chore: nexus3 tilt setup

tilt/nexus-cr/Tiltfile

@@ -0,0 +1,71 @@
+allow_k8s_contexts('docker-desktop')
+load('ext://execute_in_pod', 'execute_in_pod')
+load('ext://helm_resource', 'helm_resource', 'helm_repo')
+load('ext://uibutton', 'cmd_button', 'text_input', 'location')
+## Add the Bitnami Helm Repo
+helm_repo('bitnami','https://charts.bitnami.com/bitnami')
+# Set up a PVC for Nexus
+k8s_yaml('nexuspvc.yaml')
+# Provision Nexus itself
+k8s_yaml('nexus3.yaml')
+# Bind the PVC to the Nexus object in Tilt
+k8s_resource(objects=['nexus3:persistentvolumeclaim'], new_name='nexus3-pvc', labels=['nexus3'],trigger_mode=TRIGGER_MODE_MANUAL)
+# NGINX
+helm_resource(
+  'nginx',
+  'bitnami/nginx',
+  flags=[
+    '--values=./nginx/values.yaml'
+  ],
+  resource_deps=[
+    'nexus3',
+    'nexus3-pvc'
+  ],
+  port_forwards=[8443, 8080]
+)
+k8s_resource(workload='nexus3',port_forwards=8083)
+local_resource(
+  name="nexus3 password reset",
+  cmd="./nexusPassword.sh",
+  resource_deps=[
+    'nexus3',
+    'nginx'
+  ],
+  labels=['nexus3'],
+)
+local_resource(
+  name="nexus3 setup",
+  cmd="./nexusSetup.sh",
+  resource_deps=[
+    "nexus3 password reset"
+  ],
+  labels=['nexus3']
+)
+# At this point you'll need to:
+# 1. add kubernetes.docker.internal to your insecure docker registries
+# 2. docker login kubernetes.docker.internal admin:admin123
+# 3. docker push 127.0.0.1 kubernetes.docker.internal/<repo>/<img>:<tag>
+# 4. attempt import
+helm_resource(
+  'snyk-broker',
+  '../../charts/snyk-broker',
+  release_name='snyk-general',
+  flags=[
+    '--set=brokerToken=<broker-token-goes-here>',
+    '--set=brokerServerUrl=https://broker.dev.snyk.io',
+    '--set=brokerDispatcherUrl=https://api.dev.snyk.io',
+    '--set=brokerResources.requests.cpu=256m',
+    '--set=brokerResources.requests.memory=128Mi',
+    '--set=scmType=container-registry-agent',
+    '--set=crType=nexus-cr',
+    '--set=crBase=nginx.default.svc.cluster.local',
+    '--set=crResources.requests.memory=256Mi',
+    '--set=crResources.requests.cpu=128m',
+    '--set=crUsername=admin',
+    '--set=crPassword=admin123',
+    '--set=tlsRejectUnauthorized=disable',
+    '--set=service.brokerType=LoadBalancer',
+    '--set=service.crType=LoadBalancer',
+    '--set=disableSuffixes=false'
+  ]
+)

tilt/nexus-cr/nexus3.yaml

@@ -0,0 +1,75 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nexus3
+spec:
+  selector:
+    matchLabels:
+      app: nexus3
+  template:
+    metadata:
+      labels:
+        app: nexus3
+    spec:
+      volumes:
+        - name: nexus3-vol
+          persistentVolumeClaim:
+            claimName: nexus3
+      initContainers:
+      - name: nexus3-init
+        image: registry.hub.docker.com/library/alpine:3.12.0
+        command: ["chown", "-R", "200:200", "/nexus-data"]
+        volumeMounts:
+          - mountPath: /nexus-data
+            name: nexus3-vol
+      containers:
+      - name: nexus3
+        image: sonatype/nexus3
+        resources:
+          requests:
+            memory: "2048Mi"
+            cpu: "1000m"
+          limits:
+            memory: "4096Mi"
+            cpu: "2000m"
+        volumeMounts:
+          - mountPath: /nexus-data
+            name: nexus3-vol
+        ports:
+        - containerPort: 8081
+          name: ui
+        - containerPort: 8083
+          name: docker
+        livenessProbe:
+          httpGet:
+            path: /service/rest/v1/status/writable
+            port: 8081
+          failureThreshold: 5
+          periodSeconds: 30
+        readinessProbe:
+          httpGet:
+            path: /service/rest/v1/status/writable
+            port: 8081
+          failureThreshold: 5
+          periodSeconds: 30
+        startupProbe:
+          httpGet:
+            path: /service/rest/v1/status/writable
+            port: 8081
+          failureThreshold: 30
+          periodSeconds: 10
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: nexus3
+spec:
+  selector:
+    app: nexus3
+  ports:
+  - port: 8081
+    targetPort: 8081
+    name: ui
+  - port: 8083
+    targetPort: 8083
+    name: docker

