From 3296fdc4e181f6dacec40ec2980ba8f838b68327 Mon Sep 17 00:00:00 2001 From: Felix Hennig Date: Wed, 1 Dec 2021 14:54:57 +0100 Subject: [PATCH 01/12] First fix --- deploy/crd/nificluster.crd.yaml | 3 +++ examples/simple-nificluster.yaml | 2 +- rust/crd/src/lib.rs | 13 ++++++------- rust/operator/src/config.rs | 4 ++-- 4 files changed, 12 insertions(+), 10 deletions(-) diff --git a/deploy/crd/nificluster.crd.yaml b/deploy/crd/nificluster.crd.yaml index 3c43914c..a8a93ae1 100644 --- a/deploy/crd/nificluster.crd.yaml +++ b/deploy/crd/nificluster.crd.yaml @@ -148,6 +148,7 @@ spec: version: enum: - 1.13.2 + - 1.15.0 type: string zookeeperReference: description: Contains all necessary information identify a Stackable managed ZooKeeper ensemble and build a connection string for it. The main purpose for this struct is for other operators that need to reference a ZooKeeper ensemble to use in their CRDs. This has the benefit of keeping references to Zookeeper ensembles consistent throughout the entire stack. @@ -225,11 +226,13 @@ spec: current: enum: - 1.13.2 + - 1.15.0 nullable: true type: string target: enum: - 1.13.2 + - 1.15.0 nullable: true type: string type: object diff --git a/examples/simple-nificluster.yaml b/examples/simple-nificluster.yaml index 9152a197..9e8f4e58 100644 --- a/examples/simple-nificluster.yaml +++ b/examples/simple-nificluster.yaml @@ -4,7 +4,7 @@ metadata: name: simple spec: metricsPort: 8428 - version: "1.13.2" + version: "1.15.0" zookeeperReference: name: simple namespace: default diff --git a/rust/crd/src/lib.rs b/rust/crd/src/lib.rs index 9c37a3ba..aa94481b 100644 --- a/rust/crd/src/lib.rs +++ b/rust/crd/src/lib.rs 
@@ -71,10 +71,9 @@ pub enum NifiVersion { // TODO: NiFi 1.14 does not work with this operator yet // Therefore we skip using it in the CRD for now. Should be uncommented as soon as #82 is fixed. - //#[serde(rename = "1.14.0")] - #[serde(skip)] - #[strum(serialize = "1.14.0")] - v1_14_0, + #[serde(rename = "1.15.0")] + #[strum(serialize = "1.15.0")] + v1_15_0, } impl Versioning for NifiVersion { @@ -214,11 +213,11 @@ mod tests { #[test] fn test_zookeeper_version_versioning() { assert_eq!( - NifiVersion::v1_13_2.versioning_state(&NifiVersion::v1_14_0), + NifiVersion::v1_13_2.versioning_state(&NifiVersion::v1_15_0), VersioningState::ValidUpgrade ); assert_eq!( - NifiVersion::v1_14_0.versioning_state(&NifiVersion::v1_13_2), + NifiVersion::v1_15_0.versioning_state(&NifiVersion::v1_13_2), VersioningState::ValidDowngrade ); assert_eq!( @@ -230,7 +229,7 @@ mod tests { #[test] fn test_version_conversion() { NifiVersion::from_str("1.13.2").unwrap(); - NifiVersion::from_str("1.14.0").unwrap(); + NifiVersion::from_str("1.15.0").unwrap(); NifiVersion::from_str("1.2.3").unwrap_err(); } } diff --git a/rust/operator/src/config.rs b/rust/operator/src/config.rs index 8354a38f..f3ea810d 100644 --- a/rust/operator/src/config.rs +++ b/rust/operator/src/config.rs @@ -434,11 +434,11 @@ pub fn build_nifi_properties( properties.insert("nifi.web.should.send.server.version", "true".to_string()); // security properties - properties.insert("nifi.sensitive.props.key", "".to_string()); + properties.insert("nifi.sensitive.props.key", "oMYWEWxj2LM5XoUOOxKLj67GRXSRhLqV".to_string()); properties.insert("nifi.sensitive.props.key.protected", "".to_string()); properties.insert( "nifi.sensitive.props.algorithm", - "PBEWITHMD5AND256BITAES-CBC-OPENSSL".to_string(), + "NIFI_PBKDF2_AES_GCM_256".to_string(), ); properties.insert("nifi.sensitive.props.provider", "BC".to_string()); properties.insert("nifi.sensitive.props.additional.keys", "".to_string()); 
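Review bot: The config.rs hunk turns `nifi.sensitive.props.key` into a fixed literal compiled into the operator, so every NifiCluster rendered by this build shares one sensitive-properties key that also lives in the repository history; a key for encrypting flow secrets needs to be per-cluster and sourced from a Secret, which patch 03 of this series introduces before patch 06 restores the empty value, so this hunk should not land on its own. Switching the algorithm to `NIFI_PBKDF2_AES_GCM_256` in the same hunk is the right default for 1.15, but as far as I can tell changing key and algorithm together makes any sensitive values already encrypted in an existing cluster's flow unreadable, and neither the commit message nor a comment mentions that migration concern. The body of `build_nifi_properties` extends beyond the hunk on both sides. In the lib.rs hunk the renamed variant keeps the stale "NiFi 1.14 does not work" comment above it; patch 02 deletes that comment, but here it is left describing a variant that no longer exists.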
From 3b3ad57876b208f3c4042a26486a43a0b4e1dcd4 Mon Sep 17 00:00:00 2001 From: Felix Hennig Date: Thu, 2 Dec 2021 15:43:30 +0100 Subject: [PATCH 02/12] Removed nifi 1.13.2 --- deploy/crd/nificluster.crd.yaml | 3 --- rust/crd/src/lib.rs | 17 +---------------- 2 files changed, 1 insertion(+), 19 deletions(-) diff --git a/deploy/crd/nificluster.crd.yaml b/deploy/crd/nificluster.crd.yaml index a8a93ae1..924edd5d 100644 --- a/deploy/crd/nificluster.crd.yaml +++ b/deploy/crd/nificluster.crd.yaml @@ -147,7 +147,6 @@ spec: type: object version: enum: - - 1.13.2 - 1.15.0 type: string zookeeperReference: @@ -225,13 +224,11 @@ spec: properties: current: enum: - - 1.13.2 - 1.15.0 nullable: true type: string target: enum: - - 1.13.2 - 1.15.0 nullable: true type: string diff --git a/rust/crd/src/lib.rs b/rust/crd/src/lib.rs index aa94481b..0258b588 100644 --- a/rust/crd/src/lib.rs +++ b/rust/crd/src/lib.rs @@ -65,12 +65,6 @@ impl Status for NifiCluster { strum_macros::EnumString, )] pub enum NifiVersion { - #[serde(rename = "1.13.2")] - #[strum(serialize = "1.13.2")] - v1_13_2, - - // TODO: NiFi 1.14 does not work with this operator yet - // Therefore we skip using it in the CRD for now. Should be uncommented as soon as #82 is fixed. #[serde(rename = "1.15.0")] #[strum(serialize = "1.15.0")] v1_15_0, @@ -213,22 +207,13 @@ mod tests { #[test] fn test_zookeeper_version_versioning() { assert_eq!( - NifiVersion::v1_13_2.versioning_state(&NifiVersion::v1_15_0), - VersioningState::ValidUpgrade - ); - assert_eq!( - NifiVersion::v1_15_0.versioning_state(&NifiVersion::v1_13_2), - VersioningState::ValidDowngrade - ); - assert_eq!( - NifiVersion::v1_13_2.versioning_state(&NifiVersion::v1_13_2), + NifiVersion::v1_15_0.versioning_state(&NifiVersion::v1_15_0), VersioningState::NoOp ); } #[test] fn test_version_conversion() { - NifiVersion::from_str("1.13.2").unwrap(); NifiVersion::from_str("1.15.0").unwrap(); NifiVersion::from_str("1.2.3").unwrap_err(); } 
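Review bot: Dropping `v1_13_2` from `NifiVersion` means a NifiCluster whose `spec.version` or `status.current`/`status.target` still reads "1.13.2" no longer deserializes (the CRD enum in the same patch rejects it too), so as far as I can tell the operator cannot reconcile or upgrade a cluster created with the previous release, and `versioning_state` can no longer express the 1.13.2 → 1.15.0 step the old test covered. If that is intended, the changelog entry should say that existing 1.13.2 clusters must be migrated manually; otherwise keep the variant until an upgrade path exists. Separately, `test_zookeeper_version_versioning` is a copy-paste name in the NiFi crate; `fn test_nifi_version_versioning()` would match what it tests. The `mod tests` block continues outside the hunk.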
From 4338753aba8d84a6b249ba13960852e00e3096f6 Mon Sep 17 00:00:00 2001 From: Felix Hennig Date: Thu, 2 Dec 2021 16:26:19 +0100 Subject: [PATCH 03/12] Added secret for sensitve property key; written to an env var --- deploy/crd/nificluster.crd.yaml | 8 +++++ examples/sensitive-property-key-secret.yaml | 7 +++++ examples/simple-nificluster.yaml | 2 ++ rust/crd/src/lib.rs | 7 +++++ rust/operator/src/lib.rs | 34 +++++++++++++++++++-- 5 files changed, 55 insertions(+), 3 deletions(-) create mode 100644 examples/sensitive-property-key-secret.yaml diff --git a/deploy/crd/nificluster.crd.yaml b/deploy/crd/nificluster.crd.yaml index 924edd5d..ba0b1099 100644 --- a/deploy/crd/nificluster.crd.yaml +++ b/deploy/crd/nificluster.crd.yaml @@ -52,6 +52,10 @@ spec: minimum: 0.0 nullable: true type: integer + sensitivePropertyKeySecret: + type: string + required: + - sensitivePropertyKeySecret type: object configOverrides: additionalProperties: @@ -91,6 +95,10 @@ spec: minimum: 0.0 nullable: true type: integer + sensitivePropertyKeySecret: + type: string + required: + - sensitivePropertyKeySecret type: object configOverrides: additionalProperties: diff --git a/examples/sensitive-property-key-secret.yaml b/examples/sensitive-property-key-secret.yaml new file mode 100644 index 00000000..0db203d8 --- /dev/null +++ b/examples/sensitive-property-key-secret.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Secret +metadata: + name: nifi-sensitive-property-key +stringData: + sensitivePropertyKey: mYsUp3rS3cr3tk3y + diff --git a/examples/simple-nificluster.yaml b/examples/simple-nificluster.yaml index 9e8f4e58..e58fa5f8 100644 --- a/examples/simple-nificluster.yaml +++ b/examples/simple-nificluster.yaml @@ -19,4 +19,6 @@ spec: httpPort: 10000 protocolPort: 10443 loadBalancePort: 6342 + sensitivePropertyKeySecret: nifi-sensitive-property-key + replicas: 2 diff --git a/rust/crd/src/lib.rs b/rust/crd/src/lib.rs index 0258b588..c13666d9 100644 --- a/rust/crd/src/lib.rs +++ b/rust/crd/src/lib.rs 
@@ -21,6 +21,8 @@ pub const NIFI_CLUSTER_NODE_PROTOCOL_PORT: &str = "nifi.cluster.node.protocol.po pub const NIFI_CLUSTER_LOAD_BALANCE_PORT: &str = "nifi.cluster.load.balance.port"; pub const NIFI_CLUSTER_METRICS_PORT: &str = "metricsPort"; +pub const NIFI_SENSITIVE_PROPERTY_KEY: &str = "NIFI_SENSITIVE_PROPERTY_KEY"; + #[derive(Clone, CustomResource, Debug, Deserialize, JsonSchema, Serialize)] #[kube( group = "nifi.stackable.tech", @@ -136,6 +138,7 @@ pub struct NifiConfig { pub http_port: Option, pub protocol_port: Option, pub load_balance_port: Option, + pub sensitive_property_key_secret: String, } impl Configuration for NifiConfig { @@ -153,6 +156,10 @@ impl Configuration for NifiConfig { Some(metrics_port.to_string()), ); } + result.insert( + NIFI_SENSITIVE_PROPERTY_KEY.to_string(), + Some(self.sensitive_property_key_secret.to_string()) + ); Ok(result) } diff --git a/rust/operator/src/lib.rs b/rust/operator/src/lib.rs index 8c7c9b9c..c771fb70 100644 --- a/rust/operator/src/lib.rs +++ b/rust/operator/src/lib.rs @@ -14,7 +14,7 @@ use async_trait::async_trait; use futures::Future; use stackable_nifi_crd::{ NifiCluster, NifiRole, NifiSpec, APP_NAME, MANAGED_BY, NIFI_CLUSTER_LOAD_BALANCE_PORT, - NIFI_CLUSTER_METRICS_PORT, NIFI_CLUSTER_NODE_PROTOCOL_PORT, NIFI_WEB_HTTP_PORT, + NIFI_CLUSTER_METRICS_PORT, NIFI_CLUSTER_NODE_PROTOCOL_PORT, NIFI_WEB_HTTP_PORT, NIFI_SENSITIVE_PROPERTY_KEY }; use stackable_operator::builder::{ContainerBuilder, ObjectMetaBuilder, PodBuilder, VolumeBuilder}; use stackable_operator::client::Client; 
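Review bot: The new `pub sensitive_property_key_secret: String` field carries no doc comment, so the CRD in deploy/crd/nificluster.crd.yaml (which appears to be generated from these structs, given the descriptions on neighbouring fields) exposes `sensitivePropertyKeySecret` with only `type: string` and nothing telling the user what to put there. Suggested doc comment: `/// Name of a Secret in the cluster's namespace whose key `sensitivePropertyKey` holds the NiFi sensitive properties key (nifi.sensitive.props.key).` (patch 04 renames the key to `nifiSensitivePropsKey`, so the comment should follow that rename). Note that the value inserted under `NIFI_SENSITIVE_PROPERTY_KEY` in the `Configuration` impl is the Secret's name, not the key material, while the same constant is used in operator lib.rs as the name of the environment variable that receives the key material; a short comment on the constant distinguishing the two uses would prevent the two from being confused later. `to_string()` on a `String` field is a clone; `.clone()` says so directly.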
@@ -23,7 +23,7 @@ use stackable_operator::error::OperatorResult; use stackable_operator::identity::{ LabeledPodIdentityFactory, NodeIdentity, PodIdentity, PodToNodeMapping, }; -use stackable_operator::k8s_openapi::api::core::v1::{ConfigMap, EnvVar, Pod}; +use stackable_operator::k8s_openapi::api::core::v1::{ConfigMap, EnvVar, EnvVarSource, Pod, SecretKeySelector}; use stackable_operator::kube::api::ListParams; use stackable_operator::kube::Api; use stackable_operator::kube::ResourceExt; @@ -442,6 +442,16 @@ impl NifiState { } } + let secret = validated_config + .get(&PropertyNameKind::Env) + .and_then(|m| m.get(NIFI_SENSITIVE_PROPERTY_KEY)); + + let env = secret.map(|s| { + vec![ + env_var_from_secret(NIFI_SENSITIVE_PROPERTY_KEY, s, "sensitivePropertyKey"), + ] + }); + let pod_name = name_utils::build_resource_name( pod_id.app(), pod_id.instance(), @@ -512,6 +522,9 @@ impl NifiState { container_builder.add_container_port(METRICS_PORT_NAME, port.parse()?); } + let mut container = container_builder.build(); + container.env = env; + let pod = pod_builder .metadata( ObjectMetaBuilder::new() @@ -522,7 +535,7 @@ impl NifiState { .ownerreference_from_resource(&self.context.resource, Some(true), Some(true))? .build()?, ) - .add_container(container_builder.build()) + .add_container(container) .node_name(node_id.name.as_str()) // TODO: first iteration we are using host network .host_network(true) @@ -702,6 +715,21 @@ impl NifiState { } } +fn env_var_from_secret(var_name: &str, secret: &str, secret_key: &str) -> EnvVar { + EnvVar { + name: String::from(var_name), + value_from: Some(EnvVarSource { + secret_key_ref: Some(SecretKeySelector { + name: Some(String::from(secret)), + key: String::from(secret_key), + ..Default::default() + }), + ..Default::default() + }), + ..Default::default() + } +} + impl ReconciliationState for NifiState { type Error = error::NifiError; From add555838b815f578d7d55a67c0eaa513ebdfc63 Mon Sep 17 00:00:00 2001 
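Review bot: `container.env = env` after `container_builder.build()` replaces the container's entire env list rather than extending it, so any variables the builder added (patch 04 shows `container_builder.add_env_vars(env_vars)` as context in this function) are dropped, and when `secret` is `None` the list is cleared to `None`; patch 11 of this series reworks this by pushing into `env_vars`, which is the right shape. `env_var_from_secret` should also get a doc comment, since a reader cannot tell from the call site which argument is the Secret name and which the data key: `/// EnvVar whose value is read at pod start from key `secret_key` of Secret `secret`; the Secret must exist in the pod's namespace (SecretKeySelector has no namespace field) and, because `optional` is left unset, a missing Secret keeps the pod from starting rather than starting NiFi without a key.` The function using `validated_config` starts before the first hunk and ends after the last one.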
From: Felix Hennig Date: Thu, 2 Dec 2021 17:44:45 +0100 Subject: [PATCH 04/12] Implemented sensitive property key as secret --- examples/sensitive-property-key-secret.yaml | 2 +- rust/crd/src/lib.rs | 4 ++-- rust/operator/src/lib.rs | 8 ++++---- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/examples/sensitive-property-key-secret.yaml b/examples/sensitive-property-key-secret.yaml index 0db203d8..469e08a1 100644 --- a/examples/sensitive-property-key-secret.yaml +++ b/examples/sensitive-property-key-secret.yaml @@ -3,5 +3,5 @@ kind: Secret metadata: name: nifi-sensitive-property-key stringData: - sensitivePropertyKey: mYsUp3rS3cr3tk3y + nifiSensitivePropsKey: mYsUp3rS3cr3tk3y diff --git a/rust/crd/src/lib.rs b/rust/crd/src/lib.rs index c13666d9..8125938d 100644 --- a/rust/crd/src/lib.rs +++ b/rust/crd/src/lib.rs @@ -21,7 +21,7 @@ pub const NIFI_CLUSTER_NODE_PROTOCOL_PORT: &str = "nifi.cluster.node.protocol.po pub const NIFI_CLUSTER_LOAD_BALANCE_PORT: &str = "nifi.cluster.load.balance.port"; pub const NIFI_CLUSTER_METRICS_PORT: &str = "metricsPort"; -pub const NIFI_SENSITIVE_PROPERTY_KEY: &str = "NIFI_SENSITIVE_PROPERTY_KEY"; +pub const NIFI_SENSITIVE_PROPS_KEY: &str = "NIFI_SENSITIVE_PROPS_KEY"; #[derive(Clone, CustomResource, Debug, Deserialize, JsonSchema, Serialize)] #[kube( @@ -157,7 +157,7 @@ impl Configuration for NifiConfig { ); } result.insert( - NIFI_SENSITIVE_PROPERTY_KEY.to_string(), + NIFI_SENSITIVE_PROPS_KEY.to_string(), Some(self.sensitive_property_key_secret.to_string()) ); Ok(result) diff --git a/rust/operator/src/lib.rs b/rust/operator/src/lib.rs index c771fb70..543c2d49 100644 --- a/rust/operator/src/lib.rs +++ b/rust/operator/src/lib.rs 
@@ -14,7 +14,7 @@ use async_trait::async_trait; use futures::Future; use stackable_nifi_crd::{ NifiCluster, NifiRole, NifiSpec, APP_NAME, MANAGED_BY, NIFI_CLUSTER_LOAD_BALANCE_PORT, - NIFI_CLUSTER_METRICS_PORT, NIFI_CLUSTER_NODE_PROTOCOL_PORT, NIFI_WEB_HTTP_PORT, NIFI_SENSITIVE_PROPERTY_KEY + NIFI_CLUSTER_METRICS_PORT, NIFI_CLUSTER_NODE_PROTOCOL_PORT, NIFI_WEB_HTTP_PORT, NIFI_SENSITIVE_PROPS_KEY }; use stackable_operator::builder::{ContainerBuilder, ObjectMetaBuilder, PodBuilder, VolumeBuilder}; use stackable_operator::client::Client; @@ -444,11 +444,11 @@ impl NifiState { let secret = validated_config .get(&PropertyNameKind::Env) - .and_then(|m| m.get(NIFI_SENSITIVE_PROPERTY_KEY)); + .and_then(|m| m.get(NIFI_SENSITIVE_PROPS_KEY)); let env = secret.map(|s| { vec![ - env_var_from_secret(NIFI_SENSITIVE_PROPERTY_KEY, s, "sensitivePropertyKey"), + env_var_from_secret(NIFI_SENSITIVE_PROPS_KEY, s, "nifiSensitivePropsKey"), ] }); @@ -479,7 +479,7 @@ impl NifiState { // we use the copy_assets.sh script here to copy everything from the "STACKABLE_TMP_CONFIG" // folder to the "conf" folder in the nifi package. container_builder.args(vec![format!( - "/stackable/bin/copy_assets {}; {} {}", + "/stackable/bin/copy_assets {}; /stackable/bin/update_config; {} {}", STACKABLE_TMP_CONFIG, "bin/nifi.sh", "run" )]); container_builder.add_env_vars(env_vars); From 15fa32638aabc1794d73a7a08e7bbeb56211bcac Mon Sep 17 00:00:00 2001 From: Felix Hennig Date: Thu, 2 Dec 2021 17:47:52 +0100 Subject: [PATCH 05/12] cargo clippy and fmt --- rust/crd/src/lib.rs | 2 +- rust/operator/src/config.rs | 5 ++++- rust/operator/src/lib.rs | 15 ++++++++++----- 3 files changed, 15 insertions(+), 7 deletions(-) diff --git a/rust/crd/src/lib.rs b/rust/crd/src/lib.rs index 8125938d..6c8bad24 100644 --- a/rust/crd/src/lib.rs +++ b/rust/crd/src/lib.rs 
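Review bot: The container command joins `copy_assets`, the new `update_config` step and `bin/nifi.sh run` with `;`, so if `update_config` fails to write the key from `NIFI_SENSITIVE_PROPS_KEY` (missing variable, unwritable conf directory), NiFi is still launched with the empty `nifi.sensitive.props.key` that `build_nifi_properties` renders. Chaining with `&&` fails closed instead: `"/stackable/bin/copy_assets {} && /stackable/bin/update_config && {} {}"`. The contract of `/stackable/bin/update_config` (which env var it reads, which file it patches) lives in the image, not in this repository; a one-line comment above the `args` call stating that contract would keep the two in sync. The enclosing method continues outside the hunk.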
@@ -158,7 +158,7 @@ impl Configuration for NifiConfig { } result.insert( NIFI_SENSITIVE_PROPS_KEY.to_string(), - Some(self.sensitive_property_key_secret.to_string()) + Some(self.sensitive_property_key_secret.to_string()), ); Ok(result) } diff --git a/rust/operator/src/config.rs b/rust/operator/src/config.rs index f3ea810d..729e373f 100644 --- a/rust/operator/src/config.rs +++ b/rust/operator/src/config.rs @@ -434,7 +434,10 @@ pub fn build_nifi_properties( properties.insert("nifi.web.should.send.server.version", "true".to_string()); // security properties - properties.insert("nifi.sensitive.props.key", "oMYWEWxj2LM5XoUOOxKLj67GRXSRhLqV".to_string()); + properties.insert( + "nifi.sensitive.props.key", + "oMYWEWxj2LM5XoUOOxKLj67GRXSRhLqV".to_string(), + ); properties.insert("nifi.sensitive.props.key.protected", "".to_string()); properties.insert( "nifi.sensitive.props.algorithm", diff --git a/rust/operator/src/lib.rs b/rust/operator/src/lib.rs index 543c2d49..46dda878 100644 --- a/rust/operator/src/lib.rs +++ b/rust/operator/src/lib.rs @@ -14,7 +14,8 @@ use async_trait::async_trait; use futures::Future; use stackable_nifi_crd::{ NifiCluster, NifiRole, NifiSpec, APP_NAME, MANAGED_BY, NIFI_CLUSTER_LOAD_BALANCE_PORT, - NIFI_CLUSTER_METRICS_PORT, NIFI_CLUSTER_NODE_PROTOCOL_PORT, NIFI_WEB_HTTP_PORT, NIFI_SENSITIVE_PROPS_KEY + NIFI_CLUSTER_METRICS_PORT, NIFI_CLUSTER_NODE_PROTOCOL_PORT, NIFI_SENSITIVE_PROPS_KEY, + NIFI_WEB_HTTP_PORT, }; use stackable_operator::builder::{ContainerBuilder, ObjectMetaBuilder, PodBuilder, VolumeBuilder}; use stackable_operator::client::Client; 
@@ -23,7 +24,9 @@ use stackable_operator::error::OperatorResult; use stackable_operator::identity::{ LabeledPodIdentityFactory, NodeIdentity, PodIdentity, PodToNodeMapping, }; -use stackable_operator::k8s_openapi::api::core::v1::{ConfigMap, EnvVar, EnvVarSource, Pod, SecretKeySelector}; +use stackable_operator::k8s_openapi::api::core::v1::{ + ConfigMap, EnvVar, EnvVarSource, Pod, SecretKeySelector, +}; use stackable_operator::kube::api::ListParams; use stackable_operator::kube::Api; use stackable_operator::kube::ResourceExt; @@ -447,9 +450,11 @@ impl NifiState { .and_then(|m| m.get(NIFI_SENSITIVE_PROPS_KEY)); let env = secret.map(|s| { - vec![ - env_var_from_secret(NIFI_SENSITIVE_PROPS_KEY, s, "nifiSensitivePropsKey"), - ] + vec![env_var_from_secret( + NIFI_SENSITIVE_PROPS_KEY, + s, + "nifiSensitivePropsKey", + )] }); let pod_name = name_utils::build_resource_name( From 760b65b7c71d0eae245c612ccbcb01e5d58f74ae Mon Sep 17 00:00:00 2001 From: Felix Hennig Date: Thu, 2 Dec 2021 17:49:05 +0100 Subject: [PATCH 06/12] Removed hardcoded key again, the value is required for now --- rust/operator/src/config.rs | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/rust/operator/src/config.rs b/rust/operator/src/config.rs index 729e373f..88c06295 100644 --- a/rust/operator/src/config.rs +++ b/rust/operator/src/config.rs @@ -434,10 +434,7 @@ pub fn build_nifi_properties( properties.insert("nifi.web.should.send.server.version", "true".to_string()); // security properties - properties.insert( - "nifi.sensitive.props.key", - "oMYWEWxj2LM5XoUOOxKLj67GRXSRhLqV".to_string(), - ); + properties.insert("nifi.sensitive.props.key", "".to_string()); properties.insert("nifi.sensitive.props.key.protected", "".to_string()); properties.insert( "nifi.sensitive.props.algorithm", From b5b104b7c042892e6e33107a92f13e19c9c35e74 Mon Sep 17 00:00:00 2001 
From: Felix Hennig Date: Fri, 3 Dec 2021 12:11:10 +0100 Subject: [PATCH 07/12] Updated more config options --- examples/simple-nificluster.yaml | 2 +- rust/operator/src/config.rs | 96 ++++++++++++++++++++------------ 2 files changed, 61 insertions(+), 37 deletions(-) diff --git a/examples/simple-nificluster.yaml b/examples/simple-nificluster.yaml index e58fa5f8..cb8d3bfb 100644 --- a/examples/simple-nificluster.yaml +++ b/examples/simple-nificluster.yaml @@ -20,5 +20,5 @@ spec: protocolPort: 10443 loadBalancePort: 6342 sensitivePropertyKeySecret: nifi-sensitive-property-key - replicas: 2 + replicas: 2 diff --git a/rust/operator/src/config.rs b/rust/operator/src/config.rs index 88c06295..59de009b 100644 --- a/rust/operator/src/config.rs +++ b/rust/operator/src/config.rs @@ -25,6 +25,8 @@ pub fn build_bootstrap_conf() -> String { bootstrap.insert("java", "java".to_string()); // Username to use when running NiFi. This value will be ignored on Windows. bootstrap.insert("run.as", "".to_string()); + // Preserve shell environment while runnning as "run.as" user + bootstrap.insert("preserve.environment", "false".to_string()); // Configure where NiFi's lib and conf directories live bootstrap.insert("lib.dir", "./lib".to_string()); bootstrap.insert("conf.dir", "./conf".to_string()); @@ -40,6 +42,9 @@ pub fn build_bootstrap_conf() -> String { bootstrap.insert("java.arg.2", "-Xms1024m".to_string()); bootstrap.insert("java.arg.3", "-Xmx1024m".to_string()); + // Enable Remote Debugging + // bootstrap.insert("java.arg.debug", "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=8000".to_string()); + bootstrap.insert("java.arg.4", "-Djava.net.preferIPv4Stack=true".to_string()); // allowRestrictedHeaders is required for Cluster/Node communications to work properly 
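Review bot: The second config.rs hunk adds a commented-out JDWP `java.arg.debug` line to `build_bootstrap_conf`, which is dead code in the generator that produces production bootstrap.conf and an easy thing to uncomment by accident; patch 11 of this series removes it again, so the series nets out fine, but the line should not be introduced at all. In the first hunk the new comment reads "runnning" and would be clearer as `// Preserve the shell environment when switching to the "run.as" user`. `build_bootstrap_conf` continues outside both hunks.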
@@ -55,7 +60,7 @@ pub fn build_bootstrap_conf() -> String { // The G1GC is known to cause some problems in Java 8 and earlier, but the issues were addressed in Java 9. If using Java 8 or earlier, // it is recommended that G1GC not be used, especially in conjunction with the Write Ahead Provenance Repository. However, if using a newer // version of Java, it can result in better performance without significant \"stop-the-world\" delays. - //bootstrap.insert("java.arg.13", "-XX:+UseG1GC".to_string()); + //bootstrap.insert("java.arg.13", "-XX:+UseG1GC".to_string()) // Set headless mode by default bootstrap.insert("java.arg.14", "-Djava.awt.headless=true".to_string()); @@ -213,6 +218,13 @@ pub fn build_nifi_properties( ";LOCK_TIMEOUT=25000;WRITE_DELAY=0;AUTO_SERVER=FALSE".to_string(), ); + // Repository Encryption properties override individual repository implementation properties + properties.insert("nifi.repository.encryption.protocol.version","".to_string()); + properties.insert("nifi.repository.encryption.key.id","".to_string()); + properties.insert("nifi.repository.encryption.key.provider","".to_string()); + properties.insert("nifi.repository.encryption.key.provider.keystore.location","".to_string()); + properties.insert("nifi.repository.encryption.key.provider.keystore.password","".to_string()); + // FlowFile Repository properties.insert( "nifi.flowfile.repository.implementation", 
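Review bot: The new `nifi.repository.encryption.key.provider.keystore.password` entry is rendered into nifi.properties alongside the other defaults, so whoever enables repository encryption later is invited to put the keystore password into the generated config rather than sourcing it the way `nifi.sensitive.props.key` is now handled; a comment on that line, e.g. `// if repository encryption is enabled, the keystore password must be injected from a Secret, not set here`, would steer that. The five new `insert` calls omit the space after the comma that rustfmt emits elsewhere in this function (patch 08 "docs & formatting" may cover it). The first hunk drops the trailing `;` from the commented-out G1GC line, which is cosmetic and reverted in patch 10. `build_nifi_properties` continues outside the hunk.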
@@ -231,16 +243,6 @@ pub fn build_nifi_properties( "20 secs".to_string(), ); properties.insert("nifi.flowfile.repository.always.sync", "false".to_string()); - properties.insert( - "nifi.flowfile.repository.encryption.key.provider.implementation", - "".to_string(), - ); - properties.insert( - "nifi.flowfile.repository.encryption.key.provider.location", - "".to_string(), - ); - properties.insert("nifi.flowfile.repository.encryption.key.id", "".to_string()); - properties.insert("nifi.flowfile.repository.encryption.key", "".to_string()); properties.insert( "nifi.flowfile.repository.retain.orphaned.flowfiles", "true".to_string(), @@ -279,35 +281,12 @@ pub fn build_nifi_properties( "nifi.content.viewer.url", "../nifi-content-viewer/".to_string(), ); - properties.insert( - "nifi.content.repository.encryption.key.provider.implementation", - "".to_string(), - ); - properties.insert( - "nifi.content.repository.encryption.key.provider.location", - "".to_string(), - ); - properties.insert("nifi.content.repository.encryption.key.id", "".to_string()); - properties.insert("nifi.content.repository.encryption.key", "".to_string()); // Provenance Repository Properties properties.insert( "nifi.provenance.repository.implementation", "org.apache.nifi.provenance.WriteAheadProvenanceRepository".to_string(), ); - properties.insert( - "nifi.provenance.repository.encryption.key.provider.implementation", - "".to_string(), - ); - properties.insert( - "nifi.provenance.repository.encryption.key.provider.location", - "".to_string(), - ); - properties.insert( - "nifi.provenance.repository.encryption.key.id", - "".to_string(), - ); - properties.insert("nifi.provenance.repository.encryption.key", "".to_string()); // Persistent Provenance Repository Properties properties.insert( 
@@ -388,6 +367,20 @@ pub fn build_nifi_properties( "1 min".to_string(), ); + // QuestDB Status History Repository Properties + properties.insert( + "nifi.status.repository.questdb.persist.node.days", + "14".to_string(), + ); + properties.insert( + "nifi.status.repository.questdb.persist.component.days", + "3".to_string(), + ); + properties.insert( + "nifi.status.repository.questdb.persist.location", + "./status_repository".to_string(), + ); + // Site to Site properties properties.insert("nifi.remote.input.host", node_name.to_string()); properties.insert("nifi.remote.input.secure", "false".to_string()); 
@@ -431,18 +424,26 @@ pub fn build_nifi_properties( properties.insert("nifi.web.proxy.host", "".to_string()); properties.insert("nifi.web.max.content.size", "".to_string()); properties.insert("nifi.web.max.requests.per.second", "30000".to_string()); + properties.insert("nifi.web.max.access.token.requests.per.second", "25".to_string()); + properties.insert("nifi.web.request.timeout", "60 secs".to_string()); + properties.insert("nifi.web.request.ip.whitelist", "".to_string()); properties.insert("nifi.web.should.send.server.version", "true".to_string()); + // Include or Exclude TLS Cipher Suites for HTTPS + properties.insert("nifi.web.https.ciphersuites.include", "".to_string()); + properties.insert("nifi.web.https.ciphersuites.exclude", "".to_string()); + // security properties - properties.insert("nifi.sensitive.props.key", "".to_string()); + properties.insert("nifi.sensitive.props.key", "".to_string()); // this property is later set from a secret properties.insert("nifi.sensitive.props.key.protected", "".to_string()); properties.insert( "nifi.sensitive.props.algorithm", "NIFI_PBKDF2_AES_GCM_256".to_string(), ); - properties.insert("nifi.sensitive.props.provider", "BC".to_string()); properties.insert("nifi.sensitive.props.additional.keys", "".to_string()); + properties.insert("nifi.security.autoreload.enabled", "false".to_string()); + properties.insert("nifi.security.autoreload.interval", "10 secs".to_string()); properties.insert("nifi.security.keystore", "".to_string()); properties.insert("nifi.security.keystoreType", "".to_string()); properties.insert("nifi.security.keystorePasswd", "".to_string()); 
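Review bot: The trailing comment on `nifi.sensitive.props.key` says the value is "later set from a secret" but not by what, which is the one fact a reader of this file needs to understand why an empty key is acceptable here; suggested wording: `// intentionally empty: /stackable/bin/update_config replaces it at container start from the NIFI_SENSITIVE_PROPS_KEY env var, which is sourced from the cluster's Secret`. Removing `nifi.sensitive.props.provider` is consistent with the PBKDF2/GCM algorithm chosen above. The newly added `nifi.web.request.ip.whitelist` and the two `ciphersuites` properties are emitted empty, i.e. "no restriction"; a short comment saying so is worthwhile since these are security-relevant defaults. `build_nifi_properties` continues outside the hunk.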
@@ -459,6 +460,7 @@ pub fn build_nifi_properties( "false".to_string(), ); properties.insert("nifi.security.user.login.identity.provider", "".to_string()); + properties.insert("nifi.security.user.jws.key.rotation.period", "PT1H".to_string()); properties.insert("nifi.security.ocsp.responder.url", "".to_string()); properties.insert("nifi.security.ocsp.responder.certificate", "".to_string()); @@ -646,6 +648,7 @@ pub fn build_nifi_properties( properties.insert("nifi.zookeeper.security.truststore", "".to_string()); properties.insert("nifi.zookeeper.security.truststoreType", "".to_string()); properties.insert("nifi.zookeeper.security.truststorePasswd", "".to_string()); + properties.insert("nifi.zookeeper.jute.maxbuffer", "".to_string()); // Zookeeper properties for the authentication scheme used when creating acls on znodes used for cluster management // Values supported for nifi.zookeeper.auth.type are "default", which will apply world/anyone rights on znodes 
@@ -699,6 +702,27 @@ pub fn build_nifi_properties( ".90".to_string(), ); + // runtime monitoring properties + properties.insert("nifi.monitor.long.running.task.schedule", "".to_string()); + properties.insert("nifi.monitor.long.running.task.threshold", "".to_string()); + + // Create automatic diagnostics when stopping/restarting NiFi. + + // Enable automatic diagnostic at shutdown. + properties.insert("nifi.diagnostics.on.shutdown.enabled", "false".to_string()); + + // Include verbose diagnostic information. + properties.insert("nifi.diagnostics.on.shutdown.verbose", "false".to_string()); + + // The location of the diagnostics folder. + properties.insert("nifi.diagnostics.on.shutdown.directory", "./diagnostics".to_string()); + + // The maximum number of files permitted in the directory. If the limit is exceeded, the oldest files are deleted. + properties.insert("nifi.diagnostics.on.shutdown.max.filecount", "10".to_string()); + + // The diagnostics folder's maximum permitted size in bytes. If the limit is exceeded, the oldest files are deleted. + properties.insert("nifi.diagnostics.on.shutdown.max.directory.size", "10 MB".to_string()); + format_properties(properties) } From b57434361cc9abcea9e109880a1a18e84a34c75c Mon Sep 17 00:00:00 2001 From: Felix Hennig Date: Fri, 3 Dec 2021 12:19:22 +0100 Subject: [PATCH 08/12] docs & formatting --- docs/modules/ROOT/pages/usage.adoc | 14 +++++++-- rust/operator/src/config.rs | 46 +++++++++++++++++++++++------- 2 files changed, 47 insertions(+), 13 deletions(-) diff --git a/docs/modules/ROOT/pages/usage.adoc b/docs/modules/ROOT/pages/usage.adoc index c42f7dff..8d569b72 100644 --- a/docs/modules/ROOT/pages/usage.adoc +++ b/docs/modules/ROOT/pages/usage.adoc 
@@ -4,7 +4,7 @@ After installation, the CRD for this operator must be created: kubectl apply -f /etc/stackable/nifi-operator/crd/nificluster.crd.yaml -To create a single node Apache NiFi (v1.13.2) cluster with Prometheus metrics exposed on port 8428 and the WebUi on port 10000. As of now only one instance per node is supported: +To create a single node Apache NiFi (v1.15.0) cluster with Prometheus metrics exposed on port 8428 and the WebUi on port 10000. As of now only one instance per node is supported: cat < Date: Fri, 3 Dec 2021 12:25:34 +0100 Subject: [PATCH 09/12] Updated Changelog --- CHANGELOG.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3b093fd5..35018cf3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,8 +4,14 @@ All notable changes to this project will be documented in this file. ## [Unreleased] +### Added +- Support for 1.15.0 +- Sensitive property key is setable via a secret + ### Changed +- Removed support for 1.13.2 +- Added/removed some default config settings that changed from 1.13 to 1.15 - `operator-rs` `0.3.0` → `0.4.0` ([#101]). - `stackable-zookeeper-crd`: `0.4.1` → `0.5.0` ([#101]). - Adapted pod image and container command to docker image ([#101]). From 0713b3eff1fb3eda115c0f86b0a39bda90b57e11 Mon Sep 17 00:00:00 2001 From: Felix Hennig Date: Fri, 3 Dec 2021 14:14:56 +0100 Subject: [PATCH 10/12] Minor fixes --- CHANGELOG.md | 8 ++++---- rust/operator/src/config.rs | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 35018cf3..9b06a0f9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -5,13 +5,13 @@ All notable changes to this project will be documented in this file. ## [Unreleased] ### Added -- Support for 1.15.0 -- Sensitive property key is setable via a secret +- Support for 1.15.0 ([#125]) +- Sensitive property key is setable via a secret ([#125]) ### Changed -- Removed support for 1.13.2 -- Added/removed some default config settings that changed from 1.13 to 1.15 +- Removed support for 1.13.2 ([#125]) +- Added/removed some default config settings that changed from 1.13 to 1.15 ([#125]) - `operator-rs` `0.3.0` → `0.4.0` ([#101]). - `stackable-zookeeper-crd`: `0.4.1` → `0.5.0` ([#101]). - Adapted pod image and container command to docker image ([#101]). diff --git a/rust/operator/src/config.rs b/rust/operator/src/config.rs index cfaebb87..cef5198b 100644 --- a/rust/operator/src/config.rs +++ b/rust/operator/src/config.rs @@ -60,7 +60,7 @@ pub fn build_bootstrap_conf() -> String { // The G1GC is known to cause some problems in Java 8 and earlier, but the issues were addressed in Java 9. If using Java 8 or earlier, // it is recommended that G1GC not be used, especially in conjunction with the Write Ahead Provenance Repository. However, if using a newer // version of Java, it can result in better performance without significant \"stop-the-world\" delays. - //bootstrap.insert("java.arg.13", "-XX:+UseG1GC".to_string()) + //bootstrap.insert("java.arg.13", "-XX:+UseG1GC".to_string()); // Set headless mode by default bootstrap.insert("java.arg.14", "-Djava.awt.headless=true".to_string()); From f2ad99b12f4b2bd31de78979ea303cdfcb77f6d9 Mon Sep 17 00:00:00 2001 From: Felix Hennig Date: Fri, 3 Dec 2021 14:51:26 +0100 Subject: [PATCH 11/12] fixed env var handling --- rust/operator/src/config.rs | 3 --- rust/operator/src/lib.rs | 13 +++++-------- 2 files changed, 5 insertions(+), 11 deletions(-) diff --git a/rust/operator/src/config.rs b/rust/operator/src/config.rs index cef5198b..9bc78274 100644 --- a/rust/operator/src/config.rs 
+++ b/rust/operator/src/config.rs @@ -42,9 +42,6 @@ pub fn build_bootstrap_conf() -> String { bootstrap.insert("java.arg.2", "-Xms1024m".to_string()); bootstrap.insert("java.arg.3", "-Xmx1024m".to_string()); - // Enable Remote Debugging - // bootstrap.insert("java.arg.debug", "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=8000".to_string()); - bootstrap.insert("java.arg.4", "-Djava.net.preferIPv4Stack=true".to_string()); // allowRestrictedHeaders is required for Cluster/Node communications to work properly diff --git a/rust/operator/src/lib.rs b/rust/operator/src/lib.rs index 46dda878..4febe813 100644 --- a/rust/operator/src/lib.rs +++ b/rust/operator/src/lib.rs @@ -449,13 +449,13 @@ impl NifiState { .get(&PropertyNameKind::Env) .and_then(|m| m.get(NIFI_SENSITIVE_PROPS_KEY)); - let env = secret.map(|s| { - vec![env_var_from_secret( + if let Some(s) = secret { + env_vars.push(env_var_from_secret( NIFI_SENSITIVE_PROPS_KEY, s, "nifiSensitivePropsKey", - )] - }); + )); + } let pod_name = name_utils::build_resource_name( pod_id.app(), @@ -527,9 +527,6 @@ impl NifiState { container_builder.add_container_port(METRICS_PORT_NAME, port.parse()?); } - let mut container = container_builder.build(); - container.env = env; - let pod = pod_builder .metadata( ObjectMetaBuilder::new() @@ -540,7 +537,7 @@ impl NifiState { .ownerreference_from_resource(&self.context.resource, Some(true), Some(true))? .build()?, ) - .add_container(container) + .add_container(container_builder.build()) .node_name(node_id.name.as_str()) // TODO: first iteration we are using host network .host_network(true) From 3d1dd5b16ed6cac83330f4b65651c3057d3f7b99 Mon Sep 17 00:00:00 2001 From: Felix Hennig Date: Fri, 3 Dec 2021 14:55:53 +0100 Subject: [PATCH 12/12] Added ref in changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9b06a0f9..488e2799 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
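Review bot: In the lib.rs hunk the Env-kind entry `NIFI_SENSITIVE_PROPS_KEY` holds the Secret's name (that is what the crd `Configuration` impl inserts), so if `env_vars` is populated from the same `PropertyNameKind::Env` map earlier in this method (not visible here), the container ends up with two `EnvVar`s named `NIFI_SENSITIVE_PROPS_KEY` — one whose plain `value` is the Secret name, one with `value_from` — and which the kubelet applies is an implementation detail; dropping the plain entry first, `env_vars.retain(|e| e.name != NIFI_SENSITIVE_PROPS_KEY);`, makes the outcome deterministic. The `if let Some(s) = secret` silently starts NiFi without the key when the entry is absent, even though the CRD field is required; returning an error for that case would surface a broken config instead of a pod that fails later in `update_config`. The enclosing method starts before the first lib.rs hunk and ends after the last.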
@@ -18,6 +18,7 @@ All notable changes to this project will be documented in this file. - Adapted documentation to represent new workflow with docker images ([#101]). [#101]: https://github.com/stackabletech/nifi-operator/pull/101 +[#125]: https://github.com/stackabletech/nifi-operator/pull/125 ## [0.3.0] - 2021-10-27