stackabletech / nifi-operator

A kubernetes operator for Apache NiFi

Support switch to non-TLS UI #369

Open berndfo opened 1 year ago

berndfo commented 1 year ago

Affected version

nifi-operator-0.6.0

Current and expected behavior

Current behavior

  1. defaults: When using Nifi in a default setting, I fail to establish an ingress properly exposing the Nifi UI to the outside, probably because Nifi is set to use httpS/8443.

  2. with overrides: When providing overriding Nifi settings to use http/8080

configOverrides:
   nifi.properties:
     nifi.web.https.host: ""
     nifi.web.https.port: ""
     nifi.web.http.host: "0.0.0.0"
     nifi.web.http.port: "8080"
     nifi.cluster.protocol.is.secure: "false"

the ingress is working, but Nifi is unstable because health checks (still assuming 8443) are always failing.

Expected behavior

There's a supported way to use Ingress with the Nifi UI with health checks succeeding.

Bonus

Operator recognizes http/https and will set up a k8s Service accordingly.

Possible solution

No response

Additional context

off-topic: trying to open a feature request led to a 404 for me.

Environment

k3s

Would you like to work on fixing this bug?

No response

chris922 commented 9 months ago

Looking forward to getting this feature! I was also a bit confused that by default a NodePort will be exposed and there is no way to disable this or reconfigure it to use a regular ClusterIP, LoadBalancer etc. I am missing from the operator(s) some ways to override usual things that can be overridden in nearly all helm charts etc.

I've got the same use case (exposing NiFi via ingress), maybe my workaround can help someone.

I configured my Traefik ingress controller accordingly to accept insecure https. Here are some more details:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: simple-nifi-cluster
  namespace: stackable
spec:
  rules:
    - host: {{ .Values.ingress.host }}
      http:
        paths:
          - backend:
              service:
                name: simple-nifi-cluster
                port:
                  name: https
            path: /
            pathType: Prefix
  tls:
    - hosts:
        - {{ .Values.ingress.host }}

---

apiVersion: v1
kind: Service
metadata:
  name: simple-nifi-cluster
  namespace: stackable
  annotations:
    traefik.ingress.kubernetes.io/service.serverstransport: stackable-simple-nifi-cluster@kubernetescrd
spec:
  type: ClusterIP
  ports:
  - name: https
    port: 8443
    protocol: TCP
    targetPort: 8443
  selector:
    app.kubernetes.io/component: node
    app.kubernetes.io/instance: simple-nifi
    app.kubernetes.io/name: nifi

---

apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: simple-nifi-cluster
  namespace: stackable
spec:
  serverName: {{ .Values.ingress.host }}
  insecureSkipVerify: true

The Service annotation's value must have the format {{namespace}}-{{service-name}}@kubernetescrd, and you need to update the simple-nifi value everywhere with your NiFi cluster name.

And for your NifiCluster override the nifi.web.proxy.host setting (restart pod afterwards due to #531):

kind: NifiCluster
...
spec:
  ...
  nodes:
    configOverrides:
      nifi.properties:
        {{ if .Values.ingress.host -}}
        nifi.web.proxy.host: {{ .Values.ingress.host }}
        {{- end }}
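
The ServersTransport in the workaround above sets insecureSkipVerify: true, so Traefik accepts any certificate on the hop to NiFi. As an added example (not from the thread or the operator project), this variant keeps verification on by trusting the CA that issued NiFi's certificate; the Secret name nifi-ca and the serverName value are placeholders and assumptions to adapt.

```yaml
# Added example: verify NiFi's certificate instead of skipping verification.
# Assumptions: a Secret named nifi-ca (placeholder) exists in the same
# namespace and holds the issuing CA certificate under the key ca.crt or
# tls.ca; serverName matches a name in the certificate NiFi presents.
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: simple-nifi-cluster
  namespace: stackable
spec:
  # Weak setting from the workaround, shown for comparison:
  # insecureSkipVerify: true
  serverName: <name-from-nifi-certificate-SAN>  # placeholder
  rootCAsSecrets:
    - nifi-ca  # placeholder Secret containing the CA certificate
```

The Service annotation from the workaround stays unchanged, since the ServersTransport keeps the same name and namespace.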