Dysnix Helm charts
License: Other
To add dysnix charts repository:
helm repo add dysnix https://dysnix.github.io/chartsIt's strongly advised to enable client-side .git/hooks!
cat <<EHD > .git/hooks/pre-push
#!/bin/bash
set -e
repo_path="$(git rev-parse --show-toplevel)"
${repo_path}/githooks/pre-push/chart-version
${repo_path}/githooks/pre-push/helm-lint
${repo_path}/githooks/pre-push/yaml-lint
${repo_path}/githooks/pre-push/kubeval
EHD
chmod +x .git/hooks/pre-push
![dependabot[bot] avatar](https://avatars.githubusercontent.com/in/29110?v=4 "dependabot[bot]")
When trying to deploy this chart as a part of https://github.com/cetic/helm-nifi, I got the issue Secret "nifi-registry-config" is invalid: metadata.annotations: Too long: must have at most 262144 characters. I needed to remove the sample database and secret to get this to deploy correctly.
Hello!
I'm trying to deploy nifi-registry with security and OIDC authnetication. This is my configuration values.yaml:
cat charts/nifi-registry/values.yaml
# Default values for nifi-registry.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
replicaCount: 1
image:
repository: apache/nifi-registry
pullPolicy: IfNotPresent
tag: "0.8.0"
initContainers:
git:
image: alpine/git
tag: v2.26.2
alpine:
image: alpine
tag: 3.6
# Additional environment variables to set for the initContainers
extraEnvs: []
# extraEnvs:
# - name: FOO
# value: bar
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
serviceAccount:
# Specifies whether a service account should be created
create: true
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
podAnnotations: {}
podSecurityContext: {}
# fsGroup: 2000
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
service:
type: ClusterIP
port: 18080
ingress:
#### enabled: false
#### annotations: {}
#### # kubernetes.io/ingress.class: nginx
#### # kubernetes.io/tls-acme: "true"
#### hosts:
#### - host: chart-example.local
#### paths: []
#### tls: []
#### # - secretName: chart-example-tls
#### # hosts:
#### # - chart-example.local
enabled: true
annotations: {
nginx.ingress.kubernetes.io/backend-protocol: "HTTP",
nginx.ingress.kubernetes.io/ssl-redirect: "true" ,
nginx.ingress.kubernetes.io/affinity: cookie
}
hosts:
- host: registry-cetic.domain.net
paths:
- /
tls:
- hosts:
- registry-cetic.domain.net
## Persist data to a persistent volume
persistence:
enabled: true
database:
# storageClass: "-"
accessMode: ReadWriteOnce
size: 10Gi
flowStorage:
# storageClass: "-"
accessMode: ReadWriteOnce
size: 10Gi
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
nodeSelector: {}
tolerations: []
affinity: {}
flowProvider:
git:
enabled: false
# Repository to be cloned at pod startup
url:
# Sets NIFI_REGISTRY_GIT_REMOTE for update_flow_provider.sh
remote: origin
# Sets NIFI_REGISTRY_GIT_USER for update_flow_provider.sh
user:
# Sets NIFI_REGISTRY_GIT_PASSWORD for update_flow_provider.sh
password:
# Global Git configuration See https://git-scm.com/docs/git-config for more details.
config:
enabled: false
data: ""
# data: |
# [credential "https://github.com"]
# username = foo
ssh:
# To use an SSH public/private keypair as a Kubernetes secret:
# 1. Generate a SSH key named id_rsa:
# ssh-keygen -q -N "" -f ./id_rsa
# 2. Create a Kubernetes secret:
# kubectl -n nifi-registry create secret generic nifi-registry-git-ssh --from-file=./id_rsa
# 3. Don't check these key files into your Git repository! Once you've created
# the Kubernetes secret, Delete the private key:
# rm ./id_rsa
# 4. Add ./id_rsa.pub as a deployment key with write access in your Git repo
# 5. Set the secret name (e.g., nifi-registry-git-ssh) here:
secretName:
# 6. Provide the public key(s) of the SSH server(s) for $HOME/.ssh/known_hosts
known_hosts:
# 7. Set the GIT_SSH_COMMAND
gitSshCommand: "ssh -v"
