add apache-nifi (chainguard-images#2692)

images/apache-nifi/README.md

@@ -0,0 +1,53 @@
+<!--monopod:start-->
+# apache-nifi
+| | |
+| - | - |
+| **OCI Reference** | `cgr.dev/chainguard/apache-nifi` |
+
+
+* [View Image in Chainguard Academy](https://edu.chainguard.dev/chainguard/chainguard-images/reference/apache-nifi/overview/)
+* [View Image Catalog](https://console.enforce.dev/images/catalog) for a full list of available tags.
+* [Contact Chainguard](https://www.chainguard.dev/chainguard-images) for enterprise support, SLAs, and access to older tags.*
+
+---
+<!--monopod:end-->
+
+<!--overview:start-->
+Apache NiFi was made for dataflow. It supports highly configurable directed graphs of data routing, transformation, and system mediation logic.
+<!--overview:end-->
+
+<!--getting:start-->
+## Download this Image
+The image is available on `cgr.dev`:
+
+```
+docker pull cgr.dev/chainguard/apache-nifi:latest
+```
+<!--getting:end-->
+
+<!--body:start-->
+### Usage
+
+To get started with Chainguard's NiFi image, run it with Docker:
+
+```bash
+docker run -p 8443:8443 --name nifi cgr.dev/chainguard/apache-nifi:latest
+```
+
+NiFi will take a moment to start. Once it is finished, you'll see a message stating the Web UI is available:
+
+```
+NiFi has started. The UI is available at the following URLs
+```
+
+To obtain the username and password, check the Docker logs:
+
+```bash
+docker logs nifi | grep Generated
+```
+
+You can now access the Web UI at [localhost:8443](https://localhost:8443).
+
+A user guide for NiFi can be found [here](https://nifi.apache.org/docs/nifi-docs/html/user-guide.html).
+
+<!--body:end-->

images/apache-nifi/TESTING.md

@@ -0,0 +1,81 @@
+# Testing Apache NiFi
+
+To begin testing Chainguard's NiFi image, run it via Docker:
+
+```bash
+docker run \
+  -it --rm \
+  -p <YOUR PORT>:<YOUR PORT> \
+  -e NIFI_WEB_HTTP_HOST="0.0.0.0" \
+  -e NIFI_WEB_HTTP_PORT="<YOUR PORT>" \
+  -e SINGLE_USER_CREDENTIALS_USERNAME="<YOUR USERNAME>" \
+  -e SINGLE_USER_CREDENTIALS_PASSWORD="<YOUR PASSWORD>" \
+  --name <CONTAINER NAME> \
+  "${IMAGE_NAME}"
+```
+
+Where `<YOUR PORT>` is a free port on your system.
+
+NiFi will take a moment to start up. Once it has successfully started, you'll see a message stating the Web UI is available:
+
+```
+NiFi has started. The UI is available at the following URLs
+```
+
+At this point, you can access the Web UI at `localhost:<YOUR PORT>`.
+
+You will be greeted with a blank canvas, called a process group.
+
+### Testing NiFi's API
+
+NiFi provides various API endpoints that we can use. For the purposes of this test, we'll create a processor and validate it was created successfully.
+
+The first thing we'll do is acquire info about the root process group (the first canvas you see when accessing NiFi's Web UI):
+
+```bash
+curl -s -X GET "http://localhost:<YOUR PORT>/nifi-api/flow/process-groups/root"
+```
+
+Take note of the ID. It will look like this:
+
+```json
+"id": "885e58ea-018f-1000-7ce8-f57d0578e375",
+```
+
+We'll need this for a creating a processor within the root process group.
+
+Now that we have the ID of the root process group, we can create a processor:
+
+```bash
+curl -s -X POST "http://localhost:<YOUR PORT>/nifi-api/process-groups/<ROOT PROCESS GROUP ID>/processors" \
+        -H "Content-Type: application/json" \
+        -d '{
+                "revision": {
+                    "clientId": "test-client",
+                    "version": 0
+                },
+                "component": {
+                    "type": "org.apache.nifi.processors.standard.GenerateFlowFile",
+                    "name": "GenerateFlowFile"
+                }
+            }'
+```
+
+
+To validate the processor was successfully created, we can retrieve the processor details:
+
+```bash
+curl -s -X GET "http://localhost:44317/nifi-api/processors/<PROCESSOR ID>"
+```
+
+The processor's component name should be set to `GenerateFlowFile`.
+
+Alternatively, you may access the Web UI over `localhost:<YOUR PORT>`. The processor will be viewable on the canvas.
+
+For more info on NiFi's API, see the [upstream API documentation](https://nifi.apache.org/docs/nifi-docs/rest-api/index.html).
+
+An introductory user guide may be found [here](https://nifi.apache.org/docs/nifi-docs/html/user-guide.html).
+
+### What about Helm?
+
+Unfortunately, while a chart exists, it is not longer maintained. It can be found [here](https://github.com/cetic/helm-nifi).

