fix(nexus3): Fixed volume claim template labels (#1066)

Signed-off-by: Steve Hipwell <[email protected]>
stevehipwell · Oct 24, 2024 · 0000838 · 0000838
1 parent 4016f6e
commit 0000838
Show file tree

Hide file tree

Showing 6 changed files with 136 additions and 108 deletions.
diff --git a/charts/nexus3/CHANGELOG.md b/charts/nexus3/CHANGELOG.md
@@ -14,19 +14,36 @@
 
 ## [UNRELEASED]
 
+## [v5.2.0] - 2024-10-24
+
+> [!IMPORTANT]
+> If you're upgrading to this version you will need to run `kubectl --namespace <namespace> delete statefulset <name> --cascade=orphan` before upgrading as there was a bug in previous versions of this chart that incorrectly labeled the volume claim template.
+
+### Changed
+
+- Changed the order of the initialization scripts to allow creating roles based on repository privileges. ([#xxxx](https://github.com/stevehipwell/helm-charts/pull/xxxx)) _@stevehipwell_ & _@mreiche_
+- Improved docs for config with reference to the API documentation. ([#xxxx](https://github.com/stevehipwell/helm-charts/pull/xxxx)) _@stevehipwell_ & _@mreiche_
+
 ### Fixed
 
-- Fix ldap config missing argument
+- Fixed LDAP templating incorrectly using `toJson` without passing in the data resulting in no configuration to apply. ([#1064](https://github.com/stevehipwell/helm-charts/pull/1064)) _@KuroXII_
+- Fixed incorrect labeling on the volume claim template. ([#xxxx](https://github.com/stevehipwell/helm-charts/pull/xxxx)) _@stevehipwell_
 
 ## [v5.1.0] - 2024-10-14
 
+> [!CAUTION]
+> Don't use this version, there is a bug in the logic for creating the `StatefulSet` volume; please use [`5.2.0`](https://github.com/stevehipwell/helm-charts/releases/tag/nexus3-5.2.0).
+
 ### Changed
 
 - Updated the _Nexus3_ OCI image to [v3.73.0](https://github.com/sonatype/nexus-public/releases/tag/release-3.73.0-12). _@stevehipwell_
 - Updated plugin install logic to show status and fail if the plugin can't be installed. _@EugenMayer_
 
 ## [v5.0.0] - 2024-09-10
 
+> [!CAUTION]
+> Don't use this version, there is a bug in the logic for creating the `StatefulSet` volume; please use [`5.2.0`](https://github.com/stevehipwell/helm-charts/releases/tag/nexus3-5.2.0).
+
 > [!WARNING]
 > The release contains multiple breaking changes including removing support for OrientDB, please pay attention to the removals section. If you were previously using OrientDB you need to make sure you follow the [upgrade guide](https://help.sonatype.com/en/upgrading-to-nexus-repository-3-71-0-and-beyond.html) before upgrading to this version.
 
@@ -713,6 +730,7 @@ RELEASE LINKS
 -->
 
 [UNRELEASED]: https://github.com/stevehipwell/helm-charts/tree/main/charts/nexus3
+[v5.2.0]: https://github.com/stevehipwell/helm-charts/releases/tag/nexus3-5.2.0
 [v5.1.0]: https://github.com/stevehipwell/helm-charts/releases/tag/nexus3-5.1.0
 [v5.0.0]: https://github.com/stevehipwell/helm-charts/releases/tag/nexus3-5.0.0
 [v4.45.1]: https://github.com/stevehipwell/helm-charts/releases/tag/nexus3-4.45.1

