }}_audit-log-*.log
         Parser              docker
         DB                  /var/fluent-bit/state/flb_container.db
         Mem_Buf_Limit       5MB
@@ -182,7 +182,7 @@ data:
     [INPUT]
         Name                tail
         Tag                 nexus.tasks-log
-        Path                /var/log/containers/{{ .Chart.Name }}-{{ .Chart.Version }}.{{ .Release.Name }}-nxrm.deployment*{{ .Values.namespaces.nexusNs }}_tasks-log-*.log
+        Path                /var/log/containers/{{ .Chart.Name }}-{{ .Chart.Version  | replace "." "-" }}-{{ .Release.Name }}-{{ .Values.statefulset.name }}*{{ .Values.namespaces.nexusNs }}_tasks-log-*.log
         Parser              docker
         DB                  /var/fluent-bit/state/flb_container.db
         Mem_Buf_Limit       5MB
@@ -263,7 +263,7 @@ spec:
     spec:
       containers:
         - name: fluent-bit
-          image: amazon/aws-for-fluent-bit:{{ .Values.deployment.fluentBitVersion }}
+          image: amazon/aws-for-fluent-bit:{{ .Values.statefulset.fluentBitVersion }}
           imagePullPolicy: Always
           env:
             - name: AWS_REGION

nxrm-aws-resiliency/templates/pv.yaml

@@ -1,28 +0,0 @@
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: {{ .Chart.Name }}-{{ .Chart.Version }}.{{ .Release.Name }}-ebs-pv
-spec:
-  capacity:
-    storage: {{ .Values.pv.storage }}
-  volumeMode: Filesystem
-  accessModes:
-  - {{ .Values.pv.accessModes }}
-  persistentVolumeReclaimPolicy: {{ .Values.pv.reclaimPolicy }}
-  storageClassName: local-storage
-  local:
-    path: {{ .Values.pv.path }}
-  nodeAffinity:
-    required:
-      nodeSelectorTerms:
-      - matchExpressions:
-        - key: topology.kubernetes.io/zone
-          operator: In
-          values:
-          {{- range $zone  := .Values.pv.zones }}
-          - {{ $zone }} 
-          {{- end }}  
-
-          
-          
-         

nxrm-aws-resiliency/templates/pvc.yaml

@@ -1,12 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: {{ .Chart.Name }}-{{ .Chart.Version }}.{{ .Release.Name }}-ebs-claim
-  namespace: {{ .Values.namespaces.nexusNs }}
-spec:
-  accessModes:
-    - {{ .Values.pvc.accessModes }}
-  storageClassName: local-storage
-  resources:
-    requests:
-      storage: {{ .Values.pvc.storage }}

