improve nifi, nifi-registry, and postgres roles

zeevo · Apr 27, 2024 · fcc6da5 · fcc6da5
1 parent c76fbad
commit fcc6da5
Show file tree

Hide file tree

Showing 20 changed files with 263 additions and 113 deletions.
diff --git a/roles/common/default/main.yml b/roles/common/default/main.yml
@@ -1 +1,2 @@
 common_files: []
+common_copy: []
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
@@ -6,3 +6,14 @@
     group: "{{ item.group }}"
   loop: "{{ common_files }}"
   become: true
+
+- name: Copy files
+  copy:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    owner: "{{ item.user }}"
+    group: "{{ item.group | default(None) }}"
+    mode: "{{ item.mode | default(None) }}"
+    force: "{{ item.force | default(true) }}"
+  loop: "{{ common_copy }}"
+  become: true
diff --git a/roles/nifi-registry/defaults/main.yml b/roles/nifi-registry/defaults/main.yml
@@ -1,11 +1,13 @@
-nifi_registry_truststore_password: truststorepass
-nifi_registry_keystore_password: keystorepass
+nifi_registry_security_truststore_password: truststorepass
+nifi_registry_security_keystore_password: keystorepass
+nifi_registry_security_keystore: /opt/certs/keystore.jks
+nifi_registry_security_truststore: /opt/certs/truststore.jks
 nifi_registry_name: nifi-registry
 nifi_registry_user: nifi
 nifi_registry_group: nifi
 nifi_registry_home_dir: ~/nifi-registry
 nifi_registry_data_dir: "{{ nifi_registry_home_dir }}/data"
 nifi_registry_network: nifi-registry
 nifi_registry_image: apache/nifi-registry:2.0.0-M1
-nifi_registry_users: []
-nifi_registry_groups: []
+nifi_registry_additional_certs: []
+nifi_registry_subject_alternative_names: ["localhost"]
diff --git a/roles/nifi-registry/tasks/main.yml b/roles/nifi-registry/tasks/main.yml
@@ -73,7 +73,15 @@
     group: "{{ nifi_registry_group }}"
 
 - name: Create truststore and keystore
-  shell: "docker run --user root -v {{ nifi_registry_home_dir }}/nifi_certs:/opt/certs apache/nifi-toolkit:latest tls-toolkit standalone -O --subjectAlternativeNames {{ nifi_registry_name }},localhost -o /opt/certs -n {{ nifi_registry_name }} -P {{ nifi_registry_truststore_password }} -K {{ nifi_registry_keystore_password }} -S {{ nifi_registry_keystore_password }}"
+  shell: "docker run --user root -v {{ nifi_registry_home_dir }}/nifi_certs:/opt/certs apache/nifi-toolkit:latest tls-toolkit standalone -O --subjectAlternativeNames {{ nifi_registry_name }},{{ nifi_registry_subject_alternative_names | join(',') }} -o /opt/certs -n {{ nifi_registry_name }} -P {{ nifi_registry_security_truststore_password }} -K {{ nifi_registry_security_keystore_password }} -S {{ nifi_registry_security_keystore_password }}"
+
+- name: Cat NiFi Registry Cert
+  shell: "cat {{ nifi_registry_home_dir }}/nifi_certs/nifi-cert.pem"
+  register: _nifi_cert_output
+
+- name: Print NiFi Cert
+  debug:
+    msg: "{{ _nifi_cert_output.stdout_lines }}"
 
 - name: Change permissions on /remote/file/path to ansible:user so we can write to it
   file:
@@ -82,14 +90,38 @@
     owner: "{{ nifi_registry_user }}"
     group: "{{ nifi_registry_group }}"
 
