feat: Added repo & user password support (#1070)

Signed-off-by: Steve Hipwell <[email protected]>

Author: stevehipwell

charts/nexus3/CHANGELOG.md

@@ -14,6 +14,21 @@
 
 ## [UNRELEASED]
 
+## [v5.3.0] - 2024-10-29
+
+### Added
+
+- Added support for specifying `password.secret` & `password.key` on the `config.repos` objects. ([#1070](https://github.com/stevehipwell/helm-charts/pull/1070)) _@stevehipwell_
+- Added support for specifying `password.secret` & `password.key` on the `config.users` objects. ([#1070](https://github.com/stevehipwell/helm-charts/pull/1070)) _@stevehipwell_
+
+### Changed
+
+- Updated ingress docs to better explain hosts. ([#1070](https://github.com/stevehipwell/helm-charts/pull/1070)) _@stevehipwell_
+
+### Deprecated
+
+- Deprecated `.config.repoCredentials` in favour of directly specifying `password.secret` on the `config.repos` objects. ([#1070](https://github.com/stevehipwell/helm-charts/pull/1070)) _@stevehipwell_
+
 ## [v5.2.0] - 2024-10-24
 
 > [!IMPORTANT]
@@ -730,6 +745,7 @@ RELEASE LINKS
 -->
 
 [UNRELEASED]: https://github.com/stevehipwell/helm-charts/tree/main/charts/nexus3
+[v5.3.0]: https://github.com/stevehipwell/helm-charts/releases/tag/nexus3-5.3.0
 [v5.2.0]: https://github.com/stevehipwell/helm-charts/releases/tag/nexus3-5.2.0
 [v5.1.0]: https://github.com/stevehipwell/helm-charts/releases/tag/nexus3-5.1.0
 [v5.0.0]: https://github.com/stevehipwell/helm-charts/releases/tag/nexus3-5.0.0

charts/nexus3/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: nexus3
 description: Helm chart for Sonatype Nexus 3 OSS.
 type: application
-version: 5.2.0
+version: 5.3.0
 appVersion: 3.73.0
 home: https://www.sonatype.com/products/sonatype-nexus-repository
 icon: https://raw.githubusercontent.com/stevehipwell/helm-charts/main/charts/nexus3/icon.png
@@ -23,11 +23,11 @@ maintainers:
 annotations:
   artifacthub.io/alternativeName: nexus
   artifacthub.io/changes: |
+    - kind: added
+      description: "Added support for specifying `password.secret` & `password.key` on the `config.repos` objects."
+    - kind: added
+      description: "Added support for specifying `password.secret` & `password.key` on the `config.users` objects."
     - kind: changed
-      description: "Changed the order of the initialization scripts to allow creating roles based on repository privileges."
-    - kind: changed
-      description: "Improved docs for config with reference to the API documentation."
-    - kind: fixed
-      description: "Fixed LDAP templating incorrectly using `toJson` without passing in the data resulting in no configuration to apply."
-    - kind: fixed
-      description: "Fixed incorrect labeling on the volume claim template."
+      description: "Updated ingress docs to better explain hosts."
+    - kind: deprecated
+      description: "Deprecated `.config.repoCredentials` in favour of directly specifying `password.secret` on the `config.repos` objects."

charts/nexus3/README.md

@@ -1,6 +1,6 @@
 # nexus3
 
-![Version: 5.2.0](https://img.shields.io/badge/Version-5.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 3.73.0](https://img.shields.io/badge/AppVersion-3.73.0-informational?style=flat-square)
+![Version: 5.3.0](https://img.shields.io/badge/Version-5.3.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 3.73.0](https://img.shields.io/badge/AppVersion-3.73.0-informational?style=flat-square)
 
 Helm chart for Sonatype Nexus 3 OSS.
 
@@ -25,15 +25,15 @@ Helm chart for Sonatype Nexus 3 OSS.
 To install the chart using the recommended OCI method you can use the following command.
 
 ```shell
-helm upgrade --install nexus3 oci://ghcr.io/stevehipwell/helm-charts/nexus3 --version 5.2.0
+helm upgrade --install nexus3 oci://ghcr.io/stevehipwell/helm-charts/nexus3 --version 5.3.0
 ```
 
 #### Verification
 
 As the OCI chart release is signed by [Cosign](https://github.com/sigstore/cosign) you can verify the chart before installing it by running the following command.
 
 ```shell
-cosign verify --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp 'https://github\.com/action-stars/helm-workflows/\.github/workflows/release\.yaml@.+' --certificate-github-workflow-repository stevehipwell/helm-charts --certificate-github-workflow-name Release ghcr.io/stevehipwell/helm-charts/nexus3:5.2.0
+cosign verify --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp 'https://github\.com/action-stars/helm-workflows/\.github/workflows/release\.yaml@.+' --certificate-github-workflow-repository stevehipwell/helm-charts --certificate-github-workflow-name Release ghcr.io/stevehipwell/helm-charts/nexus3:5.3.0
 ```
 
