helm-nifi
[cetic/nifi] Configure oidc clientId & clientSecret using k8s Secret
Provide a secure means to configure oidc by referencing an existing secret. End goal is to support deployment via GitOps. Values yaml will be stored in a git repo that should not have sensitive values in plain text.
This may require a large change in how nifi.properties is created and maintained. It is potentially outside the scope of this project. However, I wanted to document that the GitOps use-case exists.
Hi @jdesroch, you might consider something like this `.gitlab-ci.yml` fragment we use, with `$KEYCLOAK_SECRET` managed as a GitLab protected and masked variable (see https://docs.gitlab.com/ee/ci/variables/):

```yaml
helm_nifi:
  stage: deploy_nifi
  tags:
    - k8s
    - some_namespace
    - some_other_tag
  only:
    refs:
      - main@some_namespace/nifi
    changes:
      - .gitlab-ci.yml
      - nifi-values.yaml
  image:
    name: lachlanevenson/k8s-helm:v3.8.2
    entrypoint: [""]
  script: |
    # -e: stop on the first error; -x: trace each command in the job log
    set -ex
    helm repo add cetic https://cetic.github.io/helm-charts
    helm repo update
    # The OIDC client secret comes from the CI variable at deploy time,
    # so it does not have to be written into nifi-values.yaml
    helm upgrade --install \
      --namespace some_namespace \
      nifi \
      cetic/nifi \
      --version 1.1.0 \
      -f nifi-values.yaml \
      --set auth.oidc.clientSecret="$KEYCLOAK_SECRET"
```
@wknickless Thank you. I can see how this CI solution would work for many cases. I am specifically trying to find a secure solution using FluxCD. From my research this requires reference to a k8s secret, perhaps created via Sealed Secrets. The Flux deployment model does not provide hooks for pre-processing with GitLab or other CI variable insertion.
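
For the Flux case raised above, a HelmRelease can read individual chart values from an existing Kubernetes Secret through `spec.valuesFrom`, which does the same job as the `--set` line in the CI fragment. This is an added example, not part of the thread or of the chart; the namespace `nifi`, the Secret name `nifi-oidc` and its keys are assumptions, and the API versions assume a recent Flux release.

```yaml
# Added example. Assumed names: namespace "nifi", Secret "nifi-oidc"
# with keys "clientId" and "clientSecret". The Secret is not committed
# in plain text; it is created in-cluster, for example by the Sealed
# Secrets controller from a SealedSecret stored in the same Git repo.
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: cetic
  namespace: nifi
spec:
  interval: 1h
  url: https://cetic.github.io/helm-charts
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: nifi
  namespace: nifi
spec:
  interval: 10m
  chart:
    spec:
      chart: nifi
      version: "1.1.0"
      sourceRef:
        kind: HelmRepository
        name: cetic
  # Each entry takes one key of the Secret and sets it at targetPath,
  # like "--set <targetPath>=<value>" on the helm command line.
  valuesFrom:
    - kind: Secret
      name: nifi-oidc
      valuesKey: clientId
      targetPath: auth.oidc.clientId
    - kind: Secret
      name: nifi-oidc
      valuesKey: clientSecret
      targetPath: auth.oidc.clientSecret
```

This keeps the client secret out of the Git repository, but it still reaches the chart as an ordinary Helm value, so it does not change how the chart writes it into nifi.properties.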