cetic / helm-nifi

Helm Chart for Apache Nifi
Apache License 2.0

NiFi registry #191

Open bmgante opened 2 years ago

bmgante commented 2 years ago

Hi, I am using chart 0.7.8 and registry is enabled. However, I am not able to connect via HTTP to the registry URL (http://nifi-registry.xxx.net:80, where xxx stands for the internal domain). Can someone provide some guidance on how to access the registry web page?

nifi-registry values.yml below:

# Default values for nifi-registry.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

replicaCount: 1

image:
  repository: apache/nifi-registry
  pullPolicy: IfNotPresent
  tag: "0.8.0"

initContainers:
  git:
    image: alpine/git
    tag: v2.26.2
  alpine:
    image: alpine
    tag: 3.6
  # Additional environment variables to set for the initContainers
  extraEnvs: []
  # extraEnvs:
  #   - name: FOO
  #     value: bar

imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""

serviceAccount:
  # Specifies whether a service account should be created
  create: true
  # Annotations to add to the service account
  annotations: {}
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name: ""

podAnnotations:
  sidecar.istio.io/inject: "true"

podSecurityContext: {}
  # fsGroup: 2000

securityContext: {}
  # capabilities:
  #   drop:
  #   - ALL
  # readOnlyRootFilesystem: true
  # runAsNonRoot: true
  # runAsUser: 1000

service:
  type: ClusterIP
  port: 80

ingress:
  enabled: false
  annotations: {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
  hosts:
    - host: chart-example.local
      paths: []
  tls: []
  #  - secretName: chart-example-tls
  #    hosts:
  #      - chart-example.local

## Persist data to a persistent volume
persistence:
  enabled: true
  database:
    # storageClass: "-"
    accessMode: ReadWriteOnce
    size: 1Gi
  flowStorage:
    # storageClass: "-"
    accessMode: ReadWriteOnce
    size: 1Gi

#resources: {}
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi

resources:
  requests:
    memory: 512Mi
    cpu: 100m
  limits:
    memory: 1Gi
    cpu: 200m

#Required to use dedicated compute
#nodeSelector: {}
nodeSelector:
  function: nifi-network-packet

#Required to use dedicated compute
#tolerations: []
tolerations:
- effect: NoSchedule
  key: function
  operator: Equal
  value: nifi-network-packet

affinity: {}

flowProvider:
  git:
    enabled: false
    url:
    remote: origin
    user:
    password:
    # The secret name can be used to supply your own SSH key:
    # 1. Generate a SSH key named identity:
    #      ssh-keygen -q -N "" -f ./identity
    # 2. Create a Kubernetes secret:
    #      kubectl -n nifi-registry create secret generic nifi-registry-git-deploy --from-file=./identity
    # 3. Don't check these key files into your Git repository! Once you've created
    #    the Kubernetes secret, Delete the private key:
    #      rm ./identity
    # 4. Add ./identity.pub as a deployment key with write access in your Git repo
    # 5. Set the secret name (default: nifi-registry-git-deploy) below
    secretName:
    # Global Git configuration See https://git-scm.com/docs/git-config for more details.
    config:
      enabled: false
      secretName: ""
      data: ""
      # data: |
      #   [credential "https://github.com"]
      #           username = foo

# Additional environment variables to set
extraEnvs: []
# extraEnvs:
#   - name: FOO
#     value: bar

ssh:
  # Overrides for git over SSH. If you use your own git server, you
  # will likely need to provide a host key for it in this field.
  known_hosts: ""
  config: ""
    # specify the config which would go in /home/nifi/.ssh/config file
    # for e.g.
  # config: |
  #   Host github.com
  #   ProxyCommand socat STDIO PROXY:<proxyIP>:%h:%p,proxyport=<proxyPort>,proxyauth=<username:password>
  #   User git
  #   Hostname ssh.github.com
  #   Port 443
  #   IdentityFile /etc/fluxd/ssh/identity

tests:
  images:
    busybox:
      image: busybox
      tag: 1.33.1

lfreinag commented 2 years ago

So this is an old thread, but I had the same problem and found this other issue open in the nifi-registry chart.

https://github.com/dysnix/charts/issues/111#issuecomment-968679223

You basically want to add these two lines inside the values.yaml file. By default it just has extraEnvs: [] (almost towards the end of the values.yaml file you posted).

extraEnvs:
  - name: NIFI_REGISTRY_WEB_HTTP_HOST
    value: "0.0.0.0"

Another piece of advice: doing an upgrade to try to apply this new environment variable is not going to work 😟, so you will have to uninstall and install the chart again. Or at least that is how I got it to work.

If you want to verify the problem they mention there, i.e. that the server is accepting localhost, you can use this command:

kubectl logs <pod_name> -n <namespace> | grep JettyServer

You should get something like:

2022-03-25 12:37:51,833 INFO [main] o.apache.nifi.registry.jetty.JettyServer Configuring Jetty for HTTP on port: 18080
2022-03-25 12:37:51,873 INFO [main] o.apache.nifi.registry.jetty.JettyServer Loading WAR: /opt/nifi-registry/nifi-registry-current/./lib/nifi-registry-web-ui-0.8.0.war with context path set to /nifi-registry
2022-03-25 12:37:51,874 INFO [main] o.apache.nifi.registry.jetty.JettyServer No database driver directory was specified
2022-03-25 12:37:51,874 INFO [main] o.apache.nifi.registry.jetty.JettyServer Loading WAR: /opt/nifi-registry/nifi-registry-current/./lib/nifi-registry-web-api-0.8.0.war with context path set to /nifi-registry-api
2022-03-25 12:37:51,874 INFO [main] o.apache.nifi.registry.jetty.JettyServer Adding NiFiRegistryProperties object to ServletContext with key 'nifi-registry.properties'
2022-03-25 12:37:51,875 INFO [main] o.apache.nifi.registry.jetty.JettyServer Adding BootstrapFileCryptoKeyProvider object to ServletContext with key 'nifi-registry.key'
2022-03-25 12:37:51,875 INFO [main] o.apache.nifi.registry.jetty.JettyServer Loading WAR: /opt/nifi-registry/nifi-registry-current/./lib/nifi-registry-web-docs-0.8.0.war with context path set to /nifi-registry-docs
2022-03-25 12:37:51,879 INFO [main] o.apache.nifi.registry.jetty.JettyServer Loading documents web app with context path set to /nifi-registry-docs
2022-03-25 12:37:58,594 INFO [main] o.apache.nifi.registry.jetty.JettyServer NiFi Registry has started. The UI is available at the following URLs:
2022-03-25 12:37:58,594 INFO [main] o.apache.nifi.registry.jetty.JettyServer http://0.0.0.0:18080/nifi-registry

The last line shows that my configuration is accepting the connection in localhost:18080.

So you want to do a port-forwarding into that port too and not port 80.

kubectl -n <namespace> port-forward <pod_name> 18080:18080

Hope it helps!
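
To make that log check repeatable, here is an added shell example (written for this page; it is not lfreinag's code or the chart's) that extracts the bind address from the JettyServer lines and flags a loopback-only bind, which is the situation where the UI answers inside the container but not from the service. The log lines embedded in it are constructed to match the shape quoted above, and the pod and namespace names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or the chart: parse the JettyServer lines
# that `kubectl logs <pod_name> -n <namespace> | grep JettyServer` prints and
# report which host:port NiFi Registry bound to. A wildcard host (0.0.0.0 or ::)
# is reachable through the Service; a loopback host is not.

# Constructed sample logs, modelled on the output quoted in the thread.
SAMPLE_LOG_OK='2022-03-25 12:37:58,594 INFO [main] o.apache.nifi.registry.jetty.JettyServer NiFi Registry has started. The UI is available at the following URLs:
2022-03-25 12:37:58,594 INFO [main] o.apache.nifi.registry.jetty.JettyServer http://0.0.0.0:18080/nifi-registry'

SAMPLE_LOG_LOOPBACK='2022-03-25 12:37:58,594 INFO [main] o.apache.nifi.registry.jetty.JettyServer NiFi Registry has started. The UI is available at the following URLs:
2022-03-25 12:37:58,594 INFO [main] o.apache.nifi.registry.jetty.JettyServer http://127.0.0.1:18080/nifi-registry'

# registry_bind_addr: read log text on stdin and print the "host:port" part of
# the URL the registry announces after "has started" (last one wins). Prints
# nothing if no such line is present, e.g. because the server never started.
registry_bind_addr() {
  sed -n 's#.*JettyServer https\{0,1\}://\([^/]*\)/nifi-registry.*#\1#p' | tail -n 1
}

# registry_reachable_from_pod_network: read log text on stdin; return 0 when the
# bind host is a wildcard address, 1 when it is loopback-only or unknown.
registry_reachable_from_pod_network() {
  addr=$(registry_bind_addr)
  host=${addr%:*}          # strip the trailing ":port"
  case "$host" in
    0.0.0.0|::|\[::\]) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage against a live pod (placeholders, not values from the thread):
#   kubectl logs <pod_name> -n <namespace> | grep JettyServer | registry_bind_addr
#   kubectl logs <pod_name> -n <namespace> | grep JettyServer \
#     | registry_reachable_from_pod_network || echo "registry bound to loopback only"
```

The port printed by registry_bind_addr is also the one to use as the pod-side port in kubectl port-forward, which is why forwarding to port 80 (the Service port) on the pod itself does not work.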

wknickless commented 2 years ago

@lfreinag I've started working on extending the dysnix nifi-registry chart to operate in secure mode using cert-manager and OIDC (to go along with the work I did here in #218): https://github.com/wknickless/dysnix-charts/tree/nifi-registry/feature/cert-manager-oidc This is a work in progress; it currently starts NiFi Registry in secure mode with the correct certificates but I haven't yet got the initial administrator properly incorporated into the configuration files.

In secure mode, my work in progress accomplishes this by having a secure.httpsHost Helm configuration variable that's set to 0.0.0.0 in values.yaml, which gets put into the NIFI_REGISTRY_WEB_HTTPS_HOST environment variable, which has the startup script actually set the nifi.registry.web.https.host configuration file entry. This follows the control/data flow of the $NIFI_REGISTRY_BASE_DIR/scripts/start.sh and $NIFI_REGISTRY_BASE_DIR/scripts/secure.sh files provided in the official Apache Docker Hub container.

@banzo in a perfect world we could refactor the NiFi chart (this one) to break out the generic secure mode parameters into their own section, and then have the (e.g.) cert-manager, CA, LDAP, OIDC, and Kerberos configuration sections self-contained (cf. https://github.com/wknickless/dysnix-charts/blob/730fc7d7ed456cd653fd60d7be8ebbb4f0f71563/dysnix/nifi-registry/values.yaml#L167). But I'm not sure if it's possible/feasible to do that without breaking existing deployments. Thoughts?
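
To see the environment-variable-to-properties step described above without a cluster, here is an added shell example written for this page; it is not the chart's code and not the Apache image's start.sh or secure.sh. It re-implements a prop_replace-style helper over a constructed nifi-registry.properties fragment (the property keys are the real NiFi Registry names; the file content and the 18443 port value are assumed samples) and shows what the file looks like after NIFI_REGISTRY_WEB_HTTPS_HOST and NIFI_REGISTRY_WEB_HTTPS_PORT are applied.

```shell
#!/bin/sh
# Added example, not the chart's or the Apache image's script: emulate how a
# container start script copies NIFI_REGISTRY_WEB_* environment variables into
# nifi-registry.properties, so the effect of a values.yaml setting such as
# secure.httpsHost=0.0.0.0 can be inspected on a workstation.

# Constructed fragment in the shape of nifi-registry.properties (real key names,
# sample content).
SAMPLE_PROPS='nifi.registry.web.http.host=
nifi.registry.web.http.port=18080
nifi.registry.web.https.host=
nifi.registry.web.https.port='

# set_prop FILE KEY VALUE: set "KEY=VALUE" in FILE, replacing an existing line
# or appending one. This is what a prop_replace-style helper boils down to.
set_prop() {
  file=$1; key=$2; value=$3
  if grep -q "^${key}=" "$file"; then
    # '#' as the sed delimiter because values may contain '/'
    sed -i.bak "s#^${key}=.*#${key}=${value}#" "$file" && rm -f "$file.bak"
  else
    printf '%s=%s\n' "$key" "$value" >> "$file"
  fi
}

# get_prop FILE KEY: print the current value of KEY (empty if unset).
get_prop() {
  sed -n "s#^$2=##p" "$1"
}

# apply_registry_env FILE: copy each NIFI_REGISTRY_WEB_* variable that is set
# into FILE. Unset variables leave the property untouched here; the real start
# script may substitute its own default instead, so check the rendered file
# rather than assuming an empty variable means "bind everywhere".
apply_registry_env() {
  file=$1
  [ -n "${NIFI_REGISTRY_WEB_HTTP_HOST:-}" ]  && set_prop "$file" nifi.registry.web.http.host  "$NIFI_REGISTRY_WEB_HTTP_HOST"
  [ -n "${NIFI_REGISTRY_WEB_HTTPS_HOST:-}" ] && set_prop "$file" nifi.registry.web.https.host "$NIFI_REGISTRY_WEB_HTTPS_HOST"
  [ -n "${NIFI_REGISTRY_WEB_HTTPS_PORT:-}" ] && set_prop "$file" nifi.registry.web.https.port "$NIFI_REGISTRY_WEB_HTTPS_PORT"
  return 0
}

# render_secure_props: write the sample fragment to a temp file, apply the
# variables a secure-mode deployment would export (assumed values), and leave
# the path in REGISTRY_PROPS_FILE for inspection.
render_secure_props() {
  REGISTRY_PROPS_FILE=$(mktemp)
  printf '%s\n' "$SAMPLE_PROPS" > "$REGISTRY_PROPS_FILE"
  NIFI_REGISTRY_WEB_HTTPS_HOST=0.0.0.0   # what secure.httpsHost would supply
  NIFI_REGISTRY_WEB_HTTPS_PORT=18443     # assumed sample port
  apply_registry_env "$REGISTRY_PROPS_FILE"
}

# Usage:
#   render_secure_props && cat "$REGISTRY_PROPS_FILE"
#   get_prop "$REGISTRY_PROPS_FILE" nifi.registry.web.https.host   # 0.0.0.0
```

The same check works inside a running pod: `kubectl exec` into the registry container and read nifi.registry.web.http.host / nifi.registry.web.https.host from the conf directory to confirm the Helm value actually reached the properties file after a reinstall.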

banzo commented 2 years ago

@banzo (...) But I'm not sure if it's possible/feasible to do that without breaking existing deployments. Thoughts?

@wknickless I am not very familiar with those dark corners of the chart.