 ### Non-OCI Repository
@@ -42,7 +42,7 @@ Alternatively you can use the legacy non-OCI method via the following commands.
 
 ```shell
 helm repo add stevehipwell https://stevehipwell.github.io/helm-charts/
-helm upgrade --install nexus3 stevehipwell/nexus3 --version 5.2.0
+helm upgrade --install nexus3 stevehipwell/nexus3 --version 5.3.0
 ```
 
 ## Values
@@ -73,7 +73,7 @@ helm upgrade --install nexus3 stevehipwell/nexus3 --version 5.2.0
 | config.ldap | object | `{"authPassword":{"key":null,"secret":null},"authRealm":null,"authScheme":"simple","authUsername":null,"connectionRetryDelaySeconds":300,"connectionTimeoutSeconds":30,"enabled":false,"groupBaseDn":null,"groupIdAttribute":null,"groupMemberAttribute":null,"groupMemberFormat":null,"groupObjectClass":null,"groupSubtree":false,"groupType":"dynamic","host":null,"ldapGroupsAsRoles":false,"maxIncidentsCount":3,"name":null,"port":636,"protocol":"ldaps","searchBase":null,"useTrustStore":true,"userBaseDn":null,"userEmailAddressAttribute":"email","userIdAttribute":"sAMAccountName","userLdapFilter":null,"userMemberOfAttribute":"memberOf","userObjectClass":"user","userPasswordAttribute":null,"userRealNameAttribute":"cn","userSubtree":false}` | LDAP configuration; based on the REST API (API reference docs require an existing Nexus installation and can be found at **Administration** under _System_ → _API_). |
 | config.realms.enabled | bool | `false` | If `true`, enable realms. |
 | config.realms.values | list | `[]` | List of realms to configure; can be empty or contain any of `NexusAuthenticatingRealm`, `LdapRealm`, `DockerToken`, `NpmToken`, `NuGetApiKey` or `rutauth-realm`. |
-| config.repoCredentials.enabled | bool | `false` | If `true`, enable repository credentials. |
+| config.repoCredentials.enabled | bool | `false` | **DEPRECATED** - If `true`, enable repository credentials. Use inline repo password instead. |
 | config.repoCredentials.secret | string | `nil` | Name of the secret containing the repository credentials. |
 | config.repos | list | `[]` | Repository configuration; based on the REST API (API reference docs require an existing Nexus installation and can be found at **Administration** under _System_ → _API_) but with `format` & `type` defined in the object. |
 | config.roles | list | `[]` | Roles configuration; based on the REST API (API reference docs require an existing Nexus installation and can be found at **Administration** under _System_ → _API_). |
@@ -91,9 +91,9 @@ helm upgrade --install nexus3 stevehipwell/nexus3 --version 5.2.0
 | imagePullSecrets | list | `[]` | Image pull secrets. |
 | ingress.annotations | object | `{}` | Ingress annotations. |
 | ingress.enabled | bool | `false` | If `true`, create an `Ingress` resource. |
-| ingress.hosts | list | See _values.yaml_ | Ingress hosts. |
+| ingress.hosts | list | See _values.yaml_ | Ingress hosts, do not include hosts defined in `service.additionalPorts`. |
 | ingress.ingressClassName | string | `nil` | Ingress class name. |
-| ingress.tls | list | See _values.yaml_ | Ingress TLS. |
+| ingress.tls | list | See _values.yaml_ | Ingress TLS, hosts defined in both `ingress.hosts` & `service.additionalPorts[*].hosts` should be covered. |
 | install4jAddVmParams | string | `"-Xms1024m -Xmx1024m -XX:MaxDirectMemorySize=2048m"` | Env configuration for the _Nexus3_ container. |
 | jdkImage.digest | string | `nil` | Optional image digest for the JDK container. |
 | jdkImage.pullPolicy | string | `"IfNotPresent"` | Image pull policy for the JDK container. |

