All notable changes to this project will be documented in this file.
- Support objectOverrides using
.spec.objectOverrides. See objectOverrides concepts page for details (#885). - Enable the restart-controller, so that the Pods are automatically restarted on config changes (#888).
- Added support for
2.7.2(#893).
- Gracefully shutdown all concurrent tasks by forwarding the SIGTERM signal (#894).
- BREAKING: Reworked authorization config to closer match the Apache NiFi internal authorizer interfaces (#884).
- Also listen on the loopback interface so that k8s port-forwards work (#870).
- The operator now utilizes the
.spec.clusterConfig.authorization.opa.packageproperty instead of hard-coding the package name tonifi(#881). - An
initialAdminUsercan now be provided for file-based authorization (e.g. LDAP) (#884).
- Removed support for
1.27.0and2.4.0(#893).
- Helm: Allow Pod
priorityClassNameto be configured (#840). - Add support for
2.6.0(#849). - Add
prometheus.io/path|port|schemeannotations to metrics service (#855). - Add end-of-support checker (#860).
EOS_CHECK_MODE(--eos-check-mode) to set the EoS check mode. Currently, only "offline" is supported.EOS_INTERVAL(--eos-interval) to set the interval in which the operator checks if it is EoS.EOS_DISABLED(--eos-disabled) to disable the EoS checker completely.
- Add support for OPA with TLS enabled (#863).
- Bump stackable-operator to
0.100.1and product-config to0.8.0(#859). - Deprecate support for
1.27.0,1.28.1, and2.4.0(#849). - Bump testing-tools to
0.3.0-stackable0.0.0-dev(#882).
-
Previously we had a bug that could lead to missing certificates (#844).
This could be the case when you specified multiple CAs in your SecretClass. We now correctly handle multiple certificates in this cases. See this GitHub issue for details
- Add rolling upgrade support for upgrades between NiFi 2 versions (#771).
- BREAKING: Added Listener support for NiFi (#784, #818, #819, #822).
- Adds new telemetry CLI arguments and environment variables (#782).
- Use
--file-log-max-files(orFILE_LOG_MAX_FILES) to limit the number of log files kept. - Use
--file-log-rotation-period(orFILE_LOG_ROTATION_PERIOD) to configure the frequency of rotation. - Use
--console-log-format(orCONSOLE_LOG_FORMAT) to set the format toplain(default) orjson.
- Use
- NiFi 2.x now supports storing cluster state in Kubernetes instead of ZooKeeper (#775).
- Add test for Apache Iceberg integration (#785).
- Add support for custom components via git-sync (#793).
- Add RBAC rule to helm template for automatic cluster domain detection (#817).
- BREAKING: Replace stackable-operator
initialize_loggingwith stackable-telemetryTracing(#767, #776, #782).- The console log level was set by
NIFI_OPERATOR_LOG, and is now set byCONSOLE_LOG_LEVEL. - The file log level was set by
NIFI_OPERATOR_LOG, and is now set byFILE_LOG_LEVEL. - The file log directory was set by
NIFI_OPERATOR_LOG_DIRECTORY, and is now set byFILE_LOG_DIRECTORY(or via--file-log-directory <DIRECTORY>). - Replace stackable-operator
print_startup_stringwithtracing::info!with fields.
- The console log level was set by
- BREAKING: Inject the vector aggregator address into the vector config using the env var
VECTOR_AGGREGATOR_ADDRESSinstead of having the operator write it to the vector config (#772). - test: Bump to Vector
0.46.1(#789). - The ReportingTask metrics ports now is only exposed in NiFi 1.x.x (#794)
- BREAKING: Previously this operator would hardcode the UID and GID of the Pods being created to 1000/0, this has changed now (#801)
- The
runAsUserandrunAsGroupfields will not be set anymore by the operator - The defaults from the docker images itself will now apply, which will be different from 1000/0 going forward
- This is marked as breaking because tools and policies might exist, which require these fields to be set
- The
- test: Bump trino to 476 (#808).
- BREAKING: Bump stackable-operator to 0.94.0 and update other dependencies (#817).
- The default Kubernetes cluster domain name is now fetched from the kubelet API unless explicitly configured.
- This requires operators to have the RBAC permission to get nodes/proxy in the apiGroup "". The helm-chart takes care of this.
- The CLI argument
--kubernetes-node-nameor env variableKUBERNETES_NODE_NAMEneeds to be set. The helm-chart takes care of this.
- The operator helm-chart now grants RBAC
patchpermissions onevents.k8s.io/events, so events can be aggregated (e.g. "error happened 10 times over the last 5 minutes") (#824).
- Use
jsonfile extension for log files (#774). - Fix a bug where changes to ConfigMaps that are referenced in the NifiCluster spec didn't trigger a reconciliation (#772).
- The operator now emits a warning (1.x.x) or errors out (2.x.x) if a deprecated or unsupported sensitive properties algorithm is used (#799).
