• This repository has been archived on 12/Feb/2024
  • Stars
    star
    213
  • Rank 185,410 (Top 4 %)
  • Language
    JavaScript
  • License
    Apache License 2.0
  • Created over 5 years ago
  • Updated 10 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Helm Chart for Apache Nifi

Helm Chart for Apache NiFi

CircleCI License version test

Introduction

This Helm chart installs Apache NiFi 1.16.3 in a Kubernetes cluster.

Prerequisites

  • Kubernetes cluster 1.10+
  • Helm 3.0.0+
  • Persistent Volumes (PV) provisioner support in the underlying infrastructure.

Installation

Add Helm repository

helm repo add cetic https://cetic.github.io/helm-charts
helm repo update

Configure the chart

The following items can be set via --set flag during installation or configured by editing the values.yaml file directly (need to download the chart first).

Configure how to expose nifi service

  • Ingress: The ingress controller must be installed in the Kubernetes cluster.
  • ClusterIP: Exposes the service on a cluster-internal IP. Choosing this value makes the service only reachable from within the cluster.
  • NodePort: Exposes the service on each Node’s IP at a static port (the NodePort). You’ll be able to contact the NodePort service, from outside the cluster, by requesting NodeIP:NodePort.
  • LoadBalancer: Exposes the service externally using a cloud provider’s load balancer.

Configure how to persist data

  • Disable(default): The data does not survive the termination of a pod.
  • Persistent Volume Claim: Enable persistence so that data survives termination of the pod. There is the choice of using one large persistent volume (using subPath) or seven separate persistent volumes for config, data, logs, repos, etc.
    A default StorageClass is needed in the Kubernetes cluster to dynamically provision the volumes. Specify another StorageClass in the persistence.storageClass setting.

Configure authentication

  • By default, the authentication is a Single-User authentication. You can optionally enable ldap or oidc to provide an external authentication. See the configuration section or doc folder for more details.

Use custom processors

To add custom processors, the values.yaml file nifi section should contain the following options, where CUSTOM_LIB_FOLDER should be replaced by the path where the libs are:

  extraVolumeMounts:
    - name: mycustomlibs
      mountPath: /opt/configuration_resources/custom_lib
  extraVolumes: # this will create the volume from the directory
    - name: mycustomlibs
      hostPath:
        path: "CUSTOM_LIB_FOLDER"
  properties:
    customLibPath: "/opt/configuration_resources/custom_lib"

Configure prometheus monitoring

  • You first need monitoring to be enabled which can be accomplished by enabling the appropriate metrics flag (metrics.prometheus.enabled to true). To enable the creation of prometheus metrics within Nifi we need to create a Reporting Task. Login to the Nifi UI and go to the Hamburger menu on the top right corner, click Controller Settings --> Reporting Tasks After that use the + icon to add a task. Click on the Reporting in the wordcloud on the left and select PrometheusReportingTask --> change Send JVM metrics to true and click on the play button to enable this task.

If you plan to use Grafana for the visualization of the metrics data the following dashboard is compatible with the exposed metrics.

Install the chart

Install the nifi helm chart with a release name my-release:

helm install my-release cetic/nifi

Install from local clone

You will find how to perform an installation from a local clone on this page.

Uninstallation

To uninstall/delete the my-release deployment:

helm uninstall my-release

Configuration

The following table lists the configurable parameters of the nifi chart and the default values.

