Thanks a million Sushil, I was finally able to get it up and running (with SSL). You just made my day, even though it's night time now :). After the tweaks you suggested, it all worked fine.
Thanks again,
Atul

On Mon, Jul 27, 2020 at 11:49 PM Atul Wankhade <[email protected]> wrote:

> That's awesome, sure will take a look.
>
> Thanks,
> Atul
>
> On Mon, Jul 27, 2020, 10:52 PM Sushil Kumar <[email protected]> wrote:
>
>> Hello Atul
>>
>> You can have a look at the chart at
>> https://github.com/sushilkm/nifi-chart repository.
>> I used this chart to generate and use self-signed certificates, and
>> deploy it over Azure.
>>
>> Couple of things to note before you use it:
>> storageclass -> you might need to change the value of storageclass
>> parameter as per where you are trying to deploy
>> https://github.com/sushilkm/nifi-chart/blob/master/nifi/values.yaml#L58
>> You might need to tweak memory parameters as per your requirement, but it
>> should not matter to test deploy.
>> https://github.com/sushilkm/nifi-chart/blob/master/nifi/values.yaml#L49-L54
>> Do not forget to update the default sizes of volumes.
>> https://github.com/sushilkm/nifi-chart/blob/master/nifi/values.yaml#L57-L64
>>
>> There are helpful READMEs in project home as well as in the chart
>> directory.
>> FYI, this is not production code, use at your own risk.
>>
>> Let me know if you have any questions.
>>
>> Thanks
>> Sushil Kumar
>>
>> On Mon, Jul 27, 2020 at 9:15 AM Atul Wankhade <[email protected]>
>> wrote:
>>
>>>
>>> Hi Sushil,
>>>
>>> Would you be kind enough to share the Helm chart unless it's
>>> confidential? I really want to make this setup work. As said above I am
>>> generating the certs in the init container, but I am not sure where they
>>> are getting stored, when I am redirecting to a volume mount I am getting
>>> below error.
>>> initContainers:
>>>   - name: nifi-init
>>>     image: "apache/nifi:1.11.1"
>>>     imagePullPolicy: "IfNotPresent"
>>>     command: ['sh', '-c',
>>>       '/opt/nifi/nifi-toolkit-current/bin/tls-toolkit.sh client -c nifi-ca-cs -t Mytesttoken12345 --dn "CN=$(hostname -f), OU=NIFI"','>','/opt/nifi/flowfile_repository/']
>>>     # volumeMounts:
>>>     #   - mountPath: /opt/certs/
>>>     #     name: certs
>>>     volumeMounts:
>>>       - name: "flowfile-repository"
>>>         mountPath: /opt/nifi/flowfile_repository
>>> [image: image.png]
>>> I even tried to write the whole command within the same quotes, no luck.
>>> Gave cetic helm chart a try after getting rid of that error, now nifi pods
>>> aren't coming up at all :(
>>> Will it be possible to connect personally? Below is my WhatsApp number.
>>>
>>> Thanks again for the helping hand,
>>> Atul
>>> +91 9766545790
>>>
>>> On Sun, Jul 26, 2020 at 11:57 PM Sushil Kumar <[email protected]> wrote:
>>>
>>>> Hello Atul
>>>>
>>>> I wrote the chart myself.
>>>> Cert generation pattern was similar to what you are trying.
>>>> I ran the server as a separate container, and generated client certs in
>>>> init-container.
>>>>
>>>> Thanks
>>>> Sushil
>>>>
>>>> On Sun, Jul 26, 2020, 9:46 AM Atul Wankhade <[email protected]>
>>>> wrote:
>>>>
>>>>> Hi Sushil,
>>>>>
>>>>> I am using Cetic helm chart only. May I know which one you used? Where
>>>>> did you generate the certs?
>>>>>
>>>>> Thanks,
>>>>> Atul
>>>>>
>>>>> On Sat, Jul 25, 2020 at 2:00 AM Sushil Kumar <[email protected]>
>>>>> wrote:
>>>>>
>>>>>> Hello Atul
>>>>>>
>>>>>> I have recently tried using self signed certificates generated using
>>>>>> nifi toolkit while using helm chart.
>>>>>> cetic helm chart is not written completely to accomplish this,
>>>>>> I may be able to help if you can share your helm chart.
>>>>>>
>>>>>> However, as of now the error is in your values.yaml file.
>>>>>>
>>>>>> Thanks
>>>>>> Sushil Kumar
>>>>>>
>>>>>> On Fri, Jul 24, 2020 at 9:14 AM Chris Sampson <
>>>>>> [email protected]> wrote:
>>>>>>
>>>>>>> I don't use or know much about helm, but that error suggests you've
>>>>>>> got something wrong on line 202 of your yaml, so what's on that line (or
>>>>>>> the lines immediately before/after)?
>>>>>>>
>>>>>>> Notice you're using nifi 1.11.1, might be worth considering 1.11.4
>>>>>>> if you can to take advantage of several high priority bug fixes in nifi (but
>>>>>>> that won't affect your helm chart). Also, suggest using the
>>>>>>> apache/nifi-toolkit image for running the toolkit in tls server mode (much
>>>>>>> lighter weight), but again that's not likely to be causing you a problem
>>>>>>> here.
>>>>>>>
>>>>>>>
>>>>>>> Cheers,
>>>>>>>
>>>>>>> Chris Sampson
>>>>>>>
>>>>>>> On Fri, 24 Jul 2020, 15:05 Atul Wankhade, <[email protected]>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Chris I am trying what you have suggested, while passing the init
>>>>>>>> container params in values.yaml getting below error, can you please help to
>>>>>>>> get around this issue.
>>>>>>>> *Error: cannot load values.yaml: error converting YAML to JSON:
>>>>>>>> yaml: line 202: did not find expected ',' or '}'*
>>>>>>>> I am adding below init container config: tried to edit it in
>>>>>>>> multiple ways no luck :(
>>>>>>>>
>>>>>>>> initContainers: {
>>>>>>>>   name: nifi-init
>>>>>>>>   image: "apache/nifi:1.11.1"
>>>>>>>>   imagePullPolicy: "IfNotPresent"
>>>>>>>>   command: ['sh', '-c',
>>>>>>>>     '/opt/nifi/nifi-toolkit-current/bin/tls-toolkit.sh client -c nifi-ca-cs -t Mytesttoken12345 --dn "CN=$(hostname -f), OU=NIFI"','>','/opt/certs']
>>>>>>>>   volumeMounts:
>>>>>>>>     - mountPath: /opt/certs/
>>>>>>>>       name: certs
>>>>>>>> }
>>>>>>>>
>>>>>>>> Created CA service as below:
>>>>>>>> apiVersion: apps/v1
>>>>>>>> kind: ReplicaSet
>>>>>>>> metadata:
>>>>>>>>   name: nifi-ca
>>>>>>>>   namespace: nifi
>>>>>>>>   labels:
>>>>>>>>     app: nifi-ca
>>>>>>>> spec:
>>>>>>>>   # modify replicas according to your case
>>>>>>>>   replicas: 1
>>>>>>>>   selector:
>>>>>>>>     matchLabels:
>>>>>>>>       app: nifi-ca
>>>>>>>>   template:
>>>>>>>>     metadata:
>>>>>>>>       namespace: nifi
>>>>>>>>       labels:
>>>>>>>>         app: nifi-ca
>>>>>>>>     spec:
>>>>>>>>       containers:
>>>>>>>>         - name: nifi-ca
>>>>>>>>           image: apache/nifi:1.9.2
>>>>>>>>           ports:
>>>>>>>>             - containerPort: 8443
>>>>>>>>               name: ca-client-port
>>>>>>>>           command:
>>>>>>>>             - bash
>>>>>>>>             - -c
>>>>>>>>             - |
>>>>>>>>               ../nifi-toolkit-current/bin/tls-toolkit.sh server -c nifi-ca-cs -t <token>
>>>>>>>> ---
>>>>>>>> # Create service for the nifi-ca replica set
>>>>>>>> apiVersion: v1
>>>>>>>> kind: Service
>>>>>>>> metadata:
>>>>>>>>   name: nifi-ca-cs
>>>>>>>>   namespace: nifi
>>>>>>>>   labels:
>>>>>>>>     app: nifi-ca
>>>>>>>> spec:
>>>>>>>>   ports:
>>>>>>>>     - port: 8443
>>>>>>>>       name: ca-client-port
>>>>>>>>       targetPort: 8443
>>>>>>>>   selector:
>>>>>>>>     app: nifi-ca
>>>>>>>>
>>>>>>>> On Fri, Jul 24, 2020 at 10:13 AM Atul Wankhade <
>>>>>>>> [email protected]> wrote:
>>>>>>>>
>>>>>>>>> Hi Andy,
>>>>>>>>>
>>>>>>>>> Sorry for the confusion, NiFi is running inside a container on the
>>>>>>>>> node (image has Java prebuilt). It seems I need to tweak the image to
>>>>>>>>> generate the certs inside the container. I have done the same setup (worked
>>>>>>>>> fine) on Azure where I used to generate the certs on VM itself for Node
>>>>>>>>> Identity so I was trying the same on Kubernetes Node but no Java here. I am
>>>>>>>>> new to K8S/Docker so limited by imagination I assume. TLS toolkit is part
>>>>>>>>> of the NiFi image but nowhere documented as how to use it inside the
>>>>>>>>> container (k8s env).
>>>>>>>>> Need to explore more on what Chris said.
>>>>>>>>>
>>>>>>>>> Thank you guys
>>>>>>>>> Atul
>>>>>>>>>
>>>>>>>>> On Thu, Jul 23, 2020 at 9:27 PM Andy LoPresto <
>>>>>>>>> [email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Chris has a lot of good suggestions there. NiFi can accept
>>>>>>>>>> certificates from any provider as long as they meet certain requirements
>>>>>>>>>> (EKU, SAN, no wildcard, etc.). The toolkit was designed to make the process
>>>>>>>>>> easier for people who could not obtain their certificates elsewhere.
>>>>>>>>>>
>>>>>>>>>> Maybe I am misunderstanding your statement, but I am curious why
>>>>>>>>>> the toolkit can’t run on the node — if you don’t have Java available, how
>>>>>>>>>> does NiFi itself run?
>>>>>>>>>>
>>>>>>>>>> Andy LoPresto
>>>>>>>>>> [email protected]
>>>>>>>>>> *[email protected] <[email protected]>*
>>>>>>>>>> He/Him
>>>>>>>>>> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69
>>>>>>>>>>
>>>>>>>>>> On Jul 23, 2020, at 12:35 AM, Chris Sampson <
>>>>>>>>>> [email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>> My suggestion would be to run the apache/nifi-toolkit image as
>>>>>>>>>> another Pod within your k8s namespace and have it running as a TLS
>>>>>>>>>> Server [1]. You'll probably need to do that separately from your Helm chart
>>>>>>>>>> (I'm not familiar with Helm or this chart).
>>>>>>>>>>
>>>>>>>>>> Then connect to that from your NiFi instances as they start up,
>>>>>>>>>> e.g. with an init-container based on the same apache/nifi-toolkit image
>>>>>>>>>> using the TLS client function [1] to obtain the required TLS certificate
>>>>>>>>>> files from the TLS Server. You can use an emptyDir [2] volume to pass the
>>>>>>>>>> files from the init-container to the NiFi container within the Pod.
>>>>>>>>>>
>>>>>>>>>> If you run the TLS Server as a StatefulSet (or a Deployment) with
>>>>>>>>>> a Persistent Volume Claim that is backed by an external volume within your
>>>>>>>>>> cloud provider (whatever the GKE equivalent is of AWS's EBS volumes), then
>>>>>>>>>> the TLS Server can be set up with its own Certificate Authority that
>>>>>>>>>> persists between Pod restarts and thus your NiFi certificates shouldn't
>>>>>>>>>> become invalid over time (if the TLS Server is restarted and generates a
>>>>>>>>>> new CA, then subsequent NiFi restarts would mean your NiFi cluster
>>>>>>>>>> instances would no longer be able to communicate with one another as they
>>>>>>>>>> wouldn't trust one another's certificates).
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> An alternative, if it's available in your k8s cluster, is to use
>>>>>>>>>> something like cert-manager [3] to provision certificates for your
>>>>>>>>>> instances, then use an init-container within the NiFi Pods to convert the
>>>>>>>>>> PEM files to Java Keystore or PKCS12 format as required by NiFi.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> [1]: https://nifi.apache.org/docs/nifi-docs/html/toolkit-guide.html#client-server
>>>>>>>>>> [2]: https://kubernetes.io/docs/concepts/storage/volumes/#emptydir
>>>>>>>>>> [3]: https://github.com/jetstack/cert-manager
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> *Chris Sampson*
>>>>>>>>>> IT Consultant
>>>>>>>>>> [email protected]
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Thu, 23 Jul 2020 at 07:09, Atul Wankhade <
>>>>>>>>>> [email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>>> Thanks a lot Andy for your reply, it definitely helped
>>>>>>>>>>> pinpointing what is going wrong. I tried simulating the same with the
>>>>>>>>>>> docker image from Apache and generating the keystore/truststore files on
>>>>>>>>>>> the Docker host. For one node NiFi it worked fine. The problem comes when I
>>>>>>>>>>> am trying the same on Kubernetes. Nodes in GKE have Container optimized OS
>>>>>>>>>>> (no pkg installer), so it does not support using NiFi tls-toolkit as Java
>>>>>>>>>>> cannot be installed. Can you please give some pointers/workaround on how to
>>>>>>>>>>> solve this issue with k8s?
>>>>>>>>>>> Once the files are generated we can mount it using Host mount in
>>>>>>>>>>> the pod.
>>>>>>>>>>>
>>>>>>>>>>> Thanks again for your help :)
>>>>>>>>>>> Atul
>>>>>>>>>>>
>>>>>>>>>>> On Tue, Jul 21, 2020 at 10:37 PM Andy LoPresto <
>>>>>>>>>>> [email protected]> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Atul,
>>>>>>>>>>>>
>>>>>>>>>>>> I am not a Kubernetes/ingress expert, but that error is
>>>>>>>>>>>> indicating that you specified NiFi should be secure (i.e. use TLS/HTTPS)
>>>>>>>>>>>> and yet there is no keystore or truststore provided to the application, so
>>>>>>>>>>>> it fails to start. NiFi differs from some other applications in that you
>>>>>>>>>>>> cannot configure authentication and authorization without explicitly
>>>>>>>>>>>> enabling and configuring TLS for NiFi itself, not just delegating that data
>>>>>>>>>>>> in transit encryption to an external system (like a load balancer, proxy,
>>>>>>>>>>>> or service mesh).
>>>>>>>>>>>>
>>>>>>>>>>>> I suggest you read the NiFi walkthrough for “Securing NiFi with
>>>>>>>>>>>> TLS” [1] which will provide some context around what the various
>>>>>>>>>>>> requirements are, and the Admin Guide [2] sections on authentication and
>>>>>>>>>>>> authorization for more background.
>>>>>>>>>>>>
>>>>>>>>>>>> [1] https://nifi.apache.org/docs/nifi-docs/html/walkthroughs.html#securing-nifi-with-tls
>>>>>>>>>>>> [2] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#security_configuration
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Andy LoPresto
>>>>>>>>>>>> [email protected]
>>>>>>>>>>>> *[email protected] <[email protected]>*
>>>>>>>>>>>> He/Him
>>>>>>>>>>>> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69
>>>>>>>>>>>>
>>>>>>>>>>>> On Jul 20, 2020, at 11:58 PM, Atul Wankhade <
>>>>>>>>>>>> [email protected]> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> Hi All,
>>>>>>>>>>>> I am trying to install NiFi with SSL on Kubernetes using
>>>>>>>>>>>> Helm(cetic/nifi), Below is my values.yaml. I keep getting an error on NiFi
>>>>>>>>>>>> containers as - Am I missing something?
>>>>>>>>>>>> *Caused by:
>>>>>>>>>>>> org.springframework.beans.factory.BeanCreationException: Error creating
>>>>>>>>>>>> bean with name 'clusterCoordinationProtocolSender' defined in class path
>>>>>>>>>>>> resource [nifi-cluster-protocol-context.xml]: Cannot resolve reference to
>>>>>>>>>>>> bean 'protocolSocketConfiguration' while setting constructor argument;
>>>>>>>>>>>> nested exception is
>>>>>>>>>>>> org.springframework.beans.factory.BeanCreationException: Error creating
>>>>>>>>>>>> bean with name 'protocolSocketConfiguration': FactoryBean threw exception
>>>>>>>>>>>> on object creation; nested exception is java.io.FileNotFoundException: (No
>>>>>>>>>>>> such file or directory)*
>>>>>>>>>>>>
>>>>>>>>>>>> VALUES.YAML:
>>>>>>>>>>>> ---
>>>>>>>>>>>> # Number of nifi nodes
>>>>>>>>>>>> replicaCount: 1
>>>>>>>>>>>>
>>>>>>>>>>>> ## Set default image, imageTag, and imagePullPolicy.
>>>>>>>>>>>> ## ref: https://hub.docker.com/r/apache/nifi/
>>>>>>>>>>>> ##
>>>>>>>>>>>> image:
>>>>>>>>>>>>   repository: apache/nifi
>>>>>>>>>>>>   tag: "1.11.4"
>>>>>>>>>>>>   pullPolicy: IfNotPresent
>>>>>>>>>>>>
>>>>>>>>>>>>   ## Optionally specify an imagePullSecret.
>>>>>>>>>>>>   ## Secret must be manually created in the namespace.
>>>>>>>>>>>>   ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
>>>>>>>>>>>>   ##
>>>>>>>>>>>>   # pullSecret: myRegistrKeySecretName
>>>>>>>>>>>>
>>>>>>>>>>>> securityContext:
>>>>>>>>>>>>   runAsUser: 1000
>>>>>>>>>>>>   fsGroup: 1000
>>>>>>>>>>>>
>>>>>>>>>>>> sts:
>>>>>>>>>>>>   # Parallel podManagementPolicy for faster bootstrap and teardown. Default is OrderedReady.
>>>>>>>>>>>>   podManagementPolicy: Parallel
>>>>>>>>>>>>   AntiAffinity: soft
>>>>>>>>>>>>   hostPort: null
>>>>>>>>>>>>
>>>>>>>>>>>> ## Useful if using any custom secrets
>>>>>>>>>>>> ## Pass in some secrets to use (if required)
>>>>>>>>>>>> # secrets:
>>>>>>>>>>>> # - name: myNifiSecret
>>>>>>>>>>>> #   keys:
>>>>>>>>>>>> #     - key1
>>>>>>>>>>>> #     - key2
>>>>>>>>>>>> #   mountPath: /opt/nifi/secret
>>>>>>>>>>>>
>>>>>>>>>>>> ## Useful if using any custom configmaps
>>>>>>>>>>>> ## Pass in some configmaps to use (if required)
>>>>>>>>>>>> # configmaps:
>>>>>>>>>>>> #   - name: myNifiConf
>>>>>>>>>>>> #     keys:
>>>>>>>>>>>> #       - myconf.conf
>>>>>>>>>>>> #     mountPath: /opt/nifi/custom-config
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> properties:
>>>>>>>>>>>>   # use externalSecure for when inbound SSL is provided by nginx-ingress or other external mechanism
>>>>>>>>>>>>   externalSecure: true
>>>>>>>>>>>>   isNode: true
>>>>>>>>>>>>   httpPort: null
>>>>>>>>>>>>   httpsPort: 8443
>>>>>>>>>>>>   clusterPort: 6007
>>>>>>>>>>>>   clusterSecure: true
>>>>>>>>>>>>   needClientAuth: true
>>>>>>>>>>>>   provenanceStorage: "8 GB"
>>>>>>>>>>>>   siteToSite:
>>>>>>>>>>>>     secure: true
>>>>>>>>>>>>     port: 10000
>>>>>>>>>>>>   authorizer: managed-authorizer
>>>>>>>>>>>>   # use properties.safetyValve to pass explicit 'key: value' pairs that overwrite other configuration
>>>>>>>>>>>>   safetyValve:
>>>>>>>>>>>>     #nifi.variable.registry.properties: "${NIFI_HOME}/example1.properties, ${NIFI_HOME}/example2.properties"
>>>>>>>>>>>>     nifi.web.http.network.interface.default: eth0
>>>>>>>>>>>>     # listen to loopback interface so "kubectl port-forward ..." works
>>>>>>>>>>>>     nifi.web.http.network.interface.lo: lo
>>>>>>>>>>>>
>>>>>>>>>>>>   ## Include additional libraries in the Nifi containers by using the postStart handler
>>>>>>>>>>>>   ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/
>>>>>>>>>>>>   # postStart: /opt/nifi/psql; wget -P /opt/nifi/psql https://jdbc.postgresql.org/download/postgresql-42.2.6.jar
>>>>>>>>>>>>
>>>>>>>>>>>> # Nifi User Authentication
>>>>>>>>>>>> auth:
>>>>>>>>>>>>   ldap:
>>>>>>>>>>>>     enabled: false
>>>>>>>>>>>>     host: ldap://<hostname>:<port>
>>>>>>>>>>>>     searchBase: CN=Users,DC=example,DC=com
>>>>>>>>>>>>     searchFilter: CN=john
>>>>>>>>>>>>
>>>>>>>>>>>> ## Expose the nifi service to be accessed from outside the cluster (LoadBalancer service).
>>>>>>>>>>>> ## or access it from within the cluster (ClusterIP service). Set the service type and the port to serve it.
>>>>>>>>>>>> ## ref: http://kubernetes.io/docs/user-guide/services/
>>>>>>>>>>>> ##
>>>>>>>>>>>>
>>>>>>>>>>>> # headless service
>>>>>>>>>>>> headless:
>>>>>>>>>>>>   type: ClusterIP
>>>>>>>>>>>>   annotations:
>>>>>>>>>>>>     service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
>>>>>>>>>>>>
>>>>>>>>>>>> # ui service
>>>>>>>>>>>> service:
>>>>>>>>>>>>   type: LoadBalancer
>>>>>>>>>>>>   httpPort: 80
>>>>>>>>>>>>   httpsPort: 443
>>>>>>>>>>>>   annotations: {}
>>>>>>>>>>>>   # loadBalancerIP:
>>>>>>>>>>>>   ## Load Balancer sources
>>>>>>>>>>>>   ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
>>>>>>>>>>>>   ##
>>>>>>>>>>>>   # loadBalancerSourceRanges:
>>>>>>>>>>>>   # - 10.10.10.0/24
>>>>>>>>>>>>
>>>>>>>>>>>>   # Enables additional port/ports to nifi service for internal processors
>>>>>>>>>>>>   processors:
>>>>>>>>>>>>     enabled: false
>>>>>>>>>>>>     ports:
>>>>>>>>>>>>       - name: processor01
>>>>>>>>>>>>         port: 7001
>>>>>>>>>>>>         targetPort: 7001
>>>>>>>>>>>>         #nodePort: 30701
>>>>>>>>>>>>       - name: processor02
>>>>>>>>>>>>         port: 7002
>>>>>>>>>>>>         targetPort: 7002
>>>>>>>>>>>>         #nodePort: 30702
>>>>>>>>>>>>
>>>>>>>>>>>> ## Configure Ingress based on the documentation here: https://kubernetes.io/docs/concepts/services-networking/ingress/
>>>>>>>>>>>> ##
>>>>>>>>>>>> ingress:
>>>>>>>>>>>>   enabled: false
>>>>>>>>>>>>   annotations: {}
>>>>>>>>>>>>   tls: []
>>>>>>>>>>>>   hosts: []
>>>>>>>>>>>>   path: /
>>>>>>>>>>>>   rule: []
>>>>>>>>>>>>   # If you want to change the default path, see this issue https://github.com/cetic/helm-nifi/issues/22
>>>>>>>>>>>>
>>>>>>>>>>>> # Amount of memory to give the NiFi java heap
>>>>>>>>>>>> jvmMemory: 2g
>>>>>>>>>>>>
>>>>>>>>>>>> # Separate image for tailing each log separately
>>>>>>>>>>>> sidecar:
>>>>>>>>>>>>   image: ez123/alpine-tini
>>>>>>>>>>>>
>>>>>>>>>>>> # Busybox image
>>>>>>>>>>>> busybox:
>>>>>>>>>>>>   image: busybox
>>>>>>>>>>>>
>>>>>>>>>>>> ## Enable persistence using Persistent Volume Claims
>>>>>>>>>>>> ## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
>>>>>>>>>>>> ##
>>>>>>>>>>>> persistence:
>>>>>>>>>>>>   enabled: false
>>>>>>>>>>>>
>>>>>>>>>>>>   # When creating persistent storage, the NiFi helm chart can either reference an already-defined
>>>>>>>>>>>>   # storage class by name, such as "standard" or can define a custom storage class by specifying
>>>>>>>>>>>>   # customStorageClass: true and providing the "storageClass", "storageProvisioner" and "storageType".
>>>>>>>>>>>>   # For example, to use SSD storage on Google Compute Engine see values-gcp.yaml
>>>>>>>>>>>>   #
>>>>>>>>>>>>   # To use a storage class that already exists on the Kubernetes cluster, we can simply reference it by name.
>>>>>>>>>>>>   # For example:
>>>>>>>>>>>>   # storageClass: standard
>>>>>>>>>>>>   #
>>>>>>>>>>>>   # The default storage class is used if this variable is not set.
>>>>>>>>>>>>
>>>>>>>>>>>>   accessModes: [ReadWriteOnce]
>>>>>>>>>>>>   ## Storage Capacities for persistent volumes
>>>>>>>>>>>>   # Storage capacity for the 'data' directory, which is used to hold things such as the flow.xml.gz, configuration, state, etc.
>>>>>>>>>>>>   dataStorage:
>>>>>>>>>>>>     size: 1Gi
>>>>>>>>>>>>   # Storage capacity for the FlowFile repository
>>>>>>>>>>>>   flowfileRepoStorage:
>>>>>>>>>>>>     size: 10Gi
>>>>>>>>>>>>   # Storage capacity for the Content repository
>>>>>>>>>>>>   contentRepoStorage:
>>>>>>>>>>>>     size: 10Gi
>>>>>>>>>>>>   # Storage capacity for the Provenance repository. When changing this, one should also change the properties.provenanceStorage value above, also.
>>>>>>>>>>>>   provenanceRepoStorage:
>>>>>>>>>>>>     size: 10Gi
>>>>>>>>>>>>   # Storage capacity for nifi logs
>>>>>>>>>>>>   logStorage:
>>>>>>>>>>>>     size: 5Gi
>>>>>>>>>>>>
>>>>>>>>>>>> ## Configure resource requests and limits
>>>>>>>>>>>> ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
>>>>>>>>>>>> ##
>>>>>>>>>>>> resources: {}
>>>>>>>>>>>>   # We usually recommend not to specify default resources and to leave this as a conscious
>>>>>>>>>>>>   # choice for the user. This also increases chances charts run on environments with little
>>>>>>>>>>>>   # resources, such as Minikube. If you do want to specify resources, uncomment the following
>>>>>>>>>>>>   # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
>>>>>>>>>>>>   # limits:
>>>>>>>>>>>>   #  cpu: 100m
>>>>>>>>>>>>   #  memory: 128Mi
>>>>>>>>>>>>   # requests:
>>>>>>>>>>>>   #  cpu: 100m
>>>>>>>>>>>>   #  memory: 128Mi
>>>>>>>>>>>>
>>>>>>>>>>>> logresources:
>>>>>>>>>>>>   requests:
>>>>>>>>>>>>     cpu: 10m
>>>>>>>>>>>>     memory: 10Mi
>>>>>>>>>>>>   limits:
>>>>>>>>>>>>     cpu: 50m
>>>>>>>>>>>>     memory: 50Mi
>>>>>>>>>>>>
>>>>>>>>>>>> nodeSelector: {}
>>>>>>>>>>>>
>>>>>>>>>>>> tolerations: []
>>>>>>>>>>>>
>>>>>>>>>>>> initContainers: {}
>>>>>>>>>>>>   # foo-init:  # <- will be used as container name
>>>>>>>>>>>>   #   image: "busybox:1.30.1"
>>>>>>>>>>>>   #   imagePullPolicy: "IfNotPresent"
>>>>>>>>>>>>   #   command: ['sh', '-c', 'echo this is an initContainer']
>>>>>>>>>>>>   #   volumeMounts:
>>>>>>>>>>>>   #     - mountPath: /tmp/foo
>>>>>>>>>>>>   #       name: foo
>>>>>>>>>>>>
>>>>>>>>>>>> extraVolumeMounts: []
>>>>>>>>>>>>
>>>>>>>>>>>> extraVolumes: []
>>>>>>>>>>>>
>>>>>>>>>>>> ## Extra containers
>>>>>>>>>>>> extraContainers: []
>>>>>>>>>>>>
>>>>>>>>>>>> terminationGracePeriodSeconds: 30
>>>>>>>>>>>>
>>>>>>>>>>>> ## Extra environment variables that will be pass onto deployment pods
>>>>>>>>>>>> env: []
>>>>>>>>>>>>
>>>>>>>>>>>> # ------------------------------------------------------------------------------
>>>>>>>>>>>> # Zookeeper:
>>>>>>>>>>>> # ------------------------------------------------------------------------------
>>>>>>>>>>>> zookeeper:
>>>>>>>>>>>>   ## If true, install the Zookeeper chart
>>>>>>>>>>>>   ## ref: https://github.com/kubernetes/charts/tree/master/incubator/zookeeper
>>>>>>>>>>>>   enabled: true
>>>>>>>>>>>>   ## If the Zookeeper Chart is disabled a URL and port are required to connect
>>>>>>>>>>>>   url: ""
>>>>>>>>>>>>   port: 2181
>>>>>>>>>>>>
>>>>>>>>>>>> *Complete stacktrace:*
>>>>>>>>>>>> Caused by:
>>>>>>>>>>>> org.springframework.beans.factory.BeanCreationException: Error creating
>>>>>>>>>>>> bean with name 'clusterCoordinationProtocolSender' defined in
>>>>>>>>>>>> class path resource [nifi-cluster-protocol-context.xml]: Cannot resolve reference to
>>>>>>>>>>>> bean 'protocolSocketConfiguration' while setting constructor argument;
>>>>>>>>>>>> nested exception is
>>>>>>>>>>>> org.springframework.beans.factory.BeanCreationException: Error creating
>>>>>>>>>>>> bean with name 'protocolSocketConfiguration': FactoryBean threw exception
>>>>>>>>>>>> on object creation; nested exception is java.io.FileNotFoundException: (No
>>>>>>>>>>>> such file or directory)
>>>>>>>>>>>>     at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:359)
>>>>>>>>>>>>     at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:108)
>>>>>>>>>>>>     at org.springframework.beans.factory.support.ConstructorResolver.resolveConstructorArguments(ConstructorResolver.java:648)
>>>>>>>>>>>>     at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:145)
>>>>>>>>>>>>     at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:1198)
>>>>>>>>>>>>     at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1100)
>>>>>>>>>>>>     at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:511)
>>>>>>>>>>>>     at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:481)
>>>>>>>>>>>>     at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:312)
>>>>>>>>>>>>     at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:230)
>>>>>>>>>>>>     at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:308)
>>>>>>>>>>>>     at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197)
>>>>>>>>>>>>     at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:351)
>>>>>>>>>>>>     ... 75 common frames omitted
>>>>>>>>>>>> Caused by:
>>>>>>>>>>>> org.springframework.beans.factory.BeanCreationException: Error creating
>>>>>>>>>>>> bean with name 'protocolSocketConfiguration': FactoryBean threw exception
>>>>>>>>>>>> on object creation; nested exception is java.io.FileNotFoundException: (No
>>>>>>>>>>>> such file or directory)
>>>>>>>>>>>>     at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:185)
>>>>>>>>>>>>     at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.getObjectFromFactoryBean(FactoryBeanRegistrySupport.java:103)
>>>>>>>>>>>>     at org.springframework.beans.factory.support.AbstractBeanFactory.getObjectForBeanInstance(AbstractBeanFactory.java:1640)
>>>>>>>>>>>>     at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:323)
>>>>>>>>>>>>     at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197)
>>>>>>>>>>>>     at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:351)
>>>>>>>>>>>>     ... 87 common frames omitted
>>>>>>>>>>>> Caused by: java.io.FileNotFoundException: (No such file or directory)
>>>>>>>>>>>>     at java.io.FileInputStream.open0(Native Method)
>>>>>>>>>>>>     at java.io.FileInputStream.open(FileInputStream.java:195)
>>>>>>>>>>>>     at java.io.FileInputStream.<init>(FileInputStream.java:138)
>>>>>>>>>>>>     at java.io.FileInputStream.<init>(FileInputStream.java:93)
>>>>>>>>>>>>     at org.apache.nifi.io.socket.SSLContextFactory.<init>(SSLContextFactory.java:66)
>>>>>>>>>>>>     at org.apache.nifi.cluster.protocol.spring.SocketConfigurationFactoryBean.getObject(SocketConfigurationFactoryBean.java:45)
>>>>>>>>>>>>     at org.apache.nifi.cluster.protocol.spring.SocketConfigurationFactoryBean.getObject(SocketConfigurationFactoryBean.java:30)
>>>>>>>>>>>>     at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:178)
>>>>>>>>>>>>     ... 92 common frames omitted
>>>>>>>>>>>> 2020-07-17 11:04:25,204 INFO [Thread-1] org.apache.nifi.NiFi Initiating shutdown of Jetty web server...
>>>>>>>>>>>> 2020-07-17 11:04:25,214 INFO [Thread-1] o.eclipse.jetty.server.AbstractConnector Stopped ServerConnector@700f518a{SSL,[ssl, http/1.1]}{0.0.0.0:8443}
>>>>>>>>>>>> 2020-07-17 11:04:25,214 INFO [Thread-1] org.eclipse.jetty.server.session node0 Stopped scavenging
>>>>>>>>>>>>
>>>>>>>>>>>> Any help to resolve this is appreciated.
>>>>>>>>>>>> Atul Wankhade
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>
>>>>>>
>>>>>> --
>>>>>> --
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> Sushil Kumar
>>>>>> +1-(206)-698-4116
>>>>>>
>>>>>>
>>
>> --
>> --
>>
>> Thanks
>>
>> Sushil Kumar
>> +1-(206)-698-4116
>>
>>
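
Added example, not part of the original thread and not taken from either Helm chart: the pattern Chris Sampson describes (toolkit in client mode in an init container, files handed to NiFi through an emptyDir) as a plain Pod manifest. It replaces the `'>'` array elements from the posted `command`, which `sh -c` receives as positional arguments rather than a redirect, with a working directory on the shared volume. The pod name, the Secret `nifi-ca-token` with key `token`, and the assumption that the toolkit client writes its output files into the current working directory are mine; the `nifi-ca-cs` service, the toolkit path, the image tag, the flags and uid/gid 1000 come from the thread.

```yaml
# Added example: init container fetches keystore/truststore from the toolkit
# CA server (service nifi-ca-cs from the thread) and shares them via emptyDir.
apiVersion: v1
kind: Pod
metadata:
  name: nifi-tls-example            # assumed name
  namespace: nifi
spec:
  securityContext:
    runAsUser: 1000                 # same uid/gid as the thread's values.yaml
    fsGroup: 1000                   # lets both containers use the emptyDir
  volumes:
    - name: certs
      emptyDir:
        medium: Memory              # private key material stays off node disk
  initContainers:
    - name: nifi-init
      image: apache/nifi:1.11.4
      imagePullPolicy: IfNotPresent
      # Assumption: the toolkit client writes keystore, truststore and
      # config.json into the current directory, so no redirect is needed.
      workingDir: /opt/certs
      env:
        - name: CA_TOKEN            # shared CA token, kept out of the manifest
          valueFrom:
            secretKeyRef:
              name: nifi-ca-token   # assumed Secret name
              key: token            # assumed key
      command:
        - sh
        - -c
        - |
          set -eu
          umask 077                 # stores readable by the NiFi user only
          /opt/nifi/nifi-toolkit-current/bin/tls-toolkit.sh client \
            -c nifi-ca-cs -t "$CA_TOKEN" \
            --dn "CN=$(hostname -f), OU=NIFI"
      volumeMounts:
        - name: certs
          mountPath: /opt/certs
  containers:
    - name: nifi
      image: apache/nifi:1.11.4
      ports:
        - containerPort: 8443
          name: https
      volumeMounts:
        - name: certs
          mountPath: /opt/certs     # NiFi's keystore/truststore settings
          readOnly: true            # must point at the files in this directory
```

In the cetic `values.yaml` quoted above, the same container would go under `initContainers:` as a block mapping keyed by the container name, following the commented `foo-init` sample, rather than inside `{ ... }` without commas.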
