This repository has been archived by the owner on Feb 12, 2024. It is now read-only.

Feature/cert manager (#218)
* Restore safetyValve and singleUser, including tests
* Align NOTES.txt to values.yaml service type
* Add checks for persistence vs. non-persistence
* Working OIDC and test scaffolding
* First attempt at NiFi OIDC login test
* Values file for minimal 2-way cluster
* Certs injected with proper DNS names
* cert-manager sidecar working but not logins
* Eliminate spoditor and external ClusterIssuer
* Consolidate SOCKS5 installation
* Install golang-go instead of running a container twice
* Update Services to support site-to-site
* Implement certManager.caSecrets settable value
* Support nifi.security.autoload
* Defensive script logic and autorotate certs
* Upgrade Ingress template to networking.k8s.io/v1
* Properly template certificate names
* Optionally override default Java truststore
* Set replaceDefaultTrustStore default
* Bump Nifi registry version to 0.3.8
* Add properties.sensitiveKeySetFile
* secure site-to-site test
* Add sensitiveKeyPrior
* OIDC: persist users & authorizations
* add configurable startupProbe for server
* Test Startup Probe
* add graceful shutdown for sidecars & node vs. non-node
* Add support to ingressClassName
* Test OIDC login via Ingress to secure cluster
* Redundant socks5 setup yaml files
* Update registry and zookeeper chart versions
* kubectl rollout status rather than kubectl wait
* link to customFlow example
* Bump chart version

Co-authored-by: Sebastien Dupont <dupont.sebastien@gmail.com>
Co-authored-by: Greg Foreman <gforeman@spinnerconsulting.com>
Co-authored-by: zakaria2905 <48456087+zakaria2905@users.noreply.github.com>
Co-authored-by: Eliel <eliel@ganex.com.br>
5 people authored Jun 21, 2022
1 parent 8e1902c commit 0a959e3
Showing 30 changed files with 1,520 additions and 91 deletions.
8 changes: 3 additions & 5 deletions .github/workflows/test-ldap.yml
Expand Up @@ -3,7 +3,7 @@ name: Test-LDAP
on:
push:
pull_request:

jobs:
test-ldap:
name: Test NiFi Helm Chart LDAP
Expand All @@ -28,13 +28,12 @@ jobs:
- name: Install openldap
run: |
kubectl apply -f tests/03-ldap
kubectl wait --for=condition=Ready pod --selector=app.kubernetes.io/name=openldap --timeout=5m
kubectl rollout status --watch deployment/openldap --timeout=5m
- name: Install Nifi
run: helm install nifi . -f tests/03-ldap-values.yaml
- name: Check deployment status
run: |
kubectl rollout status --timeout=5m --watch statefulset/nifi
kubectl wait --for=condition=Ready pod/nifi-0 --timeout=20m
kubectl rollout status --watch statefulset/nifi --timeout=5m
- name: Wait for NiFi web server to start
run: |
for n in [ 0 1 2 3 4 5 6 7 8 9 ]
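Review bot: replacing `kubectl wait --for=condition=Ready pod/nifi-0 --timeout=20m` with `kubectl rollout status --watch statefulset/nifi --timeout=5m` cuts the readiness budget from 20m to 5m, and `kubectl rollout status` on a StatefulSet only reports progress when its updateStrategy is RollingUpdate (it errors out under OnDelete); confirm the chart's StatefulSet uses RollingUpdate and that 5m plus the following 'Wait for NiFi web server to start' loop is enough headroom for an image pull on the Minikube runner. The `deployment/openldap` change is fine: rollout status waits for the Deployment's replicas to become available, which is what the old selector-based pod wait checked.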
Expand All @@ -55,4 +54,3 @@ jobs:
run: |
kubectl exec nifi-0 -c server -- curl -d username=user1 -d password=password2 -sk https://localhost:8443/nifi-api/access/token | \
grep 'The supplied username and password are not valid.'
94 changes: 72 additions & 22 deletions .github/workflows/test-oidc.yml
@@ -1,12 +1,12 @@
name: Test-OIDC
name: OIDC Logins

on:
push:
pull_request:

jobs:
test-oidc:
name: Test NiFi Helm Chart OIDC
oidc-insecure:
name: OIDC (Insecure)
runs-on: ubuntu-latest
steps:
- name: Checkout
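Review bot: renaming the job id `test-oidc` to `oidc-insecure` and its display name from `Test NiFi Helm Chart OIDC` to `OIDC (Insecure)` changes the status-check name reported to GitHub; any branch-protection rule or required check that references the old name will wait on a check that no longer runs, so update those settings in the same change. The workflow-level rename to `OIDC Logins` has the same effect on the workflow list and on any `workflow_run` triggers that name it.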
Expand All @@ -33,32 +33,82 @@ jobs:
- name: Install test framework components
run: |
kubectl apply -f tests/04-oidc-test-framework
kubectl create configmap 04-oidc-login-test --from-file=tests/04-oidc-login-test.js
kubectl wait --for=condition=Ready pod/browserless-0 --timeout=5m
kubectl wait --for=condition=Ready pod/keycloak-0 --timeout=5m
kubectl wait --for=condition=Ready pod/socks5-0 --timeout=5m
kubectl create configmap 04-oidc-login-test --from-file=tests/04-oidc-login-test.js
kubectl rollout status --watch statefulset/browserless --timeout=5m
kubectl rollout status --watch statefulset/keycloak --timeout=5m
kubectl rollout status --watch statefulset/socks5 --timeout=5m
tests/04-oidc-keycloak-setup.bash
- name: Install Nifi
run: helm install nifi . -f tests/04-oidc-values.yaml
- name: Check deployment status
run: |
kubectl rollout status --timeout=5m --watch statefulset/nifi
kubectl wait --for=condition=Ready pod/nifi-0 --timeout=20m
- name: Wait for NiFi web server to start
kubectl rollout status --watch statefulset/nifi --timeout=20m
- name: Check that OIDC login works
run: |
export K8SNODEIP=$(kubectl get node -o json | jq -r '.items[0].status.addresses[0].address')
export K8SPORT=$(kubectl get svc browserless -o json | jq -r '.spec.ports[0].nodePort')
export NIFIURL='https://nifi.default.svc.cluster.local:8443/nifi/'
cd $HOME
mkdir -p $HOME/screenshots
node_modules/mocha/bin/_mocha $GITHUB_WORKSPACE/tests/04-oidc-login-test.js --timeout 30000
- name: Archive screenshots
if: ${{ success() || failure() || cancelled() }}
uses: actions/upload-artifact@v3
with:
name: screenshots-insecure
path: ~/screenshots/

oidc-cluster-ingress-cert-manager-local-issuer:
name: OIDC (cluster, Ingress, cert-manager local issuer)
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v1
- name: Setup Minikube
uses: manusa/actions-setup-minikube@v2.4.1
with:
minikube version: 'v1.20.0'
kubernetes version: 'v1.20.2'
- name: Checkout code
uses: actions/checkout@v1
- name: Install dependencies
run: |
curl -sL https://deb.nodesource.com/setup_16.x -o nodesource_setup.sh
sudo bash nodesource_setup.sh
sudo apt-get install -y jq yarn
yarn add puppeteer-core --cwd $HOME
yarn add chai --cwd $HOME
yarn add mocha --cwd $HOME
helm repo add bitnami https://charts.bitnami.com/bitnami
helm repo add dysnix https://dysnix.github.io/charts/
helm repo update
helm dep up
- name: Install test framework components
run: |
kubectl apply -f tests/04-oidc-test-framework
kubectl create configmap 04-oidc-login-test --from-file=tests/04-oidc-login-test.js
kubectl rollout status --watch statefulset/browserless --timeout=5m
kubectl rollout status --watch statefulset/keycloak --timeout=5m
kubectl rollout status --watch statefulset/socks5 --timeout=5m
tests/04-oidc-keycloak-setup.bash
tests/05-install-cert-manager.bash
minikube addons enable ingress
kubectl apply -f tests/07-increase-webhook-timeout.yaml
- name: Install Nifi and wait for start
run: |
for n in [ 0 1 2 3 4 5 6 7 8 9 ]
do
if kubectl logs pod/nifi-0 -c app-log | grep 'JettyServer NiFi has started'
then
exit 0
fi
sleep 30
done
echo NiFi did not start for 300 seconds!
exit 1
helm install nifi . -f tests/07-oidc-cluster-values.yaml
kubectl rollout status --watch statefulset/nifi --timeout=20m
- name: Check that OIDC login works
run: |
export K8SNODEIP=$(kubectl get node -o json | jq -r '.items[0].status.addresses[0].address')
export K8SPORT=$(kubectl get svc browserless -o json | jq -r '.spec.ports[0].nodePort')
export NIFIURL='https://ingress-nginx-controller.ingress-nginx.svc.cluster.local/nifi/'
cd $HOME
node_modules/mocha/bin/mocha $GITHUB_WORKSPACE/tests/04-oidc-login-test.js --timeout 30000
mkdir -p $HOME/screenshots
node_modules/mocha/bin/_mocha $GITHUB_WORKSPACE/tests/07-oidc-cluster-login-test.js --timeout 30000
- name: Archive screenshots
if: ${{ success() || failure() || cancelled () }}
uses: actions/upload-artifact@v3
with:
name: screenshots-certMgr-localIssuer
path: ~/screenshots/
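Review bot: `if: ${{ success() || failure() || cancelled () }}` in the cert-manager job's 'Archive screenshots' step has a space before the parentheses, unlike `cancelled()` in the insecure job above; write it as `cancelled()` so both jobs use the same expression (`if: always()` would be simpler for both). In the same job, `actions/checkout@v1` runs twice ('Checkout' and 'Checkout code'); one is redundant and both could move to a current major version. The 'Install dependencies' step pipes `https://deb.nodesource.com/setup_16.x` into `sudo bash`, executing whatever that URL serves at run time; installing Node through `actions/setup-node` with a pinned version would remove the unverified download from the job. As rendered, the `for n in [ 0 1 2 3 4 5 6 7 8 9 ]` loop appears before `helm install nifi . -f tests/07-oidc-cluster-values.yaml` under 'Install Nifi and wait for start'; if those lines are not the deleted body of the old 'Wait for NiFi web server to start' step they must move after the install, since the loop ends in `exit 0` or `exit 1` either way.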
14 changes: 8 additions & 6 deletions .github/workflows/test-persistence.yml
Expand Up @@ -3,7 +3,7 @@ name: Test-Persistence
on:
push:
pull_request:

jobs:
test-persistence:
name: Test NiFi Helm Chart Persistence
Expand All @@ -29,8 +29,7 @@ jobs:
run: helm install nifi . -f tests/02-persistence-enabled-values.yaml
- name: Check deployment status
run: |
kubectl rollout status --timeout=5m --watch statefulset/nifi
kubectl wait --for=condition=Ready pod/nifi-0 --timeout=20m
kubectl rollout status --watch statefulset/nifi --timeout=5m
- name: Get First .processGroupFlow.uri
id: first-pgfuri
run: |
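Review bot: `kubectl rollout status --watch statefulset/nifi --timeout=5m` gives this job 5m for the StatefulSet to come up, while test-oidc.yml uses `--timeout=20m` for the same StatefulSet and the removed `kubectl wait ... --timeout=20m` also allowed 20m; pick one value for every workflow (or define it once as an env var at the top of each file) so that a slow image pull does not fail this job while passing the others.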
Expand All @@ -53,7 +52,8 @@ jobs:
- name: Install NiFi
run: helm install nifi . -f tests/02-persistence-enabled-values.yaml
- name: Check deployment status
run: kubectl wait --for=condition=Ready pod/nifi-0 --timeout=20m
run: |
kubectl rollout status --watch statefulset/nifi --timeout=5m
- name: Get Second .processGroupFlow.uri
id: second-pgfuri
run: |
Expand Down Expand Up @@ -97,7 +97,8 @@ jobs:
- name: Install Nifi
run: helm install nifi . -f tests/02-persistence-disabled-values.yaml
- name: Check deployment status
run: kubectl wait --for=condition=Ready pod/nifi-0 --timeout=20m
run: |
kubectl rollout status --watch statefulset/nifi --timeout=5m
- name: Get First .processGroupFlow.uri
id: first-pgfuri
run: |
Expand All @@ -120,7 +121,8 @@ jobs:
- name: Install NiFi
run: helm install nifi . -f tests/02-persistence-disabled-values.yaml
- name: Check deployment status
run: kubectl wait --for=condition=Ready pod/nifi-0 --timeout=20m
run: |
kubectl rollout status --watch statefulset/nifi --timeout=5m
- name: Get Second .processGroupFlow.uri
id: second-pgfuri
run: |
9 changes: 4 additions & 5 deletions .github/workflows/test-safetyvalve.yml
Expand Up @@ -3,7 +3,7 @@ name: Test-SafetyValve
on:
push:
pull_request:

jobs:
test-safetyvalve:
name: Test NiFi Helm Chart SafetyValve Properties
Expand All @@ -16,7 +16,7 @@ jobs:
with:
minikube version: 'v1.20.0'
kubernetes version: 'v1.20.2'
#github token: ${{ secrets.GITHUB_TOKEN }}
#github token: ${{ secrets.GITHUB_TOKEN }}
#- run: minikube addons list
#- name: Interact with the cluster
# run: kubectl get nodes
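Review bot: the only change in this hunk is the indentation of the commented-out `#github token: ${{ secrets.GITHUB_TOKEN }}` line; the four commented lines (`github token`, `minikube addons list`, `Interact with the cluster`, `kubectl get nodes`) are dead configuration and are better deleted than re-indented.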
Expand All @@ -27,13 +27,12 @@ jobs:
helm repo add bitnami https://charts.bitnami.com/bitnami
helm repo add dysnix https://dysnix.github.io/charts/
helm repo update
helm dep up
helm dep up
- name: Install Nifi
run: helm install nifi . -f tests/01-safetyValve-values.yaml
- name: Check deployment status
run: |
kubectl rollout status --timeout=5m --watch statefulset/nifi
kubectl wait --for=condition=Ready pod/nifi-0 --timeout=20m
kubectl rollout status --watch statefulset/nifi --timeout=5m
- name: Wait for NiFi web server to start
run: |
for n in [ 0 1 2 3 4 5 6 7 8 9 ]
8 changes: 3 additions & 5 deletions .github/workflows/test-singleuser.yml
Expand Up @@ -3,7 +3,7 @@ name: Test-SingleUser
on:
push:
pull_request:

jobs:
test-singleuser:
name: Test NiFi Helm Chart Single User
Expand All @@ -28,13 +28,12 @@ jobs:
- name: Install openldap
run: |
kubectl apply -f tests/03-ldap
kubectl wait --for=condition=Ready pod --selector=app.kubernetes.io/name=openldap --timeout=5m
kubectl rollout status --watch deployment/openldap --timeout=5m
- name: Install Nifi
run: helm install nifi .
- name: Check deployment status
run: |
kubectl rollout status --timeout=5m --watch statefulset/nifi
kubectl wait --for=condition=Ready pod/nifi-0 --timeout=20m
kubectl rollout status --watch statefulset/nifi --timeout=5m
- name: Wait for NiFi web server to start
run: |
for n in [ 0 1 2 3 4 5 6 7 8 9 ]
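Review bot: the single-user workflow still applies `tests/03-ldap` and waits for `deployment/openldap` even though `helm install nifi .` runs with default values and the login checks only exercise the single-user credentials; dropping the 'Install openldap' step would shorten the job and remove a dependency unrelated to what it tests. As in test-ldap.yml, the switch to `kubectl rollout status --watch statefulset/nifi --timeout=5m` cuts the readiness budget from 20m to 5m; confirm that is enough on the Minikube runner.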
Expand All @@ -55,4 +54,3 @@ jobs:
run: |
kubectl exec nifi-0 -c server -- curl -d username=username -d password=donotchangeme -sk https://localhost:8443/nifi-api/access/token | \
grep 'The supplied username and password are not valid.'
114 changes: 114 additions & 0 deletions .github/workflows/test-site-to-site.yml
@@ -0,0 +1,114 @@
name: Test-Site-to-Site

on:
push:
pull_request:

jobs:
test-oidc:
name: Test NiFi Helm Chart Secure Site-to-Site
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v1
- name: Setup Minikube
uses: manusa/actions-setup-minikube@v2.4.1
with:
minikube version: 'v1.20.0'
kubernetes version: 'v1.20.2'
- name: Checkout code
uses: actions/checkout@v1
- name: Install dependencies
run: |
sudo apt-get install -y jq
helm repo add bitnami https://charts.bitnami.com/bitnami
helm repo add dysnix https://dysnix.github.io/charts/
helm repo update
helm dep up
- name: Install cert-manager
run: tests/05-install-cert-manager.bash
- name: Install ALPHA and BRAVO instances of NiFi
run: tests/06-site-to-site.bash
- name: Check deployment status
run: |
kubectl -n alpha rollout status --watch statefulset/nifi --timeout=5m
kubectl -n bravo rollout status --watch statefulset/nifi --timeout=5m
- name: Wait for BRAVO NiFi web server to start
run: |
for n in [ 0 1 2 3 4 5 6 7 8 9 ]
do
if kubectl -n bravo logs pod/nifi-0 -c app-log | grep 'JettyServer NiFi has started'
then
exit 0
fi
sleep 30
done
echo NiFi did not start for 300 seconds!
echo ===ALPHA SERVER LOGS===
kubectl -n alpha logs pod/nifi-0 -c server
echo ===ALPHA APP LOGS===
kubectl -n alpha logs pod/nifi-0 -c app-log
echo ===ALPHA USER LOGS===
kubectl -n alpha logs pod/nifi-0 -c user-log
echo ===BRAVO SERVER LOGS===
kubectl -n bravo logs pod/nifi-0 -c server
echo ===BRAVO APP LOGS===
kubectl -n bravo logs pod/nifi-0 -c app-log
echo ===BRAVO USER LOGS===
kubectl -n bravo logs pod/nifi-0 -c user-log
exit 1
- name: Wait for items on BravoInput
run: |
for n in [ 0 1 2 3 4 5 6 7 8 9 ]
do
ITEMS=$(kubectl -n bravo exec nifi-0 -c server -- curl -s http://localhost:9092/metrics/ | grep 'name="BravoInput"' | grep ^nifi_amount_items_output | cut -f2 -d' ')
echo Got $ITEMS items so far
if [ $ITEMS != "0.0" ]
then
exit 0
fi
sleep 30
done
echo Got no items for 300 seconds!
echo ===ALPHA SERVER LOGS===
kubectl -n alpha logs pod/nifi-0 -c server
echo ===ALPHA APP LOGS===
kubectl -n alpha logs pod/nifi-0 -c app-log
echo ===ALPHA USER LOGS===
kubectl -n alpha logs pod/nifi-0 -c user-log
echo ===BRAVO SERVER LOGS===
kubectl -n bravo logs pod/nifi-0 -c server
echo ===BRAVO APP LOGS===
kubectl -n bravo logs pod/nifi-0 -c app-log
echo ===BRAVO USER LOGS===
kubectl -n bravo logs pod/nifi-0 -c user-log
exit 1
- name: Confirm certificate rotation
run: |
OLDCERTSTART=$(kubectl -n alpha exec nifi-0 -c server -- curl -kv https://localhost:8443 2>&1 | /bin/grep start)
echo Certificate "$OLDCERTSTART"
cmctl -n alpha renew nifi-0
for n in [ 0 1 2 3 4 5 6 7 8 9 ]
do
NEWCERTSTART=$(kubectl -n alpha exec nifi-0 -c server -- curl -kv https://localhost:8443 2>&1 | /bin/grep start)
echo Certificate "$NEWCERTSTART"
if [ \""$OLDCERTSTART"\" != \""$NEWCERTSTART"\" ]
then
exit 0
fi
sleep 30
done
echo Certificate did not update for 300 seconds!
echo ===ALPHA SERVER LOGS===
kubectl -n alpha logs pod/nifi-0 -c server
echo ===ALPHA APP LOGS===
kubectl -n alpha logs pod/nifi-0 -c app-log
echo ===ALPHA USER LOGS===
kubectl -n alpha logs pod/nifi-0 -c user-log
echo ===BRAVO SERVER LOGS===
kubectl -n bravo logs pod/nifi-0 -c server
echo ===BRAVO APP LOGS===
kubectl -n bravo logs pod/nifi-0 -c app-log
echo ===BRAVO USER LOGS===
kubectl -n bravo logs pod/nifi-0 -c user-log
exit 1
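Review bot: `for n in [ 0 1 2 3 4 5 6 7 8 9 ]` iterates over the words `[` and `]` as well as the ten digits, so each loop runs 12 times (360 s), not the 300 s the failure messages claim; use `for n in $(seq 0 9)` or `{0..9}`. In 'Wait for items on BravoInput', `$ITEMS` is unquoted in `if [ $ITEMS != "0.0" ]`; while the metrics endpoint is still down `ITEMS` is empty, the test becomes `[ != "0.0" ]` and prints a 'unary operator expected' error on every iteration; quote it and give it a default, e.g. `if [ "${ITEMS:-0.0}" != "0.0" ]`. 'Confirm certificate rotation' calls `cmctl -n alpha renew nifi-0`, but 'Install dependencies' installs only `jq`; unless `tests/05-install-cert-manager.bash` also installs cmctl, this step fails before any renewal is attempted. The job id `test-oidc` looks copied from test-oidc.yml; `test-site-to-site` would match the workflow name. Finally, the same ALPHA/BRAVO log dump is repeated verbatim in three steps; one trailing step with `if: failure()` would collect the logs once for every failure mode.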