charts/nexus3/ci/ci-values.yaml

@@ -33,26 +33,6 @@ config:
       - NpmToken
       - NuGetApiKey
       - rutauth-realm
-  roles:
-    - id: nexus-administrators
-      source: default
-      name: nexus-administrators
-      description: LDAP Administrator Role
-      privileges: []
-      roles:
-        - nx-admin
-  users:
-    - userId: test
-      firstName: Test
-      lastName: User
-      emailAddress: [email protected]
-      source: default
-      status: active
-      roles:
-        - nx-anonymous
-      externalRoles: []
-  ldap:
-    enabled: false
   blobStores: []
   cleanup:
     - name: ExampleCleanup
@@ -78,6 +58,40 @@ config:
       cleanup:
         policyNames:
           - ExampleCleanup
+  roles:
+    - id: nexus-administrators
+      source: default
+      name: nexus-administrators
+      description: LDAP Administrator Role
+      privileges: []
+      roles:
+        - nx-admin
+  users:
+    - userId: test
+      firstName: Test
+      lastName: User
+      emailAddress: [email protected]
+      source: default
+      status: active
+      roles:
+        - nx-anonymous
+      externalRoles: []
+      password:
+        secret: test-user
+        key: passwordx
+    - userId: test2
+      firstName: Test2
+      lastName: User
+      emailAddress: [email protected]
+      source: default
+      status: active
+      roles:
+        - nx-anonymous
+      externalRoles: []
+      password:
+        secret: test-user2
+  ldap:
+    enabled: false
   tasks:
     - name: "Cleanup service"
       typeId: repository.cleanup

charts/nexus3/ci/kubeconform.yaml

@@ -127,26 +127,6 @@ config:
       - NpmToken
       - NuGetApiKey
       - rutauth-realm
-  roles:
-    - id: nexus-administrators
-      source: default
-      name: nexus-administrators
-      description: LDAP Administrator Role
-      privileges: []
-      roles:
-        - nx-admin
-  users:
-    - userId: test
-      firstName: Test
-      lastName: User
-      emailAddress: [email protected]
-      source: default
-      status: active
-      roles:
-        - nx-anonymous
-      externalRoles: []
-  ldap:
-    enabled: false
   blobStores:
     - name: ExampleFileBlobStore
       type: file
@@ -179,6 +159,43 @@ config:
       cleanup:
         policyNames:
           - ExampleCleanup
+      password:
+        secret: test-repo
+        key: passwordx
+  roles:
+    - id: nexus-administrators
+      source: default
+      name: nexus-administrators
+      description: LDAP Administrator Role
+      privileges: []
+      roles:
+        - nx-admin
+  users:
+    - userId: test
+      firstName: Test
+      lastName: User
+      emailAddress: [email protected]
+      source: default
+      status: active
+      roles:
+        - nx-anonymous
+      externalRoles: []
+      password:
+        secret: test-user
+        key: passwordx
+    - userId: test2
+      firstName: Test2
+      lastName: User
+      emailAddress: [email protected]
+      source: default
+      status: active
+      roles:
+        - nx-anonymous
+      externalRoles: []
+      password:
+        secret: test-user2
+  ldap:
+    enabled: false
   tasks:
     - name: "Cleanup service"
       typeId: repository.cleanup

charts/nexus3/scripts/configure.sh

@@ -128,7 +128,10 @@ for json_file in "${CONFIG_DIR}"/conf/*-repo.json; do
     json_file="${tmp_file}"
 
     if [[ "${type}" == "proxy" ]]; then
-      password_file="${CONFIG_DIR}/secret/repo-credentials/${name}"
+      password_file="${CONFIG_DIR}/secret/repo-${name}.password"
+      if [[ ! -f "${password_file}" ]]; then
+        password_file="${CONFIG_DIR}/secret/repo-credentials/${name}"
+      fi
       if [[ -f "${password_file}" ]]; then
         tmp_file="$(mktemp -p "${tmp_dir}")"
         jq -r --arg password "$(cat "${password_file}")" '. * {httpClient: {authentication: {password: $password}}}' "${json_file}" >"${tmp_file}"
@@ -190,8 +193,13 @@ for json_file in "${CONFIG_DIR}"/conf/*-user.json; do
         error "Could not update user '${id}'."
       fi
     else
+      password_file="${CONFIG_DIR}/secret/user-${id}.password"
+      if [[ ! -f "${password_file}" ]]; then
+        echo "${RANDOM}" | md5sum | head -c 20 >"${password_file}"
+      fi
+
       tmp_file="$(mktemp -p "${tmp_dir}")"
-      jq -r --arg password "$(echo "${RANDOM}" | md5sum | head -c 20)" '. + {password: $password}' "${json_file}" >"${tmp_file}"
+      jq -r --arg password "$(cat "${password_file}")" '. + {password: $password}' "${json_file}" >"${tmp_file}"
       json_file="${tmp_file}"
 
       status_code="$(curl -sS -o /dev/null -w "%{http_code}" -X POST -H 'Content-Type: application/json' -u "${NEXUS_USER}:${password}" -d "@${json_file}" "${NEXUS_HOST}/service/rest/v1/security/users")"

