chilcano.apache-nifi-toolkit

Ansible Role: apache-nifi-toolkit

This Ansible Role installs and sets up the Apache NiFi Toolkit and executes commands to generate X.509 certificates and NiFi configuration files. The Apache NiFi Toolkit helps to securely configure NiFi by creating the NiFi configuration, X.509 certificates, Java KeyStore, and Java TrustStore required for secure setups. You can read more about it here.

Features of this Role

  • Installs the Apache NiFi Toolkit.
  • Executes specific commands from the Apache NiFi Toolkit. The standalone option is the only NiFi TLS Toolkit Service implemented.
  • Synchronizes and organizes all generated NiFi configurations, X.509 Certificates, and Java KeyStore and Trust Store files in a single location on the local machine.

Requirements

  • Java must be installed.

Role Variables

Default variables are located in defaults/main.yml.

Dependencies

This Ansible Role does not have any dependencies, but NiFi Toolkit needs Java. To install Java, I will use the geerlingguy.java role with slight modifications for installing Oracle Java 8 on Debian. You can find these changes in my fork at chilcano.java / branch oracle-java-debian. Just clone that branch.

If you're using Apache NiFi Toolkit on Ubuntu or CentOS, you won't need these changes. You can download the geerlingguy.java role as shown below, or manually install Java 7 or 8 on your machine:

$ sudo ansible-galaxy install geerlingguy.java

Example Playbook

---
- hosts: nftk1
  become: yes
  vars_files:
    - vars.yml
  roles:
    - role: ../../playbooks/roles/ansible-role-java
      java_packages:
        - oracle-java8-installer
        - ca-certificates
        - oracle-java8-set-default
      java_cleanup: false
      java_home: "/usr/lib/jvm/java-8-oracle"

    - role: chilcano.apache-nifi-toolkit
      nftk:
        version: "1.2.0"
        packaging_bin: "tar.gz"
        packaging_src: "zip"
        action:
          clean:
            installation: false
            repository: false
            dependencies: false
          install: true
          run_cmd: true
          sync: true
        download:
          http_uri: "http://mirror.ox.ac.uk/sites/rsync.apache.org"
      nftk_run:
        cmd: "standalone -n 'nf1.intix.info' --nifiDnSuffix ',OU=INTIX' -C 'CN=chilcano, OU=INTIX' -O -c 'nftk1_ca'"
        clientpasswd: "demo00a"
        keypasswd: "demo00b"
        truststorepasswd: "demo00c"
        keystorepasswd: "demo00d"
      nftk_cfg.dir_repo: "nftk_repo"
      nftk_sync_dir_local: "/Users/Chilcano/1github-repo/binaries"

The inventory file contains:

[nifitks]
nftk1

nftk1 ansible_host=192.168.77.4

[nifitks:vars]
ansible_user=vagrant
ansible_ssh_private_key_file="/Users/Chilcano/.vagrant.d/insecure_private_key"

This Ansible Playbook will install Oracle Java, set up the Apache NiFi Toolkit, and run the command $ ./bin/tls-toolkit.sh standalone -n 'nf1.intix.info' --nifiDnSuffix ',OU=INTIX' -C 'CN=chilcano, OU=INTIX' -O -c 'nftk1_ca'. All generated Keys, Certificates, and Configurations will be stored in $NIFI_TOOLKIT_HOME/nftk_repo and synced to your local machine in /Users/Chilcano/1github-repo/binaries. Remember to create the /Users/Chilcano/1github-repo/binaries directory beforehand. Syncing allows easy access to all necessary files for securely configuring NiFi, whether for a single instance or a cluster.
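The playbook above keeps the four key and keystore passwords in clear text and expects the local sync directory to exist already. The variant below is an added example, not part of the role's own documentation: it reads the passwords from an Ansible Vault file and creates the sync directory with owner-only permissions before the role runs. The file name vault.yml and the vault_nftk_* variable names are assumptions; everything else is copied from the playbook above.

```yaml
---
# Added example. vault.yml and the vault_nftk_* names are hypothetical.
# Create the file once with `ansible-vault create vault.yml` and define the four variables in it.
- hosts: nftk1
  become: yes
  vars_files:
    - vars.yml
    - vault.yml   # encrypted at rest, decrypted only at run time
  pre_tasks:
    - name: Create the local sync directory, accessible to its owner only
      file:
        path: "/Users/Chilcano/1github-repo/binaries"
        state: directory
        mode: "0700"
      delegate_to: localhost
      become: no
  roles:
    - role: ../../playbooks/roles/ansible-role-java
      java_packages:
        - oracle-java8-installer
        - ca-certificates
        - oracle-java8-set-default
      java_cleanup: false
      java_home: "/usr/lib/jvm/java-8-oracle"
    - role: chilcano.apache-nifi-toolkit
      nftk:
        version: "1.2.0"
        packaging_bin: "tar.gz"
        packaging_src: "zip"
        action:
          clean:
            installation: false
            repository: false
            dependencies: false
          install: true
          run_cmd: true
          sync: true
        download:
          http_uri: "http://mirror.ox.ac.uk/sites/rsync.apache.org"
      nftk_run:
        cmd: "standalone -n 'nf1.intix.info' --nifiDnSuffix ',OU=INTIX' -C 'CN=chilcano, OU=INTIX' -O -c 'nftk1_ca'"
        clientpasswd: "{{ vault_nftk_clientpasswd }}"
        keypasswd: "{{ vault_nftk_keypasswd }}"
        truststorepasswd: "{{ vault_nftk_truststorepasswd }}"
        keystorepasswd: "{{ vault_nftk_keystorepasswd }}"
      nftk_cfg.dir_repo: "nftk_repo"
      nftk_sync_dir_local: "/Users/Chilcano/1github-repo/binaries"
```

Run it with ansible-playbook and the --ask-vault-pass option so the vault file can be decrypted.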

The final file structure with Keys, Certificates, and configuration files will look like this:

Apache NiFi Toolkit - folder structure and files generated

Updates

  • The role now copies binaries/installers from the local file system if they don't exist. If they are not found locally, it will attempt to download from a URL. Finally, the downloaded binary will be saved locally for future use.

License

MIT / BSD

Author Information

This role was created in 2017 by Roger Carhuatocto, who runs the HolisticSecurity.io Blog.

About the project

An Ansible Role that installs Apache NiFi Toolkit and runs commands to get the X.509, Java KeyStore, and TrustStore files required to configure NiFi securely.

Install
ansible-galaxy install chilcano.apache-nifi-toolkit
License
Unknown
Downloads
142
Owner
Crypto, PKI, DevSecOps, Cloud & Cyber Security, SOA, API & Service Mesh.