Parameter Description Default
ReplicaCount
replicaCount Number of nifi nodes 1
Image
image.repository nifi Image name apache/nifi
image.tag nifi Image tag 1.16.3
image.pullPolicy nifi Image pull policy IfNotPresent
image.pullSecret nifi Image pull secret nil
SecurityContext
securityContext.runAsUser nifi Docker User 1000
securityContext.fsGroup nifi Docker Group 1000
sts
sts.useHostNetwork If true, use the host's network nil
sts.serviceAccount.create If true, a service account will be created and used by the statefulset false
sts.serviceAccount.name When set, the set name will be used as the service account name. If a value is not provided a name will be generated based on Chart options nil
sts.serviceAccount.annotations Service account annotations {}
sts.podManagementPolicy Parallel podManagementPolicy Parallel
sts.AntiAffinity Affinity for pod assignment soft
sts.pod.annotations Pod template annotations security.alpha.kubernetes.io/sysctls: net.ipv4.ip_local_port_range=10000 65000
sts.hostAliases Add entries to Pod /etc/hosts []
sts.startupProbe.enabled enable Startup Probe on Nifi server container false
sts.startupProbe.failureThreshold sets Startup Probe failureThreshold field value 60
sts.startupProbe.periodSeconds sets Startup Probe periodSeconds field value 10
secrets
secrets Pass any secrets to the nifi pods. The secret can also be mounted to a specific path if required. nil
configmaps
configmaps Pass any configmaps to the nifi pods. The configmap can also be mounted to a specific path if required. nil
nifi properties
properties.algorithm Encryption method NIFI_PBKDF2_AES_GCM_256
properties.sensitiveKey Encryption password (at least 12 characters) changeMechangeMe
properties.sensitiveKeySetFile Update Sensitive Properties Key if this file does not exist, and then create it. nil
properties.sensitiveKeyPrior Prior sensitiveKey when updating via sensitiveKeySetFile mechanism nil
properties.externalSecure externalSecure for when inbound SSL false
properties.isNode cluster node properties (only configure for cluster nodes) false
properties.httpPort web properties HTTP port 8080
properties.httpsPort web properties HTTPS port null
properties.clusterPort cluster node port 6007
properties.provenanceStorage nifi provenance repository max storage size 8 GB
properties.provenanceMaxStorageTime nifi provenance repository max storage time 10 days
properties.siteToSite.secure Site to Site properties Secure mode false
properties.siteToSite.port Site to Site properties Secure port 10000
properties.safetyValve Map of explicit 'property: value' pairs that overwrite other configuration nil
properties.customLibPath Path of the custom libraries folder nil
properties.webProxyHost Proxy to access to Nifi through the cluster ip address Port:30236
Authentication
Single-user authentication Automatically disabled if Client Certificate, OIDC, or LDAP enabled
auth. admin Default admin identity. It will overwrite the LDAP Bind DN for this purpose, when both is filled CN=admin, OU=NIFI
auth.singleUser.username Single user identity username
auth.singleUser.password Single user password changemechangeme
Client Certificate authentication
auth.clientAuth.enabled Enable User auth via Client Certificates false
Ldap authentication
auth.ldap.admin Default admin identity and LDAP Bind DN
auth.ldap.enabled Enable User auth via ldap false
auth.ldap.host ldap hostname ldap://<hostname>:<port>
auth.ldap.searchBase ldap searchBase CN=Users,DC=example,DC=com
auth.ldap.searchFilter ldap searchFilter CN=john
auth.ldap.userSearchScope ldap userSearchScope ONE_LEVEL
auth.ldap.groupSearchScope ldap groupSearchScope ONE_LEVEL
Oidc authentication
auth.oidc.enabled Enable User auth via oidc false
auth.oidc.discoveryUrl oidc discover url https://<provider>/.well-known/openid-configuration
auth.oidc.clientId oidc clientId nil
auth.oidc.clientSecret oidc clientSecret nil
auth.oidc.claimIdentifyingUser oidc claimIdentifyingUser email
auth.oidc.admin Default OIDC admin identity [email protected]
Note that OIDC authentication to a multi-NiFi-node cluster requires Ingress sticky sessions See background Also how
postStart
postStart Include additional libraries in the Nifi containers by using the postStart handler nil
Headless Service
headless.type Type of the headless service for nifi ClusterIP
headless.annotations Headless Service annotations service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
UI Service
service.type Type of the UI service for nifi NodePort
service.httpPort Port to expose service 8080
service.httpsPort Port to expose service in tls 443
service.annotations Service annotations {}
service.loadBalancerIP LoadBalancerIP if service type is LoadBalancer nil
service.loadBalancerSourceRanges Address that are allowed when svc is LoadBalancer []
service.processors.enabled Enables additional port/ports to nifi service for internal processors false
service.processors.ports Specify "name/port/targetPort/nodePort" for processors sockets []
ContainerPorts
containerPorts Additional containerPorts for the nifi-container. Example is given in values.yaml []
Ingress
ingress.enabled Enables Ingress false
ingress.className Ingress controller Class nginx
ingress.annotations Ingress annotations {}
ingress.path Path to access frontend (See issue #22) /
ingress.hosts Ingress hosts []
ingress.tls Ingress TLS configuration []
Persistence
persistence.enabled Use persistent volume to store data false
persistence.storageClass Storage class name of PVCs (use the default type if unset) nil
persistence.accessMode ReadWriteOnce or ReadOnly [ReadWriteOnce]
persistence.subPath.enabled Use only one persistent volume with subPath instead of seven separate persistent volumes false
persistence.subPath.name Name of the one persistent volume claim when using subPath data
