Skip to main content
Version 3.0

NiFi Configuration

ChartVersion3.0.1TypeapplicationAppVersion1.28.0
CompatibilityKubernetes1.32+OpenShift4.19+Rancher2.10.x+
Feature SupportLDAPsupportedS3supportedIngresssupportedGateway APIsupported

The tdp-nifi chart deploys Apache NiFi using the NiFiKop operator and ZooKeeper.

In daily operations, NiFi maintainers work with a cluster declared in the NifiCluster CRD. Changes to ZooKeeper, TLS certificates, listeners, or Ingress directly affect node coordination and the URL users use to access the interface. The operator reconciles the desired state — if the CRD is inconsistent or a prerequisite (e.g., cert-manager) fails, the symptom is usually a NifiCluster stuck in an intermediate state rather than a single Pod with a generic error.

Overview

PropertyValue
Charttdp-nifi
NiFi version1.28.0
Chart version3.0.1
OperatorNiFiKop
CoordinationZooKeeper embedded as a subchart
Main resourceNifiCluster
Supported featuresLDAP, S3, Ingress, and Gateway API
Default accessNodePort Service for the NiFi UI

What is NiFiKop?

The NiFiKop is a Kubernetes operator specialized in the lifecycle of Apache NiFi clusters.

Instead of managing NiFi instances manually, you describe the desired state in a Kubernetes resource called NifiCluster, and NiFiKop takes care of creating, monitoring, and updating NiFi nodes declaratively.

The tdp-nifi chart deploys both the NiFiKop operator and the NiFi cluster itself, including:

ComponentFunction
NiFiKop OperatorManages the NifiCluster (CRD) lifecycle
ZooKeeperCluster coordination between NiFi nodes
NifiClusterResource defining the cluster: nodes, listeners, external services
cert-managerIssues TLS certificates for secure inter-node communication (when webhook.enabled=true)

This operator-based model means that most NiFi configuration goes into nifiCluster.* instead of direct Helm parameters — the operator translates these values into ConfigMaps, Secrets, and Pods with the correct NiFi configuration.

NiFi Cluster

NiFi is deployed through a NifiCluster custom resource. The main cluster configuration is under nifiCluster, including nodes, configuration groups, external services, listeners, storage, and security.

The default chart starts with a single node (nifiCluster.nodes contains only id: 1). To run additional workers, append entries such as id: 2 and id: 3 pointing to the desired nodeConfigGroup in the values file or via --set nifiCluster.nodes[1].id=2:

nifiCluster:
nodes:
- id: 1
nodeConfigGroup: "default_group"
- id: 2
nodeConfigGroup: "default_group"
- id: 3
nodeConfigGroup: "default_group"

ZooKeeper

ZooKeeper is deployed as a subchart and used by NiFi for cluster coordination. In small installations, the default zookeeper.replicaCount: 1 fits simple scenarios; for more critical environments, adjust replicas, persistence, and resources according to the cluster policy.

Learn more

See Apache NiFi — Concepts for a complete overview of the tool, its architecture, and operation.

Values structure (Helm)

The tdp-nifi chart organizes configuration in the blocks below:

  • tdp-nifi: — chart enablement.
  • global: — global settings shared by dependencies.
  • cert-manager: — optional subchart used when the NiFiKop webhook requires certificates.
  • zookeeper: — ZooKeeper used for NiFi cluster coordination.
  • nifikop: — NiFiKop operator, including image, webhook, cert-manager and resources.
  • nifiCluster: — main NiFi cluster definition: security, read-only configuration, services, nodes, listeners, storage and authorization.
  • TDP-Settings:, ingress: and gatewayApi: — UI exposure control through Ingress or Gateway API.
tdp-nifi:
enabled: true

cert-manager:
enabled: false

zookeeper:
replicaCount: 1

nifikop:
enabled: true
webhook:
enabled: false

nifiCluster:
nodes:
- id: 1
nodeConfigGroup: "default_group"

TDP-Settings:
gateway:
ingress:
enabled: false
gatewayApi:
enabled: false

NiFi images

The NiFi images are unified in the registry.tecnisys.com.br/tdp/images/nifi registry, with one tag variant per platform (base 1.28.0):

PlatformImage tag
Kubernetes1.28.0-0
OpenShift1.28.0-openshift

Set the cluster image in nifiCluster.clusterImage:

nifiCluster:
clusterImage: "registry.tecnisys.com.br/tdp/images/nifi:1.28.0-0"

Prerequisites

  • Kubernetes 1.32+, Red Hat OpenShift 4.19+ or Rancher Manager 2.10.x+
  • Helm 3.2.0+

Optional resources

  • Ingress Controller — required only when ingress.enabled=true.
  • cert-manager — required only when nifikop.webhook.enabled=true.
Note
  • With ingress.enabled=true, the host configured in ingress.rules only receives traffic when an Ingress Controller is available in the cluster.
  • With nifikop.webhook.enabled=true, cert-manager controllers must be installed and running so the NiFiKop webhook can issue certificates.

NiFiKop and cert-manager CRDs (tdp-crds)

Before the first tdp-nifi installation, install the tdp-crds chart, which provides the CRDs used by NiFiKop and, when applicable, cert-manager CRDs:

Terminal input
helm upgrade --install tdp-crds \
oci://registry.tecnisys.com.br/tdp/charts/tdp-crds \
--namespace tdp --create-namespace

When nifikop.webhook.enabled=true, in addition to the CRDs, the cert-manager controllers must also be installed and running (cert-manager, cainjector, and webhook). If cert-manager controllers are not installed yet, install cert-manager before enabling the NiFiKop webhook. See Security — NiFi for details.

OpenShift: runAsUser and fsGroup

On OpenShift, the restricted SCC requires pods to run with a UID/GID assigned to the namespace. Before deploying, fetch the UID range and configure:

Terminal input
uid=$(kubectl get namespace <NAMESPACE> -o=jsonpath='{.metadata.annotations.openshift\.io/sa\.scc\.supplemental-groups}' | sed 's/\/10000$//' | tr -d '[:space:]')

Apply during deploy:

Terminal input
helm upgrade --install tdp-nifi oci://registry.tecnisys.com.br/tdp/charts/tdp-nifi \
-n <NAMESPACE> --create-namespace \
--set nifiCluster.nodeConfigGroups.default_group.runAsUser="${uid}" \
--set nifiCluster.nodeConfigGroups.default_group.fsGroup="${uid}"

Or in values.yaml:

nifiCluster:
nodeConfigGroups:
default_group:
runAsUser: "<UID>"
fsGroup: "<UID>"

Installation (OCI)

Terminal input
helm upgrade --install <RELEASE_NAME> \
oci://registry.tecnisys.com.br/tdp/charts/tdp-nifi \
-n <NAMESPACE> --create-namespace