Quick Start

This document shows how to create a Nexus connector that connects to a Nexus repository, and how to use it to run mvn deploy securely without handling credentials directly on the client side.

Estimated Reading Time

15 minutes

Prerequisites

  • Kubernetes cluster with Connectors system installed (Operator, ConnectorsCore and ConnectorsNexus components). See the Installation Guide for details on installing these components.
  • Nexus repository address and credentials
  • Basic knowledge of Kubernetes and Maven

Process Overview

Step  Operation                                           Description
1     Create Namespace                                    Set up a dedicated namespace for the demonstration
2     Configure Nexus Repository Credentials & Connector  Create authentication secret and Nexus connector resource
3     Create a Maven Job for executing mvn deploy         Create a job that performs mvn deploy via the connector
4     Verify Results                                      Validate successful execution of mvn deploy operations

Steps to Operate

Step 1: Create Namespace

Create a dedicated namespace for this demonstration:

kubectl create ns connectors-nexus-demo

Step 2: Create Nexus Repository Credentials and Connector

Create both the Secret containing Nexus credentials and the Nexus connector resource. Your Nexus repository should be a snapshots repository.

For more detailed information about creating and configuring connectors, please refer to the Connectors Quick Start Guide.

cat <<EOF | kubectl apply -n connectors-nexus-demo -f -
kind: Secret
apiVersion: v1
metadata:
  name: nexus-registry-secret
type: kubernetes.io/basic-auth
stringData:
  username: your-nexus-username # Replace with your Nexus username
  password: your-nexus-password # Replace with your Nexus password
---
apiVersion: connectors.alauda.io/v1alpha1
kind: Connector
metadata:
  name: nexus-connector
spec:
  connectorClassName: nexus
  address: https://nexus.example.com # Replace with your Nexus server address
  auth:
    name: basicAuth
    secretRef:
      name: nexus-registry-secret
EOF

Verify that the connector is in "Ready" status:

kubectl get connector nexus-connector -n connectors-nexus-demo

The output should show:

NAME              CLASS   ADDRESS                      READY   REASON   AGE
nexus-connector   nexus   https://nexus.example.com   True             10s

Step 3: Create a Job to Perform mvn deploy

Create a job that uses the connector to perform Maven operations:

cat <<'EOF' | kubectl apply -n connectors-nexus-demo -f -
apiVersion: batch/v1
kind: Job
metadata:
  name: mvn-deploy
spec:
  backoffLimit: 0
  template:
    spec:
      restartPolicy: Never
      containers:
      - name: mvn
        image: maven:3.9.11-eclipse-temurin-24-alpine # Replace with your image containing maven
        imagePullPolicy: IfNotPresent
        env:
        - name: MAVEN_OPTS
          value: -Dmaven.resolver.transport=wagon
        command:
        - "sh"
        - "-c"
        - |
          set -ex

          mkdir -p ~/.m2
          cp /opt/maven/settings.xml ~/.m2/settings.xml

          keytool -importcert -noprompt \
            -trustcacerts \
            -keystore $JAVA_HOME/lib/security/cacerts \
            -storepass changeit \
            -alias corp-ca \
            -file /opt/maven/ca.cert

          echo "Generating project using maven archetype"
          cd /tmp
          mvn archetype:generate -DgroupId=com.example -DartifactId=HelloWorldApp -DarchetypeArtifactId=maven-archetype-quickstart -DinteractiveMode=false

          cd HelloWorldApp/
          echo "Building and deploying project"
          mvn package deploy -DaltDeploymentRepository=maven-snapshots::default::https://nexus.example.com/repository/maven-snapshots

        volumeMounts:
        - name: settings
          mountPath: /opt/maven
      volumes:
      - name: settings
        csi:
          readOnly: true
          driver: connectors-csi
          volumeAttributes:
            connector.name: "nexus-connector"
            configuration.names: "settings"
            configuration.params: '{"settings":{"mirrorRepository":"maven-public"}}' # optional
EOF

Key Settings

MAVEN_OPTS in container environment:

Set MAVEN_OPTS to -Dmaven.resolver.transport=wagon so that Maven's resolver uses the Wagon transport.

Scripts in container:

Before executing mvn operations, use the keytool command to import the ca.cert file into the client's truststore so that the client trusts the connector proxy server.

keytool -importcert -noprompt \
  -trustcacerts \
  -keystore $JAVA_HOME/lib/security/cacerts \
  -storepass changeit \
  -alias corp-ca \
  -file /opt/maven/ca.cert

volumes[].csi.volumeAttributes

  • connector.name: The name of your Nexus connector
  • configuration.names: Set to settings, which references the Maven configuration template defined in the Nexus ConnectorClass. This template generates a settings.xml file with the appropriate proxy and authentication settings.
  • configuration.params: JSON string for runtime configuration parameters. For configuration.names: "settings", you can set settings.mirrorRepository (optional). If omitted, the ConnectorClass default ("") is used and no Maven mirror is injected into settings.xml.

Step 4: Verify Operation

Check the job's logs to confirm the mvn deploy operations were successfully performed:

kubectl logs -f job/mvn-deploy -n connectors-nexus-demo

You should see the mvn deploy operations completing successfully and uploading the jar to the Nexus repository.

Example output:

Uploading to maven-snapshots: https://nexus.example.com/repository/maven-snapshots/com/example/HelloWorldApp/1.0-SNAPSHOT/maven-metadata.xml
Uploaded to maven-snapshots: https://nexus.example.com/repository/maven-snapshots/com/example/HelloWorldApp/1.0-SNAPSHOT/maven-metadata.xml (768 B at 80 B/s)
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  01:27 min
[INFO] Finished at: 2025-09-02T10:18:50Z
[INFO] ------------------------------------------------------------------------

What Happens Under the Hood

The Nexus connector works by:

  1. Creating a proxy service that sits between your client and the target Nexus repository
  2. Injecting authentication information when requests pass through the proxy
  3. Providing configuration files (e.g., settings.xml, .npmrc, pip.conf) for clients to perform operations via the proxy

To demonstrate this mechanism, inspect the generated settings.xml file:

cat <<EOF | kubectl apply -n connectors-nexus-demo -f -
apiVersion: v1
kind: Pod
metadata:
  name: inspect-nexus-settings
spec:
  restartPolicy: Never
  containers:
  - name: mvn
    image: maven:3.9.11-eclipse-temurin-24-alpine
    command: ["sleep", "3600"]
    volumeMounts:
    - name: settings
      mountPath: /opt/maven
  volumes:
  - name: settings
    csi:
      readOnly: true
      driver: connectors-csi
      volumeAttributes:
        connector.name: "nexus-connector"
        configuration.names: "settings"
EOF

View the generated files in /opt/maven/:

$ kubectl exec -it inspect-nexus-settings -n connectors-nexus-demo -- ls -l /opt/maven

total 8
-r--r--r-- 1 root root 1261 Sep  2 10:25 ca.cert
-r--r--r-- 1 root root 1679 Sep  2 10:25 settings.xml

View the generated settings.xml file:

$ kubectl exec -it inspect-nexus-settings -n connectors-nexus-demo -- cat /opt/maven/settings.xml

Example output:

<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 https://maven.apache.org/xsd/settings-1.0.0.xsd">

  <proxies>
    <proxy>
      <id>connectors-proxy</id>
      <active>true</active>
      <protocol>http</protocol>
      <host>c-nexus-connector.connectors-nexus-demo.svc.cluster.local</host>
      <port>80</port>
      <username>connectors-nexus-demo/nexus-connector</username>
      <password>eyJhbGciOiJEnEZaTQ</password>
      <nonProxyHosts>localhost</nonProxyHosts>
    </proxy>
  </proxies>
</settings>

Key Notes

  • Two files are mounted into the Pod via Connectors CSI Driver: settings.xml and ca.cert.
  • The settings.xml file contains a proxy configuration section, which lets Maven reach the Nexus Maven repository through the connector proxy. The proxy injects authentication information when requests pass through.
  • The settings.xml file does not contain the original secret (the Nexus username and password stored in nexus-registry-secret).
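
One way to check the last note against a mounted file, as an added example that is not part of the Connectors project: the audit_settings and write_sample functions are hypothetical names, the sample is constructed from the example output above, and the <server> check assumes the template only ever writes credentials into the proxy section.

```shell
#!/bin/sh
# Added example, not Connectors project code.
# audit_settings FILE UPSTREAM_PASSWORD: returns 0 when clean, 1 on a finding.
audit_settings() {
  file=$1 upstream_pw=$2 rc=0
  content=$(cat "$file") || return 2
  # 1. The Nexus password stored in the Secret must not appear in the file.
  #    A quoted case pattern matches literally and keeps the value out of argv.
  if [ -n "$upstream_pw" ]; then
    case $content in
      *"$upstream_pw"*) echo "FAIL: upstream password present in $file"; rc=1 ;;
    esac
  fi
  # 2. Assumption: the template puts credentials only in <proxy>; a <server>
  #    entry would mean repository credentials were handed to the client.
  case $content in
    *"<server>"*) echo "FAIL: <server> entry present in $file"; rc=1 ;;
  esac
  # 3. The proxy host should be an in-cluster Service, as in the page's output.
  host=$(sed -n 's:.*<host>\(.*\)</host>.*:\1:p' "$file" | head -n 1)
  case $host in
    *.svc.cluster.local) ;;
    *) echo "FAIL: proxy host '$host' is not an in-cluster Service"; rc=1 ;;
  esac
  [ "$rc" -eq 0 ] && echo "OK: $file"
  return "$rc"
}

# Constructed sample, abridged from the example output above.
write_sample() {
  cat > "$1" <<'XML'
<settings>
  <proxies>
    <proxy>
      <id>connectors-proxy</id>
      <host>c-nexus-connector.connectors-nexus-demo.svc.cluster.local</host>
      <port>80</port>
      <username>connectors-nexus-demo/nexus-connector</username>
      <password>eyJhbGciOiJEnEZaTQ</password>
    </proxy>
  </proxies>
</settings>
XML
}

sample=$(mktemp)
write_sample "$sample"
audit_settings "$sample" "your-nexus-password"
rm -f "$sample"
```

To run it against the cluster, save the output of the kubectl exec command shown above to a local file and pass the password held in nexus-registry-secret as the second argument.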

Troubleshooting

If your operation fails, check the following:

  1. Connector Status: Ensure the connector is in "Ready" state:

    kubectl describe connector nexus-connector -n connectors-nexus-demo

  2. Verify the connectors deployment status: ensure all components are deployed and in "Ready" state:

    kubectl get pods -n <connector-component-namespace>

Further Reading

After successfully performing operations using the Nexus connector, you can:
