Update Github Action: bump action, minikube and Kubernetes versions (…

…ctd) Update LDAP parameters * Add envFrom for loading env from secrets, and subsets them. * Fix LDAP parameters in config files * Upgrade app version * Fix format for nifi.provenance.repository.debug.frequency * Add commenst for ingress in values.yaml * Fix hardoded busybox image tag in ca app * Fix hardcoded ldap parameters in authorizers.xml * Add logback.xml for log level * Fix hardcode and add new parameters in login-identity-providers-ldap.xml * Update hardcode and add new parameters in nifi.properties * Replace command cat to envsubst for using env vars aka source of params in configs * Update app version * Add clusterDomain aka global parameter
cetic · Dec 6, 2022 · f7c9072 · f7c9072
1 parent a4275f8
commit f7c9072
Show file tree

Hide file tree

Showing 8 changed files with 76 additions and 68 deletions.
diff --git a/.github/workflows/test-oidc.yml b/.github/workflows/test-oidc.yml
@@ -65,10 +65,10 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v1
       - name: Setup Minikube
-        uses: manusa/actions-setup-minikube@v2.4.1
+        uses: manusa/actions-setup-minikube@v2.7.1
         with:
-          minikube version: 'v1.20.0'
-          kubernetes version: 'v1.20.2'
+          minikube version: 'v1.26.1'
+          kubernetes version: 'v1.25.0'
       - name: Checkout code
         uses: actions/checkout@v1
       - name: Install dependencies

diff --git a/.github/workflows/test-persistence.yml b/.github/workflows/test-persistence.yml
@@ -81,10 +81,10 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v1
       - name: Setup Minikube
-        uses: manusa/actions-setup-minikube@v2.4.1
+        uses: manusa/actions-setup-minikube@v2.7.1
         with:
-          minikube version: 'v1.20.0'
-          kubernetes version: 'v1.20.2'
+          minikube version: 'v1.26.1'
+          kubernetes version: 'v1.25.0'
       - name: Checkout code
         uses: actions/checkout@v1
       - name: Install dependencies

diff --git a/Chart.yaml b/Chart.yaml
@@ -2,7 +2,7 @@
 apiVersion: v2
 name: nifi
 version: 1.1.4
-appVersion: 1.18.0
+appVersion: 1.19.0
 description: Apache NiFi is a software project from the Apache Software Foundation designed to automate the flow of data between software systems.
 keywords:
   - nifi

