Overview:
Nexus Lifecycle products can be installed on OpenShift clusters using Operators and Helm charts. This article explains how to install Nexus Lifecycle using the Sonatype Helm charts.
Prerequisites:
1. Administrator access to an existing OpenShift cluster
2. Add the Sonatype Helm repo
$ helm repo add sonatype https://sonatype.github.io/helm3-charts/
3. Nexus Lifecycle license file, saved in the current directory (this KB refers to the file as nxlicense.lic)
4. A SecurityContextConstraints (SCC) object that allows the IQ pod to run as user ID 1000.
Use the YAML file below to create the SCC if it does not already exist.
$ more nexusiq-scc.yaml
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: nexusiq-scc
priority: 9
readOnlyRootFilesystem: false
requiredDropCapabilities: null
allowPrivilegeEscalation: true
runAsUser:
  type: MustRunAs
  uid: 1000
runAsGroup:
  type: MustRunAs
  uid: 1000
supplementalGroups:
  type: MustRunAs
  ranges:
  - min: 1000
    max: 1000
fsGroup:
  type: MustRunAs
  ranges:
  - min: 1000
    max: 1000
seLinuxContext:
  type: MustRunAs
seccompProfiles:
- runtime/default
# the service account is also granted explicitly in step 3 of the procedure;
# the namespace here must match the one used there
users:
- system:serviceaccount:iq:nexus-iq-sa
groups: []
$ oc create -f nexusiq-scc.yaml
securitycontextconstraints.security.openshift.io/nexusiq-scc created
Procedure:
1. Create a new project / namespace for the Nexus Lifecycle deployment
$ oc create namespace nxiq
namespace/nxiq created
2. Create a new service account for this deployment
$ oc create sa nexus-iq-sa -n nxiq
serviceaccount/nexus-iq-sa created
3. Add the newly created service account to the Nexus SCC.
$ oc adm policy add-scc-to-user nexusiq-scc system:serviceaccount:nxiq:nexus-iq-sa
clusterrole.rbac.authorization.k8s.io/system:openshift:scc:nexusiq-scc added: "nexus-iq-sa"
4. Create a myvalues.yaml file with the values below. We highly recommend using an external database in container environments.
The JAVA_OPTS arguments below connect to a PostgreSQL server (hostname postgres), a database named iqdb, as user iq with password iq123. Edit myvalues.yaml with your local values as shown below to configure an external database.
iq:
  name: nxiq
  hostname: iq-server.demo
  applicationPort: 8070
  adminPort: 8071
  # base64-encoded license file with no line breaks
  licenseSecret: "cylwwtYx6FiIrqpvQh...."
  env:
    - name: JAVA_OPTS
      # replace hostname, database name, username and password with your own values;
      # note that the password is stored in clear text in this file and in the pod spec
      value: "-Djava.util.prefs.userRoot=$(SONATYPE_WORK)/javaprefs -Ddw.database.type=postgresql -Ddw.database.hostname=postgresql.tools -Ddw.database.port=5432 -Ddw.database.name=iqdb -Ddw.database.username=iq -Ddw.database.password=iq123"
serviceAccount:
  create: false
  name: nexus-iq-sa
5. Use the myvalues.yaml file with the helm command to deploy Nexus Lifecycle
$ helm install iq1 -n nxiq -f myvalues.yaml sonatype/nexus-iq-server
NAME: iq1
LAST DEPLOYED: Thu Feb 15 17:50:25 2024
NAMESPACE: nxiq
STATUS: deployed
REVISION: 1
NOTES:
1. Get the application URL by running these commands:
export POD_NAME=$(kubectl get pods --namespace nxiq -l "app.kubernetes.io/name=nexus-iq-server,app.kubernetes.io/instance=iq1" -o jsonpath="{.items[0].metadata.name}")
kubectl --namespace nxiq port-forward $POD_NAME 8070:8070
Your application is available at http://127.0.0.1:8070
6. Create a Route object that selects the Service object created by the Helm chart and its application port.
7. Access the Nexus IQ UI using the Location URL from the Route object.
8. Set the BaseUrl to the Location URL from the Route object.
9. Create organizations / applications and start application scans.
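The following helper script is an added example for the myvalues.yaml step and the Route step above; it is not part of this article or of the Sonatype chart. It assumes a POSIX shell with base64(1), and every name it uses (nxiq, iq1-nexus-iq-server, postgresql.tools, iq.apps.example.com) is an assumed example value. It covers the one pitfall that most often breaks the license value (base64 line wrapping) and fronts the UI with an edge-TLS Route instead of plain HTTP.

```shell
#!/bin/sh
# Added helper; not from the article or the Sonatype chart. Assumes POSIX sh
# with base64(1). All names (nxiq, iq1, postgresql.tools, ...) are examples.
# iq.licenseSecret must be the license file base64-encoded on ONE line.
# GNU base64 wraps at 76 columns by default, so strip every newline.
encode_license() {
  base64 "$1" | tr -d '\n'
}
# myvalues.yaml for an external PostgreSQL database.
# $1 license file, $2 db host, $3 db name, $4 db user; password comes from
# $IQ_DB_PASSWORD so it is not typed on the command line.
render_values() {
  lic=$(encode_license "$1")
  cat <<EOF
iq:
  name: nxiq
  hostname: iq-server.demo
  applicationPort: 8070
  adminPort: 8071
  licenseSecret: "${lic}"
  env:
    - name: JAVA_OPTS
      value: "-Djava.util.prefs.userRoot=\$(SONATYPE_WORK)/javaprefs -Ddw.database.type=postgresql -Ddw.database.hostname=${2} -Ddw.database.port=5432 -Ddw.database.name=${3} -Ddw.database.username=${4} -Ddw.database.password=${IQ_DB_PASSWORD}"
serviceAccount:
  create: false
  name: nexus-iq-sa
EOF
}
# Route for the UI with edge TLS termination and HTTP->HTTPS redirect.
# $1 namespace, $2 Service name created by the chart (oc get svc -n nxiq),
# $3 external hostname.
render_route() {
  cat <<EOF
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: ${2}
  namespace: ${1}
spec:
  host: ${3}
  to:
    kind: Service
    name: ${2}
  port:
    targetPort: 8070
  tls:
    termination: edge
    insecureEdgeTerminationPolicy: Redirect
EOF
}
```

Generate the values file with IQ_DB_PASSWORD set in the environment and redirect render_values to myvalues.yaml before helm install; after the chart is deployed, pipe render_route (with the Service name from oc get svc) into oc apply -f - to create the Route.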