Details
- Type: Improvement
- Status: Resolved
- Priority: Major
- Resolution: Fixed
Description
On a NiFi running on K8S, the certificates are provided by a secret to the pods, so to allow NiFi to reload them when they are updated, I set the nifi.security.autoreload.enabled flag to true. But the secret mounting mechanism creates a set of symlinks, and the scanner that keeps track of the certificates considers that the certificates are deleted and not updated, because instead of keeping track of the file through the symlink it keeps track of the file pointed to by the symlink. So when the secret is updated, the certificate is deleted and created in another folder, and the symlink is updated. But for the Scanner the file has been deleted, so it stops keeping track of it and does not reload the certificate.
To illustrate my point:
- At the start, the pyramid looks like this: truststore.jks [Symlink] -> ..data/truststore.jks [Symlink] -> ..2022_08_31_19_45_44.079808492/truststore.jks
- After the update, the pyramid looks like this: truststore.jks [Symlink] -> ..data/truststore.jks [Symlink] -> ..<NEW_TIMESTAMP>/truststore.jks
The symlink still references a valid file, but as the "real" file changed directory, the scanner considers that the file has been deleted and therefore stops keeping track of it.
The Scanner from Jetty will by default have the parameter reportRealPaths set to true. If set to true, the listeners used by the Scanner are called with the real path of scanned files. So the parameter should be set to false.
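The behaviour described above can be reproduced with a small model. This is an added example, not code from NiFi or Jetty and not part of the original report. `PollingScanner`, `rotate_secret`, `..data_tmp` and `..NEW_TIMESTAMP` are hypothetical names, and a content hash stands in for the real scanner's change detection.

```python
import hashlib, os, shutil, tempfile

def rotate_secret(mount, version_dir, content):
    """Mimic the secret mount: write a new versioned dir, swap ..data, drop the old dir."""
    data = os.path.join(mount, "..data")
    old = os.readlink(data) if os.path.islink(data) else None
    os.mkdir(os.path.join(mount, version_dir))
    with open(os.path.join(mount, version_dir, "truststore.jks"), "wb") as f:
        f.write(content)
    tmp = os.path.join(mount, "..data_tmp")           # hypothetical temp link name
    os.symlink(version_dir, tmp)
    os.replace(tmp, data)                             # atomic rename over the old link
    if old:
        shutil.rmtree(os.path.join(mount, old))       # the "real" file disappears here

class PollingScanner:
    """Simplified model of a file scanner keyed on either the real or the given path."""
    def __init__(self, path, report_real_paths):
        # True models the default from the report: symlinks are resolved once, up front.
        self.key = os.path.realpath(path) if report_real_paths else os.path.abspath(path)
        self.seen = self._fingerprint()

    def _fingerprint(self):
        try:
            with open(self.key, "rb") as f:           # open() follows symlinks
                return hashlib.sha256(f.read()).hexdigest()
        except FileNotFoundError:
            return None

    def poll(self):
        now = self._fingerprint()
        if now == self.seen:
            return None
        event = "removed" if now is None else ("added" if self.seen is None else "changed")
        self.seen = now
        return event

def demo():
    mount = tempfile.mkdtemp()
    rotate_secret(mount, "..2022_08_31_19_45_44.079808492", b"old truststore (constructed)")
    cert = os.path.join(mount, "truststore.jks")
    os.symlink(os.path.join("..data", "truststore.jks"), cert)
    by_real, by_link = PollingScanner(cert, True), PollingScanner(cert, False)
    rotate_secret(mount, "..NEW_TIMESTAMP", b"new truststore (constructed)")
    result = (by_real.poll(), by_link.poll(), by_real.poll())
    shutil.rmtree(mount)
    return result

if __name__ == "__main__":
    print(demo())
```

The scanner keyed on the real path sees a removal and then nothing further, while the one keyed on the symlink path sees a change, which is the event a certificate reload depends on.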
Issue Links
- relates to: NIFI-11536 nifi.security.autoreload.enabled is broken since v1.17.0 (Resolved)