travelaudience / kubernetes-nexus

Run Sonatype Nexus Repository Manager OSS on top of Kubernetes (GKE). Includes instructions for automated backups (GCS) and day-to-day usage.

License: Apache License 2.0

Shell 100.00%
nexus nexus-repository nexus-repository-manager kubernetes artifact-repository-manager google-cloud container-engine gke google-cloud-storage gcs

kubernetes-nexus's People

Contributors: acataldita, bmcustodio, cmoroianu1, ecejjar, emas80, mmziyad, pires, pteehan, vragusa


kubernetes-nexus's Issues

Keystore errors on GKE

Hi,

I'm following the steps to deploy nexus with the proxy on GKE and it is failing due to issues with the Java Key store:

{
 insertId: "ibljtdg4agry3a"
 labels: {…}
 logName: "projects/kubernetes-dmafra/logs/nexus-proxy"
 receiveTimestamp: "2019-04-09T19:02:02.356485455Z"
 resource: {…}
 severity: "INFO"
 textPayload: "java.lang.RuntimeException: java.io.IOException: Keystore was tampered with, or password was incorrect
	at io.vertx.ext.auth.jwt.impl.JWTAuthProviderImpl.<init>(JWTAuthProviderImpl.java:78)
	at io.vertx.ext.auth.jwt.JWTAuth.create(JWTAuth.java:41)
	at com.travelaudience.nexus.proxy.JwtAuth.<init>(JwtAuth.java:29)
	at com.travelaudience.nexus.proxy.JwtAuth.create(JwtAuth.java:53)
	at com.travelaudience.nexus.proxy.CloudIamAuthNexusProxyVerticle.init(CloudIamAuthNexusProxyVerticle.java:106)
	at io.vertx.core.impl.DeploymentManager.lambda$doDeploy$8(DeploymentManager.java:432)
	at io.vertx.core.impl.ContextImpl.lambda$wrapTask$2(ContextImpl.java:337)
	at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:163)
	at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:403)
	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:445)
	at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858)
	at java.lang.Thread.run(Thread.java:748)
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
	at com.sun.crypto.provider.JceKeyStore.engineLoad(JceKeyStore.java:879)
	at java.security.KeyStore.load(KeyStore.java:1445)
	at io.vertx.ext.auth.jwt.impl.JWTAuthProviderImpl.<init>(JWTAuthProviderImpl.java:66)
"
 timestamp: "2019-04-09T19:01:15.668490300Z"
}

and also some other errors such as "java.security.UnrecoverableKeyException: Password verification failed" or "Invalid keystore format at io.vertx.ext.auth.jwt.impl.JWTAuthProviderImpl."

I created the keystore as explained in the how-to with the following command:

keytool -genkey \
    -keystore keystore.jceks \
    -storetype jceks \
    -keyalg RSA \
    -keysize 2048 \
    -alias RS256 \
    -sigalg SHA256withRSA \
    -dname "CN=,OU=,O=,L=,ST=,C=" \
    -validity 3651

and was able to validate it with keytool -list -v -keystore keystore.jceks -storetype jceks

Not sure how to proceed here and get it working.
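Added example, not code from the kubernetes-nexus project: a Python check of the keystore material before it is handed to the proxy. It assumes the Secret value is the base64 encoding of the keystore.jceks produced by the keytool command above and that the proxy loads that JCEKS file; the sample store bytes are constructed, and the three verdicts map to the three errors quoted in the issue (wrong bytes, wrong store type, wrong password).

```python
import base64
import binascii
import struct

# Magic numbers the JDK writes in the first 4 bytes of a keystore file.
KEYSTORE_MAGIC = {0xCECECECE: "JCEKS", 0xFEEDFEED: "JKS"}

def decode_secret_value(value):
    """Decode one Secret data entry; None if it is not valid base64."""
    try:
        return base64.b64decode(value.replace("\n", ""), validate=True)
    except (binascii.Error, ValueError):
        return None

def keystore_type(blob):
    """Classify bytes as 'JCEKS', 'JKS', 'base64-text' (encoded twice) or 'unknown'."""
    if len(blob) < 4:
        return "unknown"
    (magic,) = struct.unpack(">I", blob[:4])
    if magic in KEYSTORE_MAGIC:
        return KEYSTORE_MAGIC[magic]
    # A value that was base64-encoded twice decodes to base64 text, not to a store.
    inner = decode_secret_value(blob.decode("ascii", "replace"))
    if inner is not None and keystore_type(inner) in KEYSTORE_MAGIC.values():
        return "base64-text"
    return "unknown"

def diagnose(secret_value, keystore_file_bytes):
    """Return a one-line verdict on why the proxy may reject the Secret."""
    blob = decode_secret_value(secret_value)
    if blob is None:
        return "secret value is not valid base64"
    kind = keystore_type(blob)
    if kind == "base64-text":
        return "secret is base64-encoded twice; store the raw keystore bytes once"
    if kind == "JKS":
        return "secret holds a JKS store; the how-to generates it with -storetype jceks"
    if kind != "JCEKS":
        return "secret does not start with a JDK keystore magic number"
    if blob != keystore_file_bytes:
        return "JCEKS magic is present but bytes differ from keystore.jceks (truncated or stale copy)"
    return "secret matches keystore.jceks; if the proxy still fails, the store password differs"

# Constructed stand-in for keystore.jceks: real stores are larger, but only the
# 4-byte magic and a byte-for-byte comparison matter to the checks above.
SAMPLE_JCEKS = bytes.fromhex("cececece00000002") + b"constructed-store-body"
GOOD_VALUE = base64.b64encode(SAMPLE_JCEKS).decode()
DOUBLE_ENCODED = base64.b64encode(GOOD_VALUE.encode()).decode()
JKS_VALUE = base64.b64encode(bytes.fromhex("feedfeed00000002") + b"x").decode()
```

Run diagnose() on the value from the rendered Secret and on the bytes of your local keystore.jceks; a "matches" verdict narrows the remaining cause to the store password.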

helm upgrade

Hello, I have an issue upgrading Nexus to the latest version. I'm using the following command:

helm upgrade --version 1.19.0 -f values.yaml nexus stable/sonatype-nexus

where values.yaml is:

statefulset:
  enabled: true

nexusBackup:
  enabled: true
  env:
    targetBucket: "gs://scm-nexus-backup"
  persistence:
    storageClass: standard
  nexusAdminPassword: "**********"

nexusProxy:
  env:
    nexusDockerHost: repository-container.domain.com
    nexusHttpHost: repository.domain.com

persistence:
  storageClass: standard
  storageSize: 100Gi

resources:
  requests:
    cpu: 250m
    memory: 4800Mi

but I'm stuck on the following error:

UPGRADE FAILED
Error: StatefulSet.apps "nexus-sonatype-nexus" is invalid: spec: Forbidden: updates to statefulset spec for fields other than 'replicas', 'template', and 'updateStrategy' are forbidden
Error: UPGRADE FAILED: StatefulSet.apps "nexus-sonatype-nexus" is invalid: spec: Forbidden: updates to statefulset spec for fields other than 'replicas', 'template', and 'updateStrategy' are forbidden

Is there something that I am doing wrong, or is there an issue with the StatefulSet deployment?
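Added example, not code from the kubernetes-nexus project: the API server error above lists the only StatefulSet spec fields that may change in place, so comparing the live object with the rendered one before running helm upgrade shows which field triggers the rejection. It assumes two JSON files, the live object from kubectl get statefulset -o json and the desired object rendered from the new values (converted to JSON); the sample specs, the claim name and the NEW_TAG image tag are constructed.

```python
import json
import sys

# The only spec fields the API server allows to change on an existing StatefulSet.
MUTABLE_FIELDS = {"replicas", "template", "updateStrategy"}

def canonical(value):
    """Stable JSON text so dicts with different key order compare equal."""
    return json.dumps(value, sort_keys=True)

def forbidden_changes(live_spec, desired_spec):
    """Return the immutable top-level spec fields whose values differ."""
    keys = set(live_spec) | set(desired_spec)
    return sorted(
        k for k in keys - MUTABLE_FIELDS
        if canonical(live_spec.get(k)) != canonical(desired_spec.get(k))
    )

def compare_files(live_path, desired_path):
    """Load two full StatefulSet objects (JSON) and compare their .spec."""
    with open(live_path) as f:
        live = json.load(f)["spec"]
    with open(desired_path) as f:
        desired = json.load(f)["spec"]
    return forbidden_changes(live, desired)

# Constructed sample: the release was installed with an 8Gi claim and the new
# values.yaml asks for storageSize 100Gi on storageClass 'standard'. Only the
# template change (image tag) would be accepted by the API server.
LIVE_SPEC = {
    "serviceName": "nexus-sonatype-nexus",
    "replicas": 1,
    "selector": {"matchLabels": {"app": "sonatype-nexus"}},
    "template": {"spec": {"containers": [
        {"name": "nexus", "image": "quay.io/travelaudience/docker-nexus:3.12.1"}]}},
    "volumeClaimTemplates": [{"metadata": {"name": "nexus-data"}, "spec": {
        "accessModes": ["ReadWriteOnce"],
        "resources": {"requests": {"storage": "8Gi"}}}}],
}
DESIRED_SPEC = json.loads(canonical(LIVE_SPEC))  # deep copy, then edit
DESIRED_SPEC["template"]["spec"]["containers"][0]["image"] = (
    "quay.io/travelaudience/docker-nexus:NEW_TAG")  # placeholder tag
DESIRED_SPEC["volumeClaimTemplates"][0]["spec"]["storageClassName"] = "standard"
DESIRED_SPEC["volumeClaimTemplates"][0]["spec"]["resources"]["requests"]["storage"] = "100Gi"

if __name__ == "__main__":
    if len(sys.argv) == 3:
        changed = compare_files(sys.argv[1], sys.argv[2])
    else:
        changed = forbidden_changes(LIVE_SPEC, DESIRED_SPEC)
    print("forbidden spec changes:", changed or "none")
```

A non-empty result means the StatefulSet has to be recreated (or the change reverted) rather than upgraded in place; volumeClaimTemplates in particular cannot be resized through the StatefulSet.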

Enable debugger

Hi,

I need to know if there is a way to enable a debugger on the proxy and on Nexus itself, because even after following the instructions multiple times I still can't get it to work. It seems the X-Forwarded-User header is not being passed correctly and I end up not being able to log on to Nexus; I get these errors:

image

Checking the cookies I saw that 3 different JWT tokens are present in the cookie, not sure if this is the expected behavior:

image

Nexus backup tasks ran but no backup files in GCS bucket

After following the instructions to configure the backups and double-checking that the backup tasks ran successfully, I still get no files in the GCS bucket created to store the backups.

By looking at the logs of the nexus-backup I see some errors:

$ kubectl logs nexus-0 nexus-backup
==> Checking whether Nexus is reachable.
==> Starting the backup procedure @ Thu Aug  3 04:00:02 UTC 2017.
==> Attempting to stop repositories.
==> Sleeping for 60 seconds.
==> Attempting to backup the 'default' blobstore.
tar: removing leading '/' from member names
Copying from <STDIN>...
ResumableUploadAbortException: 403 Insufficient Permission
(!) Couldn't backup the blobstore. Manual intervention is advised.
==> Attempting to backup the Nexus databases.
tar: removing leading '/' from member names
Copying from <STDIN>...
ResumableUploadAbortException: 403 Insufficient Permission
(!) Couldn't backup the databases. Manual intervention is advised.
==> Attempting to start repositories.
==> Finished the backup procedure @ Thu Aug  3 04:01:09 UTC 2017.
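Added example, not code from the kubernetes-nexus project: a small parser for the nexus-backup container log shown above. The backup task can report success inside Nexus while the upload to GCS is rejected, so a monitor should read the sidecar log rather than the task status; the sample log lines are constructed after the format in the issue, and the "(!)" and "==>" prefixes are taken from it.

```python
import re

STAGE_RE = re.compile(r"^==> (.*?)\.?$")
FAIL_RE = re.compile(r"^\(!\) (.*)$")
# gsutil-style upload errors, e.g. "ResumableUploadAbortException: 403 Insufficient Permission"
GCS_ERR_RE = re.compile(r"^(\w*Exception): (\d{3}) (.*)$")

def parse_backup_log(text):
    """Return the stages seen, the '(!)' failures, GCS error codes and an overall verdict."""
    result = {"stages": [], "failures": [], "gcs_errors": [], "ok": True}
    for line in text.splitlines():
        line = line.strip()
        m = STAGE_RE.match(line)
        if m:
            result["stages"].append(m.group(1))
            continue
        m = FAIL_RE.match(line)
        if m:
            result["failures"].append(m.group(1))
            result["ok"] = False
            continue
        m = GCS_ERR_RE.match(line)
        if m:
            result["gcs_errors"].append((m.group(1), int(m.group(2)), m.group(3)))
            result["ok"] = False
    # A run that never prints 'Finished' (pod killed mid-backup) is also a failure.
    if not any(s.startswith("Finished the backup procedure") for s in result["stages"]):
        result["ok"] = False
    return result

def explain(parsed):
    """One-line diagnosis; 403 from GCS means the pod's identity cannot write to the bucket."""
    codes = {code for _, code, _ in parsed["gcs_errors"]}
    if 403 in codes:
        return "upload rejected with 403: the pod's service account cannot write to the target bucket"
    if not parsed["ok"]:
        return "backup failed: " + "; ".join(parsed["failures"] or ["run did not finish"])
    return "backup finished without errors"

# Constructed sample log in the format printed by the nexus-backup container.
SAMPLE_LOG = """\
==> Checking whether Nexus is reachable.
==> Starting the backup procedure @ Thu Aug  3 04:00:02 UTC 2017.
==> Attempting to stop repositories.
==> Attempting to backup the 'default' blobstore.
tar: removing leading '/' from member names
Copying from <STDIN>...
ResumableUploadAbortException: 403 Insufficient Permission
(!) Couldn't backup the blobstore. Manual intervention is advised.
==> Attempting to start repositories.
==> Finished the backup procedure @ Thu Aug  3 04:01:09 UTC 2017.
"""
```

Feed it the output of kubectl logs nexus-0 nexus-backup; a 403 verdict points at the bucket permissions of the identity the pod runs as rather than at the backup task itself.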

TLS

I am trying to set up Nexus via HTTPS following the instructions.

I've created a static IP address named "nexus" and updated ingress settings as:
kubernetes.io/ingress.global-static-ip-name: nexus

After the ingress and nexus-proxy deployments I still don't see that IP in use, and kube-lego is failing to access Nexus to set up the certificate: authorization failed after 1m0s: reachability test failed: wrong status code '404'" context=acme domain=containers.mydomain.com

Please suggest,
Leo

Helm Initpw fails

Hello,

I'm using the Helm chart https://artifacthub.io/packages/helm/oteemo-charts/sonatype-nexus in version 5.3.5 for my deployment, and I call the helm install command via Terraform while setting up my infrastructure. With Terraform I generate a random password string (16 chars: 4 numbers, 8 letters, 4 other chars) and then call the Terraform helm provider with these settings:

initAdminPassword = {
     enabled  = false,
     password = random_string.service_nexus_password.id
}

IMHO with this setting Terraform generates a random password and should set it in Nexus, but the Kubernetes job initpw fails with the curl error "Failed to connect to nexus-sonatype-nexus.default port 8081: Operation timed out".

My Nexus pod is set with nodeSelector to special nodes but the initpw-job is executed on any free node, because in the Helm chart there is no possibility to define the nodeSelector to the initpw job.

How can I fix this, so that I can use the Terraform call to generate the initial admin password for Nexus? Thanks a lot.

nexus running on path other than /

Can you post an ingress example where Nexus is accessible on a host path other than /?
For example, the following does not work:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    ingress.kubernetes.io/rewrite-target: /
    ingress.kubernetes.io/add-base-url: "true"
  name: myingress
spec:
  rules:
  - host: mynexus.com
    http:
      paths:
      - path: /mypath
        backend:
          serviceName: mynexus-sonatype-nexus
          servicePort: 9988
  tls:
  - hosts:
    - mynexus.com
    secretName: nexus-cc-cert-secret

GCE ingress with routes always falls back to default-http-backend

I installed the helm chart 1.5.1 into a GKE cluster:
helm install -f values.yaml --name cicd stable/sonatype-nexus

When the ingress is ready, I always get "default backend - 404" when visiting my nexus service IP/host.

$ kubectl describe ingress/cicd-nexus-sonatype-nexus
Name:             cicd-nexus-sonatype-nexus
Namespace:        default
Address:          35.190.xxx.xxx
Default backend:  default-http-backend:80 (10.0.1.3:8080)
TLS:
  nexus-tls terminates container.graphconnected.com,nexus.graphconnected.com
Rules:
  Host                          Path  Backends
  ----                          ----  --------
  container.foo.com
                                /*   cicd-nexus-sonatype-nexus:8080 (<none>)
  nexus.foo.com
                                /*   cicd-nexus-sonatype-nexus:8080 (<none>)
Annotations:
  backends:         {"k8s-be-32262--fa005fc45b78c698":"HEALTHY","k8s-be-32273--fa005fc45b78c698":"HEALTHY"}
  forwarding-rule:  k8s-fw-default-cicd-nexus-sonatype-nexus--fa005fc45b78c698
  target-proxy:     k8s-tp-default-cicd-nexus-sonatype-nexus--fa005fc45b78c698
  url-map:          k8s-um-default-cicd-nexus-sonatype-nexus--fa005fc45b78c698
Events:
  Type    Reason   Age               From                     Message
  ----    ------   ----              ----                     -------
  Normal  Service  2m (x10 over 1h)  loadbalancer-controller  no user specified default backend, using system default

Output from the dry run (helm install --dry-run --debug -f values.yaml stable/sonatype-nexus):

# Source: sonatype-nexus/templates/ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: angry-whippet-sonatype-nexus
  labels:
    app: sonatype-nexus
    fullname: angry-whippet-sonatype-nexus
    chart: sonatype-nexus-1.5.1
    release: angry-whippet
    heritage: Tiller
  annotations:
    kubernetes.io/ingress.allow-http: "true"
    kubernetes.io/ingress.class: "gce"
    kubernetes.io/ingress.global-static-ip-name: "kubernetes-ingress-static-ip"
    kubernetes.io/tls-acme: "true"
spec:
  rules:
    - host: container.foo.com
      http:
        paths:
          - backend:
              serviceName: angry-whippet-sonatype-nexus
              servicePort: 8080
            path: /*
    - host: nexus.foo.com
      http:
        paths:
          - backend:
              serviceName: angry-whippet-sonatype-nexus
              servicePort: 8080
            path: /*
  tls:
    - hosts:
        - container.foo.com
        - nexus.foo.com
      secretName: "nexus-tls"

My full values.yaml content:

replicaCount: 1

nexus:
  imageName: quay.io/travelaudience/docker-nexus
  imageTag: 3.12.1
  imagePullPolicy: IfNotPresent
  env:
    - name: install4jAddVmParams
      value: "-Xms1200M -Xmx1200M -XX:MaxDirectMemorySize=2G -XX:+UnlockExperimentalVMOptions -XX:+UseCGroupMemoryLimitForHeap"
  # nodeSelector:
  #   cloud.google.com/gke-nodepool: default-pool
  resources: {}
    # requests:
      ## Based on https://support.sonatype.com/hc/en-us/articles/115006448847#mem
      ## and https://twitter.com/analytically/status/894592422382063616:
      ##   Xms == Xmx
      ##   Xmx <= 4G
      ##   MaxDirectMemory >= 2G
      ##   Xmx + MaxDirectMemory <= RAM * 2/3 (hence the request for 4800Mi)
      ##   MaxRAMFraction=1 is not being set as it would allow the heap
      ##     to use all the available memory.
      # cpu: 250m
      # memory: 4800Mi
  # The ports should only be changed if the nexus image uses a different port
  dockerPort: 5003
  nexusPort: 8081
  serviceType: NodePort
  # securityContext:
  #   fsGroup: 2000
  livenessProbe:
    initialDelaySeconds: 30
    periodSeconds: 30
    failureThreshold: 6
    path: /
  readinessProbe:
    initialDelaySeconds: 30
    periodSeconds: 30
    failureThreshold: 6
    path: /

nexusProxy:
  imageName: quay.io/travelaudience/docker-nexus-proxy
  imageTag: 2.2.0
  imagePullPolicy: IfNotPresent
  port: 8080
  env:
    nexusDockerHost: container.foo.com
    nexusHttpHost: nexus.foo.com
    enforceHttps: false
    cloudIamAuthEnabled: false
## If cloudIamAuthEnabled is set to true uncomment the variables below and remove this line
  #   clientId: ""
  #   clientSecret: ""
  #   organizationId: ""
  #   redirectUrl: ""
  # secrets:
  #   keystore: ""
  #   password: ""
  resources: {}
    # requests:
      # cpu: 100m
      # memory: 256Mi
    # limits:
      # cpu: 200m
      # memory: 512Mi
persistence:
  enabled: true
  accessMode: ReadWriteOnce
  ## If defined, storageClass: <storageClass>
  ## If set to "-", storageClass: "", which disables dynamic provisioning
  ## If undefined (the default) or set to null, no storageClass spec is
  ##   set, choosing the default provisioner.  (gp2 on AWS, standard on
  ##   GKE, AWS & OpenStack)
  ##
  # existingClaim:
  # annotations:
  #  "helm.sh/resource-policy": keep
  # storageClass: "-"
  storageSize: 8Gi

nexusBackup:
  enabled: false
  imageName: quay.io/travelaudience/docker-nexus-backup
  imageTag: 1.2.0
  imagePullPolicy: IfNotPresent
  env:
    targetBucket:
  nexusAdminPassword: "admin123"
  persistence:
    enabled: true
    # existingClaim:
    # annotations:
    #  "helm.sh/resource-policy": keep
    accessMode: ReadWriteOnce
    # See comment above for information on setting the backup storageClass
    # storageClass: "-"
    storageSize: 8Gi

ingress:
  enabled: true
  path: /*
  annotations: 
    # NOTE: Can't use 'false' due to https://github.com/jetstack/kube-lego/issues/173.
    kubernetes.io/ingress.allow-http: true
    kubernetes.io/ingress.class: "gce"
    kubernetes.io/ingress.global-static-ip-name: "kubernetes-ingress-static-ip"
    kubernetes.io/tls-acme: true
  tls:
    enabled: true
    secretName: nexus-tls

Please advise.

Thanks!