- Allow uppercase characters in domain names (#817).
- test: ZooKeeper 3.9.2 removed (#787).
- Remove the
lastUpdateTimefield from the stacklet status (#817). - Remove role binding to legacy service accounts (#817).
- The lifetime of auto generated TLS certificates is now configurable with the role and roleGroup
config property
requestedSecretLifetime. This helps reducing frequent Pod restarts (#722). - Run a
containerdebugprocess in the background of each Nifi container to collect debugging information (#730). - Support configuring JVM arguments (#724).
- Aggregate emitted Kubernetes events on the CustomResources (#742).
- Document flow versioning with NiFi 2 (#761).
- Bump Rust dependencies (#758).
stackable-operatorto 0.87.0stackable-versionedto 0.6.0randto 0.9
- Default to OCI for image metadata and product image selection (#741).
- Fix OIDC endpoint construction in case the
rootPathdoes not have a trailing slash (#718). - BREAKING: Use distinct ServiceAccounts for the Stacklets, so that multiple Stacklets can be deployed in one namespace. Existing Stacklets will use the newly created ServiceAccounts after restart (#717).
- Support OpenID Connect authentication (#660).
- Allow configuring proxy host behavior (#668).
- Support disabling the
create-reporting-taskJob (#690). - Support podOverrides on the
create-reporting-taskJob using the fieldspec.clusterConfig.createReportingTaskJob.podOverrides(#690). - The operator can now run on Kubernetes clusters using a non-default cluster domain.
Use the env var
KUBERNETES_CLUSTER_DOMAINor the operator Helm chart propertykubernetesClusterDomainto set a non-default cluster domain (#694).
- Reduce CRD size from
637KBto105KBby accepting arbitrary YAML input instead of the underlying schema for the following fields (#664):podOverridesaffinityextraVolumes
- Increase
logVolume size from 33 MiB to 500 MiB (#671). - Replaced experimental NiFi
2.0.0-M4with2.0.0(#702). - Don't deploy the
PrometheusReportingTaskJob for NiFi versions2.x.xand up (#708).
- Switch from
flow.xml.gztoflow.json.gzto allow seamless upgrades to version 2.0 (#675). - Failing to parse one
NifiCluster/AuthenticationClassshould no longer cause the whole operator to stop functioning (#662). - NiFi will now use the JDK trust store when an OIDC provider uses WebPKI as CA (#686, #698).
- Support specifying the SecretClass that is used to obtain TLS certificates (#622).
- Support for NiFi
1.27.0and2.0.0-M4(#639).
- Bump
stackable-operatorfrom0.64.0to0.70.0(#641). - Bump
product-configfrom0.6.0to0.7.0(#641). - Bump other dependencies (#642).
- Make it easy to test custom NiFi images (#616).
- Use config-utils for text-replacement of variables in configs. This fixes escaping problems, especially when you have special characters in your password (#627).
- Processing of corrupted log events fixed; If errors occur, the error messages are added to the log event (#628).
- Removed support for
1.23.2(#639).
- Various documentation of the CRD (#537).
- Document support for Apache Iceberg extensions (#556).
- Helm: support labels in values.yaml (#560).
- Support for NiFi
1.25.0(#571).
- A service for a single NiFi node is created for the reporting task to avoid JWT issues (#571).
- Default stackableVersion to operator version. It is recommended to remove
spec.image.stackableVersionfrom your custom resources (#493). - Configuration overrides for the JVM security properties, such as DNS caching (#497).
- Support PodDisruptionBudgets (#509).
- Support for 1.23.2 (#513).
- Support graceful shutdown (#528).
vector0.26.0->0.33.0(#494, #513).operator-rs0.44.0->0.55.0(#493, #498, #509, #513).- [BREAKING] Consolidated authentication config to a list of AuthenticationClasses (#498).
- Let secret-operator handle certificate conversion (#505).
- [BREAKING] Removed crd support for nifi.security.allow.anonymous.authentication that was never actually used (#498).
- [BREAKING] Removed crd support for the auto generation of admin credentials (obsolete since the user now always has to provide an AuthenticationClass) (#498).
- Support for 1.15.x, 1.16.x, 1.18.x, 1.20.x (#513).
- Added support for NiFi versions 1.20.0 and 1.21.0 (#464).
- Generate OLM bundle for Release 23.4.0 (#467).
- Missing CRD defaults for
status.conditionsfield (#471). - Set explicit resources on all containers (#476).
- Support podOverrides (#483).
operator-rs0.40.2->0.44.0(#461, #486).- Use 0.0.0-dev product images for testing (#463)
- Use testing-tools 0.2.0 (#463)
- Added kuttl test suites (#480)
- Use ou with spaces in LDAP tests (#466).
- Reporting task now escapes user and password input in case of whitespaces (#466).
