fix(nexus3): prepare removal of chown-data-dir initContainer (#1238)

Falltrades · web-flow · commit 7a4165a1c61e · 2025-09-01T12:58:08.000+01:00
diff --git a/charts/nexus3/CHANGELOG.md b/charts/nexus3/CHANGELOG.md
@@ -15,6 +15,14 @@
 
 ## [UNRELEASED]
 
+### Added
+
+- Add `chownDataDir` chart value to allow for opting out of the _chown-data-dir_ init container. ([#1238](https://github.com/stevehipwell/helm-charts/pull/1238)) _@falltrades_
+
+### Deprecated
+
+- Deprecate the `chownDataDir` default chart value of `true`, the default value will be changed to `false` in the next chart major version. ([#1238](https://github.com/stevehipwell/helm-charts/pull/1238)) _@falltrades_
+
 ## [v5.13.1] - 2025-08-20
 
 ### Changed
diff --git a/charts/nexus3/README.md b/charts/nexus3/README.md
@@ -56,6 +56,7 @@ helm upgrade --install nexus3 stevehipwell/nexus3 --version 5.13.1
 | bashImage.tag | string | `"latest"` | Image tag for bash containers, this will be omitted if set to `-`. |
 | caCerts.enabled | bool | `false` | If `true`, add the CA certificates in the provided secret to the JVM cacerts key store. |
 | caCerts.secret | string | `nil` | Name of the secret containing the CA certificates. |
+| chownDataDir | bool | `true` | If `true`, the _chown-data-dir_ init container will be enabled, this should not be required for most CSI drivers but is left in for backwards compatibility. For new chart installs this should be set to `false`. |
 | commonLabels | object | `{}` | Labels to add to all chart resources. |
 | config.anonymous.enabled | bool | `false` | If `true`, enable anonymous access. |
 | config.anonymous.roles | list | `["nx-anonymous","nx-metrics"]` | Roles for anonymous access. |
diff --git a/charts/nexus3/ci/kubeconform.yaml b/charts/nexus3/ci/kubeconform.yaml
@@ -106,6 +106,8 @@ plugins:
   - name: nexus-repository-composer
     url: https://repo1.maven.org/maven2/org/sonatype/nexus/plugins/nexus-repository-composer/0.0.29/nexus-repository-composer-0.0.29-bundle.kar
 
+chownDataDir: true 
+
 rootPassword:
   secret: nexus3-creds
   key: password
diff --git a/charts/nexus3/templates/configmap-scripts.yaml b/charts/nexus3/templates/configmap-scripts.yaml
@@ -22,6 +22,7 @@ data:
 {{- range .Values.plugins }}
     curl -fLo /deploy/{{ .name }}.kar {{ .url }}
 {{- end }}
+{{- if .Values.chownDataDir }}
   chown-data-dir.sh: |
     #!/usr/bin/env bash
     set -euo pipefail
@@ -35,6 +36,7 @@ data:
     touch -a /nexus-data/log/request.log
 
     chown -R {{ .Values.podSecurityContext.fsGroup }}:{{ .Values.podSecurityContext.fsGroup }} /nexus-data
+{{- end }}
   tail-logs.sh: |
     #!/usr/bin/env bash
     set -euo pipefail
diff --git a/charts/nexus3/templates/statefulset.yaml b/charts/nexus3/templates/statefulset.yaml
@@ -113,6 +113,7 @@ spec:
       {{- with .Values.extraInitContainers }}
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- if .Values.chownDataDir }}
         - name: chown-data-dir
           image: {{ include "nexus3.image" .Values.bashImage }}
           imagePullPolicy: {{ .Values.bashImage.pullPolicy }}
@@ -134,6 +135,7 @@ spec:
               subPath: chown-data-dir.sh
             - mountPath: /nexus-data
               name: data
+      {{- end }}
       {{- if (semverCompare ">= 1.29-0" .Capabilities.KubeVersion.Version) }}
         - name: tail-request-log
           restartPolicy: Always
diff --git a/charts/nexus3/values.yaml b/charts/nexus3/values.yaml
@@ -292,6 +292,9 @@ plugins: []
 #   - name: nexus-repository-composer
 #     url: https://repo1.maven.org/maven2/org/sonatype/nexus/plugins/nexus-repository-composer/0.0.29/nexus-repository-composer-0.0.29-bundle.kar
 
+# -- If `true`, the _chown-data-dir_ init container will be enabled, this should not be required for most CSI drivers but is left in for backwards compatibility. For new chart installs this should be set to `false`.
+chownDataDir: true
+
 rootPassword:
   # -- (string) Name of the secret containing the root password.
   secret:
