Allow mounting extra volumes into NiFi pods that processors may depend on (#434)

# Description

Add option to specify extra Volumes that will be mounted into the NiFi containern to allow providing files that processors may need.
This could be certificates, scheml files, configuration files for services to connect to ....



Co-authored-by: Sönke Liebau <soenke.liebau@stackable.de>

Author: soenkeliebau

CHANGELOG.md

@@ -8,6 +8,7 @@ All notable changes to this project will be documented in this file.
 
 - Enabled logging and log aggregation ([#418])
 - Deploy default and support custom affinities ([#436]).
+- Added the ability to mount extra volumes for files that may be needed for NiFi processors to work ([#434])
 
 ### Changed
 
@@ -17,6 +18,7 @@ All notable changes to this project will be documented in this file.
 
 [#417]: https://github.com/stackabletech/nifi-operator/pull/417
 [#418]: https://github.com/stackabletech/nifi-operator/pull/418
+[#434]: https://github.com/stackabletech/nifi-operator/pull/434
 [#436]: https://github.com/stackabletech/nifi-operator/pull/436
 
 ## [23.1.0] - 2023-01-23

deploy/helm/nifi-operator/crds/crds.yaml

@@ -0,0 +1,18 @@
+= Adding External Files to the NiFi Servers
+
+Since Apache NiFi allows executing pretty much arbitrary workflows depending on which processors are used, it may become necessary to add external files to the pods.
+These could for example be client certificates used to configure a `PollHTTP` processor, a keytab to obtain a Kerberos ticket, or similar things.
+
+In order to make these files available the operator allows specifying extra volumes that will be added to the NiFi pods.
+
+[source,yaml]
+----
+spec:
+  clusterConfig:
+    extraVolumes:
+      - name: nifi-client-certs
+        secret:
+          secretName: nifi-client-certs
+----
+
+All `Volumes` specified in this section will be made available under `/stackable/userdata/{volumename}`.

docs/modules/nifi/pages/usage_guide/extra_volumes.adoc

@@ -6,6 +6,7 @@
 * xref:nifi:usage_guide/index.adoc[]
 ** xref:nifi:usage_guide/security.adoc[]
 ** xref:nifi:usage_guide/resource-configuration.adoc[]
+** xref:nifi:usage_guide/extra_volumes.adoc[]
 ** xref:nifi:usage_guide/monitoring.adoc[]
 ** xref:nifi:usage_guide/log-aggregation.adoc[]
 ** xref:nifi:usage_guide/configuration-environment-overrides.adoc[]

docs/modules/nifi/partials/nav.adoc

@@ -1,18 +1,6 @@
 # Deploy a NiFi cluster, a user secret amd a ZooKeeper cluster and a respective
 # ZNode `simple-nifi-znode` which will be referenced
----
-apiVersion: zookeeper.stackable.tech/v1alpha1
-kind: ZookeeperCluster
-metadata:
-  name: simple-zk
-spec:
-  image:
-    productVersion: 3.8.0
-    stackableVersion: "23.4.0-rc1"
-  servers:
-    roleGroups:
-      default:
-        replicas: 3
+
 ---
 apiVersion: zookeeper.stackable.tech/v1alpha1
 kind: ZookeeperZnode

examples/simple-nifi-cluster.yaml

@@ -2,10 +2,12 @@ pub mod affinity;
 pub mod authentication;
 
 use crate::authentication::NifiAuthenticationConfig;
+use std::collections::BTreeMap;
 
 use affinity::get_affinity;
 use serde::{Deserialize, Serialize};
 use snafu::{OptionExt, ResultExt, Snafu};
+use stackable_operator::k8s_openapi::api::core::v1::Volume;
 use stackable_operator::{
     commons::{
         affinity::StackableAffinity,
@@ -27,7 +29,6 @@ use stackable_operator::{
     role_utils::{Role, RoleGroup, RoleGroupRef},
     schemars::{self, JsonSchema},
 };
-use std::collections::BTreeMap;
 
 pub const APP_NAME: &str = "nifi";
 
@@ -90,7 +91,7 @@ pub struct NifiSpec {
     pub stopped: Option<bool>,
 }
 
-#[derive(Clone, Debug, Deserialize, Eq, JsonSchema, PartialEq, Serialize)]
+#[derive(Clone, Debug, Deserialize, JsonSchema, PartialEq, Serialize)]
 #[serde(rename_all = "camelCase")]
 pub struct NifiClusterConfig {
     /// A reference to a Secret containing username/password for the initial admin user
@@ -103,6 +104,11 @@ pub struct NifiClusterConfig {
     pub vector_aggregator_config_map_name: Option<String>,
     /// The reference to the ZooKeeper cluster
     pub zookeeper_config_map_name: String,
+    /// Extra volumes to mount into every container, this can be useful to for example make client
+    /// certificates, keytabs or similar things available to processors
+    /// These volumes will be mounted below `/stackable/userdata/{volumename}`
+    #[serde(default, skip_serializing_if = "Vec::is_empty")]
+    pub extra_volumes: Vec<Volume>,
 }
 