# 8. specify the config which would go in $HOME/.ssh/config file, for e.g.
# config: |
# Host github.com
# ProxyCommand socat STDIO PROXY:<proxyIP>:%h:%p,proxyport=<proxyPort>,proxyauth=<username:password>
# User git
# Hostname ssh.github.com
# Port 443
# IdentityFile /etc/fluxd/ssh/identity
# or, if using an SSH public/private keypair:
config: |
StrictHostKeyChecking accept-new
postgres:
enabled: false
driverURL: https://jdbc.postgresql.org/download/
fileName: postgresql-42.2.6.jar
driverClass: org.postgresql.Driver
url: jdbc:postgresql://localhost/nifireg
username: nifireg
password: nifireg
# Additional environment variables to set
extraEnvs: []
# extraEnvs:
# - name: FOO
# value: bar
tests:
images:
busybox:
image: busybox
tag: 1.33.1
# Configuration to run NiFi Registry securely
# c.f. https://nifi.apache.org/docs/nifi-registry-docs/html/administration-guide.html#security_configuration
# TLS keystores and truststores must be configured to run secure;
# see (e.g.) certManager (below)
security:
# Disabled by default (following the principle of least astonishment)
#### enabled: false
enabled: true
#### needClientAuth: true
needClientAuth: true
httpsHost: "0.0.0.0"
httpsPort: 18443
admin: [email protected]
persistence:
# storageClass: "-"
accessMode: ReadWriteOnce
size: 1Gi
# ConfigMap with users.xml and authorizations.xml keys; note that these
# settings will override the admin: key above if present
authConf:
# cert-manager support
# Setting this true will have cert-manager create a private CA just for NiFi Registry,
# including certificates for each NiFi Registry node.
certManager:
# If true, use cert-manager to create and rotate intra-NiFi-Registry-cluster
# TLS keys (note that cert-manager is a Kubernetes cluster-wide resource, so
# is not installed automatically by this chart); c.f. https://cert-manager.io
enabled: true
# TLS Common Name of a client, suitable for using as an initial administrator.
# The client certificate (including private key) will be in a Kubernetes
# TLS secret of the name {{ template "nifi-registry.fullname"}}-client
clientCommonName: ""
# Kubernetes cluster top level domain, to generate fully qualified domain names
# for certificate Common Names
clusterDomain: cluster.local
# Java Key Store (JKS) password for NiFi Registry keystore
keystorePasswd: XXXXXXXXXXXXXX
# Java Key Store (JKS) password for NiFi Registry truststore
truststorePasswd: XXXXXXXXXXXXXX
# Additional DNS names to incorporate into TLS certificates (e.g. where users
# point browsers to access the NiFi Registry UI)
additionalDnsNames:
- localhost
- registry-cetic.domain.net
# Names of Kubernetes secrets containing ca.crt keys to add to the
# NiFi Registry truststore (e.g. CAs of NiFi Registry clients)
caSecrets:
# If your (e.g.) OIDC server is using TLS with a private CA, then set this
# to true so that Java will use the cert-manager-derived TrustStore:
replaceDefaultTrustStore: true
# How often the sidecar refreshes the NiFi keystore and truststore from
# the cert-manager Kubernetes secrets (and other caSecrets)
refreshSeconds: 300
# sidecar resources needed to populate and refresh those secrets
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 100m
memory: 128Mi
# cert-manager takes care of rotating the TLS certificates, so default
# their lifetime to 90 days. But when the CA expires you may need to
# 'helm delete' the cluster, delete all the TLS certificates and secrets,
# and then 'helm install' the NiFi Registry cluster again. If a site-to-site trusted
# CA or a NiFi Registry CA certificate expires, you'll need to restart all
# pods to pick up the new version of the CA certificate. So default the CA
# lifetime to 10 years to avoid that happening very often.
# c.f. https://github.com/cert-manager/cert-manager/issues/2478#issuecomment-1095545529
certDuration: 2160h
caDuration: 87660h
# oidc support
oidc:
# If true, use OIDC for authentication.
enabled: true
# URL for NiFi to discover the OIDC provider
discoveryURL: https://sso.example.com/realms/nifi-registry-sand/.well-known/openid-configuration
# Client ID
clientId: nifi-registry-sand
# Client Secret
clientSecret: XXXXXXXXXXXXXXXXXXXXXXX
# OIDC Claim that identifies the user
claimIdentifyingUser: email
# OIDC Connection Timeout
connectTimeout: "5 secs"
# OIDC Read Timeout
readTimeout: "5 secs"
And the result when I trying to upgrade helm release:
helm upgrade nifi -n oidc-nifi ./
coalesce.go:163: warning: skipped value for initContainers: Not a table.
W0915 13:03:43.029418 8302 warnings.go:70] networking.k8s.io/v1beta1 Ingress is deprecated in v1.19+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
W0915 13:03:43.033441 8302 warnings.go:70] networking.k8s.io/v1beta1 Ingress is deprecated in v1.19+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
W0915 13:03:43.041271 8302 warnings.go:70] networking.k8s.io/v1beta1 Ingress is deprecated in v1.19+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
Error: UPGRADE FAILED: failed to create resource: admission webhook "webhook.cert-manager.io" denied the request: spec.commonName: Too long: must have at most 64 bytesI got the integration of a three nodes NiFi cluster with oidc authentication provided by keycloak, but I can't resolve this issue.
