diff --git a/tilt/nexus-cr/Tiltfile b/tilt/nexus-cr/Tiltfile
new file mode 100644
index 0000000..39c32c9
--- /dev/null
+++ b/tilt/nexus-cr/Tiltfile
@@ -0,0 +1,71 @@
+allow_k8s_contexts('docker-desktop')
+load('ext://execute_in_pod', 'execute_in_pod')
+load('ext://helm_resource', 'helm_resource', 'helm_repo')
+load('ext://uibutton', 'cmd_button', 'text_input', 'location')
+## Add the Bitnami Helm Repo
+helm_repo('bitnami','https://charts.bitnami.com/bitnami')
+# Set up a PVC for Nexus
+k8s_yaml('nexuspvc.yaml')
+# Provision Nexus itself
+k8s_yaml('nexus3.yaml')
+# Bind the PVC to the Nexus object in Tilt
+k8s_resource(objects=['nexus3:persistentvolumeclaim'], new_name='nexus3-pvc', labels=['nexus3'],trigger_mode=TRIGGER_MODE_MANUAL)
+# NGINX
+helm_resource(
+ 'nginx',
+ 'bitnami/nginx',
+ flags=[
+ '--values=./nginx/values.yaml'
+ ],
+ resource_deps=[
+ 'nexus3',
+ 'nexus3-pvc'
+ ],
+ port_forwards=[8443, 8080]
+)
+k8s_resource(workload='nexus3',port_forwards=8083)
+local_resource(
+ name="nexus3 password reset",
+ cmd="./nexusPassword.sh",
+ resource_deps=[
+ 'nexus3',
+ 'nginx'
+ ],
+ labels=['nexus3'],
+)
+local_resource(
+ name="nexus3 setup",
+ cmd="./nexusSetup.sh",
+ resource_deps=[
+ "nexus3 password reset"
+ ],
+ labels=['nexus3']
+)
+# At this point you'll need to:
+# 1. add kubernetes.docker.internal to your insecure docker registries
+# 2. docker login kubernetes.docker.internal admin:admin123
+# 3. docker push 127.0.0.1 kubernetes.docker.internal//:
+# 4. attempt import
+helm_resource(
+ 'snyk-broker',
+ '../../charts/snyk-broker',
+ release_name='snyk-general',
+ flags=[
+ '--set=brokerToken=',
+ '--set=brokerServerUrl=https://broker.dev.snyk.io',
+ '--set=brokerDispatcherUrl=https://api.dev.snyk.io',
+ '--set=brokerResources.requests.cpu=256m',
+ '--set=brokerResources.requests.memory=128Mi',
+ '--set=scmType=container-registry-agent',
+ '--set=crType=nexus-cr',
+ '--set=crBase=nginx.default.svc.cluster.local',
+ '--set=crResources.requests.memory=256Mi',
+ '--set=crResources.requests.cpu=128m',
+ '--set=crUsername=admin',
+ '--set=crPassword=admin123',
+ '--set=tlsRejectUnauthorized=disable',
+ '--set=service.brokerType=LoadBalancer',
+ '--set=service.crType=LoadBalancer',
+ '--set=disableSuffixes=false'
+ ]
+)
diff --git a/tilt/nexus-cr/nexus3.yaml b/tilt/nexus-cr/nexus3.yaml
new file mode 100644
index 0000000..77c61f7
--- /dev/null
+++ b/tilt/nexus-cr/nexus3.yaml
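Review bot: The snyk-broker `helm_resource` at the end of the hunk bakes secrets and a TLS bypass into a committed file: `'--set=brokerToken=',` is an empty placeholder that will be filled in locally and is one careless commit away from the repo, and `crPassword=admin123` plus `tlsRejectUnauthorized=disable` are literal flags. Tilt's Starlark has a built-in `os.getenv`, so the token should at least be read from the environment, `'--set=brokerToken=' + os.getenv('SNYK_BROKER_TOKEN', ''),`, and a one-line comment above `tlsRejectUnauthorized` should state that the bypass exists only because the nginx proxy in `./nginx/values.yaml` serves a self-signed certificate. Separately, `execute_in_pod` and the three `uibutton` symbols loaded at the top are not referenced anywhere in the file, so those two `load(...)` lines can be removed.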
@@ -0,0 +1,75 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: nexus3
+spec:
+ selector:
+ matchLabels:
+ app: nexus3
+ template:
+ metadata:
+ labels:
+ app: nexus3
+ spec:
+ volumes:
+ - name: nexus3-vol
+ persistentVolumeClaim:
+ claimName: nexus3
+ initContainers:
+ - name: nexus3-init
+ image: registry.hub.docker.com/library/alpine:3.12.0
+ command: ["chown", "-R", "200:200", "/nexus-data"]
+ volumeMounts:
+ - mountPath: /nexus-data
+ name: nexus3-vol
+ containers:
+ - name: nexus3
+ image: sonatype/nexus3
+ resources:
+ requests:
+ memory: "2048Mi"
+ cpu: "1000m"
+ limits:
+ memory: "4096Mi"
+ cpu: "2000m"
+ volumeMounts:
+ - mountPath: /nexus-data
+ name: nexus3-vol
+ ports:
+ - containerPort: 8081
+ name: ui
+ - containerPort: 8083
+ name: docker
+ livenessProbe:
+ httpGet:
+ path: /service/rest/v1/status/writable
+ port: 8081
+ failureThreshold: 5
+ periodSeconds: 30
+ readinessProbe:
+ httpGet:
+ path: /service/rest/v1/status/writable
+ port: 8081
+ failureThreshold: 5
+ periodSeconds: 30
+ startupProbe:
+ httpGet:
+ path: /service/rest/v1/status/writable
+ port: 8081
+ failureThreshold: 30
+ periodSeconds: 10
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: nexus3
+spec:
+ selector:
+ app: nexus3
+ ports:
+ - port: 8081
+ targetPort: 8081
+ name: ui
+ - port: 8083
+ targetPort: 8083
+ name: docker
diff --git a/tilt/nexus-cr/nexusPassword.sh b/tilt/nexus-cr/nexusPassword.sh
new file mode 100755
index 0000000..17f482a
--- /dev/null
+++ b/tilt/nexus-cr/nexusPassword.sh
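Review bot: The `image: sonatype/nexus3` line has no tag, so every fresh pull tracks whatever `latest` resolves to, while the init container in the same pod is pinned to `alpine:3.12.0`; pin the Nexus image to a tag or digest so the environment is reproducible and the version actually running can be audited. The `chown -R 200:200 /nexus-data` init container runs as root only to fix volume ownership; on a pod `securityContext` with `fsGroup: 200` the kubelet does that itself and the init container can be dropped, though whether the docker-desktop provisioner honours fsGroup should be confirmed. The Service exposes both the UI port 8081 and the docker port 8083 with nothing but Nexus's own authentication in front of them, which is consistent with the `forceBasicAuth: true` repository setting in nexusSetup.sh but worth a comment stating that this manifest is for the local docker-desktop context only.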
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+## Get the nexus3 admin password and write to disk
+if ! [ -f "admin.txt" ]; then
+ ADMIN_PASSWORD=$(kubectl exec "$(tilt get kd nexus3 -ojsonpath='{.status.pods[0].name}')" -- cat /nexus-data/admin.password)
+ echo "$ADMIN_PASSWORD" > admin.txt
+ # Change the initial password to admin123
+ curl -ifu "admin:$ADMIN_PASSWORD" \
+ -X PUT \
+ -H 'Content-Type: text/plain' \
+ --data "admin123" \
+ http://localhost:80/service/rest/v1/security/users/admin/change-password
+fi
diff --git a/tilt/nexus-cr/nexusSetup.sh b/tilt/nexus-cr/nexusSetup.sh
new file mode 100755
index 0000000..de375b2
--- /dev/null
+++ b/tilt/nexus-cr/nexusSetup.sh
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+if ! [ -f "admin.txt" ]; then
+ echo "Ensure admin password is updated"
+ exit 1
+fi
+
+## Anonymous Access
+curl -X PUT \
+ 'http://localhost/service/rest/v1/security/anonymous' \
+ -H 'accept: application/json' \
+ -H 'Content-Type: application/json' \
+ -u admin:admin123 \
+ -d '{
+ "enabled": true,
+ "userId": "admin",
+ "realmName": "NexusAuthenticatingRealm"
+}'
+
+# Create a docker repo
+curl -X POST \
+ http://localhost:80/service/rest/v1/repositories/docker/hosted \
+ -H "Content-Type: application/json" \
+ -u admin:admin123 \
+ -d '{
+ "name": "docker",
+ "online": true,
+ "storage": {
+ "blobStoreName": "default",
+ "strictContentTypeValidation": true,
+ "writePolicy": "allow_once",
+ "latestPolicy": true
+ },
+ "docker": {
+ "v1Enabled": true,
+ "forceBasicAuth": true,
+ "httpPort": 8083
+ }
+ }'
+
diff --git a/tilt/nexus-cr/nexuspvc.yaml b/tilt/nexus-cr/nexuspvc.yaml
new file mode 100644
index 0000000..cedd973
--- /dev/null
+++ b/tilt/nexus-cr/nexuspvc.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: nexus3
+spec:
+ resources:
+ requests:
+ storage: 1Gi
+ volumeMode: Filesystem
+ accessModes:
+ - ReadWriteOnce
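Review bot: `echo "$ADMIN_PASSWORD" > admin.txt` runs before the change-password `curl`, and the `if ! [ -f "admin.txt" ]` guard skips the whole block on every later run, so if that curl fails (Nexus not yet reachable through nginx on port 80, for instance) the script still exits 0 — `-f` makes curl return non-zero on an HTTP error but nothing checks it — Tilt marks the resource done, and `nexusSetup.sh` then authenticates as `admin:admin123` against an instance whose password was never changed. Fail the script on any error, write the marker only after the password change succeeds, and create the file with restrictive permissions since it holds the initial admin secret in the working tree (it should also be listed in `.gitignore`, which this commit does not add).
```bash
#!/bin/bash
set -euo pipefail

## Get the nexus3 admin password and write to disk
if ! [ -f "admin.txt" ]; then
  # … unchanged: ADMIN_PASSWORD=$(kubectl exec … cat /nexus-data/admin.password) …
  # Change the initial password to admin123; -f makes curl exit non-zero on an
  # HTTP error, and set -e then aborts the script before the marker is written
  curl -ifu "admin:$ADMIN_PASSWORD" \
    -X PUT \
    -H 'Content-Type: text/plain' \
    --data "admin123" \
    http://localhost:80/service/rest/v1/security/users/admin/change-password
  # Record the marker only once the password has really been changed
  (umask 077 && echo "$ADMIN_PASSWORD" > admin.txt)
fi
```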
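Review bot: Neither `curl` call in nexusSetup.sh uses `-f`/`--fail` or has its exit status checked, so an HTTP 4xx/5xx from the anonymous-access PUT or the repository POST still lets the script exit 0 and Tilt reports `nexus3 setup` as successful; add `set -euo pipefail` after the shebang and `-f` to both invocations (`--fail-with-body`, curl 7.76+, if the error body is wanted). The PUT also enables anonymous access for the whole instance (`"enabled": true`), which nothing visible in this commit appears to rely on since the repository is created with `forceBasicAuth: true` and the broker is given `crUsername`/`crPassword`; either drop that call or add a comment naming the client that needs anonymous reads. Minor: the first URL is `http://localhost/...` and the second `http://localhost:80/...`; use one form.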
diff --git a/tilt/nexus-cr/nginx/values.yaml b/tilt/nexus-cr/nginx/values.yaml
new file mode 100644
index 0000000..0bad2a0
--- /dev/null
+++ b/tilt/nexus-cr/nginx/values.yaml
@@ -0,0 +1,70 @@
+serverBlock: |-
+ server {
+ listen 8443 ssl;
+ resolver 10.96.0.10 valid=10s;
+ server_name nginx
+
+ ssl on;
+ ssl_certificate /certs/server.crt;
+ ssl_certificate_key /certs/server.key;
+
+ # Docker /v2 and /v1 (for search) requests
+ location /v2 {
+ proxy_set_header Host $host:$server_port;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto "https";
+ proxy_pass http://nexus3.default.svc.cluster.local:8081/repository/docker/$request_uri;
+ }
+ location /v1 {
+ proxy_set_header Host $host:$server_port;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto "https";
+ proxy_pass http://nexus3.default.svc.cluster.local:8081/repository/docker/$request_uri;
+ }
+
+ # Regular Nexus requests
+ location / {
+ proxy_set_header Host $host:$server_port;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto "https";
+ proxy_pass http://nexus3.default.svc.cluster.local:8081;
+ }
+ }
+
+ server {
+ listen 8080;
+ resolver 10.96.0.10 valid=10s;
+ server_name nginx
+
+ ssl off;
+
+ # Docker /v2 and /v1 (for search) requests
+ location /v2 {
+ proxy_set_header Host $host:$server_port;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto "http";
+ proxy_pass http://nexus3.default.svc.cluster.local:8081/repository/docker/$request_uri;
+ }
+ location /v1 {
+ proxy_set_header Host $host:$server_port;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto "http";
+ proxy_pass http://nexus3.default.svc.cluster.local:8081/repository/docker/$request_uri;
+ }
+
+ # Regular Nexus requests
+ location / {
+ proxy_set_header Host $host:$server_port;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto "http";
+ proxy_pass http://nexus3.default.svc.cluster.local:8081;
+ }
+ }
+tls:
+ enabled: true
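Review bot: `server_name nginx` in both `server` blocks is missing its terminating `;`, so nginx reads the directive as continuing across the blank line and swallows the next one (`server_name nginx ssl on;` in the 8443 block, `server_name nginx ssl off;` in the 8080 block); write `server_name nginx;` in both places. Once that is fixed the `ssl on;`/`ssl off;` lines are parsed on their own, and the `ssl` directive has been deprecated since nginx 1.15.0 and removed in 1.25.1, so depending on the Bitnami image version the config may then refuse to load — `listen 8443 ssl;` already enables TLS, so both `ssl` lines can simply be deleted. Also, `$request_uri` begins with `/`, so `proxy_pass .../repository/docker/$request_uri` sends `/repository/docker//v2/...` upstream in all four docker locations; confirm Nexus tolerates the doubled slash or drop the trailing slash before `$request_uri`.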