
I am using Apache NiFi on Kubernetes. I have deployed it, and the pods and service are working well. It works well when I port-forward my Apache NiFi service with:

kubectl port-forward service/nifi-svc 8443:8443 -n mynamespace

But when I try to create an ingress with Traefik I get the error "Internal server error". Here is my YAML for the ingress:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: nifi-ingress
  namespace: mynamespace
spec:
  entryPoints:
    - websecure
  routes:
  - kind: Rule
    match: Host(`XXX`)
    services:
    - name: nifi-svc 
      port: 8443
  tls: {}

I don't know what is wrong in my YAML file for the ingress.

UPDATE: the YAML files I used are below.

To deploy the pods I did this:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: ingress-tests-nifi
  namespace: mynamespace
  labels:
    name : ingress-tests-nifi
    app : ingress-tests-nifi
spec:
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: ingress-tests-nifi
  template:
    metadata:
      labels:
        app: ingress-tests-nifi
    spec:
      restartPolicy: Always
      containers:
      - name: nifi2
        image: XXX
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 8443
          name: nifi2
        env:
        - name: "NIFI_SENSITIVE_PROPS_KEY"
          value: "XXX"
        - name: ALLOW_ANONYMOUS_LOGIN
          value: "no"
        - name: SINGLE_USER_CREDENTIALS_USERNAME 
          value: XXX
        - name: SINGLE_USER_CREDENTIALS_PASSWORD 
          value: XXX
        - name: NIFI_WEB_HTTPS_HOST
          value: "0.0.0.0"
        - name: NIFI_WEB_HTTPS_PORT
          value: "8443"
        - name: NIFI_WEB_PROXY_HOST
          value: 0.0.0.0:8443
        - name: HOSTNAME
          value: "nifi1"
        - name: NIFI_ANALYTICS_PREDICT_ENABLED
          value: "true"
        - name: NIFI_ELECTION_MAX_CANDIDATES
          value: "1"
        - name: NIFI_ELECTION_MAX_WAIT
          value: "20 sec"
        - name: NIFI_JVM_HEAP_INIT
          value: "1g"
        - name: NIFI_JVM_HEAP_MAX
          value: "1g"
        volumeMounts:
          - name: pv-XXX
            mountPath: /opt/nifi/nifi-current/data
            subPath: data
        livenessProbe:
          exec:
            command:
              - pgrep
              - java
          initialDelaySeconds: 60
          periodSeconds: 30
          timeoutSeconds: 10
          failureThreshold: 3
          successThreshold: 1
        readinessProbe:
          tcpSocket:
              port: 8443
          initialDelaySeconds: 240
          periodSeconds: 30
          timeoutSeconds: 10
          failureThreshold: 3
          successThreshold: 1
        resources:
          requests:
            cpu: 400m
            ephemeral-storage: 1Gi
            memory: 1Gi
          limits:
            cpu: 500m
            ephemeral-storage: 1Gi
            memory: 1Gi
      imagePullSecrets:
      - name: depot-secret
      volumes:
        - name: pv-XXX
          persistentVolumeClaim:
            claimName: pv-XXX

And for the service yaml I did this:

apiVersion: v1
kind: Service
metadata:
  name: ingress-tests-nifi-svc
  namespace: mynamespace
spec:
  selector:
    app: ingress-tests-nifi
  ports:
  - port: 8443
    protocol: TCP
    targetPort: 8443
lbened

1 Answer


Check if the ingress host is present in the nifi.web.proxy.host property in the nifi.properties file. If your nifi is secured, appropriate certificates must be set up (the ingress host and nifi must trust each other).

Checking the nifi logs for the exception might help. Check any of app-log.log, nifi-bootstrap.log and nifi-user.log. They are usually in ${NIFI_HOME}/logs/ in your container.

mmml
  • Thanks @mmml, for nifi.web.proxy.host the ingress has not been added. In my YAML file to deploy the pods I have this env variable NIFI_WEB_PROXY_HOST. But I don't know what I have to put for the ingress. I have this env value: 0.0.0.0:8443, but I don't know what I have to add for the ingress. Is it the IP:port of the service? Or the url_service:port? – lbened Dec 09 '22 at 09:18
  • Try adding the 'XXX' host to the nifi web proxy host property. Whatever host you will use to reach nifi should be in this list. However if you use unsecured nifi this might not fix the issue and you should check the logs for errors. – mmml Dec 09 '22 at 11:23
  • By unsecured do you mean using or not using a nifi that I can access with a login and a password? – lbened Dec 09 '22 at 11:29
  • Yes, nifi with authentication (can be single user+pw mode) and https. – mmml Dec 09 '22 at 11:37
  • Yes, that is what I am using. Nifi also has an 8080 port (http); I don't know if websecure can make this http port secure too. Maybe I can use it instead of the 8443 port. – lbened Dec 09 '22 at 11:41
  • Then you should make sure the ingress is encrypting traffic to nifi. Secured nifi requires https, so if your ingress is terminating tls it won't work. You could check if this is the issue by disabling nifi security (http only) and see if the ingress works in this case. – mmml Dec 09 '22 at 11:46
  • Port 8080 doesn't ask me for authentication so it can't work. I added the host in NIFI_WEB_PROXY_HOST but it doesn't solve the problem. I am updating my question with the YAML concerning pod and service deployment. – lbened Dec 09 '22 at 12:45
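
The three checks raised in the answer and comments above (ingress host listed in the NiFi proxy host property, HTTPS on the hop from Traefik to NiFi, and Traefik trusting NiFi's certificate), written out as configuration. This is an added example, not part of the original posts; it assumes a Traefik version that provides the ServersTransport CRD, and the names `nifi-transport` and `nifi-ca` and the `serverName` value are hypothetical.

```yaml
# Added example. nifi-transport and nifi-ca are hypothetical names.
# 1) Tell Traefik how to verify NiFi's certificate on the backend hop.
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: nifi-transport
  namespace: mynamespace
spec:
  serverName: nifi1      # assumption: a name present in NiFi's certificate
  rootCAsSecrets:
    - nifi-ca            # hypothetical Secret with the CA that signed NiFi's cert
---
# 2) Re-encrypt to NiFi: without "scheme: https" Traefik speaks plain HTTP
#    to port 8443, which a secured NiFi rejects.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: nifi-ingress
  namespace: mynamespace
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`XXX`)
      services:
        # Must equal the Service's metadata.name; the question shows both
        # nifi-svc and ingress-tests-nifi-svc.
        - name: ingress-tests-nifi-svc
          port: 8443
          scheme: https
          serversTransport: nifi-transport
  tls: {}
---
# 3) Fragment to merge into the Deployment's container spec (not a
#    standalone resource): the host clients use to reach NiFi, i.e. the
#    same value as in the Host(`XXX`) rule above.
env:
  - name: NIFI_WEB_PROXY_HOST
    value: "XXX"
```

Setting `insecureSkipVerify: true` on the ServersTransport instead of `rootCAsSecrets` turns off verification of NiFi's certificate on the backend hop, so it is only suitable for confirming that TLS trust is the cause of the error.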