Merge branch 'develop'

cetic · Oct 12, 2020 · 7ad090b · 7ad090b
2 parents b8927f7 + 6fb42d1
commit 7ad090b
Show file tree

Hide file tree

Showing 16 changed files with 242 additions and 12 deletions.
diff --git a/Chart.yaml b/Chart.yaml
@@ -1,7 +1,7 @@
 ---
 apiVersion: v2
 name: nifi
-version: 0.5.4
+version: 0.5.5
 appVersion: 1.12.1
 description: Apache NiFi is a software project from the Apache Software Foundation designed to automate the flow of data between software systems.
 keywords:
@@ -27,5 +27,5 @@ dependencies:
     repository: https://dysnix.github.io/charts/
     condition: registry.enabled
   - name: ca
-    version: 1.0.0
+    version: 1.0.1
     condition: ca.enabled
diff --git a/README.md b/README.md
@@ -88,6 +88,8 @@ The following table lists the configurable parameters of the nifi chart and the
 | `securityContext.runAsUser`                                                 | nifi Docker User                                                                                                   | `1000`                          |
 | `securityContext.fsGroup`                                                   | nifi Docker Group                                                                                                  | `1000`                          |
 | **sts**                                                                     |
+| `sts.serviceAccount.create`    | If true, a service account will be created and used by the statefulset | `false` |
+| `sts.serviceAccount.name`       | When set, the set name will be used as the service account name. If a value is not provided a name will be generated based on Chart options | `nil` |
 | `sts.podManagementPolicy`                                                   | Parallel podManagementPolicy                                                                                       | `Parallel`                      |
 | `sts.AntiAffinity`                                                          | Affinity for pod assignment                                                                                        | `soft`                          |
 | `sts.pod.annotations`                                                       | Pod template annotations                                                                                           | `security.alpha.kubernetes.io/sysctls: net.ipv4.ip_local_port_range=10000 65000`                          |
@@ -177,6 +179,11 @@ The following table lists the configurable parameters of the nifi chart and the
 | `env`                                                                       | Additional environment variables for the nifi-container (see [spec](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#envvar-v1-core) for details)  | `[]`                            |
 | **extraContainers**                                                         |
 | `extraContainers`                                                           | Additional container-specifications that should run within the pod (see [spec](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#container-v1-core) for details)  | `[]`                            |
+| **openshift**                                                                     |
+| `openshift.scc.enabled`                                                     | If true, a openshift security context will be created permitting to run the statefulset as AnyUID | `false` |
+| `openshift.route.enabled`                                                   | If true, a openshift route will be created. This option cannot be used together with Ingress as a route object replaces the Ingress. The property `properties.externalSecure` will configure the route in edge termination mode, the default is passthrough. The property `properties.httpsPort` has to be set if the cluster is intended to work with SSL termination | `false` |
+| `openshift.route.host`                                                      | The hostname intended to be used in order to access NiFi web interface | `nil` |
+| `openshift.route.path`                                                      | Path to access frontend, works the same way as the ingress path option | `nil` |
 | **zookeeper**                                                               |
 | `zookeeper.enabled`                                                         | If true, deploy Zookeeper                                                                                          | `true`                          |
 | `zookeeper.url`                                                             | If the Zookeeper Chart is disabled a URL and port are required to connect                                          | `nil`                           |
@@ -191,6 +198,9 @@ The following table lists the configurable parameters of the nifi chart and the
 | `ca.port`                                                                   | CA server port number                                          | `9090`                            |
 | `ca.token`                                                                  | The token to use to prevent MITM                                          | `80`                            |
 | `ca.admin.cn`                                                               | CN for admin certificate                                          | `admin`                            |
+| `ca.serviceAccount.create`                                                 | If true, a service account will be created and used by the deployment                                         | `false`                            |
+| `ca.serviceAccount.name`                                                 |When set, the set name will be used as the service account name. If a value is not provided a name will be generated based on Chart options | `nil` |
+| `ca.openshift.scc.enabled`                                                     | If true, an openshift security context will be created permitting to run the deployment as AnyUID | `false` |
 