images/apache-nifi/config/main.tf

@@ -0,0 +1,59 @@
+terraform {
+  required_providers {
+    apko = { source = "chainguard-dev/apko" }
+  }
+}
+
+variable "extra_packages" {
+  description = "The additional packages to install."
+  default = [
+    "apache-nifi",
+    "apache-nifi-compat",
+    "apache-nifi-toolkit"
+  ]
+}
+
+variable "environment" {
+  default = {}
+}
+
+module "accts" {
+  source = "../../../tflib/accts"
+  run-as = 1000
+  uid    = 1000
+  gid    = 1000
+  name   = "nonroot"
+}
+
+output "config" {
+  value = jsonencode({
+    contents = {
+      packages = var.extra_packages
+    }
+    accounts = module.accts.block
+    environment = merge({
+      "LANG" : "en_US.UTF-8",
+      "JAVA_HOME" : "/usr/lib/jvm/java-11-openjdk"
+      "LANGUAGE" : "en_US:en"
+      "LC_ALL" : "en_US.UTF-8"
+      "NIFI_BASE_DIR" : "/usr/share/nifi"
+      "NIFI_HOME" : "/usr/share/nifi/nifi-current"
+      "NIFI_TOOLKIT_HOME" : "/usr/share/nifi/nifi-toolkit-current"
+      "NIFI_PID_DIR" : "/usr/share/nifi/nifi-current/run"
+      "NIFI_LOG_DIR" : "/usr/share/nifi/nifi-current/logs"
+    }, var.environment)
+    entrypoint = {
+      command = "../scripts/start.sh"
+    }
+    work-dir = "/usr/share/nifi/nifi-current"
+    paths = [{
+      path        = "/usr/share/nifi"
+      type        = "directory"
+      uid         = module.accts.block.run-as
+      gid         = module.accts.block.run-as
+      permissions = 493 // 0o755 (HCL explicitly does not support octal literals)
+      recursive   = true
+    }]
+    }
+  )
+}

images/apache-nifi/main.tf

@@ -0,0 +1,39 @@
+terraform {
+  required_providers {
+    oci = { source = "chainguard-dev/oci" }
+  }
+}
+
+variable "target_repository" {
+  description = "The docker repo into which the image and attestations should be published."
+}
+
+module "config" { source = "./config" }
+
+module "apache-nifi" {
+  source            = "../../tflib/publisher"
+  name              = basename(path.module)
+  target_repository = var.target_repository
+  config            = module.config.config
+
+  build-dev = true
+
+}
+
+module "test" {
+  source = "./tests"
+  digest = module.apache-nifi.image_ref
+}
+
+resource "oci_tag" "latest" {
+  depends_on = [module.test]
+  digest_ref = module.apache-nifi.image_ref
+  tag        = "latest"
+}
+
+resource "oci_tag" "latest-dev" {
+  depends_on = [module.test]
+  digest_ref = module.apache-nifi.dev_ref
+  tag        = "latest-dev"
+}
+