 #[derive(Clone, Debug, Default, Deserialize, Eq, JsonSchema, PartialEq, Serialize)]

rust/crd/src/lib.rs

@@ -1,20 +1,14 @@
 //! Ensures that `Pod`s are configured and running for each [`NifiCluster`]
-use crate::config::{
-    build_bootstrap_conf, build_nifi_properties, build_state_management_xml,
-    validated_product_config, NifiRepository, NIFI_BOOTSTRAP_CONF, NIFI_PROPERTIES,
-    NIFI_STATE_MANAGEMENT_XML,
+use std::{
+    borrow::Cow,
+    collections::{BTreeMap, HashMap},
+    ops::Deref,
+    sync::Arc,
+    time::Duration,
 };
-use crate::product_logging::{extend_role_group_config_map, resolve_vector_aggregator_address};
-use crate::{config, OPERATOR_NAME};
 
 use rand::{distributions::Alphanumeric, Rng};
 use snafu::{OptionExt, ResultExt, Snafu};
-use stackable_nifi_crd::{
-    authentication::ResolvedAuthenticationMethod, Container, NifiCluster, NifiConfig,
-    NifiConfigFragment, NifiRole, NifiStatus, APP_NAME, BALANCE_PORT, BALANCE_PORT_NAME,
-    HTTPS_PORT, HTTPS_PORT_NAME, LOG_VOLUME_SIZE_IN_MIB, METRICS_PORT, METRICS_PORT_NAME,
-    PROTOCOL_PORT, PROTOCOL_PORT_NAME, STACKABLE_LOG_CONFIG_DIR, STACKABLE_LOG_DIR,
-};
 use stackable_operator::{
     builder::{
         ConfigMapBuilder, ContainerBuilder, ObjectMetaBuilder, PodBuilder,
@@ -52,16 +46,24 @@ use stackable_operator::{
     },
     role_utils::{Role, RoleGroupRef},
 };
-use std::{
-    borrow::Cow,
-    collections::{BTreeMap, HashMap},
-    ops::Deref,
-    sync::Arc,
-    time::Duration,
-};
 use strum::{EnumDiscriminants, IntoStaticStr};
 use tracing::Instrument;
 
+use stackable_nifi_crd::{
+    authentication::ResolvedAuthenticationMethod, Container, NifiCluster, NifiConfig,
+    NifiConfigFragment, NifiRole, NifiStatus, APP_NAME, BALANCE_PORT, BALANCE_PORT_NAME,
+    HTTPS_PORT, HTTPS_PORT_NAME, LOG_VOLUME_SIZE_IN_MIB, METRICS_PORT, METRICS_PORT_NAME,
+    PROTOCOL_PORT, PROTOCOL_PORT_NAME, STACKABLE_LOG_CONFIG_DIR, STACKABLE_LOG_DIR,
+};
+
+use crate::config::{
+    build_bootstrap_conf, build_nifi_properties, build_state_management_xml,
+    validated_product_config, NifiRepository, NIFI_BOOTSTRAP_CONF, NIFI_PROPERTIES,
+    NIFI_STATE_MANAGEMENT_XML,
+};
+use crate::product_logging::{extend_role_group_config_map, resolve_vector_aggregator_address};
+use crate::{config, OPERATOR_NAME};
+
 pub const CONTROLLER_NAME: &str = "nificluster";
 
 const KEYSTORE_VOLUME_NAME: &str = "keystore";
@@ -629,6 +631,8 @@ fn build_node_rolegroup_service(
     })
 }
 
+const USERDATA_MOUNTPOINT: &str = "/stackable/userdata";
+
 /// The rolegroup [`StatefulSet`] runs the rolegroup, as configured by the administrator.
 ///
 /// The [`Pod`](`stackable_operator::k8s_openapi::api::core::v1::Pod`)s are accessible through the
@@ -857,6 +861,24 @@ async fn build_node_rolegroup_statefulset(
         .resources(merged_config.resources.clone().into());
 
     let mut pod_builder = PodBuilder::new();
+
+    // Add user configured extra volumes if any are specified
+    for volume in &nifi.spec.cluster_config.extra_volumes {
+        // Extract values into vars so we make it impossible to log something other than
+        // what we actually use to create the mounts - maybe paranoid, but hey ..
+        let volume_name = &volume.name;
+        let mount_point = format!("{USERDATA_MOUNTPOINT}/{}", volume.name);
+
+        tracing::info!(
+            ?volume_name,
+            ?mount_point,
+            ?role,
+            "Adding user specified extra volume",
+        );
+        pod_builder.add_volume(volume.clone());
+        container_nifi.add_volume_mount(volume_name, mount_point);
+    }
+
     // We want to add nifi container first for easier defaulting into this container
     pod_builder.add_container(container_nifi.build());