diff --git a/charts/nexus3/Chart.yaml b/charts/nexus3/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: nexus3
 description: Helm chart for Sonatype Nexus 3 OSS.
 type: application
-version: 5.1.0
+version: 5.2.0
 appVersion: 3.73.0
 home: https://www.sonatype.com/products/sonatype-nexus-repository
 icon: https://raw.githubusercontent.com/stevehipwell/helm-charts/main/charts/nexus3/icon.png
@@ -24,4 +24,10 @@ annotations:
   artifacthub.io/alternativeName: nexus
   artifacthub.io/changes: |
     - kind: changed
-      description: "Updated the _Nexus3_ OCI image to [v3.73.0](https://github.com/sonatype/nexus-public/releases/tag/release-3.73.0-12)."
+      description: "Changed the order of the initialization scripts to allow creating roles based on repository privileges."
+    - kind: changed
+      description: "Improved docs for config with reference to the API documentation."
+    - kind: fixed
+      description: "Fixed LDAP templating incorrectly using `toJson` without passing in the data resulting in no configuration to apply."
+    - kind: fixed
+      description: "Fixed incorrect labeling on the volume claim template."
diff --git a/charts/nexus3/README.md b/charts/nexus3/README.md
@@ -1,6 +1,6 @@
 # nexus3
 
-![Version: 5.1.0](https://img.shields.io/badge/Version-5.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 3.73.0](https://img.shields.io/badge/AppVersion-3.73.0-informational?style=flat-square)
+![Version: 5.2.0](https://img.shields.io/badge/Version-5.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 3.73.0](https://img.shields.io/badge/AppVersion-3.73.0-informational?style=flat-square)
 
 Helm chart for Sonatype Nexus 3 OSS.
 
@@ -25,15 +25,15 @@ Helm chart for Sonatype Nexus 3 OSS.
 To install the chart using the recommended OCI method you can use the following command.
 
 ```shell
-helm upgrade --install nexus3 oci://ghcr.io/stevehipwell/helm-charts/nexus3 --version 5.1.0
+helm upgrade --install nexus3 oci://ghcr.io/stevehipwell/helm-charts/nexus3 --version 5.2.0
 ```
 
 #### Verification
 
 As the OCI chart release is signed by [Cosign](https://github.com/sigstore/cosign) you can verify the chart before installing it by running the following command.
 
 ```shell
-cosign verify --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp 'https://github\.com/action-stars/helm-workflows/\.github/workflows/release\.yaml@.+' --certificate-github-workflow-repository stevehipwell/helm-charts --certificate-github-workflow-name Release ghcr.io/stevehipwell/helm-charts/nexus3:5.1.0
+cosign verify --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp 'https://github\.com/action-stars/helm-workflows/\.github/workflows/release\.yaml@.+' --certificate-github-workflow-repository stevehipwell/helm-charts --certificate-github-workflow-name Release ghcr.io/stevehipwell/helm-charts/nexus3:5.2.0
 ```
 
 ### Non-OCI Repository
@@ -42,7 +42,7 @@ Alternatively you can use the legacy non-OCI method via the following commands.
 
 ```shell
 helm repo add stevehipwell https://stevehipwell.github.io/helm-charts/
-helm upgrade --install nexus3 stevehipwell/nexus3 --version 5.1.0
+helm upgrade --install nexus3 stevehipwell/nexus3 --version 5.2.0
 ```
 
