From 819b0f0c62eb4c3216995ee2577f0814c1875dd7 Mon Sep 17 00:00:00 2001 From: Sebastien Dupont Date: Fri, 2 Dec 2022 15:55:29 +0100 Subject: [PATCH] Update Github Action: bump action, minikube and Kubernetes versions (ctd) Update ldap users int ldap-test Rollback CN node name generating Replace generating standalone certs path Fix values.yaml for automatic usage of storageClass --- .github/workflows/test-oidc.yml | 6 ++--- .github/workflows/test-persistence.yml | 6 ++--- configs/authorizers.xml | 10 ++++---- configs/nifi.properties | 22 ++++++++++++------ templates/statefulset.yaml | 13 ++++------- tests/03-ldap-values.yaml | 7 +++--- values.yaml | 32 +++++++++++++------------- 7 files changed, 51 insertions(+), 45 deletions(-) diff --git a/.github/workflows/test-oidc.yml b/.github/workflows/test-oidc.yml index 1d32b9ff..7b82ab7a 100644 --- a/.github/workflows/test-oidc.yml +++ b/.github/workflows/test-oidc.yml @@ -65,10 +65,10 @@ jobs: - name: Checkout uses: actions/checkout@v1 - name: Setup Minikube - uses: manusa/actions-setup-minikube@v2.4.1 + uses: manusa/actions-setup-minikube@v2.7.1 with: - minikube version: 'v1.20.0' - kubernetes version: 'v1.20.2' + minikube version: 'v1.26.1' + kubernetes version: 'v1.25.0' - name: Checkout code uses: actions/checkout@v1 - name: Install dependencies diff --git a/.github/workflows/test-persistence.yml b/.github/workflows/test-persistence.yml index e738d457..8466a836 100644 --- a/.github/workflows/test-persistence.yml +++ b/.github/workflows/test-persistence.yml @@ -81,10 +81,10 @@ jobs: - name: Checkout uses: actions/checkout@v1 - name: Setup Minikube - uses: manusa/actions-setup-minikube@v2.4.1 + uses: manusa/actions-setup-minikube@v2.7.1 with: - minikube version: 'v1.20.0' - kubernetes version: 'v1.20.2' + minikube version: 'v1.26.1' + kubernetes version: 'v1.25.0' - name: Checkout code uses: actions/checkout@v1 - name: Install dependencies diff --git a/configs/authorizers.xml b/configs/authorizers.xml index 6ad30a8f..a6370f35 100644 --- a/configs/authorizers.xml +++ b/configs/authorizers.xml @@ -48,7 +48,7 @@ ./auth-conf/users.xml {{- range $i := until $replicas }} - CN={{ template "apache-nifi.fullname" $ }}-{{ . }}.{{ template "apache-nifi.fullname" $ }}-headless.{{ $.Release.Namespace }}.svc.{{ $.Values.clusterDomain }}, OU=NIFI + CN={{ $fullname }}-{{ $i }}.{{ $fullname }}-headless.{{ $namespace }}.svc.{{ $.Values.clusterDomain }}, OU=NIFI {{- end }} {{- if and .Values.auth.ldap.enabled (not .Values.auth.admin) }} {{.Values.auth.ldap.initialAdmin}} @@ -125,10 +125,10 @@ {{.Values.auth.ldap.managerDN}} {{.Values.auth.ldap.managerPassword}} /opt/nifi/nifi-current/tls/keystore.jks - {{.Values.auth.SSL.keystorePassword}} - jks + {{.Values.auth.SSL.keystorePasswd}} + JKS /opt/nifi/nifi-current/tls/truststore.jks - {{.Values.auth.SSL.truststorePassword}} + {{.Values.auth.SSL.truststorePasswd}} JKS NONE TLS @@ -230,7 +230,7 @@ {{- end}} {{- range $i := until $replicas }} - CN={{ template "apache-nifi.fullname" $ }}-{{ . }}.{{ template "apache-nifi.fullname" $ }}-headless.{{ $.Release.Namespace }}.svc.{{ $.Values.clusterDomain }}, OU=NIFI + CN={{ $fullname }}-{{ $i }}.{{ $fullname }}-headless.{{ $namespace }}.svc.{{ $.Values.clusterDomain }}, OU=NIFI {{- end }} diff --git a/configs/nifi.properties b/configs/nifi.properties index dbcae8f9..dcd6f09e 100644 --- a/configs/nifi.properties +++ b/configs/nifi.properties @@ -147,7 +147,7 @@ nifi.sensitive.props.algorithm={{ .Values.properties.algorithm }} nifi.sensitive.props.provider=BC nifi.sensitive.props.additional.keys= -{{if .Values.auth.clientAuth.enabled}} +{{- if .Values.auth.clientAuth.enabled }} nifi.security.keystore=/opt/nifi/nifi-current/config-data/certs/keystore.jks nifi.security.keystoreType=jks nifi.security.keystorePasswd={{.Values.auth.SSL.keystorePasswd}} @@ -157,18 +157,26 @@ nifi.security.truststoreType=jks nifi.security.truststorePasswd={{.Values.auth.SSL.truststorePasswd}} nifi.security.user.authorizer=managed-authorizer nifi.security.user.login.identity.provider= -{{else if .Values.auth.ldap.enabled}} +{{- else if .Values.auth.ldap.enabled }} +{{- if .Values.certManager.enabled }} nifi.security.keystore=/opt/nifi/nifi-current/tls/keystore.jks +{{- else }} +nifi.security.keystore=/opt/nifi/nifi-current/tls/{{.Release.Name}}-0.