persistence.subPath.size Size of the one persistent volume claim when using subPath 36Gi
persistence.configStorage.size Size of persistent volume claim 100Mi
persistence.authconfStorage.size Size of persistent volume claim 100Mi
persistence.dataStorage.size Size of persistent volume claim 1Gi
persistence.flowfileRepoStorage.size Size of persistent volume claim 10Gi
persistence.contentRepoStorage.size Size of persistent volume claim 10Gi
persistence.provenanceRepoStorage.size Size of persistent volume claim 10Gi
persistence.logStorage.size Size of persistent volume claim 5Gi
jvmMemory
jvmMemory bootstrap jvm size 2g
SideCar
sidecar.image Separate image for tailing each log separately and checking zookeeper connectivity busybox
sidecar.tag Image tag 1.32.0
sidecar.imagePullPolicy Image imagePullPolicy IfNotPresent
Resources
resources Pod resource requests and limits for logs {}
logResources
logresources. Pod resource requests and limits {}
affinity
affinity Pod affinity scheduling rules {}
nodeSelector
nodeSelector Node labels for pod assignment {}
terminationGracePeriodSeconds
terminationGracePeriodSeconds Number of seconds the pod needs to terminate gracefully. For clean scale down of the nifi-cluster the default is set to 60, opposed to k8s-default 30. 60
tolerations
tolerations Tolerations for pod assignment []
initContainers
initContainers Container definition that will be added to the pod as initContainers []
extraVolumes
extraVolumes Additional Volumes available within the pod (see spec for format) []
extraVolumeMounts
extraVolumeMounts VolumeMounts for the nifi-server container (see spec for details) []
env
env Additional environment variables for the nifi-container (see spec for details) []
envFrom Additional environment variables for the nifi-container from config-maps or secrets (see spec for details) []
extraContainers
extraContainers Additional container-specifications that should run within the pod (see spec for details) []
extraLabels
extraLabels Additional labels for the nifi pod nil
openshift
openshift.scc.enabled If true, a openshift security context will be created permitting to run the statefulset as AnyUID false
openshift.route.enabled If true, a openshift route will be created. This option cannot be used together with Ingress as a route object replaces the Ingress. The property properties.externalSecure will configure the route in edge termination mode, the default is passthrough. The property properties.httpsPort has to be set if the cluster is intended to work with SSL termination false
openshift.route.host The hostname intended to be used in order to access NiFi web interface nil
openshift.route.path Path to access frontend, works the same way as the ingress path option nil
zookeeper
zookeeper.enabled If true, deploy Zookeeper true
zookeeper.url If the Zookeeper Chart is disabled a URL and port are required to connect nil
zookeeper.port If the Zookeeper Chart is disabled a URL and port are required to connect 2181
registry
registry.enabled If true, deploy Nifi Registry false
registry.url If the Nifi Registry Chart is disabled a URL and port are required to connect nil
registry.port If the Nifi Registry Chart is disabled a URL and port are required to connect 80
ca
ca.enabled If true, deploy Nifi Toolkit as CA false
ca.server CA server dns name nil
ca.port CA server port number 9090
ca.token The token to use to prevent MITM 80
ca.admin.cn CN for admin certificate admin
ca.serviceAccount.create If true, a service account will be created and used by the deployment false
ca.serviceAccount.name When set, the set name will be used as the service account name. If a value is not provided a name will be generated based on Chart options nil
ca.openshift.scc.enabled If true, an openshift security context will be created permitting to run the deployment as AnyUID false
certManager
certManager.enabled If true, use cert-manager to create and rotate intra-NiFi-cluster TLS keys (note that cert-manager is a Kubernetes cluster-wide resource, so is not installed automatically by this chart) false
certManager.clusterDomain Kubernetes cluster top level domain, to generate fully qualified domain names for certificate Common Names cluster.local
certManager.keystorePasswd Java Key Store password for NiFi keystore changeme
certManager.truststorePasswd Java Key Store password for NiFi truststore changeme
certManager.additionalDnsNames Additional DNS names to incorporate into TLS certificates (e.g. where users point browsers to access the NiFi UI) [ localhost ]
certManager.caSecrets Names of Kubernetes secrets containing ca.crt keys to add to the NiFi truststore [ ]
certManager.refreshSeconds How often the sidecar refreshes the NiFi keystore (not truststore) from the cert-manager Kubernetes secrets 300
certManager.resources Memory and CPU resources for the node certificate refresh sidecar 100m CPU, 128MiB RAM
certManager.replaceDefaultTrustStore Use the certManager truststore, not the default Java trusted CA collection (for [e.g.] private OIDC provider) false
certManager.certDuration NiFi node certificate lifetime (90 days) 2160h
certManager.caDuration Certificate Authority certificate lifetime (10 years) 87660h
metrics
metrics.prometheus.enabled Enable prometheus to access nifi metrics endpoint false
metrics.prometheus.port Port where Nifi server will expose Prometheus metrics 9092
metrics.prometheus.serviceMonitor.enabled If true, creates a Prometheus Operator ServiceMonitor (also requires metrics.prometheus.enabled to be true) false
metrics.prometheus.serviceMonitor.namespace In which namespace the ServiceMonitor should be created
metrics.prometheus.serviceMonitor.labels Additional labels for the ServiceMonitor nil
customFlow
customFlow Use this file (uncompressed XML; possibly from a configmap) as the Flow definition nil