diff --git a/configs/authorizers.xml b/configs/authorizers.xml
@@ -48,7 +48,7 @@
         <property name="Users File">./auth-conf/users.xml</property>
         <property name="Legacy Authorized Users File"></property>
         {{- range $i := until $replicas }}
-        <property name="Initial User Identity {{ $i }}">CN={{ template "apache-nifi.fullname" $ }}-{{ . }}.{{ template "apache-nifi.fullname" $ }}-headless.{{ $.Release.Namespace }}.svc.{{ $.Values.clusterDomain }}, OU=NIFI</property>
+        <property name="Initial User Identity {{ $i }}">CN={{ $fullname }}-{{ $i }}.{{ $fullname }}-headless.{{ $namespace }}.svc.{{ $.Values.clusterDomain }}, OU=NIFI</property>
         {{- end }}
         {{- if and .Values.auth.ldap.enabled (not .Values.auth.admin) }}
         <property name="Initial User Identity admin">{{.Values.auth.ldap.initialAdmin}}</property>
@@ -117,18 +117,23 @@
         NOTE: Any identity mapping rules specified in nifi.properties will also be applied to the user identities.
             Group names are not mapped.
     -->
-    {{- if .Values.auth.ldap.enabled}}
+    {{- if .Values.auth.ldap.enabled }}
     <userGroupProvider>
         <identifier>ldap-user-group-provider</identifier>
         <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
         <property name="Authentication Strategy">{{.Values.auth.ldap.authenticationStrategy}}</property>
         <property name="Manager DN">{{.Values.auth.ldap.managerDN}}</property>
         <property name="Manager Password">{{.Values.auth.ldap.managerPassword}}</property>
+        <property name="TLS - Keystore Password">{{.Values.auth.SSL.keystorePasswd}}</property>
+        <property name="TLS - Keystore Type">JKS</property>
+        {{- if .Values.certManager.enabled }}
         <property name="TLS - Keystore">/opt/nifi/nifi-current/tls/keystore.jks</property>
-        <property name="TLS - Keystore Password">{{.Values.auth.SSL.keystorePassword}}</property>
-        <property name="TLS - Keystore Type">jks</property>
         <property name="TLS - Truststore">/opt/nifi/nifi-current/tls/truststore.jks</property>
-        <property name="TLS - Truststore Password">{{.Values.auth.SSL.truststorePassword}}</property>
+        {{- else }}
+        <property name="TLS - Keystore">/opt/nifi/nifi-current/tls/{{.Release.Name}}-0.{{.Release.Name}}-headless.{{.Release.Namespace}}.svc.{{.Values.clusterDomain}}/keystore.jks</property>
+        <property name="TLS - Truststore">/opt/nifi/nifi-current/tls/{{.Release.Name}}-0.{{.Release.Name}}-headless.{{.Release.Namespace}}.svc.{{.Values.clusterDomain}}/truststore.jks</property>
+        {{- end }}
+        <property name="TLS - Truststore Password">{{.Values.auth.SSL.truststorePasswd}}</property>
         <property name="TLS - Truststore Type">JKS</property>
         <property name="TLS - Client Auth">NONE</property>
         <property name="TLS - Protocol">TLS</property>
@@ -155,7 +160,7 @@
         <property name="Group Member Attribute">{{.Values.auth.ldap.groupMemberAttribute}}</property>
         <property name="Group Member Attribute - Referenced User Attribute"></property>
     </userGroupProvider>
-    {{- end}}
+    {{- end }}
 
     <!--
         The CompositeUserGroupProvider will provide support for retrieving users and groups from multiple sources.
@@ -165,14 +170,14 @@
             NOTE: Any identity mapping rules specified in nifi.properties are not applied in this implementation. This behavior
             would need to be applied by the base implementation.
     -->
-    {{- if .Values.auth.ldap.enabled}}
+    {{- if .Values.auth.ldap.enabled }}
     <userGroupProvider>
         <identifier>composite-configurable-user-group-provider</identifier>
         <class>org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider</class>
         <property name="Configurable User Group Provider">file-user-group-provider</property>
         <property name="User Group Provider 1">ldap-user-group-provider</property>
     </userGroupProvider>
-    {{- end}}
+    {{- end }}
 
     <!--
         The CompositeConfigurableUserGroupProvider will provide support for retrieving users and groups from multiple sources.
@@ -230,7 +235,7 @@
         {{- end}}
         <property name="Legacy Authorized Users File"></property>
         {{- range $i := until $replicas }}
-        <property name="Node Identity {{ $i }}">CN={{ template "apache-nifi.fullname" $ }}-{{ . }}.{{ template "apache-nifi.fullname" $ }}-headless.{{ $.Release.Namespace }}.svc.{{ $.Values.clusterDomain }}, OU=NIFI</property>
+        <property name="Node Identity {{ $i }}">CN={{ $fullname }}-{{ $i }}.{{ $fullname }}-headless.{{ $namespace }}.svc.{{ $.Values.clusterDomain }}, OU=NIFI</property>
         {{- end }}
         <property name="Node Identity"></property>
     </accessPolicyProvider>

diff --git a/configs/nifi.properties b/configs/nifi.properties
@@ -147,7 +147,7 @@ nifi.sensitive.props.algorithm={{ .Values.properties.algorithm }}
 nifi.sensitive.props.provider=BC
 nifi.sensitive.props.additional.keys=
 
