The NiFiKop NiFi Kubernetes operator makes it easy to run Apache NiFi on Kubernetes. Apache NiFI is a free, open-source solution that support powerful and scalable directed graphs of data routing, transformation, and system mediation logic.
For me, it's easiest to reproduce by deploying a NifiCluster with NifiUsers using ArgoCD, letting nifikop reconcile certificates for each user. When a cluster is deleted, there's a race condition that occurs where ArgoCD will delete (or mark for deletion) all of the nifikop resources.
The nifi user controller hits a condition where a NifiUser is marked for deletion and the controller revokes certs and deletes secrets. But then it immediately reconciles the certs & secrets again which re-creates them. The code which does this is here. This causes NifiCluster deletions in ArgoCD to hang because the operator is re-creating resources that had just been deleted.
Deploy a secure NifiCluster with one or more NifiUsers. Note that each node is treated as a NifiUser and has certs generated for them.
Delete the cluster deployment in ArgoCD & observe that NifiUser certs and secrets get deleted and immediately re-created.
What is the expected behavior?
The nifi user controller should only reconcile user certs if the associated NifiUser is not marked for deletion.
What do you see instead?
The nifi user controller reconciles user certs regardless of whether the associated NifiUser is marked for deletion.
Possible solution
The nifi user controller should reconcile user certificates only if the associated NifiUser is not marked for deletion.
What steps will reproduce the bug?
For me, it's easiest to reproduce by deploying a
NifiCluster
withNifiUser
s using ArgoCD, letting nifikop reconcile certificates for each user. When a cluster is deleted, there's a race condition that occurs where ArgoCD will delete (or mark for deletion) all of the nifikop resources.The nifi user controller hits a condition where a
NifiUser
is marked for deletion and the controller revokes certs and deletes secrets. But then it immediately reconciles the certs & secrets again which re-creates them. The code which does this is here. This causes NifiCluster deletions in ArgoCD to hang because the operator is re-creating resources that had just been deleted.NifiCluster
with one or moreNifiUser
s. Note that each node is treated as aNifiUser
and has certs generated for them.NifiUser
certs and secrets get deleted and immediately re-created.What is the expected behavior?
The nifi user controller should only reconcile user certs if the associated
NifiUser
is not marked for deletion.What do you see instead?
The nifi user controller reconciles user certs regardless of whether the associated
NifiUser
is marked for deletion.Possible solution
The nifi user controller should reconcile user certificates only if the associated
NifiUser
is not marked for deletion.NiFiKop version
v0.15.0-release
Golang version
go1.18
Kubernetes version
1.24
NiFi version
1.18.0
Additional context
No response