* Restore safetyValve and singleUser, including tests * Align NOTES.txt to values.yaml service type * Add checks for persistence vs. non-persistence * Working OIDC and test scaffolding * First attempt at NiFi OIDC login test * Values file for minimal 2-way cluster * Certs injected with proper DNS names * cert-manager sidecar working but not logins * Eliminate spoditor and external ClusterIssuer * Consolidate SOCKS5 installation * Install golang-go instead of running a container twice * Update Services to support site-to-site * Implement certManager.caSecrets settable value * Support nifi.security.autoload * Defensive script logic and autorotate certs * Upgrade Ingress template to networking.k8s.io/v1 * Properly template certificate names * Optionally override default Java truststore * Set replaceDefaultTrustStore default * Bump Nifi registry version to 0.3.8 * Add properties.sensitiveKeySetFile * secure site-to-site test * Add sensitiveKeyPrior * OIDC: persist users & authorizations * add configurable startupProbe for server * Test Startup Probe * add graceful shutdown for sidecars & node vs. non-node * Add support to ingressClassName * Test OIDC login via Ingress to secure cluster * Redundant socks5 setup yaml files * Update registry and zookeeper chart versions * kubectl rollout status rather than kubectl wait * link to customFlow example * Bump chart version Co-authored-by: Sebastien Dupont <[email protected]> Co-authored-by: Greg Foreman <[email protected]> Co-authored-by: zakaria2905 <[email protected]> Co-authored-by: Eliel <[email protected]>
1 parent
8e1902c
commit 0a959e3
Showing
30 changed files
with
1,520 additions
and
91 deletions.
@@ -1,12 +1,12 @@ | ||
name: Test-OIDC | ||
name: OIDC Logins | ||
|
||
on: | ||
push: | ||
pull_request: | ||
|
||
jobs: | ||
test-oidc: | ||
name: Test NiFi Helm Chart OIDC | ||
oidc-insecure: | ||
name: OIDC (Insecure) | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Checkout | ||
|
@@ -33,32 +33,82 @@ jobs: | |
- name: Install test framework components | ||
run: | | ||
kubectl apply -f tests/04-oidc-test-framework | ||
kubectl create configmap 04-oidc-login-test --from-file=tests/04-oidc-login-test.js | ||
kubectl wait --for=condition=Ready pod/browserless-0 --timeout=5m | ||
kubectl wait --for=condition=Ready pod/keycloak-0 --timeout=5m | ||
kubectl wait --for=condition=Ready pod/socks5-0 --timeout=5m | ||
kubectl create configmap 04-oidc-login-test --from-file=tests/04-oidc-login-test.js | ||
kubectl rollout status --watch statefulset/browserless --timeout=5m | ||
kubectl rollout status --watch statefulset/keycloak --timeout=5m | ||
kubectl rollout status --watch statefulset/socks5 --timeout=5m | ||
tests/04-oidc-keycloak-setup.bash | ||
- name: Install Nifi | ||
run: helm install nifi . -f tests/04-oidc-values.yaml | ||
- name: Check deployment status | ||
run: | | ||
kubectl rollout status --timeout=5m --watch statefulset/nifi | ||
kubectl wait --for=condition=Ready pod/nifi-0 --timeout=20m | ||
- name: Wait for NiFi web server to start | ||
kubectl rollout status --watch statefulset/nifi --timeout=20m | ||
- name: Check that OIDC login works | ||
run: | | ||
export K8SNODEIP=$(kubectl get node -o json | jq -r '.items[0].status.addresses[0].address') | ||
export K8SPORT=$(kubectl get svc browserless -o json | jq -r '.spec.ports[0].nodePort') | ||
export NIFIURL='https://nifi.default.svc.cluster.local:8443/nifi/' | ||
cd $HOME | ||
mkdir -p $HOME/screenshots | ||
node_modules/mocha/bin/_mocha $GITHUB_WORKSPACE/tests/04-oidc-login-test.js --timeout 30000 | ||
- name: Archive screenshots | ||
if: ${{ success() || failure() || cancelled() }} | ||
uses: actions/upload-artifact@v3 | ||
with: | ||
name: screenshots-insecure | ||
path: ~/screenshots/ | ||
|
||
oidc-cluster-ingress-cert-manager-local-issuer: | ||
name: OIDC (cluster, Ingress, cert-manager local issuer) | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Checkout | ||
uses: actions/checkout@v1 | ||
- name: Setup Minikube | ||
uses: manusa/[email protected] | ||
with: | ||
minikube version: 'v1.20.0' | ||
kubernetes version: 'v1.20.2' | ||
- name: Checkout code | ||
uses: actions/checkout@v1 | ||
- name: Install dependencies | ||
run: | | ||
curl -sL https://deb.nodesource.com/setup_16.x -o nodesource_setup.sh | ||
sudo bash nodesource_setup.sh | ||
sudo apt-get install -y jq yarn | ||
yarn add puppeteer-core --cwd $HOME | ||
yarn add chai --cwd $HOME | ||
yarn add mocha --cwd $HOME | ||
helm repo add bitnami https://charts.bitnami.com/bitnami | ||
helm repo add dysnix https://dysnix.github.io/charts/ | ||
helm repo update | ||
helm dep up | ||
- name: Install test framework components | ||
run: | | ||
kubectl apply -f tests/04-oidc-test-framework | ||
kubectl create configmap 04-oidc-login-test --from-file=tests/04-oidc-login-test.js | ||
kubectl rollout status --watch statefulset/browserless --timeout=5m | ||
kubectl rollout status --watch statefulset/keycloak --timeout=5m | ||
kubectl rollout status --watch statefulset/socks5 --timeout=5m | ||
tests/04-oidc-keycloak-setup.bash | ||
tests/05-install-cert-manager.bash | ||
minikube addons enable ingress | ||
kubectl apply -f tests/07-increase-webhook-timeout.yaml | ||
- name: Install Nifi and wait for start | ||
run: | | ||
for n in [ 0 1 2 3 4 5 6 7 8 9 ] | ||
do | ||
if kubectl logs pod/nifi-0 -c app-log | grep 'JettyServer NiFi has started' | ||
then | ||
exit 0 | ||
fi | ||
sleep 30 | ||
done | ||
echo NiFi did not start for 300 seconds! | ||
exit 1 | ||
helm install nifi . -f tests/07-oidc-cluster-values.yaml | ||
kubectl rollout status --watch statefulset/nifi --timeout=20m | ||
- name: Check that OIDC login works | ||
run: | | ||
export K8SNODEIP=$(kubectl get node -o json | jq -r '.items[0].status.addresses[0].address') | ||
export K8SPORT=$(kubectl get svc browserless -o json | jq -r '.spec.ports[0].nodePort') | ||
export NIFIURL='https://ingress-nginx-controller.ingress-nginx.svc.cluster.local/nifi/' | ||
cd $HOME | ||
node_modules/mocha/bin/mocha $GITHUB_WORKSPACE/tests/04-oidc-login-test.js --timeout 30000 | ||
mkdir -p $HOME/screenshots | ||
node_modules/mocha/bin/_mocha $GITHUB_WORKSPACE/tests/07-oidc-cluster-login-test.js --timeout 30000 | ||
- name: Archive screenshots | ||
if: ${{ success() || failure() || cancelled () }} | ||
uses: actions/upload-artifact@v3 | ||
with: | ||
name: screenshots-certMgr-localIssuer | ||
path: ~/screenshots/ |
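Review bot: The `Install dependencies` step of the new `oidc-cluster-ingress-cert-manager-local-issuer` job fetches `https://deb.nodesource.com/setup_16.x` and runs it with `sudo bash` without pinning a revision or verifying a checksum, so the runner executes as root whatever that URL serves at run time; the first job presumably does the same in the part of the file above this hunk. Prefer a pinned `actions/setup-node` step, or at least download, compare against a known digest, and only then execute, so the Node toolchain is reproducible. The same job checks the repository out twice (`Checkout` and `Checkout code`, both `actions/checkout@v1`); one of them can go. The artifact condition of that job reads `cancelled ()` with a space, unlike `cancelled()` in the first job; make it `if: ${{ success() || failure() || cancelled() }}` so both jobs agree and the spaced form cannot trip the expression parser.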
@@ -0,0 +1,114 @@ | ||
name: Test-Site-to-Site | ||
|
||
on: | ||
push: | ||
pull_request: | ||
|
||
jobs: | ||
test-oidc: | ||
name: Test NiFi Helm Chart Secure Site-to-Site | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Checkout | ||
uses: actions/checkout@v1 | ||
- name: Setup Minikube | ||
uses: manusa/[email protected] | ||
with: | ||
minikube version: 'v1.20.0' | ||
kubernetes version: 'v1.20.2' | ||
- name: Checkout code | ||
uses: actions/checkout@v1 | ||
- name: Install dependencies | ||
run: | | ||
sudo apt-get install -y jq | ||
helm repo add bitnami https://charts.bitnami.com/bitnami | ||
helm repo add dysnix https://dysnix.github.io/charts/ | ||
helm repo update | ||
helm dep up | ||
- name: Install cert-manager | ||
run: tests/05-install-cert-manager.bash | ||
- name: Install ALPHA and BRAVO instances of NiFi | ||
run: tests/06-site-to-site.bash | ||
- name: Check deployment status | ||
run: | | ||
kubectl -n alpha rollout status --watch statefulset/nifi --timeout=5m | ||
kubectl -n bravo rollout status --watch statefulset/nifi --timeout=5m | ||
- name: Wait for BRAVO NiFi web server to start | ||
run: | | ||
for n in [ 0 1 2 3 4 5 6 7 8 9 ] | ||
do | ||
if kubectl -n bravo logs pod/nifi-0 -c app-log | grep 'JettyServer NiFi has started' | ||
then | ||
exit 0 | ||
fi | ||
sleep 30 | ||
done | ||
echo NiFi did not start for 300 seconds! | ||
echo ===ALPHA SERVER LOGS=== | ||
kubectl -n alpha logs pod/nifi-0 -c server | ||
echo ===ALPHA APP LOGS=== | ||
kubectl -n alpha logs pod/nifi-0 -c app-log | ||
echo ===ALPHA USER LOGS=== | ||
kubectl -n alpha logs pod/nifi-0 -c user-log | ||
echo ===BRAVO SERVER LOGS=== | ||
kubectl -n bravo logs pod/nifi-0 -c server | ||
echo ===BRAVO APP LOGS=== | ||
kubectl -n bravo logs pod/nifi-0 -c app-log | ||
echo ===BRAVO USER LOGS=== | ||
kubectl -n bravo logs pod/nifi-0 -c user-log | ||
exit 1 | ||
- name: Wait for items on BravoInput | ||
run: | | ||
for n in [ 0 1 2 3 4 5 6 7 8 9 ] | ||
do | ||
ITEMS=$(kubectl -n bravo exec nifi-0 -c server -- curl -s http://localhost:9092/metrics/ | grep 'name="BravoInput"' | grep ^nifi_amount_items_output | cut -f2 -d' ') | ||
echo Got $ITEMS items so far | ||
if [ $ITEMS != "0.0" ] | ||
then | ||
exit 0 | ||
fi | ||
sleep 30 | ||
done | ||
echo Got no items for 300 seconds! | ||
echo ===ALPHA SERVER LOGS=== | ||
kubectl -n alpha logs pod/nifi-0 -c server | ||
echo ===ALPHA APP LOGS=== | ||
kubectl -n alpha logs pod/nifi-0 -c app-log | ||
echo ===ALPHA USER LOGS=== | ||
kubectl -n alpha logs pod/nifi-0 -c user-log | ||
echo ===BRAVO SERVER LOGS=== | ||
kubectl -n bravo logs pod/nifi-0 -c server | ||
echo ===BRAVO APP LOGS=== | ||
kubectl -n bravo logs pod/nifi-0 -c app-log | ||
echo ===BRAVO USER LOGS=== | ||
kubectl -n bravo logs pod/nifi-0 -c user-log | ||
exit 1 | ||
- name: Confirm certificate rotation | ||
run: | | ||
OLDCERTSTART=$(kubectl -n alpha exec nifi-0 -c server -- curl -kv https://localhost:8443 2>&1 | /bin/grep start) | ||
echo Certificate "$OLDCERTSTART" | ||
cmctl -n alpha renew nifi-0 | ||
for n in [ 0 1 2 3 4 5 6 7 8 9 ] | ||
do | ||
NEWCERTSTART=$(kubectl -n alpha exec nifi-0 -c server -- curl -kv https://localhost:8443 2>&1 | /bin/grep start) | ||
echo Certificate "$NEWCERTSTART" | ||
if [ \""$OLDCERTSTART"\" != \""$NEWCERTSTART"\" ] | ||
then | ||
exit 0 | ||
fi | ||
sleep 30 | ||
done | ||
echo Certificate did not update for 300 seconds! | ||
echo ===ALPHA SERVER LOGS=== | ||
kubectl -n alpha logs pod/nifi-0 -c server | ||
echo ===ALPHA APP LOGS=== | ||
kubectl -n alpha logs pod/nifi-0 -c app-log | ||
echo ===ALPHA USER LOGS=== | ||
kubectl -n alpha logs pod/nifi-0 -c user-log | ||
echo ===BRAVO SERVER LOGS=== | ||
kubectl -n bravo logs pod/nifi-0 -c server | ||
echo ===BRAVO APP LOGS=== | ||
kubectl -n bravo logs pod/nifi-0 -c app-log | ||
echo ===BRAVO USER LOGS=== | ||
kubectl -n bravo logs pod/nifi-0 -c user-log | ||
exit 1 |
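Review bot: Every polling loop in this new workflow (`Wait for BRAVO NiFi web server to start`, `Wait for items on BravoInput`, `Confirm certificate rotation`) is written `for n in [ 0 1 2 3 4 5 6 7 8 9 ]`, where `[` and `]` are ordinary list words, so each loop makes 12 attempts (up to 360 s) rather than the 10 the `300 seconds` messages describe; write `for n in {1..10}` instead. In `Wait for items on BravoInput`, `[ $ITEMS != "0.0" ]` becomes `[ != "0.0" ]` while the metric line is still absent and only keeps polling because of the resulting `unary operator expected` error; quoting it alone would make an empty value pass, so the check should be `if [[ -n "$ITEMS" && "$ITEMS" != "0.0" ]]`. `cmctl -n alpha renew nifi-0` assumes `cmctl` is on the runner; if `tests/05-install-cert-manager.bash` does not install it, add that step. `curl -k` in the rotation check is only used to read the certificate start line, so skipping verification is fine for the probe, but note the test then shows only that the certificate changed, not that the rotated certificate chains to the expected issuer. The job id `test-oidc` looks copied from the OIDC workflow and no longer matches the job's name.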