This repo contains OpenShift templates and scripts for deploying Sonatype Nexus 3 AND IQ Server, and pre-configuring Red Hat and JBoss maven repositories on Nexus via post deploy hooks. You can modify the post hook in the templates and add other Nexus repositories by using these helper functions.
```yaml
post:
  execNewPod:
    containerName: ${SERVICE_NAME}
    command:
      - "/bin/bash"
      - "-c"
      - "curl -o /tmp/nexus-functions -s https://raw.githubusercontent.com/kenmoini/openshift-sonatype-nexus/master/scripts/nexus-functions; source /tmp/nexus-functions; add_nexus3_redhat_repos admin admin123 http://${SERVICE_NAME}:8081"
```
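As an added example (not the repository's own `nexus-functions` script), the following bash helper does the kind of work a post hook like the one above needs: it creates a Maven proxy repository through the Nexus 3 REST API, while taking the credentials from environment variables and feeding them to curl through a config read from stdin, so they are not visible as command-line arguments in the process list. It assumes the `/service/rest/v1/repositories/maven/proxy` endpoint of newer Nexus 3 releases (not verified against the 3.16.2 named below), the variables `NEXUS_URL`, `NEXUS_USER` and `NEXUS_PASSWORD`, hypothetical cache/policy values, and a constructed sample repository pointing at the Red Hat GA Maven repository.

```shell
#!/usr/bin/env bash
# Added example, not the repo's nexus-functions script. Creates a Maven proxy
# repository on Nexus 3 through the REST API.
# Assumptions: the /service/rest/v1/repositories/maven/proxy endpoint of newer
# Nexus 3 releases, and credentials supplied in NEXUS_USER / NEXUS_PASSWORD.
set -eu

NEXUS_URL="${NEXUS_URL:-http://localhost:8081}"

# Repository names end up in URLs and inside the JSON body: allow a safe charset only.
valid_repo_name() {
  case "$1" in
    '' | *[!A-Za-z0-9_.-]*) return 1 ;;
  esac
  return 0
}

# JSON body for a release-only Maven proxy (cache and policy values are hypothetical).
build_maven_proxy_json() {
  local name="$1" remote="$2"
  printf '{"name":"%s","online":true,' "$name"
  printf '"storage":{"blobStoreName":"default","strictContentTypeValidation":true},'
  printf '"proxy":{"remoteUrl":"%s","contentMaxAge":1440,"metadataMaxAge":1440},' "$remote"
  printf '"negativeCache":{"enabled":true,"timeToLive":1440},'
  printf '"httpClient":{"blocked":false,"autoBlock":true},'
  printf '"maven":{"versionPolicy":"RELEASE","layoutPolicy":"STRICT"}}'
}

# POST the repository. Credentials reach curl through a config read from stdin
# (-K -), so they never appear on the command line; TLS verification stays on.
add_nexus3_maven_proxy() {
  local name="$1" remote="$2" status
  valid_repo_name "$name" || { echo "refusing repository name: $name" >&2; return 2; }
  status=$(printf 'user = "%s:%s"\n' "${NEXUS_USER:?set NEXUS_USER}" "${NEXUS_PASSWORD:?set NEXUS_PASSWORD}" |
    curl -sS -K - -o /dev/null -w '%{http_code}' \
      -H 'Content-Type: application/json' \
      -X POST "$NEXUS_URL/service/rest/v1/repositories/maven/proxy" \
      --data "$(build_maven_proxy_json "$name" "$remote")")
  case "$status" in
    201) echo "created proxy repository $name" ;;
    *)   echo "creating $name failed: HTTP $status" >&2; return 1 ;;
  esac
}

# Sample call (constructed): the Red Hat GA Maven repository, the kind of
# repository the add_nexus3_redhat_repos hook above sets up.
if [ "${1:-}" = "apply" ]; then
  add_nexus3_maven_proxy redhat-ga https://maven.repository.redhat.com/ga/
fi
```

Run it as `NEXUS_URL=http://nexus:8081 NEXUS_USER=admin NEXUS_PASSWORD=... ./add-proxy.sh apply`; in a template, the two variables can come from a Secret via `env` instead of being written into the hook command as the hook above does.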
In order to add the Sonatype Nexus templates to the OpenShift service catalog, run the following commands:

Sonatype Nexus 3:

```shell
oc create -f https://raw.githubusercontent.com/kenmoini/openshift-sonatype-nexus/master/nexus3-template.yaml
oc create -f https://raw.githubusercontent.com/kenmoini/openshift-sonatype-nexus/master/nexus3-persistent-template.yaml
```

Deploy Sonatype Nexus 3 using one of the provided templates. If you have persistent volumes available in your cluster:

```shell
oc new-app nexus3-persistent
```

Otherwise:

```shell
oc new-app nexus3
```

In order to specify the Nexus version to be deployed, use the NEXUS_VERSION parameter:

```shell
oc new-app nexus3 -p NEXUS_VERSION=3.5.2
```
The last version tested that has worked with the post-deployment configuration script is 3.16.2.
If you'd like to also deploy Sonatype Nexus IQ Server to handle policies/firewalling/etc then jump into the iq-server directory and check out the instructions and objects there.
In order to install a Sonatype Nexus license you can upload it via the Administration > System > Licensing portion of the Settings panel.
NOTE: You will need to have launched Nexus via the Persistent template as the container needs to restart to load the license. An ephemeral container is not able to have a license (at this time, ConfigMaps are being explored).
The whole point of Nexus Repository Manager is to centrally manage components and repositories across your organization, so not every developer should be running their own Nexus. The easiest way to give everyone access to a central Nexus is to authenticate them via LDAP.
- Log into Nexus as an Admin, click on the Settings cog button to the left of the Search bar at the top.
- Use the pane to the left to navigate to Administration > Security > LDAP
- Click Create Connection
- Configure the Connection as follows (assuming Red Hat Identity Management setup for LDAPS):
  - Name: IDM
  - Protocol: LDAPS
  - Hostname: idm.example.com
  - Port: 636
  - Search Base: dc=example,dc=com
  - Authentication Method: Simple Authentication
  - Username or DN: CN=Directory Manager
  - Password: duh
  - Connection Rules: Default is fine
- Click Verify Connection and if successful, click Next
- Now set the User and Group configuration as such:
  - Configuration template: Generic LDAP Server
  - Base DN: CN=accounts
  - User subtree: Checked
  - Object class: inetOrgPerson
  - User filter: (blank)
  - User ID attribute: uid
  - Real name attribute: cn
  - Email attribute: mail
  - Password attribute: (blank)
  - Map LDAP groups as roles: Checked
  - Group type: Dynamic Groups
  - Group member of attribute: memberOf
- Click Verify user mapping to ensure it can enumerate the targeted group of users
- Click Verify login and select a random user from LDAP to test
- Click Save
- Log out and log in as one of the users from LDAP for a final test. You should see nothing because the user group has not been mapped to a role yet.
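Before entering these values in Nexus, it helps to confirm from the command line that the LDAPS bind works and that the attribute mapping returns what you expect. The following script is an added example, not part of this repository: it takes the values from the list above as defaults, composes the user search base and filter the way Nexus applies them (that the user Base DN is relative to the Search Base, and that the object class is ANDed with the user filter, are assumptions about Nexus's behaviour), and runs `ldapsearch` from the OpenLDAP client tools with the Directory Manager password prompted rather than passed as an argument.

```shell
#!/usr/bin/env bash
# Added example (not part of this repo): check the README's LDAP values with
# ldapsearch (OpenLDAP client tools) before configuring Nexus.
set -eu

# Defaults mirror the README's connection settings; override via environment.
LDAP_URL="${LDAP_URL:-ldaps://idm.example.com:636}"
LDAP_BIND_DN="${LDAP_BIND_DN:-CN=Directory Manager}"
LDAP_SEARCH_BASE="${LDAP_SEARCH_BASE:-dc=example,dc=com}"
LDAP_USER_BASE_DN="${LDAP_USER_BASE_DN:-CN=accounts}"
LDAP_OBJECT_CLASS="${LDAP_OBJECT_CLASS:-inetOrgPerson}"
LDAP_USER_FILTER="${LDAP_USER_FILTER:-}"   # the README leaves this blank

# Assumption: Nexus looks for users under "<Base DN>,<Search Base>".
ldap_user_search_base() {
  printf '%s,%s' "$LDAP_USER_BASE_DN" "$LDAP_SEARCH_BASE"
}

# Assumption: Nexus ANDs the object class with the optional user filter.
ldap_user_search_filter() {
  if [ -n "$LDAP_USER_FILTER" ]; then
    printf '(&(objectClass=%s)%s)' "$LDAP_OBJECT_CLASS" "$LDAP_USER_FILTER"
  else
    printf '(objectClass=%s)' "$LDAP_OBJECT_CLASS"
  fi
}

# A uid is spliced into an LDAP filter below, so only accept a plain charset;
# anything else would need LDAP filter escaping.
valid_uid() {
  case "$1" in
    '' | *[!A-Za-z0-9._-]*) return 1 ;;
  esac
  return 0
}

# Bind over LDAPS (certificate checked by the client's TLS settings) and list
# the attributes Nexus maps: uid, cn, mail, memberOf. -W prompts for the bind
# password so it is kept out of shell history and the process list.
verify_ldap_users() {
  ldapsearch -LLL -H "$LDAP_URL" -D "$LDAP_BIND_DN" -W \
    -b "$(ldap_user_search_base)" -s sub "$(ldap_user_search_filter)" \
    uid cn mail memberOf
}

# Same bind for a single account, the lookup Nexus's "Verify login" starts with.
verify_ldap_user() {
  valid_uid "$1" || { echo "refusing uid: $1" >&2; return 2; }
  ldapsearch -LLL -H "$LDAP_URL" -D "$LDAP_BIND_DN" -W \
    -b "$(ldap_user_search_base)" -s sub "(&$(ldap_user_search_filter)(uid=$1))" \
    uid cn mail memberOf
}

if [ "${1:-}" = "users" ]; then
  verify_ldap_users
elif [ "${1:-}" = "user" ]; then
  verify_ldap_user "$2"
fi
```

`./ldap-check.sh users` should list every account the Nexus user mapping will see, each with a `memberOf` line naming the group you intend to map (for example `ipausers`); if it does not, the Base DN, object class or group attribute is wrong and Nexus's "Verify user mapping" will fail for the same reason.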
Once LDAP is configured and tested, we need to associate the LDAP group with a Role in Nexus. For convenience, we'll create a new Role with almost all permissions.
- Log into Nexus as an Admin, click on the Settings cog button to the left of the Search bar at the top.
- Use the pane to the left to navigate to Administration > Security > Roles
- Click Create Role > External Role Mapping > LDAP
- Configure the Role as follows:
  - Mapped Role: ipausers
  - Role Name: LDAPUsers
  - Role Description: Whatever your heart desires
  - Privileges, Available: Click on one, then press Ctrl+A on your keyboard to select them all, and click Add.
  - Privileges, Given: Remove the following:
    - nx-all
    - nx-capabilities-all
    - nx-capabilities-create
    - nx-capabilities-delete
    - nx-capabilities-update
    - nx-ldap-all
    - nx-ldap-create
    - nx-ldap-delete
    - nx-ldap-update
    - nx-licensing-all
    - nx-licensing-create
    - nx-licensing-read
    - nx-licensing-uninstall
    - nx-privileges-all
    - nx-privileges-create
    - nx-privileges-delete
    - nx-privileges-update
    - nx-roles-all
    - nx-roles-create
    - nx-roles-delete
    - nx-roles-update
    - nx-settings-all
    - nx-settings-update
    - nx-users-all
    - nx-users-create
    - nx-users-delete
    - nx-users-update
    - nx-userschangepw
- Click Create role
Now once users login from LDAP they can do almost everything outside of administrative tasks that could affect others in the environment.
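Clicking through the privilege list works once, but a role built this way is hard to review or reproduce on a second Nexus. The script below is an added example, not part of this repository: it turns the list above into an explicit deny list, filters it out of whatever privileges the server reports, and creates the same role through the REST API. It assumes the `/service/rest/v1/security/privileges` and `/service/rest/v1/security/roles` endpoints of newer Nexus 3 releases, `jq` for JSON parsing, the `NEXUS_URL`, `NEXUS_USER` and `NEXUS_PASSWORD` variables, and that a role whose id equals the LDAP group name (`ipausers`) maps that group the same way the UI's External Role Mapping does.

```shell
#!/usr/bin/env bash
# Added example (not part of this repo): build the README's LDAPUsers role as
# an explicit allow-list and create it through the Nexus 3 REST API.
# Assumptions: /service/rest/v1/security/privileges and
# /service/rest/v1/security/roles endpoints, jq, and that a role id equal to
# the LDAP group name maps the group like the UI's External Role Mapping.
set -eu

NEXUS_URL="${NEXUS_URL:-http://localhost:8081}"

# The privileges the README removes: everything that changes security
# configuration, capabilities, licensing or other people's accounts.
admin_privileges() {
  cat <<'EOF'
nx-all
nx-capabilities-all
nx-capabilities-create
nx-capabilities-delete
nx-capabilities-update
nx-ldap-all
nx-ldap-create
nx-ldap-delete
nx-ldap-update
nx-licensing-all
nx-licensing-create
nx-licensing-read
nx-licensing-uninstall
nx-privileges-all
nx-privileges-create
nx-privileges-delete
nx-privileges-update
nx-roles-all
nx-roles-create
nx-roles-delete
nx-roles-update
nx-settings-all
nx-settings-update
nx-users-all
nx-users-create
nx-users-delete
nx-users-update
nx-userschangepw
EOF
}

# Read privilege names (one per line) on stdin and drop the administrative ones.
filter_admin_privileges() {
  awk -v deny="$(admin_privileges | tr '\n' ' ')" '
    BEGIN { n = split(deny, d, " "); for (i = 1; i <= n; i++) if (d[i] != "") deny_set[d[i]] = 1 }
    NF && !($0 in deny_set)'
}

# Role JSON for POST /service/rest/v1/security/roles; privileges come on stdin.
build_role_json() {
  awk -v id="$1" -v name="$2" -v desc="$3" '
    NF { privs = privs (privs == "" ? "" : ",") "\"" $0 "\"" }
    END { printf "{\"id\":\"%s\",\"name\":\"%s\",\"description\":\"%s\",\"privileges\":[%s],\"roles\":[]}", id, name, desc, privs }'
}

# Fetch every privilege the server knows, filter, and create the role.
# Credentials go to curl via a 0600 config file rather than the command line.
create_ldap_users_role() {
  local cfg
  cfg=$(mktemp)
  trap 'rm -f "$cfg"' EXIT
  printf 'user = "%s:%s"\n' "${NEXUS_USER:?set NEXUS_USER}" "${NEXUS_PASSWORD:?set NEXUS_PASSWORD}" > "$cfg"
  curl -sS --fail -K "$cfg" "$NEXUS_URL/service/rest/v1/security/privileges" |
    jq -r '.[].name' |
    filter_admin_privileges |
    build_role_json ipausers LDAPUsers "Everything except administrative privileges, for LDAP users" |
    curl -sS --fail -K "$cfg" -H 'Content-Type: application/json' \
      -X POST --data @- "$NEXUS_URL/service/rest/v1/security/roles"
}

if [ "${1:-}" = "apply" ]; then
  create_ldap_users_role
fi
```

Because the deny list is data, re-running `./ldap-role.sh apply` against a fresh Nexus reproduces the role exactly, and a diff of `admin_privileges` output is the review record of what LDAP users are not allowed to touch.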