nexus with https about helm-charts HOT 8 CLOSED

stevehipwell commented on July 23, 2024
nexus with https

from helm-charts.

Comments (8)

stevehipwell commented on July 23, 2024

@ozbillwang that sounds like a strange policy when running containers in Kubernetes.

I assume you're familiar with the ingress controller pattern? The controller is fundamentally a container with an SSL certificate that routes requests to other cluster containers that aren't exposed out of the cluster. If you need certificates for pod-to-pod communication you're going to need something like a service mesh to provide mTLS, but this would usually be a sidecar. It might be possible to put a cert on Nexus and still use an ingress controller, but it's not something I'm willing to support and automate.

If you're still trying to add your actual certificate into Nexus you can set the service type to LoadBalancer, which, if you're running on a public cloud (e.g. GCP, AWS, ...), will provision an external load balancer. You will need to figure out the correct annotations for your cloud provider and expose it over HTTP first so you can manually set up HTTPS. I would STRONGLY advise against this pattern. If you're not going to use Kubernetes features such as ingress then for something like Nexus that can only ever be a single container you might as well host it elsewhere.

stevehipwell commented on July 23, 2024

@ozbillwang I would suggest confirming the requirement for a cert on every container vs every pod. Idiomatic Kubernetes would support every pod and you could either use a service mesh or look at running your ingress gateway as a sidecar in your Nexus pod. A cert on every container just doesn't compute and would be far more effort than it was worth.

My suggestion would be to look at the functional requirements, such as mTLS, rather than the legacy way of implementing that, cert on everything, as Kubernetes is a new paradigm that has different ways of working. For our high value businesses (banking, insurance, etc) we're using a service mesh, with mTLS and whitelist egress, plus additional network policies.

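The ingress-controller pattern and the network-policy restriction described in the two comments above, sketched as an added example that is not part of the thread and not taken from the chart. Every name is an assumption: namespace `nexus`, Service `nexus` on port 8081 (Nexus's default HTTP port), pod label `app.kubernetes.io/name: nexus`, an ingress-nginx controller in namespace `ingress-nginx`, TLS secret `nexus-tls`, and host `nexus.example.com`.

```yaml
# Added example with constructed names; adjust to your cluster and chart values.
# TLS terminates at the ingress controller using the kubernetes.io/tls secret.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nexus
  namespace: nexus
spec:
  ingressClassName: nginx            # assumed ingress class
  tls:
    - hosts:
        - nexus.example.com          # placeholder host
      secretName: nexus-tls          # assumed secret holding tls.crt / tls.key
  rules:
    - host: nexus.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: nexus          # assumed Service name
                port:
                  number: 8081
---
# Only pods in the ingress controller's namespace may reach the Nexus pod,
# so the plaintext HTTP port is not reachable from other workloads.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: nexus-from-ingress-only
  namespace: nexus
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: nexus  # assumed pod label
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
      ports:
        - protocol: TCP
          port: 8081
```

The hop from the controller to the Nexus pod is still plain HTTP in this sketch; that is the segment a service-mesh sidecar with mTLS would cover. The NetworkPolicy only takes effect on a cluster whose network plugin enforces NetworkPolicy.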

stevehipwell commented on July 23, 2024

Hi @ozbillwang, my Nexus3 Helm chart uses a standard Kubernetes ingress resource and so it does very much support HTTPS assuming you've set up your cluster to enable it.

ozbillwang commented on July 23, 2024

Thanks, maybe I didn't express myself clearly.

Regarding this document (https://help.sonatype.com/repomanager3/system-configuration/configuring-ssl), mostly I'd like to enable inbound SSL on the Nexus server directly.

I didn't see the setting in this chart. Can you point me to the keystore setup, SSL enablement, etc., if it is already supported?

stevehipwell commented on July 23, 2024

@ozbillwang I'm not sure why you'd want to do this in Nexus itself? If you're using a Helm chart I'd suggest that the idiomatic way for doing HTTPS is with the ingress controller.

ozbillwang commented on July 23, 2024

That's the current company policy I am working on: all SSL, even the running applications in containers.

ozbillwang commented on July 23, 2024

I totally agree with you, that's a weird requirement. But if you have a chance to work for governments or banks, they are asking for this, to have SSL on every layer, not only HTTPS, inside containers as well.

I have to set up two layers of SSL: one on the nginx ingress (HTTPS), the other in Nexus itself, which would be a JKS keystore (Nexus is a Java application).

It seems I have to add extra code based on your chart. I need to research it more deeply.

Anyway, I appreciate your comments.

ozbillwang commented on July 23, 2024

Thanks for the suggestion.
