Nexus installation

Reference (this official one looks fairly old and requires the Pro version, so skip it): https://help.sonatype.com/repomanager3/planning-your-implementation/resiliency-and-high-availability/single-data-center-on-premises-deployment-example-using-kubernetes

Reference: https://segmentfault.com/a/1190000040446848

Reference: https://devopscube.com/setup-nexus-kubernetes/

Reference: https://cloud.tencent.com/developer/article/1622308

Reference: https://artifacthub.io/packages/helm/sonatype/nexus-repository-manager

Installation

Reference: https://artifacthub.io/packages/helm/sonatype/nexus-repository-manager

⚠️ Archive Notice ⚠️

As of October 24, 2023, we will no longer update or support this Helm chart.

Create the nexus namespace and make it the default namespace of the current context

kubectl create ns nexus
kubectl config set-context --current --namespace nexus
kubectl config get-contexts 

Pull the chart from the Helm repository and unpack it, then have a look at the actual configuration first

helm repo add sonatype https://sonatype.github.io/helm3-charts/
helm search repo
helm pull sonatype/nexus-repository-manager --untar

Then copy values.yaml under a new name and keep the custom configuration in that copy

[root@jingmin-kube-archlinux nexus-repository-manager]# cp values.yaml my-override-values.yaml
[root@jingmin-kube-archlinux nexus-repository-manager]# vim my-override-values.yaml
[root@jingmin-kube-archlinux nexus-repository-manager]# cat my-override-values.yaml 

Below is my custom configuration

ingress:
  enabled: true
  ingressClassName: nginx
  annotations:
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
  hostPath: /
  hostRepo: nexus.ole12138.cn
  tls:
    - secretName: nexus-ole12138-cn-tls
      hosts:
        - nexus.ole12138.cn


persistence:
  enabled: true
  accessMode: ReadWriteOnce
  ## If defined, storageClass: <storageClass>
  ## If set to "-", storageClass: "", which disables dynamic provisioning
  ## If undefined (the default) or set to null, no storageClass spec is
  ##   set, choosing the default provisioner.  (gp2 on AWS, standard on
  ##   GKE, AWS & OpenStack)
  ##
  # existingClaim:
  # annotations:
  #  "helm.sh/resource-policy": keep
  # storageClass: "-"
  storageSize: 8Gi
  # If PersistentDisk already exists you can create a PV for it by including the 2 following keypairs.
  # pdName: nexus-data-disk
  # fsType: ext4


# Enable configmap and add data in configmap
config:
  enabled: false
  mountPath: /sonatype-nexus-conf
  data: []

# # To use an additional secret, set enable to true and add data
secret:
  enabled: false
  mountPath: /etc/secret-volume
  readOnly: true
  data: []

Here the ingress is enabled and configured.

persistence is left unchanged and uses the default StorageClass.

config and secret are left unchanged; they are listed here only to make later configuration changes easier.

Install Nexus with Helm, using the custom values file to override part of the defaults

cd ..
helm install nexus -f ./nexus-repository-manager/my-override-values.yaml ./nexus-repository-manager/

Wait a moment, then check mainly whether all the pods have come up

kubectl get all,cm,secrets,ingress,cr

The domain I configured in the ingress is nexus.ole12138.cn, so a DNS record also has to be created at the domain registrar, pointing it to the ingress IP.

Open https://nexus.ole12138.cn in a browser. It warns that the connection is not secure; continue anyway. Then click Login on the right; a prompt tells you where the default password of the admin account is located.

Your admin user password is located in
/nexus-data/admin.password on the server.

Look inside the container

[root@jingmin-kube-archlinux Downloads]# kubectl exec -it pods/nexus-nexus-repository-manager-6c9d6f679-vg4nr -- /bin/bash
bash-4.4$ cat /nexus-data/admin.password && echo 
3a573849-da46-4c3e-a1ef-89fb4c962d92
bash-4.4$ exit

So the initial admin password is

3a573849-da46-4c3e-a1ef-89fb4c962d92

Then log in with this password in the browser and change the password to

Nexus12345

Disable anonymous access.
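The same bootstrap steps (read the initial password from the pod, change it, disable anonymous access) can be done from the shell instead of the browser. This is an added example, not code from the original post; it assumes kubectl points at the nexus namespace, that the chart labels the pod with app.kubernetes.io/name=nexus-repository-manager (the label the page shows on the ingress), and the Nexus 3 REST endpoints for password change and anonymous access.

```shell
#!/bin/sh
# Added example, not from the original post: bootstrap the admin account of a
# freshly installed Nexus from the shell. Endpoint paths are the Nexus 3 REST API
# as assumed in the lead-in; verify them against your version.
set -eu

NEXUS_URL="${NEXUS_URL:-https://nexus.ole12138.cn}"

# The initial password is a UUID written to /nexus-data/admin.password. Nexus
# deletes that file after the first password change, so a non-UUID result means
# the instance was already bootstrapped and the old password must come from elsewhere.
is_uuid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
}

# Read the initial password straight from the running pod (assumed pod label).
initial_admin_password() {
  pod="$(kubectl get pods -l app.kubernetes.io/name=nexus-repository-manager \
          -o jsonpath='{.items[0].metadata.name}')"
  kubectl exec "$pod" -- cat /nexus-data/admin.password
}

# change_admin_password OLD NEW: text/plain body, basic auth with the old password.
# Note: the password is visible in the local process list while curl runs.
change_admin_password() {
  curl -fsS -u "admin:$1" -X PUT \
    "$NEXUS_URL/service/rest/v1/security/users/admin/change-password" \
    -H 'Content-Type: text/plain' --data "$2"
}

# JSON body for the anonymous-access endpoint; "false" closes anonymous browsing.
anonymous_access_body() {
  printf '{"enabled": %s, "userId": "anonymous", "realmName": "NexusAuthorizingRealm"}' "$1"
}

disable_anonymous_access() {
  curl -fsS -u "admin:$1" -X PUT "$NEXUS_URL/service/rest/v1/security/anonymous" \
    -H 'Content-Type: application/json' --data "$(anonymous_access_body false)"
}

# Usage: NEW_ADMIN_PASSWORD='...' sh nexus-bootstrap.sh
if [ -n "${NEW_ADMIN_PASSWORD:-}" ]; then
  old="$(initial_admin_password)"
  is_uuid "$old" || { echo "admin.password is not an initial password; already bootstrapped?" >&2; exit 1; }
  change_admin_password "$old" "$NEW_ADMIN_PASSWORD"
  disable_anonymous_access "$NEW_ADMIN_PASSWORD"
fi
```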

Configure the TLS certificate

Looking at the site's certificate, it is the default self-signed certificate from k8s.

Next, configure a cert-manager issuer so that the certificate is issued by Let's Encrypt instead.

cert-manager was set up in a previous chapter; the staging and production issuers (backed by Let's Encrypt) still have to be created in the current namespace.

Change the email part: it is used to register the account, and future notices such as certificate expiry will be sent to that address.

[root@jingmin-kube-archlinux issuer]# vim staging-issuer.yaml 
[root@jingmin-kube-archlinux issuer]# cat staging-issuer.yaml 
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # The ACME server URL
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: 784319947@qq.com
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-staging
    # Enable the HTTP-01 challenge provider
    solvers:
      - http01:
          ingress:
            ingressClassName: nginx

Deploy the staging issuer

kubectl create -f ./staging-issuer.yaml 

Create the production issuer in the same way

wget https://raw.githubusercontent.com/cert-manager/website/master/content/docs/tutorials/acme/example/production-issuer.yaml

Likewise, change the email to your own

[root@jingmin-kube-archlinux issuer]# vim production-issuer.yaml 
[root@jingmin-kube-archlinux issuer]# cat production-issuer.yaml 
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: 784319947@qq.com
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    # Enable the HTTP-01 challenge provider
    solvers:
      - http01:
          ingress:
            ingressClassName: nginx

Deploy it into the current namespace

kubectl create -f ./production-issuer.yaml

Both issuers send their challenge to Let's Encrypt via HTTP-01.

kubectl describe issuer

In the description of each issuer there should be a line Message: The ACME account was registered with the ACME server

In the ingress,

add the cert-manager issuer annotation cert-manager.io/issuer: letsencrypt-staging

and add the tls section with hosts and secretName (the secretName can be any name; cert-manager creates the secret automatically)

[root@jingmin-kube-archlinux nexus-repository-manager]# kubectl edit ingress nexus-nexus-repository-manager 
ingress.networking.k8s.io/nexus-nexus-repository-manager edited
[root@jingmin-kube-archlinux nexus-repository-manager]# kubectl get ingress nexus-nexus-repository-manager -o yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/issuer: letsencrypt-staging
    meta.helm.sh/release-name: nexus
    meta.helm.sh/release-namespace: nexus
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
  creationTimestamp: "2023-08-28T13:17:02Z"
  generation: 1
  labels:
    app.kubernetes.io/instance: nexus
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: nexus-repository-manager
    app.kubernetes.io/version: 3.59.0
    helm.sh/chart: nexus-repository-manager-59.0.0
  name: nexus-nexus-repository-manager
  namespace: nexus
  resourceVersion: "1370844"
  uid: 9f4d0be2-ed14-47f2-a055-861cf6595d1e
spec:
  ingressClassName: nginx
  rules:
  - host: nexus.ole12138.cn
    http:
      paths:
      - backend:
          service:
            name: nexus-nexus-repository-manager
            port:
              number: 8081
        path: /
        pathType: Prefix
  tls:
  - hosts:
    - nexus.ole12138.cn
    secretName: nexus-ole12138-cn-tls
status:
  loadBalancer:
    ingress:
    - ip: 192.168.1.100

Access the ingress address https://nexus.ole12138.cn/ over https in the browser. A warning still appears; inspect the certificate and its issuer (although it is flagged as invalid, it is no longer the default fake certificate from k8s, so it is the staging certificate issued by Let's Encrypt).

Now edit the issuer in the ingress annotations again, switching to the production issuer. Note the line: cert-manager.io/issuer: letsencrypt-prod

[root@jingmin-kube-archlinux nexus-repository-manager]# kubectl edit ingress nexus-nexus-repository-manager 
ingress.networking.k8s.io/nexus-nexus-repository-manager edited
[root@jingmin-kube-archlinux nexus-repository-manager]# kubectl get ingress nexus-nexus-repository-manager -o yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/issuer: letsencrypt-prod
    meta.helm.sh/release-name: nexus
    meta.helm.sh/release-namespace: nexus
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
  creationTimestamp: "2023-08-28T13:17:02Z"
  generation: 1
  labels:
    app.kubernetes.io/instance: nexus
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: nexus-repository-manager
    app.kubernetes.io/version: 3.59.0
    helm.sh/chart: nexus-repository-manager-59.0.0
  name: nexus-nexus-repository-manager
  namespace: nexus
  resourceVersion: "1371203"
  uid: 9f4d0be2-ed14-47f2-a055-861cf6595d1e
spec:
  ingressClassName: nginx
  rules:
  - host: nexus.ole12138.cn
    http:
      paths:
      - backend:
          service:
            name: nexus-nexus-repository-manager
            port:
              number: 8081
        path: /
        pathType: Prefix
  tls:
  - hosts:
    - nexus.ole12138.cn
    secretName: nexus-ole12138-cn-tls
status:
  loadBalancer:
    ingress:
    - ip: 192.168.1.100

Access the Nexus ingress address https://nexus.ole12138.cn/ over https in the browser once more. If everything is fine it opens directly without any warning. Look at the padlock icon in front of the address bar, click it to view the certificate, and confirm that it was issued by Let's Encrypt.
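The browser checks in the staging and production steps above can be scripted, which is handy when re-issuing later or when more than one ingress host is involved. This is an added example, not code from the original post; it assumes openssl is installed, that the host resolves to the ingress IP, and matches on the issuer names used by the ingress-nginx fake certificate and by Let's Encrypt.

```shell
#!/bin/sh
# Added example, not from the original post: tell from the shell which certificate
# the ingress is actually serving (k8s fake default, Let's Encrypt staging, or
# Let's Encrypt production) instead of inspecting it in the browser.
set -eu

# classify_issuer ISSUER_LINE -> fake-default | letsencrypt-staging | letsencrypt-prod | other
# The ingress-nginx default certificate is self-signed with
# CN=Kubernetes Ingress Controller Fake Certificate. Let's Encrypt staging issuers
# carry "(STAGING)" in their names and also contain "Let's Encrypt", so the
# staging check has to come before the production one.
classify_issuer() {
  case "$1" in
    *"Kubernetes Ingress Controller Fake Certificate"*) echo fake-default ;;
    *"(STAGING)"*)                                      echo letsencrypt-staging ;;
    *"Let's Encrypt"*)                                  echo letsencrypt-prod ;;
    *)                                                  echo other ;;
  esac
}

# fetch_issuer HOST [PORT] -> issuer line of the leaf certificate served for HOST (with SNI)
fetch_issuer() {
  printf '' | openssl s_client -servername "$1" -connect "$1:${2:-443}" 2>/dev/null \
    | openssl x509 -noout -issuer
}

# check_ingress_cert HOST EXPECTED -> exit status 0 only if the served certificate matches
check_ingress_cert() {
  issuer="$(fetch_issuer "$1")"
  got="$(classify_issuer "$issuer")"
  echo "$1: $issuer ($got)"
  [ "$got" = "$2" ]
}

# Usage: CHECK_HOST=nexus.ole12138.cn EXPECT=letsencrypt-prod sh cert-check.sh
# (EXPECT=letsencrypt-staging while the staging issuer is still annotated)
if [ -n "${CHECK_HOST:-}" ]; then
  check_ingress_cert "$CHECK_HOST" "${EXPECT:-letsencrypt-prod}"
fi
```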

Configure repositories

//TODO
