Multiple fixes related to secure clusters (#93)

* Use the proper port variable when clusterSecure is enabled. The Ingress definition was using the httpPort by default instead of the httpsPort when the cluster was installed in secure mode. * Bump chart version to 0.5.5 * Leave all the security configurations blank in nifi.properties by default. Nifi 1.12.1 checks whether any of these `nifi.security.XXX` values is non-empty to determine whether the user wants to set a keystore or not. We leave them blank by default so unsecured clusters will at least run. Fixes the "TlsException: The keystore properties are not valid" error when starting up. Fixes #77 * Set the keystore and truststore types to jks when clusterSecure is true This is a continuation of c5322c5 , it allows secured clusters to start up again by setting the keystore types to their expected values. * Corrected the label key for the soft antiAffinity configuration It was previously using "component" as the key, which doesn't actually exist by default, the proper key should be "app". Co-authored-by: Alexandre Nuttinck <alexandre.nuttinck@cetic.be>
cetic · Oct 12, 2020 · a7cc861 · a7cc861
1 parent b641cc2
commit a7cc861
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 3 deletions.
diff --git a/configs/nifi.properties b/configs/nifi.properties
@@ -152,11 +152,11 @@ nifi.sensitive.props.provider=BC
 nifi.sensitive.props.additional.keys=
 
 nifi.security.keystore=
-nifi.security.keystoreType=jks
+nifi.security.keystoreType=
 nifi.security.keystorePasswd=
 nifi.security.keyPasswd=
 nifi.security.truststore=
-nifi.security.truststoreType=jks
+nifi.security.truststoreType=
 nifi.security.truststorePasswd=
 nifi.security.needClientAuth={{.Values.properties.needClientAuth}}
 nifi.security.user.authorizer={{.Values.properties.authorizer}}

diff --git a/templates/ingress.yaml b/templates/ingress.yaml
@@ -2,7 +2,11 @@
 {{- if .Values.ingress.enabled -}}
 {{- $fullName := include "apache-nifi.fullname" . -}}
 {{- $ingressPath := .Values.ingress.path -}}
+{{- if .Values.properties.clusterSecure -}}
+{{- $ingressPort := .Values.service.httpsPort -}}
+{{- else }}
 {{- $ingressPort := .Values.service.httpPort -}}
+{{- end }}
 apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:

diff --git a/templates/statefulset.yaml b/templates/statefulset.yaml
@@ -51,7 +51,7 @@ spec:
                podAffinityTerm:
                  labelSelector:
                     matchExpressions:
-                      - key: "component"
+                      - key: "app"
                         operator: In
                         values:
                          - {{ include "apache-nifi.name" . | quote }}
@@ -189,9 +189,11 @@ spec:
 {{- if .Values.properties.clusterSecure }}
           # Update nifi.properties for security properties
           prop_replace nifi.web.https.host ${FQDN}
+          prop_replace nifi.security.keystoreType jks
           prop_replace nifi.security.keystore   ${NIFI_HOME}/config-data/certs/keystore.jks
           prop_replace nifi.security.keystorePasswd     $(jq -r .keyStorePassword ${NIFI_HOME}/config-data/certs/config.json)
           prop_replace nifi.security.keyPasswd          $(jq -r .keyPassword ${NIFI_HOME}/config-data/certs/config.json)
+          prop_replace nifi.security.truststoreType jks
           prop_replace nifi.security.truststore   ${NIFI_HOME}/config-data/certs/truststore.jks
           prop_replace nifi.security.truststorePasswd   $(jq -r .trustStorePassword ${NIFI_HOME}/config-data/certs/config.json)