-{{if .Values.auth.clientAuth.enabled}}
+{{- if .Values.auth.clientAuth.enabled }}
 nifi.security.keystore=/opt/nifi/nifi-current/config-data/certs/keystore.jks
 nifi.security.keystoreType=jks
 nifi.security.keystorePasswd={{.Values.auth.SSL.keystorePasswd}}
@@ -157,18 +157,23 @@ nifi.security.truststoreType=jks
 nifi.security.truststorePasswd={{.Values.auth.SSL.truststorePasswd}}
 nifi.security.user.authorizer=managed-authorizer
 nifi.security.user.login.identity.provider=
-{{else if .Values.auth.ldap.enabled}}
+{{- else if .Values.auth.ldap.enabled }}
+{{- if .Values.certManager.enabled }}
+nifi.security.truststore=/opt/nifi/nifi-current/tls/truststore.jks
 nifi.security.keystore=/opt/nifi/nifi-current/tls/keystore.jks
+{{- else }}
+nifi.security.truststore=/opt/nifi/nifi-current/tls/{{.Release.Name}}-0.{{.Release.Name}}-headless.{{.Release.Namespace}}.svc.{{.Values.clusterDomain}}/truststore.jks
+nifi.security.keystore=/opt/nifi/nifi-current/tls/{{.Release.Name}}-0.{{.Release.Name}}-headless.{{.Release.Namespace}}.svc.{{.Values.clusterDomain}}/keystore.jks
+{{- end }}
 nifi.security.keystoreType=jks
 nifi.security.keystorePasswd={{.Values.auth.SSL.keystorePasswd}}
 nifi.security.keyPasswd={{.Values.auth.SSL.keystorePasswd}}
-nifi.security.truststore=/opt/nifi/nifi-current/tls/truststore.jks
 nifi.security.truststoreType=jks
 nifi.security.truststorePasswd={{.Values.auth.SSL.truststorePasswd}}
 proxiedEntity={{.Values.auth.ldap.initialAdmin}}
 nifi.security.user.authorizer=managed-authorizer
 nifi.security.user.login.identity.provider=ldap-provider
-{{else if .Values.auth.oidc.enabled}}
+{{- else if .Values.auth.oidc.enabled }}
 nifi.security.keystore=/opt/nifi/nifi-current/conf/keystore.p12
 nifi.security.keystoreType=PKCS12
 nifi.security.keystorePasswd=
@@ -177,7 +182,7 @@ nifi.security.truststore=/opt/nifi/nifi-current/conf/truststore.p12
 nifi.security.truststoreType=PKCS12
 nifi.security.truststorePasswd=
 nifi.security.user.authorizer=managed-authorizer
-{{ else }}
+{{- else }}
 nifi.security.keystore=./conf/keystore.p12
 nifi.security.keystoreType=PKCS12
 nifi.security.keystorePasswd=
@@ -187,10 +192,10 @@ nifi.security.truststoreType=PKCS12
 nifi.security.truststorePasswd=
 nifi.security.user.login.identity.provider=single-user-provider
 nifi.security.user.authorizer=single-user-authorizer
-{{end}}
+{{- end }}
 nifi.security.needClientAuth={{.Values.properties.needClientAuth}}
 
-{{if .Values.auth.oidc.enabled}}
+{{- if .Values.auth.oidc.enabled }}
 # OpenId Connect SSO Properties #
 nifi.security.user.oidc.discovery.url={{.Values.auth.oidc.discoveryUrl}}
 nifi.security.user.oidc.connect.timeout=5 secs
@@ -200,7 +205,7 @@ nifi.security.user.oidc.client.secret={{.Values.auth.oidc.clientSecret}}
 nifi.security.user.oidc.preferred.jwsalgorithm=
 nifi.security.user.oidc.claim.identifying.user={{.Values.auth.oidc.claimIdentifyingUser}}
 nifi.security.user.oidc.additional.scopes={{.Values.auth.oidc.additionalScopes}}
-{{end}}
+{{- end }}
 
 
 # Apache Knox SSO Properties #

diff --git a/templates/statefulset.yaml b/templates/statefulset.yaml
@@ -251,12 +251,12 @@ spec:
 