Troubleshooting

Before filing a bug report, you may want to:

  • check the FAQ
  • check that persistent storage is configured on your cluster
  • keep in mind that a first installation may take a significant amount of time on a home internet connection
  • check if a pod is in error:
kubectl get pod
NAME                  READY   STATUS    RESTARTS   AGE
myrelease-nifi-0             3/4     Failed   1          56m
myrelease-nifi-registry-0    1/1     Running   0          56m
myrelease-nifi-zookeeper-0   1/1     Running   0          56m
myrelease-nifi-zookeeper-1   1/1     Running   0          56m
myrelease-nifi-zookeeper-2   1/1     Running   0          56m

Inspect the pod, check the "Events" section at the end for anything suspicious.

kubectl describe pod myrelease-nifi-0

Get logs on a failed container inside the pod (here the server one):

kubectl logs myrelease-nifi-0 server

Credits

Initially inspired from https://github.com/YolandaMDavis/apache-nifi.

TLS work/inspiration from https://github.com/sushilkm/nifi-chart.git.

Contributing

Feel free to contribute by making a pull request.

Please read the official Helm Contribution Guide from Helm for more information on how you can contribute to this Chart.

License

Apache License 2.0

More Repositories

1

unikernels

Unikernel and immutable infrastructures
C++
590
star
2

6lbr

A deployment-ready 6LoWPAN Border Router solution based on Contiki
C
337
star
3

foren6

6LoWPAN Diagnosis Tool
Makefile
71
star
4

TSimulus

A tool for generating random, yet realistic, time series values
Scala
69
star
5

helm-zabbix

Helm Chart For Zabbix
Mustache
56
star
6

helm-postgresql

Helm Chart for postgresql
Mustache
47
star
7

fadi

FADI - Ingest, store and analyse big data flows
JavaScript
46
star
8

helm-microservice

A Helm Chart for DRY microservice deployments
Smarty
32
star
9

helm-swagger-ui

Helm Chart for Swagger UI
Mustache
27
star
10

tinydtls

6LBR copy of TinyDTLS, see official repository for support outside 6LBR
C
27
star
11

