Added https port and renamed ports (#19)

* Added https port and renamed ports * Added NiFi security autoload to config map * Added toolset security scripts * Added cluster LB
saidsef · Mar 22, 2023 · 74eb546 · 74eb546
1 parent 79f849a
commit 74eb546
Show file tree

Hide file tree

Showing 7 changed files with 107 additions and 19 deletions.
diff --git a/deployment/kustomization.yml b/deployment/kustomization.yml
@@ -8,7 +8,8 @@ commonAnnotations:
 resources:
 - ingress.yml
 - nifi-configmap.yml
-- nifi-deployment.yml
+- nifi-ssl-configmap.yml
+- nifi.yml
 - nifi-hpa.yml
 - nifi-secrets.yml
 - nifi-service.yml

diff --git a/deployment/nifi-configmap.yml b/deployment/nifi-configmap.yml
@@ -14,7 +14,7 @@ data:
   NIFI_CLUSTER_NODE_READ_TIMEOUT: "2 min"
   NIFI_CLUSTER_PROTOCOL_CONNECTION_HANDSHAKE_TIMEOUT: "2 min"
   NIFI_CLUSTER_PROTOCOL_HEARTBEAT_INTERVAL: "1 min"
-  NIFI_ELECTION_MAX_CANDIDATES: "2"
+  NIFI_ELECTION_MAX_CANDIDATES: "1"
   NIFI_ELECTION_MAX_WAIT: "1 min"
   NIFI_JVM_HEAP_INIT: "1g"
   NIFI_JVM_HEAP_MAX: "2g"
@@ -23,3 +23,11 @@ data:
   NIFI_WEB_HTTPS_PORT: "8443"
   NIFI_ZK_CONNECT_STRING: "zookeeper:2181"
   NIFI_ZOOKEEPER_CONNECT_STRING: "zookeeper:2181"
+  # NIFI_SECURITY_AUTORELOAD_ENABLED: "true"
+  # NIFI_SECURITY_AUTORELOAD_INTERVAL: "1 min"
+  # NIFI_SECURITY_KEYSTORE: "${NIFI_HOME}/keytool/keystore.p12"
+  # NIFI_SECURITY_KEYSTORETYPE: "PKCS12"
+  # NIFI_SECURITY_TRUSTSTORE: "${NIFI_HOME}/keytool/truststore.jks"
+  # NIFI_SECURITY_TRUSTSTORETYPE: "jks"
+  # NIFI_SECURITY_NEEDCLIENTAUTH: "false"
+  # NIFI_CLUSTER_PROTOCOL_IS_SECURE: "false"
diff --git a/deployment/nifi-hpa.yml b/deployment/nifi-hpa.yml
@@ -8,7 +8,7 @@ metadata:
 spec:
   scaleTargetRef:
     apiVersion: apps/v1
-    kind: Deployment
+    kind: StatefulSet
     name: nifi
   minReplicas: 2
   maxReplicas: 8

diff --git a/deployment/nifi-service.yml b/deployment/nifi-service.yml
@@ -13,10 +13,18 @@ spec:
   selector:
     app: nifi
   ports:
+  - protocol: TCP
+    port: 6342
+    targetPort: 6342
+    name: cluster-lb
   - protocol: TCP
     port: 8080
     targetPort: 8080
-    name: nifi
+    name: http
+  - protocol: TCP
+    port: 8443
+    targetPort: 8443
+    name: https
   - protocol: TCP
     port: 11443
     targetPort: 11443