+- name: Make tmp cert dir
+  file:
+    path: /tmp/ansible-nifi-registry-certs
+    state: directory
+
+- name: Copy tmp certs
+  loop: "{{ nifi_registry_users + nifi_registry_additional_certs }}"
+  copy:
+    src: "{{ item.cert }}"
+    dest: "/tmp/ansible-nifi-registry-certs/{{ item.cert }}"
+
 - name: Add users to truststore
-  loop: "{{ nifi_registry_users }}"
-  shell: "docker run -v /tmp/ansible-nifi-certs:/tmp/ansible-nifi-certs -v {{ nifi_registry_home_dir }}/nifi_certs:/opt/certs openjdk keytool -noprompt -import -file /tmp/ansible-nifi-certs/{{ item.cert }} -alias {{ item.alias }} -keystore /opt/certs/{{ nifi_registry_name }}/truststore.jks -storepass {{ nifi_registry_truststore_password }}"
-  ignore_errors: true
+  loop: "{{ nifi_registry_users + nifi_registry_additional_certs }}"
+  shell: "docker run -v /tmp/ansible-nifi-registry-certs:/tmp/ansible-nifi-registry-certs -v {{ nifi_registry_home_dir }}/nifi_certs:/opt/certs openjdk keytool -noprompt -import -file /tmp/ansible-nifi-registry-certs/{{ item.cert }} -alias {{ item.alias }} -keystore /opt/certs/{{ nifi_registry_name }}/truststore.jks -storepass {{ nifi_registry_security_truststore_password }}"
 
 - name: Create registry network
   shell: "docker network create {{ nifi_registry_network }} || true"
   ignore_errors: true
 
+- name: Add view_keystore
+  template:
+    src: view_keystore.sh.j2
+    dest: "{{ nifi_registry_home_dir }}/view_keystore.sh"
+    owner: "{{ nifi_registry_user }}"
+    group: "{{ nifi_registry_group }}"
+
+- name: Add view_truststore
+  template:
+    src: view_truststore.sh.j2
+    dest: "{{ nifi_registry_home_dir }}/view_truststore.sh"
+    owner: "{{ nifi_registry_user }}"
+    group: "{{ nifi_registry_group }}"
+
 - name: Start registry
   shell: "docker compose -f {{ nifi_registry_home_dir }}/docker-compose.yml up -d --force-recreate --remove-orphans"
diff --git a/roles/nifi-registry/templates/authorizations.xml.j2 b/roles/nifi-registry/templates/authorizations.xml.j2
@@ -10,7 +10,7 @@
 {% endfor %}
         </policy>
 
-        <policy identifier="1CE953DF-5FCB-4DC3-A964-E4E25E202CD9" resource="/proxy" action="R">
+        <policy identifier="16E19609-3417-4088-93F7-C8EAE547DA38" resource="/proxy" action="R">
 {% for group in nifi_registry_groups %}
     {% if 'proxy' in group.permissions %}
             <group identifier="{{ group.id }}"/>

diff --git a/roles/nifi-registry/templates/docker-compose.yml.j2 b/roles/nifi-registry/templates/docker-compose.yml.j2
@@ -4,11 +4,11 @@ services:
     image: {{ nifi_registry_image }}
     networks:
       - registry_network
-    hostname: nifi-registry
+    hostname: {{ nifi_registry_name }}
     ports:
       - "18443:18443"
     volumes:
-      - {{ nifi_registry_home_dir }}/nifi_certs:/opt/certs
+      - {{ nifi_registry_home_dir }}/nifi_certs/{{ nifi_registry_name }}:/opt/certs
       - {{ nifi_registry_data_dir }}/conf:/opt/nifi-registry/nifi-registry-current/conf
       - {{ nifi_registry_data_dir }}/database:/opt/nifi-registry/nifi-registry-current/database
       - {{ nifi_registry_data_dir }}/flow_storage:/opt/nifi-registry/nifi-registry-current/flow_storage
@@ -17,10 +17,10 @@ services:
         AUTH: tls
         TRUSTSTORE_TYPE: JKS
         KEYSTORE_TYPE: JKS
-        KEYSTORE_PATH: /opt/certs/{{ nifi_registry_name }}/keystore.jks
-        TRUSTSTORE_PATH: /opt/certs/{{ nifi_registry_name }}/truststore.jks
-        KEYSTORE_PASSWORD: {{ nifi_registry_keystore_password }}
-        TRUSTSTORE_PASSWORD: {{ nifi_registry_truststore_password }}
+        KEYSTORE_PATH: /opt/certs/keystore.jks
+        TRUSTSTORE_PATH: /opt/certs/truststore.jks
+        KEYSTORE_PASSWORD: {{ nifi_registry_security_keystore_password }}
+        TRUSTSTORE_PASSWORD: {{ nifi_registry_security_truststore_password }}
 