{{.Release.Name}}-headless.{{.Release.Namespace}}.svc.{{ $.Values.clusterDomain }}/keystore.jks +{{- end }} nifi.security.keystoreType=jks nifi.security.keystorePasswd={{.Values.auth.SSL.keystorePasswd}} nifi.security.keyPasswd={{.Values.auth.SSL.keystorePasswd}} +{{- if .Values.certManager.enabled }} nifi.security.truststore=/opt/nifi/nifi-current/tls/truststore.jks +{{- else }} +nifi.security.truststore=/opt/nifi/nifi-current/tls/{{.Release.Name}}-0.{{.Release.Name}}-headless.{{.Release.Namespace}}.svc.{{ $.Values.clusterDomain }}/truststore.jks +{{- end }} nifi.security.truststoreType=jks nifi.security.truststorePasswd={{.Values.auth.SSL.truststorePasswd}} proxiedEntity={{.Values.auth.ldap.initialAdmin}} nifi.security.user.authorizer=managed-authorizer nifi.security.user.login.identity.provider=ldap-provider -{{else if .Values.auth.oidc.enabled}} +{{- else if .Values.auth.oidc.enabled }} nifi.security.keystore=/opt/nifi/nifi-current/conf/keystore.p12 nifi.security.keystoreType=PKCS12 nifi.security.keystorePasswd= @@ -177,7 +185,7 @@ nifi.security.truststore=/opt/nifi/nifi-current/conf/truststore.p12 nifi.security.truststoreType=PKCS12 nifi.security.truststorePasswd= nifi.security.user.authorizer=managed-authorizer -{{ else }} +{{- else }} nifi.security.keystore=./conf/keystore.p12 nifi.security.keystoreType=PKCS12 nifi.security.keystorePasswd= @@ -187,10 +195,10 @@ nifi.security.truststoreType=PKCS12 nifi.security.truststorePasswd= nifi.security.user.login.identity.provider=single-user-provider nifi.security.user.authorizer=single-user-authorizer -{{end}} +{{- end }} nifi.security.needClientAuth={{.Values.properties.needClientAuth}} -{{if .Values.auth.oidc.enabled}} +{{- if .Values.auth.oidc.enabled }} # OpenId Connect SSO Properties # nifi.security.user.oidc.discovery.url={{.Values.auth.oidc.discoveryUrl}} nifi.security.user.oidc.connect.timeout=5 secs @@ -200,7 +208,7 @@ nifi.security.user.oidc.client.secret={{.Values.auth.oidc.clientSecret}} nifi.security.user.oidc.preferred.jwsalgorithm= nifi.security.user.oidc.claim.identifying.user={{.Values.auth.oidc.claimIdentifyingUser}} nifi.security.user.oidc.additional.scopes={{.Values.auth.oidc.additionalScopes}} -{{end}} +{{- end }} # Apache Knox SSO Properties # diff --git a/templates/statefulset.yaml b/templates/statefulset.yaml index 03e6253b..a888c532 100644 --- a/templates/statefulset.yaml +++ b/templates/statefulset.yaml @@ -251,12 +251,12 @@ spec: {{- /* if .Values.certManager.enabled */}}{{ else }} - if [ ! -r "${NIFI_HOME}/conf/nifi-cert.pem" ] + if [ ! -r "${NIFI_HOME}/tls/nifi-cert.pem" ] then /opt/nifi/nifi-toolkit-current/bin/tls-toolkit.sh standalone \ - -n '{{.Release.Name}}-nifi-0.{{.Release.Name}}-nifi-headless.{{.Release.Namespace}}.svc.{{ $.Values.clusterDomain }}' \ + -n '{{.Release.Name}}-0.{{.Release.Name}}-headless.{{.Release.Namespace}}.svc.{{ $.Values.clusterDomain }}' \ -C '{{.Values.auth.admin}}' \ - -o "${NIFI_HOME}/conf/" \ + -o "${NIFI_HOME}/tls" \ -P {{.Values.auth.SSL.truststorePasswd}} \ -S {{.Values.auth.SSL.keystorePasswd}} \ --nifiPropertiesFile /opt/nifi/nifi-current/conf/nifi.properties @@ -523,11 +523,8 @@ spec: {{- end }} {{- end }} {{- end }} -{{- if .Values.certManager.enabled }} - name: "tls" mountPath: /opt/nifi/nifi-current/tls - readOnly: true -{{- /* if .Values.certManager.enabled */}}{{ end }} {{- if .Values.extraVolumeMounts }} {{ toYaml .Values.extraVolumeMounts | indent 10 }} {{- end }} @@ -755,12 +752,12 @@ spec: items: - key: "logback.xml" path: "logback.xml" + - name: "tls" + emptyDir: {} {{- if .Values.certManager.enabled }} - name: secret-reader-token secret: secretName: {{ template "apache-nifi.fullname" $ }}-secret-reader-token - - name: tls - emptyDir: {} {{- range .Values.certManager.caSecrets }} - name: {{ include "apache-nifi.fullname" $ }}-{{ . }} secret: diff --git a/tests/03-ldap-values.yaml b/tests/03-ldap-values.yaml index ecf5b334..b3b99db1 100644 --- a/tests/03-ldap-values.yaml +++ b/tests/03-ldap-values.yaml @@ -8,7 +8,8 @@ auth: ldap: enabled: true host: ldap://openldap:389 - searchBase: ou=users,dc=example,dc=org - admin: cn=user1,ou=users,dc=example,dc=org - pass: password1 + userSearchBase: ou=users,dc=example,dc=org + managerDN: cn=user1,ou=users,dc=example,dc=org + initialAdmin: cn=user1,ou=users,dc=example,dc=org + managerPassword: password1 authStrategy: SIMPLE diff --git a/values.yaml b/values.yaml index 0fe15647..3ee2c485 100644 --- a/values.yaml +++ b/values.yaml @@ -125,10 +125,10 @@ logbackXml: # Nifi User Authentication auth: # If set while LDAP is enabled, this value will be used for the initial admin and not the ldap bind dn / admin - admin: nifiAdmin # Initial Admin account username from LDAP-server. You can set the property aka env var + admin: CN=admin, OU=NIFI # Initial Admin account username. You can set the property aka env var SSL: - keystorePassword: changeMe - truststorePassword: changeMe + keystorePasswd: changeMe + truststorePasswd: changeMe # Automaticaly disabled if OIDC or LDAP enabled singleUser: @@ -143,19 +143,19 @@ auth: host: ldap://ldap-server.example.com:389 userSearchBase: ou=People,dc=example,dc=com initialAdmin: nifiAdmin # LDAP account for initialize as admin user - userSearchFilter: (memberOf=cn=nifi_users,ou=groups,dc=example,dc=com) - userIdentityAttribute: uid + userSearchFilter: (objectClass=*) # (memberOf=cn=nifi_users,ou=groups,dc=example,dc=com) + userIdentityAttribute: # uid authenticationStrategy: SIMPLE # How the connection to the LDAP server is authenticated. Possible values are ANONYMOUS, SIMPLE, LDAPS, or START_TLS. identityStrategy: USE_USERNAME # USE_DN or USE_USERNAME authExpiration: 12 hours - groupSearchBase: ou=Groups,dc=example,dc=com - groupObjectClass: groupOfNames - referralStrategy: FOLLOW - groupNameAttribute: cn - groupMemberAttribute: member + groupSearchBase: # ou=Groups,dc=example,dc=com + groupObjectClass: group # groupOfNames + referralStrategy: IGNORE # FOLLOW + groupNameAttribute: # cn + groupMemberAttribute: # member groupSearchScope: ONE_LEVEL # Search scope for searching groups (ONE_LEVEL, OBJECT, or SUBTREE). Required if searching groups. userSearchScope: SUBTREE # Search scope for searching users (ONE_LEVEL, OBJECT, or SUBTREE). Required if searching users. - userGroupNameAttribute: memberOf + userGroupNameAttribute: # memberOf managerDN: uid=nifiAdmin,ou=People,dc=example,dc=com # account DN for connection to LDAP-server. You can set the property aka env var managerPassword: changeMechangeMe # account password for connection to LDAP-server. You can set the property aka env var providerUserSearchFilter: (uid={0}) @@ -279,7 +279,7 @@ persistence: # storageClass: standard # # The default storage class is used if this variable is not set. - storageClass: '' + accessModes: [ReadWriteOnce] ## Storage Capacities for persistent volumes configStorage: @@ -379,16 +379,16 @@ openshift: ca: ## If true, enable the nifi-toolkit certificate authority enabled: false + persistence: + enabled: true + server: "" # For example "nifi-ca.default.svc.{{ .Values.clusterDomain }}" envFrom: [] image: repository: apache/nifi-toolkit - persistence: - enabled: false accessModes: [ReadWriteOnce] storageClass : '' initContainer: image: busybox:1.32.0 - server: "" # For example "nifi-ca.default.svc.{{ .Values.clusterDomain }}" service: port: 9090 token: sixteenCharacters @@ -409,7 +409,7 @@ certManager: keystorePasswd: changeme truststorePasswd: changeme replaceDefaultTrustStore: false - # For security reason, define secret aka source of env variable for keystorePassword and truststorePassword + # For security reason, define secret aka source of env variable for keystorePasswd and truststorePasswd envFrom: {} # - secretRef: # name: test