[HELP] User settings to access from maven settings.xml

[eirisdg]

Hi there, and happy new year!

I'm using oauth2-proxy-plugin to connect with Authentik, and everything is fine.
I'm able to access to UI with my user from the ID provider, and do everything.

But... I'm trying to use the user/token in my .m2/settings.xml to download artifacts... and it doesn't work.
I'm getting an Authentik .html in the .m2/repository/XXXX when run mvn clean package
I think is something I'm missing in the authentication config... but don't know what.

Here is my settings.xml:

<?xml version="1.0" encoding="UTF-8"?>
<settings
    xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 http://maven.apache.org/xsd/settings-1.0.0.xsd"
    xmlns="http://maven.apache.org/SETTINGS/1.0.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <servers>
        <server>
            <id>nexus</id>
            <username>[email protected]</username>
            <password>XXXX</password> <!-- I'm using here the OAuth2 Proxy API Token. Is it ok? -->
        </server>
    </servers>

    <profiles>
        <profile>
            <id>nexus</id>
            <repositories>
                <repository>
                    <id>XXXX-nexus</id>
                    <name>XXXX Nexus</name>
                    <url>https://repo.XXXX.com/repository/XXXX/</url>
                </repository>
            </repositories>
            <pluginRepositories>
                <pluginRepository>
                    <id>XXXX-nexus</id>
                    <name>XXXX Nexus</name>
                    <url>https://repo.XXXX.com/repository/XXXX/</url>
                </pluginRepository>
            </pluginRepositories>
        </profile>
    </profiles>
    <activeProfiles>
        <!--make
        the profile active all the time -->
        <activeProfile>nexus</activeProfile>
    </activeProfiles>
</settings>

And here is the error:

 XXXX@XXXX  ~/git/tramas/test  mvn clean package -U
[INFO] Scanning for projects...
[INFO]
[INFO] -----------------------< com.example:maven-test >-----------------------
[INFO] Building maven-test 1.0-SNAPSHOT
[INFO] --------------------------------[ jar ]---------------------------------
Downloading from XXXX-nexus: https://repo.XXXX.com/repository/XXXX-virtual/org/apache/maven/plugins/maven-clean-plugin/2.5/maven-clean-plugin-2.5.pom
[WARNING] Checksum validation failed, expected <!DOCTYPE but is 09db83cfff05a9a2343f0520e3e0660627fc8dac from XXXX-nexus for https://repo.XXXX.com/repository/XXXX-virtual/org/apache/maven/plugins/maven-clean-plugin/2.5/maven-clean-plugin-2.5.pom
[WARNING] Could not validate integrity of download from https://repo.XXXX.com/repository/XXXX-virtual/org/apache/maven/plugins/maven-clean-plugin/2.5/maven-clean-plugin-2.5.pom: Checksum validation failed, expected <!DOCTYPE but is b472f698936e5486898c1ade4cf3291550bdd619
[WARNING] Checksum validation failed, expected <!DOCTYPE but is b472f698936e5486898c1ade4cf3291550bdd619 from XXXX-nexus for https://repo.XXXX.com/repository/XXXX-virtual/org/apache/maven/plugins/maven-clean-plugin/2.5/maven-clean-plugin-2.5.pom
Downloaded from XXXX-nexus: https://repo.XXXX.com/repository/XXXX-virtual/org/apache/maven/plugins/maven-clean-plugin/2.5/maven-clean-plugin-2.5.pom (2.9 kB at 962 B/s)
[WARNING] The POM for org.apache.maven.plugins:maven-clean-plugin:jar:2.5 is invalid, transitive dependencies (if any) will not be available, enable debug logging for more details
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  3.246 s
[INFO] Finished at: 2025-01-08T17:36:27+01:00
[INFO] ------------------------------------------------------------------------
[ERROR] Plugin org.apache.maven.plugins:maven-clean-plugin:2.5 or one of its dependencies could not be resolved: Failed to read artifact descriptor for org.apache.maven.plugins:maven-clean-plugin:jar:2.5: 1 problem was encountered while building the effective model
[ERROR] [FATAL] Non-parseable POM /home/XXXX/.m2/repository/org/apache/maven/plugins/maven-clean-plugin/2.5/maven-clean-plugin-2.5.pom: expected = after attribute name (position: TEXT seen ...sheet" type="text/css" href="/static/dist/custom.css" data-inject>... @43:91)  @ line 43, column 91
[ERROR] -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/PluginResolutionException

[tumbl3w33d]

Hi, your settings.xml should be fine. You missed an important part of the README that says

For non-interactive programmatic access you circumvent the OAuth2 Proxy and go straight to the Nexus application.

That means you need to configure an additional proxy with the logic to decide whether the request to your nexus.example.com goes to Authentik (OAuth2 Proxy replacement) or straight to Nexus. The nature of these authenticating proxies is rather interactive and that doesn't work for build tools like maven and gradle.

The README has examples for HAproxy and nginx. You can probably achieve the same with pretty much any common proxy I can think of.

[eirisdg]

After several hours testing various configurations, the only one with which I've managed to achieve this is by creating a new Ingress in Nexus that redirects traffic from /repository directly to the Nexus service, leaving the rest of the configuration intact.

This is because, having protected all of Nexus with the authentication annotations, selectively disabling proxy redirection for specific paths is not possible, so creating a new Ingress is necessary.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nexus-repository-path
  namespace: nexus
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-pro
    nginx.ingress.kubernetes.io/affinity: cookie
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - repo.XXXX.com
      secretName: tls-nexus
  rules:
    - host: repo.XXXX.com
      http:
        paths:
          - path: /repository
            pathType: Prefix
            backend:
              service:
                name: sistemas-sonatype-nexus-nexus3
                port:
                  name: http

This will be added to the documentation upon verification.

[tumbl3w33d]

Glad you found a way. I'm sure sooner or later some other k8s user will come along and propose an improvement (if there is any), but this at least saves everyone else some time when getting started.