feat: additional ca cert chain var (#14)

docs: add notes about ac and disconnected environments feat: add additional expose template
defenseunicorns · Jun 10, 2024 · a03ba4c · a03ba4c
1 parent 26d4c99
commit a03ba4c
Show file tree

Hide file tree

Showing 7 changed files with 27 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -27,4 +27,18 @@ Bigbang [Nexus Repository Manager](https://repo1.dso.mil/big-bang/product/packag
 #### NEXUS_VM_PARAMS
 - This package provides the same default as the upstream registry1 chart. You may need to update these to your needs.
 
-`-Dcom.redhat.fips=false -Xms2703M -Xmx2703M -XX:MaxDirectMemorySize=2703M -XX:+UnlockExperimentalVMOptions -XX:+UseContainerSupport -Djava.util.prefs.userRoot=/nexus-data/javaprefs`
+`-Dcom.redhat.fips=false -Xms2703M -Xmx2703M -XX:MaxDirectMemorySize=2703M -XX:+UnlockExperimentalVMOptions -XX:+UseContainerSupport -Djava.util.prefs.userRoot=/nexus-data/javaprefs`
+
+#### Additional Notes
+##### Access Control
+- Information about configuring access controls and related topics such as realms, privileges, roles, default roles, ect can be found [here](https://help.sonatype.com/en/access-control.html#related-topics)
+
+- To assign a Default Role to an authenticated user follow these steps.
+  - Ensure the Default Role Realm is Active
+  ![active-realms](docs/images/active-realms.png)
+  - Create a Capability using the capability type *Default Role* and the role you would like to use for authenticated users
+  ![default-role-capability](docs/images/default-role-capability.png)
+
+##### Disconnected Environments
+- When deploying in a disconnected environment, you will want to disable the outreach management capability.
+![outreach-settings](docs/images/outreach-management-settings.png)
diff --git a/chart/templates/uds-package.yaml b/chart/templates/uds-package.yaml
@@ -25,11 +25,14 @@ spec:
   network:
     expose:
       - service: nexus-nexus-repository-manager
-        podLabels:
+        selector:
           app: nexus-repository-manager
         gateway: tenant
         host: nexus
         port: 8081
+      {{ if .Values.additionalNetworkExposures }}
+      {{- toYaml .Values.additionalNetworkExposures | nindent 6 }}
+      {{- end }}
     allow:
       - direction: Ingress
         remoteGenerated: IntraNamespace

diff --git a/chart/values.yaml b/chart/values.yaml
@@ -4,3 +4,4 @@ sso:
   # Replace with https://nexus to match what nexus is using once UDS bug is fixed.
   # This package replaces this automatically on deployment
   clientId: replace-me-with-nexus-entity-uri
+additionalNetworkExposures: []
diff --git a/docs/images/active-realms.png b/docs/images/active-realms.png
diff --git a/docs/images/default-role-capability.png b/docs/images/default-role-capability.png
diff --git a/docs/images/outreach-management-settings.png b/docs/images/outreach-management-settings.png
diff --git a/zarf.yaml b/zarf.yaml
@@ -44,6 +44,7 @@ variables:
     default: "-Dcom.redhat.fips=false -Xms2703M -Xmx2703M -XX:MaxDirectMemorySize=2703M -XX:+UnlockExperimentalVMOptions -XX:+UseContainerSupport -Djava.util.prefs.userRoot=/nexus-data/javaprefs"
   - name: NEXUS_SECURITY_RANDOMPASSWORD
     default: "true"
+  - name: ADDITIONAL_CA_CHAIN
 
 components:
   - name: keycloak-idp-metadata
@@ -54,7 +55,12 @@ components:
         before:
           - cmd: |
               if [ "${ZARF_VAR_NEXUS_SSO_ENABLED}" = "true" ]; then
-                curl https://sso.${ZARF_VAR_DOMAIN}/realms/uds/protocol/saml/descriptor
+                if [ -z "${ZARF_VAR_ADDITIONAL_CA_CHAIN}" ]; then
+                  curl https://sso.${ZARF_VAR_DOMAIN}/realms/uds/protocol/saml/descriptor
+                else
+                  echo "${ZARF_VAR_ADDITIONAL_CA_CHAIN}" | base64 --decode > /tmp/ca_cert.crt
+                  curl --cacert /tmp/ca_cert.crt https://sso.${ZARF_VAR_DOMAIN}/realms/uds/protocol/saml/descriptor
+                fi
               fi
             mute: true
             setVariables: