nifi-registry and istio

[bmgante]

Hi
I am using nifi-registry 0.3.5 deployed in k8s with istio enabled and i am able to reach registry UI (after setting hostname to "0.0.0.0").

However, when configuring the registry url (https://nifi-registry.network-packet.staging.xxx.net/nifi-registry) on nifi and then trying to start version control in a PG have the following error:

Seems nifi does not trust CA which is let´s encrypt. Isn´t registry compatible with istio? Any idea on how to overcome this issue?

Below my config.

Values.yaml:

# Default values for nifi-registry.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

replicaCount: 1

image:
  repository: apache/nifi-registry
  pullPolicy: IfNotPresent
  tag: "0.8.0"

initContainers:
  git:
    image: alpine/git
    tag: v2.26.2
  alpine:
    image: alpine
    tag: 3.6
  # Additional environment variables to set for the initContainers
  extraEnvs: []
  # extraEnvs:
  #   - name: FOO
  #     value: bar

imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""

serviceAccount:
  # Specifies whether a service account should be created
  create: true
  # Annotations to add to the service account
  annotations: {}
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name: ""

podAnnotations: {}
#podAnnotations:
#  sidecar.istio.io/inject: "false"


podSecurityContext: {}
  # fsGroup: 2000

securityContext: {}
  # capabilities:
  #   drop:
  #   - ALL
  # readOnlyRootFilesystem: true
  # runAsNonRoot: true
  # runAsUser: 1000

service:
  type: ClusterIP
  port: 18080

ingress:
  enabled: false
  annotations: {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
  hosts:
    - host: chart-example.local
      paths: []
  tls: []
  #  - secretName: chart-example-tls
  #    hosts:
  #      - chart-example.local

## Persist data to a persistent volume
persistence:
  enabled: true
  database:
    # storageClass: "-"
    accessMode: ReadWriteOnce
    size: 1Gi
  flowStorage:
    # storageClass: "-"
    accessMode: ReadWriteOnce
    size: 1Gi

#resources: {}
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi

resources:
  requests:
    memory: 512Mi
    cpu: 100m
  limits:
    memory: 1Gi
    cpu: 200m


#Required to use dedicated compute
#nodeSelector: {}
nodeSelector:
  function: nifi-network-packet

#Required to use dedicated compute
#tolerations: []
tolerations:
- effect: NoSchedule
  key: function
  operator: Equal
  value: nifi-network-packet

affinity: {}


flowProvider:
  git:
    enabled: false
    url:
    remote: origin
    user:
    password:
    # The secret name can be used to supply your own SSH key:
    # 1. Generate a SSH key named identity:
    #      ssh-keygen -q -N "" -f ./identity
    # 2. Create a Kubernetes secret:
    #      kubectl -n nifi-registry create secret generic nifi-registry-git-deploy --from-file=./identity
    # 3. Don't check these key files into your Git repository! Once you've created
    #    the Kubernetes secret, Delete the private key:
    #      rm ./identity
    # 4. Add ./identity.pub as a deployment key with write access in your Git repo
    # 5. Set the secret name (default: nifi-registry-git-deploy) below
    secretName:
    # Global Git configuration See https://git-scm.com/docs/git-config for more details.
    config:
      enabled: false
      secretName: ""
      data: ""
      # data: |
      #   [credential "https://github.com"]
      #           username = foo
  postgres:
    enabled: false
    driverURL: https://jdbc.postgresql.org/download/
    fileName: postgresql-42.2.6.jar
    driverClass: org.postgresql.Driver
    url: jdbc:postgresql://localhost/nifireg
    username: nifireg
    password: nifireg


# Additional environment variables to set
#extraEnvs: []
#extraEnvs:
#- name: NIFI_REGISTRY_WEB_HTTP_HOST
#  value: "0.0.0.0"

ssh:
  # Overrides for git over SSH. If you use your own git server, you
  # will likely need to provide a host key for it in this field.
  known_hosts: ""
  config: ""
    # specify the config which would go in /home/nifi/.ssh/config file
    # for e.g.
  # config: |
  #   Host github.com
  #   ProxyCommand socat STDIO PROXY:<proxyIP>:%h:%p,proxyport=<proxyPort>,proxyauth=<username:password>
  #   User git
  #   Hostname ssh.github.com
  #   Port 443
  #   IdentityFile /etc/fluxd/ssh/identity

tests:
  images:
    busybox:
      image: busybox
      tag: 1.33.1

Statefulset.yaml:

