Deploy Sonatype Nexus Repository OSS via Helm on EKS.
- Use EFS via EFS CSI driver, PV and PVC as Nexus3 data storage
- Create a dedicated S3 bucket as Nexus3 blobstore
- Use external DNS to create record in Route53 for ingress domain name
- Use ACM to get certificate of domain name
- An AWS account
- Node.js LTS installed, such as 12.x or 14.x
- Docker Engine installed
- A public hosted zone in Route53 (optional)
- A default VPC with public and private subnets across at least two Availability Zones; a NAT gateway is also required
- Install the dependencies of the app:

```shell
yarn install --check-files --frozen-lockfile
npx projen
```
Deploy the solution with the init admin password and the hostname of the Nexus3 deployment:

```shell
npx cdk deploy --parameters NexusAdminInitPassword=<init admin password of nexus3> --parameters DomainName=<the hostname of nexus3 deployment>
```

To have the Route53 record created for the domain name, specify the hosted zone either by its domain or by its hosted zone id:

```shell
npx cdk deploy --parameters NexusAdminInitPassword=<init admin password of nexus3> --parameters DomainName=<nexus.mydomain.com> -c r53Domain=<mydomain.com>
```

or

```shell
npx cdk deploy --parameters NexusAdminInitPassword=<init admin password of nexus3> --parameters DomainName=<nexus.mydomain.com> --parameters R53HostedZoneId=<id of route53 hosted zone> -c enableR53HostedZone=true
```
This solution creates a new VPC across two AZs with public and private subnets and NAT gateways by default.
You can deploy the solution to an existing VPC with the options below:

```shell
npx cdk deploy <other options> -c vpcId=<existing vpc id>
# or deploy to the default vpc
npx cdk deploy <other options> -c vpcId=default
```

NOTE: the existing VPC must have public and private subnets across two AZs and route the internet traffic of the private subnets to NAT gateways.

Deploy with an internal ALB:

```shell
npx cdk deploy -c internalALB=true
```
The solution creates a Kubernetes 1.20 cluster by default. You can specify another Kubernetes version like below:

```shell
npx cdk deploy <other options> --parameters KubernetesVersion=1.19
```

NOTE: 1.20, 1.19 and 1.18 are the allowed versions. You can NOT enable the auto configuration feature when creating an EKS cluster with version 1.19. See this issue for details.

Because the AWS load balancer has different IAM policy requirements in different partitions, you need to specify the target region via the `region` context so that the corresponding IAM policies are picked:

```shell
npx cdk deploy <other options> -c region=cn-north-1
```
The solution can deploy Nexus Repository OSS to an existing EKS cluster. Your EKS cluster must meet these prerequisites:

- the version of the EKS cluster is v1.17+,
- the EKS cluster has an EC2 based node group, which is required by the EFS CSI driver,
- the ARN of an IAM role mapped to the `system:masters` RBAC role. If the cluster you are using was created using the AWS CDK, the CloudFormation stack has an output that includes an IAM role that can be used. Otherwise, you can create an IAM role and map it to `system:masters` manually. The trust policy of this role should include the `arn:aws:iam::${accountId}:root` principal in order to allow the execution role of the kubectl resource to assume it. Then you can follow the eksctl guide to map the IAM role to Kubernetes RBAC,
- the OpenID Connect provider ARN of your EKS cluster. You can find the ARN in the IAM console. If your cluster does not have an OpenID Connect provider, you can follow the eksctl guide to create one,
- the ARN of the IAM role associated with the node group in your cluster. You can find the ARN of the node group in the EKS console.

Below is an example of deploying Nexus Repository OSS to an existing EKS cluster with a public domain configured:

```shell
npx cdk deploy -c vpcId=vpc-12345 -c importedEKS=true -c eksClusterName=the-cluster-name -c eksKubectlRoleArn=arn:aws:iam::123456789012:role/eks-kubectl-role -c eksOpenIdConnectProviderArn=arn:aws:iam::123456789012:oidc-provider/oidc.eks.ap-east-1.amazonaws.com/id/12345678 -c nodeGroupRoleArn=arn:aws:iam::123456789012:role/eksctl-cluster-nodegroup-ng-NodeInstanceRole-123456 --parameters NexusAdminInitPassword=<the strong password> -c enableAutoConfigured=true --parameters DomainName=<the custom domain> --parameters R53HostedZoneId=<id of r53 zone> -c enableR53HostedZone=true
```

You must specify the default init admin password when deploying this solution. The password must satisfy the requirements below:
- at least 8 characters
- must contain at least 1 uppercase letter, 1 lowercase letter, and 1 number
- can contain special characters
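As an added example (not part of this solution's code), the Python preflight below checks the imported-EKS prerequisites and the admin password rules described above before running `cdk deploy`. It runs against constructed inputs shaped like `aws eks describe-cluster` output and an IAM role trust policy document; the function names, the `partition` argument and the sample values are assumptions.

```python
"""Preflight checks (added example, not part of this solution) for the
existing-EKS prerequisites and the NexusAdminInitPassword rules. Inputs are
constructed dicts shaped like `aws eks describe-cluster` output and a trust policy."""
import re

MIN_EKS_VERSION = (1, 17)


def parse_version(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def check_cluster(cluster: dict, enable_auto_configured: bool = False) -> list:
    """Return the prerequisite violations found for an imported cluster."""
    problems = []
    version = parse_version(cluster["version"])
    if version < MIN_EKS_VERSION:
        problems.append(f"EKS version {cluster['version']} is below v1.17")
    if version == (1, 19) and enable_auto_configured:
        problems.append("auto configuration cannot be enabled on Kubernetes 1.19")
    if not cluster.get("identity", {}).get("oidc", {}).get("issuer"):
        problems.append("cluster has no OpenID Connect provider")
    return problems


def trust_policy_allows_account_root(policy: dict, account_id: str, partition: str = "aws") -> bool:
    """True if an Allow statement lets arn:<partition>:iam::<account>:root assume the role.
    The partition matters: China regions use 'aws-cn' (see the region context note)."""
    root_arn = f"arn:{partition}:iam::{account_id}:root"
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        principals = stmt.get("Principal", {}).get("AWS", [])
        principals = [principals] if isinstance(principals, str) else principals
        if "sts:AssumeRole" in actions and root_arn in principals:
            return True
    return False


def password_meets_policy(password: str) -> bool:
    """At least 8 chars with an uppercase letter, a lowercase letter and a digit."""
    return (len(password) >= 8 and re.search(r"[A-Z]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"[0-9]", password) is not None)


# Constructed sample inputs (placeholder account id and OIDC issuer, not real values).
SAMPLE_CLUSTER = {"version": "1.19", "identity": {"oidc": {"issuer": "https://oidc.eks.example/id/PLACEHOLDER"}}}
SAMPLE_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "sts:AssumeRole"}]}
```

Run the checks with the real `describe-cluster` JSON and the trust policy of the kubectl role before passing them as `-c` contexts.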
Nexus3 supports using scripts to configure the Nexus3 service, for example BlobStores, Repositories and so on. The script feature is disabled by default since Nexus3 3.21.2. You can opt in to the auto configuration feature of this solution like below, which enables the script feature of Nexus:

```shell
npx cdk deploy <other options> -c enableAutoConfigured=true
```

It automatically configures the freshly provisioned Nexus3 with the changes below:

- Delete all built-in repositories
- Delete the default `file` based blobstore
- Create a new blobstore named `s3-blobstore` using the dedicated S3 bucket created by this solution, with a never-expire policy for artifacts
Run the command below to clean up the deployment, or delete the `SonatypeNexus3OnEKS` stack via the CloudFormation console:

```shell
npx cdk destroy
```

NOTE: you still need to manually delete the EFS file system and the S3 bucket created by this solution. That storage might contain your data; be cautious before deleting it.
It is an official solution for AWS China regions. You can quickly deploy this solution to the regions below via CloudFormation:

Region name | Region code | Launch
---|---|---
Global regions (switch to the region you want to deploy) | us-east-1 (default) |
AWS China (Beijing) Region | cn-north-1 |
AWS China (Ningxia) Region | cn-northwest-1 |
See CONTRIBUTING for more information.
This library is licensed under the MIT-0 License. See the LICENSE file.
This application also uses the following open source projects: