Support cert-manager management of intra-cluster TLS certificates for secure mode.
Is your feature request related to a problem? Please describe.
Issues #205 (and duplicate #209) report that multi-node NiFi clusters are not starting. Looking at app-log shows:
2022-01-02 15:05:59,582 WARN [Process Cluster Protocol Request-2] o.a.n.c.p.impl.SocketProtocolListener Failed processing protocol message from nifi-1.nifi-headless.default.svc.cluster.local due to Received fatal alert: certificate_unknown
This is consistent with the creation of TLS certificates for intra-cluster communication being broken.
Describe the solution you'd like
Use cert-manager to create and automatically update intra-cluster TLS certificates.
Describe alternatives you've considered
Use the older NiFi Toolkit to create certificates for the NiFi cluster nodes. The problem with this approach is that it only addresses the initial certificate creation, not the whole certificate lifecycle. So when certificates inevitably expire, the cluster will break again.
Additional context
Secure mode is the upstream default (as of about NiFi 1.14.0) and preferred way of running NiFi clusters, and that requires solid TLS support.
https://cert-manager.io/docs/installation/helm/ warns:
"Be sure never to embed cert-manager as a sub-chart of other Helm charts; cert-manager manages non-namespaced resources in your cluster and care must be taken to ensure that it is installed exactly once."
So unlike Zookeeper support, setting up cert-manager with a self-signed CA should be documented and demonstrated in the tests rather than incorporated directly as a sub chart.
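One way the setup requested above could look, as an added example that is not part of the original issue or of the chart: a self-signed issuer bootstraps a CA, and that CA signs one certificate per NiFi node so every node shares the same trust root and gets renewed automatically. The resource names (`nifi-selfsigned`, `nifi-ca`, `nifi-1-tls`, `nifi-keystore-password`), the lifetimes and the `default` namespace are assumptions; the hostname is the one from the log line above.

```yaml
# Added example: all resource names and lifetimes below are assumptions.
# Apply into the namespace NiFi runs in ("default" is assumed in the DNS name).
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: nifi-selfsigned
spec:
  selfSigned: {}            # used only to bootstrap the CA certificate below
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: nifi-ca
spec:
  isCA: true
  commonName: nifi-ca
  secretName: nifi-ca       # CA key pair is stored in this Secret
  issuerRef:
    name: nifi-selfsigned
    kind: Issuer
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: nifi-ca
spec:
  ca:
    secretName: nifi-ca     # signs every node certificate: one shared trust root
---
apiVersion: cert-manager.io/v1
kind: Certificate           # one such Certificate per NiFi node
metadata:
  name: nifi-1-tls
spec:
  secretName: nifi-1-tls
  duration: 2160h           # 90 days
  renewBefore: 360h         # reissued 15 days before expiry
  dnsNames:
    - nifi-1.nifi-headless.default.svc.cluster.local
  usages: [server auth, client auth]   # cluster peers act as both client and server
  keystores:
    jks:
      create: true          # adds keystore.jks and truststore.jks to the Secret
      passwordSecretRef:    # this Secret must already exist
        name: nifi-keystore-password
        key: password
  issuerRef:
    name: nifi-ca
    kind: Issuer
```

NiFi reads the keystore only at startup, so a renewed Secret takes effect on a node only after that pod restarts; the chart would need to handle that separately.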