Commit a82b6a46 authored by Noel Alonso

Merge branch 'dev' into 'master'

Modifica config y añade variable para migración

See merge request redmic-project/etl/nifi!26
parents 98a058f6 c3751bb8
+22 −10
@@ -4,31 +4,43 @@ Configuration and deployment for Apache NiFi

## Generating truststore/keystore

Use [nifi-toolkit](https://nifi.apache.org/docs/nifi-docs/html/toolkit-guide.html) to generate:
Use [nifi-toolkit](https://nifi.apache.org/docs/nifi-docs/html/toolkit-guide.html) (included in NiFi container image) to generate:

```sh
./bin/tls-toolkit.sh standalone \
    --certificateAuthorityHostname ${PUBLIC_HOSTNAME} \
    --hostnames ${TRAEFIK_SUBDOMAIN}.${PUBLIC_HOSTNAME} \
    --hostnames ${TRAEFIK_SUBDOMAIN} \
    --certificateAuthorityHostname ${TRAEFIK_SUBDOMAIN} \
    --nifiDnSuffix ",${LDAP_USER_SEARCH_BASE}" \
    --subjectAlternativeNames "localhost,0.0.0.0,${TRAEFIK_SUBDOMAIN}.${PUBLIC_HOSTNAME},${TRAEFIK_SUBDOMAIN}" \
    --days 825 \
    --keySize 4096 \
    --trustStorePassword ${TRUSTSTORE_PASSWORD} \
    --keyStorePassword ${KEYSTORE_PASSWORD} \
    --keyPassword ${KEY_PASSWORD}
    --keyPassword ${KEY_PASSWORD} \
    --outputDirectory ${NIFI_HOME}/security
```

Then, migrate from JKS (Java specific, deprecated format) to PKCS12 (generic, recommended format) using:
If you want to generate truststore/keystore for NiFi Registry, you also have to execute:

```sh
keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -deststoretype pkcs12
keytool -importkeystore -srckeystore truststore.jks -destkeystore truststore.p12 -deststoretype pkcs12
./bin/tls-toolkit.sh standalone \
    --hostnames ${NIFI_REGISTRY_TRAEFIK_SUBDOMAIN} \
    --certificateAuthorityHostname ${NIFI_REGISTRY_TRAEFIK_SUBDOMAIN} \
    --nifiDnSuffix ",${LDAP_USER_SEARCH_BASE}" \
    --subjectAlternativeNames "localhost,0.0.0.0,${NIFI_REGISTRY_TRAEFIK_SUBDOMAIN}.${PUBLIC_HOSTNAME},${NIFI_REGISTRY_TRAEFIK_SUBDOMAIN}" \
    --days 825 \
    --keySize 4096 \
    --trustStorePassword ${TRUSTSTORE_PASSWORD} \
    --keyStorePassword ${KEYSTORE_PASSWORD} \
    --keyPassword ${KEY_PASSWORD} \
    --outputDirectory ${NIFI_HOME}/security
```

You can check stores content with:

```sh
keytool -list -v -keystore keystore.p12
keytool -list -v -keystore truststore.p12
keytool -list -v -keystore keystore.jks
keytool -list -v -keystore truststore.jks
```

## Adding truststore/keystore to volume
@@ -42,7 +54,7 @@ In processes like `invokeHttp`, if you wish to access to an external service thr
```sh
echo -n | openssl s_client -connect external_url:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/external_name.crt

keytool -import -alias external_name -file /tmp/external_name.crt -keystore truststore.p12
keytool -import -alias external_name -file /tmp/external_name.crt -keystore truststore.jks

rm tmp/external_name.crt
```
+4 −3
NIFI_HOME=/opt/nifi/nifi-current
INITIAL_ADMIN_IDENTITY=cn=admin,dc=example,dc=org
INITIAL_ADMIN_IDENTITY=cn=admin,ou=nifi,dc=example,dc=org
LDAP_AUTHENTICATION_STRATEGY=SIMPLE
LDAP_MANAGER_DN=cn=admin,dc=example,dc=org
LDAP_MANAGER_PASSWORD=changeme
@@ -7,12 +7,13 @@ LDAP_USER_SEARCH_BASE=dc=example,dc=org
LDAP_USER_SEARCH_FILTER=cn={0}
LDAP_IDENTITY_STRATEGY=USE_DN
LDAP_URL=ldap://openldap:389
KEYSTORE_TYPE=PKCS12
KEYSTORE_TYPE=JKS
KEYSTORE_PASSWORD=changeme
KEY_PASSWORD=changeme
TRUSTSTORE_PASSWORD=changeme
TRUSTSTORE_TYPE=PKCS12
TRUSTSTORE_TYPE=JKS
AUTH=ldap
NIFI_SENSITIVE_PROPS_KEY=changeme
NIFI_WEB_HTTPS_HOST=0.0.0.0
NIFI_WEB_HTTPS_PORT=8443
NIFI_JVM_HEAP_INIT=2g
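Review bot: `NIFI_SENSITIVE_PROPS_KEY=changeme` is an 8-character placeholder, and recent NiFi releases (1.14 and later, if I remember right) refuse to start when `nifi.sensitive.props.key` is set but shorter than 12 characters, so this default would not even work as a dev value. It also joins four other `changeme` secrets in a file that appears to be committed; if this is an example file, make that explicit in its name or a leading comment, and have the deployment fail when a placeholder is still present rather than run with it. Since this key encrypts sensitive processor properties in `flow.xml.gz`, rotating it after first start requires re-encrypting the flow with the toolkit's `encrypt-config`, which is presumably the migration the commit message refers to; a comment such as `# >= 12 chars; changing it after first start requires nifi-toolkit encrypt-config to re-encrypt flow.xml.gz` would save the next operator a broken restart. Note also that `INITIAL_ADMIN_IDENTITY` moved to `ou=nifi` while `LDAP_MANAGER_DN` did not; with `LDAP_IDENTITY_STRATEGY=USE_DN` the admin identity must match the DN LDAP returns exactly, so confirm that entry exists under the new OU.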
+8 −8
version: '3.5'
version: '3.9'

volumes:
  conf-vol:
@@ -6,7 +6,7 @@ volumes:
    driver: local
    driver_opts:
      type: ${VOL_TYPE}
      o: addr=${VOL_ADDR},${VOL_OPTIONS}
      o: addr=${VOL_ADDR},${VOL_OPTS}
      device: ${CONF_VOL_DEVICE:-:/nifi-conf-vol/}

  database-vol:
@@ -14,7 +14,7 @@ volumes:
    driver: local
    driver_opts:
      type: ${VOL_TYPE}
      o: addr=${VOL_ADDR},${VOL_OPTIONS}
      o: addr=${VOL_ADDR},${VOL_OPTS}
      device: ${DATABASE_VOL_DEVICE:-:/nifi-database-vol/}

  flowfile-vol:
@@ -22,7 +22,7 @@ volumes:
    driver: local
    driver_opts:
      type: ${VOL_TYPE}
      o: addr=${VOL_ADDR},${VOL_OPTIONS}
      o: addr=${VOL_ADDR},${VOL_OPTS}
      device: ${FLOWFILE_VOL_DEVICE:-:/nifi-flowfile-vol/}

  content-vol:
@@ -30,7 +30,7 @@ volumes:
    driver: local
    driver_opts:
      type: ${VOL_TYPE}
      o: addr=${VOL_ADDR},${VOL_OPTIONS}
      o: addr=${VOL_ADDR},${VOL_OPTS}
      device: ${CONTENT_VOL_DEVICE:-:/nifi-content-vol/}

  provenance-vol:
@@ -38,7 +38,7 @@ volumes:
    driver: local
    driver_opts:
      type: ${VOL_TYPE}
      o: addr=${VOL_ADDR},${VOL_OPTIONS}
      o: addr=${VOL_ADDR},${VOL_OPTS}
      device: ${PROVENANCE_VOL_DEVICE:-:/nifi-provenance-vol/}

  state-vol:
@@ -46,7 +46,7 @@ volumes:
    driver: local
    driver_opts:
      type: ${VOL_TYPE}
      o: addr=${VOL_ADDR},${VOL_OPTIONS}
      o: addr=${VOL_ADDR},${VOL_OPTS}
      device: ${STATE_VOL_DEVICE:-:/nifi-state-vol/}

  security-vol:
@@ -54,5 +54,5 @@ volumes:
    driver: local
    driver_opts:
      type: ${VOL_TYPE}
      o: addr=${VOL_ADDR},${VOL_OPTIONS}
      o: addr=${VOL_ADDR},${VOL_OPTS}
      device: ${SECURITY_VOL_DEVICE:-:/nifi-security-vol/}
+1 −1
version: '3.5'
version: '3.9'

services:
  nifi:
+5 −4
version: '3.5'
version: '3.9'

services:
  nifi:
@@ -6,8 +6,8 @@ services:
    environment:
      HOME: ${NIFI_HOME}/conf
      NIFI_WEB_PROXY_HOST: ${TRAEFIK_SUBDOMAIN}.${PUBLIC_HOSTNAME}:443
      TRUSTSTORE_PATH: ${NIFI_HOME}/security/truststore.p12
      KEYSTORE_PATH: ${NIFI_HOME}/security/keystore.p12
      TRUSTSTORE_PATH: ${NIFI_HOME}/security/nifi/truststore.jks
      KEYSTORE_PATH: ${NIFI_HOME}/security/nifi/keystore.jks
      NIFI_HOME:
      INITIAL_ADMIN_IDENTITY:
      LDAP_AUTHENTICATION_STRATEGY:
@@ -23,6 +23,7 @@ services:
      TRUSTSTORE_PASSWORD:
      TRUSTSTORE_TYPE:
      AUTH:
      NIFI_SENSITIVE_PROPS_KEY:
      NIFI_WEB_HTTPS_HOST:
      NIFI_WEB_HTTPS_PORT:
      NIFI_JVM_HEAP_INIT:
@@ -67,7 +68,7 @@ services:
          memory: ${RESOURCES_RESERVATIONS_MEMORY:-3G}
      labels:
        traefik.frontend.rule: Host:${TRAEFIK_SUBDOMAIN}.${PUBLIC_HOSTNAME}
        traefik.frontend.headers.customRequestHeaders: X-ProxyScheme:https||X-ProxyHost:${TRAEFIK_SUBDOMAIN}.${PUBLIC_HOSTNAME}||X-ProxyPort:443||X-ProxyContextPath:/
        traefik.frontend.headers.customRequestHeaders: X-ProxyScheme:https||X-ProxyHost:${TRAEFIK_SUBDOMAIN}.${PUBLIC_HOSTNAME}||X-ProxyPort:443
        traefik.frontend.redirect.regex: ^(.*://${TRAEFIK_SUBDOMAIN}.${PUBLIC_HOSTNAME})/$$
        traefik.frontend.redirect.replacement: $$1/nifi
        traefik.frontend.redirect.permanent: 'true'
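Review bot: `NIFI_SENSITIVE_PROPS_KEY:` adds another secret passed through the container environment alongside `KEYSTORE_PASSWORD`/`TRUSTSTORE_PASSWORD`, where it is readable via `docker inspect` and `/proc/<pid>/environ` by anything with socket or host access; with `version: '3.9'` a top-level `secrets:` block mounted under `/run/secrets` is available, though the NiFi image entrypoint reads these from env, so a small wrapper exporting them from the secret files would presumably be needed — at minimum document why env was kept. Second, `KEYSTORE_PATH`/`TRUSTSTORE_PATH` hard-code a `security/nifi/` directory while the README's `tls-toolkit standalone --outputDirectory ${NIFI_HOME}/security` writes stores into a per-hostname subdirectory named after `--hostnames`, so these paths likely only resolve when `TRAEFIK_SUBDOMAIN` is `nifi`; `${NIFI_HOME}/security/${TRAEFIK_SUBDOMAIN}/keystore.jks` would keep the compose file and the README in step. The dots in `traefik.frontend.redirect.regex` are unescaped, which is harmless for this redirect but worth `\\.` if the pattern is reused.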