 ## Values
@@ -57,10 +57,11 @@ helm upgrade --install nexus3 stevehipwell/nexus3 --version 5.1.0
 | caCerts.enabled | bool | `false` | If `true`, add the CA certificates in the provided secret to the JVM cacerts key store. |
 | caCerts.secret | string | `nil` | Name of the secret containing the CA certificates. |
 | commonLabels | object | `{}` | Labels to add to all chart resources. |
-| config.anonymous | object | `{"enabled":false,"roles":["nx-anonymous","nx-metrics"]}` | Anonymous access configuration. |
-| config.blobStores | list | `[]` | Blob store configuration. |
+| config.anonymous.enabled | bool | `false` | If `true`, enable anonymous access. |
+| config.anonymous.roles | list | `["nx-anonymous","nx-metrics"]` | Roles for anonymous access. |
+| config.blobStores | list | `[]` | Blob store configuration; based on the REST API (API reference docs require an existing Nexus installation and can be found at **Administration** under _System_ → _API_). |
 | config.cleanup | list | `[]` | Cleanup configuration. |
-| config.enabled | bool | `false` | If `true`, enable the configuration Job. |
+| config.enabled | bool | `false` | If `true` & `rootPassword.secret` is set, enable the configuration Job. |
 | config.job.affinity | object | `{}` | Affinity settings for scheduling the config job. |
 | config.job.image.digest | string | `nil` | Optional image digest for the config container. |
 | config.job.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy for config container. |
@@ -69,14 +70,15 @@ helm upgrade --install nexus3 stevehipwell/nexus3 --version 5.1.0
 | config.job.nodeSelector | object | `{}` | Node labels to match for scheduling the config job. |
 | config.job.tolerations | list | `[]` | Node taints which will be tolerated for scheduling the config job. |
 | config.job.ttlSecondsAfterFinished | int | `600` | The number of seconds to keep the config job after it's finished. |
-| config.ldap | object | `{"authPassword":{"key":null,"secret":null},"authRealm":null,"authScheme":"simple","authUsername":null,"connectionRetryDelaySeconds":300,"connectionTimeoutSeconds":30,"enabled":false,"groupBaseDn":null,"groupIdAttribute":null,"groupMemberAttribute":null,"groupMemberFormat":null,"groupObjectClass":null,"groupSubtree":false,"groupType":"dynamic","host":null,"ldapGroupsAsRoles":false,"maxIncidentsCount":3,"name":null,"port":636,"protocol":"ldaps","searchBase":null,"useTrustStore":true,"userBaseDn":null,"userEmailAddressAttribute":"email","userIdAttribute":"sAMAccountName","userLdapFilter":null,"userMemberOfAttribute":"memberOf","userObjectClass":"user","userPasswordAttribute":null,"userRealNameAttribute":"cn","userSubtree":false}` | LDAP configuration. |
-| config.realms | object | `{"enabled":false,"values":[]}` | Realms configuration. |
+| config.ldap | object | `{"authPassword":{"key":null,"secret":null},"authRealm":null,"authScheme":"simple","authUsername":null,"connectionRetryDelaySeconds":300,"connectionTimeoutSeconds":30,"enabled":false,"groupBaseDn":null,"groupIdAttribute":null,"groupMemberAttribute":null,"groupMemberFormat":null,"groupObjectClass":null,"groupSubtree":false,"groupType":"dynamic","host":null,"ldapGroupsAsRoles":false,"maxIncidentsCount":3,"name":null,"port":636,"protocol":"ldaps","searchBase":null,"useTrustStore":true,"userBaseDn":null,"userEmailAddressAttribute":"email","userIdAttribute":"sAMAccountName","userLdapFilter":null,"userMemberOfAttribute":"memberOf","userObjectClass":"user","userPasswordAttribute":null,"userRealNameAttribute":"cn","userSubtree":false}` | LDAP configuration; based on the REST API (API reference docs require an existing Nexus installation and can be found at **Administration** under _System_ → _API_). |
+| config.realms.enabled | bool | `false` | If `true`, enable realms. |
+| config.realms.values | list | `[]` | List of realms to configure; can be empty or contain any of `NexusAuthenticatingRealm`, `LdapRealm`, `DockerToken`, `NpmToken`, `NuGetApiKey` or `rutauth-realm`. |
 | config.repoCredentials.enabled | bool | `false` | If `true`, enable repository credentials. |
 | config.repoCredentials.secret | string | `nil` | Name of the secret containing the repository credentials. |
-| config.repos | list | `[]` | Repository configuration. |
-| config.roles | list | `[]` | Roles configuration. |
+| config.repos | list | `[]` | Repository configuration; based on the REST API (API reference docs require an existing Nexus installation and can be found at **Administration** under _System_ → _API_) but with `format` & `type` defined in the object. |
+| config.roles | list | `[]` | Roles configuration; based on the REST API (API reference docs require an existing Nexus installation and can be found at **Administration** under _System_ → _API_). |
 | config.tasks | list | `[]` | Task configuration. |
-| config.users | list | `[]` | Users configuration. |
+| config.users | list | `[]` | Users configuration; based on the REST API (API reference docs require an existing Nexus installation and can be found at **Administration** under _System_ → _API_). |
 | env | list | `[]` | Environment variables for the default container. |
 | extraInitContainers | list | `[]` | Extra init container to run before the default container. |
 | extraVolumeMounts | list | `[]` | Extra volume mounts for the default container. |

diff --git a/charts/nexus3/scripts/configure.sh b/charts/nexus3/scripts/configure.sh
@@ -53,90 +53,6 @@ if [[ -f "${json_file}" ]]; then
   echo "Realms configured."
 fi
 
