in packages/constructs/L3/dataops/dataops-nifi-l3-construct/lib/dataops-nifi-l3-construct.ts [433:595]
private addRegistry(addRegistryProps: AddRegistryProps) {
const allIngressSgIds = [
...Object.entries(addRegistryProps.nifiClusters).map(x => x[1].securityGroup.securityGroupId),
...(this.props.nifi.securityGroupIngressSGs || []),
];
const registryHttpsPort = addRegistryProps.registryProps.httpsPort ?? 8443;
const ingressRules: MdaaSecurityGroupRuleProps = {
sg: allIngressSgIds
.map(sgId => {
return [
{
sgId: sgId,
protocol: Protocol.TCP,
port: registryHttpsPort,
},
];
})
.flat(),
ipv4: this.props.nifi.securityGroupIngressIPv4s
?.map(ipv4 => {
return [
{
cidr: ipv4,
protocol: Protocol.TCP,
port: registryHttpsPort,
},
];
})
.flat(),
};
const registrySecurityGroupProps: MdaaSecurityGroupProps = {
securityGroupName: 'registry',
vpc: addRegistryProps.vpc,
addSelfReferenceRule: true,
naming: this.props.naming,
allowAllOutbound: true,
ingressRules: ingressRules,
};
const registrySecurityGroup = new MdaaSecurityGroup(this, 'registry-sg', registrySecurityGroupProps);
const registryKeystorePasswordSecret = NifiCluster.createSecret(
this,
'registry-keystore-password-secret',
this.props.naming,
'registry-keystore-password',
this.projectKmsKey,
);
const registryAdminCredentialsSecret = NifiCluster.createSecret(
this,
'registry-admin-creds-secret',
this.props.naming,
'registry-admin-creds-secret',
addRegistryProps.kmsKey,
);
const kmsKeyStatement = new PolicyStatement({
sid: 'KmsDecrypt',
effect: Effect.ALLOW,
actions: ['kms:Decrypt'],
resources: [this.projectKmsKey.keyArn],
});
const secretsManagerStatement = new PolicyStatement({
sid: 'GetSecretValue',
effect: Effect.ALLOW,
actions: ['SecretsManager:GetSecretValue'],
resources: [registryKeystorePasswordSecret.secretArn, registryAdminCredentialsSecret.secretArn],
});
const externalSecretsServiceRole = NifiCluster.createServiceRole(
this,
'registry-external-secrets',
this.props.naming.resourceName('registry-external-secrets-service-role', 64),
NifiL3Construct.REGISTRY_NAMESPACE,
addRegistryProps.eksCluster,
[kmsKeyStatement, secretsManagerStatement],
);
const additionalEfsIngressSecurityGroups = this.props.nifi.additionalEfsIngressSecurityGroupIds?.map(id => {
return SecurityGroup.fromSecurityGroupId(this, `registry-efs-ingress-sg-${id}`, id);
});
const efsSecurityGroup = NifiCluster.createEfsSecurityGroup(
'registry',
this,
this.props.naming,
addRegistryProps.vpc,
[registrySecurityGroup, ...(additionalEfsIngressSecurityGroups || [])],
);
const registryEfsPvs = NifiCluster.createEfsPvs({
scope: this,
naming: this.props.naming,
name: 'registry',
nodeCount: 1,
vpc: addRegistryProps.vpc,
subnets: addRegistryProps.subnets,
kmsKey: addRegistryProps.kmsKey,
efsSecurityGroup: efsSecurityGroup,
})[0];
const efsManagedPolicy = NifiCluster.createEfsAccessPolicy(
'registry',
this,
this.props.naming,
this.projectKmsKey,
[registryEfsPvs],
);
addRegistryProps.fargateProfile.podExecutionRole.addManagedPolicy(efsManagedPolicy);
const registryNamespaceManifest = addRegistryProps.eksCluster.addNamespace(
new cdk8s.App(),
'registry-ns',
NifiL3Construct.REGISTRY_NAMESPACE,
registrySecurityGroup,
);
const clusterServiceRole = NifiCluster.createServiceRole(
this,
'registry-service-role',
this.props.naming.resourceName('registry-service-role', 64),
NifiL3Construct.REGISTRY_NAMESPACE,
addRegistryProps.eksCluster,
);
const registryChartProps: NifiRegistryChartProps = {
namespace: NifiL3Construct.REGISTRY_NAMESPACE,
awsRegion: this.region,
adminCredsSecretName: registryAdminCredentialsSecret.secretName,
keystorePasswordSecretName: registryKeystorePasswordSecret.secretName,
externalSecretsRoleArn: externalSecretsServiceRole.roleArn,
efsPersistentVolume: { efsFsId: registryEfsPvs[0].fileSystemId, efsApId: registryEfsPvs[1].accessPointId },
efsStorageClassName: addRegistryProps.eksCluster.efsStorageClassName,
caIssuerName: addRegistryProps.caIssuerCdk8sChart.caIssuerName,
hostname: addRegistryProps.registryHostname,
hostedZoneName: addRegistryProps.hostedZone.zoneName,
httpsPort: registryHttpsPort,
nifiRegistryServiceRoleArn: clusterServiceRole.roleArn,
nifiRegistryServiceRoleName: clusterServiceRole.roleName,
nifiRegistryCertDuration: this.props.nifi.nodeCertDuration ?? '24h0m0s',
nifiRegistryCertRenewBefore: this.props.nifi.nodeCertRenewBefore ?? '1h0m0s',
certKeyAlg: this.props.nifi.certKeyAlg ?? 'ECDSA',
certKeySize: this.props.nifi.certKeySize ?? 384,
nifiClusters: addRegistryProps.nifiClusters,
nifiManagerImageUri: addRegistryProps.nifiManagerImageUri,
adminIdentities: addRegistryProps.registryProps.adminIdentities,
buckets: addRegistryProps.registryProps.buckets,
};
const registryChart = new NifiRegistryChart(new cdk8s.App(), 'registry-chart', registryChartProps);
const registryManifest = addRegistryProps.eksCluster.addCdk8sChart('registry', registryChart);
registryManifest.node.addDependency(registryNamespaceManifest);
const restartRegistryCmdProps: KubernetesCmdProps = {
cluster: addRegistryProps.eksCluster,
namespace: NifiL3Construct.REGISTRY_NAMESPACE,
cmd: ['delete', 'pod', '-l', 'app=nifi-registry'],
executionKey: registryChart.hash(),
};
const restartRegistryCmd = new KubernetesCmd(this, 'restart-registry-cmd', restartRegistryCmdProps);
restartRegistryCmd.node.addDependency(registryManifest);
addRegistryProps.dependencies.forEach(dependency => registryManifest.node.addDependency(dependency));
}