 {{- /* if .Values.certManager.enabled */}}{{ else }}
 
-          if [ ! -r "${NIFI_HOME}/conf/nifi-cert.pem" ]
+          if [ ! -r "${NIFI_HOME}/tls/nifi-cert.pem" ]
           then
             /opt/nifi/nifi-toolkit-current/bin/tls-toolkit.sh standalone \
-              -n '{{.Release.Name}}-nifi-0.{{.Release.Name}}-nifi-headless.{{.Release.Namespace}}.svc.{{ $.Values.clusterDomain }}' \
+              -n '{{.Release.Name}}-0.{{.Release.Name}}-headless.{{.Release.Namespace}}.svc.{{ $.Values.clusterDomain }}' \
               -C '{{.Values.auth.admin}}' \
-              -o "${NIFI_HOME}/conf/" \
+              -o "${NIFI_HOME}/tls" \
               -P {{.Values.auth.SSL.truststorePasswd}} \
               -S {{.Values.auth.SSL.keystorePasswd}} \
               --nifiPropertiesFile /opt/nifi/nifi-current/conf/nifi.properties
@@ -523,11 +523,8 @@ spec:
               {{- end }}
             {{- end }}
           {{- end }}
-{{- if .Values.certManager.enabled }}
           - name: "tls"
             mountPath: /opt/nifi/nifi-current/tls
-            readOnly: true
-{{- /* if .Values.certManager.enabled */}}{{ end }}
           {{- if .Values.extraVolumeMounts }}
 {{ toYaml .Values.extraVolumeMounts | indent 10 }}
           {{- end }}
@@ -755,12 +752,12 @@ spec:
           items:
             - key: "logback.xml"
               path: "logback.xml"
+      - name: "tls"
+        emptyDir: {}
 {{- if .Values.certManager.enabled }}
       - name: secret-reader-token
         secret:
           secretName: {{ template "apache-nifi.fullname" $ }}-secret-reader-token
-      - name: tls
-        emptyDir: {}
       {{- range .Values.certManager.caSecrets }}
       - name: {{ include "apache-nifi.fullname" $ }}-{{ . }}
         secret:

diff --git a/tests/03-ldap-values.yaml b/tests/03-ldap-values.yaml
@@ -8,7 +8,8 @@ auth:
   ldap:
     enabled: true
     host: ldap://openldap:389
-    searchBase: ou=users,dc=example,dc=org
-    admin: cn=user1,ou=users,dc=example,dc=org
-    pass: password1
+    userSearchBase: ou=users,dc=example,dc=org
+    managerDN: cn=user1,ou=users,dc=example,dc=org
+    initialAdmin: cn=user1,ou=users,dc=example,dc=org
+    managerPassword: password1
     authStrategy: SIMPLE
diff --git a/values.yaml b/values.yaml
@@ -125,10 +125,10 @@ logbackXml:
 # Nifi User Authentication
 auth:
   # If set while LDAP is enabled, this value will be used for the initial admin and not the ldap bind dn / admin
-  admin: nifiAdmin # Initial Admin account username from LDAP-server. You can set the property aka env var
+  admin: CN=admin, OU=NIFI # Initial Admin account username. You can set the property aka env var
   SSL:
-    keystorePassword: changeMe
-    truststorePassword: changeMe
+    keystorePasswd: changeMe
+    truststorePasswd: changeMe
 