Can anybody help me?
Thank's so much!!!
Hello,
your proxysql is working very nice, thx for you work!,
can we add this things:
select * from mysql_replication_hostgroups; mysql_replication_hostgroups:
- comment: "cluster1"
writer_hostgroup: "1"
reader_hostgroup: "2"
if i do this manually, its working, before next reboot of proxysql
INSERT INTO mysql_replication_hostgroups (writer_hostgroup,reader_hostgroup,comment) VALUES (1,2,'cluster1');
2) storageclass for saving configs, each reboot/restart daemonset proxysql, clean my mysql_replication_hostgroups
Currently, ProxySQL stores sensitive data (e.g. user passwords) in the ConfigMap. If I were to make a PR with the below would that be merged?
Hi,
Im reviewing your Nifi Registry chart and found that the app version is not the same as the docker image which is version 0.7.0:
appVersion: 0.6.0
Im thinking about making a PR to bump the version to 0.0.8, do you want this fixed first or just skip this?
I see the pritunl service is fixed with LoadBalancer: https://github.com/dysnix/charts/blob/master/dysnix/pritunl/templates/service.yaml#L13
Any objections to allow this to be configurable?
I'm trying to expose it with ClusterIP and route using nginx-ingress-controller
Hello !
Im trying to run the nifi registry chart and I switched the service from clusterip to LoadBalancer, the notes tells me that I need to wait a few minutes for load balancer goes up, but even after hours the deploy dont work.
Is this a normal behavior ?
Ps: Im using the latest version of the chart
✖︎ geth => (version: "0.3.0", path: "dysnix/geth") > Error waiting for process: exit status 1
✔︎ grafana-dashboards => (version: "0.2.1", path: "dysnix/grafana-dashboards")
✖︎ kafkamagic => (version: "0.2.2", path: "dysnix/kafkamagic") > Chart doesn't have maintainers
✔︎ nginx => (version: "7.1.7", path: "dysnix/nginx")
✔︎ nifi-registry => (version: "0.2.1", path: "dysnix/nifi-registry")
✔︎ pritunl => (version: "0.1.13", path: "dysnix/pritunl")
✔︎ proxysql => (version: "0.1.4", path: "dysnix/proxysql")
✖︎ pullsecrets => (version: "0.2.0", path: "dysnix/pullsecrets") > Chart doesn't have maintainers
In the given values I only see two fields for external MongoDB and no explanation for what type of data needs to be inserted. After I tried to insert default mongo connection string like this:
mongodb://user:password@host/db
I got the error on pod start: Error: secret "pritunl-mongodb" not found
Can you please explain how to achieve configuration with external MongoDB?
Hi, could you add a License and a README?
Hi
Just noticed that chart-releaser uploaded the nifi-registry 0.3.2 release, but the index.yaml update was not triggered, see the actions log and the index.yaml is still showing the 0.3.1 release as the latest version. Is there still a manual action that needs to trigger the update for the index.yaml or is this a bug?
Hi,
I am trying to add oidc for NiFi registry and therefore was trying to enable security for NiFi Registry by changing enabled=true for security. However, I am getting this error: "Failed to start web server: nifi.registry.security.keystore must be provided to configure Jetty for HTTPs while enabling oidc". Can you please let me know how to handle this error.
Dear nifi-registry chart support,
Could we add git branch support for nifi-registry's values.yaml?
I tried to add branch name like - branch: 'develop' but no luck, all flow files always write to master branch instead. How do I use and integrate with specific branch with nifi-registry in values.yaml?
thanks a lot for help!
