Alauda DevOps Connectors Docs
  • English

    • Maven Connector

    The Maven connector is a platform-agnostic connector that you can use to connect to any Maven registry.

    You can use the Maven Connector to securely perform maven operations in CICD pipelines, or use it in kubernetes workloads to perform maven operations without credentials.

    Additionally, you can centralize the management of maven access configurations across namespaces, avoiding the need to repeat the maven credentials in each namespace.

    TOC

    OverviewIntegration RequirementsCreating a simple Maven connectorFields ReferenceCapabilities of Maven ConnectorAuthenticationUsing Basic AuthenticationCredential Permissions RequiredProxy and settings.xml ConfigurationProxy Addresssettings.xml configuration fileca.cert fileUsing Connectors CSI Driver to mount settings.xml and ca.cert fileFurther ReadingReferences

    Overview

    This document covers:

    • Integration Requirements: Prerequisites for target Maven registries
    • Creating Maven connector
    • Advanced Features: Proxy capabilities and configuration capabilities about Maven connector

    Integration Requirements

    Maven Registries Prerequisites

    • The maven registry must be able to support the maven operations, like mvn deploy, mvn install, mvn package, etc. it must be one of maven snapshots repository or maven release repository or maven proxy repository. like maven central, maven repository hosted by nexus, artifactory, etc.

    There are some prerequisites for the client to use the Maven connector:

    Client Prerequisites

    • The client should trust the connectors proxy server's certificate, so you should import the ca.cert file to your client's truststore before executing mvn operations. Generally, you can use keytool -importcert command to import the ca.cert file to your client's truststore. for example:

      keytool -importcert -noprompt \
            -trustcacerts \
            -keystore $JAVA_HOME/lib/security/cacerts \
            -storepass changeit \
            -alias corp-ca \
            -file /opt/maven/ca.cert

    • The mvn client should use transport=wagon to execute mvn operations. it could achieve by add the -Dmaven.resolver.transport=wagon parameter to the mvn command or set the MAVEN_OPTS environment variable to -Dmaven.resolver.transport=wagon.

    Creating a simple Maven connector

    Here's how to create a basic Maven Connector:

    # Maven Connector
apiVersion: connectors.alauda.io/v1alpha1
kind: Connector
metadata:
  name: maven-connector
spec:
  connectorClassName: maven
  address: https://repo.maven.apache.org/maven2
  auth:
    name: basicAuth

    Fields Reference

    spec.connectorClassName:

    maven (constant), specifies the ConnectorClass name for Maven integration.

    spec.address:

    Target Maven registry address, for example: https://nexus.example.com/repository/maven-snapshots or https://repo.maven.apache.org/maven2. It must be one of maven snapshots repository or maven release repository or maven proxy repository.

    spec.auth:

    specifies the authentication method of the maven registry

    • spec.auth.name: should be basicAuth for maven connector.

    • spec.auth.secretRef: specifies the secret that contains the authentication information of the maven registry, the secret should be created in the same namespace as the connector. If your maven registry does not require authentication, you can omit this field.

    Optional Metadata fields:

    • cpaas.io/description: Description information for the maven connector, for example:

      apiVersion: connectors.alauda.io/v1alpha1
kind: Connector
metadata:
  name: maven-connector
  annotations:
    cpaas.io/description: "Connect to team development maven registry"

    Capabilities of Maven Connector

    Authentication

    The Maven connector supports the following authentication types:

    • basicAuth: Username and password-based authentication, corresponding secret type: kubernetes.io/basic-auth

    Using Basic Authentication

    For example:

    apiVersion: v1
stringData:
  username: your-maven-registry-username
  password: your-maven-registry-password
kind: Secret
metadata:
  name: maven-secret
type: kubernetes.io/basic-auth

    If the secret is not correct, the status.conditions field in the maven connector will show the error message.

    apiVersion: connectors.alauda.io/v1alpha1
kind: Connector
metadata:
  name: maven-connector
spec: {}
status:
  conditions:
    - type: Ready
      status: False
      reason: "xxxxx"
      message: "xxxx"

    For comprehensive status information, see Connector Status Documentation.