nxrm-aws-resiliency/templates/statefulset.yaml

@@ -1,12 +1,13 @@
 apiVersion: apps/v1
-kind: Deployment
+kind: StatefulSet
 metadata:
-  name: {{ .Chart.Name }}-{{ .Chart.Version }}.{{ .Release.Name }}-{{ .Values.deployment.name }}
+  name: {{ .Chart.Name }}-{{ .Chart.Version  | replace "." "-"}}-{{ .Release.Name }}-{{ .Values.statefulset.name }}
   namespace: {{ .Values.namespaces.nexusNs }}
   labels:
     app: nxrm
 spec:
   replicas: 1
+  serviceName: "{{ .Chart.Name }}-{{ .Chart.Version  | replace "." "-"}}-{{ .Release.Name }}-{{ .Values.statefulset.name }}"
   selector:
     matchLabels:
       app: nxrm
@@ -21,7 +22,7 @@ spec:
         # otherwise the side car containers will crash a couple of times and backoff whilst waiting
         # for nxrm-app to start and this increases the total start up time.
         - name: chown-nexusdata-owner-to-nexus-and-init-log-dir
-          image: {{ .Values.deployment.initContainer.image.repository }}:{{ .Values.deployment.initContainer.image.tag }}
+          image: {{ .Values.statefulset.initContainer.image.repository }}:{{ .Values.statefulset.initContainer.image.tag }}
           command: [/bin/sh]
           args:
             - -c
@@ -34,19 +35,20 @@ spec:
               touch -a /nexus-data/log/request.log &&
               chown -R '200:200' /nexus-data
           volumeMounts:
-            - name: nexusdata
+            - name: nexus-data
               mountPath: /nexus-data
+      terminationGracePeriodSeconds: 20
       containers:
         - name: nxrm-app
-          image: {{ .Values.deployment.container.image.repository }}:{{ .Values.deployment.container.image.tag }}
+          image: {{ .Values.statefulset.container.image.repository }}:{{ .Values.statefulset.container.image.tag }}
           securityContext:
             runAsUser: 200
-          imagePullPolicy: {{ .Values.deployment.container.pullPolicy }}
+          imagePullPolicy: {{ .Values.statefulset.container.pullPolicy }}
           ports:
-            - containerPort: {{ .Values.deployment.container.containerPort }}
+            - containerPort: {{ .Values.statefulset.container.containerPort }}
           env:
             - name: DB_NAME
-              value: "{{ .Values.deployment.container.env.nexusDBName }}"
+              value: "{{ .Values.statefulset.container.env.nexusDBName }}"
             - name: DB_PASSWORD
               valueFrom:
                 secretKeyRef:
@@ -70,41 +72,38 @@ spec:
             - name: NEXUS_SECURITY_RANDOMPASSWORD
               value: "false"
             - name: INSTALL4J_ADD_VM_PARAMS
-              value: "-Xms2703m -Xmx2703m -XX:MaxDirectMemorySize=2703m -Dnexus.licenseFile=/nxrm-secrets/{{ .Values.secret.license.alias }} \
+              value: "{{ .Values.statefulset.container.env.install4jAddVmParams }} -Dnexus.licenseFile=/nxrm-secrets/{{ .Values.secret.license.alias }} \
           -Dnexus.datastore.enabled=true -Djava.util.prefs.userRoot=${NEXUS_DATA}/javaprefs \
-          -Dnexus.datastore.nexus.jdbcUrl=jdbc:postgresql://${DB_HOST}:{{ .Values.deployment.container.env.nexusDBPort }}/${DB_NAME} \
+          -Dnexus.datastore.nexus.jdbcUrl=jdbc:postgresql://${DB_HOST}:{{ .Values.statefulset.container.env.nexusDBPort }}/${DB_NAME} \
           -Dnexus.datastore.nexus.username=${DB_USER} \
           -Dnexus.datastore.nexus.password=${DB_PASSWORD}"
           volumeMounts:
             - mountPath: /nxrm-secrets
               name: nxrm-secrets
-            - name: nexusdata
+            - name: nexus-data
               mountPath: /nexus-data
             - name: logback-tasklogfile-override
               mountPath: /nexus-data/etc/logback/logback-tasklogfile-appender-override.xml
               subPath: logback-tasklogfile-appender-override.xml
         - name: request-log
-          image: {{ .Values.deployment.requestLogContainer.image.repository }}:{{ .Values.deployment.requestLogContainer.image.tag }}
+          image: {{ .Values.statefulset.requestLogContainer.image.repository }}:{{ .Values.statefulset.requestLogContainer.image.tag }}
           args: [/bin/sh, -c, 'tail -n+1 -F /nexus-data/log/request.log']
           volumeMounts:
-            - name: nexusdata
+            - name: nexus-data
               mountPath: /nexus-data
         - name: audit-log
-          image: {{ .Values.deployment.auditLogContainer.image.repository }}:{{ .Values.deployment.auditLogContainer.image.tag }}
+          image: {{ .Values.statefulset.auditLogContainer.image.repository }}:{{ .Values.statefulset.auditLogContainer.image.tag }}
           args: [/bin/sh, -c, 'tail -n+1 -F /nexus-data/log/audit/audit.log']
           volumeMounts:
-            - name: nexusdata
+            - name: nexus-data
               mountPath: /nexus-data
         - name: tasks-log
-          image: {{ .Values.deployment.taskLogContainer.image.repository }}:{{ .Values.deployment.taskLogContainer.image.tag }}
+          image: {{ .Values.statefulset.taskLogContainer.image.repository }}:{{ .Values.statefulset.taskLogContainer.image.tag }}
           args: [/bin/sh, -c, 'tail -n+1 -F /nexus-data/log/tasks/allTasks.log']
           volumeMounts:
-            - name: nexusdata
+            - name: nexus-data
               mountPath: /nexus-data
       volumes:
-        - name: nexusdata
-          persistentVolumeClaim:
-            claimName: {{ .Chart.Name }}-{{ .Chart.Version }}.{{ .Release.Name }}-ebs-claim
         - name: nxrm-secrets
           csi:
             driver: secrets-store.csi.k8s.io
@@ -118,3 +117,12 @@ spec:
             items:
               - key: logback-tasklogfile-appender-override.xml
                 path: logback-tasklogfile-appender-override.xml
+  volumeClaimTemplates:
+    - metadata:
+        name: nexus-data
+      spec:
+        accessModes: [ "{{.Values.pvc.accessModes }}" ]
+        storageClassName: "{{ .Chart.Name }}-{{ .Chart.Version}}-{{ .Release.Name }}-ebs-storage"
+        resources:
+          requests:
+            storage: {{.Values.pvc.storage }}