flowProvider:
git:
enabled: true
url: 'https://user:[email protected]/developers/nifi_flows'
remote: 'origin'
branch: 'develop'
user: 'user'
password: 'passwd'
Hello
I'm using the helm chart nifi-registry version 1.1.4, and it seems that when I deploy it with the following custom values, the flowPersistenceProvider in the file conf/providers.xml, is not set to org.apache.nifi.registry.provider.flow.DatabaseFlowPersistenceProvider, but to the default value org.apache.nifi.registry.provider.flow.FileSystemFlowPersistenceProvider
I'm using the docker image apache/nifi-registry:1.22.0
image:
repository: apache/nifi-registry
pullPolicy: IfNotPresent
tag: "1.22.0"
flowProvider:
postgres:
driverClass: org.postgresql.Driver
driverURL: https://jdbc.postgresql.org/download/
enabled: true
fileName: postgresql-42.2.6.jar
password: ******
url: jdbc:postgresql://postgresql/nifiregistry
username: *****
persistence:
enabled: false
I think that it's related to the bash script /opt/nifi-registry/scripts/update_flow_provider.sh, that takes into account the env variable NIFI_REGISTRY_FLOW_PROVIDER and the possible values git, file, database. In my case the env variable NIFI_REGISTRY_FLOW_PROVIDER is set to postgres and not to database
Thanks in advance for your help
Hello guys, can we implement multi port to deploy multi Organization configuration and multi servers , because just port 1194 are reachable, but for multi organization and multi servers we need more that one 1195, 1196 etc
It is good to have possibility to configure in from values file
Dear dysnix/charts support team,
I was redirected from cetic/helm-nifi#182 by cetic/helm-nifi support team, thinking this maybe related to chart maintained here.
All the detail of this issue has been listed in cetic/helm-nifi#182, but I can capture all here:
Wish to seek help to overcome this strange issue accessing nifi-registry service via k8s port-forward. I had k8s cluster at remote so access all services UI via k8s port-forward. However, for accessing nifi-registry via k8s port-forward, no matter what local port I use, nifi-registry service seems never respond to request, but nifi service always works.
Why nifi service always works while nifi-registry service never regardless local port chosen? Is there any specifically additional tricks need to setup for nifi-registry in this helm-chart? Anything I might missed in value.yaml may caused this?
Here is my helm chart setup:
nifi:
helm:
# https://github.com/cetic/helm-nifi/tree/0.7.8
version: 0.7.8
image:
# https://hub.docker.com/r/apache/nifi/tags
tag: 1.13.0
value.yaml contains following to enable nifi-registry pod and service
registry:
enabled: true
port: 80
url: "nifi-registry"
% kubectl get svc -n data-pipeline -o wide
...
nifi ClusterIP 100.70.32.121 8080/TCP,9929/TCP 25h app=nifi,release=nifi
nifi-headless ClusterIP None 8080/TCP,6007/TCP 25h app=nifi,release=nifi
nifi-registry ClusterIP 100.71.235.65 80/TCP 25h app.kubernetes.io/instance=nifi,app.kubernetes.io/name=registry
nifi-registry service (tcp port 80) works fine if access inside k8s cluster. However, if I try to access after k8s port-forward, it never respond.
-- from terminal A:
% kubectl port-forward sts/nifi-registry --namespace data-pipeline 20337:80
Forwarding from 127.0.0.1:20337 -> 80
Forwarding from [::1]:20337 -> 80
Handling connection for 20337
E1025 11:56:34.256702 10540 portforward.go:400] an error occurred forwarding 20337 -> 80: error forwarding port 80 to pod 559b96d74c2830f98345b7a4ea031153c5dc750175197e1e02d0f04626c57e43, uid : exit status 1: 2021/10/25 18:56:34 socat[2684522] E connect(5, AF=2 127.0.0.1:80, 16): Connection refused
E1025 11:56:34.256719 10540 portforward.go:400] an error occurred forwarding 20337 -> 80: error forwarding port 80 to pod 559b96d74c2830f98345b7a4ea031153c5dc750175197e1e02d0f04626c57e43, uid : exit status 1: 2021/10/25 18:56:34 socat[2684523] E connect(5, AF=2 127.0.0.1:80, 16): Connection refused
Handling connection for 20337
-- from terminal B:
% curl -vv http://localhost:20337/nifi-registry/
- Trying ::1...
- TCP_NODELAY set
- Connected to localhost (::1) port 20337 (#0)
GET /nifi-registry/ HTTP/1.1
Host: localhost:20337
User-Agent: curl/7.64.1
Accept: /
- Empty reply from server
However, if I port-forward to nifi (similarly to all other k8s service) via port-forward, it will respond request and access UI always works.
% curl -vv http://localhost:20337/nifi
- Trying ::1...
- TCP_NODELAY set
- Connected to localhost (::1) port 20337 (#0)
GET /nifi HTTP/1.1
Host: localhost:20337
User-Agent: curl/7.64.1
Accept: /< HTTP/1.1 302 Found
< Date: Mon, 25 Oct 2021 19:20:55 GMT
< Location: http://localhost:20337/nifi/
< Content-Length: 0
< Server: Jetty(9.4.35.v20201120)
Thank you very much for your kind help!
Hi Team,
Could you please remove the redundant command key from the manifest as it's causing deployment to fail while deploying through flux?
https://github.com/dysnix/charts/blob/master/dysnix/nifi-registry/templates/statefulset.yaml#L68
Thanks,
Hussain
When deploying the NiFi Registry, a permission error may occur on the auth-conf folder.
