NiFi Configuration
The tdp-nifi chart deploys Apache NiFi using the NiFiKop operator and ZooKeeper.
In daily operations, NiFi maintainers work with a cluster declared in the NifiCluster CRD. Changes to ZooKeeper, TLS certificates, listeners, or Ingress directly affect node coordination and the URL users use to access the interface. The operator reconciles the desired state — if the CRD is inconsistent or a prerequisite (e.g., cert-manager) fails, the symptom is usually a NifiCluster stuck in an intermediate state rather than a single Pod with a generic error.
Overview
| Property | Value |
|---|---|
| Chart | tdp-nifi |
| NiFi version | 1.28.0 |
| Chart version | 3.0.1 |
| Operator | NiFiKop |
| Coordination | ZooKeeper embedded as a subchart |
| Main resource | NifiCluster |
| Supported features | LDAP, S3, Ingress, and Gateway API |
| Default access | NodePort Service for the NiFi UI |
Related Pages
- Security — NiFi — LDAP, TLS, security modes, and Ranger authorization
- Integrations — NiFi — Apache Ranger integration registration
- External exposure: Ingress and Gateway API — HTTP/HTTPS UI exposure
What is NiFiKop?
The NiFiKop is a Kubernetes operator specialized in the lifecycle of Apache NiFi clusters.
Instead of managing NiFi instances manually, you describe the desired state in a Kubernetes resource called NifiCluster, and NiFiKop takes care of creating, monitoring, and updating NiFi nodes declaratively.
The tdp-nifi chart deploys both the NiFiKop operator and the NiFi cluster itself, including:
| Component | Function |
|---|---|
| NiFiKop Operator | Manages the NifiCluster (CRD) lifecycle |
| ZooKeeper | Cluster coordination between NiFi nodes |
| NifiCluster | Resource defining the cluster: nodes, listeners, external services |
| cert-manager | Issues TLS certificates for secure inter-node communication (when webhook.enabled=true) |
This operator-based model means that most NiFi configuration goes into nifiCluster.* instead of direct Helm parameters — the operator translates these values into ConfigMaps, Secrets, and Pods with the correct NiFi configuration.
NiFi Cluster
NiFi is deployed through a NifiCluster custom resource. The main cluster configuration is under nifiCluster, including nodes, configuration groups, external services, listeners, storage, and security.
The default chart starts with a single node (nifiCluster.nodes contains only id: 1). To run additional workers, append entries such as id: 2 and id: 3 pointing to the desired nodeConfigGroup in the values file or via --set nifiCluster.nodes[1].id=2:
nifiCluster:
nodes:
- id: 1
nodeConfigGroup: "default_group"
- id: 2
nodeConfigGroup: "default_group"
- id: 3
nodeConfigGroup: "default_group"
ZooKeeper
ZooKeeper is deployed as a subchart and used by NiFi for cluster coordination. In small installations, the default zookeeper.replicaCount: 1 fits simple scenarios; for more critical environments, adjust replicas, persistence, and resources according to the cluster policy.
See Apache NiFi — Concepts for a complete overview of the tool, its architecture, and operation.
Values structure (Helm)
The tdp-nifi chart organizes configuration in the blocks below:
tdp-nifi:— chart enablement.global:— global settings shared by dependencies.cert-manager:— optional subchart used when the NiFiKop webhook requires certificates.zookeeper:— ZooKeeper used for NiFi cluster coordination.nifikop:— NiFiKop operator, including image, webhook, cert-manager and resources.nifiCluster:— main NiFi cluster definition: security, read-only configuration, services, nodes, listeners, storage and authorization.TDP-Settings:,ingress:andgatewayApi:— UI exposure control through Ingress or Gateway API.
tdp-nifi:
enabled: true
cert-manager:
enabled: false
zookeeper:
replicaCount: 1
nifikop:
enabled: true
webhook:
enabled: false
nifiCluster:
nodes:
- id: 1
nodeConfigGroup: "default_group"
TDP-Settings:
gateway:
ingress:
enabled: false
gatewayApi:
enabled: false
NiFi images
The NiFi images are unified in the registry.tecnisys.com.br/tdp/images/nifi registry, with one tag variant per platform (base 1.28.0):
| Platform | Image tag |
|---|---|
| Kubernetes | 1.28.0-0 |
| OpenShift | 1.28.0-openshift |
Set the cluster image in nifiCluster.clusterImage:
nifiCluster:
clusterImage: "registry.tecnisys.com.br/tdp/images/nifi:1.28.0-0"
Prerequisites
- Kubernetes 1.32+, Red Hat OpenShift 4.19+ or Rancher Manager 2.10.x+
- Helm 3.2.0+
Optional resources
- Ingress Controller — required only when
ingress.enabled=true. - cert-manager — required only when
nifikop.webhook.enabled=true.
- With
ingress.enabled=true, the host configured iningress.rulesonly receives traffic when an Ingress Controller is available in the cluster. - With
nifikop.webhook.enabled=true, cert-manager controllers must be installed and running so the NiFiKop webhook can issue certificates.
NiFiKop and cert-manager CRDs (tdp-crds)
Before the first tdp-nifi installation, install the tdp-crds chart, which provides the CRDs used by NiFiKop and, when applicable, cert-manager CRDs:
helm upgrade --install tdp-crds \
oci://registry.tecnisys.com.br/tdp/charts/tdp-crds \
--namespace tdp --create-namespace
When nifikop.webhook.enabled=true, in addition to the CRDs, the cert-manager controllers must also be installed and running (cert-manager, cainjector, and webhook). If cert-manager controllers are not installed yet, install cert-manager before enabling the NiFiKop webhook. See Security — NiFi for details.