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: {{ include "nifi-registry.fullname" . }}
  labels:
    {{- include "nifi-registry.labels" . | nindent 4 }}
spec:
  replicas: {{ .Values.replicaCount }}
  selector:
    matchLabels:
      {{- include "nifi-registry.selectorLabels" . | nindent 6 }}
  serviceName: {{ include "nifi-registry.fullname" . }}
  template:
    metadata:
    {{- with .Values.podAnnotations }}
      annotations:
        {{- toYaml . | nindent 8 }}
    {{- end }}
      labels:
        {{- include "nifi-registry.selectorLabels" . | nindent 8 }}
    spec:
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      serviceAccountName: {{ include "nifi-registry.serviceAccountName" . }}
      securityContext:
        {{- toYaml .Values.podSecurityContext | nindent 8 }}
      initContainers:
        {{- if .Values.flowProvider.git.enabled }}
        - name: git-clone
          image: "{{ .Values.initContainers.git.image }}:{{ .Values.initContainers.git.tag }}"
          command:
            - sh
            - -cex
            - |
              git clone $(NIFI_REGISTRY_GIT_URL) "/tmp/flow_storage" || git -C "/tmp/flow_storage" pull
              cp --dereference /ssh/id_rsa /ssh-dest/

              chown -R 1000:1000 /tmp/flow_storage /ssh-dest
          env:
            - name: NIFI_REGISTRY_GIT_URL
              value: {{ .Values.flowProvider.git.url }}          
            - name: NIFI_REGISTRY_GIT_USER
              value: {{ .Values.flowProvider.git.user }}          
            - name: NIFI_REGISTRY_GIT_PASSWORD
              value: {{ .Values.flowProvider.git.password }}
          {{- if .Values.initContainers.extraEnvs }}
            {{ toYaml .Values.initContainers.extraEnvs | indent 12 }}
          {{- end }}
          volumeMounts:
            - name: "flow-storage"
              mountPath: /tmp
            {{- if .Values.ssh.known_hosts }}
            - name: sshdir
              mountPath: /root/.ssh
              readOnly: true
            {{- end }}
            - name: git-key
              mountPath: /ssh
              readOnly: true
            - name: git-key-fixed
              mountPath: /ssh-dest
        {{- end }}
        {{- if .Values.persistence.enabled }}
        - name: take-data-dir-ownership
          image: "{{ .Values.initContainers.alpine.image }}:{{ .Values.initContainers.alpine.tag }}"
          command:
          command:
            - chown
            - -R
            - 1000:1000
            - /opt/nifi-registry/nifi-registry-current/database
            - /opt/nifi-registry/nifi-registry-current/flow_storage
          volumeMounts:
            - name: "database"
              mountPath: /opt/nifi-registry/nifi-registry-current/database
            - name: "flow-storage"
              mountPath: /opt/nifi-registry/nifi-registry-current/flow_storage
              subPath: flow_storage
        {{- end }}
      containers:
        - name: {{ .Chart.Name }}
          securityContext:
            {{- toYaml .Values.securityContext | nindent 12 }}
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          command:
            - bash
            - -ce
            - |
            {{- if .Values.flowProvider.postgres.enabled }}
              cd /opt/nifi-registry/nifi-registry-current/ext
              mkdir postgresql
              cd postgresql
              curl -k "{{ .Values.flowProvider.postgres.driverURL }}{{ .Values.flowProvider.postgres.fileName }}" -o "{{ .Values.flowProvider.postgres.fileName }}"
            {{- end }}
              ${NIFI_REGISTRY_BASE_DIR}/scripts/start.sh
          ports:
            - name: http
              containerPort: 18080
              protocol: TCP
          env:
            - name: NIFI_REGISTRY_WEB_HTTP_HOST
              value: "0.0.0.0"
          {{- if .Values.flowProvider.git.enabled }}
            - name: NIFI_REGISTRY_FLOW_PROVIDER
              value: git
            - name: NIFI_REGISTRY_GIT_REMOTE
              value: {{ .Values.flowProvider.git.remote }}
            - name: NIFI_REGISTRY_GIT_USER
              value: {{ .Values.flowProvider.git.user }}          
            - name: NIFI_REGISTRY_GIT_PASSWORD
              value: {{ .Values.flowProvider.git.password }} 
          {{- end }}
          {{- if .Values.flowProvider.postgres.enabled }}
            - name: NIFI_REGISTRY_FLOW_PROVIDER
              value: postgres