charts/nexus3/templates/_test/secret-test-password.yaml

@@ -0,0 +1,27 @@
+{{- if .Values.testResources -}}
+{{- range concat .Values.config.repos .Values.config.users }}
+{{- if dig "password" "secret" nil . }}
+{{- $secretName := .password.secret -}}
+{{- $key := default "password" .password.key }}
+{{- $secret := lookup "v1" "Secret" $.Release.Namespace $secretName -}}
+{{- $password := (randAlpha 16) | b64enc }}
+{{- if $secret }}
+{{- $password = index $secret.data $key -}}
+{{- end }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+  namespace: {{ $.Release.Namespace }}
+  labels:
+    {{- include "nexus3.labels" $ | nindent 4 }}
+    test-resource: "true"
+  annotations:
+    "helm.sh/hook": "pre-install"
+type: Opaque
+data:
+  {{ $key }}: {{ $password | quote }}
+---
+{{- end }}
+{{- end }}
+{{- end }}

charts/nexus3/templates/configmap-config.yaml

@@ -25,7 +25,7 @@ data:
 {{- end }}
 {{- range .Values.config.users }}
   {{ .userId }}-user.json: |
-    {{- . | toJson | nindent 4 }}
+    {{- omit . "password" | toJson | nindent 4 }}
 {{- end }}
 {{- if .Values.config.ldap.enabled }}
   ldap.json: |
@@ -43,7 +43,7 @@ data:
 {{- end }}
 {{- range $index, $repo := .Values.config.repos }}
   {{ $index | add 1000 | toString | substr 1 -1 }}-repo.json: |
-    {{- $repo | toJson | nindent 4 }}
+    {{- omit $repo "password" | toJson | nindent 4 }}
 {{- end }}
 {{- range $index, $task := .Values.config.tasks }}
   {{ $index | add 1000 | toString | substr 1 -1 }}-task.json: |

charts/nexus3/templates/job-config.yaml

@@ -51,15 +51,29 @@ spec:
               name: scripts
             - mountPath: /opt/sonatype/nexus/config/conf
               name: config
+          {{- if .Values.config.repoCredentials.enabled }}
+            - mountPath: /opt/sonatype/nexus/config/secret/repo-credentials
+              name: repo-credentials
+          {{- end }}
+          {{- range .Values.config.repos }}
+          {{- if dig "password" "secret" nil . }}
+            - mountPath: {{ printf "/opt/sonatype/nexus/config/secret/repo-%s.password" .name }}
+              name: {{ printf "repo-%s" .name }}
+              subPath: {{ default "password" .password.key }}
+          {{- end }}
+          {{- end }}
+          {{- range .Values.config.users }}
+          {{- if dig "password" "secret" nil . }}
+            - mountPath: {{ printf "/opt/sonatype/nexus/config/secret/user-%s.password" .userId }}
+              name: {{ printf "user-%s" .userId }}
+              subPath: {{ default "password" .password.key }}
+          {{- end }}
+          {{- end }}
           {{- if .Values.config.ldap.enabled }}
             - mountPath: /opt/sonatype/nexus/config/secret/ldap.password
               name: ldap-password
               subPath: {{ .Values.config.ldap.authPassword.key }}
           {{- end }}
-          {{- if .Values.config.repoCredentials.enabled }}
-            - mountPath: /opt/sonatype/nexus/config/secret/repo-credentials
-              name: repo-credentials
-          {{- end }}
       volumes:
         - name: temp
           emptyDir: {}
@@ -71,16 +85,30 @@ spec:
           configMap:
             name: {{ include "nexus3.configConfigMapName" . }}
             defaultMode: 0444
-      {{- if .Values.config.ldap.enabled }}
-        - name: ldap-password
-          secret:
-            secretName: {{ .Values.config.ldap.authPassword.secret }}
-      {{- end }}
       {{- if .Values.config.repoCredentials.enabled }}
         - name: repo-credentials
           secret:
             secretName: {{ .Values.config.repoCredentials.secret }}
       {{- end }}
+      {{- range .Values.config.repos }}
+      {{- if dig "password" "secret" nil . }}
+        - name: {{ printf "repo-%s" .name }}
+          secret:
+            secretName: {{ .password.secret }}
+      {{- end }}
+      {{- end }}
+      {{- range .Values.config.users }}
+      {{- if dig "password" "secret" nil . }}
+        - name: {{ printf "user-%s" .userId }}
+          secret:
+            secretName: {{ .password.secret }}
+      {{- end }}
+      {{- end }}
+      {{- if .Values.config.ldap.enabled }}
+        - name: ldap-password
+          secret:
+            secretName: {{ .Values.config.ldap.authPassword.secret }}
+      {{- end }}
       {{- with .Values.config.job.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}