Comments (8)
@ozbillwang that sounds like a strange policy when running containers in Kubernetes.
I assume you're familiar with the ingress controller pattern? The controller is fundamentally a container with an SSL certificate that routes requests to other cluster containers that aren't exposed out of the cluster. If you need certificates for pod to pod communication you're going to need something like a service mesh to provide mTLS, but this would usually be a sidecar. It might be possible to put a cert on Nexus and still use an ingress controller, but it is not something I'm willing to support and automate.
If you're still trying to add your actual certificate into Nexus you can set the service type to LoadBalancer, which, if you're running on a public cloud (e.g. GCP, AWS, ...), will provision an external load balancer. You will need to figure out the correct annotations for your cloud provider and expose it over HTTP first so you can manually set up HTTPS. I would STRONGLY advise against this pattern. If you're not going to use Kubernetes features such as ingress, then for something like Nexus, which can only ever be a single container, you might as well host it elsewhere.
from helm-charts.
@ozbillwang I would suggest confirming the requirement for a cert on every container vs every pod. Idiomatic Kubernetes would support every pod and you could either use a service mesh or look at running your ingress gateway as a sidecar in your Nexus pod. A cert on every container just doesn't compute and would be far more effort than it was worth.
My suggestion would be to look at the functional requirements, such as mTLS, rather than the legacy way of implementing that, cert on everything, as Kubernetes is a new paradigm that has different ways of working. For our high value businesses (banking, insurance, etc) we're using a service mesh, with mTLS and whitelist egress, plus additional network policies.
from helm-charts.
Hi @ozbillwang, my Nexus3 Helm chart uses a standard Kubernetes ingress resource and so it does very much support HTTPS assuming you've set up your cluster to enable it.
from helm-charts.
Thanks, maybe I didn't express clearly.
Regarding this document (https://help.sonatype.com/repomanager3/system-configuration/configuring-ssl), mostly I'd like to enable inbound ssl on nexus server directly.
I didn't see the setting in this chart. Can you point me to the keystore setup, SSL enablement, etc., if it is already supported?
from helm-charts.
@ozbillwang I'm not sure why you'd want to do this in Nexus itself? If you're using a Helm chart I'd suggest that the idiomatic way for doing HTTPS is with the ingress controller.
from helm-charts.
That's the current company policy I am working under: all SSL, even for the running applications in containers.
from helm-charts.
I totally agree with you, that's a weird requirement. But if you have the chance to work for governments or banks, they ask for this: SSL on every layer, not only HTTPS at the edge, but inside the containers as well.
I have to set up two layers of SSL, one on the nginx ingress (HTTPS), the other in Nexus itself, which would be a JKS keystore (Nexus is a Java application).
It seems I have to add extra code based on your chart. I need to research it in more depth.
Anyway, I appreciate your comments.
from helm-charts.
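The two-layer setup discussed above (TLS terminated on the nginx ingress, then re-encrypted to a Nexus listener backed by a JKS keystore, as in the Sonatype "Configuring SSL" document the question links to), written out as plain Kubernetes manifests. This is an added example, not code from the helm-charts nexus3 chart or from either commenter; the names `nexus-properties`, `nexus-keystore`, `nexus-tls`, `nexus.example.com` and the Deployment/Service names are assumptions, and the chart itself has no values for this, so these objects would have to be added alongside or on top of what the chart renders.

```yaml
# Added example (not the nexus3 chart's own templates). Assumed names:
# nexus-properties, nexus-keystore, nexus-tls, nexus.example.com, Service "nexus".
---
# Layer 2: Nexus's own HTTPS listener. Nexus reads $data-dir/etc/nexus.properties
# (/nexus-data/etc/nexus.properties in the sonatype/nexus3 image) and expects the
# keystore at ${ssl.etc}/keystore.jks when jetty-https.xml is on the nexus-args list.
apiVersion: v1
kind: ConfigMap
metadata:
  name: nexus-properties
data:
  nexus.properties: |
    application-port=8081
    application-port-ssl=8443
    nexus-args=${jetty.etc}/jetty.xml,${jetty.etc}/jetty-http.xml,${jetty.etc}/jetty-https.xml,${jetty.etc}/jetty-requestlog.xml
    ssl.etc=${karaf.data}/etc/ssl
---
# The JKS keystore, created out of band (keytool, or converted from the corporate
# PEM with openssl pkcs12 + keytool -importkeystore) with the store/key password
# that jetty-https.xml is configured to use, then:
#   kubectl create secret generic nexus-keystore --from-file=keystore.jks
apiVersion: v1
kind: Secret
metadata:
  name: nexus-keystore
type: Opaque
data:
  keystore.jks: "<base64 of keystore.jks>"   # placeholder, fill from the real file
---
# Deployment fragment: mount the two files into the data directory. subPath mounts
# overlay single files inside the persistent /nexus-data volume without hiding it.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nexus
spec:
  template:
    spec:
      containers:
        - name: nexus
          image: sonatype/nexus3
          ports:
            - containerPort: 8081
            - containerPort: 8443
          volumeMounts:
            - name: nexus-data
              mountPath: /nexus-data
            - name: nexus-properties
              mountPath: /nexus-data/etc/nexus.properties
              subPath: nexus.properties
            - name: nexus-keystore
              mountPath: /nexus-data/etc/ssl/keystore.jks
              subPath: keystore.jks
      volumes:
        - name: nexus-data
          persistentVolumeClaim:
            claimName: nexus-data
        - name: nexus-properties
          configMap:
            name: nexus-properties
        - name: nexus-keystore
          secret:
            secretName: nexus-keystore
---
apiVersion: v1
kind: Service
metadata:
  name: nexus
spec:
  selector:
    app: nexus
  ports:
    - name: https
      port: 8443
      targetPort: 8443
---
# Layer 1: ingress-nginx terminates the public certificate from the nexus-tls
# Secret and, because of backend-protocol: HTTPS, re-encrypts to the pod on 8443
# instead of forwarding plaintext.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nexus
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  ingressClassName: nginx
  tls:
    - hosts: [nexus.example.com]
      secretName: nexus-tls
  rules:
    - host: nexus.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: nexus
                port:
                  number: 8443
```

Two checks a practitioner would want before calling this "SSL on every layer": first, the `backend-protocol: "HTTPS"` annotation is what makes the controller speak TLS to the pod; without it nginx sends plaintext HTTP to 8443 and the second layer is never used. Second, ingress-nginx does not verify the backend certificate by default, so the hop is encrypted but not authenticated; `nginx.ingress.kubernetes.io/proxy-ssl-secret` together with `nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"` pins the CA the controller will accept from Nexus. The password jetty-https.xml expects for the keystore is set in that file inside the image, so either generate the keystore with that password or ship an edited jetty-https.xml the same way as nexus.properties.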
Thanks for the suggestion.
from helm-charts.