The broader problem is that I have a Sonatype Nexus server running within a K3s cluster, and I am trying to serve/expose endpoints for Docker clients to pull images from. In Sonatype's documentation they have example host mapping strategies listed here as it pertains to docker registries --> https://help.sonatype.com/repomanager3/nexus-repository-administration/formats/docker-registry/docker-repository-reverse-proxy-strategies
I am trying to adapt the NGINX configuration that Sonatype outlines in the link above, titled "Host Mapping Strategy". The Nexus pod is configured like so:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nexus
  namespace: nexus
  labels:
    app: nexus
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nexus
  template:
    metadata:
      labels:
        app: nexus
    spec:
      containers:
        - name: nexus
          image: sonatype/nexus3:latest
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 8081
          volumeMounts:
            - name: nexus-data
              mountPath: /nexus-data
      volumes:
        - name: nexus-data
          persistentVolumeClaim:
            claimName: nexus-claim
The service definition:

apiVersion: v1
kind: Service
metadata:
  name: nexus-service
  namespace: nexus
spec:
  selector:
    app: nexus
  ports:
    - port: 8081
      name: nexus-default-port
  type: ClusterIP
This is what I have tried so far for the Traefik IngressRoute:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: nexus-ingressroute
  namespace: nexus
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`k3sdev-m.nexus.com`) && PathPrefix(`/v2`)
      kind: Rule
      services:
        - name: nexus-service
          port: 8081
      middlewares:
        - name: nexus-middleware-headers
        - name: nexus-middleware-regex
    - match: Host(`k3sdev-m.nexus.com`) && PathPrefix(`/`)
      kind: Rule
      services:
        - name: nexus-service
          port: 8081
  tls:
    secretName: host-cert
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: nexus-middleware-headers
  namespace: nexus
spec:
  headers:
    customRequestHeaders:
      X-Forwarded-Proto: https
      X-Forwarded-For: |
        {{ default "" .X-Forwarded-For }}
      X-Real-IP: |
        {{ default "" .X-Real-IP }}
      Host: |
        {{ default "" .Host }}
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: nexus-middleware-regex
  namespace: nexus
spec:
  replacePathRegex:
    regex: ^/v2/(.*)
    replacement: /v2/repository/docker-pull/$1
    #permanent: true
I have tried this with and without middleware, have made tweaks to the regex, and have added and omitted HTTP headers, with no good results. I either get a 404 or a 500, which I attempted to trace, but I could find no logs that caught the error in Traefik or Nexus. All attempts were made using a Docker client with the registry listed as unsecured, since I am using self-signed certs. I was performing docker pull k3sdev-m.nexus.com/python3:latest and I have Nexus set up for now to allow anonymous pulls until I can get this figured out. The registry I am trying to reach in Nexus is a proxy for Docker Hub.
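As an added example (not the poster's configuration and not taken from Sonatype's docs), here is an IngressRoute and middleware that map the Docker API path the way the Host Mapping Strategy describes: Nexus serves each Docker repository under /repository/<name>/v2/, so /v2/... from the client has to become /repository/docker-pull/v2/..., not /v2/repository/docker-pull/.... It assumes the proxy repository is named docker-pull, the Service and TLS Secret names above are unchanged, and Traefik v2 CRDs are in use.

```yaml
# Added example: Traefik Host Mapping for a Nexus Docker proxy repository.
# Assumptions: repository name "docker-pull", Service "nexus-service" on 8081,
# TLS Secret "host-cert", Traefik v2 CRDs (traefik.containo.us/v1alpha1).
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: nexus-ingressroute
  namespace: nexus
spec:
  entryPoints:
    - websecure
  routes:
    # Docker Registry API. Only this prefix is rewritten; Traefik ranks the
    # longer (more specific) rule ahead of the catch-all below by default.
    - match: Host(`k3sdev-m.nexus.com`) && PathPrefix(`/v2`)
      kind: Rule
      services:
        - name: nexus-service
          port: 8081
      middlewares:
        - name: nexus-docker-rewrite
    # Web UI and REST API pass through unchanged.
    - match: Host(`k3sdev-m.nexus.com`) && PathPrefix(`/`)
      kind: Rule
      services:
        - name: nexus-service
          port: 8081
  tls:
    secretName: host-cert
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: nexus-docker-rewrite
  namespace: nexus
spec:
  replacePathRegex:
    # "$1" keeps the remainder: /v2/library/python/manifests/latest
    # becomes /repository/docker-pull/v2/library/python/manifests/latest,
    # and the ping request /v2/ becomes /repository/docker-pull/v2/.
    regex: ^/v2/(.*)
    replacement: /repository/docker-pull/v2/$1
# No headers middleware is needed: Traefik already sets X-Forwarded-For,
# X-Forwarded-Host and X-Forwarded-Proto (https on a TLS entry point), and
# customRequestHeaders values are literal strings, not templates, so the
# "{{ ... }}" values in the original would be sent to Nexus verbatim.
```

A quick check from a client is curl -k https://k3sdev-m.nexus.com/v2/, which should come back from Nexus with 200 (or 401 once anonymous pull is turned off); a 404 there means the rewritten path still does not land on /repository/docker-pull/v2/.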