in packages/constructs/L3/dataops/dataops-nifi-l3-construct/lib/cdk8s/nifi-registry-chart.ts [236:574]
private createNifiRegistryDeployment(
nifiRegistryService: k8s.KubeService,
nifiRegistrySecretName: string,
): k8s.KubeStatefulSet {
// nosemgrep
const nifiRegistryInitScriptsConfigMapData = Object.fromEntries(
fs.readdirSync(`${__dirname}/../../scripts/nifi/`).map(fileName => {
// nosemgrep
return [fileName, fs.readFileSync(`${__dirname}/../../scripts/nifi/${fileName}`, 'utf-8')];
}),
);
const nifiRegistryInitConfigMap = new k8s.KubeConfigMap(this, 'nifi-registry-init-configmap', {
metadata: {
name: 'nifi-registry-init-scripts',
},
data: nifiRegistryInitScriptsConfigMapData,
});
const persistentVolumeClaim = new k8s.KubePersistentVolumeClaim(this, `nifi-registry-persistent-volume-claim`, {
metadata: {
name: 'nifi-registry-data-pvc',
},
spec: {
storageClassName: this.props.efsStorageClassName,
accessModes: ['ReadWriteOnce'],
resources: {
requests: {
storage: k8s.Quantity.fromString('3Gi'),
},
},
},
});
const persistentVolume = new k8s.KubePersistentVolume(this, `nifi-registry-persistent-volume`, {
metadata: {
name: `nifi-registry-vol-${this.props.efsPersistentVolume.efsFsId}-${this.props.efsPersistentVolume.efsApId}`,
labels: {
app: 'nifi-registry',
},
},
spec: {
volumeMode: 'Filesystem',
capacity: {
storage: k8s.Quantity.fromString('60Gi'),
},
accessModes: ['ReadWriteOnce'],
persistentVolumeReclaimPolicy: 'Retain',
storageClassName: this.props.efsStorageClassName,
csi: {
driver: 'efs.csi.aws.com',
volumeHandle: `${this.props.efsPersistentVolume.efsFsId}::${this.props.efsPersistentVolume.efsApId}`,
},
claimRef: {
name: persistentVolumeClaim.name,
namespace: this.namespace,
},
},
});
const sslBasePath = '/opt/nifi-registry/ssl';
const nifiRegistryDataDir = '/opt/nifi-registry/data';
const nifiRegistryInitBaseDir = '/opt/nifi-registry/init';
const nifiRegistryConfigMap = this.createRegistryConfigMap(sslBasePath, nifiRegistryDataDir);
const serviceAccount = new k8s.KubeServiceAccount(this, 'nifi-registry-service-account', {
metadata: {
name: 'nifi-registry',
annotations: {
'eks.amazonaws.com/role-arn': this.props.nifiRegistryServiceRoleArn,
},
},
});
const nifiRegistryDeploymentProps: k8s.KubeDeploymentProps = {
metadata: {
name: 'nifi-registry',
},
spec: {
selector: {
matchLabels: {
app: 'nifi-registry',
},
},
replicas: 1,
template: {
metadata: {
labels: {
app: 'nifi-registry',
},
},
spec: {
serviceAccountName: serviceAccount.name,
tolerations: [
{
key: 'eks.amazonaws.com/compute-type',
value: 'fargate',
},
],
dnsConfig: {
searches: [`${nifiRegistryService.name}.${this.namespace}.svc.cluster.local`],
},
securityContext: {
runAsUser: 1000,
runAsGroup: 1000,
fsGroup: 1000,
},
volumes: [
{
name: 'nifi-registry-init-scripts',
configMap: {
name: nifiRegistryInitConfigMap.name,
defaultMode: 0o755,
},
},
{
name: 'nifi-registry-config',
configMap: {
name: nifiRegistryConfigMap.name,
defaultMode: 0o755,
},
},
{
name: 'aws-creds',
emptyDir: {},
},
{
name: 'pip-local',
emptyDir: {},
},
{
name: `nifi-registry-ssl`,
secret: {
secretName: `nifi-registry-ssl`,
},
},
{
name: `nifi-registry-manager-ssl`,
secret: {
secretName: `nifi-registry-manager-ssl`,
},
},
{
name: 'nifi-registry-data',
persistentVolumeClaim: {
claimName: persistentVolumeClaim.name,
},
},
