in packages/constructs/L3/dataops/dataops-nifi-l3-construct/lib/dataops-nifi-l3-construct.ts [740:852]
/**
 * Provisions the Zookeeper ensemble that backs the NiFi cluster on EKS.
 *
 * In order: the `zk` security group, the keystore-password secret (encrypted
 * with the project KMS key) plus the two IAM statements needed to read it, the
 * external-secrets service role, EFS storage (security group, persistent
 * volumes, and an access policy attached to the Fargate pod execution role),
 * the Kubernetes namespace, the Zookeeper cdk8s chart, and finally a
 * `kubectl delete pod -l app=zookeeper` command keyed on the chart hash.
 *
 * @param vpc - VPC hosting the security groups and EFS resources.
 * @param subnets - Subnets handed to the EFS persistent volumes.
 * @param kmsKey - Key handed to the EFS persistent volumes.
 * @param eksCluster - Cluster that receives the namespace and chart manifests.
 * @param hostedZone - Zone whose name is passed into the chart.
 * @param caIssuerCdk8sChart - Chart whose CA issuer name is passed into the chart.
 * @param fargateProfile - Profile whose pod execution role is granted EFS access.
 * @returns The applied Zookeeper manifest, the chart it was rendered from, and
 *   the Zookeeper security group.
 */
private addZookeeper(
  vpc: IVpc,
  subnets: ISubnet[],
  kmsKey: IKey,
  eksCluster: MdaaEKSCluster,
  hostedZone: HostedZone,
  caIssuerCdk8sChart: CaIssuerChart,
  fargateProfile: FargateProfile,
): [KubernetesManifest, ZookeeperChart, ISecurityGroup] {
  const { naming, nifi } = this.props;
  const zkNamespace = NifiL3Construct.ZOOKEEPER_NAMESPACE;

  // Egress is unrestricted (allowAllOutbound); ingress is whatever the
  // caller configured for the EKS security groups, plus a self-reference
  // rule so ensemble members can talk to each other.
  const zkSecurityGroup = new MdaaSecurityGroup(this, 'zk-sg', {
    securityGroupName: 'zk',
    vpc,
    addSelfReferenceRule: true,
    naming,
    allowAllOutbound: true,
    ingressRules: nifi.eksSecurityGroupIngressRules,
  } satisfies MdaaSecurityGroupProps);

  const zkKeystorePasswordSecret = NifiCluster.createSecret(
    this,
    'zk-keystore-password-secret',
    naming,
    'zk-keystore-password',
    this.projectKmsKey,
  );

  // Least-privilege read path for the secret: decrypt is scoped to the one
  // project key ARN, GetSecretValue to the one secret ARN.
  // NOTE(review): IAM matches action names case-insensitively, so the mixed-
  // case service prefix below works; the canonical spelling is `secretsmanager:`.
  const decryptStatement = new PolicyStatement({
    sid: 'KmsDecrypt',
    effect: Effect.ALLOW,
    actions: ['kms:Decrypt'],
    resources: [this.projectKmsKey.keyArn],
  });
  const readSecretStatement = new PolicyStatement({
    sid: 'GetSecretValue',
    effect: Effect.ALLOW,
    actions: ['SecretsManager:GetSecretValue'],
    resources: [zkKeystorePasswordSecret.secretArn],
  });
  const externalSecretsServiceRole = NifiCluster.createServiceRole(
    this,
    'zk-external-secrets',
    naming.resourceName('zk-external-secrets-service-role', 64),
    zkNamespace,
    eksCluster,
    [decryptStatement, readSecretStatement],
  );

  // EFS ingress: the Zookeeper SG itself plus any caller-supplied SG ids.
  const extraEfsIngressGroups =
    nifi.additionalEfsIngressSecurityGroupIds?.map(id =>
      SecurityGroup.fromSecurityGroupId(this, `zk-efs-ingress-sg-${id}`, id),
    ) ?? [];
  const efsSecurityGroup = NifiCluster.createEfsSecurityGroup('zookeeper', this, naming, vpc, [
    zkSecurityGroup,
    ...extraEfsIngressGroups,
  ]);

  // One persistent volume per ensemble member; the member count is fixed at 3.
  // NOTE(review): the volumes use the `kmsKey` parameter while the access policy
  // and the secret use `this.projectKmsKey` — presumably intentional, confirm.
  const zkEfsPvs = NifiCluster.createEfsPvs({
    scope: this,
    naming,
    name: 'zk',
    nodeCount: 3,
    vpc,
    subnets,
    kmsKey,
    efsSecurityGroup,
  });
  const efsAccessPolicy = NifiCluster.createEfsAccessPolicy(
    'zookeeper',
    this,
    naming,
    this.projectKmsKey,
    zkEfsPvs,
  );
  fargateProfile.podExecutionRole.addManagedPolicy(efsAccessPolicy);

  // The namespace must exist (and the Fargate profile be ready) before the
  // chart is applied into it.
  const zkNamespaceManifest = eksCluster.addNamespace(
    new cdk8s.App(),
    'zookeeper-ns',
    zkNamespace,
    zkSecurityGroup,
  );
  zkNamespaceManifest.node.addDependency(fargateProfile);

  const efsPersistentVolumes = zkEfsPvs.map(([fileSystem, accessPoint]) => ({
    efsFsId: fileSystem.fileSystemId,
    efsApId: accessPoint.accessPointId,
  }));
  const zkK8sChart = new ZookeeperChart(new cdk8s.App(), 'zookeeper-chart', {
    namespace: zkNamespace,
    hostedZoneName: hostedZone.zoneName,
    externalSecretsRoleArn: externalSecretsServiceRole.roleArn,
    caIssuerName: caIssuerCdk8sChart.caIssuerName,
    awsRegion: this.region,
    keystorePasswordSecretName: zkKeystorePasswordSecret.secretName,
    efsStorageClassName: eksCluster.efsStorageClassName,
    efsPersistentVolumes,
    // Short-lived node certificates by default; callers may override all four.
    zookeeperCertDuration: nifi.nodeCertDuration ?? '24h0m0s',
    zookeeperCertRenewBefore: nifi.nodeCertRenewBefore ?? '1h0m0s',
    certKeyAlg: nifi.certKeyAlg ?? 'ECDSA',
    certKeySize: nifi.certKeySize ?? 384,
  });
  const zkManifest = eksCluster.addCdk8sChart('zookeeper', zkK8sChart);
  zkManifest.node.addDependency(zkNamespaceManifest);
  zkManifest.node.addDependency(caIssuerCdk8sChart);

  // Roll the Zookeeper pods after the chart is applied. The execution key is
  // the chart hash, so presumably the command re-runs only when the rendered
  // chart changes — KubernetesCmd semantics are not visible here.
  const restartZkCmdProps: KubernetesCmdProps = {
    cluster: eksCluster,
    namespace: zkNamespace,
    cmd: ['delete', 'pod', '-l', 'app=zookeeper'],
    executionKey: zkK8sChart.hash(),
  };
  const restartZkCmd = new KubernetesCmd(this, 'restart-zk-cmd', restartZkCmdProps);
  restartZkCmd.node.addDependency(zkManifest);

  return [zkManifest, zkK8sChart, zkSecurityGroup];
}