From 253ad43b273075bf91165f320bac3794a2446d4f Mon Sep 17 00:00:00 2001 From: Tan Luu Date: Tue, 25 Apr 2023 22:16:14 +0700 Subject: [PATCH 01/18] Disable zkClientEnsembleTracker --- Chart.yaml | 4 ++-- README.md | 2 +- configs/nifi.properties | 1 + doc/INSTALLATION.md | 2 +- templates/statefulset.yaml | 1 + tests/06-alpha.flow.xml | 6 +++--- values.yaml | 3 ++- 7 files changed, 11 insertions(+), 8 deletions(-) diff --git a/Chart.yaml b/Chart.yaml index 22cf8abc..ffea66f0 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,8 +1,8 @@ --- apiVersion: v2 name: nifi -version: 1.1.4 -appVersion: 1.16.3 +version: 1.1.5 +appVersion: 1.20.0 description: Apache NiFi is a software project from the Apache Software Foundation designed to automate the flow of data between software systems. keywords: - nifi diff --git a/README.md b/README.md index d5c51035..5023a77e 100644 --- a/README.md +++ b/README.md @@ -95,7 +95,7 @@ The following table lists the configurable parameters of the nifi chart and the | `replicaCount` | Number of nifi nodes | `1` | | **Image** | | `image.repository` | nifi Image name | `apache/nifi` | -| `image.tag` | nifi Image tag | `1.16.3` | +| `image.tag` | nifi Image tag | `1.20.0` | | `image.pullPolicy` | nifi Image pull policy | `IfNotPresent` | | `image.pullSecret` | nifi Image pull secret | `nil` | | **SecurityContext** | diff --git a/configs/nifi.properties b/configs/nifi.properties index d4cfd899..25d53e85 100644 --- a/configs/nifi.properties +++ b/configs/nifi.properties @@ -238,6 +238,7 @@ nifi.cluster.flow.election.max.wait.time=1 mins nifi.cluster.flow.election.max.candidates= # zookeeper properties, used for cluster management # +nifi.zookeeper.client.ensembleTracker={{.Values.properties.zkClientEnsembleTraker}} nifi.zookeeper.connect.string= nifi.zookeeper.connect.timeout=3 secs nifi.zookeeper.session.timeout=3 secs diff --git a/doc/INSTALLATION.md b/doc/INSTALLATION.md index 821ba2d4..2b03284e 100644 --- a/doc/INSTALLATION.md 
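Review bot: The values key read on the added `nifi.zookeeper.client.ensembleTracker` line is spelled `zkClientEnsembleTraker` (missing the `c`), and the values.yaml hunk of this patch declares it with the same spelling, so the chart renders but ships a misspelled public setting. Renaming both sides now avoids a breaking rename later: `nifi.zookeeper.client.ensembleTracker={{ .Values.properties.zkClientEnsembleTracker }}` and `zkClientEnsembleTracker: false`. The README hunk of this patch only changes the image tag, so the new key also appears to be missing from the parameter table. The same two hunks recur in PATCH 12/18.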
+++ b/doc/INSTALLATION.md @@ -16,7 +16,7 @@ helm dep up ``` 2. **Set a sensitiveKey** -In 1.16.3 version, Nifi needs a sensitiveKey to encrypt sensitive information. This key can be setted in the `values.yaml` file: +In 1.20.0 version, Nifi needs a sensitiveKey to encrypt sensitive information. This key can be setted in the `values.yaml` file: ```` properties: diff --git a/templates/statefulset.yaml b/templates/statefulset.yaml index 7a732024..019ebcb6 100644 --- a/templates/statefulset.yaml +++ b/templates/statefulset.yaml @@ -191,6 +191,7 @@ spec: fi {{ end }} + prop_replace nifi.ui.banner.text $(hostname -s) prop_replace nifi.remote.input.host ${FQDN} prop_replace nifi.cluster.node.address ${FQDN} prop_replace nifi.zookeeper.connect.string ${NIFI_ZOOKEEPER_CONNECT_STRING} diff --git a/tests/06-alpha.flow.xml b/tests/06-alpha.flow.xml index f8b781f8..2f8c677b 100644 --- a/tests/06-alpha.flow.xml +++ b/tests/06-alpha.flow.xml @@ -24,7 +24,7 @@ org.apache.nifi nifi-standard-nar - 1.16.3 + 1.20.0 1 1 sec @@ -117,7 +117,7 @@ org.apache.nifi nifi-ssl-context-service-nar - 1.16.3 + 1.20.0 true @@ -162,7 +162,7 @@ org.apache.nifi nifi-site-to-site-reporting-nar - 1.16.3 + 1.20.0 5 sec RUNNING diff --git a/values.yaml b/values.yaml index 158bdfed..6ebace4f 100644 --- a/values.yaml +++ b/values.yaml @@ -7,7 +7,7 @@ replicaCount: 1 ## image: repository: apache/nifi - tag: "1.16.3" + tag: "1.20.0" pullPolicy: "IfNotPresent" ## Optionally specify an imagePullSecret. @@ -94,6 +94,7 @@ properties: httpsPort: 8443 webProxyHost: # : (If Nifi service is NodePort or LoadBalancer) clusterPort: 6007 + zkClientEnsembleTraker: false # https://issues.apache.org/jira/browse/NIFI-10481 provenanceStorage: "8 GB" provenanceMaxStorageTime: "10 days" siteToSite: From 9bf4698fc16ca6193d6056cb8409be24c19cfb6b Mon Sep 17 00:00:00 2001 
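Review bot: The added `prop_replace nifi.ui.banner.text $(hostname -s)` line in templates/statefulset.yaml is unconditional, so every install shows the pod's short hostname in the UI banner with no values switch, and the commit subject does not mention it. Consider putting it behind a values flag or documenting it in the README. The substitution should also be quoted so it always reaches `prop_replace` as one argument: `prop_replace nifi.ui.banner.text "$(hostname -s)"`. The surrounding start-up script begins and ends outside the hunk, and the same hunk recurs in PATCH 12/18.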
From: Tan Luu Date: Mon, 1 May 2023 08:30:12 +0700 Subject: [PATCH 02/18] Update s2s bravo flow.xml --- tests/06-bravo.flow.xml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/06-bravo.flow.xml b/tests/06-bravo.flow.xml index 5e5a3ec3..832aa2d6 100644 --- a/tests/06-bravo.flow.xml +++ b/tests/06-bravo.flow.xml @@ -24,7 +24,7 @@ org.apache.nifi nifi-update-attribute-nar - 1.15.2 + 1.20.0 1 0 sec @@ -62,7 +62,7 @@ org.apache.nifi nifi-update-attribute-nar - 1.15.2 + 1.20.0 1 0 sec @@ -159,7 +159,7 @@ org.apache.nifi nifi-prometheus-nar - 1.15.2 + 1.20.0 5 sec RUNNING From 2a58c3dacb28357bb8c01fcdf816b5aec4636953 Mon Sep 17 00:00:00 2001 From: Tan Luu Date: Mon, 1 May 2023 10:05:00 +0700 Subject: [PATCH 03/18] Update s2s test to use cmctl from cert-manager instead of jetstack Signed-off-by: Tan Luu --- .github/workflows/test-site-to-site.yml | 2 +- tests/05-install-cert-manager.bash | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/test-site-to-site.yml b/.github/workflows/test-site-to-site.yml index 31f082bf..0f36148b 100644 --- a/.github/workflows/test-site-to-site.yml +++ b/.github/workflows/test-site-to-site.yml @@ -14,7 +14,7 @@ jobs: - name: Setup Minikube uses: manusa/actions-setup-minikube@v2.7.2 with: - minikube version: 'v1.28.0' + minikube version: 'v1.30.1' kubernetes version: 'v1.25.4' github token: ${{ secrets.GITHUB_TOKEN }} - name: Checkout code diff --git a/tests/05-install-cert-manager.bash b/tests/05-install-cert-manager.bash index d30add6f..ddc2ef96 100755 --- a/tests/05-install-cert-manager.bash +++ b/tests/05-install-cert-manager.bash 
@@ -11,7 +11,7 @@ ARCH=$(go env GOARCH) /bin/rm -rf /tmp/cmctl-install mkdir -p /tmp/cmctl-install -curl -L -o /tmp/cmctl-install/cmctl.tar.gz https://github.com/jetstack/cert-manager/releases/latest/download/cmctl-$OS-$ARCH.tar.gz +curl -fsSL -o /tmp/cmctl-install/cmctl.tar.gz https://github.com/cert-manager/cert-manager/releases/latest/download/cmctl-$OS-$ARCH.tar.gz (cd /tmp/cmctl-install ; tar xvzf cmctl.tar.gz ; sudo mv cmctl /usr/local/bin) cmctl experimental install From f6a84e713700bf6d4aec5a98e9fc2862dc94c017 Mon Sep 17 00:00:00 2001 From: Tan Luu Date: Mon, 1 May 2023 10:18:10 +0700 Subject: [PATCH 04/18] Change cert-manager installation Signed-off-by: Tan Luu --- tests/05-install-cert-manager.bash | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tests/05-install-cert-manager.bash b/tests/05-install-cert-manager.bash index ddc2ef96..24608098 100755 --- a/tests/05-install-cert-manager.bash +++ b/tests/05-install-cert-manager.bash @@ -14,4 +14,5 @@ mkdir -p /tmp/cmctl-install curl -fsSL -o /tmp/cmctl-install/cmctl.tar.gz https://github.com/cert-manager/cert-manager/releases/latest/download/cmctl-$OS-$ARCH.tar.gz (cd /tmp/cmctl-install ; tar xvzf cmctl.tar.gz ; sudo mv cmctl /usr/local/bin) -cmctl experimental install +kubectl create namespace cert-manager +cmctl experimental install -n cert-manager From 9d34bed9709dfab703538713a6aafa46a8d1f059 Mon Sep 17 00:00:00 2001 From: nathluu Date: Fri, 5 May 2023 00:02:41 +0700 Subject: [PATCH 05/18] Fix s2s test (# * Fix s2s test Signed-off-by: Tan Luu --- .github/workflows/test-site-to-site.yml | 9 ++++++--- tests/05-install-cert-manager.bash | 5 ++--- 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/.github/workflows/test-site-to-site.yml b/.github/workflows/test-site-to-site.yml index 0f36148b..041c1952 100644 --- a/.github/workflows/test-site-to-site.yml +++ b/.github/workflows/test-site-to-site.yml 
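Review bot: The changed `curl` line still downloads `releases/latest/download/cmctl-$OS-$ARCH.tar.gz`, and the next context line unpacks it and moves the binary into `/usr/local/bin` with sudo, so the job runs whatever that URL serves at the time, with no integrity check. Pin a release tag in the URL and verify a digest before extracting, for example `echo "$CMCTL_SHA256  /tmp/cmctl-install/cmctl.tar.gz" | sha256sum -c -`, where `CMCTL_SHA256` is a placeholder for the checksum recorded for the pinned release. Adding `-f` is an improvement, since an HTTP error page is no longer saved as the tarball. The same download line recurs in PATCH 05/18, 06/18 and 14/18, and PATCH 05 and 06 drop `-f` again.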
@@ -14,7 +14,7 @@ jobs: - name: Setup Minikube uses: manusa/actions-setup-minikube@v2.7.2 with: - minikube version: 'v1.30.1' + minikube version: 'v1.28.0' kubernetes version: 'v1.25.4' github token: ${{ secrets.GITHUB_TOKEN }} - name: Checkout code @@ -87,12 +87,15 @@ jobs: - name: Confirm certificate rotation run: | OLDCERTSTART=$(kubectl -n alpha exec nifi-0 -c server -- curl -kv https://localhost:8443 2>&1 | /bin/grep start) - echo Certificate "$OLDCERTSTART" + echo Old Certificate "$OLDCERTSTART" cmctl -n alpha renew nifi-0 + kubectl -n alpha rollout restart statefulset/nifi + kubectl -n alpha rollout status --watch statefulset/nifi --timeout=5m + sleep 5m for n in [ 0 1 2 3 4 5 6 7 8 9 ] do NEWCERTSTART=$(kubectl -n alpha exec nifi-0 -c server -- curl -kv https://localhost:8443 2>&1 | /bin/grep start) - echo Certificate "$NEWCERTSTART" + echo New Certificate "$NEWCERTSTART" if [ \""$OLDCERTSTART"\" != \""$NEWCERTSTART"\" ] then exit 0 diff --git a/tests/05-install-cert-manager.bash b/tests/05-install-cert-manager.bash index 24608098..d30add6f 100755 --- a/tests/05-install-cert-manager.bash +++ b/tests/05-install-cert-manager.bash @@ -11,8 +11,7 @@ ARCH=$(go env GOARCH) /bin/rm -rf /tmp/cmctl-install mkdir -p /tmp/cmctl-install -curl -fsSL -o /tmp/cmctl-install/cmctl.tar.gz https://github.com/cert-manager/cert-manager/releases/latest/download/cmctl-$OS-$ARCH.tar.gz +curl -L -o /tmp/cmctl-install/cmctl.tar.gz https://github.com/jetstack/cert-manager/releases/latest/download/cmctl-$OS-$ARCH.tar.gz (cd /tmp/cmctl-install ; tar xvzf cmctl.tar.gz ; sudo mv cmctl /usr/local/bin) -kubectl create namespace cert-manager -cmctl experimental install -n cert-manager +cmctl experimental install From eaed349a9d845f5aa1b229d135ae5008a22cc9b9 Mon Sep 17 00:00:00 2001 From: Tan Luu Date: Fri, 19 May 2023 18:59:13 +0700 Subject: [PATCH 06/18] Update s2s test 
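Review bot: In the `Confirm certificate rotation` step, the context-line test `[ \""$OLDCERTSTART"\" != \""$NEWCERTSTART"\" ]` also succeeds when the second `kubectl exec … curl` prints nothing, and the added `rollout restart` may make an empty result more likely while nifi-0 is being replaced. Require a non-empty value before accepting the rotation: `if [ -n "$NEWCERTSTART" ] && [ "$OLDCERTSTART" != "$NEWCERTSTART" ]`. The added `sleep 5m` is a fixed delay on top of `rollout status --watch … --timeout=5m`, which already blocks until the rollout completes; retrying inside the existing loop would be faster and less flaky. The loop body continues outside the hunk.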
Signed-off-by: Tan Luu --- .github/workflows/test-site-to-site.yml | 3 +++ tests/05-install-cert-manager.bash | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/test-site-to-site.yml b/.github/workflows/test-site-to-site.yml index 041c1952..bd8d8e21 100644 --- a/.github/workflows/test-site-to-site.yml +++ b/.github/workflows/test-site-to-site.yml @@ -89,9 +89,12 @@ jobs: OLDCERTSTART=$(kubectl -n alpha exec nifi-0 -c server -- curl -kv https://localhost:8443 2>&1 | /bin/grep start) echo Old Certificate "$OLDCERTSTART" cmctl -n alpha renew nifi-0 + # Remove below block of code when issue NIFI-11536 is fixed + ######################################################################### kubectl -n alpha rollout restart statefulset/nifi kubectl -n alpha rollout status --watch statefulset/nifi --timeout=5m sleep 5m + ######################################################################### for n in [ 0 1 2 3 4 5 6 7 8 9 ] do NEWCERTSTART=$(kubectl -n alpha exec nifi-0 -c server -- curl -kv https://localhost:8443 2>&1 | /bin/grep start) diff --git a/tests/05-install-cert-manager.bash b/tests/05-install-cert-manager.bash index d30add6f..d8e38d80 100755 --- a/tests/05-install-cert-manager.bash +++ b/tests/05-install-cert-manager.bash @@ -11,7 +11,7 @@ ARCH=$(go env GOARCH) /bin/rm -rf /tmp/cmctl-install mkdir -p /tmp/cmctl-install -curl -L -o /tmp/cmctl-install/cmctl.tar.gz https://github.com/jetstack/cert-manager/releases/latest/download/cmctl-$OS-$ARCH.tar.gz +curl -L -o /tmp/cmctl-install/cmctl.tar.gz https://github.com/cert-manager/cert-manager/releases/latest/download/cmctl-$OS-$ARCH.tar.gz (cd /tmp/cmctl-install ; tar xvzf cmctl.tar.gz ; sudo mv cmctl /usr/local/bin) cmctl experimental install From 944db6d30ea0b9dfcedf1495506fafd014afa28b Mon Sep 17 00:00:00 2001 
From: cf250024 <59401847+cf250024@users.noreply.github.com> Date: Fri, 9 Jun 2023 02:55:43 -0700 Subject: [PATCH 07/18] Add session affinity FAQ (#299) * Add session affinity FAQ --------- Co-authored-by: Chengjun Fu --- doc/FAQ.md | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/doc/FAQ.md b/doc/FAQ.md index d3c54fd0..f36a05e2 100644 --- a/doc/FAQ.md +++ b/doc/FAQ.md 
@@ -1,13 +1,17 @@ FAQ - Frequently Asked Questions -====== +================================ Readyness probe fails ---------------- +--------------------- -When encountering errors like `Readiness probe failed: Node not found with CONNECTED state` or `Multi-Attach error for volume "pvc-xxxxxx-xxx-xxx-xxxx-xxxxxxxxx" Volume is already exclusively attached to one node and can't be attached to another`, it means Kubernetes can't provide the pod access to the persistent data it wants. +When encountering errors like `Readiness probe failed: Node not found with CONNECTED state` or `Multi-Attach error for volume "pvc-xxxxxx-xxx-xxx-xxxx-xxxxxxxxx" Volume is already exclusively attached to one node and can't be attached to another`, it means Kubernetes can't provide the pod access to the persistent data it wants. -When this happens, reach out to your Kubernetes cluster administrators to find and fix the problem manually. +When this happens, reach out to your Kubernetes cluster administrators to find and fix the problem manually. For more background, see https://blog.mayadata.io/recover-from-volume-multi-attach-error-in-on-prem-kubernetes-clusters -(see https://github.com/cetic/helm-nifi/issues/47#issuecomment-1122702262) \ No newline at end of file +(see https://github.com/cetic/helm-nifi/issues/47#issuecomment-1122702262) + +## Session Afffinity + +As mentioned in the official NIFI document regarding [session affinity](https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#session_affinity), it's required to implement this feature for your ingress. Please refer to the ingress controller your are using for how to implement it. One example for GKE is with [issue #271](https://github.com/cetic/helm-nifi/issues/271). If NIFI cluster has more than one node, the session affinity has to be there due to the stateful implementation of each node. From f296a8e87ea96e05ece9fe8a8a1b6d29d6f4b1ac Mon Sep 17 00:00:00 2001 
From: emrge-michaeld <110516389+emrge-michaeld@users.noreply.github.com> Date: Thu, 15 Jun 2023 23:17:20 +1200 Subject: [PATCH 08/18] feature/en289 Add a one-volume option for persistence using subPath (#301) Signed-off-by: Michael Dent Co-authored-by: Michael Dent --- README.md | 9 ++-- templates/statefulset.yaml | 106 +++++++++++++++++++++++++++++-------- values.yaml | 11 +++- 3 files changed, 101 insertions(+), 25 deletions(-) diff --git a/README.md b/README.md index d5c51035..da4287d4 100644 --- a/README.md +++ b/README.md @@ -35,8 +35,9 @@ The following items can be set via `--set` flag during installation or configure #### Configure how to persist data -- **Disable**: The data does not survive the termination of a pod. -- **Persistent Volume Claim(default)**: A default `StorageClass` is needed in the Kubernetes cluster to dynamically provision the volumes. Specify another StorageClass in the `storageClass` or set `existingClaim` if you have already existing persistent volumes to use. +- **Disable(default)**: The data does not survive the termination of a pod. +- **Persistent Volume Claim**: Enable persistence so that data survives termination of the pod. There is the choice of using one large persistent volume (using subPath) or seven separate persistent volumes for config, data, logs, repos, etc. + A default `StorageClass` is needed in the Kubernetes cluster to dynamically provision the volumes. Specify another StorageClass in the `persistence.storageClass` setting. #### Configure authentication 
@@ -184,6 +185,9 @@ The following table lists the configurable parameters of the nifi chart and the | `persistence.enabled` | Use persistent volume to store data | `false` | | `persistence.storageClass` | Storage class name of PVCs (use the default type if unset) | `nil` | | `persistence.accessMode` | ReadWriteOnce or ReadOnly | `[ReadWriteOnce]` | +| `persistence.subPath.enabled` | Use only one persistent volume with subPath instead of seven separate persistent volumes | `false` | +| `persistence.subPath.name` | Name of the one persistent volume claim when using subPath | `data` | +| `persistence.subPath.size` | Size of the one persistent volume claim when using subPath | `36Gi` | | `persistence.configStorage.size` | Size of persistent volume claim | `100Mi` | | `persistence.authconfStorage.size` | Size of persistent volume claim | `100Mi` | | `persistence.dataStorage.size` | Size of persistent volume claim | `1Gi` | @@ -191,7 +195,6 @@ The following table lists the configurable parameters of the nifi chart and the | `persistence.contentRepoStorage.size` | Size of persistent volume claim | `10Gi` | | `persistence.provenanceRepoStorage.size` | Size of persistent volume claim | `10Gi` | | `persistence.logStorage.size` | Size of persistent volume claim | `5Gi` | -| `persistence.existingClaim` | Use an existing PVC to persist data | `nil` | | **jvmMemory** | | `jvmMemory` | bootstrap jvm size | `2g` | | **SideCar** | diff --git a/templates/statefulset.yaml b/templates/statefulset.yaml index 7a732024..147f5e10 100644 --- a/templates/statefulset.yaml +++ b/templates/statefulset.yaml 
@@ -453,20 +453,55 @@ spec: tcpSocket: port: {{ .Values.properties.httpsPort }} volumeMounts: - - name: "logs" - mountPath: /opt/nifi/nifi-current/logs - - name: "data" - mountPath: /opt/nifi/data - - name: "auth-conf" - mountPath: /opt/nifi/nifi-current/auth-conf/ - - name: "config-data" - mountPath: /opt/nifi/nifi-current/config-data - - name: "flowfile-repository" - mountPath: /opt/nifi/flowfile_repository - - name: "content-repository" - mountPath: /opt/nifi/content_repository - - name: "provenance-repository" - mountPath: /opt/nifi/provenance_repository + - mountPath: /opt/nifi/nifi-current/logs + {{- if and .Values.persistence.enabled .Values.persistence.subPath.enabled }} + name: {{ .Values.persistence.subPath.name }} + subPath: logs + {{- else }} + name: "logs" + {{- end }} + - mountPath: /opt/nifi/data + {{- if and .Values.persistence.enabled .Values.persistence.subPath.enabled }} + name: {{ .Values.persistence.subPath.name }} + subPath: data + {{- else }} + name: "data" + {{- end }} + - mountPath: /opt/nifi/nifi-current/auth-conf/ + {{- if and .Values.persistence.enabled .Values.persistence.subPath.enabled }} + name: {{ .Values.persistence.subPath.name }} + subPath: auth-conf + {{- else }} + name: "auth-conf" + {{- end }} + - mountPath: /opt/nifi/nifi-current/config-data + {{- if and .Values.persistence.enabled .Values.persistence.subPath.enabled }} + name: {{ .Values.persistence.subPath.name }} + subPath: config-data + {{- else }} + name: "config-data" + {{- end }} + - mountPath: /opt/nifi/flowfile_repository + {{- if and .Values.persistence.enabled .Values.persistence.subPath.enabled }} + name: {{ .Values.persistence.subPath.name }} + subPath: flowfile-repository + {{- else }} + name: "flowfile-repository" + {{- end }} + - mountPath: /opt/nifi/content_repository + {{- if and .Values.persistence.enabled .Values.persistence.subPath.enabled }} + name: {{ .Values.persistence.subPath.name }} + subPath: content-repository + {{- else }} + name: 
"content-repository" + {{- end }} + - mountPath: /opt/nifi/provenance_repository + {{- if and .Values.persistence.enabled .Values.persistence.subPath.enabled }} + name: {{ .Values.persistence.subPath.name }} + subPath: provenance-repository + {{- else }} + name: "provenance-repository" + {{- end }} - name: "bootstrap-conf" mountPath: /opt/nifi/nifi-current/conf/bootstrap.conf subPath: "bootstrap.conf" @@ -541,8 +576,13 @@ spec: resources: {{ toYaml .Values.logresources | indent 10 }} volumeMounts: - - name: logs - mountPath: /var/log + - mountPath: /var/log + {{- if and .Values.persistence.enabled .Values.persistence.subPath.enabled }} + name: {{ .Values.persistence.subPath.name }} + subPath: logs + {{- else }} + name: "logs" + {{- end }} - name: bootstrap-log imagePullPolicy: {{ .Values.sidecar.imagePullPolicy | default "Always" | quote }} image: "{{ .Values.sidecar.image }}:{{ .Values.sidecar.tag }}" @@ -553,8 +593,13 @@ spec: resources: {{ toYaml .Values.logresources | indent 10 }} volumeMounts: - - name: logs - mountPath: /var/log + - mountPath: /var/log + {{- if and .Values.persistence.enabled .Values.persistence.subPath.enabled }} + name: {{ .Values.persistence.subPath.name }} + subPath: logs + {{- else }} + name: "logs" + {{- end }} - name: user-log imagePullPolicy: {{ .Values.sidecar.imagePullPolicy | default "Always" | quote }} image: "{{ .Values.sidecar.image }}:{{ .Values.sidecar.tag }}" @@ -565,8 +610,13 @@ spec: resources: {{ toYaml .Values.logresources | indent 10 }} volumeMounts: - - name: logs - mountPath: /var/log + - mountPath: /var/log + {{- if and .Values.persistence.enabled .Values.persistence.subPath.enabled }} + name: {{ .Values.persistence.subPath.name }} + subPath: logs + {{- else }} + name: "logs" + {{- end }} {{- if .Values.certManager.enabled }} - name: cert-manager imagePullPolicy: {{ .Values.image.pullPolicy | quote }} 
@@ -786,7 +836,21 @@ spec: {{- if .Values.extraVolumes }} {{ toYaml .Values.extraVolumes | indent 6 }} {{- end }} -{{- if .Values.persistence.enabled }} +{{- if and .Values.persistence.enabled .Values.persistence.subPath.enabled }} + volumeClaimTemplates: + - metadata: + name: {{ .Values.persistence.subPath.name }} + spec: + accessModes: + {{- range .Values.persistence.accessModes }} + - {{ . | quote }} + {{- end }} + storageClassName: {{ .Values.persistence.storageClass | quote }} + resources: + requests: + storage: {{ .Values.persistence.subPath.size }} +{{- end }} +{{- if and .Values.persistence.enabled (not .Values.persistence.subPath.enabled) }} volumeClaimTemplates: - metadata: name: logs diff --git a/values.yaml b/values.yaml index 158bdfed..a39199df 100644 --- a/values.yaml +++ b/values.yaml @@ -253,7 +253,16 @@ persistence: # The default storage class is used if this variable is not set. accessModes: [ReadWriteOnce] - ## Storage Capacities for persistent volumes + + ## Use subPath and have 1 persistent volume instead of 7 volumes - use when your k8s nodes have limited volume slots, to limit waste of space, + ## or your available volume sizes are quite large + # The one disk will have a directory folder for each volumeMount, but this is hidden. Run 'mount' to view each mount. + subPath: + enabled: false + name: data + size: 30Gi + + ## Storage Capacities for persistent volumes (these are ignored if using one volume with subPath) configStorage: size: 100Mi authconfStorage: From 09dac855ff3a645591e41c99f85339111d72a33d Mon Sep 17 00:00:00 2001 
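Review bot: The new `volumeClaimTemplates` branch for `persistence.subPath.enabled` changes the StatefulSet's claim set, and Kubernetes does not allow `volumeClaimTemplates` to be updated on an existing StatefulSet, so toggling this value on an installed release would presumably fail `helm upgrade` and leave the data on the seven old claims. The README should say, next to the new parameters, that the layout has to be chosen at install time and that switching requires a manual data migration. `name: {{ .Values.persistence.subPath.name }}` is also rendered unquoted here and in the volumeMounts hunks of this patch, unlike the neighbouring `| quote` uses; `name: {{ .Values.persistence.subPath.name | quote }}` keeps YAML from retyping the value.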
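Review bot: The default added in values.yaml is `size: 30Gi`, but the README row added in the same patch documents `persistence.subPath.size` as `36Gi`; one of the two needs to change so the table matches the chart. The default `name: data` is also the name of one of the seven separate volumes (`name: "data"` in the statefulset hunk), which makes the template harder to read; a distinct default would remove the ambiguity.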
From: Happy Code Date: Tue, 8 Aug 2023 17:07:53 +0300 Subject: [PATCH 09/18] Add auth.oidc.preferredJwsalgorithm param (#306) * Update nifi.properties - Add values - nifi.security.user.oidc.preferred.jwsalgorithm={{.Values.auth.oidc.preferredJwsalgorithm}} * Update values.yaml - Add auth.oidc.preferredJwsalgorithm value * Update README.md - Add info about nifi.security.user.oidc.preferred.jwsalgorithm --- README.md | 1 + configs/nifi.properties | 2 +- values.yaml | 1 + 3 files changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index da4287d4..e838050e 100644 --- a/README.md +++ b/README.md @@ -156,6 +156,7 @@ The following table lists the configurable parameters of the nifi chart and the | `auth.oidc.clientId` | oidc clientId | `nil` | | `auth.oidc.clientSecret` | oidc clientSecret | `nil` | | `auth.oidc.claimIdentifyingUser` | oidc claimIdentifyingUser | `email` | +| `auth.oidc.preferredJwsAlgorithm` | The preferred algorithm for validating identity tokens. If this value is blank, it will default to RS256 which is required to be supported by the OpenID Connect Provider according to the specification. If this value is HS256, HS384, or HS512, NiFi will attempt to validate HMAC protected tokens using the specified client secret. If this value is none, NiFi will attempt to validate unsecured/plain tokens. | `nil` | | `auth.oidc.admin` | Default OIDC admin identity | `nifi@example.com` | | Note that OIDC authentication to a multi-NiFi-node cluster requires Ingress sticky sessions | See [background](https://community.cloudera.com/t5/Support-Questions/OIDC-With-Azure-AD/m-p/232324#M194163) | Also [how](https://kubernetes.github.io/ingress-nginx/examples/affinity/cookie/) | | **postStart** | diff --git a/configs/nifi.properties b/configs/nifi.properties index d4cfd899..06d74aec 100644 --- a/configs/nifi.properties +++ b/configs/nifi.properties 
@@ -197,7 +197,7 @@ nifi.security.user.oidc.connect.timeout=5 secs nifi.security.user.oidc.read.timeout=5 secs nifi.security.user.oidc.client.id={{.Values.auth.oidc.clientId}} nifi.security.user.oidc.client.secret={{.Values.auth.oidc.clientSecret}} -nifi.security.user.oidc.preferred.jwsalgorithm= +nifi.security.user.oidc.preferred.jwsalgorithm={{.Values.auth.oidc.preferredJwsAlgorithm}} nifi.security.user.oidc.claim.identifying.user={{.Values.auth.oidc.claimIdentifyingUser}} nifi.security.user.oidc.additional.scopes={{.Values.auth.oidc.additionalScopes}} {{end}} diff --git a/values.yaml b/values.yaml index a39199df..58b2e246 100644 --- a/values.yaml +++ b/values.yaml @@ -149,6 +149,7 @@ auth: clientSecret: # claimIdentifyingUser: email admin: nifi@example.com + preferredJwsAlgorithm: ## Request additional scopes, for example profile additionalScopes: From f851d51b099105cebb983ac06fdee2a5e8b5d0d0 Mon Sep 17 00:00:00 2001 From: combineads Date: Fri, 11 Aug 2023 20:53:53 +0900 Subject: [PATCH 10/18] Add bootstrap options (#308) Signed-off-by: joseph.ybh Co-authored-by: joseph.ybh --- README.md | 2 ++ configs/bootstrap.conf | 5 +++++ values.yaml | 3 +++ 3 files changed, 10 insertions(+) diff --git a/README.md b/README.md index e838050e..fb6cecb5 100644 --- a/README.md +++ b/README.md 
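Review bot: `auth.oidc.preferredJwsAlgorithm` is rendered into `nifi.security.user.oidc.preferred.jwsalgorithm` with no check, and the README row added in this patch states that `none` makes NiFi accept unsecured/plain identity tokens. Because that setting removes signature verification from login, the chart should either reject it or warn next to the key; the values.yaml hunk adds `preferredJwsAlgorithm:` with no comment at all. A suitable comment would be `# leave empty for RS256; "none" disables ID-token signature validation and should not be used`. A render-time guard using Helm's `fail` function in one of the chart templates would enforce the same thing.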
@@ -223,6 +223,8 @@ The following table lists the configurable parameters of the nifi chart and the | **env** | | `env` | Additional environment variables for the nifi-container (see [spec](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#envvar-v1-core) for details) | `[]` | | `envFrom` | Additional environment variables for the nifi-container from config-maps or secrets (see [spec](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#envfromsource-v1-core) for details) | `[]` | +| **extraOptions** | +| `extraOptions` | Additional bootstrap.conf properties (see [properties](https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#bootstrap_properties) for details) | `[]` | | **extraContainers** | | `extraContainers` | Additional container-specifications that should run within the pod (see [spec](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#container-v1-core) for details) | `[]` | | **extraLabels** | diff --git a/configs/bootstrap.conf b/configs/bootstrap.conf index e6a2444d..a9183e67 100644 --- a/configs/bootstrap.conf +++ b/configs/bootstrap.conf @@ -81,3 +81,8 @@ notification.max.attempts=5 #nifi.dead.notification.services=email-notification +# Extra bootstrap options +{{- range .Values.extraOptions }} +{{ .name }}={{ .value }} +{{- end }} + diff --git a/values.yaml b/values.yaml index 58b2e246..a22b8ea4 100644 --- a/values.yaml +++ b/values.yaml @@ -339,6 +339,9 @@ env: [] ## Extra environment variables from secrets and config maps envFrom: [] +## Extra options to add to the bootstrap.conf file +extraOptions: [] + # envFrom: # - configMapRef: # name: config-name From 219b17e883d0bfe2b768f2f66bc88fd7efac0f82 Mon Sep 17 00:00:00 2001 From: Sebastien Dupont Date: Mon, 2 Oct 2023 10:54:01 +0200 Subject: [PATCH 11/18] relaunch tests --- .github/workflows/test-site-to-site.yml | 1 + 1 file changed, 1 insertion(+) 
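Review bot: The added `{{ .name }}={{ .value }}` line in configs/bootstrap.conf emits each `extraOptions` entry without checking that both fields are set, so an entry without `name` renders a line that starts with `=`, and a multi-line `value` adds extra lines to the file. Helm's `required` function turns the first case into a render error: `{{ required "extraOptions[].name is required" .name }}={{ .value }}`. Entries are appended after the existing keys, so an entry that reuses a key already in the file produces a duplicate line rather than an override; that should be documented with the parameter.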
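Review bot: In values.yaml, `extraOptions: []` is inserted between `envFrom: []` and its commented example, so the `# envFrom:` / `# - configMapRef:` block now appears to belong to `extraOptions`. Move the new key below that example and give it its own, showing the shape the template expects: `# extraOptions:`, `#   - name: <bootstrap property>`, `#     value: <value>`.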
diff --git a/.github/workflows/test-site-to-site.yml b/.github/workflows/test-site-to-site.yml index bd8d8e21..dc0336f3 100644 --- a/.github/workflows/test-site-to-site.yml +++ b/.github/workflows/test-site-to-site.yml @@ -90,6 +90,7 @@ jobs: echo Old Certificate "$OLDCERTSTART" cmctl -n alpha renew nifi-0 # Remove below block of code when issue NIFI-11536 is fixed + # i.e. in version 1.23 https://issues.apache.org/jira/browse/NIFI-11536 ######################################################################### kubectl -n alpha rollout restart statefulset/nifi kubectl -n alpha rollout status --watch statefulset/nifi --timeout=5m From 351929833d651aaec9e461e0d4c4aea54484ba2b Mon Sep 17 00:00:00 2001 From: Tan Luu Date: Tue, 25 Apr 2023 22:16:14 +0700 Subject: [PATCH 12/18] Disable zkClientEnsembleTracker --- Chart.yaml | 4 ++-- README.md | 2 +- configs/nifi.properties | 1 + doc/INSTALLATION.md | 2 +- templates/statefulset.yaml | 1 + tests/06-alpha.flow.xml | 6 +++--- values.yaml | 3 ++- 7 files changed, 11 insertions(+), 8 deletions(-) diff --git a/Chart.yaml b/Chart.yaml index 22cf8abc..ffea66f0 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,8 +1,8 @@ --- apiVersion: v2 name: nifi -version: 1.1.4 -appVersion: 1.16.3 +version: 1.1.5 +appVersion: 1.20.0 description: Apache NiFi is a software project from the Apache Software Foundation designed to automate the flow of data between software systems. keywords: - nifi diff --git a/README.md b/README.md index fb6cecb5..62c2dc0a 100644 --- a/README.md +++ b/README.md @@ -96,7 +96,7 @@ The following table lists the configurable parameters of the nifi chart and the | `replicaCount` | Number of nifi nodes | `1` | | **Image** | | `image.repository` | nifi Image name | `apache/nifi` | -| `image.tag` | nifi Image tag | `1.16.3` | +| `image.tag` | nifi Image tag | `1.20.0` | | `image.pullPolicy` | nifi Image pull policy | `IfNotPresent` | | `image.pullSecret` | nifi Image pull secret | `nil` | | **SecurityContext** | 
diff --git a/configs/nifi.properties b/configs/nifi.properties index 06d74aec..d98a5c16 100644 --- a/configs/nifi.properties +++ b/configs/nifi.properties @@ -238,6 +238,7 @@ nifi.cluster.flow.election.max.wait.time=1 mins nifi.cluster.flow.election.max.candidates= # zookeeper properties, used for cluster management # +nifi.zookeeper.client.ensembleTracker={{.Values.properties.zkClientEnsembleTraker}} nifi.zookeeper.connect.string= nifi.zookeeper.connect.timeout=3 secs nifi.zookeeper.session.timeout=3 secs diff --git a/doc/INSTALLATION.md b/doc/INSTALLATION.md index 821ba2d4..2b03284e 100644 --- a/doc/INSTALLATION.md +++ b/doc/INSTALLATION.md @@ -16,7 +16,7 @@ helm dep up ``` 2. **Set a sensitiveKey** -In 1.16.3 version, Nifi needs a sensitiveKey to encrypt sensitive information. This key can be setted in the `values.yaml` file: +In 1.20.0 version, Nifi needs a sensitiveKey to encrypt sensitive information. This key can be setted in the `values.yaml` file: ```` properties: diff --git a/templates/statefulset.yaml b/templates/statefulset.yaml index 147f5e10..f0db1cd1 100644 --- a/templates/statefulset.yaml +++ b/templates/statefulset.yaml @@ -191,6 +191,7 @@ spec: fi {{ end }} + prop_replace nifi.ui.banner.text $(hostname -s) prop_replace nifi.remote.input.host ${FQDN} prop_replace nifi.cluster.node.address ${FQDN} prop_replace nifi.zookeeper.connect.string ${NIFI_ZOOKEEPER_CONNECT_STRING} diff --git a/tests/06-alpha.flow.xml b/tests/06-alpha.flow.xml index f8b781f8..2f8c677b 100644 --- a/tests/06-alpha.flow.xml +++ b/tests/06-alpha.flow.xml @@ -24,7 +24,7 @@ org.apache.nifi nifi-standard-nar - 1.16.3 + 1.20.0 1 1 sec @@ -117,7 +117,7 @@ org.apache.nifi nifi-ssl-context-service-nar - 1.16.3 + 1.20.0 true @@ -162,7 +162,7 @@ org.apache.nifi nifi-site-to-site-reporting-nar - 1.16.3 + 1.20.0 5 sec RUNNING diff --git a/values.yaml b/values.yaml index a22b8ea4..fed0e673 100644 --- a/values.yaml +++ b/values.yaml 
@@ -7,7 +7,7 @@ replicaCount: 1 ## image: repository: apache/nifi - tag: "1.16.3" + tag: "1.20.0" pullPolicy: "IfNotPresent" ## Optionally specify an imagePullSecret. @@ -94,6 +94,7 @@ properties: httpsPort: 8443 webProxyHost: # : (If Nifi service is NodePort or LoadBalancer) clusterPort: 6007 + zkClientEnsembleTraker: false # https://issues.apache.org/jira/browse/NIFI-10481 provenanceStorage: "8 GB" provenanceMaxStorageTime: "10 days" siteToSite: From 020c282f0a250d9365bf44ce99772866ae1b1d15 Mon Sep 17 00:00:00 2001 From: Tan Luu Date: Mon, 1 May 2023 08:30:12 +0700 Subject: [PATCH 13/18] Update s2s bravo flow.xml --- tests/06-bravo.flow.xml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/06-bravo.flow.xml b/tests/06-bravo.flow.xml index 5e5a3ec3..832aa2d6 100644 --- a/tests/06-bravo.flow.xml +++ b/tests/06-bravo.flow.xml @@ -24,7 +24,7 @@ org.apache.nifi nifi-update-attribute-nar - 1.15.2 + 1.20.0 1 0 sec @@ -62,7 +62,7 @@ org.apache.nifi nifi-update-attribute-nar - 1.15.2 + 1.20.0 1 0 sec @@ -159,7 +159,7 @@ org.apache.nifi nifi-prometheus-nar - 1.15.2 + 1.20.0 5 sec RUNNING From 09953ac8370a99c97958933c57336551403fb667 Mon Sep 17 00:00:00 2001 From: Tan Luu Date: Mon, 1 May 2023 10:05:00 +0700 Subject: [PATCH 14/18] Update s2s test to use cmctl from cert-manager instead of jetstack Signed-off-by: Tan Luu --- .github/workflows/test-site-to-site.yml | 2 +- tests/05-install-cert-manager.bash | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/test-site-to-site.yml b/.github/workflows/test-site-to-site.yml index 31f082bf..0f36148b 100644 --- a/.github/workflows/test-site-to-site.yml +++ b/.github/workflows/test-site-to-site.yml @@ -14,7 +14,7 @@ jobs: - name: Setup Minikube uses: manusa/actions-setup-minikube@v2.7.2 with: - minikube version: 'v1.28.0' + minikube version: 'v1.30.1' kubernetes version: 'v1.25.4' github token: ${{ secrets.GITHUB_TOKEN }} - name: Checkout code 
diff --git a/tests/05-install-cert-manager.bash b/tests/05-install-cert-manager.bash index d30add6f..ddc2ef96 100755 --- a/tests/05-install-cert-manager.bash +++ b/tests/05-install-cert-manager.bash @@ -11,7 +11,7 @@ ARCH=$(go env GOARCH) /bin/rm -rf /tmp/cmctl-install mkdir -p /tmp/cmctl-install -curl -L -o /tmp/cmctl-install/cmctl.tar.gz https://github.com/jetstack/cert-manager/releases/latest/download/cmctl-$OS-$ARCH.tar.gz +curl -fsSL -o /tmp/cmctl-install/cmctl.tar.gz https://github.com/cert-manager/cert-manager/releases/latest/download/cmctl-$OS-$ARCH.tar.gz (cd /tmp/cmctl-install ; tar xvzf cmctl.tar.gz ; sudo mv cmctl /usr/local/bin) cmctl experimental install From a3f7f5f1d7772007d1065e8e60f6d9a8c6fc327f Mon Sep 17 00:00:00 2001 From: Tan Luu Date: Mon, 1 May 2023 10:18:10 +0700 Subject: [PATCH 15/18] Change cert-manager installation Signed-off-by: Tan Luu --- tests/05-install-cert-manager.bash | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tests/05-install-cert-manager.bash b/tests/05-install-cert-manager.bash index ddc2ef96..24608098 100755 --- a/tests/05-install-cert-manager.bash +++ b/tests/05-install-cert-manager.bash @@ -14,4 +14,5 @@ mkdir -p /tmp/cmctl-install curl -fsSL -o /tmp/cmctl-install/cmctl.tar.gz https://github.com/cert-manager/cert-manager/releases/latest/download/cmctl-$OS-$ARCH.tar.gz (cd /tmp/cmctl-install ; tar xvzf cmctl.tar.gz ; sudo mv cmctl /usr/local/bin) -cmctl experimental install +kubectl create namespace cert-manager +cmctl experimental install -n cert-manager From c003de2858386c61016e23ad8ea47891a403c715 Mon Sep 17 00:00:00 2001 From: nathluu Date: Fri, 5 May 2023 00:02:41 +0700 Subject: [PATCH 16/18] Fix s2s test (# * Fix s2s test Signed-off-by: Tan Luu --- .github/workflows/test-site-to-site.yml | 9 ++++++--- tests/05-install-cert-manager.bash | 5 ++--- 2 files changed, 8 insertions(+), 6 deletions(-) 
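Review bot: The changed `curl` line still resolves `releases/latest`, and the archive is unpacked and moved into /usr/local/bin with sudo without any integrity check, so the CI job runs whatever binary that URL serves at the time. Pin a release and verify a digest kept in the repository, e.g. `curl -fsSL -o /tmp/cmctl-install/cmctl.tar.gz "https://github.com/cert-manager/cert-manager/releases/download/${CMCTL_VERSION}/cmctl-${OS}-${ARCH}.tar.gz"` followed by `echo "${CMCTL_SHA256}  /tmp/cmctl-install/cmctl.tar.gz" | sha256sum -c -`. Both variables are placeholders for a chosen release and its digest. The same line is changed again in PATCH 16/18 and 17/18, which also drop `-f`, so an HTTP error body would be saved as the tarball; keep `-fsSL` there.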
diff --git a/.github/workflows/test-site-to-site.yml b/.github/workflows/test-site-to-site.yml index 0f36148b..041c1952 100644 --- a/.github/workflows/test-site-to-site.yml +++ b/.github/workflows/test-site-to-site.yml @@ -14,7 +14,7 @@ jobs: - name: Setup Minikube uses: manusa/actions-setup-minikube@v2.7.2 with: - minikube version: 'v1.30.1' + minikube version: 'v1.28.0' kubernetes version: 'v1.25.4' github token: ${{ secrets.GITHUB_TOKEN }} - name: Checkout code @@ -87,12 +87,15 @@ jobs: - name: Confirm certificate rotation run: | OLDCERTSTART=$(kubectl -n alpha exec nifi-0 -c server -- curl -kv https://localhost:8443 2>&1 | /bin/grep start) - echo Certificate "$OLDCERTSTART" + echo Old Certificate "$OLDCERTSTART" cmctl -n alpha renew nifi-0 + kubectl -n alpha rollout restart statefulset/nifi + kubectl -n alpha rollout status --watch statefulset/nifi --timeout=5m + sleep 5m for n in [ 0 1 2 3 4 5 6 7 8 9 ] do NEWCERTSTART=$(kubectl -n alpha exec nifi-0 -c server -- curl -kv https://localhost:8443 2>&1 | /bin/grep start) - echo Certificate "$NEWCERTSTART" + echo New Certificate "$NEWCERTSTART" if [ \""$OLDCERTSTART"\" != \""$NEWCERTSTART"\" ] then exit 0 diff --git a/tests/05-install-cert-manager.bash b/tests/05-install-cert-manager.bash index 24608098..d30add6f 100755 --- a/tests/05-install-cert-manager.bash +++ b/tests/05-install-cert-manager.bash @@ -11,8 +11,7 @@ ARCH=$(go env GOARCH) /bin/rm -rf /tmp/cmctl-install mkdir -p /tmp/cmctl-install -curl -fsSL -o /tmp/cmctl-install/cmctl.tar.gz https://github.com/cert-manager/cert-manager/releases/latest/download/cmctl-$OS-$ARCH.tar.gz +curl -L -o /tmp/cmctl-install/cmctl.tar.gz https://github.com/jetstack/cert-manager/releases/latest/download/cmctl-$OS-$ARCH.tar.gz (cd /tmp/cmctl-install ; tar xvzf cmctl.tar.gz ; sudo mv cmctl /usr/local/bin) -kubectl create namespace cert-manager -cmctl experimental install -n cert-manager +cmctl experimental install 
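Review bot: With the added `kubectl -n alpha rollout restart statefulset/nifi`, the comparison in the loop can succeed for the wrong reason. If the `kubectl exec ... curl` fails or prints no `start` line, `NEWCERTSTART` is empty, differs from `OLDCERTSTART`, and the step exits 0 without a renewed certificate having been observed. Require a non-empty value first, e.g. `if [ -n "$NEWCERTSTART" ] && [ "$OLDCERTSTART" != "$NEWCERTSTART" ]`. The added `sleep 5m` follows a `rollout status --watch`, which presumably already waits for the rollout to finish, so it looks like a fixed delay that the existing retry loop could cover. The loop body continues outside the hunk.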
From 317862a064193481dd0faf61360a192f625a2c5f Mon Sep 17 00:00:00 2001 From: Tan Luu Date: Fri, 19 May 2023 18:59:13 +0700 Subject: [PATCH 17/18] Update s2s test Signed-off-by: Tan Luu --- .github/workflows/test-site-to-site.yml | 3 +++ tests/05-install-cert-manager.bash | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/test-site-to-site.yml b/.github/workflows/test-site-to-site.yml index 041c1952..bd8d8e21 100644 --- a/.github/workflows/test-site-to-site.yml +++ b/.github/workflows/test-site-to-site.yml @@ -89,9 +89,12 @@ jobs: OLDCERTSTART=$(kubectl -n alpha exec nifi-0 -c server -- curl -kv https://localhost:8443 2>&1 | /bin/grep start) echo Old Certificate "$OLDCERTSTART" cmctl -n alpha renew nifi-0 + # Remove below block of code when issue NIFI-11536 is fixed + ######################################################################### kubectl -n alpha rollout restart statefulset/nifi kubectl -n alpha rollout status --watch statefulset/nifi --timeout=5m sleep 5m + ######################################################################### for n in [ 0 1 2 3 4 5 6 7 8 9 ] do NEWCERTSTART=$(kubectl -n alpha exec nifi-0 -c server -- curl -kv https://localhost:8443 2>&1 | /bin/grep start) diff --git a/tests/05-install-cert-manager.bash b/tests/05-install-cert-manager.bash index d30add6f..d8e38d80 100755 --- a/tests/05-install-cert-manager.bash +++ b/tests/05-install-cert-manager.bash @@ -11,7 +11,7 @@ ARCH=$(go env GOARCH) /bin/rm -rf /tmp/cmctl-install mkdir -p /tmp/cmctl-install -curl -L -o /tmp/cmctl-install/cmctl.tar.gz https://github.com/jetstack/cert-manager/releases/latest/download/cmctl-$OS-$ARCH.tar.gz +curl -L -o /tmp/cmctl-install/cmctl.tar.gz https://github.com/cert-manager/cert-manager/releases/latest/download/cmctl-$OS-$ARCH.tar.gz (cd /tmp/cmctl-install ; tar xvzf cmctl.tar.gz ; sudo mv cmctl /usr/local/bin) cmctl experimental install From ea0c9e347cfee32356136f9d0cccee3accf00632 Mon Sep 17 00:00:00 2001 
From: Sebastien Dupont Date: Mon, 2 Oct 2023 10:54:01 +0200 Subject: [PATCH 18/18] relaunch tests --- .github/workflows/test-site-to-site.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/test-site-to-site.yml b/.github/workflows/test-site-to-site.yml index bd8d8e21..dc0336f3 100644 --- a/.github/workflows/test-site-to-site.yml +++ b/.github/workflows/test-site-to-site.yml @@ -90,6 +90,7 @@ jobs: echo Old Certificate "$OLDCERTSTART" cmctl -n alpha renew nifi-0 # Remove below block of code when issue NIFI-11536 is fixed + # i.e. in version 1.23 https://issues.apache.org/jira/browse/NIFI-11536 ######################################################################### kubectl -n alpha rollout restart statefulset/nifi kubectl -n alpha rollout status --watch statefulset/nifi --timeout=5m