This repository has been archived by the owner on Feb 12, 2024. It is now read-only.
Restore safetyValve and singleUser when not using LDAP or OIDC (#212)
* Fix NOTES.txt suitable for the default ClusterIP service
* Add test to confirm persistent storage works (with possible fixes)
* Add test to confirm LDAP works (with possible fixes)
* Add test to confirm OIDC works (with possible fixes)
* Adjust github workflow definition to run in master branch too
1 parent 2dcd708, commit cb3f5c0
Showing 31 changed files with 801 additions and 352 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,56 @@ | ||
name: Test-LDAP | ||
|
||
on: | ||
push: | ||
pull_request: | ||
|
||
jobs: | ||
test-ldap: | ||
name: Test NiFi Helm Chart LDAP | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Checkout | ||
uses: actions/checkout@v1 | ||
- name: Setup Minikube | ||
uses: manusa/[email protected] | ||
with: | ||
minikube version: 'v1.20.0' | ||
kubernetes version: 'v1.20.2' | ||
- name: Checkout code | ||
uses: actions/checkout@v1 | ||
- name: Install dependencies | ||
run: | | ||
sudo apt-get install -y jq | ||
helm repo add bitnami https://charts.bitnami.com/bitnami | ||
helm repo add dysnix https://dysnix.github.io/charts/ | ||
helm repo update | ||
helm dep up | ||
- name: Install openldap | ||
run: | | ||
kubectl apply -f tests/03-ldap | ||
kubectl wait --for=condition=Ready pod --selector=app.kubernetes.io/name=openldap --timeout=5m | ||
- name: Install Nifi | ||
run: helm install nifi . -f tests/03-ldap-values.yaml | ||
- name: Check deployment status | ||
run: kubectl wait --for=condition=Ready pod/nifi-0 --timeout=20m | ||
- name: Wait for NiFi web server to start | ||
run: | | ||
for n in [ 0 1 2 3 4 5 6 7 8 9 ] | ||
do | ||
if kubectl logs pod/nifi-0 -c app-log | grep 'JettyServer NiFi has started' | ||
then | ||
exit 0 | ||
fi | ||
sleep 30 | ||
done | ||
echo NiFi did not start for 300 seconds! | ||
exit 1 | ||
- name: Check that LDAP login works | ||
run: | | ||
kubectl exec nifi-0 -c server -- curl -d username=user1 -d password=password1 -sk https://localhost:8443/nifi-api/access/token | \ | ||
grep -v 'The supplied username and password are not valid.' | ||
- name: Check that LDAP incorrect password fails | ||
run: | | ||
kubectl exec nifi-0 -c server -- curl -d username=user1 -d password=password2 -sk https://localhost:8443/nifi-api/access/token | \ | ||
grep 'The supplied username and password are not valid.' | ||
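Review bot: The positive assertion in "Check that LDAP login works" is too weak: `grep -v 'The supplied username and password are not valid.'` succeeds on any non-empty response that is not that exact message, so a different error body from `/nifi-api/access/token` is counted as a successful login. curl is also run with `-sk` and no `-f`, so an HTTP error status never fails the step. Suggest adding `-f` (or checking `-w '%{http_code}'`) and asserting that the body has the shape of a token rather than asserting the absence of one error string. Separately, in "Wait for NiFi web server to start" the `[` and `]` in the `for n in [ 0 1 2` list are iterated as literal words, so the loop runs 12 times, not the 10 that the "300 seconds" message implies.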
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,59 @@ | ||
name: Test-OIDC | ||
|
||
on: | ||
push: | ||
pull_request: | ||
|
||
jobs: | ||
test-oidc: | ||
name: Test NiFi Helm Chart OIDC | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Checkout | ||
uses: actions/checkout@v1 | ||
- name: Setup Minikube | ||
uses: manusa/[email protected] | ||
with: | ||
minikube version: 'v1.20.0' | ||
kubernetes version: 'v1.20.2' | ||
- name: Checkout code | ||
uses: actions/checkout@v1 | ||
- name: Install dependencies | ||
run: | | ||
sudo apt-get install -y jq | ||
helm repo add bitnami https://charts.bitnami.com/bitnami | ||
helm repo add dysnix https://dysnix.github.io/charts/ | ||
helm repo update | ||
helm dep up | ||
- name: Install test framework components | ||
run: | | ||
kubectl apply -f tests/04-oidc-test-framework | ||
kubectl create configmap 04-oidc-login-test --from-file=tests/04-oidc-login-test.js | ||
kubectl wait --for=condition=Ready pod/browserless-0 --timeout=5m | ||
kubectl wait --for=condition=Ready pod/keycloak-0 --timeout=5m | ||
kubectl wait --for=condition=Ready pod/socks5-0 --timeout=5m | ||
tests/04-oidc-keycloak-setup.bash | ||
- name: Install Nifi | ||
run: helm install nifi . -f tests/04-oidc-values.yaml | ||
- name: Check deployment status | ||
run: kubectl wait --for=condition=Ready pod/nifi-0 --timeout=20m | ||
- name: Wait for NiFi web server to start | ||
run: | | ||
for n in [ 0 1 2 3 4 5 6 7 8 9 ] | ||
do | ||
if kubectl logs pod/nifi-0 -c app-log | grep 'JettyServer NiFi has started' | ||
then | ||
exit 0 | ||
fi | ||
sleep 30 | ||
done | ||
echo NiFi did not start for 300 seconds! | ||
exit 1 | ||
- name: Check that OIDC login works | ||
run: | | ||
kubectl apply -f tests/04-oidc-mocha-job.yaml | ||
while ! kubectl logs -f job/oidc-mocha | ||
do | ||
sleep 5 | ||
done | ||
kubectl get job/oidc-mocha -o json | jq -e -r '.status.succeeded == 1' |
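Review bot: In "Check that OIDC login works", `while ! kubectl logs -f job/oidc-mocha` has no retry limit, so if the job's pod never reaches a state where logs can be read, the step spins until the workflow-level timeout instead of failing quickly. The following `jq -e` check on `.status.succeeded` also runs as soon as the log stream closes, which can be before the Job status has been updated. Suggest `kubectl wait --for=condition=complete job/oidc-mocha --timeout=<limit>` as the pass/fail gate, with `kubectl logs job/oidc-mocha` afterwards for diagnostics only.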
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,140 @@ | ||
name: Test-Persistence | ||
|
||
on: | ||
push: | ||
pull_request: | ||
|
||
jobs: | ||
test-persistence: | ||
name: Test NiFi Helm Chart Persistence | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Checkout | ||
uses: actions/checkout@v1 | ||
- name: Setup Minikube | ||
uses: manusa/[email protected] | ||
with: | ||
minikube version: 'v1.20.0' | ||
kubernetes version: 'v1.20.2' | ||
- name: Checkout code | ||
uses: actions/checkout@v1 | ||
- name: Install dependencies | ||
run: | | ||
sudo apt-get install -y jq | ||
helm repo add bitnami https://charts.bitnami.com/bitnami | ||
helm repo add dysnix https://dysnix.github.io/charts/ | ||
helm repo update | ||
helm dep up | ||
- name: Install Nifi | ||
run: helm install nifi . -f tests/02-persistence-enabled-values.yaml | ||
- name: Check deployment status | ||
run: kubectl wait --for=condition=Ready pod/nifi-0 --timeout=20m | ||
- name: Get First .processGroupFlow.uri | ||
id: first-pgfuri | ||
run: | | ||
for n in [ 0 1 2 3 4 5 6 7 8 9 ] | ||
do | ||
if NIFI_ACCESS_TOKEN=$(kubectl exec nifi-0 -c server -- curl -d username=username -d password=changemechangeme -sk https://localhost:8443/nifi-api/access/token) | ||
then | ||
PGFURI=$(kubectl exec nifi-0 -c server -- curl -H "Authorization: Bearer $NIFI_ACCESS_TOKEN" -sk https://localhost:8443/nifi-api/flow/process-groups/root | jq --raw-output .processGroupFlow.uri) | ||
echo "::set-output name=PGFURI::$PGFURI" | ||
exit 0 | ||
fi | ||
sleep 30 | ||
done | ||
echo NiFi did not provide an access token for 300 seconds! | ||
exit 1 | ||
- name: Delete chart | ||
run: | | ||
helm delete nifi | ||
kubectl wait --for=delete pod/nifi-0 --timeout=120s | ||
- name: Install NiFi | ||
run: helm install nifi . -f tests/02-persistence-enabled-values.yaml | ||
- name: Check deployment status | ||
run: kubectl wait --for=condition=Ready pod/nifi-0 --timeout=20m | ||
- name: Get Second .processGroupFlow.uri | ||
id: second-pgfuri | ||
run: | | ||
for n in [ 0 1 2 3 4 5 6 7 8 9 ] | ||
do | ||
if NIFI_ACCESS_TOKEN=$(kubectl exec nifi-0 -c server -- curl -d username=username -d password=changemechangeme -sk https://localhost:8443/nifi-api/access/token) | ||
then | ||
PGFURI=$(kubectl exec nifi-0 -c server -- curl -H "Authorization: Bearer $NIFI_ACCESS_TOKEN" -sk https://localhost:8443/nifi-api/flow/process-groups/root | jq --raw-output .processGroupFlow.uri) | ||
echo "::set-output name=PGFURI::$PGFURI" | ||
exit 0 | ||
fi | ||
sleep 30 | ||
done | ||
echo NiFi did not provide an access token for 300 seconds! | ||
exit 1 | ||
- name: Compare 2 x root processGroupFlow .processGroupFlow.uri | ||
run: | | ||
echo Should be the same if persistence is enabled | ||
test ${{ steps.first-pgfuri.outputs.PGFURI }} = ${{ steps.second-pgfuri.outputs.PGFURI }} | ||
test-non-persistence: | ||
name: Test NiFi Helm Chart Non-Persistence | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Checkout | ||
uses: actions/checkout@v1 | ||
- name: Setup Minikube | ||
uses: manusa/[email protected] | ||
with: | ||
minikube version: 'v1.20.0' | ||
kubernetes version: 'v1.20.2' | ||
- name: Checkout code | ||
uses: actions/checkout@v1 | ||
- name: Install dependencies | ||
run: | | ||
sudo apt-get install -y jq | ||
helm repo add bitnami https://charts.bitnami.com/bitnami | ||
helm repo add dysnix https://dysnix.github.io/charts/ | ||
helm repo update | ||
helm dep up | ||
- name: Install Nifi | ||
run: helm install nifi . -f tests/02-persistence-disabled-values.yaml | ||
- name: Check deployment status | ||
run: kubectl wait --for=condition=Ready pod/nifi-0 --timeout=20m | ||
- name: Get First .processGroupFlow.uri | ||
id: first-pgfuri | ||
run: | | ||
for n in [ 0 1 2 3 4 5 6 7 8 9 ] | ||
do | ||
if NIFI_ACCESS_TOKEN=$(kubectl exec nifi-0 -c server -- curl -d username=username -d password=changemechangeme -sk https://localhost:8443/nifi-api/access/token) | ||
then | ||
PGFURI=$(kubectl exec nifi-0 -c server -- curl -H "Authorization: Bearer $NIFI_ACCESS_TOKEN" -sk https://localhost:8443/nifi-api/flow/process-groups/root | jq --raw-output .processGroupFlow.uri) | ||
echo "::set-output name=PGFURI::$PGFURI" | ||
exit 0 | ||
fi | ||
sleep 30 | ||
done | ||
echo NiFi did not provide an access token for 300 seconds! | ||
exit 1 | ||
- name: Delete chart | ||
run: | | ||
helm delete nifi | ||
kubectl wait --for=delete pod/nifi-0 --timeout=120s | ||
- name: Install NiFi | ||
run: helm install nifi . -f tests/02-persistence-disabled-values.yaml | ||
- name: Check deployment status | ||
run: kubectl wait --for=condition=Ready pod/nifi-0 --timeout=20m | ||
- name: Get Second .processGroupFlow.uri | ||
id: second-pgfuri | ||
run: | | ||
for n in [ 0 1 2 3 4 5 6 7 8 9 ] | ||
do | ||
if NIFI_ACCESS_TOKEN=$(kubectl exec nifi-0 -c server -- curl -d username=username -d password=changemechangeme -sk https://localhost:8443/nifi-api/access/token) | ||
then | ||
PGFURI=$(kubectl exec nifi-0 -c server -- curl -H "Authorization: Bearer $NIFI_ACCESS_TOKEN" -sk https://localhost:8443/nifi-api/flow/process-groups/root | jq --raw-output .processGroupFlow.uri) | ||
echo "::set-output name=PGFURI::$PGFURI" | ||
exit 0 | ||
fi | ||
sleep 30 | ||
done | ||
echo NiFi did not provide an access token for 300 seconds! | ||
exit 1 | ||
- name: Compare 2 x root processGroupFlow .processGroupFlow.uri | ||
run: | | ||
echo Should not be the same if persistence is not enabled | ||
test ${{ steps.first-pgfuri.outputs.PGFURI }} != ${{ steps.second-pgfuri.outputs.PGFURI }} |
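Review bot: The final compare step in both jobs can pass without proving anything: `test ${{ steps.first-pgfuri.outputs.PGFURI }} = ${{ steps.second-pgfuri.outputs.PGFURI }}` is unquoted, so if both outputs are empty it collapses to `test =` (and `test !=` in the non-persistence job), which is true as a one-argument test, and if both are the `null` that `jq --raw-output` prints for a missing key, the persistence job passes on `null = null`. The token fetch has the same gap, since curl runs with `-sk` and no `-f` and an HTTP error body is accepted as `NIFI_ACCESS_TOKEN`. Suggest adding `-f` to both curl calls, failing the "Get ... .processGroupFlow.uri" steps when `PGFURI` is empty or `null`, and passing the two outputs into the compare step through `env:` and comparing them quoted, which also avoids expanding response-derived text directly into the script.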
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,56 @@ | ||
name: Test-SingleUser | ||
|
||
on: | ||
push: | ||
pull_request: | ||
|
||
jobs: | ||
test-singleuser: | ||
name: Test NiFi Helm Chart Single User | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Checkout | ||
uses: actions/checkout@v1 | ||
- name: Setup Minikube | ||
uses: manusa/[email protected] | ||
with: | ||
minikube version: 'v1.20.0' | ||
kubernetes version: 'v1.20.2' | ||
- name: Checkout code | ||
uses: actions/checkout@v1 | ||
- name: Install dependencies | ||
run: | | ||
sudo apt-get install -y jq | ||
helm repo add bitnami https://charts.bitnami.com/bitnami | ||
helm repo add dysnix https://dysnix.github.io/charts/ | ||
helm repo update | ||
helm dep up | ||
- name: Install openldap | ||
run: | | ||
kubectl apply -f tests/03-ldap | ||
kubectl wait --for=condition=Ready pod --selector=app.kubernetes.io/name=openldap --timeout=5m | ||
- name: Install Nifi | ||
run: helm install nifi . | ||
- name: Check deployment status | ||
run: kubectl wait --for=condition=Ready pod/nifi-0 --timeout=20m | ||
- name: Wait for NiFi web server to start | ||
run: | | ||
for n in [ 0 1 2 3 4 5 6 7 8 9 ] | ||
do | ||
if kubectl logs pod/nifi-0 -c app-log | grep 'JettyServer NiFi has started' | ||
then | ||
exit 0 | ||
fi | ||
sleep 30 | ||
done | ||
echo NiFi did not start for 300 seconds! | ||
exit 1 | ||
- name: Check that singleUser login works | ||
run: | | ||
kubectl exec nifi-0 -c server -- curl -d username=username -d password=changemechangeme -sk https://localhost:8443/nifi-api/access/token | \ | ||
grep -v 'The supplied username and password are not valid.' | ||
- name: Check that singleUser incorrect password fails | ||
run: | | ||
kubectl exec nifi-0 -c server -- curl -d username=username -d password=donotchangeme -sk https://localhost:8443/nifi-api/access/token | \ | ||
grep 'The supplied username and password are not valid.' | ||
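Review bot: The "Install openldap" step looks like a leftover from the LDAP workflow: this job installs the chart with `helm install nifi .` and no values file, so nothing here should depend on `tests/03-ldap`, and keeping it means the test never exercises single-user login on a cluster without an LDAP server present. Suggest dropping that step. Also worth calling out in the chart docs: the login step succeeds with `username` / `changemechangeme` against an install with no overrides, so those are the shipped defaults and should be flagged as values to change before any non-test deployment.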
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -139,9 +139,10 @@ The following table lists the configurable parameters of the nifi chart and the | |
| **Oidc authentication** | ||
| `auth.oidc.enabled` | Enable User auth via oidc | `false` | | ||
| `auth.oidc.discoveryUrl` | oidc discover url | `https://<provider>/.well-known/openid-configuration` | | ||
| `auth.oidc.clientId` | oidc clientId | `nil` | | ||
| `auth.oidc.clientSecret` | oidc clientSecret | `nil` | | ||
| `auth.oidc.claimIdentifyingUser` | oidc claimIdentifyingUser | `email` | | ||
| `auth.oidc.clientId` | oidc clientId | `nil` | | ||
| `auth.oidc.clientSecret` | oidc clientSecret | `nil` | | ||
| `auth.oidc.claimIdentifyingUser` | oidc claimIdentifyingUser | `email` | | ||
| `auth.oidc.admin` | Default OIDC admin identity | `[email protected]` | | ||
| **postStart** | | ||
| `postStart` | Include additional libraries in the Nifi containers by using the postStart handler | `nil` | | ||
| **Headless Service** | | ||
|
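Review bot: The new `auth.oidc.admin` row is under-documented for a setting that decides who gets initial admin rights: "Default OIDC admin identity" does not say that the value is matched against the claim named by `auth.oidc.claimIdentifyingUser` (default `email`), nor that the shipped default is a placeholder that must be overridden. Suggest stating both in the description so that an install with OIDC enabled and this value left at its default is recognisably misconfigured.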