diff --git a/deployment/nifi-ssl-configmap.yml b/deployment/nifi-ssl-configmap.yml
@@ -0,0 +1,52 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: nifi-ssl-cm
+data:
+  security.sh: |
+    #!/bin/bash
+    set -ex -o allexport
+
+    ORGANISATION_UNIT=${ORGANISATION_UNIT:-'Cloud Services Application'}
+    ORGANISATION=${ORGANISATION:-'Cloud Services'}
+    PUBLIC_DNS=${PUBLIC_DNS:-'nifi.tld'}
+    CITY=${CITY:-'London'}
+    STATE=${STATE:-'London'}
+    COUNTRY_CODE=${COUNTRY_CODE:-'GB'}
+    KEY_PASS=${KEY_PASS:-$KEYSTORE_PASS}
+    KEYSTORE_PASS=${KEYSTORE_PASS:-$NIFI_SENSITIVE_PROPS_KEY}
+    KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD:-$NIFI_SENSITIVE_PROPS_KEY}
+    KEYSTORE_PATH=${NIFI_HOME}/keytool/keystore.p12
+    KEYSTORE_TYPE=jks
+    TRUSTSTORE_PASS=${TRUSTSTORE_PASS:-$NIFI_SENSITIVE_PROPS_KEY}
+    TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD:-$NIFI_SENSITIVE_PROPS_KEY}
+    TRUSTSTORE_PATH=${NIFI_HOME}/keytool/truststore.jks
+    TRUSTSTORE_TYPE=jks
+
+    if [[ ! -f "${NIFI_HOME}/keytool/keystore.p12" ]]
+    then
+      echo "Creating keystore"
+      keytool -genkey -noprompt -alias nifi-keystore \
+      -dname "CN=SA,OU=${ORGANISATION_UNIT},O=${ORGANISATION},L=${CITY},S=${STATE},C=${COUNTRY_CODE}" \
+      -keystore ${NIFI_HOME}/keytool/keystore.p12 \
+      -storepass ${KEYSTORE_PASS:-$NIFI_SENSITIVE_PROPS_KEY} \
+      -KeySize 2048 \
+      -keypass "${KEY_PASS:-$NIFI_SENSITIVE_PROPS_KEY}" \
+      -keyalg RSA \
+      -storetype pkcs12
+    fi
+
+    if [[ ! -f "${NIFI_HOME}/keytool/truststore.jks" ]]
+    then
+      echo "Creating truststore"
+      keytool -genkey -noprompt -alias nifi-truststore \
+      -dname "CN=SA,OU=${ORGANISATION_UNIT},O=${ORGANISATION},L=${CITY},S=${STATE},C=${COUNTRY_CODE}" \
+      -keystore ${NIFI_HOME}/keytool/truststore.jks \
+      -storetype jks \
+      -keypass ${KEYSTORE_PASS:-$NIFI_SENSITIVE_PROPS_KEY} \
+      -storepass ${KEY_PASS:-$NIFI_SENSITIVE_PROPS_KEY} \
+      -KeySize 2048
+    fi
+
+    #/usr/bin/bash ${NIFI_HOME}/../scripts/secure.sh 
+    #eval ${NIFI_HOME}/../scripts/secure.sh 
diff --git a/deployment/nifi-deployment.yml → deployment/nifi.yml b/deployment/nifi-deployment.yml → deployment/nifi.yml
@@ -1,6 +1,6 @@
 ---
 apiVersion: apps/v1
-kind: Deployment
+kind: StatefulSet
 metadata:
   name: nifi
   labels:
@@ -11,8 +11,8 @@ metadata:
     app.kubernetes.io/part-of: nifi
 spec:
   revisionHistoryLimit: 1
-  strategy:
-    type: Recreate
+  serviceName: nifi
+  podManagementPolicy: OrderedReady
   selector:
     matchLabels:
       app: nifi
@@ -66,9 +66,11 @@ spec:
         imagePullPolicy: IfNotPresent
         ports:
         - containerPort: 8080
-          name: nifi
+          name: http
         - containerPort: 11443
           name: cluster
+        - containerPort: 8443
+          name: https
         - containerPort: 6342
           name: cluster-lb
         env:
@@ -89,26 +91,37 @@ spec:
               name: nifi-cm
               optional: false
         volumeMounts:
-          - name: flow-xml
+          - name: data
             mountPath: /opt/nifi/nifi-current/data
             subPath: data
             readOnly: false
+          - name: data
+            mountPath: /opt/nifi/nifi-current/keytool
+            subPath: keytool
+            readOnly: false
+          - name: scripts
+            mountPath: /scripts/security.sh
+            subPath: security.sh
+            readOnly: false
+        lifecycle:
+          postStart:
+            exec:
+              command:
+                - /scripts/security.sh
         livenessProbe:
           exec:
             command:
               - pgrep
               - java
-          initialDelaySeconds: 60
+          initialDelaySeconds: 30
           periodSeconds: 30
           timeoutSeconds: 10
           failureThreshold: 3
           successThreshold: 1
         readinessProbe:
-          exec:
-            command:
-              - pgrep
-              - java
-          initialDelaySeconds: 180
+          tcpSocket:
+            port: cluster
+          initialDelaySeconds: 30
           periodSeconds: 30
           timeoutSeconds: 10
           failureThreshold: 3
@@ -127,6 +140,11 @@ spec:
             drop:
               - ALL
       volumes:
-        - name: flow-xml
+        - name: data
           emptyDir:
             sizeLimit: 3Gi
+        - name: scripts
+          configMap:
+            name: nifi-ssl-cm
+            optional: false
+            defaultMode: 0755
diff --git a/deployment/zookeeper.yml b/deployment/zookeeper.yml
@@ -12,6 +12,7 @@ metadata:
 spec:
   revisionHistoryLimit: 1
   serviceName: zookeeper
+  podManagementPolicy: OrderedReady
   selector:
     matchLabels:
       app: zookeeper
@@ -37,7 +38,7 @@ spec:
         - containerPort: 2181
           name: zk
         - containerPort: 8080
-          name: web
+          name: http
         - containerPort: 7070
           name: metrics
         env:
@@ -63,8 +64,8 @@ spec:
           successThreshold: 1
         readinessProbe:
           tcpSocket:
-              port: 2181
-          initialDelaySeconds: 120
+              port: zk
+          initialDelaySeconds: 30
           periodSeconds: 30
           timeoutSeconds: 10
           failureThreshold: 3