OpenShift: runAsUser and fsGroup
On OpenShift, the restricted SCC requires pods to run with a UID/GID assigned to the namespace. Before deploying, fetch the UID range and configure:
uid=$(kubectl get namespace <NAMESPACE> -o=jsonpath='{.metadata.annotations.openshift\.io/sa\.scc\.supplemental-groups}' | sed 's/\/10000$//' | tr -d '[:space:]')
Apply during deploy:
helm upgrade --install tdp-nifi oci://registry.tecnisys.com.br/tdp/charts/tdp-nifi \
-n <NAMESPACE> --create-namespace \
--set nifiCluster.nodeConfigGroups.default_group.runAsUser="${uid}" \
--set nifiCluster.nodeConfigGroups.default_group.fsGroup="${uid}"
Or in values.yaml:
nifiCluster:
nodeConfigGroups:
default_group:
runAsUser: "<UID>"
fsGroup: "<UID>"
- Installation
- Main parameters
- Configuration details
- Access & Security
- Troubleshooting
- Uninstallation
Installation (OCI)
helm upgrade --install <RELEASE_NAME> \
oci://registry.tecnisys.com.br/tdp/charts/tdp-nifi \
-n <NAMESPACE> --create-namespace
Main Parameters
| Parameter | Description | Default (reference) |
|---|---|---|
tdp-nifi.enabled | Enable the chart | true |
zookeeper.replicaCount | ZooKeeper replicas | 1 |
zookeeper.persistence.storageClass | ZooKeeper StorageClass | local-path |
zookeeper.persistence.size | ZooKeeper volume size | 4Gi |
nifikop.enabled | NiFiKop operator | true |
nifikop.watchOwnNamespace | Watch only the release namespace | true |
nifikop.webhook.enabled | Operator webhook | false |
nifikop.certManager.enabled | cert-manager for webhook | false |
nifiCluster.zkAddress | ZooKeeper address | <RELEASE_NAME>-zookeeper:2181 |
nifiCluster.externalServices[0].spec.type | NiFi service type | NodePort |
nifiCluster.externalServices[0].spec.portConfigs[0].port | NiFi node HTTP port | 8080 |
nifiCluster.nodeConfigGroups.default_group.resourcesRequirements | NiFi node resources (CPU/memory) | run helm show values |
ingress.enabled | Create Ingress | false |
ingress.rules[0].host | Ingress host | nifi.tdp.local |
ingress.ingressClassName | Ingress class | nginx |
TDP-Settings.gateway.ingress.enabled | Enable Ingress | false |
TDP-Settings.gateway.gatewayApi.enabled | Enable Gateway API (HTTPRoute) | false |
gatewayApi.nifi.enabled | Enable HTTPRoute for NiFi | false |
gatewayApi.nifi.hostnames[0] | HTTPRoute hostname | nifi.tdp.local |
Adjust images, resources, NifiCluster, listeners, and health checks in the values file; the full key list is available via helm show values.
NiFi Properties Customization
NiFi properties can be customized by adding nifiProperties.overrideConfigs under nifiCluster.readOnlyConfig. This allows adjusting persistence, performance, and other NiFi-specific settings.
Example:
nifiCluster:
readOnlyConfig:
nifiProperties:
overrideConfigs: |
nifi.flowfile.repository.checkpoint.interval=5 mins
Common use cases:
- Adjust checkpoint intervals
- Configure provenance repository implementation
- Tune content repository settings
- Reduce disk I/O in development environments
Some properties may affect data persistence or performance. Review NiFi documentation before applying in production environments.
Access
By default, the chart exposes the NiFi UI through a NodePort Service, usually named tdp-nifi-service. This access model is useful for initial validation, labs, or environments where direct node IP traffic is allowed.
kubectl -n <NAMESPACE> get svc tdp-nifi-service
kubectl get nodes -o wide
The URL follows this format:
http://<NODE_IP>:<NODE_PORT>/nifi
Port-forward
kubectl port-forward svc/tdp-nifi-service 8080:8080 -n <NAMESPACE>
Open http://localhost:8080/nifi.
External exposure
For external exposure through Ingress or Gateway API, see External Exposure — NiFi. That page concentrates the complete examples for standard Kubernetes, OpenShift, HTTPS, and Gateway API.
Troubleshooting
When the UI does not open but Pods appear Running, first check the NifiCluster (describe) and namespace events: the operator usually logs listener, TLS, or ZooKeeper failures before the HTTP service responds. The commands below help correlate CRD phase, events, and workload state.
kubectl -n <NAMESPACE> get pods
kubectl -n <NAMESPACE> get nificlusters
kubectl -n <NAMESPACE> describe nificluster <CLUSTER_NAME>
kubectl -n <NAMESPACE> get events --sort-by=.lastTimestamp
kubectl -n <NAMESPACE> logs <POD_NAME> -f
Uninstall
helm uninstall <RELEASE_NAME> -n <NAMESPACE>
The chart includes a pre-delete hook that removes the NifiCluster CR and its finalizers before Helm uninstalls the operator. This prevents the CR from getting stuck in Terminating state.
To avoid data loss when uninstalling in production, set reclaimPolicy: Retain on data PVCs:
nifiCluster:
nodeConfigGroups:
default_group:
storageConfigs:
- name: flowfile-repository
reclaimPolicy: Retain
- name: content-repository
reclaimPolicy: Retain
- name: provenance-repository
reclaimPolicy: Retain