 networks:
   registry_network:

diff --git a/roles/nifi-registry/templates/view_keystore.sh.j2 b/roles/nifi-registry/templates/view_keystore.sh.j2
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+docker compose -f {{ nifi_registry_home_dir }}/docker-compose.yml run --entrypoint "/bin/bash -c" nifi_registry "keytool -v -list -keystore {{ nifi_registry_security_keystore }} -storepass {{ nifi_registry_security_keystore_password }}"
diff --git a/roles/nifi-registry/templates/view_truststore.sh.j2 b/roles/nifi-registry/templates/view_truststore.sh.j2
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+docker compose -f {{ nifi_registry_home_dir }}/docker-compose.yml run --entrypoint "/bin/bash -c" nifi_registry "keytool -v -list -keystore {{ nifi_registry_security_truststore }} -storepass {{ nifi_registry_security_truststore_password }}"
diff --git a/roles/nifi/defaults/main.yml b/roles/nifi/defaults/main.yml
@@ -1,38 +1,58 @@
-nifi_name: nifi-0
+# Base
+nifi_name: nifi
 nifi_user: nifi # This user MUST have UID 1000
 nifi_https_port: 8443
 nifi_image: apache/nifi:2.0.0-M1
 nifi_group: nifi
 nifi_home_dir: /home/nifi
 nifi_data_dir: "{{ nifi_home_dir }}/data"
 nifi_network: nifi
+nifi_nar_extensions_dir: "{{ nifi_data_dir }}/nar_extensions"
 
 # Base environment
-nifi_cluster_is_node: true
+
+# Cluster
+nifi_cluster_address: "{{ nifi_name }}"
+nifi_cluster_is_node: false
+nifi_cluster_node_protocol_port: 8082
+nifi_zookeeper_connect_string: zookeeper:2181
+nifi_cluster_flow_election_wait_time: 1 min
+
+# Web
 nifi_web_https_port: 8443
-nifi_zk_connect_string: zookeeper:2181
-nifi_election_max_wait: 12 sec
-nifi_sensitive_props_key: my-random-string
+nifi_web_https_host: nifi
+
+# Single User Mode
+nifi_single_user_mode: false
 nifi_single_user_credentials_username: nifi
 nifi_single_user_credentials_password: nifinifinifinifi
-nifi_single_user_mode: false
 nifi_security_user_authorizer: single-user-authorizer
 nifi_security_user_login_identity_provider: single-user-provider
 
-# Core
-nifi_archive_enabled: true
+# Flow Configuration
+nifi_flow_configuration_archive_enabled: true
+nifi_content_repository_archive_enabled: true
 
 # Provenance
 nifi_provenance_repository_max_storage_size: 10 GB
 
+# Users and Groups
 nifi_groups: []
 nifi_users: []
 
+# Nodes
 nifi_nodes:
-  - dn: CN=nifi-0, OU=NIFI
+  - dn: "CN={{ nifi_name }}, OU=NIFI"
+
+# Security
+nifi_security_keystore_password: keystorepass
+nifi_security_keystore: "/opt/certs/keystore.jks"
+nifi_security_keystore_type: PKCS12
+nifi_security_truststore_password: truststorepass
+nifi_security_truststore: "/opt/certs/truststore.jks"
+nifi_security_truststore_type: PKCS12
+nifi_sensitive_props_key: my-random-string
 
-nifi_keystore_password: keystorepass
-nifi_truststore_password: truststorepass
-generate_certs: true
-nifi_include_zookeeper: true
-nifi_include_registry: true
+# Other
+nifi_additional_certs: []
+nifi_subject_alternative_names: ["localhost"]
diff --git a/roles/nifi/tasks/bootstrap.yml b/roles/nifi/tasks/bootstrap.yml
@@ -20,6 +20,7 @@
     - flowfile_repository
     - state
     - logs
+    - nar_extensions
 