- Increase the size limit of the log volume (#486).
- Enabled logging and log aggregation (#418)
- Deploy default and support custom affinities (#436, #451)
- Added the ability to mount extra volumes for files that may be needed for NiFi processors to work (#434)
- Openshift compatibility (#446).
- Extend cluster resources for status and cluster operation (paused, stopped) (#447)
- Cluster status conditions (#448)
- [BREAKING]: Renamed global
configtoclusterConfig(#417) - [BREAKING]: Moved
zookeeper_configmap_nametoclusterConfig(#417) operator-rs0.33.0->0.40.2(#418, #447, #452)- [BREAKING] Support specifying Service type.
This enables us to later switch non-breaking to using
ListenerClassesfor the exposure of Services. This change is breaking, because - for security reasons - we default to thecluster-internalListenerClass. If you need your cluster to be accessible from outside of Kubernetes you need to setclusterConfig.listenerClasstoexternal-unstable(#449).
- Avoid empty log events dated to 1970-01-01 and improve the precision of the log event timestamps (#452).
- Fix
create-reporting-taskto support multiple rolegroups (#453) - Fix proxy hosts list missing an entry for the load-balanced Service (#453)
- Remove hardcoded
kubernetes.io/os=linuxselector when determining list of valid proxy nodes (#453)
- Updated operator-rs to 0.31.0 (#382, #401, #408)
- Do not run init container as root anymore and avoid chmod and chown (#390)
- [BREAKING] Use Product image selection instead of version.
spec.versionhas been replaced byspec.image(#394) - [BREAKING]: Removed tools image (reporting task job and init container) and replaced with NiFi product image. This means the latest stackable version has to be used in the product image selection (#397)
- Fixed the RoleGroup
selector. It was not used before. (#401) - Refactoring of authentication handling (#408)
- Fixed a regression that made PVC configs mandatory in some cases (#375)
- Updated stackable image versions (#376)
- Support for in-place NiFi cluster upgrades (#323)
- Added default resource requests (memory and cpu) for NiFi pods (#353)
- Added support for NiFi version 1.18.0 (#360)
- Updated operator-rs to 0.26.1 (#371)
- NiFi repository sizes are now adjusted based on declared PVC sizes (#371)
- Include chart name when installing with a custom release name (#300, #301).
- Orphaned resources are deleted (#319)
- Updated operator-rs to 0.25.0 (#319, #328)
- Operator will not error out any more if admin credential need to be generated but
auto_generateis not set. Instead the pods are written but will stay in initializing state until the necessary secrets have been created. (#319)
- Reconciliation errors are now reported as Kubernetes events (#218).
- Use cli argument
watch-namespace/ env varWATCH_NAMESPACEto specify a single namespace to watch (#223). - Enable prometheus metrics via a
Job. This is done via a python script that creates a ReportingTask via the NiFi REST API in thetoolsdocker image (#230). - Monitoring scraping label prometheus.io/scrape: true (#230).
operator-rs0.10.0->0.15.0(#218, #223, #230).- [BREAKING] Specifying the product version has been changed to adhere to ADR018 instead of just specifying the product version you will now have to add the Stackable image version as well, so
version: 3.5.8becomes (for example)version: 3.5.8-stackable0.1.0(#270) - [BREAKING] CRD overhaul: Moved
authenticationConfigto top levelconfig.authentication.SingleUsernow proper camelCasesingleUser.adminCredentialsSecretnow takes a String instead ofSecretReference(#277). - [BREAKING] CRD overhaul: Moved
sensitivePropertiesConfigto top levelconfig.sensitiveProperties(#277).
- The
monitoring.rsmodule which is obsolete (#230).
- The ZooKeeper discovery now references config map name of ZNode (#207).
operator-rs0.9.0→0.10.0(#207).
- Removed support for 1.13.2 (#125)
- Added/removed some default config settings that changed from 1.13 to 1.15 (#125)
operator-rs0.3.0→0.4.0(#101).stackable-zookeeper-crd:0.4.1→0.5.0(#101).- Adapted pod image and container command to docker image (#101).
- Adapted documentation to represent new workflow with docker images (#101).
- Added versioning code from operator-rs for up and downgrades (#81).
- Added
ProductVersionto status (#81). - Added
Conditionto status (#81). - Use sticky scheduler (#87)
stackable-zookeeper-crd:0.3.0→0.4.1(#92).operator-rs:0.3.0(#92).kube-rs:0.58→0.60(#83).k8s-openapi0.12→0.13and features:v1_21→v1_22(#83).operator-rs0.2.1→0.2.2(#83).
- Fixed a bug where
wait_until_crds_presentonly reacted to the main CRD, not the commands (#92).
- Breaking: Repository structure was changed and the -server crate renamed to -binary. As part of this change the -server suffix was removed from both the package name for os packages and the name of the executable (#72).
- Initial release