 ## Credits
 

diff --git a/charts/ca/Chart.yaml b/charts/ca/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: ca
-version: 1.0.0
+version: 1.0.1
 # We are using the nifi version as appVersion
 appVersion: 1.11.4
 description: A Helm chart to deploy ca server to generate self-signed certificates using nifi-toolkit.

diff --git a/charts/ca/templates/_helpers.tpl b/charts/ca/templates/_helpers.tpl
@@ -23,3 +23,14 @@ If release name contains chart name it will be used as a full name.
 {{- end -}}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Set the service account name
+*/}}
+{{- define "ca.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "ca.fullname" .) .Values.serviceAccount.name }}-sa
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/charts/ca/templates/deployment.yaml b/charts/ca/templates/deployment.yaml
@@ -20,6 +20,7 @@ spec:
         app: {{ template "ca.name" . }}-ca
         release: {{ .Release.Name }}
     spec:
+      serviceAccountName: {{ include "ca.serviceAccountName" . }}
       containers:
       - name: ca
         imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
@@ -62,6 +63,7 @@ spec:
         name: volume-permissions
         resources: {}
         securityContext:
+          runAsUser: 0
           allowPrivilegeEscalation: false
           capabilities: {}
           privileged: false

diff --git a/charts/ca/templates/scc.yaml b/charts/ca/templates/scc.yaml
@@ -0,0 +1,45 @@
+{{- if .Values.openshift.scc.enabled -}}
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+  labels:
+    app: {{ template "ca.name" . }}-ca
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: {{ .Release.Name | quote }}
+    heritage: {{ .Release.Service | quote }}
+  annotations:
+    kubernetes.io/description: nifi provides all features of the restricted SCC but
+      allows users to run with any UID and any GID.
+  name: {{ template "ca.fullname" . }}-scc
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: true
+allowPrivilegedContainer: false
+allowedCapabilities: null
+defaultAddCapabilities: null
+fsGroup:
+  type: RunAsAny
+groups: []
+priority: 10
+readOnlyRootFilesystem: false
+requiredDropCapabilities:
+- MKNOD
+runAsUser:
+  type: RunAsAny
+seLinuxContext:
+  type: MustRunAs
+supplementalGroups:
+  type: RunAsAny
+users:
+- system:serviceaccount:{{ .Release.Namespace }}:{{ include "ca.serviceAccountName" . }}
+volumes:
+- configMap
+- downwardAPI
+- emptyDir
+- persistentVolumeClaim
+- projected
+- secret
+{{- end }}
diff --git a/charts/ca/templates/serviceaccount.yaml b/charts/ca/templates/serviceaccount.yaml
@@ -0,0 +1,11 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app: {{ template "ca.name" . }}-ca
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: {{ .Release.Name | quote }}
+    heritage: {{ .Release.Service | quote }}
+  name: {{ include "ca.serviceAccountName" . }}
+{{- end }}
diff --git a/charts/ca/values.yaml b/charts/ca/values.yaml
@@ -49,3 +49,13 @@ token: sixteenCharacters
 securityContext:
   fsGroup: 1000
   runAsUser: 1000
+
+serviceAccount:
+  create: false
+  #name: nifi-ca
+
+## Openshift support
+## Use the following varables in order to enable Route and Security Context Constraint creation
+openshift:
+  scc:
+    enabled: false
diff --git a/configs/nifi.properties b/configs/nifi.properties
@@ -34,6 +34,7 @@ nifi.ui.banner.text=
 nifi.ui.autorefresh.interval=30 sec
 nifi.nar.library.directory=./lib
 nifi.nar.library.directory.custom={{.Values.properties.customLibPath}}
+nifi.nar.library.autoload.directory=./extensions
 nifi.nar.working.directory=./work/nar/
 nifi.documentation.working.directory=./work/docs/components
 
