Atul, 

I am not a Kubernetes/ingress expert, but that error is indicating that you 
specified NiFi should be secure (i.e. use TLS/HTTPS) and yet there is no 
keystore or truststore provided to the application, so it fails to start. NiFi 
differs from some other applications in that you cannot configure 
authentication and authorization without explicitly enabling and configuring 
TLS for NiFi itself, not just delegating that data in transit encryption to an 
external system (like a load balancer, proxy, or service mesh). 

I suggest you read the NiFi walkthrough for “Securing NiFi with TLS” [1] which 
will provide some context around what the various requirements are, and the 
Admin Guide [2] sections on authentication and authorization for more 
background. 

[1] https://nifi.apache.org/docs/nifi-docs/html/walkthroughs.html#securing-nifi-with-tls
[2] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#security_configuration


Andy LoPresto
alopre...@apache.org
alopresto.apa...@gmail.com
He/Him
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
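
The failure described in this reply can be caught before NiFi starts. The Python sketch below is an added example, not part of the original message or of the NiFi project: it flags a `nifi.properties` in which TLS is switched on but the keystore or truststore path is empty or missing. The sample properties text is constructed, on the assumption that the Helm values quoted below render to settings like these.

```python
import os

# Settings that make NiFi build an SSLContext at startup (standard nifi.properties keys).
SECURE_FLAGS = ("nifi.cluster.protocol.is.secure", "nifi.remote.input.secure")
STORE_PATHS = ("nifi.security.keystore", "nifi.security.truststore")
STORE_TYPES = ("nifi.security.keystoreType", "nifi.security.truststoreType")

# Constructed sample: what the quoted Helm values are assumed to render to.
SAMPLE = """\
nifi.web.https.port=8443
nifi.cluster.protocol.is.secure=true
nifi.remote.input.secure=true
nifi.security.keystore=
nifi.security.keystoreType=
nifi.security.truststore=
nifi.security.truststoreType=
"""

def parse_properties(text):
    """Parse the plain key=value lines of a nifi.properties file."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def tls_findings(props, exists=os.path.isfile):
    """Return a list of problems; empty means the TLS settings are consistent."""
    reasons = [k for k in SECURE_FLAGS if props.get(k, "").lower() == "true"]
    if props.get("nifi.web.https.port"):
        reasons.append("nifi.web.https.port")
    if not reasons:
        return []  # TLS not requested, so no keystore is needed
    findings = []
    for key in STORE_PATHS:
        path = props.get(key, "")
        if not path:
            findings.append(f"{key} is empty but TLS is enabled via {', '.join(reasons)}")
        elif not exists(path):
            findings.append(f"{key} points to a missing file: {path}")
    findings += [f"{k} is empty" for k in STORE_TYPES if not props.get(k)]
    return findings

if __name__ == "__main__":
    for finding in tls_findings(parse_properties(SAMPLE)):
        print("FAIL:", finding)
```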

> On Jul 20, 2020, at 11:58 PM, Atul Wankhade <atul.wankhad...@gmail.com> wrote:
> 
> Hi All,
> I am trying to install NiFi with SSL on Kubernetes using Helm (cetic/nifi). 
> Below is my values.yaml. I keep getting the following error on the NiFi 
> containers. Am I missing something?
> Caused by: org.springframework.beans.factory.BeanCreationException: Error 
> creating bean with name 'clusterCoordinationProtocolSender' defined in class 
> path resource [nifi-cluster-protocol-context.xml]: Cannot resolve reference 
> to bean 'protocolSocketConfiguration' while setting constructor argument; 
> nested exception is org.springframework.beans.factory.BeanCreationException: 
> Error creating bean with name 'protocolSocketConfiguration': FactoryBean 
> threw exception on object creation; nested exception is 
> java.io.FileNotFoundException:  (No such file or directory)
> 
> VALUES.YAML:
> ---
> # Number of nifi nodes
> replicaCount: 1
> 
> ## Set default image, imageTag, and imagePullPolicy.
> ## ref: https://hub.docker.com/r/apache/nifi/
> ##
> image:
>   repository: apache/nifi
>   tag: "1.11.4"
>   pullPolicy: IfNotPresent
> 
>   ## Optionally specify an imagePullSecret.
>   ## Secret must be manually created in the namespace.
>   ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
>   ##
>   # pullSecret: myRegistrKeySecretName
> 
> securityContext:
>   runAsUser: 1000
>   fsGroup: 1000
> 
> sts:
>   # Parallel podManagementPolicy for faster bootstrap and teardown. Default is OrderedReady.
>   podManagementPolicy: Parallel
>   AntiAffinity: soft
>   hostPort: null
> 
> ## Useful if using any custom secrets
> ## Pass in some secrets to use (if required)
> # secrets:
> # - name: myNifiSecret
> #   keys:
> #     - key1
> #     - key2
> #   mountPath: /opt/nifi/secret
> 
> ## Useful if using any custom configmaps
> ## Pass in some configmaps to use (if required)
> # configmaps:
> #   - name: myNifiConf
> #     keys:
> #       - myconf.conf
> #     mountPath: /opt/nifi/custom-config
> 
> 
> properties:
>   # use externalSecure for when inbound SSL is provided by nginx-ingress or other external mechanism
>   externalSecure: true
>   isNode: true
>   httpPort: null
>   httpsPort: 8443
>   clusterPort: 6007
>   clusterSecure: true
>   needClientAuth: true
>   provenanceStorage: "8 GB"
>   siteToSite:
>     secure: true
>     port: 10000
>   authorizer: managed-authorizer
>   # use properties.safetyValve to pass explicit 'key: value' pairs that overwrite other configuration
>   safetyValve:
>     #nifi.variable.registry.properties: "${NIFI_HOME}/example1.properties, ${NIFI_HOME}/example2.properties"
>     nifi.web.http.network.interface.default: eth0
>     # listen to loopback interface so "kubectl port-forward ..." works
>     nifi.web.http.network.interface.lo: lo
> 
> ## Include additional libraries in the Nifi containers by using the postStart handler
> ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/
> # postStart: /opt/nifi/psql; wget -P /opt/nifi/psql https://jdbc.postgresql.org/download/postgresql-42.2.6.jar
> 
> # Nifi User Authentication
> auth:
>   ldap:
>     enabled: false
>     host: ldap://<hostname>:<port>
>     searchBase: CN=Users,DC=example,DC=com
>     searchFilter: CN=john
> 
> ## Expose the nifi service to be accessed from outside the cluster (LoadBalancer service).
> ## or access it from within the cluster (ClusterIP service). Set the service type and the port to serve it.
> ## ref: http://kubernetes.io/docs/user-guide/services/
> ##
> 
> # headless service
> headless:
>   type: ClusterIP
>   annotations:
>     service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
> 
> # ui service
> service:
>   type: LoadBalancer
>   httpPort: 80
>   httpsPort: 443
>   annotations: {}
>   # loadBalancerIP:
>   ## Load Balancer sources
>   ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
>   ##
>   # loadBalancerSourceRanges:
>   # - 10.10.10.0/24
> 
>   # Enables additional port/ports to nifi service for internal processors
>   processors:
>     enabled: false
>     ports:
>       - name: processor01
>         port: 7001
>         targetPort: 7001
>         #nodePort: 30701
>       - name: processor02
>         port: 7002
>         targetPort: 7002
>         #nodePort: 30702
> 
> ## Configure Ingress based on the documentation here: https://kubernetes.io/docs/concepts/services-networking/ingress/
> ##
> ingress:
>   enabled: false
>   annotations: {}
>   tls: []
>   hosts: []
>   path: /
>   rule: []
>   # If you want to change the default path, see this issue https://github.com/cetic/helm-nifi/issues/22
> 
> # Amount of memory to give the NiFi java heap
> jvmMemory: 2g
> 
> # Separate image for tailing each log separately
> sidecar:
>   image: ez123/alpine-tini
> 
> # Busybox image
> busybox:
>   image: busybox
> 
> ## Enable persistence using Persistent Volume Claims
> ## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
> ##
> persistence:
>   enabled: false
> 
>   # When creating persistent storage, the NiFi helm chart can either reference an already-defined
>   # storage class by name, such as "standard" or can define a custom storage class by specifying
>   # customStorageClass: true and providing the "storageClass", "storageProvisioner" and "storageType".
>   # For example, to use SSD storage on Google Compute Engine see values-gcp.yaml
>   #
>   # To use a storage class that already exists on the Kubernetes cluster, we can simply reference it by name.
>   # For example:
>   # storageClass: standard
>   #
>   # The default storage class is used if this variable is not set.
> 
>   accessModes:  [ReadWriteOnce]
>   ## Storage Capacities for persistent volumes
>   # Storage capacity for the 'data' directory, which is used to hold things such as the flow.xml.gz, configuration, state, etc.
>   dataStorage:
>     size: 1Gi
>   # Storage capacity for the FlowFile repository
>   flowfileRepoStorage:
>     size: 10Gi
>   # Storage capacity for the Content repository
>   contentRepoStorage:
>     size: 10Gi
>   # Storage capacity for the Provenance repository. When changing this, one should also change the properties.provenanceStorage value above, also.
>   provenanceRepoStorage:
>     size: 10Gi
>   # Storage capacity for nifi logs
>   logStorage:
>     size: 5Gi
> 
> ## Configure resource requests and limits
> ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
> ##
> resources: {}
>   # We usually recommend not to specify default resources and to leave this as a conscious
>   # choice for the user. This also increases chances charts run on environments with little
>   # resources, such as Minikube. If you do want to specify resources, uncomment the following
>   # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
>   # limits:
>   #  cpu: 100m
>   #  memory: 128Mi
>   # requests:
>   #  cpu: 100m
>   #  memory: 128Mi
> 
> logresources:
>   requests:
>     cpu: 10m
>     memory: 10Mi
>   limits:
>     cpu: 50m
>     memory: 50Mi
> 
> nodeSelector: {}
> 
> tolerations: []
> 
> initContainers: {}
>   # foo-init:  # <- will be used as container name
>   #   image: "busybox:1.30.1"
>   #   imagePullPolicy: "IfNotPresent"
>   #   command: ['sh', '-c', 'echo this is an initContainer']
>   #   volumeMounts:
>   #     - mountPath: /tmp/foo
>   #       name: foo
> 
> extraVolumeMounts: []
> 
> extraVolumes: []
> 
> ## Extra containers
> extraContainers: []
> 
> terminationGracePeriodSeconds: 30
> 
> ## Extra environment variables that will be pass onto deployment pods
> env: []
> 
> # ------------------------------------------------------------------------------
> # Zookeeper:
> # ------------------------------------------------------------------------------
> zookeeper:
>   ## If true, install the Zookeeper chart
>   ## ref: https://github.com/kubernetes/charts/tree/master/incubator/zookeeper
>   enabled: true
>   ## If the Zookeeper Chart is disabled a URL and port are required to connect
>   url: ""
>   port: 2181
> 
> Complete stacktrace:
> Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'clusterCoordinationProtocolSender' defined in class path resource [nifi-cluster-protocol-context.xml]: Cannot resolve reference to bean 'protocolSocketConfiguration' while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'protocolSocketConfiguration': FactoryBean threw exception on object creation; nested exception is java.io.FileNotFoundException:  (No such file or directory)
>         at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:359)
>         at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:108)
>         at org.springframework.beans.factory.support.ConstructorResolver.resolveConstructorArguments(ConstructorResolver.java:648)
>         at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:145)
>         at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:1198)
>         at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1100)
>         at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:511)
>         at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:481)
>         at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:312)
>         at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:230)
>         at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:308)
>         at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197)
>         at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:351)
>         ... 75 common frames omitted
> Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'protocolSocketConfiguration': FactoryBean threw exception on object creation; nested exception is java.io.FileNotFoundException:  (No such file or directory)
>         at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:185)
>         at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.getObjectFromFactoryBean(FactoryBeanRegistrySupport.java:103)
>         at org.springframework.beans.factory.support.AbstractBeanFactory.getObjectForBeanInstance(AbstractBeanFactory.java:1640)
>         at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:323)
>         at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197)
>         at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:351)
>         ... 87 common frames omitted
> Caused by: java.io.FileNotFoundException:  (No such file or directory)
>         at java.io.FileInputStream.open0(Native Method)
>         at java.io.FileInputStream.open(FileInputStream.java:195)
>         at java.io.FileInputStream.<init>(FileInputStream.java:138)
>         at java.io.FileInputStream.<init>(FileInputStream.java:93)
>         at org.apache.nifi.io.socket.SSLContextFactory.<init>(SSLContextFactory.java:66)
>         at org.apache.nifi.cluster.protocol.spring.SocketConfigurationFactoryBean.getObject(SocketConfigurationFactoryBean.java:45)
>         at org.apache.nifi.cluster.protocol.spring.SocketConfigurationFactoryBean.getObject(SocketConfigurationFactoryBean.java:30)
>         at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:178)
>         ... 92 common frames omitted
> 2020-07-17 11:04:25,204 INFO [Thread-1] org.apache.nifi.NiFi Initiating shutdown of Jetty web server...
> 2020-07-17 11:04:25,214 INFO [Thread-1] o.eclipse.jetty.server.AbstractConnector Stopped ServerConnector@700f518a{SSL,[ssl, http/1.1]}{0.0.0.0:8443}
> 2020-07-17 11:04:25,214 INFO [Thread-1] org.eclipse.jetty.server.session node0 Stopped scavenging
> 
> Any help to resolve this is appreciated.
> Atul Wankhade
