/nexus-oss-on-aws

Deploy Sonatype Nexus Repository OSS on AWS with well architecture.

Primary LanguageTypeScriptMIT No AttributionMIT-0

Sonatype Nexus Repository OSS on Amazon EKS

Deploy Sonatype Nexus Repository OSS via Helm on EKS.

  • Use EFS via EFS CSI driver, PV and PVC as Nexus3 data storage
  • Create a dedicated S3 bucket as Nexus3 blobstore
  • Use external DNS to create record in Route53 for ingress domain name
  • Use ACM to get certificate of domain name

Architecture diagram

architecture diagram

Usage

Prerequisites

  • An AWS account
  • Nodejs LTS installed, such as 12.x or 14.x
  • Install Docker Engine
  • A public hosted zone in Route53(optional)
  • Has default VPC with public and private subnets cross two available zones at least, NAT gateway also is required
  • Install dependencies of app
yarn install --check-files --frozen-lockfile
npx projen

Deployment

Deploy with custom domain

npx cdk deploy --parameters NexusAdminInitPassword=<init admin password of nexus3>  --parameters DomainName=<the hostname of nexus3 deployment>

Deploy with Route53 managed domain name

npx cdk deploy --parameters NexusAdminInitPassword=<init admin password of nexus3> --parameters DomainName=<nexus.mydomain.com> -c r53Domain=<mydomain.com>

or

npx cdk deploy --parameters NexusAdminInitPassword=<init admin password of nexus3> --parameters DomainName=<nexus.mydomain.com> --parameters R53HostedZoneId=<id of route53 hosted zone> -c enableR53HostedZone=true

Deploy to an existing VPC

This solution will create new VPC across two AZs with public, private subnets and NAT gateways by default.

You can deploy the solution to the existing VPC by below options,

npx cdk deploy <other options> -c vpcId=<existing vpc id>

# or deploy to the default vpc
npx cdk deploy <other options> -c vpcId=default

NOTE: the existing VPC must have public and private subnets across two AZs and route the internet traffic of private subnets to NAT gateways.

Deploy with internal load balancer

npx cdk deploy -c internalALB=true

Customize the version of Kubernetes

The solution will create Kubernetes 1.20 by default. You can specify other Kubernetes versions like below,

npx cdk deploy <other options> --parameters KubernetesVersion=1.19

NOTE: 1.20, 1.19 and 1.18 are allowed versions. You can NOT enable auto configuration feat when creating an EKS cluster with version 1.19. See this issue for detail.

Deploy to China regions

Due to AWS load balancer has different policy requirement for partitions, you need speicfy the target region info via context region to pick the corresponding IAM policies.

npx cdk deploy <other options> -c region=cn-north-1

Deploy to existing EKS cluster

The solution could deploy the Nexus Repository OSS to the existing EKS cluster. There are some prerequisites that your EKS cluster must meet,

  • the version of EKS cluster is v1.17+,
  • the EKS cluster has EC2 based node group which is required by EFS CSI driver,
  • the ARN of an IAM role mapped to the system:masters RBAC role. If the cluster you are using was created using the AWS CDK, the CloudFormation stack has an output that includes an IAM role that can be used. Otherwise, you can create an IAM role and map it to system:masters manually. The trust policy of this role should include the the arn:aws::iam::${accountId}:root principal in order to allow the execution role of the kubectl resource to assume it. Then you can follow the eksctl guide to map the IAM role to Kubernetes RBAC,
  • the OpenId connect provider ARN of your EKS. You can find the ARN from IAM's console. If your cluster does not have an OpenId connect provider, you can follow the eksctl guide to create one,
  • the ARN of the IAM role associated with the nodegroup in your cluster. You can find the ARN of node group from EKS console.

Below is an example to deploy Nexus Repository OSS to an existing EKS cluster with public domain configured,

npx cdk deploy -c vpcId=vpc-12345 -c importedEKS=true -c eksClusterName=the-cluster-name -c eksKubectlRoleArn=arn:aws:iam::123456789012:role/eks-kubectl-role -c eksOpenIdConnectProviderArn=arn:aws:iam::123456789012:oidc-provider/oidc.eks.ap-east-1.amazonaws.com/id/12345678 -c nodeGroupRoleArn=arn:aws:iam::123456789012:role/eksctl-cluster-nodegroup-ng-NodeInstanceRole-123456 --parameters NexusAdminInitPassword=<the strong password> -c enableAutoConfigured=true --parameters DomainName=<the custom domain> --parameters R53HostedZoneId=<id of r53 zone> -c enableR53HostedZone=true

Init admin password

You must specify the default init admin password when deploying this solution. The password must satisfy below requirements,

  • at least 8 characters
  • must contain at least 1 uppercase letter, 1 lowercase letter, and 1 number
  • can contain special characters

Auto configuration

Nexus3 supports using script to configure the Nexus3 service, for example, BlobStores, Repositories and so on. The script feature is disabled by default since Nexus3 3.21.2. You can opt-in auto configuration feature of this solution like below that will enable script feature of Nexus.

npx cdk deploy <other options> -c enableAutoConfigured=true

It would automatically configure the fresh provisioning Nexus3 with below changes,

  • Delete all built-in repositories
  • Delete default file based blobstore
  • Create a new blobstore named s3-blobstore using the dedicated S3 bucket created by this solution with never expiration policy for artifacts

How to clean

Run below command to clean the deployment or delete the SonatypeNexus3OnEKS stack via CloudFormation console.

npx cdk destroy

NOTE: you still need manually delete the EFS file system and S3 bucket created by this solution. Those storage might contain your data, be caution before deleting them.

Quick deployment

It's an official solution of AWS China regions. You can quickly deploy this solution to below regions via CloudFormation,

Deploy Nexus Repository OSS as a public service

Region name Region code Launch
Global regions(switch to the region you want to deploy) us-east-1(default) Launch Stack
AWS China(Beijing) Region cn-north-1 Launch Stack
AWS China(Ningxia) Region cn-northwest-1 Launch Stack

Deploy Nexus Repository OSS as an internal service inside VPC

Region name Region code Launch
Global regions(switch to the region you want to deploy) us-east-1(default) Launch Stack
AWS China(Beijing) Region cn-north-1 Launch Stack
AWS China(Ningxia) Region cn-northwest-1 Launch Stack

Security

See CONTRIBUTING for more information.

License

This library is licensed under the MIT-0 License. See the LICENSE file.

Also this application uses below open source projects,