-echo "Configuring roles..."
-for json_file in "${CONFIG_DIR}"/conf/*-role.json; do
-  if [[ -f "${json_file}" ]]; then
-    id="$(jq -r '.id' "${json_file}")"
-    source="$(jq -r '.source' "${json_file}")"
-
-    status_code=$(curl -sS -o /dev/null -w "%{http_code}" -X GET -H 'Content-Type: application/json' -u "${NEXUS_USER}:${password}" "${NEXUS_HOST}/service/rest/v1/security/roles/${id}?source=${source}")
-    if [[ "${status_code}" -eq 200 ]]; then
-      status_code="$(curl -sS -o /dev/null -w "%{http_code}" -X PUT -H 'Content-Type: application/json' -u "${NEXUS_USER}:${password}" -d "@${json_file}" "${NEXUS_HOST}/service/rest/v1/security/roles/${id}")"
-      if [[ "${status_code}" -ne 204 ]]; then
-        error "Could not update role '${id}'."
-      fi
-    else
-      status_code="$(curl -sS -o /dev/null -w "%{http_code}" -X POST -H 'Content-Type: application/json' -u "${NEXUS_USER}:${password}" -d "@${json_file}" "${NEXUS_HOST}/service/rest/v1/security/roles")"
-      if [[ "${status_code}" -ne 200 ]]; then
-        error "Could not create role '${id}'."
-      fi
-    fi
-
-    echo "Role '${id}' configured."
-  fi
-done
-
-echo "Configuring users..."
-for json_file in "${CONFIG_DIR}"/conf/*-user.json; do
-  if [[ -f "${json_file}" ]]; then
-    id="$(jq -r '.userId' "${json_file}")"
-    source="$(jq -r '.source' "${json_file}")"
-
-    out_file="$(mktemp -p "${tmp_dir}")"
-    status_code=$(curl -sS -o "${out_file}" -w "%{http_code}" -X GET -H 'Content-Type: application/json' -u "${NEXUS_USER}:${password}" "${NEXUS_HOST}/service/rest/v1/security/users/?userId=${id}&source=${source}")
-    if [[ "${status_code}" -eq 200 ]] && [[ -n "$(jq -r 'first(.[]).userId // empty' "${out_file}")" ]]; then
-      status_code="$(curl -sS -o /dev/null -w "%{http_code}" -X PUT -H 'Content-Type: application/json' -u "${NEXUS_USER}:${password}" -d "@${json_file}" "${NEXUS_HOST}/service/rest/v1/security/users/${id}")"
-      if [[ "${status_code}" -ne 204 ]]; then
-        error "Could not update user '${id}'."
-      fi
-    else
-      tmp_file="$(mktemp -p "${tmp_dir}")"
-      jq -r --arg password "$(echo "${RANDOM}" | md5sum | head -c 20)" '. + {password: $password}' "${json_file}" >"${tmp_file}"
