|
1 | 1 | boxcutter_sonatype |
2 | 2 | ================== |
3 | 3 |
|
| 4 | +The `boxcutter_sonatype` cookbook automates the installation, bootstrap, and |
| 5 | +ongoing configuration of a Sonatype Nexus Repository 3 instance using Chef. |
| 6 | + |
| 7 | +At a high level, this cookbook: |
| 8 | + |
| 9 | +• Installs Nexus Repository 3 |
| 10 | +• Ensures the Nexus service is running |
| 11 | +• Bootstraps the admin account (if required) |
| 12 | +• Accepts the Nexus EULA (if required) |
| 13 | +• Enforces selected security and access settings (for example, anonymous access) |
| 14 | +• Ensures the instance is left in a known, converged state |
| 15 | + |
| 16 | +This cookbook is safe to run repeatedly. All configuration steps are |
| 17 | +idempotent and driven through the Nexus REST API. |
| 18 | + |
| 19 | + |
4 | 20 | Usage |
5 | 21 | ----- |
6 | 22 |
|
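Review bot: the six feature lines at new lines 9-14 use the literal bullet character `•`, which GitHub-flavoured Markdown does not render as a list; switch them to `-` or `*` so they render consistently with the numbered list further down. The closing claim at new lines 16-17 ("All configuration steps are idempotent and driven through the Nexus REST API") is worth keeping only if every step really is API-driven; the first bullet, "Installs Nexus Repository 3", is a package/service step rather than an API call, so consider rewording to "all post-install configuration steps".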
| 23 | +The following code snippet is the most minimal example that will set up a |
| 24 | +Sonatype Nexus 3 repository. It will configure an `admin` account that the |
| 25 | +automation will use to make Nexus REST API calls, and configure the server |
| 26 | +enough so that the onboarding wizard is never displayed. |
| 27 | + |
| 28 | +```ruby |
| 29 | +node.run_state['boxcutter_sonatype'] ||= {} |
| 30 | +node.run_state['boxcutter_sonatype']['nexus_repository'] ||= {} |
| 31 | +node.run_state['boxcutter_sonatype']['nexus_repository']['admin_username'] = 'admin' |
| 32 | +node.run_state['boxcutter_sonatype']['nexus_repository']['admin_password'] = 'superseekret' |
| 33 | + |
| 34 | +include_recipe 'boxcutter_sonatype::default' |
| 35 | +``` |
| 36 | + |
7 | 37 | To use this automation, you need to define a password for the `admin` account. |
8 | | -The `admin` account is used to authorize all the API calls that drive this |
9 | | -automation. |
| 38 | +The `admin` account is used to authenticate all Nexus REST API calls performed |
| 39 | +in this cookbook (bootstrapping, configuration, and ongoing enforcement.) |
10 | 40 |
|
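Review bot: the minimal example at new lines 29-34 hardcodes the admin secret (`'superseekret'`) as a literal in a recipe that readers will copy; since the README goes on to recommend `node.run_state` precisely to keep the password off the Chef Server, the example should show the value coming from a secret source (data bag, vault, or an environment lookup) or use an obvious placeholder such as `'<admin-password>'`, otherwise the credential simply ends up committed in the wrapper cookbook instead. Minor: at new line 39 the period sits inside the closing parenthesis ("...ongoing enforcement.)"); it should read "...ongoing enforcement)." The replacement of "authorize" with "authenticate" at new line 38 is the right correction.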
11 | 41 | Since this is a secret, it is recommended this key be stored in |
12 | | -`node.run_state` so that it is not stored on the Chef server after the Chef run. |
| 42 | +`node.run_state` so that it is not persisted on the Chef server after the Chef |
| 43 | +run completes. |
| 44 | + |
| 45 | +### Credential lookup order |
| 46 | + |
| 47 | +The automation looks for Nexus admin password in the following order |
| 48 | +(highest priority first): |
13 | 49 |
|
14 | | -The automation will look for credentials in the following preference order: |
15 | 50 | 1. `node.run_state['boxcutter_sonatype']['nexus_repository']['admin_password']` |
16 | | -4. `node['boxcutter_sonatype']['nexus_repository']['admin_password']` |
| 51 | +2. `node['boxcutter_sonatype']['nexus_repository']['admin_password']` |
17 | 52 |
|
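Review bot: the lookup-order section at new lines 45-54 documents only `admin_password`, yet the usage snippet above also sets `admin_username`; please state whether the username is resolved with the same `node.run_state` then `node[...]` precedence or is fixed to `admin`, since that is what a wrapper-cookbook author needs to know. Renumbering the second entry from `4.` to `2.` fixes the broken list. Grammar: new line 47 should read "looks for the Nexus admin password".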
18 | | -Provide the `admin` password in `node.run_state`, like so. The automation will |
19 | | -automatically |
| 53 | +If a password is present in `node.run_state`, it will always take precedence |
| 54 | +over any value defined in node attributes. |
20 | 55 |
|
21 | | -The automation will automatically allocate a new one-time preauthorization key using |
22 | | -the OAuth Client on each Chef run, when something needs to be changed on your tailnet. |
23 | | -Conflicts with `auth_key`, if provided. |
| 56 | +### Providing the admin password via node.run_state |
| 57 | + |
| 58 | +The recommended approach is to inject the password into `node.run_state` |
| 59 | +from a wrapper cookbook at converge time: |
24 | 60 |
|
25 | 61 | ``` |
26 | 62 | # Initialize the parent hash if it doesn't exist |
27 | | -node.run_state['boxcutter_tailscale'] ||= {} |
28 | 63 | node.run_state['boxcutter_sonatype'] ||= {} |
29 | 64 | node.run_state['boxcutter_sonatype']['nexus_repository'] ||= {} |
| 65 | +
|
| 66 | +# Provide the Nexus admin password for this Chef run only |
30 | 67 | node.run_state['boxcutter_sonatype']['nexus_repository']['admin_password'] = 'Superseekret63' |
31 | 68 | ``` |
32 | 69 |
|
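Review bot: the code fence at line 61 is untagged while the earlier snippet uses ```ruby; tag this one `ruby` too so both blocks get syntax highlighting and the README reads consistently. Dropping the leftover `node.run_state['boxcutter_tailscale'] ||= {}` line and the tailnet/OAuth paragraph is a good catch, as that text was copied from another cookbook and did not apply here. The added comment "Provide the Nexus admin password for this Chef run only" is helpful, but the literal `'Superseekret63'` on the following line contradicts the point the section is making; a placeholder or a call into the wrapper's secret store would keep the example from normalising secrets in cookbook source.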
33 | | -NOTE: Instructions for recovery if Chef ever gets out of sync with the current |
34 | | -admin password are located as this [link](https://support.sonatype.com/hc/en-us/articles/213467158-How-to-reset-a-forgotten-admin-password-in-Sonatype-Nexus-Repository-3). |
| 70 | +Using `node.run_state `ensures the password is available only for the duration |
| 71 | +of the Chef run and is not stored or indexed by the Chef Server. |
| 72 | + |
| 73 | +### Admin password recovery |
| 74 | + |
| 75 | +If the Nexus admin password ever becomes out of sync with Chef (for example, |
| 76 | +after a manual reset or a failed converge), follow Sonatype’s official recovery |
| 77 | +procedure: |
| 78 | + |
| 79 | +https://support.sonatype.com/hc/en-us/articles/213467158-How-to-reset-a-forgotten-admin-password-in-Sonatype-Nexus-Repository-3 |
| 80 | + |
| 81 | +After resetting the password, update the value supplied to this cookbook and |
| 82 | +re-run Chef. |
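Review bot: new line 70 has a misplaced backtick, "`node.run_state `ensures", which renders the trailing space inside the code span and breaks the word boundary; it should be "`node.run_state` ensures". The recovery paragraph at new lines 75-82 is clearer than the removed "NOTE:" line, but the previous version linked the Sonatype article as a Markdown link; either form is fine, just keep the bare URL on its own line as it is now so it auto-links.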