],
shareProcessNamespace: true,
containers: [
{
name: 'nifi-registry-manager',
image: this.props.nifiManagerImageUri,
command: ['sh', `/opt/nifi/scripts/nifi_registry_manager.sh`],
resources: {
requests: {
memory: k8s.Quantity.fromString('0.5Gi'),
cpu: k8s.Quantity.fromString('250m'),
},
limits: {
memory: k8s.Quantity.fromString('0.5Gi'),
cpu: k8s.Quantity.fromString('250m'),
},
},
env: [
{
name: 'NIFI_APP',
value: 'registry',
},
{
name: 'MANAGER_CONFIG',
value: `${nifiRegistryInitBaseDir}/conf/registry_manager.json`,
},
{
name: 'NIFI_INIT_DIR',
value: nifiRegistryInitBaseDir,
},
{
name: 'PYTHONUNBUFFERED',
value: '1',
},
{
name: 'NIFI_DATA_DIR',
value: nifiRegistryDataDir,
},
{
name: 'NIFI_SSL_BASE_PATH',
value: `${sslBasePath}/registry`,
},
{
name: 'NIFI_CERT_NAME',
value: 'nifi-registry',
},
{
name: 'NIFI_NODES',
value: this.nifiNodes.map(x => `CN=${x}`).join(','),
},
{
name: 'NIFI_KEYSTORE_PASSWORD',
valueFrom: {
secretKeyRef: {
name: nifiRegistrySecretName,
key: 'keystore-password',
optional: false,
},
},
},
{
name: 'NIFI_TRUSTSTORE_PASSWORD',
valueFrom: {
secretKeyRef: {
name: nifiRegistrySecretName,
key: 'keystore-password',
optional: false,
},
},
},
],
volumeMounts: [
{
name: 'nifi-registry-config',
mountPath: `${nifiRegistryInitBaseDir}/conf`,
},
{
name: 'aws-creds',
mountPath: `/home/nifi/.aws`,
},
{
name: 'nifi-registry-init-scripts',
mountPath: `${nifiRegistryInitBaseDir}/scripts`,
},
{
name: 'nifi-registry-data',
mountPath: `${nifiRegistryDataDir}`,
},
{
mountPath: `${sslBasePath}/manager`,
name: `nifi-registry-manager-ssl`,
readOnly: true,
},
{
mountPath: `${sslBasePath}/registry/nifi-registry`,
name: 'nifi-registry-ssl',
readOnly: true,
},
],
},
{
name: 'nifi-registry',
image: `apache/nifi-registry:${
this.props.nifiRegistryImageTag ?? NifiRegistryChart.DEFAULT_NIFI_IMAGE_TAG
}`,
ports: [{ containerPort: this.props.httpsPort }],
command: ['bash', '-c', `${nifiRegistryInitBaseDir}/scripts/nifi_registry_start.sh`],
resources: {
requests: {
memory: k8s.Quantity.fromString('1Gi'),
cpu: k8s.Quantity.fromString('500m'),
},
limits: {
memory: k8s.Quantity.fromString('1Gi'),
cpu: k8s.Quantity.fromString('500m'),
},
},
env: [
{
name: 'NIFI_INIT_DIR',
value: nifiRegistryInitBaseDir,
},
{
name: 'NIFI_DATA_DIR',
value: nifiRegistryDataDir,
},
{
name: 'NIFI_HOME',
value: '/opt/nifi-registry/nifi-registry-current',
},
{
name: 'NIFI_SSL_BASE_PATH',
value: sslBasePath,
},
{
name: 'NIFI_KEYSTORE_PASSWORD',
valueFrom: {
secretKeyRef: {
name: nifiRegistrySecretName,
key: 'keystore-password',
optional: false,
},
},
},
{
name: 'NIFI_TRUSTSTORE_PASSWORD',
valueFrom: {
secretKeyRef: {
name: nifiRegistrySecretName,
key: 'keystore-password',
optional: false,
},
},
},
],
volumeMounts: [
{
name: 'nifi-registry-config',
mountPath: `${nifiRegistryInitBaseDir}/conf`,
},
{
name: 'nifi-registry-init-scripts',
mountPath: `${nifiRegistryInitBaseDir}/scripts`,
},
{
name: 'nifi-registry-data',
mountPath: `${nifiRegistryDataDir}`,
},
{
name: 'aws-creds',
mountPath: `/home/nifi/.aws`,
},
{
mountPath: `${sslBasePath}`,
name: 'nifi-registry-ssl',
readOnly: true,
},
],
},
],
},
},
},
};
const sts = new k8s.KubeDeployment(this, 'nifi-registry-sts', nifiRegistryDeploymentProps);
sts.addDependency(persistentVolume);
sts.addDependency(persistentVolumeClaim);
return sts;
}