python-msp430-tools

python-msp430-tools for TelosB, Z1 and WisMote
Python
19
star
12

helm-job

A Helm Chart for DRY k8s jobs
Smarty
19
star
13

helm-pgadmin

Helm Chart for pgAdmin
Shell
16
star
14

rbac-man

This project provides an implementation of the PEP/PDP/PIP/PAP access control pattern. The implementation is in Java. For the moment it implements an XACML PDP. It provides a web based user interface to manage users, roles, actions, assign actions to roles, and assign users to roles.
JavaScript
15
star
15

helm-adminer

Helm Chart for Adminer
Mustache
14
star
16

helm-fadi

Helm Chart for FADI
Mustache
13
star
17

TUH_EEG_Seizure_Detection

Pipeline of processing and modelisation for the detection of seizure on EEG data (dataset TUH/TUSZ)
Python
13
star
18

helm-phpLDAPadmin

Helm Chart for phpLDAPadmin
Shell
11
star
19

helm-charts

Kubernetes Helm charts by @cetic
10
star
20

ORS

Ontology Repository Services
Java
9
star
21

SimQRI

SimQRI editor for Eclipse based on Sirius
Java
7
star
22

tsquared

Python implementation of Hotelling's T2 for process monitoring + MYT decomposition
Python
7
star
23

6lbr-openwrt

OpenWRT package feed for 6LBR
Makefile
7
star
24

vacsine

Adaptive continuous security orchestration in polymorphous environments
7
star
25

tsimulus-ms

A microservice for accessing the realistic time series generator.
Scala
7
star
26

poroto

C to VDHL transformation toolchain
Python
6
star
27

tsimulus-cli

A CLI application generating random and realistic time series
Scala
6
star
28

sitcom

JavaScript
5
star
29

tsimulus-saas

TSimulus As A Service - TSAAS
Scala
5
star
30

ansible-role-liferay

Ansible Role - Liferay
Shell
5
star
31

ansible-role-alfresco

Ansible Role - Alfresco
Shell
5
star
32

contiki-docs

Slides, documentation, examples, etc, about Contiki and the IoT
4
star
33

cooja-radiologger-headless

Headless Radio Logger for COOJA
Java
4
star
34

helm-thingsboard

A helm chart for tb-postgres thingsboard.
Smarty
4
star
35

ansible-role-tomcat8.5

Ansible Role - Tomcat v8.5
3
star
36

python-deb

A way to convert python projet into debian package in CI Pipeline
Go
3
star
37

pg-ldap-sync-docker

pg-ldap-sync Docker Image
Dockerfile
3
star
38

lora-packet-forwarder-docker

Shell
3
star
39

messagebrokers-presentation

Definition and classification of message brokers
JavaScript
2
star
40

certif-tp

2
star
41

docker-nifi-python

Dockerfile
2
star
42

push2firehose

A script to push simple files to a firehose stream on AWS
Python
2
star
43

kubeedge-edge-worker

Go
2
star
44

puppeteer-jest

A minimal Docker image with Puppeteer (headless Google Chrome) and Jest test runner.
Dockerfile
2
star
45

rbac-man.frontend

JavaScript
2
star
46

foren6-gui-qt

C++
2
star
47

helm-static

Helm Chart to deploy static k8s files
HTML
2
star
48

db-main-plugins

DB-MAIN mapping plugins: manage the mapping between two schemas
Java
1
star
49

tsimulus-gui

TSimulus web interface
JavaScript
1
star
50

inah-commons

Common toolset for the Inah project
XSLT
1
star
51

artifactory-vagrant-docker

Artifactory Docker installation inside a VirtualBox VM using Vagrant
Shell
1
star
52

hub-carto-frontend-map

JavaScript
1
star
53

ORS-Protege-plugin

Generate the Java Model of your OWL ontology directly from the Protege ontology editor
Java
1
star
54

KubeEdge-edgeSite-deploy

Shell
1
star
55

zwave2mqtt

Z-Wave to MQTT with docker on Rasperry pi 0w :
JavaScript
1
star
56

dmway

1
star
57

kubeedge-mapper

edge side application that control the edge device and send data to the cloud
Go
1
star