tilt/nexus-cr/nexusPassword.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+## Get the nexus3 admin password and write to disk
+if ! [ -f "admin.txt" ]; then
+  ADMIN_PASSWORD=$(kubectl exec "$(tilt get kd nexus3 -ojsonpath='{.status.pods[0].name}')" -- cat /nexus-data/admin.password)
+  echo "$ADMIN_PASSWORD" > admin.txt
+  # Change the initial password to admin123
+  curl -ifu "admin:$ADMIN_PASSWORD" \
+    -X PUT \
+    -H 'Content-Type: text/plain' \
+    --data "admin123" \
+    http://localhost:80/service/rest/v1/security/users/admin/change-password
+fi

tilt/nexus-cr/nexusSetup.sh

@@ -0,0 +1,40 @@
+#!/bin/bash
+
+if ! [ -f "admin.txt" ]; then
+  echo "Ensure admin password is updated"
+  exit 1
+fi
+
+## Anonymous Access
+curl -X PUT \
+  'http://localhost/service/rest/v1/security/anonymous' \
+  -H 'accept: application/json' \
+  -H 'Content-Type: application/json' \
+  -u admin:admin123 \
+  -d '{
+  "enabled": true,
+  "userId": "admin",
+  "realmName": "NexusAuthenticatingRealm"
+}'
+
+# Create a docker repo
+curl -X POST \
+  http://localhost:80/service/rest/v1/repositories/docker/hosted \
+  -H "Content-Type: application/json" \
+  -u admin:admin123 \
+  -d '{
+    "name": "docker",
+    "online": true,
+    "storage": {
+      "blobStoreName": "default",
+        "strictContentTypeValidation": true,
+        "writePolicy": "allow_once",
+        "latestPolicy": true
+    },
+    "docker": {
+      "v1Enabled": true,
+      "forceBasicAuth": true,
+      "httpPort": 8083
+    }
+  }'
+

tilt/nexus-cr/nexuspvc.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: nexus3
+spec:
+  resources:
+    requests:
+      storage: 1Gi
+  volumeMode: Filesystem
+  accessModes:
+    - ReadWriteOnce

tilt/nexus-cr/nginx/values.yaml

@@ -0,0 +1,70 @@
+serverBlock: |-
+  server {
+    listen 8443 ssl;
+    resolver 10.96.0.10 valid=10s;
+    server_name nginx
+
+    ssl on;
+    ssl_certificate /certs/server.crt;
+    ssl_certificate_key /certs/server.key;
+
+    # Docker /v2 and /v1 (for search) requests
+    location /v2 {
+      proxy_set_header Host $host:$server_port;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto "https";
+      proxy_pass http://nexus3.default.svc.cluster.local:8081/repository/docker/$request_uri;
+    }
+    location /v1 {
+      proxy_set_header Host $host:$server_port;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto "https";
+      proxy_pass http://nexus3.default.svc.cluster.local:8081/repository/docker/$request_uri;
+    }
+
+    # Regular Nexus requests
+    location / {
+      proxy_set_header Host $host:$server_port;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto "https";
+      proxy_pass http://nexus3.default.svc.cluster.local:8081;
+    }
+  }
+
+  server {
+    listen 8080;
+    resolver 10.96.0.10 valid=10s;
+    server_name nginx
+
+    ssl off;
+
+    # Docker /v2 and /v1 (for search) requests
+    location /v2 {
+      proxy_set_header Host $host:$server_port;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto "http";
+      proxy_pass http://nexus3.default.svc.cluster.local:8081/repository/docker/$request_uri;
+    }
+    location /v1 {
+      proxy_set_header Host $host:$server_port;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto "http";
+      proxy_pass http://nexus3.default.svc.cluster.local:8081/repository/docker/$request_uri;
+    }
+
+    # Regular Nexus requests
+    location / {
+      proxy_set_header Host $host:$server_port;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto "http";
+      proxy_pass http://nexus3.default.svc.cluster.local:8081;
+    }
+  }
+tls:
+  enabled: true