            - name: NIFI_REGISTRY_DB_DIR
              value: ./ext/postgresql
            - name: NIFI_REGISTRY_DB_CLASS
              value: {{ .Values.flowProvider.postgres.driverClass }}
            - name: NIFI_REGISTRY_DB_URL
              value: {{ .Values.flowProvider.postgres.url }}
            - name: NIFI_REGISTRY_DB_USER
              value: {{ .Values.flowProvider.postgres.username }}
            - name: NIFI_REGISTRY_DB_PASS
              value: {{ .Values.flowProvider.postgres.password }}
          {{- end }}
          {{- if .Values.extraEnvs }}
            {{ toYaml .Values.extraEnvs | indent 12 }}
          {{- end }}
          volumeMounts:
            {{ if .Values.persistence.enabled }}
            - name: "database"
              mountPath: /opt/nifi-registry/nifi-registry-current/database
            {{ end }}
            {{ if or .Values.persistence.enabled .Values.flowProvider.git.enabled }}
            - name: "flow-storage"
              mountPath: /opt/nifi-registry/nifi-registry-current/flow_storage
              subPath: flow_storage
            {{ end }}
            {{- if .Values.ssh.known_hosts }}
            - name: sshdir
              mountPath: /home/nifi/.ssh
              readOnly: true
            {{- end }}
            {{- if .Values.flowProvider.git.enabled }}
            {{- if .Values.flowProvider.git.config.enabled }}
            - name: git-config
              mountPath: /home/nifi/.gitconfig
              subPath: gitconfig
              readOnly: true
            {{- end }}
            - name: git-key-fixed
              mountPath: /ssh
              readOnly: true
            {{- end }}
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
          readinessProbe:
            tcpSocket:
              port: 18080
            initialDelaySeconds: 10
            periodSeconds: 5
            timeoutSeconds: 1
            successThreshold: 2
            failureThreshold: 3
      volumes:
        {{- if .Values.ssh.known_hosts }}
        - name: sshdir
          configMap:
            name: {{ template "nifi-registry.fullname" . }}-ssh-config
            defaultMode: 0644
        {{- end }}
        {{- if .Values.flowProvider.git.enabled }}
        {{- if not .Values.persistence.enabled }}
        - name: flow-storage
          emptyDir: {}
        {{- end }}
        {{- if .Values.flowProvider.git.config.enabled }}
        - name: git-config
          secret:
            secretName: {{ include "flowProvider.git.config.secretName" . }}
            defaultMode: 0400
        {{- end }}
        - name: git-key
          secret:
            {{- if .Values.flowProvider.git.secretName }}
            secretName: {{ .Values.flowProvider.git.secretName }}
            {{- else }}
            secretName: {{ template "nifi-registry.fullname" . }}-git-deploy
            {{- end }}
            defaultMode: 0400
        - name: git-key-fixed
          emptyDir: {}
        {{- end }}
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
  {{ if .Values.persistence.enabled }}
  volumeClaimTemplates:
  - metadata:
      name: database
    spec:
      accessModes:
      - ReadWriteOnce
      {{ if .Values.persistence.database.storageClass }}
      {{ if (eq "-" .Values.persistence.database.storageClass) }}
      storageClassName: ""
      {{ else }}
      storageClassName: "{{ .Values.persistence.database.storageClass }}"
      {{ end }}
      {{ end }}
      resources:
        requests:
          storage: {{ .Values.persistence.database.size | quote }}
  - metadata:
      name: flow-storage
    spec:
      accessModes:
      - ReadWriteOnce
      {{ if .Values.persistence.flowStorage.storageClass }}
      {{ if (eq "-" .Values.persistence.flowStorage.storageClass) }}
      storageClassName: ""
      {{ else }}
      storageClassName: "{{ .Values.persistence.flowStorage.storageClass }}"
      {{ end }}
      {{ end }}
      resources:
        requests:
          storage: {{ .Values.persistence.flowStorage.size | quote }}
  {{ end }}

virtualservice.yaml:

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  labels:
    app: nifi-registry
  name: nifi-registry
  namespace: network-packet
spec:
  gateways:
  - network-packet-gateway
  hosts:
  - nifi-registry.network-packet.staging.xxxx.net
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: nifi-registry.network-packet.svc.cluster.local
        port:
          number: 18080