Yes, this is for a secured cluster deployed as a Kubernetes stateful set. The certificate parameters are apparently not needed to just get the status of the nodes using the command below.
________________________________
From: Sushil Kumar <[email protected]>
Sent: Tuesday, October 13, 2020 4:01 PM
To: [email protected]
Subject: Re: Clustered nifi issues

Did you say that the same line of code works fine for secured clusters too? I asked because nifi-toolkit has a separate set of parameters asking for certificates and everything else related to secure clusters.

On Tue, Oct 13, 2020 at 12:14 PM Wyll Ingersoll <[email protected]> wrote:

I found that instead of dealing with nifi client certificate hell, the nifi-toolkit cli.sh will work just fine for testing the readiness of the cluster. Here is my readiness script, which seems to work just fine within Kubernetes with the apache/nifi Docker container version 1.12.1:

    #!/bin/bash

    # Ask the local node for the cluster membership as JSON.
    "$NIFI_TOOLKIT_HOME/bin/cli.sh" nifi get-nodes -ot json > /tmp/cluster.state
    if [ $? -ne 0 ]; then
      cat /tmp/cluster.state
      exit 1
    fi

    # Extract the status of this node (matched by FQDN or "localhost").
    STATUS=$(jq -r ".cluster.nodes[] | select((.address==\"$(hostname -f)\") or .address==\"localhost\") | .status" /tmp/cluster.state)

    if [[ ! $STATUS = "CONNECTED" ]]; then
      echo "Node not found with CONNECTED state. Full cluster state:"
      jq . /tmp/cluster.state
      exit 1
    fi

________________________________
From: Chris Sampson <[email protected]>
Sent: Thursday, October 1, 2020 9:03 AM
To: [email protected]
Subject: Re: Clustered nifi issues

For info, the probes we currently use for our StatefulSet Pods are:

* livenessProbe - tcpSocket to ping the NiFi instance port (e.g. 8080)
* readinessProbe - exec command to curl the nifi-api/controller/cluster endpoint to check the node's cluster connection status, e.g.:

    readinessProbe:
      exec:
        command:
        - bash
        - -c
        - |
          if [ "${SECURE}" = "true" ]; then
            # Directory name derived from the admin user's CN.
            INITIAL_ADMIN_SLUG=$(echo "${INITIAL_ADMIN}" | tr '[:upper:]' '[:lower:]' | tr ' ' '-')

            # Authenticate to the secured API with the admin client certificate.
            curl -v \
              --cacert "${NIFI_HOME}/data/conf/certs/${INITIAL_ADMIN_SLUG}/nifi-cert.pem" \
              --cert "${NIFI_HOME}/data/conf/certs/${INITIAL_ADMIN_SLUG}/${INITIAL_ADMIN_SLUG}-cert.pem" \
              --key "${NIFI_HOME}/data/conf/certs/${INITIAL_ADMIN_SLUG}/${INITIAL_ADMIN_SLUG}-key.pem" \
              "https://$(hostname -f):8080/nifi-api/controller/cluster" > /tmp/cluster.state
          else
            curl -kv "http://$(hostname -f):8080/nifi-api/controller/cluster" > /tmp/cluster.state
          fi

          # Extract the status of this node (matched by FQDN or "localhost").
          STATUS=$(jq -r ".cluster.nodes[] | select((.address==\"$(hostname -f)\") or .address==\"localhost\") | .status" /tmp/cluster.state)

          if [[ ! $STATUS = "CONNECTED" ]]; then
            echo "Node not found with CONNECTED state. Full cluster state:"
            jq . /tmp/cluster.state
            exit 1
          fi

Note that INITIAL_ADMIN is the CN of a user with appropriate permissions to call the endpoint and for whom our pod contains a set of certificate files in the indicated locations (generated from NiFi Toolkit in an init-container before the Pod starts); jq utility was added into our customised version of the apache/nifi Docker Image.

---
Chris Sampson
IT Consultant
[email protected]
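
Added example, not part of the thread and not code from any of its participants: a variant of the readiness check that passes the hostname to jq as data with `--arg` instead of splicing it into the filter text, writes the cluster state to a private `mktemp` file rather than a fixed `/tmp` name, and fails closed when the output is not the expected JSON. The function names `node_status`, `is_ready` and `probe` and the `--probe` argument are hypothetical; the `cli.sh` invocation is the one quoted in the thread.

```shell
#!/bin/bash
# Added example: defensive parsing of the NiFi cluster state for a readiness probe.

# node_status FILE HOST
# Prints the status reported for the node whose address is HOST or "localhost".
# Prints MISSING if no node matches, MIXED if matches disagree, and
# INVALID if FILE is empty or is not the expected JSON document.
node_status() {
    local file="$1" host="$2" out
    # --arg hands the hostname to jq as a string value, never as filter syntax.
    out=$(jq -r --arg host "$host" '
        [.cluster.nodes[]
         | select(.address == $host or .address == "localhost")
         | .status]
        | unique
        | if length == 0 then "MISSING"
          elif length == 1 then .[0]
          else "MIXED" end' "$file" 2>/dev/null) || out=INVALID
    printf '%s\n' "${out:-INVALID}"
}

# is_ready FILE HOST: succeeds only when the node reports CONNECTED.
is_ready() {
    [ "$(node_status "$1" "$2")" = "CONNECTED" ]
}

# probe: fetch the cluster state with the toolkit CLI and evaluate it.
probe() {
    local state host rc=1
    host=$(hostname -f)
    state=$(mktemp) || return 1   # private, unpredictable file name
    if "$NIFI_TOOLKIT_HOME/bin/cli.sh" nifi get-nodes -ot json > "$state" \
        && is_ready "$state" "$host"; then
        rc=0
    else
        # Report only the derived status, not the full cluster document.
        echo "Node not CONNECTED (status: $(node_status "$state" "$host"))" >&2
    fi
    rm -f "$state"
    return "$rc"
}

# Run the probe only when asked to, so the functions can be sourced and tested.
if [ "${1:-}" = "--probe" ]; then
    probe
fi
```

As a readiness command the script would be invoked with `--probe`; its exit status is 0 only for a CONNECTED node.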
