Loading README.md +30 −1 Original line number Diff line number Diff line # NiFi Este proyecto contiene la configuración y despliegue de Apache NiFi. Configuration and deployment for Apache NiFi ## Generating truststore/keystore Use [nifi-toolkit](https://nifi.apache.org/docs/nifi-docs/html/toolkit-guide.html) to generate: ```sh ./bin/tls-toolkit.sh standalone \ --certificateAuthorityHostname ${PUBLIC_HOSTNAME} \ --hostnames ${TRAEFIK_SUBDOMAIN}.${PUBLIC_HOSTNAME} \ --days 825 \ --keySize 4096 \ --trustStorePassword ${TRUSTSTORE_PASSWORD} \ --keyStorePassword ${KEYSTORE_PASSWORD} \ --keyPassword ${KEY_PASSWORD} ``` Then, migrate from JKS (Java specific, deprecated format) to PKCS12 (generic, recommended format) using: ```sh keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -deststoretype pkcs12 keytool -importkeystore -srckeystore truststore.jks -destkeystore truststore.p12 -deststoretype pkcs12 ``` You can check stores content with: ```sh keytool -list -v -keystore keystore.p12 keytool -list -v -keystore truststore.p12 ``` deploy/.env +20 −3 Original line number Diff line number Diff line HOME=/opt/nifi/nifi-current NIFI_WEB_HTTP_HOST=0.0.0.0 NIFI_HOME=/opt/nifi/nifi-current INITIAL_ADMIN_IDENTITY=cn=admin,dc=example,dc=org LDAP_AUTHENTICATION_STRATEGY=SIMPLE LDAP_MANAGER_DN=cn=admin,dc=example,dc=org LDAP_MANAGER_PASSWORD=changeme LDAP_USER_SEARCH_BASE=dc=example,dc=org LDAP_USER_SEARCH_FILTER=cn={0} LDAP_IDENTITY_STRATEGY=USE_DN LDAP_URL=ldap://openldap:389 KEYSTORE_PATH=/certs/keystore.p12 KEYSTORE_TYPE=PKCS12 KEYSTORE_PASSWORD=changeme KEY_PASSWORD=changeme TRUSTSTORE_PATH=/certs/truststore.p12 TRUSTSTORE_PASSWORD=changeme TRUSTSTORE_TYPE=PKCS12 AUTH=ldap NIFI_WEB_HTTPS_HOST=0.0.0.0 NIFI_WEB_HTTPS_PORT=8443 NIFI_WEB_PROXY_HOST=nifi.redmic.net:443 TRAEFIK_SUBDOMAIN=nifi PORT=8080 CONF_VOL_NAME=nifi-conf-vol DATABASE_VOL_NAME=nifi-database-vol Loading deploy/docker-compose.tmpl.yml +51 −15 Original line number Diff line number Diff line 
Loading @@ -3,28 +3,51 @@ version: '3.5' services: nifi: image: ${IMAGE_NAME:-apache/nifi}:${IMAGE_TAG:-latest} hostname: apache-nifi environment: HOME: NIFI_WEB_HTTP_HOST: HOME: ${NIFI_HOME}/conf NIFI_HOME: INITIAL_ADMIN_IDENTITY: LDAP_AUTHENTICATION_STRATEGY: LDAP_MANAGER_DN: LDAP_MANAGER_PASSWORD: LDAP_USER_SEARCH_BASE: LDAP_USER_SEARCH_FILTER: LDAP_IDENTITY_STRATEGY: LDAP_URL: KEYSTORE_PATH: KEYSTORE_TYPE: KEYSTORE_PASSWORD: KEY_PASSWORD: TRUSTSTORE_PATH: TRUSTSTORE_PASSWORD: TRUSTSTORE_TYPE: AUTH: NIFI_WEB_HTTPS_HOST: NIFI_WEB_HTTPS_PORT: NIFI_WEB_PROXY_HOST: networks: traefik-net: kafka-net: elastic-net: auth-net: volumes: - log-vol:${HOME}/logs - conf-vol:${HOME}/conf - database-vol:${HOME}/database_repository - flowfile-vol:${HOME}/flowfile_repository - content-vol:${HOME}/content_repository - provenance-vol:${HOME}/provenance_repository - state-vol:${HOME}/state - ingest-vol:${HOME}/data - log-vol:${NIFI_HOME}/logs - conf-vol:${NIFI_HOME}/conf - database-vol:${NIFI_HOME}/database_repository - flowfile-vol:${NIFI_HOME}/flowfile_repository - content-vol:${NIFI_HOME}/content_repository - provenance-vol:${NIFI_HOME}/provenance_repository - state-vol:${NIFI_HOME}/state - ingest-vol:${NIFI_HOME}/data configs: - source: logback-xml target: ${HOME}/conf/logback.xml target: ${NIFI_HOME}/conf/logback.xml - source: truststore-p12 target: ${TRUSTSTORE_PATH} - source: keystore-p12 target: ${KEYSTORE_PATH} healthcheck: test: curl --silent --output /dev/null http://apache-nifi:${PORT}/nifi test: curl --silent --output /dev/null --insecure https://localhost:${NIFI_WEB_HTTPS_PORT}/nifi interval: ${HEALTHCHECK_INTERVAL:-30s} timeout: ${HEALTHCHECK_TIMEOUT:-15s} retries: ${HEALTHCHECK_RETRIES:-10} Loading 
@@ -37,11 +60,11 @@ services: update_config: delay: ${UPDATE_DELAY:-10m} labels: traefik.frontend.auth.basic.users: ${UI_AUTH} traefik.frontend.rule: Host:${TRAEFIK_SUBDOMAIN}.${PUBLIC_HOSTNAME} traefik.frontend.headers.customRequestHeaders: X-ProxyScheme:https||X-ProxyHost:${TRAEFIK_SUBDOMAIN}.${PUBLIC_HOSTNAME}||X-ProxyPort:443||X-ProxyContextPath:/ traefik.backend: nifi traefik.port: '${PORT}' traefik.protocol: https traefik.port: '${NIFI_WEB_HTTPS_PORT}' networks: traefik-net: Loading @@ -59,6 +82,11 @@ networks: driver: ${ELASTIC_NET_DRIVER:-overlay} external: true auth-net: name: ${AUTH_NET_NAME:-auth-net} driver: ${AUTH_NET_DRIVER:-overlay} external: true volumes: log-vol: name: ${LOG_VOL_NAME:-nifi-log-vol} Loading @@ -70,3 +98,11 @@ configs: logback-xml: name: ${LOGBACK_XML_NAME:-nifi-logback-xml} file: ./config/logback.xml truststore-p12: name: ${TRUSTSTORE_P12_NAME:-nifi-truststore-p12} file: ./config/truststore.p12 keystore-p12: name: ${KEYSTORE_P12_NAME:-nifi-keystore-p12} file: ./config/keystore.p12 Loading
README.md +30 −1 Original line number Diff line number Diff line # NiFi Este proyecto contiene la configuración y despliegue de Apache NiFi. Configuration and deployment for Apache NiFi ## Generating truststore/keystore Use [nifi-toolkit](https://nifi.apache.org/docs/nifi-docs/html/toolkit-guide.html) to generate: ```sh ./bin/tls-toolkit.sh standalone \ --certificateAuthorityHostname ${PUBLIC_HOSTNAME} \ --hostnames ${TRAEFIK_SUBDOMAIN}.${PUBLIC_HOSTNAME} \ --days 825 \ --keySize 4096 \ --trustStorePassword ${TRUSTSTORE_PASSWORD} \ --keyStorePassword ${KEYSTORE_PASSWORD} \ --keyPassword ${KEY_PASSWORD} ``` Then, migrate from JKS (Java specific, deprecated format) to PKCS12 (generic, recommended format) using: ```sh keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -deststoretype pkcs12 keytool -importkeystore -srckeystore truststore.jks -destkeystore truststore.p12 -deststoretype pkcs12 ``` You can check stores content with: ```sh keytool -list -v -keystore keystore.p12 keytool -list -v -keystore truststore.p12 ```
deploy/.env +20 −3 Original line number Diff line number Diff line HOME=/opt/nifi/nifi-current NIFI_WEB_HTTP_HOST=0.0.0.0 NIFI_HOME=/opt/nifi/nifi-current INITIAL_ADMIN_IDENTITY=cn=admin,dc=example,dc=org LDAP_AUTHENTICATION_STRATEGY=SIMPLE LDAP_MANAGER_DN=cn=admin,dc=example,dc=org LDAP_MANAGER_PASSWORD=changeme LDAP_USER_SEARCH_BASE=dc=example,dc=org LDAP_USER_SEARCH_FILTER=cn={0} LDAP_IDENTITY_STRATEGY=USE_DN LDAP_URL=ldap://openldap:389 KEYSTORE_PATH=/certs/keystore.p12 KEYSTORE_TYPE=PKCS12 KEYSTORE_PASSWORD=changeme KEY_PASSWORD=changeme TRUSTSTORE_PATH=/certs/truststore.p12 TRUSTSTORE_PASSWORD=changeme TRUSTSTORE_TYPE=PKCS12 AUTH=ldap NIFI_WEB_HTTPS_HOST=0.0.0.0 NIFI_WEB_HTTPS_PORT=8443 NIFI_WEB_PROXY_HOST=nifi.redmic.net:443 TRAEFIK_SUBDOMAIN=nifi PORT=8080 CONF_VOL_NAME=nifi-conf-vol DATABASE_VOL_NAME=nifi-database-vol Loading
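Review bot: The four `changeme` values (`LDAP_MANAGER_PASSWORD`, `KEYSTORE_PASSWORD`, `KEY_PASSWORD`, `TRUSTSTORE_PASSWORD`) are placeholder credentials committed in the file the compose template reads at deploy time; on a Swarm deployment they should be supplied as Docker secrets or from an untracked override, and at minimum a comment such as `# placeholders - must be replaced before deploy` belongs above them. `LDAP_AUTHENTICATION_STRATEGY=SIMPLE` against `ldap://openldap:389` sends the manager bind password and every user's password unencrypted across the `auth-net` overlay; if the OpenLDAP service can offer it, `ldaps://` or `LDAP_AUTHENTICATION_STRATEGY=START_TLS` (with the image's LDAP TLS settings pointing at the truststore) closes that. `INITIAL_ADMIN_IDENTITY` reuses the directory manager DN `cn=admin,dc=example,dc=org`, so the LDAP admin account doubles as the NiFi administrator; a dedicated user DN keeps the two privilege sets apart. `NIFI_WEB_PROXY_HOST=nifi.redmic.net:443` hard-codes the public host while the Traefik labels build it from `${TRAEFIK_SUBDOMAIN}.${PUBLIC_HOSTNAME}`, so any drift between the two will presumably make NiFi's proxy host-header check reject proxied requests; deriving it from the same variables, `NIFI_WEB_PROXY_HOST=${TRAEFIK_SUBDOMAIN}.${PUBLIC_HOSTNAME}:443`, removes that failure mode if the loader expands variables in `.env`.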
deploy/docker-compose.tmpl.yml +51 −15 Original line number Diff line number Diff line Loading @@ -3,28 +3,51 @@ version: '3.5' services: nifi: image: ${IMAGE_NAME:-apache/nifi}:${IMAGE_TAG:-latest} hostname: apache-nifi environment: HOME: NIFI_WEB_HTTP_HOST: HOME: ${NIFI_HOME}/conf NIFI_HOME: INITIAL_ADMIN_IDENTITY: LDAP_AUTHENTICATION_STRATEGY: LDAP_MANAGER_DN: LDAP_MANAGER_PASSWORD: LDAP_USER_SEARCH_BASE: LDAP_USER_SEARCH_FILTER: LDAP_IDENTITY_STRATEGY: LDAP_URL: KEYSTORE_PATH: KEYSTORE_TYPE: KEYSTORE_PASSWORD: KEY_PASSWORD: TRUSTSTORE_PATH: TRUSTSTORE_PASSWORD: TRUSTSTORE_TYPE: AUTH: NIFI_WEB_HTTPS_HOST: NIFI_WEB_HTTPS_PORT: NIFI_WEB_PROXY_HOST: networks: traefik-net: kafka-net: elastic-net: auth-net: volumes: - log-vol:${HOME}/logs - conf-vol:${HOME}/conf - database-vol:${HOME}/database_repository - flowfile-vol:${HOME}/flowfile_repository - content-vol:${HOME}/content_repository - provenance-vol:${HOME}/provenance_repository - state-vol:${HOME}/state - ingest-vol:${HOME}/data - log-vol:${NIFI_HOME}/logs - conf-vol:${NIFI_HOME}/conf - database-vol:${NIFI_HOME}/database_repository - flowfile-vol:${NIFI_HOME}/flowfile_repository - content-vol:${NIFI_HOME}/content_repository - provenance-vol:${NIFI_HOME}/provenance_repository - state-vol:${NIFI_HOME}/state - ingest-vol:${NIFI_HOME}/data configs: - source: logback-xml target: ${HOME}/conf/logback.xml target: ${NIFI_HOME}/conf/logback.xml - source: truststore-p12 target: ${TRUSTSTORE_PATH} - source: keystore-p12 target: ${KEYSTORE_PATH} healthcheck: test: curl --silent --output /dev/null http://apache-nifi:${PORT}/nifi test: curl --silent --output /dev/null --insecure https://localhost:${NIFI_WEB_HTTPS_PORT}/nifi interval: ${HEALTHCHECK_INTERVAL:-30s} timeout: ${HEALTHCHECK_TIMEOUT:-15s} retries: ${HEALTHCHECK_RETRIES:-10} Loading 
@@ -37,11 +60,11 @@ services: update_config: delay: ${UPDATE_DELAY:-10m} labels: traefik.frontend.auth.basic.users: ${UI_AUTH} traefik.frontend.rule: Host:${TRAEFIK_SUBDOMAIN}.${PUBLIC_HOSTNAME} traefik.frontend.headers.customRequestHeaders: X-ProxyScheme:https||X-ProxyHost:${TRAEFIK_SUBDOMAIN}.${PUBLIC_HOSTNAME}||X-ProxyPort:443||X-ProxyContextPath:/ traefik.backend: nifi traefik.port: '${PORT}' traefik.protocol: https traefik.port: '${NIFI_WEB_HTTPS_PORT}' networks: traefik-net: Loading @@ -59,6 +82,11 @@ networks: driver: ${ELASTIC_NET_DRIVER:-overlay} external: true auth-net: name: ${AUTH_NET_NAME:-auth-net} driver: ${AUTH_NET_DRIVER:-overlay} external: true volumes: log-vol: name: ${LOG_VOL_NAME:-nifi-log-vol} Loading @@ -70,3 +98,11 @@ configs: logback-xml: name: ${LOGBACK_XML_NAME:-nifi-logback-xml} file: ./config/logback.xml truststore-p12: name: ${TRUSTSTORE_P12_NAME:-nifi-truststore-p12} file: ./config/truststore.p12 keystore-p12: name: ${KEYSTORE_P12_NAME:-nifi-keystore-p12} file: ./config/keystore.p12
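Review bot: In the first hunk the server keystore, which carries NiFi's private key, is delivered as a Docker `config` (`source: keystore-p12`, `target: ${KEYSTORE_PATH}`); Swarm configs are not encrypted at rest in the Raft log and their contents are readable through `docker config inspect`, so the keystore should be a `secret` while the truststore (CA certificate only) can remain a config, as sketched below with `KEYSTORE_PATH` changed to `/run/secrets/keystore.p12` in `.env`. The new healthcheck `curl --silent --output /dev/null --insecure https://localhost:${NIFI_WEB_HTTPS_PORT}/nifi` has no `--fail`, so an HTTP 5xx still returns exit code 0 and the probe only proves the TLS listener answers; `--insecure` is understandable because the toolkit certificate is issued for `${TRAEFIK_SUBDOMAIN}.${PUBLIC_HOSTNAME}` rather than `localhost`, but a comment saying so would stop the next reader from "fixing" it. In the labels hunk, `traefik.protocol: https` makes Traefik terminate a second TLS hop to NiFi, and unless the toolkit CA is trusted by Traefik or its backend verification is disabled that hop will presumably fail; the README should state which of the two the deployment relies on.
```yaml
    # … unchanged: image, environment, networks, volumes …
    configs:
      - source: logback-xml
        target: ${NIFI_HOME}/conf/logback.xml
      - source: truststore-p12
        target: ${TRUSTSTORE_PATH}
    # Private key material goes through the encrypted secret store, not a config.
    # Mounted at /run/secrets/keystore.p12; KEYSTORE_PATH must point there.
    secrets:
      - source: keystore-p12
        target: keystore.p12
    # … unchanged: healthcheck, deploy, top-level networks/volumes/configs (minus keystore-p12) …
secrets:
  keystore-p12:
    name: ${KEYSTORE_P12_NAME:-nifi-keystore-p12}
    file: ./config/keystore.p12
```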