 - name: Change permissions on /remote/file/path to ansible:user so we can write to it 
   file:
@@ -35,6 +36,7 @@
     - flowfile_repository
     - state
     - logs
+    - nar_extensions
 
 - name: Cleanup bootstrap container
   shell: docker rm -f nifi-bootstrap

diff --git a/roles/nifi/tasks/main.yml b/roles/nifi/tasks/main.yml
@@ -39,6 +39,7 @@
     - logs
     - provenance_repository
     - state
+    - nar_extensions
 
 - name: Add nifi docker compose
   template:
@@ -93,7 +94,7 @@
     state: directory
 
 - name: Copy tmp certs
-  loop: "{{ nifi_users }}"
+  loop: "{{ nifi_users + nifi_additional_certs }}"
   copy:
     src: "{{ item.cert }}"
     dest: "/tmp/ansible-nifi-certs/{{ item.cert }}"
@@ -105,7 +106,15 @@
     dest: "{{ nifi_home_dir }}/scripts/make_cert.sh"
 
 - name: Create truststore and keystore
-  shell: "docker run --user root -v {{ nifi_home_dir }}/nifi_certs:/opt/certs apache/nifi-toolkit:latest tls-toolkit standalone -O --subjectAlternativeNames {{ nifi_name }},localhost -o /opt/certs -n {{ nifi_name }} -P {{ nifi_truststore_password }} -K {{ nifi_keystore_password }} -S {{ nifi_keystore_password }}"
+  shell: "docker run --user root -v {{ nifi_home_dir }}/nifi_certs:/opt/certs apache/nifi-toolkit:latest tls-toolkit standalone -O --subjectAlternativeNames {{ nifi_name }},{{ nifi_subject_alternative_names | join(',') }} -o /opt/certs -n {{ nifi_name }} -P {{ nifi_security_truststore_password }} -K {{ nifi_security_keystore_password }} -S {{ nifi_security_keystore_password }}"
+
+- name: Cat NiFi Cert
+  shell: "cat {{ nifi_home_dir }}/nifi_certs/nifi-cert.pem"
+  register: _nifi_cert_output
+
+- name: Print NiFi Cert
+  debug:
+    msg: "{{ _nifi_cert_output.stdout_lines }}"
 
 - name: Change permissions on /remote/file/path to ansible:user so we can write to it
   file:
@@ -115,8 +124,8 @@
     group: "{{ nifi_group }}"
 
 - name: Add users to truststore
-  loop: "{{ nifi_users }}"
-  shell: "docker run -v /tmp/ansible-nifi-certs:/tmp/ansible-nifi-certs -v {{ nifi_home_dir }}/nifi_certs:/opt/certs openjdk keytool -noprompt -import -file /tmp/ansible-nifi-certs/{{ item.cert }} -alias {{ item.alias }} -keystore /opt/certs/{{ nifi_name }}/truststore.jks -storepass {{ nifi_truststore_password }}"
+  loop: "{{ nifi_users + nifi_additional_certs }}"
+  shell: "docker run -v /tmp/ansible-nifi-certs:/tmp/ansible-nifi-certs -v {{ nifi_home_dir }}/nifi_certs:/opt/certs openjdk keytool -noprompt -import -file /tmp/ansible-nifi-certs/{{ item.cert }} -alias {{ item.alias }} -keystore /opt/certs/{{ nifi_name }}/truststore.jks -storepass {{ nifi_security_truststore_password }}"
   ignore_errors: true
 
 - name: Create nifi network
@@ -147,6 +156,20 @@
     owner: "{{ nifi_user }}"
     group: "{{ nifi_group }}"
 
+- name: Add view_keystore
+  template:
+    src: view_keystore.sh.j2
+    dest: "{{ nifi_home_dir }}/view_keystore.sh"
+    owner: "{{ nifi_user }}"
+    group: "{{ nifi_group }}"
+
+- name: Add view_truststore
+  template:
+    src: view_truststore.sh.j2
+    dest: "{{ nifi_home_dir }}/view_truststore.sh"
+    owner: "{{ nifi_user }}"
+    group: "{{ nifi_group }}"
+
 - name: Message
   debug:
     msg: IMPORTANT -- set the nifi_root_pg_id variable for correct clustering permissions