konpyutaika / nifikop

The NiFiKop NiFi Kubernetes operator makes it easy to run Apache NiFi on Kubernetes. Apache NiFi is a free, open-source solution that supports powerful and scalable directed graphs of data routing, transformation, and system mediation logic.
https://konpyutaika.github.io/nifikop/
Apache License 2.0

How to correctly configure single user configuration with https (via cert-manager)? #411

Open cbrendanprice opened 8 months ago

cbrendanprice commented 8 months ago

Type of question

Implementation Assistance

Support question

Hello there!

I'm having trouble getting my NiFi cluster to successfully work with single user configuration and HTTPS and was wondering if someone might be able to provide a working example configuration for this? For context, I did first reference the example TLS configuration in the repo but, unfortunately, it relies upon OIDC for authorization.

Find below my current configuration. While this configuration does result in the node running successfully, it does not correctly allow me to log in with the credentials stored in the provided secret. I get "Access Unknown: Certificate and Token not found." each time I try to log in.

Any help/insight/suggestions would be much appreciated! Thank you.

apiVersion: nifi.konpyutaika.com/v1
kind: NifiCluster
metadata:
  #...
spec:
  externalServices:
    - metadata:
        annotations: {}
        labels: {}
      name: apache-nifi
      spec:
        portConfigs:
          - internalListenerName: https
            port: 8443
            protocol: TCP
        type: ClusterIP
  listenersConfig:
    internalListeners:
      - containerPort: 8443
        name: https
        protocol: TCP
        type: https
      - containerPort: 6007
        name: cluster
        protocol: TCP
        type: cluster
      - containerPort: 10000
        name: s2s
        protocol: TCP
        type: s2s
    sslSecrets:
      clusterScoped: false
      create: true
      issuerRef:
        kind: Issuer
        name: middleware-internal-ca
      tlsSecretName: apache-nifi-listeners-tls
  nodeConfigGroups:
    default-group:
      provenanceStorage: 2GB
      storageConfigs:
        - mountPath: /opt/nifi/nifi-current/conf
          name: conf
          pvcSpec:
            accessModes:
              - ReadWriteOnce
            resources:
              requests:
                storage: 128Mi
            storageClassName: standard
          reclaimPolicy: Delete
        - mountPath: /opt/nifi/content_repository
          name: content-repository
          pvcSpec:
            accessModes:
              - ReadWriteOnce
            resources:
              requests:
                storage: 2Gi
            storageClassName: standard
          reclaimPolicy: Delete
        - mountPath: /opt/nifi/data
          name: data
          pvcSpec:
            accessModes:
              - ReadWriteOnce
            resources:
              requests:
                storage: 256Mi
            storageClassName: standard
          reclaimPolicy: Delete
        - mountPath: /opt/nifi/flowfile_repository
          name: flowfile-repository
          pvcSpec:
            accessModes:
              - ReadWriteOnce
            resources:
              requests:
                storage: 2Gi
            storageClassName: standard
          reclaimPolicy: Delete
        - mountPath: /opt/nifi/nifi-current/logs
          name: logs
          pvcSpec:
            accessModes:
              - ReadWriteOnce
            resources:
              requests:
                storage: 512Mi
            storageClassName: standard
          reclaimPolicy: Delete
        - mountPath: /opt/nifi/provenance_repository
          name: provenance-repository
          pvcSpec:
            accessModes:
              - ReadWriteOnce
            resources:
              requests:
                storage: 2Gi
            storageClassName: standard
          reclaimPolicy: Delete
      tolerations: []
  nodeUserIdentityTemplate: apache-nifi-node-%d
  nodes:
    - id: 1
      nodeConfigGroup: default-group
      readOnlyConfig:
        nifiProperties:
          overrideConfigs: |
            nifi.ui.banner.text=NiFiKop - Node 1
  pod:
    livenessProbe:
      exec:
        command:
          - bash
          - '-c'
          - >-
            curl -L -kv --cert 
            /var/run/secrets/java.io/keystores/server/tls.crt --key
            /var/run/secrets/java.io/keystores/server/tls.key https://$(hostname
            -f):8443/nifi/
      failureThreshold: 5
      initialDelaySeconds: 135
      periodSeconds: 60
      successThreshold: 1
      timeoutSeconds: 20
    readinessProbe:
      exec:
        command:
          - bash
          - '-c'
          - >-
            curl -L -kv --cert 
            /var/run/secrets/java.io/keystores/server/tls.crt --key
            /var/run/secrets/java.io/keystores/server/tls.key https://$(hostname
            -f):8443/nifi/
      failureThreshold: 5
      initialDelaySeconds: 105
      periodSeconds: 30
      successThreshold: 1
      timeoutSeconds: 10
  readOnlyConfig:
    bootstrapProperties:
      nifiJvmMemory: 512m
    nifiProperties:
      overrideConfigs: |
        nifi.sensitive.props.key=thisIsABadSensitiveKeyPassword
        nifi.security.identity.mapping.pattern.dn=CN=([^,]*)(?:, (?:O|OU)=.*)?
        nifi.security.identity.mapping.value.dn=$1
        nifi.security.identity.mapping.transform.dn=NONE
      webProxyHosts:
        - apache-nifi.localhost:443
        - apache-nifi.127.0.0.1.nip.io:443
  singleUserConfiguration:
    authorizerEnabled: true
    enabled: true
    secretKeys:
      password: password
      username: username
    secretRef:
      name: apache-nifi-auth-single-user-credentials
      namespace: middleware

NiFiKop version

v1.8.0-release

Golang version

No response

Kubernetes version

v1.28.0

NiFi version

1.24.0

cbrendanprice commented 7 months ago

More than happy to provide whatever additional information, clarity, context, etc. would be necessary to help troubleshoot here. Appreciate the efforts you all have made on this project and know you're busy making it better! Would appreciate any help I can get here when you've time.

wrender commented 7 months ago

Hmm. I think that should work. And you created the secret? If you exec into one of the NiFi containers and run tail -f logs/nifi-user.log, do you see any information? Here is an example single user auth someone sent me on Slack that seems to work and has a sidecar to help troubleshoot/view the logs:

apiVersion: nifi.konpyutaika.com/v1
kind: NifiCluster
metadata:
  name: nifikop
spec:
  clusterImage: apache/nifi:1.23.2
  externalServices:
  - name: nifikop
    spec:
      portConfigs:
      - internalListenerName: https
        port: 443
      - internalListenerName: prometheus
        port: 9092
      - internalListenerName: s2s
        port: 10000
      type: ClusterIP
  listenersConfig:
    internalListeners:
    - containerPort: 8443
      name: https
      type: https
    - containerPort: 6007
      name: cluster
      type: cluster
    - containerPort: 10000
      name: s2s
      type: s2s
    - containerPort: 9092
      name: prometheus
      type: prometheus
    sslSecrets:
      create: true
      tlsSecretName: nifikop-tls
  nifiClusterTaskSpec:
    retryDurationMinutes: 10
  nodeConfigGroups:
    default_group:
      fsGroup: 1337
      isNode: true
      resourcesRequirements:
        limits:
          cpu: "6"
          memory: 6Gi
        requests:
          cpu: "6"
          memory: 5Gi
      storageConfigs:
      - mountPath: /opt/nifi/nifi-current/logs
        name: logs
        pvcSpec:
          accessModes:
          - ReadWriteOnce
          resources:
            requests:
              storage: 50Gi
          storageClassName: ssd-wait
      - mountPath: /opt/nifi/data
        name: data
        pvcSpec:
          accessModes:
          - ReadWriteOnce
          resources:
            requests:
              storage: 5Gi
          storageClassName: ssd-wait
      - mountPath: /opt/nifi/flowfile_repository
        name: flowfile-repository
        pvcSpec:
          accessModes:
          - ReadWriteOnce
          resources:
            requests:
              storage: 12Gi
          storageClassName: ssd-wait
      - mountPath: /opt/nifi/nifi-current/conf
        name: conf
        pvcSpec:
          accessModes:
          - ReadWriteOnce
          resources:
            requests:
              storage: 5Gi
          storageClassName: ssd-wait
      - mountPath: /opt/nifi/content_repository
        name: content-repository-default
        pvcSpec:
          accessModes:
          - ReadWriteOnce
          resources:
            requests:
              storage: 10Gi
          storageClassName: ssd-wait
      - mountPath: /opt/nifi/content-additional/rep1
        name: content-repository-rep1
        pvcSpec:
          accessModes:
          - ReadWriteOnce
          resources:
            requests:
              storage: 35Gi
          storageClassName: ssd-wait
      - mountPath: /opt/nifi/content-additional/rep2
        name: content-repository-rep2
        pvcSpec:
          accessModes:
          - ReadWriteOnce
          resources:
            requests:
              storage: 35Gi
          storageClassName: ssd-wait
      - mountPath: /opt/nifi/provenance_repository
        name: provenance-repository-default
        pvcSpec:
          accessModes:
          - ReadWriteOnce
          resources:
            requests:
              storage: 10Gi
          storageClassName: ssd-wait
      - mountPath: /opt/nifi/provenance-additional/rep1
        name: provenance-repository-rep1
        pvcSpec:
          accessModes:
          - ReadWriteOnce
          resources:
            requests:
              storage: 12Gi
          storageClassName: ssd-wait
      - mountPath: /opt/nifi/provenance-additional/rep2
        name: provenance-repository-rep2
        pvcSpec:
          accessModes:
          - ReadWriteOnce
          resources:
            requests:
              storage: 12Gi
          storageClassName: ssd-wait
      - mountPath: /opt/nifi/extensions
        name: extensions-repository
        pvcSpec:
          accessModes:
          - ReadWriteOnce
          resources:
            requests:
              storage: 5Gi
          storageClassName: ssd-wait
      tolerations:
      - effect: NoExecute
        key: dedicated
        operator: Equal
        value: instances
  nodes:
  - id: 0
    labels:
      nifi_cr: nifikop
      nifi_node_group: default_group
    nodeConfigGroup: default_group
  propagateLabels: true
  readOnlyConfig:
    bootstrapProperties:
      nifiJvmMemory: 4g
    maximumTimerDrivenThreadCount: 40
    nifiProperties:
      overrideConfigMap:
        data: nifi.properties
        name: nifi-config
        namespace: squid-system
      overrideConfigs: |
        nifi.nar.library.autoload.directory=../extensions
        nifi.security.identity.mapping.pattern.dn=CN=([^,]*)(?:, (?:O|OU)=.*)?
        nifi.security.identity.mapping.value.dn=$1
        nifi.security.identity.mapping.transform.dn=NONE
        nifi.content.repository.directory.rep1=../content-additional/rep1
        nifi.content.repository.directory.rep2=../content-additional/rep2
        nifi.provenance.repository.directory.rep1=../provenance-additional/rep1
        nifi.provenance.repository.directory.rep2=../provenance-additional/rep2
        nifi.sensitive.props.key=nifikopnifikopnifikop
      webProxyHosts:
      - nifikop.konpyutaika.com:443
      - nifikop.konpyutaika.com
  service:
    headlessEnabled: true
  sidecarConfigs:
  - args:
    - tail
    - -n+1
    - -F
    - /var/log/nifi-app.log
    image: busybox:1.36
    name: app-log
    resources:
      limits:
        cpu: 50m
        memory: 50Mi
      requests:
        cpu: 50m
        memory: 50Mi
    volumeMounts:
    - mountPath: /var/log
      name: logs
  - args:
    - tail
    - -n+1
    - -F
    - /var/log/nifi-bootstrap.log
    image: busybox:1.36
    name: bootstrap-log
    resources:
      limits:
        cpu: 50m
        memory: 50Mi
      requests:
        cpu: 50m
        memory: 50Mi
    volumeMounts:
    - mountPath: /var/log
      name: logs
  - args:
    - tail
    - -n+1
    - -F
    - /var/log/nifi-user.log
    image: busybox:1.36
    name: user-log
    resources:
      limits:
        cpu: 50m
        memory: 50Mi
      requests:
        cpu: 50m
        memory: 50Mi
    volumeMounts:
    - mountPath: /var/log
      name: logs
  singleUserConfiguration:
    authorizerEnabled: true
    enabled: true
    secretKeys:
      username: username
      password: password
    secretRef:
      name: nifikop
  zkAddress: zookeeper.zookeeper:2181
  zkPath: /nifikop-instances
---
apiVersion: v1
kind: Secret
metadata:
  name: nifikop
stringData:
  username: nifikop
  password: nifikopnifikopnifikop
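As an added example (not part of this thread and not NiFiKop's own code), a small Python pre-flight check over the parts of a NifiCluster spec and its credentials Secret that a single user HTTPS login depends on: the secretRef/secretKeys resolve to a real Secret, the password and nifi.sensitive.props.key meet NiFi's 12-character minimum, and the host you browse to is listed in webProxyHosts. The sample spec is trimmed from the question above; the Secret contents, the `check_single_user` function and the assumption that a secretRef without a namespace falls back to the NifiCluster's namespace are all mine.

```python
# Added example, not NiFiKop code. The 12-character minimums are NiFi's own rules.
MIN_LEN = 12

def parse_override_configs(text):
    """Parse a nifi.properties-style overrideConfigs block into a dict."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            props[key.strip()] = value.strip()
    return props

def check_single_user(spec, cluster_ns, secrets, access_host):
    """Return findings (empty list = passed). spec: NifiCluster .spec dict;
    cluster_ns: NifiCluster namespace (assumed default for secretRef); secrets:
    {(namespace, name): {key: value}}; access_host: Host header value."""
    findings = []
    su = spec.get("singleUserConfiguration", {})
    for flag in ("enabled", "authorizerEnabled"):
        if not su.get(flag):
            findings.append(f"singleUserConfiguration.{flag} is not true")
    ref = su.get("secretRef", {})
    ns, name = ref.get("namespace", cluster_ns), ref.get("name")
    data = secrets.get((ns, name))
    if data is None:
        findings.append(f"secret {ns}/{name} not found")
    else:
        keys = su.get("secretKeys", {})
        if not data.get(keys.get("username", "username")):
            findings.append("username key missing or empty in secret")
        if len(data.get(keys.get("password", "password"), "")) < MIN_LEN:
            findings.append(f"password shorter than {MIN_LEN} characters")
    nifi_props = spec.get("readOnlyConfig", {}).get("nifiProperties", {})
    props = parse_override_configs(nifi_props.get("overrideConfigs", ""))
    if len(props.get("nifi.sensitive.props.key", "")) < MIN_LEN:
        findings.append(f"nifi.sensitive.props.key shorter than {MIN_LEN} characters")
    if access_host not in nifi_props.get("webProxyHosts", []):
        findings.append(f"{access_host} missing from webProxyHosts")
    return findings

# Constructed sample: the single-user-relevant parts of the spec in the question.
QUESTION_SPEC = {
    "readOnlyConfig": {"nifiProperties": {
        "overrideConfigs": "nifi.sensitive.props.key=thisIsABadSensitiveKeyPassword\n",
        "webProxyHosts": ["apache-nifi.localhost:443", "apache-nifi.127.0.0.1.nip.io:443"]}},
    "singleUserConfiguration": {"authorizerEnabled": True, "enabled": True,
        "secretKeys": {"password": "password", "username": "username"},
        "secretRef": {"name": "apache-nifi-auth-single-user-credentials", "namespace": "middleware"}}}
SECRETS = {("middleware", "apache-nifi-auth-single-user-credentials"):
           {"username": "nifikop", "password": "nifikopnifikopnifikop"}}  # constructed
```

Run `check_single_user(QUESTION_SPEC, "middleware", SECRETS, "apache-nifi.localhost:443")` with the real Secret contents (from `kubectl get secret -o yaml`) substituted; an empty list means the static prerequisites hold and the remaining suspects are the TLS/proxy path in front of NiFi and the entries in nifi-user.log.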