This is due to a bug in helm chart which omits the setting of permissions on this folder.
Either the permissions on this folder have to be set manually once, or the folder has to be added to the initContainers script.
svc-monitoring.yaml creates Kubernetes service with targetPort: monitoring:
ports:
- name: monitoring
port: 6060
targetPort: monitoring
But monitoring port is not defined in statefulset.yaml:
ports:
- name: rpc
containerPort: {{ .Values.http.port }}
- name: ws
containerPort: {{ .Values.ws.port }}
Please add "monitoring" port in StatefulSet
Thank you
Hello, Please help!!
I am trying to use nifi-registry in secured mode. I have install cert-manager and turn on security in the values.yaml file.
Everything look fine. I can get the certificates with the kubectl tool.
The problem is when I try to access the UI of the nifi-registry, I get the following error.
This site can’t provide a secure connectionlocalhost didn’t accept your login certificate, or one may not have been provided.
Try contacting the system admin.
ERR_BAD_SSL_CLIENT_AUTH_CERT
I have already install the client certificate generate by cert manager to my OS.
Please help me. What am I doing wrong?
Thank you
Hi,
Is this chart compatible with authentication for registry?
Can you provide some guidance on how to configure it in order to avoid having anonymous users?
am deploying nifi and nifi-registry on aks and everything is working but the integration with git.
I try almost everything
change persistance from true to false, tried username and password auth.
this code is part of the values.yaml of nifi.
registry:
## If true, install the Nifi registry
enabled: true
url: ""
port: 80
# Default values for nifi-registry.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
replicaCount: 1
image:
repository: apache/nifi-registry
pullPolicy: Always
tag: "0.8.0"
initContainers:
git:
image: alpine/git
tag: v2.26.2
# alpine:
# image: alpine
# tag: "3.6"
# Additional environment variables to set for the initContainers
extraEnvs: []
# extraEnvs:
# - name: FOO
# value: bar
service:
type: LoadBalancer
httpsport: 18080
ingress:
enabled: false
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
hosts:
- host: chart-example.local
paths: []
tls: []
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
## Persist data to a persistent volume
persistence:
enabled: false
database:
# storageClass: "-"
accessMode: ReadWriteOnce
size: 1Gi
flowStorage:
# storageClass: "-"
accessMode: ReadWriteOnce
size: 1Gi
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
bundleProvider:
file:
enabled: true
# -- the path in the running pod where the git repo will be cloned into
# either absolute or relative to the container working directory, which is NIFI_REGISTRY_HOME
# If you elect to use a non-default location, you must also update the property associated.
storageDirectory: ./extension_bundles
flowProvider:
git:
enabled: true
# Repository to be cloned at pod startup
url: '[email protected]:N****ni/***.git'
# Sets NIFI_REGISTRY_GIT_REMOTE for update_flow_provider.sh
remote: 'origin'
# Sets NIFI_REGISTRY_GIT_USER for update_flow_provider.sh
user:
# Sets NIFI_REGISTRY_GIT_PASSWORD for update_flow_provider.sh
password:
# passwordSecret(Name|Key) is the name and key of the k8s secret holding the password (can be used instead of password)
# passwordSecretName:
# passwordSecretKey:
# Global Git configuration See https://git-scm.com/docs/git-config for more details.
config:
enabled: false
data: ""
# data: |
# [credential "https://github.com"]
# username = foo
ssh:
# To use an SSH public/private keypair as a Kubernetes secret:
# 1. Generate a SSH key named id_rsa:
# ssh-keygen -q -N "" -f ./id_rsa
# 2. Create a Kubernetes secret:
# kubectl -n nifi-registry create secret generic nifi-registry-git-ssh --from-file=./id_rsa
# 3. Don't check these key files into your Git repository! Once you've created
# the Kubernetes secret, Delete the private key:
# rm ./id_rsa
# 4. Add ./id_rsa.pub as a deployment key with write access in your Git repo
# 5. Set the secret name (e.g., nifi-registry-git-ssh) here:
secretName: 'nifi-registry-git-ssh'
# 6. Provide the public key(s) of the SSH server(s) for $HOME/.ssh/known_hosts
knownHosts: |
github.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY7GidjMIZ7Q4zMjA2n1nGrlTDkzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1vN1/wsjk=
# 7. Set the GIT_SSH_COMMAND
gitSshCommand: "ssh -v"
