Failed to decode x509 certificate from PEM

[wandersonpereira]

Hi Guys!

I'm trying to start nifi in k8s and I've configured sslSecrets, but it's responsing error of decode PEM.

2021-12-15T14:05:56.529Z        ERROR   controller-runtime.manager.controller.nificluster       Reconciler error        {"reconciler group": "nifi.orange.com", "reconciler kind": "NifiCluster", "name": "nifi-cluster", "namespace": "operator", "error": "failed to decode certificate: Failed to decode x509 certificate from PEM", "errorVerbose": "Failed to decode x509 certificate from PEM\nfailed to decode certificate\ngithub.com/Orange-OpenSource/nifikop/pkg/resources/nifi.(*Reconciler).getServerAndClientDetails\n\t/workspace/pkg/resources/nifi/nifi.go:441\ngithub.com/Orange-OpenSource/nifikop/pkg/resources/nifi.(*Reconciler).Reconcile\n\t/workspace/pkg/resources/nifi/nifi.go:148\ngithub.com/Orange-OpenSource/nifikop/controllers.(*NifiClusterReconciler).Reconcile\n\t/workspace/controllers/nificluster_controller.go:135\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:263\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:235\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func1.1\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:198\nk8s.io/apimachinery/pkg/util/wait.JitterUntilWithContext.func1\n\t/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:185\nk8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1\n\t/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:155\nk8s.io/apimachinery/pkg/util/wait.BackoffUntil\n\t/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:156\nk8s.io/apimachinery/pkg/util/wait.JitterUntil\n\t/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:133\nk8s.io/apimachinery/pkg/util/wait.JitterUntilWithContext\n\t/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:185\nk8s.io/apimachinery/pkg/util/wait.UntilWithContext\n\t/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:99\nruntime.goexit\n\t/usr/local/go/src/runtime/asm_amd64.s:1374"}

I've tried same configuration of the tutorials, but it not found.

My Configuration:

apiVersion: nifi.orange.com/v1alpha1
kind: NifiCluster
metadata:
  name: nifi-cluster
spec:
  service:
    headlessEnabled: true
  zkAddress: "MY_SERVICE_OF_ZK:2181"
  zkPath: "/hmlnificluster"
  clusterImage: "apache/nifi:1.13.2"
  oneNifiNodePerNode: false
  managedAdminUsers:
    -  identity : "[email protected]"
       name: "wanderson.pereira"
  managedReaderUsers:
    -  identity : "[email protected]"
       name: "wanderson.pereira"
  propagateLabels: true
  nifiClusterTaskSpec:
    retryDurationMinutes: 10
  readOnlyConfig:
    nifiProperties:
      webProxyHosts:
        - nifi-hubb2b-hml.ifcshop.com.br:8443
      overrideConfigs: |
        nifi.web.http.network.interface.default=eth0
        nifi.web.http.network.interface.lo=lo
        xxxx
    bootstrapNotificationServicesConfig:
        replaceConfigMap: 
          name: config-map-nifi
          namespace: operator
          data: bootstrap_notifications_services.xml
  nodeConfigGroups:
    default_group:
      isNode: true
      storageConfigs:
        - mountPath: "/opt/nifi/nifi-current/logs"
          name: logs
          pvcSpec:
            accessModes:
              - ReadWriteOnce
            storageClassName: "nifi-storage"
            resources:
              requests:
                storage: 10Gi
      serviceAccountName: "default"
      resourcesRequirements:
        limits:
          cpu: "1.25"
          memory: 4Gi
        requests:
          cpu: "1.25"
          memory: 2Gi
  nodes:
    - id: 1
      nodeConfigGroup: "default_group"
    - id: 2
      nodeConfigGroup: "default_group"
  listenersConfig:
    internalListeners:
      - type: "https"
        name: "https"
        containerPort: 8443
      - type: "cluster"
        name: "cluster"
        containerPort: 6007
      - type: "s2s"
        name: "s2s"
        containerPort: 10000
      - type: "prometheus"
        name: "prometheus"
        containerPort: 9090
    sslSecrets:
      tlsSecretName: "nifi-staging-tls"
      create: true

I tried to use same version of cert-manager:

• https://github.com/jetstack/cert-manager/releases/download/v1.2.0/cert-manager.crds.yaml
• https://github.com/jetstack/cert-manager/releases/download/v1.5.4/cert-manager.crds.yaml
• https://github.com/jetstack/cert-manager/releases/download/v1.6.0/cert-manager.crds.yaml

Environment

• nifikop version: 0.7.5

• Kubernetes version information: 1.20.9

• Kubernetes cluster kind: AKS

• NiFi version: apache/nifi:1.13.2

[wandersonpereira]

I've resolved using the exemple:
https://github.com/Orange-OpenSource/nifikop/tree/master/config/samples/keycloak-example.

[Sreenivas-Ratakonda]

Hi
Are the Managed Users are getting created for you, can you please confirm how or which user you are using to login Into Nifi UI.
appreciate your response.

[wandersonpereira]

Hello @Sreenivas-Ratakonda!

I'm creating users and groups with the NifiUser and NifUserGroup:

https://orange-opensource.github.io/nifikop/docs/5_references/2_nifi_user
https://orange-opensource.github.io/nifikop/docs/5_references/6_nifi_usergroup

[Sreenivas-Ratakonda]

@wandersonpereira
I have followed the same exact approach for user creation but they are not getting created. atleast nifikop says it created but the user is not there in Nificluster
please have a look: https://github.com/Orange-OpenSource/nifikop/issues/179
Just wanted to check with you did you deploy the Nifikop in AWS EKS in private subnets I facing a lot of issues
Your response is appreciated.