Helm Chart for a Resilient Nexus Repository Deployment in AWS
This Helm chart configures the Kubernetes resources that are needed for a resilient Nexus Repository deployment on AWS as described in our documented single-node cloud resilient deployment example using AWS.
Use the checklist below to determine if this Helm chart is suitable for your deployment needs.
When to Use This Helm Chart
Use this Helm chart if you are doing any of the following:
- Deploying Nexus Repository Pro to an AWS cloud environment with the desire for automatic failover across Availability Zones (AZs) within a single region
- Planning to configure a single Nexus Repository Pro instance within your Kubernetes/EKS cluster with two or more nodes spread across different AZs within an AWS region
- Using an external PostgreSQL database
Note
: A Nexus Repository Pro license is required for our resilient deployment options. Your Nexus Repository Pro license file must be stored externally as mounted from AWS Secrets AWS (required).
Prerequisites for This Chart
In order to set up an environment like the one illustrated above and described in this section, you will need the following:
- Kubernetes 1.19+
- kubectl
- Helm 3
- A Nexus Repository Pro license
- An AWS account with permissions for accessing the following AWS services:
- Elastic Kubernetes Service (EKS)
- Relational Database Service (RDS) for PostgreSQL
- Application Load Balancer (ALB)
- CloudWatch
- Simple Storage Service (S3)
- Secrets Manager
 
You will also need to complete the steps below. See the referenced AWS documentation for detailed configuration steps. Also see our resiliency documentation for more details about why these steps are necessary and how each AWS solution functions within a resilient deployment:
- Configure an EKS cluster - AWS documentation for managed nodes (i.e., EC2)
- Create an Aurora database cluster - AWS documentation for creating an Aurora database cluster
- Deploy the AWS Load Balancer Controller (LBC) to your EKS cluster - AWS documentation for deploying the AWS LBC to your EKS cluster
- Install AWS Secrets Store CSI drivers - You need to create an IAM service account using the eksctl create iamserviceaccountcommand. Before proceeding, read the points below as they contain important required steps to ensure this helm chart will work for you:
- You must include two additional command parameters when running the command: --role-onlyand--namespace <nexusrepo namespace>- It is important to include the --role-onlyoption in theeksctl create iamserviceaccountcommand so that the helm chart manages the Kubernetes service account.
 
- It is important to include the 
- The namespace you specify to the eksctl create iamserviceaccountmust be the same namespace into which you will deploy the Nexus Repository pod.
 - Although the namespace does not exist at this point, you must specify it as part of the command. Do not create that namespace manually beforehand; the helm chart will create and manage it.
- You should specify this same namespace as the value of nexusNsin your values.yaml.
 
- Follow the instructions provided in the AWS Secrets Store CSI drivers documentation to install the AWS Secrets Store CSI drivers; ensure that you follow the additional instructions in the bullets above when you reach the eksctl create iamserviceaccountcommand on that page.
- Ensure that your EKS nodes are granted CloudWatchFullAccess and CloudWatchAgentServerPolicy IAM policies. This Helm chart will configure Fluentbit for log externalisation to CloudWatch.
External-dns
This helm chart uses external-dns to create 'A' records in AWS Route 53 for our Docker subdomain feature.
See the external-dns.alpha.kubernetes.io/hostname annotation in the dockerIngress resource in the values.yaml.
Permissions for external-dns
Open a terminal that has connectivity to your EKS cluster and run the following commands:
cat <<'EOF' >> external-dns-r53-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "route53:ChangeResourceRecordSets"
      ],
      "Resource": [
        "arn:aws:route53:::hostedzone/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "route53:ListHostedZones",
        "route53:ListResourceRecordSets"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
EOF
aws iam create-policy --policy-name "AllowExternalDNSUpdates" --policy-document file://external-dns-r53-policy.json
POLICY_ARN=$(aws iam list-policies --query 'Policies[?PolicyName==`AllowExternalDNSUpdates`].Arn' --output text)
EKS_CLUSTER_NAME=<Your EKS Cluster Name>
aws eks describe-cluster --name $EKS_CLUSTER_NAME --query "cluster.identity.oidc.issuer" --output text
eksctl utils associate-iam-oidc-provider --cluster $EKS_CLUSTER_NAME --approve
ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text)
OIDC_PROVIDER=$(aws eks describe-cluster --name $EKS_CLUSTER_NAME --query "cluster.identity.oidc.issuer" --output text | sed -e 's|^https://||')
Note: The value you assign to the 'EXTERNALDNS_NS' variable below should be the same as the one you specify in your values.yaml for namespaces.externaldnsNs
EXTERNALDNS_NS=nexus-externaldns
cat <<-EOF > externaldns-trust.json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::$ACCOUNT_ID:oidc-provider/$OIDC_PROVIDER"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "$OIDC_PROVIDER:sub": "system:serviceaccount:${EXTERNALDNS_NS}:external-dns",
                    "$OIDC_PROVIDER:aud": "sts.amazonaws.com"
                }
            }
        }
    ]
}
EOF
IRSA_ROLE="nexusrepo-external-dns-irsa-role"
aws iam create-role --role-name $IRSA_ROLE --assume-role-policy-document file://externaldns-trust.json 
aws iam attach-role-policy --role-name $IRSA_ROLE --policy-arn $POLICY_ARN
ROLE_ARN=$(aws iam get-role --role-name $IRSA_ROLE --query Role.Arn --output text)
echo $ROLE_ARN
- Take note of the ROLE_ARN outputted last above and specify it in your values.yaml for serviceAccount.externaldns.role
Deployment
- Add the sonatype repo to your helm:
helm repo add sonatype https://sonatype.github.io/helm3-charts/
- Ensure you have updated your values.yaml with appropriate values for your environment.
- Note that you can specify Ingress annotations via the values.yaml.
- If you wish to add Labels, you can do so via kubectl. See the kubectl Cheat Sheet for specific commands.
- Install the chart using the following:
helm install nxrm sonatype/nxrm-aws-resiliency -f values.yaml
- Get the Nexus Repository link using the following:
kubectl get ingresses -n nexusrepo
Health Check
You can use the following commands to perform various health checks:
See a list of releases:
helm list
Check pods using the following:
kubectl get pods -n nexusrepo
Check the Nexus Repository logs with the following:
kubectl logs <pod_name> -n nexusrepo nxrm-app
Check if the pod is OK by using the following; you shouldn't see any error/warning messages:
kubectl describe pod <pod_name> -n nexusrepo
Check if ingress is OK using the following:
kubectl describe ingress <ingress_name> -n nexusrepo
Check that the Fluent Bit pod is sending events to CloudWatch using the following:
kubectl logs -n amazon-cloudwatch <fluent-bit pod id>
If the above returns without error, then check CloudWatch for the /aws/containerinsights/<eks cluster name>/nexus-logs log group, which should contain four log streams.
Uninstall
To uninstall the deployment, use the following:
helm uninstall nxrm
After removing the deployment, ensure that the namespace is deleted and that Nexus Repository is not listed when using the following:
helm list
