cetic / helm-nifi

Helm Chart for Apache Nifi
Apache License 2.0

Authorization issue using OIDC #167

Closed celsomarques closed 3 years ago

celsomarques commented 3 years ago

Describe the bug: I'm trying to configure OIDC, but the users.xml file doesn't reflect the auth.admin config and I'm unable to authenticate to Nifi. Inside conf/authorizers.xml it seems to be ok.

Version of Helm and Kubernetes: Helm:

version.BuildInfo{Version:"v3.6.3", GitCommit:"d506314abfb5d21419df8c7e7e68012379db2354", GitTreeState:"clean", GoVersion:"go1.16.5"}

Kubernetes:

Client Version: version.Info{Major:"1", Minor:"20", GitVersion:"v1.20.7", GitCommit:"132a687512d7fb058d0f5890f07d4121b3f0a2e2", GitTreeState:"clean", BuildDate:"2021-05-12T12:40:09Z", GoVersion:"go1.15.12", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"20+", GitVersion:"v1.20.8-gke.900", GitCommit:"28ab8501be88ea42e897ca8514d7cd0b436253d9", GitTreeState:"clean", BuildDate:"2021-06-30T09:23:36Z", GoVersion:"go1.15.13b5", Compiler:"gc", Platform:"linux/amd64"}

What happened: The UI shows that I have insufficient permissions, and auth-conf/users.xml is as follows:

nifi@nifi-0:/opt/nifi/nifi-current/auth-conf$ cat users.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
    <groups/>
    <users>
        <user identifier="47c717db-75da-3d54-8ab3-1731497291c7" identity="CN=admin, OU=NIFI"/>
        <user identifier="5ac2302b-365e-3d9a-a24e-f17565d2ca08" identity="CN=nifi-0.nifi-headless.nifi.svc.cluster.local, OU=NIFI"/>
        <user identifier="802187fa-2f40-30b4-8554-c32b425ab945" identity="CN=nifi-1.nifi-headless.nifi.svc.cluster.local, OU=NIFI"/>
    </users>
</tenants>

What you expected to happen: I expected my email address to be filled in inside the first user identifier, as follows:

nifi@nifi-0:/opt/nifi/nifi-current/auth-conf$ cat users.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
    <groups/>
    <users>
        <user identifier="47c717db-75da-3d54-8ab3-1731497291c7" identity="xxx@xxx.com"/>
        <user identifier="5ac2302b-365e-3d9a-a24e-f17565d2ca08" identity="CN=nifi-0.nifi-headless.nifi.svc.cluster.local, OU=NIFI"/>
        <user identifier="802187fa-2f40-30b4-8554-c32b425ab945" identity="CN=nifi-1.nifi-headless.nifi.svc.cluster.local, OU=NIFI"/>
    </users>
</tenants>

How to reproduce it (as minimally and precisely as possible):

Anything else we need to know:

Here is some information that may help troubleshooting:

values.yaml

replicaCount: 2

image:
  repository: apache/nifi
  tag: 1.12.1

properties:
  # use externalSecure for when inbound SSL is provided by nginx-ingress or other external mechanism
  externalSecure: false
  isNode: true # set to false if ldap is enabled
  httpPort: null # set to null if ldap is enabled
  httpsPort: 8443 # set to 9443 if ldap is enabled
  webProxyHost: host.com:8443
  clusterPort: 6007
  clusterSecure: true # set to true if ldap is enabled
  needClientAuth: false
  provenanceStorage: "8 GB"
  siteToSite:
    port: 10000
  authorizer: managed-authorizer
  # use properties.safetyValve to pass explicit 'key: value' pairs that overwrite other configuration
  safetyValve:
    nifi.web.http.network.interface.default: eth0
    nifi.web.http.network.interface.lo: lo

service:
  type: LoadBalancer
  httpsPort: 443
  loadBalancerIP: xxx.xxx.xxx.xxx

ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: letsencrypt-test
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/affinity: cookie
    nginx.ingress.kubernetes.io/session-cookie-name: route
    nginx.ingress.kubernetes.io/session-cookie-expires: "172800"
    nginx.ingress.kubernetes.io/session-cookie-max-age: "172800"
    nginx.ingress.kubernetes.io/session-cookie-path: /
  path: /
  hosts:
    - host.com
  tls:
    - hosts:
      - host.com
      secretName: host-tls

persistence:
  enabled: true

auth:
  admin: xxx@xxxx.com
  oidc:
    enabled: true
    discoveryUrl: https://accounts.google.com/.well-known/openid-configuration
    clientId: xxxxx
    clientSecret: xxxx

zookeeper:
  enabled: false
  url: zookeeper.zookeeper
  port: 2181

registry:
  enabled: false
  url: nifi-registry
  port: 18080

conf/authorizers.xml

nifi@nifi-0:/opt/nifi/nifi-current$ cat conf/authorizers.xml |more
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizers>

    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./auth-conf/users.xml</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Initial User Identity 0">CN=nifi-0.nifi-headless.nifi.svc.cluster.local, OU=NIFI</property>
        <property name="Initial User Identity 1">CN=nifi-1.nifi-headless.nifi.svc.cluster.local, OU=NIFI</property>
        <property name="Initial User Identity admin">xxx@xxx.com</property>
    </userGroupProvider>

    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Authorizations File">./auth-conf/authorizations.xml</property>
        <property name="Initial Admin Identity">xxx@xxx.com</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Node Identity 0">CN=nifi-0.nifi-headless.nifi.svc.cluster.local, OU=NIFI</property>
        <property name="Node Identity 1">CN=nifi-1.nifi-headless.nifi.svc.cluster.local, OU=NIFI</property>
        <property name="Node Identity"></property>
    </accessPolicyProvider>

    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>

</authorizers>
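
An added check, not part of the issue or of the chart's own code, that a practitioner could run against a pod's conf/authorizers.xml and auth-conf/users.xml to confirm the mismatch reported above: it lists identities declared in authorizers.xml that are absent from users.xml. It assumes NiFi's documented behaviour that the Initial User Identity properties seed users.xml only when that file is first created, so with persistence enabled an existing users.xml keeps its old entries; the sample inputs are trimmed copies of the files in this report.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs, trimmed from the report above: users.xml still holds the
# placeholder "CN=admin, OU=NIFI" while authorizers.xml names the OIDC admin.
AUTHORIZERS_XML = """<authorizers>
  <userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <property name="Users File">./auth-conf/users.xml</property>
    <property name="Initial User Identity 0">CN=nifi-0.nifi-headless.nifi.svc.cluster.local, OU=NIFI</property>
    <property name="Initial User Identity admin">xxx@xxx.com</property>
  </userGroupProvider>
  <accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <property name="Initial Admin Identity">xxx@xxx.com</property>
    <property name="Node Identity 0">CN=nifi-0.nifi-headless.nifi.svc.cluster.local, OU=NIFI</property>
    <property name="Node Identity"></property>
  </accessPolicyProvider>
</authorizers>"""

USERS_XML = """<tenants>
  <groups/>
  <users>
    <user identifier="47c717db-75da-3d54-8ab3-1731497291c7" identity="CN=admin, OU=NIFI"/>
    <user identifier="5ac2302b-365e-3d9a-a24e-f17565d2ca08" identity="CN=nifi-0.nifi-headless.nifi.svc.cluster.local, OU=NIFI"/>
  </users>
</tenants>"""

IDENTITY_PROPS = ("Initial User Identity", "Initial Admin Identity", "Node Identity")

def expected_identities(authorizers_xml: str) -> set:
    """Identities authorizers.xml expects to exist; empty placeholder properties are skipped."""
    root = ET.fromstring(authorizers_xml)
    return {p.text.strip() for p in root.iter("property")
            if p.get("name", "").startswith(IDENTITY_PROPS) and p.text and p.text.strip()}

def seeded_identities(users_xml: str) -> set:
    """Identities actually present in users.xml."""
    return {u.get("identity") for u in ET.fromstring(users_xml).iter("user")}

def missing_identities(authorizers_xml: str, users_xml: str) -> set:
    """Configured identities that users.xml lacks. NiFi only seeds users.xml from the Initial
    User Identity properties when the file is first created (assumed documented behaviour), so
    on a persisted volume a non-empty result means the file predates the current auth.admin."""
    return expected_identities(authorizers_xml) - seeded_identities(users_xml)

if __name__ == "__main__":
    for ident in sorted(missing_identities(AUTHORIZERS_XML, USERS_XML)):
        print("missing from users.xml:", ident)
```

On a live pod, read the two files from /opt/nifi/nifi-current/conf and /opt/nifi/nifi-current/auth-conf instead of the embedded samples; an empty result means users.xml was seeded with the current identities.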

banzo commented 3 years ago

Related: https://github.com/cetic/helm-nifi/pull/166

celsomarques commented 3 years ago

I recreated the GKE cluster and was not able to reproduce the issue.