   # Automaticaly disabled if OIDC or LDAP enabled
   singleUser:
@@ -143,19 +143,19 @@ auth:
     host: ldap://ldap-server.example.com:389
     userSearchBase: ou=People,dc=example,dc=com
     initialAdmin: nifiAdmin # LDAP account for initialize as admin user
-    userSearchFilter: (memberOf=cn=nifi_users,ou=groups,dc=example,dc=com)
-    userIdentityAttribute: uid
+    userSearchFilter: (objectClass=*) # (memberOf=cn=nifi_users,ou=groups,dc=example,dc=com)
+    userIdentityAttribute: # uid
     authenticationStrategy: SIMPLE # How the connection to the LDAP server is authenticated. Possible values are ANONYMOUS, SIMPLE, LDAPS, or START_TLS.
     identityStrategy: USE_USERNAME # USE_DN or USE_USERNAME
     authExpiration: 12 hours
-    groupSearchBase: ou=Groups,dc=example,dc=com
-    groupObjectClass: groupOfNames
-    referralStrategy: FOLLOW
-    groupNameAttribute: cn
-    groupMemberAttribute: member
+    groupSearchBase: # ou=Groups,dc=example,dc=com
+    groupObjectClass: group # groupOfNames
+    referralStrategy: IGNORE # FOLLOW
+    groupNameAttribute: # cn
+    groupMemberAttribute: # member
     groupSearchScope: ONE_LEVEL # Search scope for searching groups (ONE_LEVEL, OBJECT, or SUBTREE). Required if searching groups.
     userSearchScope: SUBTREE # Search scope for searching users (ONE_LEVEL, OBJECT, or SUBTREE). Required if searching users.
-    userGroupNameAttribute: memberOf
+    userGroupNameAttribute: # memberOf
     managerDN: uid=nifiAdmin,ou=People,dc=example,dc=com # account DN for connection to LDAP-server. You can set the property aka env var
     managerPassword: changeMechangeMe # account password for connection to LDAP-server. You can set the property aka env var
     providerUserSearchFilter: (uid={0})
@@ -234,23 +234,23 @@ service:
 ingress:
   enabled: false
   # className: nginx
-  annotations:
-    kubernetes.io/ingress.class: 'nginx'
-    cert-manager.io/cluster-issuer: your-issuer
-    nginx.ingress.kubernetes.io/affinity: cookie
-    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
-    nginx.ingress.kubernetes.io/upstream-vhost: "localhost:8443"
-    nginx.ingress.kubernetes.io/proxy-redirect-from: "https://localhost:8443"
-    nginx.ingress.kubernetes.io/proxy-redirect-to: "nifi.example.com"
-    nginx.ingress.kubernetes.io/configuration-snippet: |
-      proxy_set_header 'X-ProxyScheme' 'https';
-      proxy_set_header 'X-ProxyPort' '443';
-  tls:
-    - secretName: nifi-ingress-tls
-      hosts:
-        - nifi.example.com
-  hosts:
-    - nifi.example.com
+  annotations: {}
+#    kubernetes.io/ingress.class: 'nginx'
+#    cert-manager.io/cluster-issuer: your-issuer
+#    nginx.ingress.kubernetes.io/affinity: cookie
+#    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+#    nginx.ingress.kubernetes.io/upstream-vhost: "localhost:8443"
+#    nginx.ingress.kubernetes.io/proxy-redirect-from: "https://localhost:8443"
+#    nginx.ingress.kubernetes.io/proxy-redirect-to: "nifi.example.com"
+#    nginx.ingress.kubernetes.io/configuration-snippet: |
+#      proxy_set_header 'X-ProxyScheme' 'https';
+#      proxy_set_header 'X-ProxyPort' '443';
+  tls: []
+#    - secretName: nifi-ingress-tls
+#      hosts:
+#        - nifi.example.com
+  hosts: []
+#    - nifi.example.com
   path: /
   # If you want to change the default path, see this issue https://github.com/cetic/helm-nifi/issues/22
 
@@ -279,7 +279,7 @@ persistence:
   # storageClass: standard
   #
   # The default storage class is used if this variable is not set.
-  storageClass: ''
+
   accessModes: [ReadWriteOnce]
   ## Storage Capacities for persistent volumes
   configStorage:
@@ -379,16 +379,16 @@ openshift:
 ca:
   ## If true, enable the nifi-toolkit certificate authority
   enabled: false
+  persistence:
+    enabled: true
+  server: "" # For example "nifi-ca.default.svc.{{ .Values.clusterDomain }}"
   envFrom: []
   image:
     repository: apache/nifi-toolkit
-  persistence:
-    enabled: false
     accessModes: [ReadWriteOnce]
     storageClass : ''
     initContainer:
       image: busybox:1.32.0
-  server: "" # For example "nifi-ca.default.svc.{{ .Values.clusterDomain }}"
   service:
     port: 9090
   token: sixteenCharacters
@@ -409,7 +409,7 @@ certManager:
   keystorePasswd: changeme
   truststorePasswd: changeme
   replaceDefaultTrustStore: false
-  # For security reason, define secret aka source of env variable for keystorePassword and truststorePassword
+  # For security reason, define secret aka source of env variable for keystorePasswd and truststorePasswd
   envFrom: {}
   # - secretRef:
   #     name: test