From 95183a28e14a21d27067a1a5e4dea8c3a2d74da1 Mon Sep 17 00:00:00 2001
From: Sebastian Bernauer
Date: Tue, 18 Mar 2025 10:36:19 +0100
Subject: [PATCH 1/2] docs: Add troubleshooting guide on Ingress problems

---
 .../nifi/pages/troubleshooting/index.adoc | 53 +++++++++++++++++++
 1 file changed, 53 insertions(+)

diff --git a/docs/modules/nifi/pages/troubleshooting/index.adoc b/docs/modules/nifi/pages/troubleshooting/index.adoc
index 55b3c7dc..c342b135 100644
--- a/docs/modules/nifi/pages/troubleshooting/index.adoc
+++ b/docs/modules/nifi/pages/troubleshooting/index.adoc
@@ -18,3 +18,56 @@ spec:
 sizeLimit: 1Gi
 name: log
 ----
+
+== `HTTP ERROR 400 Invalid SNI`
+
+You are very likely accessing a NiFi >= 2.0 stacklet using HTTPS to secure it's WebUI and an Ingress in front of it.
+The URL requested by the ingress-controller (such as nginx) needs to be the FQDN of the nifi service, not only the service name.
+You can instruct nginx ingress to use the FQDN by setting the following annotation:
+
+[source,yaml]
+----
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ annotations:
+ nginx.ingress.kubernetes.io/backend-protocol: HTTPS
+ # We need to use the FQDN, so that NiFi has a cert for the host and does not throw
+ # HTTP ERROR 400 Invalid SNI
+ nginx.ingress.kubernetes.io/upstream-vhost: "nifi.default.svc.cluster.local"
+ name: nifi-ingress
+spec:
+ ingressClassName: nginx
+ rules:
+ - host: nifi.my.corp
+ http:
+ paths:
+ - backend:
+ service:
+ name: nifi
+ port:
+ number: 8443
+ path: /
+ pathType: Prefix
+# ...
+----
+
+For details please read on https://medium.com/@chnzhoujun/how-to-resolve-sni-issue-when-upgrading-to-nifi-2-0-907e07d465c5[this article].
+
+== `authorization_request_not_found` when using multiple NiFi nodes
+
+In case you are using multiple NiFi nodes und OpenID connect as authentication method, it is important that a client (such as your Browser) always accesses the same NiFi instance.
+Otherwise the `authorization_request_not_found` error is returned.
+
+If you are using an nginx ingress, you can achieve this with the following annotations:
+
+[source,yaml]
+----
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ annotations:
+ nginx.ingress.kubernetes.io/affinity: "cookie"
+ nginx.ingress.kubernetes.io/session-cookie-name: "route"
+ nginx.ingress.kubernetes.io/session-cookie-max-age: "172800"
+----
From 0759346ba9ea7744f72276b00ec6248cf6f1a034 Mon Sep 17 00:00:00 2001
From: Sebastian Bernauer
Date: Tue, 18 Mar 2025 10:45:57 +0100
Subject: [PATCH 2/2] Apply suggestions from code review

Co-authored-by: Malte Sander
---
 docs/modules/nifi/pages/troubleshooting/index.adoc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/modules/nifi/pages/troubleshooting/index.adoc b/docs/modules/nifi/pages/troubleshooting/index.adoc
index c342b135..020770b3 100644
--- a/docs/modules/nifi/pages/troubleshooting/index.adoc
+++ b/docs/modules/nifi/pages/troubleshooting/index.adoc
@@ -21,7 +21,7 @@ spec:
 
 == `HTTP ERROR 400 Invalid SNI`
 
-You are very likely accessing a NiFi >= 2.0 stacklet using HTTPS to secure it's WebUI and an Ingress in front of it.
+You are very likely accessing a NiFi >= 2.0 stacklet using HTTPS to secure its WebUI and an Ingress in front of it.
 The URL requested by the ingress-controller (such as nginx) needs to be the FQDN of the nifi service, not only the service name.
 You can instruct nginx ingress to use the FQDN by setting the following annotation:
 
@@ -56,7 +56,7 @@ For details please read on https://medium.com/@chnzhoujun/how-to-resolve-sni-iss
 
 == `authorization_request_not_found` when using multiple NiFi nodes
 
-In case you are using multiple NiFi nodes und OpenID connect as authentication method, it is important that a client (such as your Browser) always accesses the same NiFi instance.
+In case you are using multiple NiFi nodes and OpenID connect as authentication method, it is important that a client (such as your Browser) always accesses the same NiFi instance.
 Otherwise the `authorization_request_not_found` error is returned.
 
 If you are using an nginx ingress, you can achieve this with the following annotations: