Support Questions

Find answers, ask questions, and share your expertise

Setting up Nifi Registry with Nginx

avatar
Explorer

We are working on deploying the NiFi Registry platform on kubernetes, however, we are hitting some issues. I've added a diagram of our deployment to help give some context as well. 

Test Case 1: When proxying NiFi registry with settings as unsecure, the proxying works fine. We are able to connect to https://nifi-registry.company.domain.com and view the registry as needed. Note the HTTPS in the URL still - we are using SSL offloading in our nginx's.

Test Case 2: When proxying NiFi registry with settings as secure, we get ERR_TOO_MANY_REDIRECTS. I have attached our nifi-registry.properties file as well. One thing that we found interesting, was that when we tried the below curl request from within the pod we get back a normal response

curl -k --cacert /opt/nifi-registry/nifi-registry-current/tls/cert-manager/ca.crt --key /opt/nifi-registry/nifi-registry-current/tls/cert-manager/tls.key --cert /opt/nifi-registry/nifi-registry-current/tls/cert-manager/tls.crt https://localhost:18443/nifi-registry -vvvvvv -sS -D -  

The certs are valid as they are generated by cert manager. We are looking for any assistance that you can give, but some of our main questions are as follows:

  • In our kubernetes ingress details, should we set the path to just `/` or `/nifi-registry`?
  • Is it possible that the NiFi registry is redirecting the client from the HTTPS endpoint a normal HTTP endpoint? We see in the browser network tab that it seems to flip back and forth.
  • Is it 100% required to have the authorizers.xml completed in order to get this working?
  • Any other ideas of what could be causing this?

Deployment Diagram.png
9 REPLIES 9

avatar
Community Manager

@Bryson Welcome to the Cloudera Community!

To help you get the best possible solution, I have tagged our NiFi Registry experts @ashinde @dyadav1  who may be able to assist you further.

Please keep us updated on your post, and we hope you find a satisfactory solution to your query.


Regards,

Diana Torres,
Community Moderator


Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.
Learn more about the Cloudera Community:

avatar
Explorer

Hi @DianaTorres  / @ashinde  / @dyadav1  - do you have any tips for this? we're still kind of stuck on this issue

avatar
Community Manager

@bbahamondes @haridjh @ArtiW Do you have any insights here? Thanks!


Regards,

Diana Torres,
Community Moderator


Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.
Learn more about the Cloudera Community:

avatar
New Contributor

I can answer your first question, the path at the ingress needs to be "/".

If you share more information about your setup (like the yaml files used for deploying), I might be able to help you more.

avatar
Community Manager

@Bryson Has the reply helped resolve your issue? If so, please mark the appropriate reply as the solution, as it will make it easier for others to find the answer in the future. If you are still experiencing the issue, can you provide the information @Mosby has requested? Thanks.


Regards,

Diana Torres,
Community Moderator


Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.
Learn more about the Cloudera Community:

avatar
Explorer

Apologies for the delay, I am currently using the helm chart: https://github.com/dysnix/charts/tree/main/dysnix/nifi-registry so I posted the values files that are generated from it.

If you need the actual kubernetes yaml, I can post that too, but I figured giving you the helm chart and values would do the same thing with less files

avatar
New Contributor

To use the certificates stored in the NiFi-Registry you would need to set the ingress to SSL-Passthrough, which means removing the annotiation "nginx.ingress.kubernetes.io/backend-protocol: HTTPS" and replacing it with "

nginx.ingress.kubernetes.io/ssl-passthrough: "true""
Also this feature needs to be enabled at the ingress-controller TLS/HTTPS - Ingress-Nginx Controller (kubernetes.github.io) for it to work.
 
- at least, thats what yorked for our setup, YMMV

avatar
Explorer

Okay, so I just tried this and it didnt work sadly... I still get ERR_TOO_MANY_REDIRECTS

avatar
New Contributor

Are you still in the need of help? Somehow i did not get a notification

This is our config, maybe it helps:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nifi-ingress
  namespace: nifi
  labels:
    app: nifi
  annotations:
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  ingressClassName: nginx
  rules:
  - host: <url>
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: nifi-service
            port:
              number: 8443
  tls:
  - hosts:
    - <url>