Skip to content
This repository has been archived by the owner on Feb 12, 2024. It is now read-only.

Support Enable/Disable NiFi Zookeeper client Zookeeper Ensemble Tracker #294

Closed
11 changes: 9 additions & 2 deletions .github/workflows/test-site-to-site.yml
@@ -87,12 +87,19 @@ jobs:
- name: Confirm certificate rotation
run: |
OLDCERTSTART=$(kubectl -n alpha exec nifi-0 -c server -- curl -kv https://localhost:8443 2>&1 | /bin/grep start)
echo Certificate "$OLDCERTSTART"
echo Old Certificate "$OLDCERTSTART"
cmctl -n alpha renew nifi-0
# Remove below block of code when issue NIFI-11536 is fixed
# i.e. in version 1.23 https://issues.apache.org/jira/browse/NIFI-11536
#########################################################################
kubectl -n alpha rollout restart statefulset/nifi
Contributor
This defeats the purpose of the test, which was to confirm that NiFi is automatically detecting the certificate has changed and restarting the TLS modules. If we want to disable this test because NiFi is broken, then I would recommend commenting it out with a comment rather than forcing a restart.

Contributor Author
Add a TODO to remove this block of code when NIFI issue is fixed

kubectl -n alpha rollout status --watch statefulset/nifi --timeout=5m
sleep 5m
#########################################################################
for n in [ 0 1 2 3 4 5 6 7 8 9 ]
do
NEWCERTSTART=$(kubectl -n alpha exec nifi-0 -c server -- curl -kv https://localhost:8443 2>&1 | /bin/grep start)
echo Certificate "$NEWCERTSTART"
echo New Certificate "$NEWCERTSTART"
if [ \""$OLDCERTSTART"\" != \""$NEWCERTSTART"\" ]
then
exit 0
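Review bot: `for n in [ 0 1 2 3 4 5 6 7 8 9 ]` iterates over the literal words `[` and `]` as well as the ten digits, so the poll body runs twelve times rather than ten; write `for n in 0 1 2 3 4 5 6 7 8 9` (or `$(seq 0 9)`). Separately, the `kubectl -n alpha rollout restart statefulset/nifi` inserted between `cmctl -n alpha renew nifi-0` and the comparison loop makes the "Confirm certificate rotation" step pass whether or not NiFi picks up the renewed certificate on its own, which is the very thing the step was written to check; until NIFI-11536 is resolved it is clearer to skip the step behind a TODO than to keep it green by restarting the pods. The fixed `sleep 5m` after a successful `rollout status --watch` is dead time either way and can be dropped once the restart goes.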
4 changes: 2 additions & 2 deletions Chart.yaml
@@ -1,8 +1,8 @@
---
apiVersion: v2
name: nifi
version: 1.1.4
appVersion: 1.16.3
version: 1.1.5
appVersion: 1.20.0
description: Apache NiFi is a software project from the Apache Software Foundation designed to automate the flow of data between software systems.
keywords:
- nifi
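Review bot: `appVersion` moves from `1.16.3` to `1.20.0`, four NiFi minor releases, while the chart `version` only goes from `1.1.4` to `1.1.5`; anyone tracking `~1.1` will pull the new image on their next `helm upgrade` without a signal that the application changed. Consider a minor chart bump and a changelog entry that names the image change and the new values this PR introduces.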
14 changes: 10 additions & 4 deletions README.md
@@ -35,8 +35,9 @@ The following items can be set via `--set` flag during installation or configure

#### Configure how to persist data

- **Disable**: The data does not survive the termination of a pod.
- **Persistent Volume Claim(default)**: A default `StorageClass` is needed in the Kubernetes cluster to dynamically provision the volumes. Specify another StorageClass in the `storageClass` or set `existingClaim` if you have already existing persistent volumes to use.
- **Disable(default)**: The data does not survive the termination of a pod.
- **Persistent Volume Claim**: Enable persistence so that data survives termination of the pod. There is the choice of using one large persistent volume (using subPath) or seven separate persistent volumes for config, data, logs, repos, etc.
A default `StorageClass` is needed in the Kubernetes cluster to dynamically provision the volumes. Specify another StorageClass in the `persistence.storageClass` setting.

#### Configure authentication

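Review bot: the removed line told users to set `existingClaim` when they already have volumes to reuse; the replacement only mentions `persistence.storageClass`, while the parameter table further down still lists `persistence.existingClaim`. Keep one sentence here that points at `persistence.existingClaim` and says which layout it applies to (the single subPath volume, the seven separate volumes, or both), otherwise the option is documented only as a table row with no guidance.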
@@ -95,7 +96,7 @@ The following table lists the configurable parameters of the nifi chart and the
| `replicaCount` | Number of nifi nodes | `1` |
| **Image** |
| `image.repository` | nifi Image name | `apache/nifi` |
| `image.tag` | nifi Image tag | `1.16.3` |
| `image.tag` | nifi Image tag | `1.20.0` |
| `image.pullPolicy` | nifi Image pull policy | `IfNotPresent` |
| `image.pullSecret` | nifi Image pull secret | `nil` |
| **SecurityContext** |
@@ -155,6 +156,7 @@ The following table lists the configurable parameters of the nifi chart and the
| `auth.oidc.clientId` | oidc clientId | `nil` |
| `auth.oidc.clientSecret` | oidc clientSecret | `nil` |
| `auth.oidc.claimIdentifyingUser` | oidc claimIdentifyingUser | `email` |
| `auth.oidc.preferredJwsAlgorithm` | The preferred algorithm for validating identity tokens. If this value is blank, it will default to RS256 which is required to be supported by the OpenID Connect Provider according to the specification. If this value is HS256, HS384, or HS512, NiFi will attempt to validate HMAC protected tokens using the specified client secret. If this value is none, NiFi will attempt to validate unsecured/plain tokens. | `nil` |
| `auth.oidc.admin` | Default OIDC admin identity | `[email protected]` |
| Note that OIDC authentication to a multi-NiFi-node cluster requires Ingress sticky sessions | See [background](https://community.cloudera.com/t5/Support-Questions/OIDC-With-Azure-AD/m-p/232324#M194163) | Also [how](https://kubernetes.github.io/ingress-nginx/examples/affinity/cookie/) |
| **postStart** |
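Review bot: the description of `auth.oidc.preferredJwsAlgorithm` lists `none` as an accepted value with no warning. With `none`, NiFi accepts unsigned ID tokens, which removes the integrity check on the identity that `auth.oidc.claimIdentifyingUser` is read from; the `HS256`/`HS384`/`HS512` options reduce token validation to knowledge of `auth.oidc.clientSecret`. Recommend stating in this row that the value should be left blank (RS256) outside of testing, and that `none` must never be used in production, rather than presenting the three modes as equivalent choices.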
@@ -184,14 +186,16 @@ The following table lists the configurable parameters of the nifi chart and the
| `persistence.enabled` | Use persistent volume to store data | `false` |
| `persistence.storageClass` | Storage class name of PVCs (use the default type if unset) | `nil` |
| `persistence.accessMode` | ReadWriteOnce or ReadOnly | `[ReadWriteOnce]` |
| `persistence.subPath.enabled` | Use only one persistent volume with subPath instead of seven separate persistent volumes | `false` |
| `persistence.subPath.name` | Name of the one persistent volume claim when using subPath | `data` |
| `persistence.subPath.size` | Size of the one persistent volume claim when using subPath | `36Gi` |
| `persistence.configStorage.size` | Size of persistent volume claim | `100Mi` |
| `persistence.authconfStorage.size` | Size of persistent volume claim | `100Mi` |
| `persistence.dataStorage.size` | Size of persistent volume claim | `1Gi` |
| `persistence.flowfileRepoStorage.size` | Size of persistent volume claim | `10Gi` |
| `persistence.contentRepoStorage.size` | Size of persistent volume claim | `10Gi` |
| `persistence.provenanceRepoStorage.size` | Size of persistent volume claim | `10Gi` |
| `persistence.logStorage.size` | Size of persistent volume claim | `5Gi` |
| `persistence.existingClaim` | Use an existing PVC to persist data | `nil` |
| **jvmMemory** |
| `jvmMemory` | bootstrap jvm size | `2g` |
| **SideCar** |
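Review bot: the new `persistence.subPath.*` rows do not say what happens to the seven `persistence.*Storage.size` values when `persistence.subPath.enabled` is `true`, nor whether `persistence.existingClaim` names the single subPath claim or one of the seven; a practitioner sizing storage for `contentRepoStorage` or `provenanceRepoStorage` needs to know whether those values are ignored in subPath mode. Add a sentence to the `persistence.subPath.enabled` row covering both points. While here, the untouched `persistence.accessMode` row describes the options as "ReadWriteOnce or ReadOnly" although the default is rendered as a list (`[ReadWriteOnce]`); align the description with the actual Kubernetes access mode names.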
@@ -219,6 +223,8 @@ The following table lists the configurable parameters of the nifi chart and the
| **env** |
| `env` | Additional environment variables for the nifi-container (see [spec](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#envvar-v1-core) for details) | `[]` |
| `envFrom` | Additional environment variables for the nifi-container from config-maps or secrets (see [spec](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#envfromsource-v1-core) for details) | `[]` |
| **extraOptions** |
| `extraOptions` | Additional bootstrap.conf properties (see [properties](https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#bootstrap_properties) for details) | `[]` |
| **extraContainers** |
| `extraContainers` | Additional container-specifications that should run within the pod (see [spec](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#container-v1-core) for details) | `[]` |
| **extraLabels** |
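Review bot: `extraOptions` is documented only as "Additional bootstrap.conf properties" with a default of `[]`; the template in `configs/bootstrap.conf` iterates over `.name` and `.value`, so the row should state the expected shape, a list of maps with `name` and `value` keys, and show one entry. Because bootstrap.conf carries the `java.arg.*` JVM flags, the row should also say that values are written into the file verbatim, so this setting is effectively a way to pass arbitrary JVM arguments and must be treated with the same care as `env`.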
5 changes: 5 additions & 0 deletions configs/bootstrap.conf
@@ -81,3 +81,8 @@ notification.max.attempts=5
#nifi.dead.notification.services=email-notification


# Extra bootstrap options
{{- range .Values.extraOptions }}
{{ .name }}={{ .value }}
{{- end }}

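Review bot: `{{ .name }}={{ .value }}` renders both fields unescaped and does not check that `name` is set, so an item missing `name` produces a line starting with `=`, and a `value` containing a newline becomes an extra property line; either can silently rewrite `java.arg.N` entries. Consider `{{ required "extraOptions[].name is required" .name }}` for the key and a template comment stating that values are emitted verbatim, matching whatever the README row for `extraOptions` ends up saying.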
3 changes: 2 additions & 1 deletion configs/nifi.properties
@@ -197,7 +197,7 @@ nifi.security.user.oidc.connect.timeout=5 secs
nifi.security.user.oidc.read.timeout=5 secs
nifi.security.user.oidc.client.id={{.Values.auth.oidc.clientId}}
nifi.security.user.oidc.client.secret={{.Values.auth.oidc.clientSecret}}
nifi.security.user.oidc.preferred.jwsalgorithm=
nifi.security.user.oidc.preferred.jwsalgorithm={{.Values.auth.oidc.preferredJwsAlgorithm}}
nifi.security.user.oidc.claim.identifying.user={{.Values.auth.oidc.claimIdentifyingUser}}
nifi.security.user.oidc.additional.scopes={{.Values.auth.oidc.additionalScopes}}
{{end}}
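Review bot: when `auth.oidc.preferredJwsAlgorithm` is left unset, Helm renders the nil value as an empty string here, which preserves the previous behaviour of an empty `nifi.security.user.oidc.preferred.jwsalgorithm=` (RS256). Nothing stops the value `none`, though, which turns off signature validation on ID tokens; a guard such as `{{ if eq (.Values.auth.oidc.preferredJwsAlgorithm | default "") "none" }}{{ fail "auth.oidc.preferredJwsAlgorithm=none disables token signature validation" }}{{ end }}` before this line would keep a values typo from disabling it.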
@@ -238,6 +238,7 @@ nifi.cluster.flow.election.max.wait.time=1 mins
nifi.cluster.flow.election.max.candidates=

# zookeeper properties, used for cluster management #
nifi.zookeeper.client.ensembleTracker={{.Values.properties.zkClientEnsembleTraker}}
nifi.zookeeper.connect.string=
nifi.zookeeper.connect.timeout=3 secs
nifi.zookeeper.session.timeout=3 secs
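Review bot: the values key is spelled `zkClientEnsembleTraker` (missing the `c` of Tracker); unless values.yaml carries the same misspelling, this renders as an empty `nifi.zookeeper.client.ensembleTracker=` and the setting the PR title promises is never applied. Either way, the new value does not appear in the README parameter table in this PR, and its default (`true` or `false`) should be stated there, since the whole point of the change is being able to switch the tracker off.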
14 changes: 9 additions & 5 deletions doc/FAQ.md
@@ -1,13 +1,17 @@
FAQ - Frequently Asked Questions
======
================================

Readyness probe fails
---------------
---------------------

When encountering errors like `Readiness probe failed: Node not found with CONNECTED state` or `Multi-Attach error for volume "pvc-xxxxxx-xxx-xxx-xxxx-xxxxxxxxx" Volume is already exclusively attached to one node and can't be attached to another`, it means Kubernetes can't provide the pod access to the persistent data it wants.
When encountering errors like `Readiness probe failed: Node not found with CONNECTED state` or `Multi-Attach error for volume "pvc-xxxxxx-xxx-xxx-xxxx-xxxxxxxxx" Volume is already exclusively attached to one node and can't be attached to another`, it means Kubernetes can't provide the pod access to the persistent data it wants.

When this happens, reach out to your Kubernetes cluster administrators to find and fix the problem manually.
When this happens, reach out to your Kubernetes cluster administrators to find and fix the problem manually.

For more background, see https://blog.mayadata.io/recover-from-volume-multi-attach-error-in-on-prem-kubernetes-clusters

(see https://github.com/cetic/helm-nifi/issues/47#issuecomment-1122702262)
(see https://github.com/cetic/helm-nifi/issues/47#issuecomment-1122702262)

## Session Afffinity

As mentioned in the official NIFI document regarding [session affinity](https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#session_affinity), it's required to implement this feature for your ingress. Please refer to the ingress controller your are using for how to implement it. One example for GKE is with [issue #271](https://github.com/cetic/helm-nifi/issues/271). If NIFI cluster has more than one node, the session affinity has to be there due to the stateful implementation of each node.
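Review bot: this hunk normalises heading underlines and trailing whitespace but leaves `Readyness` in the heading it touches, and the new section introduces `Afffinity` and "your are"; fix these to `Readiness`, `Affinity` and "you are" while the file is open. The new paragraph repeats the README's note that OIDC on a multi-node cluster needs Ingress sticky sessions; a link from one to the other would save keeping two copies of the same advice in sync.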
2 changes: 1 addition & 1 deletion doc/INSTALLATION.md
@@ -16,7 +16,7 @@ helm dep up
```
2. **Set a sensitiveKey**

In 1.16.3 version, Nifi needs a sensitiveKey to encrypt sensitive information. This key can be setted in the `values.yaml` file:
In 1.20.0 version, Nifi needs a sensitiveKey to encrypt sensitive information. This key can be setted in the `values.yaml` file:

````
properties:
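Review bot: "can be setted" should be "can be set", and swapping `1.16.3` for `1.20.0` means this sentence has to be edited on every `appVersion` bump; phrase the key as a standing requirement of the chart rather than tying it to one version. It is also worth a sentence that putting the key in `values.yaml` places the key that protects sensitive flow properties in source control, and pointing at a Secret-based alternative if the chart offers one.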