update allowed urls in nexus#4899
Conversation
Unit Test Results: 0 tests, 0 ✅, 0s ⏱️. Results for commit 0bd68be.
| core_vnet = "vnet-${var.tre_id}" | ||
| core_resource_group_name = "rg-${var.tre_id}" | ||
| nexus_allowed_fqdns = "pypi.org,*.pypi.org,files.pythonhosted.org,security.ubuntu.com,archive.ubuntu.com,keyserver.ubuntu.com,repo.anaconda.com,*.docker.com,*.docker.io,conda.anaconda.org,azure.archive.ubuntu.com,packages.microsoft.com,repo.almalinux.org,download-ib01.fedoraproject.org,cran.r-project.org,cloud.r-project.org,download1.rstudio.org,*.snapcraftcontent.com,download.microsoft.com,marketplace.visualstudio.com" | ||
| nexus_allowed_fqdns = "pypi.org,*.pypi.org,files.pythonhosted.org,security.ubuntu.com,archive.ubuntu.com,keyserver.ubuntu.com,repo.anaconda.com,*.docker.com,*.docker.io,conda.anaconda.org,azure.archive.ubuntu.com,packages.microsoft.com,repo.almalinux.org,download-ib01.fedoraproject.org,cran.r-project.org,cloud.r-project.org,download1.rstudio.org,*.snapcraftcontent.com,download.microsoft.com,marketplace.visualstudio.com,docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com" |
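Review bot: The new `docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com` entry is an opaque bucket hostname with nothing in `locals.tf` saying where it came from, so the next time it rotates (the reason this PR exists) nobody will know which upstream list to re-check. Add a comment beside the string pointing at the Docker allow-list page cited in the thread (`# Docker Hub image blobs, see https://docs.docker.com/desktop/setup/allow-list/`), and note in that comment that it is the only entry here tied to a third-party storage bucket rather than a vendor-owned zone like `*.docker.com`, so it is the most likely to change again. Keeping it as an exact FQDN rather than `*.r2.cloudflarestorage.com` is the right call, since the wider wildcard would allow egress to any R2 bucket.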
Is that Cloudflare URL fixed for the Nexus image?
yes, it's for nexus to access Docker Images
https://docs.docker.com/desktop/setup/allow-list/
Can you test @TonyWildish-BH please?
All good, thanks.
Pull request overview
Updates the Sonatype Nexus VM shared service template to expand outbound allowlists so Nexus (and workspace VMs relying on it) can reach Docker image distribution endpoints and LetsEncrypt revocation/AIA endpoints, addressing recent upstream domain changes/rotations.
Changes:
- Added Docker distribution (Cloudflare R2) FQDN to the Nexus egress allowlist.
- Switched LetsEncrypt revocation/AIA allowlist entries to `*.{o,c,i}.lencr.org` wildcards for workspace VM egress.
- Bumped the Nexus template version and recorded the fix in `CHANGELOG.md`.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| templates/shared_services/sonatype-nexus-vm/terraform/locals.tf | Updates the Nexus and workspace VM allowed FQDN lists used to generate firewall application rules. |
| templates/shared_services/sonatype-nexus-vm/porter.yaml | Increments the shared service template version to 3.7.9. |
| CHANGELOG.md | Adds a BUG FIXES entry documenting the Nexus allowlist update. |
| nexus_allowed_fqdns = "pypi.org,*.pypi.org,files.pythonhosted.org,security.ubuntu.com,archive.ubuntu.com,keyserver.ubuntu.com,repo.anaconda.com,*.docker.com,*.docker.io,conda.anaconda.org,azure.archive.ubuntu.com,packages.microsoft.com,repo.almalinux.org,download-ib01.fedoraproject.org,cran.r-project.org,cloud.r-project.org,download1.rstudio.org,*.snapcraftcontent.com,download.microsoft.com,marketplace.visualstudio.com,docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com" | ||
| nexus_allowed_fqdns_list = distinct(compact(split(",", replace(local.nexus_allowed_fqdns, " ", "")))) | ||
| workspace_vm_allowed_fqdns = "r3.o.lencr.org,x1.c.lencr.org" | ||
| workspace_vm_allowed_fqdns = "*.o.lencr.org,*.c.lencr.org,*.i.lencr.org" |
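Review bot: The replacement of two exact hosts (`r3.o.lencr.org,x1.c.lencr.org`) with `*.o.lencr.org,*.c.lencr.org,*.i.lencr.org` widens workspace VM egress from two names to every subdomain of three zones, and also adds a zone (`i.lencr.org`) that was not allowed before; neither fact is recorded in the hunk. Add a comment above the line explaining that these are the Let's Encrypt OCSP, CRL and AIA issuer-certificate zones and that wildcards were chosen because the shard names rotate (per #4896), so a future reviewer does not tighten them back. Also confirm the generated application rule treats `*.o.lencr.org` the same way the Nexus list already assumes: that list carries both `pypi.org` and `*.pypi.org`, which implies the wildcard does not cover the apex, so `lencr.org` itself stays blocked, which is the intended scope here.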
Wildcards are more future-proof and prevent issue #4896 should the URLs change again; I feel the trade-off is worth it.
Resolves #4895 #4896
What is being addressed
- Fixes an error where Let's Encrypt URLs are not reachable, leading to certs not being downloaded
- Fixes an error where Docker images are not reachable from Nexus
How is this addressed
- Added `docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com` to `nexus_allowed_fqdns`
- Added `*.o.lencr.org,*.c.lencr.org,*.i.lencr.org` in `workspace_vm_allowed_fqdns`
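To make the wildcard trade-off concrete, here is an added example (not code from this PR or from the TRE project) that normalises the allowlist strings the same way the `nexus_allowed_fqdns_list` local does (`distinct(compact(split(",", replace(..., " ", ""))))`) and checks hostnames against the before and after `workspace_vm_allowed_fqdns` values. The wildcard semantics are an assumption about the firewall: a leading `*.` is taken to match any name at least one label below the zone and never the apex itself, which is consistent with the Nexus list carrying both `pypi.org` and `*.pypi.org`. The sample hostnames in `main` are constructed for illustration.

```python
from typing import List, Optional

# Allowlist strings copied from the locals.tf lines in this PR.
NEXUS_ALLOWED_FQDNS = (
    "pypi.org,*.pypi.org,files.pythonhosted.org,security.ubuntu.com,archive.ubuntu.com,"
    "keyserver.ubuntu.com,repo.anaconda.com,*.docker.com,*.docker.io,conda.anaconda.org,"
    "azure.archive.ubuntu.com,packages.microsoft.com,repo.almalinux.org,"
    "download-ib01.fedoraproject.org,cran.r-project.org,cloud.r-project.org,"
    "download1.rstudio.org,*.snapcraftcontent.com,download.microsoft.com,"
    "marketplace.visualstudio.com,"
    "docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com"
)
WORKSPACE_VM_BEFORE = "r3.o.lencr.org,x1.c.lencr.org"
WORKSPACE_VM_AFTER = "*.o.lencr.org,*.c.lencr.org,*.i.lencr.org"


def fqdn_list(csv: str) -> List[str]:
    """Same normalisation as the Terraform local:
    distinct(compact(split(",", replace(s, " ", ""))))."""
    out: List[str] = []
    for item in csv.replace(" ", "").split(","):
        if item and item not in out:      # compact() drops "", distinct() dedups
            out.append(item)
    return out


def entry_matches(entry: str, host: str) -> bool:
    """Assumed firewall semantics: '*.zone' matches any name with at least one
    label under zone, never zone itself; any other entry is an exact match."""
    host = host.lower().rstrip(".")
    entry = entry.lower()
    if entry.startswith("*."):
        suffix = entry[1:]                # "*.o.lencr.org" -> ".o.lencr.org"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == entry


def first_match(csv: str, host: str) -> Optional[str]:
    """Return the allowlist entry that permits host, or None if egress is blocked."""
    for entry in fqdn_list(csv):
        if entry_matches(entry, host):
            return entry
    return None


def widened_by(old_csv: str, new_csv: str, hosts: List[str]) -> List[str]:
    """Hosts reachable under new_csv that old_csv blocked: the extra egress a
    wildcard buys, which is what a reviewer of this change should weigh."""
    return [h for h in hosts
            if first_match(old_csv, h) is None and first_match(new_csv, h) is not None]


if __name__ == "__main__":
    # Constructed sample hostnames: the old exact OCSP host, a rotated OCSP shard,
    # a name under the newly added i.lencr.org zone, and the apex.
    samples = ["r3.o.lencr.org", "r10.o.lencr.org", "e5.i.lencr.org", "lencr.org"]
    for h in samples:
        print(f"{h:18} before={first_match(WORKSPACE_VM_BEFORE, h)!s:16} "
              f"after={first_match(WORKSPACE_VM_AFTER, h)}")
    print("newly reachable:", widened_by(WORKSPACE_VM_BEFORE, WORKSPACE_VM_AFTER, samples))
    print("nexus entries:", len(fqdn_list(NEXUS_ALLOWED_FQDNS)))
```

Running it shows why #4896 happened: a rotated shard such as the constructed `r10.o.lencr.org` has no match in the old list but matches `*.o.lencr.org` in the new one, while the apex `lencr.org` stays blocked under both. `widened_by` is the check worth keeping around for future allowlist PRs, since it lists exactly which hosts a wildcard opens up beyond what the exact entries already allowed.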