# 8. specify the config which would go in $HOME/.ssh/config file, for e.g.
# config: |
# Host github.com
# ProxyCommand socat STDIO PROXY:<proxyIP>:%h:%p,proxyport=<proxyPort>,proxyauth=<username:password>
# User git
# Hostname ssh.github.com
# Port 443
# IdentityFile /etc/fluxd/ssh/identity
# or, if using an SSH public/private keypair:
config: |
StrictHostKeyChecking accept-new
postgres:
enabled: false
driverURL: https://jdbc.postgresql.org/download/
fileName: postgresql-42.2.6.jar
driverClass: org.postgresql.Driver
url: jdbc:postgresql://localhost/nifireg
username: nifireg
password: nifireg
The values file of this chart provides a way to configure the NiFi Registry to use oidc and certificate based authentication for the secure mode.
For my usecase I require the option to use an LDAP server to do the user authentication since there is no oicd server.
Hi, the latest nifi-registry version which available in the repo (https://dysnix.github.io/charts) is 1.1.0.
I need version 1.1.1 in order to fix the ingress issue.
I can see the version in the releases page but not in the repo (also does'n exist here).
I think it because the action failed: https://github.com/dysnix/charts/actions/runs/2905447190/jobs/4624415687
Can you fix it please and deploy version 1.1.1?
Thank you!
file:
enabled: true
# -- the path in the running pod where the git repo will be cloned into
# either absolute or relative to the container working directory, which is NIFI_REGISTRY_HOME
# If you elect to use a non-default location, you must also update the property associated.
storageDirectory:
flowProvider:
git:
enabled: true
# Repository to be cloned at pod startup
url:
# Sets NIFI_REGISTRY_GIT_REMOTE for update_flow_provider.sh
remote: origin
# Sets NIFI_REGISTRY_GIT_USER for update_flow_provider.sh
user:
# Sets NIFI_REGISTRY_GIT_PASSWORD for update_flow_provider.sh
password:
I use this configuration in the nifi registry to connect with gitlab but it's not work
In the storage directory add the repo name with ./
In the URL section add the repo https URL
Add the Username and Password .In the Password section add the token of our gitlab
Please suggest a way to integrate the nifi-registry with gitlab
When using the chart with latest Nifi Registry, it never gets into a running state, because the readiness probe keeps getting connetion refused.
This has been observed with security.enabled=false
Hi
I am using nifi-registry 0.3.5 deployed in k8s with istio enabled and i am able to reach registry UI (after setting hostname to "0.0.0.0").
However, when configuring the registry url (https://nifi-registry.network-packet.staging.xxx.net/nifi-registry) on nifi and then trying to start version control in a PG have the following error:
Seems nifi does not trust CA which is let´s encrypt. Isn´t registry compatible with istio? Any idea on how to overcome this issue?
Below my config.
Values.yaml:
# Default values for nifi-registry.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
replicaCount: 1
image:
repository: apache/nifi-registry
pullPolicy: IfNotPresent
tag: "0.8.0"
initContainers:
git:
image: alpine/git
tag: v2.26.2
alpine:
image: alpine
tag: 3.6
# Additional environment variables to set for the initContainers
extraEnvs: []
# extraEnvs:
# - name: FOO
# value: bar
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
serviceAccount:
# Specifies whether a service account should be created
create: true
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
podAnnotations: {}
#podAnnotations:
# sidecar.istio.io/inject: "false"
podSecurityContext: {}
# fsGroup: 2000
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
service:
type: ClusterIP
port: 18080
ingress:
enabled: false
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
hosts:
- host: chart-example.local
paths: []
tls: []
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
## Persist data to a persistent volume
persistence:
enabled: true
database:
# storageClass: "-"
accessMode: ReadWriteOnce
size: 1Gi
flowStorage:
# storageClass: "-"
accessMode: ReadWriteOnce
size: 1Gi
#resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
resources:
requests:
memory: 512Mi
cpu: 100m
limits:
memory: 1Gi
cpu: 200m
#Required to use dedicated compute
#nodeSelector: {}
nodeSelector:
function: nifi-network-packet
#Required to use dedicated compute
#tolerations: []
tolerations:
- effect: NoSchedule
key: function
operator: Equal
value: nifi-network-packet
affinity: {}
flowProvider:
git:
enabled: false
url:
remote: origin
user:
password:
# The secret name can be used to supply your own SSH key:
# 1. Generate a SSH key named identity:
# ssh-keygen -q -N "" -f ./identity
# 2. Create a Kubernetes secret:
# kubectl -n nifi-registry create secret generic nifi-registry-git-deploy --from-file=./identity
# 3. Don't check these key files into your Git repository! Once you've created
# the Kubernetes secret, Delete the private key:
# rm ./identity
# 4. Add ./identity.pub as a deployment key with write access in your Git repo
# 5. Set the secret name (default: nifi-registry-git-deploy) below
secretName:
