
[cetic/nifi] Secure cluster with provided certificates instead of self-signed ones.

Open gillhofer opened this issue 4 years ago • 3 comments

Is your feature request related to a problem? Please describe.
Currently, TLS and thus authentication can only be enabled when the provided TLS-toolkit CA is enabled, which creates self-signed certificates. However, this breaks the browser's trust in the NiFi UI as well as prevents MiNiFi from connecting to NiFi because of trust issues. If I understand this right, then this can only be fixed by using either Let's Encrypt (how?) as the CA or some other bought certificates and injecting those into the TLS-toolkit CA. However, my technical knowledge about Kubernetes / ingress and TLS is limited, hence my description might not be accurate. Please correct me if I'm wrong.

[screenshot]

Describe the solution you'd like
I would like to be able to use a given TLS certificate for a given subdomain.

Describe alternatives you've considered

Additional context
There might also be a misunderstanding of the chart's values.yaml:

properties:
  # use externalSecure for when inbound SSL is provided by nginx-ingress or other external mechanism
  externalSecure: false
  isNode: true # set to false if ldap is enabled
  httpPort: null # set to null if ldap is enabled
  httpsPort: 9443 # set to 9443 if ldap is enabled
  webProxyHost: XXXX.westeurope.cloudapp.azure.com:9443
  clusterPort: 6007
  clusterSecure: true # set to true if ldap is enabled
  needClientAuth: false

ca:
  ## If true, enable the nifi-toolkit certificate authority
  enabled: true
  persistence:
    enabled: true
  server: XXXX.westeurope.cloudapp.azure.com
  service:
    port: 9090
  token: sixteenCharacters
  admin:
    cn: SOME_CN
  serviceAccount:
    create: false
  openshift:
    scc:
      enabled: false

gillhofer, Jan 21 '21 10:01

I would like to understand if this issue is the cause of not being able to access the NiFi UI after trying to enable HTTPS and LDAP (should be the same for OIDC). The error I got when trying to access the UI is:

[screenshot]

bmgante, Jun 28 '21 09:06

No, probably not. You seem to have a misconfigured NiFi. Your NiFi is running on a domain it is not aware of.

gillhofer, Jul 05 '21 04:07
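The two conditions behind "running on a domain it is not aware of" can be checked before touching the chart. Clients (a browser, MiNiFi) verify that the hostname in the URL appears in the server certificate's SANs, and NiFi itself rejects requests whose Host header is neither its own listen address nor an entry in nifi.web.proxy.host (the chart's properties.webProxyHost is assumed here to populate that list). The Go program below is an added example, not code from this thread or from the cetic/nifi chart: it builds a throwaway self-signed certificate with constructed SANs standing in for what a toolkit-style CA would issue for a node, then tests it against the external hostname used in the thread, and applies a simplified model of the proxy-host check. The node hostnames and the exact matching rule are assumptions; real NiFi also accepts its own configured host and addresses.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// SelfSignedCert builds a throwaway certificate whose SANs cover only the
// names passed in, mimicking what a toolkit-style CA issues for a node.
// Constructed test data; a real CA-issued cert would be loaded from the keystore.
func SelfSignedCert(sans []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: sans[0]},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     sans,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CertCoversHost reports whether a client connecting to host would pass
// hostname verification against cert (SAN match, same rule browsers use).
func CertCoversHost(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

// ProxyHostAllowed is a simplified model of NiFi's Host-header check:
// the header must equal one of the comma-separated host[:port] entries of
// nifi.web.proxy.host (case-insensitive). Assumption: real NiFi additionally
// accepts the node's own listen host and IP addresses.
func ProxyHostAllowed(proxyHosts, hostHeader string) bool {
	for _, entry := range strings.Split(proxyHosts, ",") {
		if strings.EqualFold(strings.TrimSpace(entry), strings.TrimSpace(hostHeader)) {
			return true
		}
	}
	return false
}

func main() {
	// Hypothetical in-cluster names a toolkit CA would have been told about.
	nodeSANs := []string{"nifi-0.nifi-headless.default.svc.cluster.local", "nifi-0"}
	cert, err := SelfSignedCert(nodeSANs)
	if err != nil {
		panic(err)
	}

	// The external name clients actually use (from the thread).
	external := "nifi.xxx.staging.xxx.net"
	fmt.Printf("cert covers %s: %v\n", nodeSANs[1], CertCoversHost(cert, nodeSANs[1]))
	fmt.Printf("cert covers %s: %v\n", external, CertCoversHost(cert, external))

	// webProxyHost from the thread's values.yaml vs. the Host header a
	// browser sends when it reaches NiFi through the external name.
	proxyHosts := "XXXX.westeurope.cloudapp.azure.com:9443"
	fmt.Printf("proxy host allows %s:9443: %v\n", external,
		ProxyHostAllowed(proxyHosts, external+":9443"))
	fmt.Printf("proxy host allows configured value: %v\n",
		ProxyHostAllowed(proxyHosts, "XXXX.westeurope.cloudapp.azure.com:9443"))
}
```

If the first check fails for the public hostname, no amount of chart configuration will make a browser trust the UI: the certificate has to be issued for (or include a SAN for) the name clients use. If the second fails, NiFi will refuse the request even when the certificate is fine, so properties.webProxyHost must list every host[:port] under which the UI is reached.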

I am running it on AWS EKS and disabled Istio (not compatible with this Helm chart). In terms of UI config I have:

# ui service
service:
  type: LoadBalancer
  httpPort: 8080
  httpsPort: 9443
  nodePort: 30236
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: Environment=staging,Function=xxx-xxx,Service=nifi
    service.beta.kubernetes.io/aws-load-balancer-internal: "true"
    external-dns.alpha.kubernetes.io/hostname: nifi.xxx.staging.xxx.net
    external-dns.alpha.kubernetes.io/ttl: "60"

Do I have anything wrong in this config? The external-dns.alpha.kubernetes.io/hostname property is just to have a friendly URL instead of using the given load balancer address.

bmgante, Jul 05 '21 08:07