    If the Maven registry does not require authentication, you can omit the secretRef field:

    apiVersion: connectors.alauda.io/v1alpha1
kind: Connector
metadata:
  name: maven-connector
spec:
  connectorClassName: maven
  address: https://repo.maven.apache.org/maven2
  auth:
    name: basicAuth

    Credential Permissions Required

    The required permissions for the configured credential depend on how you intend to use it in your Pods/Pipelines.

    For example:

    • Package operations: If you only need to download dependencies using mvn package or mvn install, the credential only require read permissions for the target Maven repository.
    • Package and Deploy operations: If you need to publish artifacts using mvn deploy, the credentials must have both read and write permissions for the target repository.

    For security best practices, we recommend creating credentials with minimal required permissions. When additional privileges are needed, create separate Connectors with more privileged secret and use namespace isolation to control which users can access each Connector.

    Proxy and settings.xml Configuration

    To provide clients with the ability to access maven registry without credentials, the Maven connector provides a proxy server to automatically inject authentication information.

    Clients can use this proxy server to access maven registry without needing to configure credentials on the client side.

    To simplify usage, the Maven connectorclass provides settings.xml files that can be mounted into Pods via CSI. In the Pod, when executing maven operations, the proxy service can be automatically inject authentication information.

    Proxy Address

    Upon Connector creation, the system automatically provisions a proxy service for the target maven registry.

    The proxy endpoint is recorded in status.proxy.httpAddress:

    For example:

    apiVersion: connectors.alauda.io/v1alpha1
kind: Connector
metadata:
  name: maven-connector
spec:
  # connector spec fields
status:
  conditions:
    # status conditions
  proxy:
    httpAddress:
      url: http://c-maven-connector.default.svc.cluster.local

    settings.xml configuration file

    The Maven connector provides the following configuration:

    settings.xml:

    • Provides a settings.xml configuration file. Combined with the connector-csi-driver, this configuration file will be mounted into the Pod, allowing access to the maven registry through the proxy without needing to configure credentials on the client side.

    Example of the configuration file generated in the Pod:

    <settings xmlns="http://maven.apache.org/SETTINGS/1.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 https://maven.apache.org/xsd/settings-1.0.0.xsd">

  <proxies>
    <proxy>
      <id>connectors-proxy</id>
      <active>true</active>
      <protocol>http</protocol>
      <host>c-maven-connector.connectors-maven-demo.svc.cluster.local</host>
      <port>80</port>
      <username>connectors-maven-demo/maven-connector</username>
      <password>eyJhbGciOiJEnEZaTQ</password>
      <nonProxyHosts>localhost</nonProxyHosts>
    </proxy>
  </proxies>
</settings>

    For detailed proxy mechanics, see How It Works in the Quick Start guide.

    ca.cert file

    The Maven connector provides a ca.cert file that can be mounted into the Pod via Connector CSI Driver. It is used to trust the connectors proxy server, so you should import the ca.cert file to your client's truststore before executing mvn operations.

    keytool -importcert -noprompt \
  -trustcacerts \
  -keystore $JAVA_HOME/lib/security/cacerts \
  -storepass changeit \
  -alias corp-ca \
  -file /opt/maven/ca.cert

    Using Connectors CSI Driver to mount settings.xml and ca.cert file

    The Maven connector provides a settings.xml and ca.cert file that can be mounted into the Pod via Connector CSI Driver.

    For example:

    spec:
  volumes:
  - name: settings
    csi:
      readOnly: true
      driver: connectors-csi
      volumeAttributes:
        connector.name: "maven-connector"
        configuration.names: "settings"

    parameter descriptions:

    • csi.readOnly: Fixed value true
    • csi.driver: The Connector CSI Driver, fixed as connectors-csi.
    • csi.volumeAttributes: CSI Volume attributes
      • connector.name: Name of the Maven Connector
      • connector.namespace: Namespace of the Maven Connector; if not specified, the Pod's namespace is used
      • configuration.names: Configuration name, provide by the Maven Connector. As above, settings is supported.

    For detailed information about how to use the settings file in the Pod by connectors-csi-driver, please refer to Using Maven Connectors in kubernetes jobs

    Further Reading

    References