@@ -151,11 +152,11 @@ nifi.sensitive.props.provider=BC
 nifi.sensitive.props.additional.keys=
 
 nifi.security.keystore=
-nifi.security.keystoreType=jks
+nifi.security.keystoreType=
 nifi.security.keystorePasswd=
 nifi.security.keyPasswd=
 nifi.security.truststore=
-nifi.security.truststoreType=jks
+nifi.security.truststoreType=
 nifi.security.truststorePasswd=
 nifi.security.needClientAuth={{.Values.properties.needClientAuth}}
 nifi.security.user.authorizer={{.Values.properties.authorizer}}

diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
@@ -78,4 +78,15 @@ Create ca.server
 {{- else -}}
 {{- printf "%s" .Values.ca.server }}
 {{- end -}}
-{{- end -}}
+{{- end -}}
+
+{{/*
+Set the service account name
+*/}}
+{{- define "apache-nifi.serviceAccountName" -}}
+{{- if .Values.sts.serviceAccount.create }}
+{{- default (include "apache-nifi.fullname" .) .Values.sts.serviceAccount.name }}-sa
+{{- else }}
+{{- default "default" .Values.sts.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/templates/ingress.yaml b/templates/ingress.yaml
@@ -2,7 +2,8 @@
 {{- if .Values.ingress.enabled -}}
 {{- $fullName := include "apache-nifi.fullname" . -}}
 {{- $ingressPath := .Values.ingress.path -}}
-{{- $ingressPort := .Values.service.httpPort -}}
+{{- $ingressHttpsPort := .Values.service.httpsPort -}}
+{{- $ingressHttpPort := .Values.service.httpPort -}}
 apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
@@ -28,6 +29,7 @@ spec:
       secretName: {{ .secretName }}
   {{- end }}
 {{- end }}
+{{- if .Values.properties.clusterSecure}}
   rules:
   {{- range .Values.ingress.hosts }}
     - host: {{ . }}
@@ -36,6 +38,18 @@ spec:
           - path: {{ $ingressPath }}
             backend:
               serviceName: {{ $fullName }}
-              servicePort: {{ $ingressPort }}
+              servicePort: {{ $ingressHttpsPort }}
+  {{- end }}
+{{- else}}
+  rules:
+  {{- range .Values.ingress.hosts }}
+    - host: {{ . }}
+      http:
+        paths:
+          - path: {{ $ingressPath }}
+            backend:
+              serviceName: {{ $fullName }}
+              servicePort: {{ $ingressHttpPort }}
   {{- end }}
 {{- end }}
+{{- end }}
diff --git a/templates/route.yaml b/templates/route.yaml
@@ -0,0 +1,37 @@
+{{- if .Values.openshift.route.enabled -}}
+{{- $fullName := include "apache-nifi.fullname" . -}}
+{{- $ingressPath := .Values.openshift.route.path -}}
+kind: Route
+apiVersion: route.openshift.io/v1
+metadata:
+  labels:
+    app: {{ include "apache-nifi.name" . | quote }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
+    release: {{ .Release.Name | quote }}
+    heritage: {{ .Release.Service | quote }}
+  name: {{ template "apache-nifi.fullname" . }}
+spec:
+  {{- if .Values.openshift.route.host }}
+  host: {{ .Values.openshift.route.host }}
+  {{- end }}
+  {{- if .Values.openshift.route.host }}
+  path: {{ $ingressPath }}
+  {{- end }}
+  to:
+    kind: Service
+    name: {{ $fullName }}
+    weight: 100
+  port:
+{{- if .Values.properties.clusterSecure }}
+    targetPort: https
+  tls:
+    {{- if .Values.properties.externalSecure }}
+    termination: edge
+    {{- else }}
+    termination: passthrough
+    {{- end }}
+    insecureEdgeTerminationPolicy: Redirect
+{{- else }}
+    targetPort: http
+{{- end }}
+{{- end }}
diff --git a/templates/scc.yaml b/templates/scc.yaml
@@ -0,0 +1,45 @@
+{{- if .Values.openshift.scc.enabled -}}
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+  labels:
+    app: {{ include "apache-nifi.name" . | quote }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
+    release: {{ .Release.Name | quote }}
+    heritage: {{ .Release.Service | quote }}
+  annotations:
+    kubernetes.io/description: {{ template "apache-nifi.fullname" . }}-scc provides all features of the restricted SCC but
+      allows users to run with any UID and any GID.
+  name: {{ template "apache-nifi.fullname" . }}-scc
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: true
+allowPrivilegedContainer: false
+allowedCapabilities: null
+defaultAddCapabilities: null
+fsGroup:
+  type: RunAsAny
+groups: []
+priority: 10
+readOnlyRootFilesystem: false
+requiredDropCapabilities:
+- MKNOD
+runAsUser:
+  type: RunAsAny
+seLinuxContext:
+  type: MustRunAs
+supplementalGroups:
+  type: RunAsAny
+users:
+- system:serviceaccount:{{ .Release.Namespace }}:{{ include "apache-nifi.serviceAccountName" . }}
+volumes:
+- configMap
+- downwardAPI
+- emptyDir
+- persistentVolumeClaim
+- projected
+- secret
+{{- end }}
diff --git a/templates/serviceaccount.yaml b/templates/serviceaccount.yaml
@@ -0,0 +1,11 @@
+{{- if .Values.sts.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app: {{ include "apache-nifi.name" . | quote }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
+    release: {{ .Release.Name | quote }}
+    heritage: {{ .Release.Service | quote }}
+  name: {{ include "apache-nifi.serviceAccountName" . }}
+{{- end }}
diff --git a/templates/statefulset.yaml b/templates/statefulset.yaml
@@ -31,6 +31,7 @@ spec:
         release: {{ .Release.Name | quote }}
         heritage: {{ .Release.Service | quote }}
     spec:
+      serviceAccountName: {{ include "apache-nifi.serviceAccountName" . }}
       {{- if eq .Values.sts.AntiAffinity "hard"}}
       affinity:
         podAntiAffinity:
@@ -50,7 +51,7 @@ spec:
                podAffinityTerm:
                  labelSelector:
                     matchExpressions:
-                      - key: "component"
+                      - key: "app"
                         operator: In
                         values:
                          - {{ include "apache-nifi.name" . | quote }}
@@ -177,9 +178,9 @@ spec:
             cat "${NIFI_HOME}/conf/authorizers.empty" > "${NIFI_HOME}/conf/authorizers.xml"
           fi
 