-      json_file="${tmp_file}"
-
-      status_code="$(curl -sS -o /dev/null -w "%{http_code}" -X POST -H 'Content-Type: application/json' -u "${NEXUS_USER}:${password}" -d "@${json_file}" "${NEXUS_HOST}/service/rest/v1/security/users")"
-      if [[ "${status_code}" -ne 200 ]]; then
-        error "Could not create user '${id}'."
-      fi
-    fi
-
-    echo "User '${id}' configured."
-  fi
-done
-
-json_file="${CONFIG_DIR}/conf/ldap.json"
-if [[ -f "${json_file}" ]]; then
-  echo "Configuring LDAP..."
-
-  name="$(jq -r '.name' "${json_file}")"
-
-  if [[ -f "${CONFIG_DIR}/secret/ldap.password" ]]; then
-    tmp_file="$(mktemp -p "${tmp_dir}")"
-    jq -r --arg password "$(sed 's|"|\\"|g;s|/|\\/|g' "${CONFIG_DIR}/secret/ldap.password")" '. + {authPassword: $password}' "${json_file}" >"${tmp_file}"
-    json_file="${tmp_file}"
-  fi
-
-  out_file="$(mktemp -p "${tmp_dir}")"
-  status_code=$(curl -sS -o "${out_file}" -w "%{http_code}" -X GET -H 'Content-Type: application/json' -u "${NEXUS_USER}:${password}" "${NEXUS_HOST}/service/rest/v1/security/ldap/${name// /%20}")
-  if [[ "${status_code}" -eq 200 ]]; then
-    tmp_file="$(mktemp -p "${tmp_dir}")"
-    jq -r --arg id "$(jq -r '.id' "${out_file}")" '. + {id: $id}' "${json_file}" >"${tmp_file}"
-    json_file="${tmp_file}"
-
-    status_code="$(curl -sS -o /dev/null -w "%{http_code}" -X PUT -H 'Content-Type: application/json' -u "${NEXUS_USER}:${password}" -d "@${json_file}" "${NEXUS_HOST}/service/rest/v1/security/ldap/${name// /%20}")"
-    if [[ "${status_code}" -ne 204 ]]; then
-      error "Could not update LDAP '${name}'."
-    fi
-  else
-    status_code="$(curl -sS -o /dev/null -w "%{http_code}" -X POST -H 'Content-Type: application/json' -u "${NEXUS_USER}:${password}" -d "@${json_file}" "${NEXUS_HOST}/service/rest/v1/security/ldap")"
-    if [[ "${status_code}" -ne 201 ]]; then
-      error "Could not create LDAP '${name}'."
-    fi
-  fi
-
-  echo "LDAP '${name}' configured."
-fi
-
 echo "Configuring blob stores..."
 for json_file in "${CONFIG_DIR}"/conf/*-blobstore.json; do
   if [[ -f "${json_file}" ]]; then
@@ -237,6 +153,90 @@ for json_file in "${CONFIG_DIR}"/conf/*-repo.json; do
   fi
 done
 