images/apache-nifi/metadata.yaml

@@ -0,0 +1,12 @@
+name: apache-nifi
+image: cgr.dev/chainguard/apache-nifi
+logo: https://storage.googleapis.com/chainguard-academy/logos/apache-nifi.svg
+endoflife: ""
+console_summary: "Apache NiFi is an easy to use, powerful, and reliable system to process and distribute data."
+short_description: Apache NiFi was made for dataflow. It supports highly configurable directed graphs of data routing, transformation, and system mediation logic.
+compatibility_notes: ""
+readme_file: README.md
+upstream_url: https://github.com/apache/nifi
+keywords:
+  - analytics
+  - application

images/apache-nifi/tests/check-nifi.sh

@@ -0,0 +1,88 @@
+#!/usr/bin/env bash
+
+set -o errexit -o nounset -o errtrace -o pipefail -x
+
+NIFI_PORT=$(shuf -i 1024-65535 -n 1)
+CONTAINER_NAME="nifi-${NIFI_PORT}"
+
+# User credentials
+USERNAME="admin"
+PASSWD="ctsBtRBKHRAx69EqUghvvgEvjnaLjFEB"
+
+# Retries
+REQUEST_RETRIES=10
+RETRY_DELAY=5
+
+# Logs
+declare -a expected_logs=(
+  "Starting Apache NiFi"
+  "NiFi running with PID"
+  "Launched Apache NiFi with Process ID"
+)
+declare -a missing_logs=()
+
+# Run NiFi
+docker run \
+  -d --rm \
+  -p "${NIFI_PORT}":"${NIFI_PORT}" \
+  -e NIFI_WEB_HTTP_HOST="0.0.0.0" \
+  -e NIFI_WEB_HTTP_PORT="${NIFI_PORT}" \
+  -e SINGLE_USER_CREDENTIALS_USERNAME="${USERNAME}" \
+  -e SINGLE_USER_CREDENTIALS_PASSWORD="${PASSWD}" \
+  --name "${CONTAINER_NAME}" \
+  "${IMAGE_NAME}"
+
+# Stop container when script exits
+trap "docker stop ${CONTAINER_NAME}" EXIT
+
+# Validate that NiFi container logs contain expected log messages.
+TEST_validate_container_logs() {
+  apk add grep
+
+  for ((i=1; i<=${REQUEST_RETRIES}; i++)); do
+    local logs=$(docker logs "${CONTAINER_NAME}" 2>&1)
+    local logs_found=true
+
+    # Search the container logs for our expected log lines.
+    for log in "${expected_logs[@]}"; do
+      if ! echo "$logs" | /usr/bin/grep -Fq "$log"; then
+        logs_found=false
+      fi
+    done
+
+    if $logs_found; then
+      return 0
+    elif [[ $i -lt ${REQUEST_RETRIES} ]]; then
+      echo "Some expected logs were missing. Retrying in ${RETRY_DELAY} seconds..."
+      sleep ${RETRY_DELAY}
+    fi
+  done
+
+  # After all retries, record the missing logs
+  for log in "${expected_logs[@]}"; do
+    if ! echo "${logs}" | /usr/bin/grep -Fq "$log"; then
+      missing_logs+=("${log}")
+    fi
+  done
+
+  echo "FAILED: The following log lines were not found:"
+  printf '%s\n' "${missing_logs[@]}"
+  exit 1
+}
+
+# Check that NiFi portal responds 200 HTTP status code indicating it's operational.
+TEST_http_response() {
+  for ((i=1; i<=${REQUEST_RETRIES}; i++)); do
+    if $(docker run --network container:"${CONTAINER_NAME}" cgr.dev/chainguard/curl -vsL "http://localhost:${NIFI_PORT}/nifi"); then
+      return 0 
+    fi
+    sleep ${RETRY_DELAY}
+  done
+
+  echo "FAILED: Did not receive 200 HTTP response from portal after ${REQUEST_RETRIES} attempts."
+  exit 1
+}
+
+# Run tests
+TEST_validate_container_logs
+#TEST_http_response