Sonatype Nexus Repository Manager (NXRM-HA) Documentation
Table of Contents
- Migration Guide - Migrate from legacy nexus chart to nxrm-ha chart
- General Configuration - Storage, Database, and High Availability
- SSO Integration - SAML/Keycloak configuration
- Prometheus Integration - Monitoring setup
- Network Policies - Network security configuration
- Istio Hardened - Istio hardening guide
- Affinity Configuration - Node affinity and anti-affinity
Quick Start
Iron Bank Images
Pull the Iron Bank image from Registry1 or view the container approval.
Installation
git clone https://repo1.dso.mil/big-bang/product/packages/nxrm-ha.git
cd nxrm-ha
helm install nexus-repository-manager ./chart -n nexus-repository-manager --create-namespace
Upstream Chart Documentation
This chart uses Sonatype’s nxrm-ha upstream chart as a subchart dependency. Upstream chart values are nested under the upstream: key.
For complete upstream configuration options, see the upstream chart documentation.
Big Bang Additions
Admin Password Management
The chart automatically generates a random admin password and stores it in a Kubernetes secret for programmatic access.
Retrieve the auto-generated admin password:
kubectl get secret nxrm-ha-adminsecret \
  -n nexus-repository-manager \
  -o jsonpath='{.data.nexus-admin-password}' | base64 -d
Set a custom admin password:
# values.yaml
custom_admin_password: "your-secure-password"
Important: If you change the admin password through the Nexus UI, update custom_admin_password to match. This prevents SAML/proxy job failures on upgrades.
External PostgreSQL Configuration
For production deployments, use an external PostgreSQL database:
# Disable internal PostgreSQL
postgresql:
  install: false
# Provide external database credentials
nexus:
  database:
    host: "your-db-host.rds.amazonaws.com"
    user: "nexus"
    password: "your-password"
# Optional: For non-default port or database name
# upstream:
#   statefulset:
#     container:
#       env:
#         nexusDBPort: 5432   # Default: 5432
#         nexusDBName: nexus  # Default: nexus
The chart automatically creates a secret and configures database connections. See general.md for details.
License Configuration (Pro)
For Nexus Repository Pro with license:
upstream:
  secret:
    license:
      licenseSecret:
        enabled: true
        fileContentsBase64: "<your-base64-encoded-license>"
Encode your license file:
base64 -w 0 nexus-repo-license.lic
Monitoring
See PROMETHEUS.md for Prometheus integration details.
Dependent Packages
Nexus IQ Server requires Nexus Repository Manager.
Values Structure
The nxrm-ha chart uses a passthrough pattern:
- Big Bang additions (hostname, domain, istio, monitoring, sso, etc.) → Root level
- Upstream chart values → Nested under the upstream: key
Example:
# Big Bang additions (root level)
hostname: nexus
domain: bigbang.dev
istio:
  enabled: true
# Upstream chart values (nested)
upstream:
  statefulset:
    replicaCount: 1
    container:
      image:
        repository: registry1.dso.mil/ironbank/sonatype/nexus/nexus
        nexusTag: 3.84.0-03
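A pre-deploy check over the value paths used on this page, as an added example that is not part of the chart or the Big Bang documentation: it flags upstream keys left at root level, documentation placeholders, plaintext secrets, and a disabled internal PostgreSQL with no external host. The function names, severity labels and sample values are assumptions made for illustration; the input is the dict that parsing values.yaml produces.

```python
# Added example: pre-deploy check for an nxrm-ha values file (not the chart's own code).
# Key paths and placeholder strings are copied from this page's snippets.
SECRET_PATHS = [
    ("custom_admin_password",),
    ("nexus", "database", "password"),
    ("upstream", "secret", "license", "licenseSecret", "fileContentsBase64"),
]
UPSTREAM_ONLY = {"statefulset", "secret"}  # belong under "upstream:", not at root
PLACEHOLDERS = {"your-secure-password", "your-password", "<your-base64-encoded-license>"}

def lookup(values, path):
    """Walk nested dicts; return None if any segment is missing."""
    node = values
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def check_values(values):
    """Return sorted (severity, dotted_path, message) findings for a parsed values dict."""
    findings = []
    for key in UPSTREAM_ONLY & set(values):
        findings.append(("error", key, "upstream value at root level; nest it under upstream:"))
    for path in SECRET_PATHS:
        value = lookup(values, path)
        if not isinstance(value, str) or not value:
            continue
        if value in PLACEHOLDERS:
            findings.append(("error", ".".join(path), "documentation placeholder left in place"))
        else:
            findings.append(("warn", ".".join(path), "plaintext secret in values file"))
    if lookup(values, ("postgresql", "install")) is False and not lookup(values, ("nexus", "database", "host")):
        findings.append(("error", "nexus.database.host", "internal PostgreSQL disabled, no external host"))
    return sorted(findings)

# Constructed sample input (not a real deployment), shaped like a parsed values.yaml.
SAMPLE = {
    "hostname": "nexus",
    "custom_admin_password": "your-secure-password",
    "postgresql": {"install": False},
    "nexus": {"database": {"user": "nexus", "password": "constructed-db-pass"}},
    "statefulset": {"replicaCount": 1},
}

if __name__ == "__main__":
    for severity, path, message in check_values(SAMPLE):
        print(f"{severity:5} {path}: {message}")
```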