feat: enable nifi secure script

fix: set nifi cluster set to true and readiness delay to 200

deployment/nifi/configmap-ssl.yml

@@ -13,12 +13,12 @@ data:
     CITY=${CITY:-'London'}
     STATE=${STATE:-'London'}
     COUNTRY_CODE=${COUNTRY_CODE:-'GB'}
-    KEY_PASS=${KEY_PASS:-$KEYSTORE_PASS}
+    KEY_PASS=${NIFI_SENSITIVE_PROPS_KEY:-$KEYSTORE_PASS}
     KEYSTORE_PASS=${KEYSTORE_PASS:-$NIFI_SENSITIVE_PROPS_KEY}
     KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD:-$NIFI_SENSITIVE_PROPS_KEY}
     KEYSTORE_PATH=${NIFI_HOME}/keytool/keystore.p12
     KEYSTORE_TYPE=pkcs12
-    TRUSTSTORE_PASS=${TRUSTSTORE_PASS:-$NIFI_SENSITIVE_PROPS_KEY}
+    TRUSTSTORE_PASS=${TRUSTSTORE_PASSWORD:-$NIFI_SENSITIVE_PROPS_KEY}
     TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD:-$NIFI_SENSITIVE_PROPS_KEY}
     TRUSTSTORE_PATH=${NIFI_HOME}/keytool/truststore.p12
     TRUSTSTORE_TYPE=pkcs12
@@ -28,24 +28,31 @@ data:
       echo "Creating keystore"
       keytool -genkey -noprompt -alias nifi-keystore \
       -dname "CN=${NIFI_CLUSTER_NODE_ADDRESS},OU=${ORGANISATION_UNIT},O=${ORGANISATION},L=${CITY},S=${STATE},C=${COUNTRY_CODE}" \
-      -keystore ${NIFI_HOME}/keytool/keystore.p12 \
-      -storepass ${KEYSTORE_PASS:-$NIFI_SENSITIVE_PROPS_KEY} \
+      -keystore ${KEYSTORE_PATH} \
+      -storepass "${KEYSTORE_PASS:-$NIFI_SENSITIVE_PROPS_KEY}" \
       -keysize 2048 \
       -keypass "${KEY_PASS:-$NIFI_SENSITIVE_PROPS_KEY}" \
       -keyalg RSA \
+      -ext "SAN=ip:${POD_IP},dns:localhost,dns:${NIFI_CLUSTER_NODE_ADDRESS},dns:${NIFI_LOAD_BALANCER},dns:${PUBLIC_DNS},ip:127.0.0.1,dns:${NIFI_WEB_HTTP_HOST},dns:${POD_NAME},dns:${NODE_IDENTITY}" \
       -storetype pkcs12
 
       echo "Exporting the self-signed certificate from the keystore"
       keytool -export -alias nifi-keystore \
       -keystore "${KEYSTORE_PATH}" \
       -storepass "${KEYSTORE_PASS}" \
       -file "${NIFI_HOME}/keytool/nifi-cert.cer" \
+      -storetype pkcs12 \
       -rfc
     fi
 
     if [[ ! -f "${NIFI_HOME}/keytool/truststore.p12" ]]
     then
-      echo "Import truststore"
+      echo "Delete if truststore exists"
+      keytool -delete -alias nifi-truststore \
+      -keystore "${TRUSTSTORE_PATH}" \
+      -storepass "${TRUSTSTORE_PASS}" 2>/dev/null || true
+
+      echo "Importing truststore"
       keytool -import -noprompt -alias nifi-truststore \
       -file "${NIFI_HOME}/keytool/nifi-cert.cer" \
       -keystore "${TRUSTSTORE_PATH}" \
@@ -55,4 +62,4 @@ data:
     fi
 
     #/usr/bin/bash ${NIFI_HOME}/../scripts/secure.sh 
-    #eval ${NIFI_HOME}/../scripts/secure.sh 
+    # eval ${NIFI_HOME}/../scripts/secure.sh

deployment/nifi/nifi.yml

@@ -66,6 +66,13 @@ spec:
       - name: nifi
         image: docker.io/apache/nifi:2.1.0
         imagePullPolicy: IfNotPresent
+        command:
+          - /bin/sh
+          - -c
+          - |
+            echo "Starting NiFi"
+            /scripts/security.sh
+            /opt/nifi/nifi-current/bin/nifi.sh run
         ports:
         - containerPort: 8080
           name: http
@@ -88,6 +95,8 @@ spec:
             valueFrom:
               fieldRef:
                 fieldPath: metadata.namespace # Use pod namespace
+          - name: NIFI_LOAD_BALANCER
+            value: "nifi.$(POD_NAMESPACE).svc.cluster.local" # Use nifi service fqdn
           - name: NIFI_HOME
             value: "/opt/nifi/nifi-current"
           - name: NIFI_UI_BANNER_TEXT
@@ -104,8 +113,8 @@ spec:
             value: $(POD_NAME).nifi.$(POD_NAMESPACE).svc.cluster.local # Use pod fqdn as input host address
           - name: HOSTNAME
             value: $(POD_IP) # Use pod ip as hostname
-          - name: NIFI_WEB_PROXY_HOST
-            value: $(POD_NAME).nifi.$(POD_NAMESPACE).svc.cluster.local # Use pod fqdn as input host address
+          # - name: NIFI_WEB_PROXY_HOST
+          #   value: $(POD_NAME).nifi.$(POD_NAMESPACE).svc.cluster.local # Use pod fqdn as input host address
           - name: NODE_IDENTITY
             value: $(POD_NAME) # Use pod name as identity
           - name: NIFI_CLUSTER_NODE_PROTOCOL_ADDRESS
@@ -131,11 +140,11 @@ spec:
             mountPath: /scripts/security.sh
             subPath: security.sh
             readOnly: false
-        lifecycle:
-          postStart:
-            exec:
-              command:
-                - /scripts/security.sh
+        # lifecycle:
+        #   postStart:
+        #     exec:
+        #       command:
+        #         - /scripts/security.sh
         livenessProbe:
           exec:
             command:
@@ -149,7 +158,7 @@ spec:
         readinessProbe:
           tcpSocket:
             port: cluster
-          initialDelaySeconds: 90
+          initialDelaySeconds: 200
           periodSeconds: 30
           timeoutSeconds: 20
           failureThreshold: 3