# Global Git configuration See https://git-scm.com/docs/git-config for more details.
config:
enabled: false
secretName: ""
data: ""
# data: |
# [credential "https://github.com"]
# username = foo
postgres:
enabled: false
driverURL: https://jdbc.postgresql.org/download/
fileName: postgresql-42.2.6.jar
driverClass: org.postgresql.Driver
url: jdbc:postgresql://localhost/nifireg
username: nifireg
password: nifireg
# Additional environment variables to set
#extraEnvs: []
#extraEnvs:
#- name: NIFI_REGISTRY_WEB_HTTP_HOST
# value: "0.0.0.0"
ssh:
# Overrides for git over SSH. If you use your own git server, you
# will likely need to provide a host key for it in this field.
known_hosts: ""
config: ""
# specify the config which would go in /home/nifi/.ssh/config file
# for e.g.
# config: |
# Host github.com
# ProxyCommand socat STDIO PROXY:<proxyIP>:%h:%p,proxyport=<proxyPort>,proxyauth=<username:password>
# User git
# Hostname ssh.github.com
# Port 443
# IdentityFile /etc/fluxd/ssh/identity
tests:
images:
busybox:
image: busybox
tag: 1.33.1
Statefulset.yaml:
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: {{ include "nifi-registry.fullname" . }}
labels:
{{- include "nifi-registry.labels" . | nindent 4 }}
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
{{- include "nifi-registry.selectorLabels" . | nindent 6 }}
serviceName: {{ include "nifi-registry.fullname" . }}
template:
metadata:
{{- with .Values.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "nifi-registry.selectorLabels" . | nindent 8 }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "nifi-registry.serviceAccountName" . }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
initContainers:
{{- if .Values.flowProvider.git.enabled }}
- name: git-clone
image: "{{ .Values.initContainers.git.image }}:{{ .Values.initContainers.git.tag }}"
command:
- sh
- -cex
- |
git clone $(NIFI_REGISTRY_GIT_URL) "/tmp/flow_storage" || git -C "/tmp/flow_storage" pull
cp --dereference /ssh/id_rsa /ssh-dest/
chown -R 1000:1000 /tmp/flow_storage /ssh-dest
env:
- name: NIFI_REGISTRY_GIT_URL
value: {{ .Values.flowProvider.git.url }}
- name: NIFI_REGISTRY_GIT_USER
value: {{ .Values.flowProvider.git.user }}
- name: NIFI_REGISTRY_GIT_PASSWORD
value: {{ .Values.flowProvider.git.password }}
{{- if .Values.initContainers.extraEnvs }}
{{ toYaml .Values.initContainers.extraEnvs | indent 12 }}
{{- end }}
volumeMounts:
- name: "flow-storage"
mountPath: /tmp
{{- if .Values.ssh.known_hosts }}
- name: sshdir
mountPath: /root/.ssh
readOnly: true
{{- end }}
- name: git-key
mountPath: /ssh
readOnly: true
- name: git-key-fixed
mountPath: /ssh-dest
{{- end }}
{{- if .Values.persistence.enabled }}
- name: take-data-dir-ownership
image: "{{ .Values.initContainers.alpine.image }}:{{ .Values.initContainers.alpine.tag }}"
command:
command:
- chown
- -R
- 1000:1000
- /opt/nifi-registry/nifi-registry-current/database
- /opt/nifi-registry/nifi-registry-current/flow_storage
volumeMounts:
- name: "database"
mountPath: /opt/nifi-registry/nifi-registry-current/database
- name: "flow-storage"
mountPath: /opt/nifi-registry/nifi-registry-current/flow_storage
subPath: flow_storage
{{- end }}
containers:
- name: {{ .Chart.Name }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
- bash
- -ce
- |
{{- if .Values.flowProvider.postgres.enabled }}
cd /opt/nifi-registry/nifi-registry-current/ext
mkdir postgresql
cd postgresql
curl -k "{{ .Values.flowProvider.postgres.driverURL }}{{ .Values.flowProvider.postgres.fileName }}" -o "{{ .Values.flowProvider.postgres.fileName }}"
{{- end }}
${NIFI_REGISTRY_BASE_DIR}/scripts/start.sh
ports:
- name: http
containerPort: 18080
protocol: TCP
env:
- name: NIFI_REGISTRY_WEB_HTTP_HOST
value: "0.0.0.0"
{{- if .Values.flowProvider.git.enabled }}
