diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index da447bca..1382bc54 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -4,11 +4,13 @@ on:
push:
branches:
- main
+ - fix-1.3.0
pull_request:
branches:
- main
types:
- closed
+ workflow_dispatch:
jobs:
example:
@@ -16,18 +18,16 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
- name: Setup Minikube
- uses: manusa/actions-setup-minikube@v2.7.2
+ uses: manusa/actions-setup-minikube@v2.11.0
with:
- minikube version: 'v1.28.0'
- kubernetes version: 'v1.25.4'
+ minikube version: 'v1.33.0'
+ kubernetes version: 'v1.30.0'
github token: ${{ secrets.GITHUB_TOKEN }}
#- run: minikube addons list
#- name: Interact with the cluster
# run: kubectl get nodes
- - name: Checkout code
- uses: actions/checkout@v3
- name: Install dependencies
run: |
helm repo add bitnami https://charts.bitnami.com/bitnami
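Review bot: The `Setup Minikube` step still references a third-party action by a mutable tag (`manusa/actions-setup-minikube@v2.11.0`) while passing it `secrets.GITHUB_TOKEN`, so the code that receives the token can change without any change to this file. Pinning to the full commit SHA with the tag kept as a comment, `uses: manusa/actions-setup-minikube@<full-commit-sha>  # v2.11.0`, makes the reviewed code the code that runs; the same applies to `actions/checkout@v4`. No `permissions:` block is visible in these hunks; if the workflow has none, adding a workflow-level `permissions:` with `contents: read` would limit what the token can do. The `Install dependencies` step continues outside the hunk.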
@@ -53,5 +53,5 @@ jobs:
exit 1
- name: Check that web application responds with expected content
run: |
- kubectl exec pod/nifi-0 -c server -- curl -sk https://localhost:8443 | \
+ kubectl exec pod/nifi-0 -c server -- curl -sk https://nifi-0:8443 | \
grep 'You may have mistyped'
diff --git a/Chart.yaml b/Chart.yaml
index e45e4937..e282297b 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -1,7 +1,7 @@
---
apiVersion: v2
name: nifi
-version: 1.3.0
+version: 1.3.1
appVersion: 1.27.0
description: Apache NiFi is a software project from the Apache Software Foundation designed to automate the flow of data between software systems.
keywords:
diff --git a/README.md b/README.md
index b2ecdd50..72db6916 100644
--- a/README.md
+++ b/README.md
@@ -98,15 +98,11 @@ The following table lists the configurable parameters of the nifi chart and the
| `image.tag` | nifi Image tag | `1.23.2` |
| `image.pullPolicy` | nifi Image pull policy | `IfNotPresent` |
| `image.pullSecret` | nifi Image pull secret | `nil` |
-| **SecurityContext** | | |
-| `securityContext.runAsUser` | nifi Docker User | `1000` |
-| `securityContext.fsGroup` | nifi Docker Group | `1000` |
| **sts** | | |
| `sts.useHostNetwork` | If true, use the host's network | `nil` |
| `sts.serviceAccount.create` | If true, a service account will be created and used by the statefulset | `false` |
| `sts.serviceAccount.name` | When set, the set name will be used as the service account name. If a value is not provided a name will be generated based on Chart options | `nil` |
| `sts.serviceAccount.annotations` | Service account annotations | `{}` |
-| `sts.podManagementPolicy` | Parallel podManagementPolicy | `Parallel` |
| `sts.AntiAffinity` | Affinity for pod assignment | `soft` |
| `sts.pod.annotations` | Pod template annotations | `security.alpha.kubernetes.io/sysctls: net.ipv4.ip_local_port_range=10000 65000` |
| `sts.hostAliases ` | Add entries to Pod /etc/hosts | `[]` |
@@ -141,7 +137,7 @@ The following table lists the configurable parameters of the nifi chart and the
| `properties.siteToSite.port` | Site to Site properties Secure port | `10000` |
| `properties.safetyValve` | Map of explicit 'property: value' pairs that overwrite other configuration | `nil` |
| `properties.customLibPath` | Path of the custom libraries folder | `nil` |
-| `properties.webProxyHost` | Proxy to access to Nifi through the cluster ip address | `Port:30236` |
+| `properties.webProxyHost` | Proxy to access to Nifi through the cluster ip address | `[nifi.nifi.svc]` |
| **[Authentication](/doc/USERMANAGEMENT.md)** | | |
| **Single-user authentication** | Automatically disabled if Client Certificate, OIDC, or LDAP enabled | |
| `auth. admin` | Default admin identity. It will overwrite the LDAP Bind DN for this purpose, when both is filled | ` CN=admin, OU=NIFI` |
@@ -168,9 +164,6 @@ The following table lists the configurable parameters of the nifi chart and the
| Note that OIDC authentication to a multi-NiFi-node cluster requires Ingress sticky sessions | See [background](https://community.cloudera.com/t5/Support-Questions/OIDC-With-Azure-AD/m-p/232324#M194163) | Also [how](https://kubernetes.github.io/ingress-nginx/examples/affinity/cookie/) |
| **postStart** | | |
| `postStart` | Include additional libraries in the Nifi containers by using the postStart handler | `nil` |
-| **Headless Service** | | |
-| `headless.type` | Type of the headless service for nifi | `ClusterIP` |
-| `headless.annotations` | Headless Service annotations | `service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"` |
| **UI Service** | | |
| `service.type` | Type of the UI service for nifi | `NodePort` |
| `service.httpPort` | Port to expose service | `8080` |
diff --git a/charts/ca/templates/deployment.yaml b/charts/ca/templates/deployment.yaml
index 0af662f7..5a214771 100644
--- a/charts/ca/templates/deployment.yaml
+++ b/charts/ca/templates/deployment.yaml
@@ -51,7 +51,11 @@ spec:
{{- end }}
terminationGracePeriodSeconds: 0
securityContext:
-{{ toYaml .Values.securityContext | indent 8 }}
+ runAsUser: 1000
+ fsGroup: 1000
+ sysctls:
+ - name: net.ipv4.ip_local_port_range
+ value: "10000 65000"
{{- if .Values.persistence.enabled }}
initContainers:
- command:
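Review bot: Hard-coding `runAsUser`, `fsGroup` and the `sysctls` entry under `securityContext:` takes the pod security context out of the operator's hands. It can no longer be tightened (for example with `runAsNonRoot: true` or a `seccompProfile`) or adapted to clusters whose admission policy assigns UID ranges or rejects pod sysctls. The same replacement is made in templates/statefulset.yaml (hunk `@@ -80,10 +82,12 @@`), and values.yaml drops the `securityContext` key. Keeping the values-driven line, `{{ toYaml .Values.securityContext | indent 8 }}`, with these three settings as the defaults in values.yaml gives the same out-of-the-box result without removing the override. The pod spec continues outside the hunk.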
diff --git a/configs/logback.xml b/configs/logback.xml
new file mode 100644
index 00000000..46de56b8
--- /dev/null
+++ b/configs/logback.xml
@@ -0,0 +1,261 @@
+
+
+
+
+
+
+
+ true
+
+
+
+ ${org.apache.nifi.bootstrap.config.log.dir}/nifi-app.log
+
+
+ ${org.apache.nifi.bootstrap.config.log.dir}/nifi-app_%d{yyyy-MM-dd_HH}.%i.log
+ 100MB
+
+ 30
+
+ true
+
+ %date %level [%thread] %logger{40} %msg%n
+
+
+
+
+ ${org.apache.nifi.bootstrap.config.log.dir}/nifi-user.log
+
+
+ ${org.apache.nifi.bootstrap.config.log.dir}/nifi-user_%d.log
+
+ 30
+
+
+ %date %level [%thread] %logger{40} %msg%n
+
+
+
+
+ ${org.apache.nifi.bootstrap.config.log.dir}/nifi-request.log
+
+ ${org.apache.nifi.bootstrap.config.log.dir}/nifi-request_%d.log
+ 30
+
+
+ %msg%n
+
+
+
+
+ ${org.apache.nifi.bootstrap.config.log.dir}/nifi-bootstrap.log
+
+
+ ${org.apache.nifi.bootstrap.config.log.dir}/nifi-bootstrap_%d.log
+
+ 5
+
+
+ %date %level [%thread] %logger{40} %msg%n
+
+
+
+
+ ${org.apache.nifi.bootstrap.config.log.dir}/nifi-deprecation.log
+
+ ${org.apache.nifi.bootstrap.config.log.dir}/nifi-deprecation_%d.%i.log
+ 10MB
+ 10
+ 100MB
+
+
+ %date %level [%thread] %logger %msg%n
+
+
+
+
+
+
+
+ ${org.apache.nifi.bootstrap.config.log.dir}/nifi-app-${logFileSuffix}.log
+
+
+ ${org.apache.nifi.bootstrap.config.log.dir}/nifi-app-${logFileSuffix}_%d{yyyy-MM-dd_HH}.%i.log
+ 100MB
+
+ 30
+
+ true
+
+ %date %level [%thread] %logger{40} %msg%n
+
+
+
+
+
+
+
+ %date %level [%thread] %logger{40} %msg%n
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/configs/nifi.properties b/configs/nifi.properties
index 96ee3b33..48607d1e 100644
--- a/configs/nifi.properties
+++ b/configs/nifi.properties
@@ -130,7 +130,13 @@ nifi.remote.contents.cache.expiration=30 secs
# web properties #
nifi.web.war.directory=./lib
-nifi.web.proxy.host={{.Values.properties.webProxyHost}}
+{{- if .Values.properties.webProxyHost }}
+# Values set by the user in values.yaml.
+nifi.web.proxy.host={{.Values.properties.webProxyHost | join ","}}
+{{- else }}
+nifi.web.proxy.host={{ template "apache-nifi.fullname" $ }}.{{ .Release.Namespace }}.svc
+{{- end }}
+
nifi.web.https.port={{.Values.properties.httpsPort}}
nifi.web.http.host=
nifi.web.http.network.interface.default=eth0
diff --git a/dist/nifi-1.3.1.tgz b/dist/nifi-1.3.1.tgz
new file mode 100644
index 00000000..120ddd1e
Binary files /dev/null and b/dist/nifi-1.3.1.tgz differ
diff --git a/templates/configmap.yaml b/templates/configmap.yaml
index bccc9f94..06d1a6f8 100644
--- a/templates/configmap.yaml
+++ b/templates/configmap.yaml
@@ -9,6 +9,6 @@ metadata:
release: {{ .Release.Name | quote }}
heritage: {{ .Release.Service | quote }}
annotations:
- lastUpdate: {{ now | quote }}
+ checksum/config: {{ (.Files.Glob "configs/*").AsConfig | sha256sum | quote }}
data:
{{ (tpl (.Files.Glob "configs/*").AsConfig . ) | indent 2 }}
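Review bot: The `checksum/config` annotation hashes the raw files under `configs/`, but the `data:` section below it renders those files through `tpl`. A change that only touches values (for example `properties.webProxyHost` or `properties.httpsPort`, both used in configs/nifi.properties) therefore alters the rendered config without altering the hash. templates/statefulset.yaml (hunk `@@ -19,6 +20,7 @@`) adds the same expression to the pod template, presumably to roll the pods on config changes, so a values-only change would likely leave running pods on the old configuration. Hashing the rendered text fixes both places: `checksum/config: {{ tpl (.Files.Glob "configs/*").AsConfig . | sha256sum | quote }}`.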
diff --git a/templates/service.yaml b/templates/service.yaml
index 5de375b7..db6baf19 100644
--- a/templates/service.yaml
+++ b/templates/service.yaml
@@ -8,12 +8,9 @@ metadata:
chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
release: {{ .Release.Name | quote }}
heritage: {{ .Release.Service | quote }}
-{{- if .Values.headless.annotations }}
annotations:
-{{ toYaml .Values.headless.annotations | indent 4 }}
-{{- end }}
+ service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
spec:
- type: {{ .Values.headless.type }}
clusterIP: None
ports:
- port: {{ .Values.properties.httpsPort }}
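Review bot: The now hard-coded annotation `service.alpha.kubernetes.io/tolerate-unready-endpoints` is the deprecated alpha form; as far as I know recent Kubernetes releases no longer act on it, and the workflow in this commit tests against `v1.30.0`. The supported equivalent is the Service field `publishNotReadyAddresses: true` under `spec:`. If that is not already set further down (the spec continues outside the hunk), NiFi nodes may be unable to resolve each other through the headless service until they are Ready. A short comment above the setting explaining why unready endpoints must be published would also help, now that it is no longer configurable.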
diff --git a/templates/statefulset.yaml b/templates/statefulset.yaml
index c19eb9ab..61c5a02f 100644
--- a/templates/statefulset.yaml
+++ b/templates/statefulset.yaml
@@ -9,7 +9,8 @@ metadata:
release: {{ .Release.Name | quote }}
heritage: {{ .Release.Service | quote }}
spec:
- podManagementPolicy: {{ .Values.sts.podManagementPolicy }}
+ # Parallel podManagementPolicy for faster bootstrap and teardown. OrderedReady(default) is not recommended here.
+ podManagementPolicy: Parallel
serviceName: {{ template "apache-nifi.fullname" . }}-headless
replicas: {{ .Values.replicaCount }}
selector:
@@ -19,6 +20,7 @@ spec:
template:
metadata:
annotations:
+ checksum/config: {{ (.Files.Glob "configs/*").AsConfig | sha256sum | quote }}
{{- if .Values.sts.pod.annotations }}
{{ toYaml .Values.sts.pod.annotations | indent 8 }}
{{- end }}
@@ -80,10 +82,12 @@ spec:
nodeSelector:
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end }}
-{{- if .Values.securityContext }}
securityContext:
-{{ toYaml .Values.securityContext | indent 8 }}
-{{- end }}
+ runAsUser: 1000
+ fsGroup: 1000
+ sysctls:
+ - name: net.ipv4.ip_local_port_range
+ value: "10000 65000"
initContainers:
{{- if .Values.properties.isNode }}
- name: zookeeper
@@ -161,13 +165,6 @@ spec:
prop_replace nifi.zookeeper.connect.string ${NIFI_ZOOKEEPER_CONNECT_STRING}
prop_replace nifi.web.http.host ${FQDN}
-{{- if .Values.properties.webProxyHost }}
- # Update nifi.properties for web ui proxy hostname
- prop_replace nifi.web.proxy.host {{ .Values.properties.webProxyHost }}
-{{- else }}
- prop_replace nifi.web.proxy.host {{ template "apache-nifi.fullname" $ }}.{{ .Release.Namespace }}.svc
-{{- end }}
-
{{- if .Values.certManager.enabled }}
prop_replace nifi.security.keystore "${NIFI_HOME}/tls/keystore.jks"
prop_replace nifi.security.keystoreType JKS
@@ -256,7 +253,7 @@ spec:
echo "truststore=$(prop nifi.security.truststore)" >> secure.properties
echo "truststorePasswd=$(prop nifi.security.truststorePasswd)" >> secure.properties
echo "proxiedEntity={{ .Values.auth.admin }}" >> secure.properties
-
+
secureArgs="-p secure.properties"
echo baseUrl ${baseUrl}
@@ -323,7 +320,7 @@ spec:
{{- if .Values.metrics.prometheus.enabled }}
- containerPort: {{ .Values.metrics.prometheus.port }}
name: metrics
- protocol: TCP
+ protocol: TCP
{{- end }}
- containerPort: {{ .Values.properties.httpsPort }}
{{- if .Values.sts.hostPort }}
@@ -472,6 +469,9 @@ spec:
- name: "zookeeper-properties"
mountPath: /opt/nifi/nifi-current/conf/zookeeper.properties
subPath: "zookeeper.properties"
+ - name: "logback-xml"
+ mountPath: /opt/nifi/nifi-current/conf/logback.xml
+ subPath: "logback.xml"
- name: "flow-content"
mountPath: /opt/nifi/data/flow.xml
subPath: "flow.xml"
@@ -518,7 +518,7 @@ spec:
- name: app-log
imagePullPolicy: {{ .Values.sidecar.imagePullPolicy | default "Always" | quote }}
image: "{{ .Values.sidecar.image }}:{{ .Values.sidecar.tag }}"
- args:
+ args:
- /bin/sh
- -c
- trap "exit 0" TERM; tail -n+1 -F /var/log/nifi-app.log & wait $!
@@ -575,7 +575,7 @@ spec:
- -ce
- |
trap "exit 0" TERM
-
+
NODENAME=$(hostname)
mkdir -p "${NIFI_HOME}"/tls/cert-manager
@@ -594,12 +594,12 @@ spec:
--output /tmp/secret.json
jq .data < /tmp/secret.json > /tmp/secret-data.json
rm -f /tmp/secret.json
- }
-
+ }
+
pullNodeSecretData
jq -r '."ca.crt"' < /tmp/secret-data.json | base64 -d > "${NIFI_HOME}"/tls/cert-manager/ca.crt
touch /tmp/tls.crt.old
-
+
rm -f "${NIFI_HOME}/tls/truststore-new.jks"
for ca in "${NIFI_HOME}"/tls/*/ca.crt
do
@@ -740,6 +740,12 @@ spec:
items:
- key: "zookeeper.properties"
path: "zookeeper.properties"
+ - name: "logback-xml"
+ configMap:
+ name: {{ template "apache-nifi.fullname" . }}-config
+ items:
+ - key: "logback.xml"
+ path: "logback.xml"
- name: "flow-content"
configMap:
name: {{ template "apache-nifi.fullname" . }}-config
diff --git a/tests/04-oidc-values.yaml b/tests/04-oidc-values.yaml
index 0f0bccc8..418972e5 100644
--- a/tests/04-oidc-values.yaml
+++ b/tests/04-oidc-values.yaml
@@ -14,7 +14,8 @@ auth:
claimIdentifyingUser: email
properties:
- webProxyHost: nifi.default.svc.cluster.local:8443
+ webProxyHost:
+ - nifi.default.svc.cluster.local:8443
sts:
startupProbe:
diff --git a/tests/05-secure-cluster-values.yaml b/tests/05-secure-cluster-values.yaml
index 899ca3fa..7b0ec8e5 100644
--- a/tests/05-secure-cluster-values.yaml
+++ b/tests/05-secure-cluster-values.yaml
@@ -3,7 +3,7 @@ zookeeper:
properties:
isNode: true
- webProxyHost: nifi.default.svc.cluster.local:8443
+ webProxyHost: [nifi.default.svc.cluster.local:8443]
replicaCount: 2
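Review bot: The flow-sequence entry on the `webProxyHost` line is an unquoted scalar containing a colon, which is easy to misread as a mapping. It is also written differently from the same setting in tests/07-oidc-cluster-values.yaml (quoted flow list) and tests/04-oidc-values.yaml (block list). Quoting it keeps the files consistent and avoids relying on how a parser treats `:` inside a flow collection: `webProxyHost: ["nifi.default.svc.cluster.local:8443"]`.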
diff --git a/tests/07-oidc-cluster-values.yaml b/tests/07-oidc-cluster-values.yaml
index 54f8aa51..46aeb4fe 100644
--- a/tests/07-oidc-cluster-values.yaml
+++ b/tests/07-oidc-cluster-values.yaml
@@ -17,7 +17,7 @@ sts:
replicaCount: 3
properties:
- webProxyHost: ingress-nginx-controller.ingress-nginx.svc.cluster.local
+ webProxyHost: ["ingress-nginx-controller.ingress-nginx.svc.cluster.local"]
isNode: true
auth:
diff --git a/values.yaml b/values.yaml
index cf5ae607..8ec63a62 100644
--- a/values.yaml
+++ b/values.yaml
@@ -12,33 +12,24 @@ image:
repository: apache/nifi
tag: "1.27.0"
pullPolicy: "IfNotPresent"
-
## Optionally specify an imagePullSecret.
## Secret must be manually created in the namespace.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
##
# pullSecret: myRegistrKeySecretName
-securityContext:
- runAsUser: 1000
- fsGroup: 1000
- sysctls:
- - name: net.ipv4.ip_local_port_range
- value: "10000 65000"
-
-## @param useHostNetwork - boolean - optional
-## Bind ports on the hostNetwork. Useful for CNI networking where hostPort might
-## not be supported. The ports need to be available on all hosts. It can be
-## used for custom metrics instead of a service endpoint.
-##
-## WARNING: Make sure that hosts using this are properly firewalled otherwise
-## metrics and traces are accepted from any host able to connect to this host.
-#
+# Amount of memory to give the NiFi java heap
+jvmMemory: 2g
sts:
- # Parallel podManagementPolicy for faster bootstrap and teardown. Default is OrderedReady.
- podManagementPolicy: Parallel
AntiAffinity: soft
+ ## @param useHostNetwork - boolean - optional
+ ## Bind ports on the hostNetwork. Useful for CNI networking where hostPort might
+ ## not be supported. The ports need to be available on all hosts. It can be
+ ## used for custom metrics instead of a service endpoint.
+ ##
+ ## WARNING: Make sure that hosts using this are properly firewalled otherwise
+ ## metrics and traces are accepted from any host able to connect to this host.
useHostNetwork: null
hostPort: null
pod:
@@ -67,6 +58,7 @@ sts:
# - key1
# - key2
# mountPath: /opt/nifi/secret
+secrets: {}
## Useful if using any custom configmaps
## Pass in some configmaps to use (if required)
@@ -75,7 +67,7 @@ sts:
# keys:
# - myconf.conf
# mountPath: /opt/nifi/custom-config
-
+configmaps: {}
properties:
# https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#nifi_sensitive_props_key
@@ -97,7 +89,9 @@ properties:
externalSecure: false
isNode: false
httpsPort: 8443
- webProxyHost: # : (If Nifi service is NodePort or LoadBalancer)
+ webProxyHost: [] # : (If Nifi service is NodePort or LoadBalancer)
+# - localhost:30001
+# - localhost:30002
clusterPort: 6007
zkClientEnsembleTraker: false # https://issues.apache.org/jira/browse/NIFI-10481
clusterNodeConnectionTimeout: '5 sec'
@@ -114,14 +108,16 @@ properties:
port: 10000
# use properties.safetyValve to pass explicit 'key: value' pairs that overwrite other configuration
#nifi.variable.registry.properties: "${NIFI_HOME}/example1.properties, ${NIFI_HOME}/example2.properties"
- safetyValve: { }
+ safetyValve: {}
- ## Include aditional processors
+ ## Include additional processors
# customLibPath: "/opt/configuration_resources/custom_lib"
+ customLibPath: nil
## Include additional libraries in the Nifi containers by using the postStart handler
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/
# postStart: /opt/nifi/psql; wget -P /opt/nifi/psql https://jdbc.postgresql.org/download/postgresql-42.2.6.jar
+ postStart: nil
# Nifi User Authentication
auth:
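Review bot: `customLibPath: nil` and `postStart: nil` do not set null values: YAML has no `nil` keyword, so both parse as the string `"nil"`. Any template that tests these keys for truthiness would then take its enabled branch. For `postStart` that presumably means a lifecycle hook that tries to run `nil`, and for `customLibPath` a library path of `nil`; the consuming templates are outside this diff, so please confirm. Writing `customLibPath: null` and `postStart: null`, or leaving the keys commented out as before, keeps them unset. The `properties:` block starts outside the hunk.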
@@ -185,12 +181,6 @@ openldap:
## ref: http://kubernetes.io/docs/user-guide/services/
##
-# headless service
-headless:
- type: ClusterIP
- annotations:
- service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
-
# ui service
service:
type: ClusterIP
@@ -238,9 +228,6 @@ ingress:
path: /
# If you want to change the default path, see this issue https://github.com/cetic/helm-nifi/issues/22
-# Amount of memory to give the NiFi java heap
-jvmMemory: 2g
-
# Separate image for tailing each log separately and checking zookeeper connectivity
sidecar:
image: busybox
@@ -459,5 +446,4 @@ metrics:
enabled: false
# namespace: monitoring
# Additional labels for the ServiceMonitor
- labels: {}
labels: { }