-          # if ! test -f /opt/nifi/data/flow.xml.gz && test -f /opt/nifi/data/flow.xml; then
-          #   gzip /opt/nifi/data/flow.xml
-          # fi
+          if ! test -f /opt/nifi/data/flow.xml.gz && test -f /opt/nifi/data/flow.xml; then
+            gzip /opt/nifi/data/flow.xml
+          fi
 
           prop_replace nifi.remote.input.host ${FQDN}
           prop_replace nifi.cluster.node.address ${FQDN}
@@ -188,9 +189,11 @@ spec:
 {{- if .Values.properties.clusterSecure }}
           # Update nifi.properties for security properties
           prop_replace nifi.web.https.host ${FQDN}
+          prop_replace nifi.security.keystoreType jks
           prop_replace nifi.security.keystore   ${NIFI_HOME}/config-data/certs/keystore.jks
           prop_replace nifi.security.keystorePasswd     $(jq -r .keyStorePassword ${NIFI_HOME}/config-data/certs/config.json)
           prop_replace nifi.security.keyPasswd          $(jq -r .keyPassword ${NIFI_HOME}/config-data/certs/config.json)
+          prop_replace nifi.security.truststoreType jks
           prop_replace nifi.security.truststore   ${NIFI_HOME}/config-data/certs/truststore.jks
           prop_replace nifi.security.truststorePasswd   $(jq -r .trustStorePassword ${NIFI_HOME}/config-data/certs/config.json)