- name: NIFI_REGISTRY_FLOW_PROVIDER
value: git
- name: NIFI_REGISTRY_GIT_REMOTE
value: {{ .Values.flowProvider.git.remote }}
- name: NIFI_REGISTRY_GIT_USER
value: {{ .Values.flowProvider.git.user }}
- name: NIFI_REGISTRY_GIT_PASSWORD
value: {{ .Values.flowProvider.git.password }}
{{- end }}
{{- if .Values.flowProvider.postgres.enabled }}
- name: NIFI_REGISTRY_FLOW_PROVIDER
value: postgres
- name: NIFI_REGISTRY_DB_DIR
value: ./ext/postgresql
- name: NIFI_REGISTRY_DB_CLASS
value: {{ .Values.flowProvider.postgres.driverClass }}
- name: NIFI_REGISTRY_DB_URL
value: {{ .Values.flowProvider.postgres.url }}
- name: NIFI_REGISTRY_DB_USER
value: {{ .Values.flowProvider.postgres.username }}
- name: NIFI_REGISTRY_DB_PASS
value: {{ .Values.flowProvider.postgres.password }}
{{- end }}
{{- if .Values.extraEnvs }}
{{ toYaml .Values.extraEnvs | indent 12 }}
{{- end }}
volumeMounts:
{{ if .Values.persistence.enabled }}
- name: "database"
mountPath: /opt/nifi-registry/nifi-registry-current/database
{{ end }}
{{ if or .Values.persistence.enabled .Values.flowProvider.git.enabled }}
- name: "flow-storage"
mountPath: /opt/nifi-registry/nifi-registry-current/flow_storage
subPath: flow_storage
{{ end }}
{{- if .Values.ssh.known_hosts }}
- name: sshdir
mountPath: /home/nifi/.ssh
readOnly: true
{{- end }}
{{- if .Values.flowProvider.git.enabled }}
{{- if .Values.flowProvider.git.config.enabled }}
- name: git-config
mountPath: /home/nifi/.gitconfig
subPath: gitconfig
readOnly: true
{{- end }}
- name: git-key-fixed
mountPath: /ssh
readOnly: true
{{- end }}
resources:
{{- toYaml .Values.resources | nindent 12 }}
readinessProbe:
tcpSocket:
port: 18080
initialDelaySeconds: 10
periodSeconds: 5
timeoutSeconds: 1
successThreshold: 2
failureThreshold: 3
volumes:
{{- if .Values.ssh.known_hosts }}
- name: sshdir
configMap:
name: {{ template "nifi-registry.fullname" . }}-ssh-config
defaultMode: 0644
{{- end }}
{{- if .Values.flowProvider.git.enabled }}
{{- if not .Values.persistence.enabled }}
- name: flow-storage
emptyDir: {}
{{- end }}
{{- if .Values.flowProvider.git.config.enabled }}
- name: git-config
secret:
secretName: {{ include "flowProvider.git.config.secretName" . }}
defaultMode: 0400
{{- end }}
- name: git-key
secret:
{{- if .Values.flowProvider.git.secretName }}
secretName: {{ .Values.flowProvider.git.secretName }}
{{- else }}
secretName: {{ template "nifi-registry.fullname" . }}-git-deploy
{{- end }}
defaultMode: 0400
- name: git-key-fixed
emptyDir: {}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{ if .Values.persistence.enabled }}
volumeClaimTemplates:
- metadata:
name: database
spec:
accessModes:
- ReadWriteOnce
{{ if .Values.persistence.database.storageClass }}
{{ if (eq "-" .Values.persistence.database.storageClass) }}
storageClassName: ""
{{ else }}
storageClassName: "{{ .Values.persistence.database.storageClass }}"
{{ end }}
{{ end }}
resources:
requests:
storage: {{ .Values.persistence.database.size | quote }}
- metadata:
name: flow-storage
spec:
accessModes:
- ReadWriteOnce
{{ if .Values.persistence.flowStorage.storageClass }}
{{ if (eq "-" .Values.persistence.flowStorage.storageClass) }}
storageClassName: ""
{{ else }}
storageClassName: "{{ .Values.persistence.flowStorage.storageClass }}"
{{ end }}
{{ end }}
resources:
requests:
storage: {{ .Values.persistence.flowStorage.size | quote }}
{{ end }}
virtualservice.yaml:
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
labels:
app: nifi-registry
name: nifi-registry
namespace: network-packet
spec:
gateways:
- network-packet-gateway
hosts:
- nifi-registry.network-packet.staging.xxxx.net
http:
- match:
- uri:
prefix: /
route:
- destination:
host: nifi-registry.network-packet.svc.cluster.local
port:
number: 18080
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.