cetic / helm-nifi

Helm Chart for Apache Nifi
Apache License 2.0

[cetic/nifi] Openshift installation sample #178

Open gil0109 opened 2 years ago

gil0109 commented 2 years ago

Is it possible to have a sample values.yaml for a simple OpenShift installation? I tried to install on OpenShift and received lots of errors:

  1. Stalls on creating the nifi-registry: the logs show nifi-registry-0 being created with an error of Init:CrashLoopBackOff

  2. Nifi fails with: create Pod nifi-0 in StatefulSet nifi failed error: pods "nifi-0" is forbidden: unable to validate against any security context constraint: [provider restricted: .spec.securityContext.fsGroup: Invalid value: []int64{1000}: 1000 is not an allowed group spec.initContainers[0].securityContext.runAsUser: Invalid value: 1000: must be in the ranges: [1001010000, 1001019999] spec.containers[0].securityContext.runAsUser: Invalid value: 1000: must be in the ranges: [1001010000, 1001019999] spec.containers[1].securityContext.runAsUser: Invalid value: 1000: must be in the ranges: [1001010000, 1001019999] spec.containers[2].securityContext.runAsUser: Invalid value: 1000: must be in the ranges: [1001010000, 1001019999] spec.containers[3].securityContext.runAsUser: Invalid value: 1000: must be in the ranges: [1001010000, 1001019999]]

even when I added this to the values.yaml:

openshift:
  scc:
    enabled: true

  3. Zookeeper also fails (not sure if it is even needed with OpenShift)

create Pod nifi-zookeeper-0 in StatefulSet nifi-zookeeper failed error: pods "nifi-zookeeper-0" is forbidden: unable to validate against any security context constraint: [provider restricted: .spec.securityContext.fsGroup: Invalid value: []int64{1001}: 1001 is not an allowed group spec.containers[0].securityContext.runAsUser: Invalid value: 1001: must be in the ranges: [1001010000, 1001019999]]

Thank you, Karim

gil0109 commented 2 years ago

Fixed the Zookeeper install in OpenShift by running this:

helm install zookeeper bitnami/zookeeper \
  --set resources.requests.memory=256Mi \
  --set resources.requests.cpu=250m \
  --set resources.limits.memory=1Gi \
  --set resources.limits.cpu=250m \
  --set global.storageClass=netapp-block-standard \
  --set networkPolicy.enabled=true \
  --set replicaCount=3 \
  --set securityContext.enabled=false

Still looking to get Nifi and nifi-registry to work ;)

Idan-Maimon commented 2 years ago

Hi, any updates? Did you manage to get NiFi working on OpenShift?

gil0109 commented 2 years ago

Only partially, with a modified Dockerfile for NiFi. I am hoping the person I was working with will have his pull request to fix the current Apache Dockerfile submitted and approved.

My biggest issue right now is that OpenShift manages the SSL layer at the edge, but NiFi requires SSL to be on to enable OIDC. I haven't figured out how to tell NiFi that we already have a proxy with OpenShift.

guimou commented 2 years ago

Hi! If you are still interested, here is some WIP for a NiFi 15.0 deployment on OpenShift. It's part of the manifest work for OpenDataHub (ODH). I created custom container images that are now 100% compatible with OpenShift, based on ubi8 containers/OpenJDK 11. So no need for SCCs any more, ownership taking, blabla,...

gil0109 commented 2 years ago

Thank you @guimou I will give it a try ;)

gil0109 commented 2 years ago

@guimou Is your solution cluster-enabled? I can't seem to enable it on my side without lots of errors...

guimou commented 2 years ago

Yeah, sorry about that. I'm still making some changes, fighting with nodes that sometimes join the cluster, sometimes not. I'm still trying to figure this out. With 3 nodes, for example, sometimes (rarely) I end up with a full cluster, but almost always with a 2-node cluster alongside a 1-node cluster. With the exact same configuration, restarting every time from scratch. Everything seems to be configured properly, the nodes see each other, but according to the logs one decides not to participate in the election it has detected happening on the other side, and instead starts its own. Really weird... All the files that matter, flow.xml, authorizers,... are the same, following the docs, so I don't know how it's happening. Yet, I hope... If anyone has an idea...


guimou commented 2 years ago

OK, here it is finally, fully tested and documented: https://github.com/guimou/odh-manifests/tree/nifi/nifi. It is normally meant to be used as a KfDef for Open Data Hub or Kubeflow, but you can use it directly with Kustomize:

gil0109 commented 2 years ago

@guimou Thanks, will give it a shot; now to learn Kustomize ;)

From the overlays/oidc folder, kustomize build shows the configs; now to figure out how to change the namespace and deploy it ;)

guimou commented 2 years ago

@gil0109 OK, quick recipe then:

gil0109 commented 2 years ago

@guimou Are you on Slack or Teams? I would love to chat more. Here is the error I am getting:

gillani@NE023769:~/git/odh-manifests/nifi/overlays/oidc$ oc apply -k .
error: couldn't make target for ../../base: json: unknown field "envs"

But kustomize build displays fine, except for a message at the beginning saying:

2022/01/17 10:54:54 well-defined vars that were never replaced: ldap_searchBase,ldap_userIdentityMapping,ldap_admin,ldap_host,ldap_searchFilter,ldap_userIdentityAttribute,ldap_pass,admin_password

nwalens commented 2 years ago

You can get it running with the following:

helm install nifi \
  --set ca.enabled=true \
  --set properties.webProxyHost='nifi..' \
  --set replicaCount=3 \
  --set openshift.route.host='nifi..' \
  --set openshift.route.enabled=true \
  --set openshift.scc.enabled=true \
  --set zookeeper.podSecurityContext.enabled=false \
  --set zookeeper.containerSecurityContext.enabled=false \
  --set registry.enabled=false \
  cetic/nifi

Just to clarify, the OpenShift flags in this chart only work for the chart itself; the sub-charts/dependencies are not handled.

For Zookeeper the Bitnami chart is used, therefore its securityContexts must be disabled in order to allow OpenShift to set an arbitrary UID and GID. As for the NiFi registry, the subchart tries to execute chown and mkdir during container startup, and that will not be allowed in OpenShift due to container permissions. What I did was to create the NiFi registry from a Kubernetes manifest, since it is a rather simple deployment.
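A pre-flight check for the admission failures quoted in the first post, following nwalens' explanation of why they happen (an added example, not part of this thread or of the chart): it scans helm template output for hard-coded runAsUser / fsGroup values and compares them with the UID and supplemental-group ranges OpenShift writes into the namespace annotations. The annotation values and the manifest excerpt are constructed to match the range in the error message above.

```python
import re

# Constructed namespace annotations in the format OpenShift writes them
# (<start>/<size>); the range matches the one quoted in the error above.
NAMESPACE_ANNOTATIONS = {
    "openshift.io/sa.scc.uid-range": "1001010000/10000",
    "openshift.io/sa.scc.supplemental-groups": "1001010000/10000",
}

# Constructed excerpt of `helm template` output carrying the hard-coded
# IDs (1000) that the restricted SCC rejected in the issue.
RENDERED_MANIFEST = """
kind: StatefulSet
metadata:
  name: nifi
spec:
  template:
    spec:
      securityContext:
        fsGroup: 1000
      containers:
        - name: server
          securityContext:
            runAsUser: 1000
"""

def parse_range(annotation):
    """'1001010000/10000' -> (1001010000, 1001019999), both ends inclusive."""
    start, size = (int(x) for x in annotation.split("/"))
    return start, start + size - 1

def find_violations(manifest, annotations):
    """Return (object, field, value, allowed) for every hard-coded ID that
    the restricted SCC would refuse to admit into this namespace."""
    ranges = {
        "runAsUser": parse_range(annotations["openshift.io/sa.scc.uid-range"]),
        "fsGroup": parse_range(annotations["openshift.io/sa.scc.supplemental-groups"]),
    }
    violations = []
    for doc in manifest.split("\n---"):  # one object per YAML document
        name_match = re.search(r"^\s*name:\s*(\S+)", doc, re.M)
        name = name_match.group(1) if name_match else "<unnamed>"
        for field, (lo, hi) in ranges.items():
            # A securityContext that omits the field lets OpenShift pick an
            # in-range ID itself, which is what the fixes in this thread do.
            for m in re.finditer(rf"^\s*{field}:\s*(\d+)", doc, re.M):
                value = int(m.group(1))
                if not lo <= value <= hi:
                    violations.append((name, field, value, (lo, hi)))
    return violations
```

Run find_violations() over the real output of helm template with the values you plan to use; an empty list means the restricted SCC has no hard-coded ID to reject, and the remaining failures (like the registry's chown at startup) are a separate problem.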