nxrm-aws-resiliency/templates/storageclass.yaml

@@ -1,7 +1,11 @@
 apiVersion: storage.k8s.io/v1
 kind: StorageClass
 metadata:
-  name: {{ .Chart.Name }}-{{ .Chart.Version }}.{{ .Release.Name }}-local-storage
+  name: "{{ .Chart.Name }}-{{ .Chart.Version}}-{{ .Release.Name }}-ebs-storage"
   namespace: {{ .Values.namespaces.nexusNs }}
-provisioner: kubernetes.io/no-provisioner
+provisioner: kubernetes.io/aws-ebs
+parameters:
+  type: io1
+  fsType: "ext4"
+  iopsPerGB: "{{ .Values.storageClass.iopsPerGB }}"
 volumeBindingMode: WaitForFirstConsumer

nxrm-aws-resiliency/values.yaml

@@ -6,9 +6,9 @@ namespaces:
 externaldns:
   domainFilter: example.com #your root domain e.g example.com
   awsZoneType: private # hosted zone to look at (valid values are public, private or no value for both)
-deployment:
+statefulset:
   clusterRegion: us-east-1
-  name: nxrm.deployment
+  name: nxrm-statefulset
   clusterName: nxrm-nexus
   logsRegion: us-east-1
   fluentBitVersion: 2.28.0
@@ -19,12 +19,13 @@ deployment:
   container:
     image:
       repository: sonatype/nexus3
-      tag: 3.41.1
+      tag: 3.44.0
     containerPort: 8081
     pullPolicy: IfNotPresent
     env:
       nexusDBName: nexus
       nexusDBPort: 3306
+      install4jAddVmParams: "-Xms2703m -Xmx2703m"
   requestLogContainer:
     image:
       repository: busybox
@@ -58,16 +59,13 @@ ingress:
       alb.ingress.kubernetes.io/subnets: subnet-1,subnet-2 #comma separated list of subnet ids, comment out if you don't use docker repositories
       alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]' #comment out if you don't use docker repositories
       alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:0000000000000:certificate/00000000-1111-2222-3333-444444444444  # Comment out if you don't use docker repositories - The AWS Certificate Manager ARN for your HTTPS certificate
-      external-dns.alpha.kubernetes.io/hostname: dockerrepo1.example.com, dockerrepo2.example.com, dockerrepo3.example.com # Add more docker subdomains using dockerrepoName.example.com othereise comment out if you don't use docker repositories
+      external-dns.alpha.kubernetes.io/hostname: dockerrepo1.example.com, dockerrepo2.example.com, dockerrepo3.example.com # Add more docker subdomains using dockerrepoName.example.com otherwise comment out if you don't use docker repositories
-pv:
+storageClass:
-  storage: 120Gi
-  volumeMode: Filesystem
-  accessModes: ReadWriteOnce
-  reclaimPolicy: Retain
-  path: /mnt
   zones:
-    zone1: us-east-1a
+    zone1: zone1
-    zone2: us-east-1b
+    zone2: zone2
+    zone3: zone3
+  iopsPerGB: "10"
 pvc:
   accessModes: ReadWriteOnce
   storage: 100Gi