+echo "Configuring roles..."
+for json_file in "${CONFIG_DIR}"/conf/*-role.json; do
+  if [[ -f "${json_file}" ]]; then
+    id="$(jq -r '.id' "${json_file}")"
+    source="$(jq -r '.source' "${json_file}")"
+
+    status_code=$(curl -sS -o /dev/null -w "%{http_code}" -X GET -H 'Content-Type: application/json' -u "${NEXUS_USER}:${password}" "${NEXUS_HOST}/service/rest/v1/security/roles/${id}?source=${source}")
+    if [[ "${status_code}" -eq 200 ]]; then
+      status_code="$(curl -sS -o /dev/null -w "%{http_code}" -X PUT -H 'Content-Type: application/json' -u "${NEXUS_USER}:${password}" -d "@${json_file}" "${NEXUS_HOST}/service/rest/v1/security/roles/${id}")"
+      if [[ "${status_code}" -ne 204 ]]; then
+        error "Could not update role '${id}'."
+      fi
+    else
+      status_code="$(curl -sS -o /dev/null -w "%{http_code}" -X POST -H 'Content-Type: application/json' -u "${NEXUS_USER}:${password}" -d "@${json_file}" "${NEXUS_HOST}/service/rest/v1/security/roles")"
+      if [[ "${status_code}" -ne 200 ]]; then
+        error "Could not create role '${id}'."
+      fi
+    fi
+
+    echo "Role '${id}' configured."
+  fi
+done
+
+echo "Configuring users..."
+for json_file in "${CONFIG_DIR}"/conf/*-user.json; do
+  if [[ -f "${json_file}" ]]; then
+    id="$(jq -r '.userId' "${json_file}")"
+    source="$(jq -r '.source' "${json_file}")"
+
+    out_file="$(mktemp -p "${tmp_dir}")"
+    status_code=$(curl -sS -o "${out_file}" -w "%{http_code}" -X GET -H 'Content-Type: application/json' -u "${NEXUS_USER}:${password}" "${NEXUS_HOST}/service/rest/v1/security/users/?userId=${id}&source=${source}")
+    if [[ "${status_code}" -eq 200 ]] && [[ -n "$(jq -r 'first(.[]).userId // empty' "${out_file}")" ]]; then
+      status_code="$(curl -sS -o /dev/null -w "%{http_code}" -X PUT -H 'Content-Type: application/json' -u "${NEXUS_USER}:${password}" -d "@${json_file}" "${NEXUS_HOST}/service/rest/v1/security/users/${id}")"
+      if [[ "${status_code}" -ne 204 ]]; then
+        error "Could not update user '${id}'."
+      fi
+    else
+      tmp_file="$(mktemp -p "${tmp_dir}")"
+      jq -r --arg password "$(echo "${RANDOM}" | md5sum | head -c 20)" '. + {password: $password}' "${json_file}" >"${tmp_file}"
+      json_file="${tmp_file}"
+
+      status_code="$(curl -sS -o /dev/null -w "%{http_code}" -X POST -H 'Content-Type: application/json' -u "${NEXUS_USER}:${password}" -d "@${json_file}" "${NEXUS_HOST}/service/rest/v1/security/users")"
+      if [[ "${status_code}" -ne 200 ]]; then
+        error "Could not create user '${id}'."
+      fi
+    fi
+
+    echo "User '${id}' configured."
+  fi
+done
+
+json_file="${CONFIG_DIR}/conf/ldap.json"
+if [[ -f "${json_file}" ]]; then
+  echo "Configuring LDAP..."
+
+  name="$(jq -r '.name' "${json_file}")"
+
+  if [[ -f "${CONFIG_DIR}/secret/ldap.password" ]]; then
+    tmp_file="$(mktemp -p "${tmp_dir}")"
+    jq -r --arg password "$(sed 's|"|\\"|g;s|/|\\/|g' "${CONFIG_DIR}/secret/ldap.password")" '. + {authPassword: $password}' "${json_file}" >"${tmp_file}"
+    json_file="${tmp_file}"
+  fi
+
+  out_file="$(mktemp -p "${tmp_dir}")"
+  status_code=$(curl -sS -o "${out_file}" -w "%{http_code}" -X GET -H 'Content-Type: application/json' -u "${NEXUS_USER}:${password}" "${NEXUS_HOST}/service/rest/v1/security/ldap/${name// /%20}")
+  if [[ "${status_code}" -eq 200 ]]; then
+    tmp_file="$(mktemp -p "${tmp_dir}")"
+    jq -r --arg id "$(jq -r '.id' "${out_file}")" '. + {id: $id}' "${json_file}" >"${tmp_file}"
+    json_file="${tmp_file}"
+
+    status_code="$(curl -sS -o /dev/null -w "%{http_code}" -X PUT -H 'Content-Type: application/json' -u "${NEXUS_USER}:${password}" -d "@${json_file}" "${NEXUS_HOST}/service/rest/v1/security/ldap/${name// /%20}")"
+    if [[ "${status_code}" -ne 204 ]]; then
+      error "Could not update LDAP '${name}'."
+    fi
+  else
+    status_code="$(curl -sS -o /dev/null -w "%{http_code}" -X POST -H 'Content-Type: application/json' -u "${NEXUS_USER}:${password}" -d "@${json_file}" "${NEXUS_HOST}/service/rest/v1/security/ldap")"
+    if [[ "${status_code}" -ne 201 ]]; then
+      error "Could not create LDAP '${name}'."
+    fi
+  fi
+
+  echo "LDAP '${name}' configured."
+fi
+
 echo "Configuring tasks..."
 for json_file in "${CONFIG_DIR}"/conf/*-task.json; do
   if [[ -f "${json_file}" ]]; then