cetic / helm-nifi

Helm Chart for Apache Nifi
Apache License 2.0

[cetic/nifi] can't login via nginx ingress url #273

Closed shayki5 closed 1 year ago

shayki5 commented 2 years ago

Describe the bug: Can't log in when accessing via nginx ingress (can log in via localhost). I have my own SSL certificate on my ingress URL, so I guess it's related.

Version of Helm, Kubernetes and the Nifi chart: Helm 13.9.0, K8s 1.21.7, Nifi chart 1.1.1

What happened: I configured a secured cluster with certManager enabled and single-user authorization. When I try to access via localhost (with port-forwarding) it's working great. But when I try to log in via my nginx ingress URL I'm getting: [image]

What you expected to happen: Success to login.

How to reproduce it (as minimally and precisely as possible): Install the helm chart with certManager true and nginx ingress.

Anything else we need to know: Inside the pod I can see this error in nifi-user.log:

Caused by: org.springframework.security.oauth2.jwt.BadJwtException: An error occurred while attempting to decode the Jwt: Signed JWT rejected: Another algorithm expected, or no matching key(s) found
        at org.springframework.security.oauth2.jwt.NimbusJwtDecoder.createJwt(NimbusJwtDecoder.java:180)
        at org.springframework.security.oauth2.jwt.NimbusJwtDecoder.decode(NimbusJwtDecoder.java:137)
        at org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider.getJwt(JwtAuthenticationProvider.java:97)
        ... 104 common frames omitted
Caused by: com.nimbusds.jose.proc.BadJOSEException: Signed JWT rejected: Another algorithm expected, or no matching key(s) found
        at com.nimbusds.jwt.proc.DefaultJWTProcessor.process(DefaultJWTProcessor.java:357)
        at com.nimbusds.jwt.proc.DefaultJWTProcessor.process(DefaultJWTProcessor.java:303)
        at org.springframework.security.oauth2.jwt.NimbusJwtDecoder.createJwt(NimbusJwtDecoder.java:154)
        ... 106 common frames omitted

My relevant values.yaml:

replicaCount: 3
externalSecure: true
isNode: true
auth:
  singleUser:
    username: username
    password: changemechangeme
certManager:
  enabled: true
  clusterDomain: cluster.local
  keystorePasswd: changeme
  truststorePasswd: changeme
  replaceDefaultTrustStore: true
  additionalDnsNames:
    - localhost
    - nifi.dev-tools.mycompany.com
ingress:
  enabled: true
  # className: nginx
  annotations:
    nginx.ingress.kubernetes.io/upstream-vhost: "localhost:8443"
    nginx.ingress.kubernetes.io/proxy-redirect-from: "https://localhost:8443"
    nginx.ingress.kubernetes.io/proxy-redirect-to: "https://nifi.dev-tools.mycompany.com"
    kubernetes.io/tls-acme: "true"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
  tls:
    - hosts:
        - nifi.dev-tools.mycompany.com
      secretName: nifi-ca
  hosts:
    - nifi.dev-tools.mycompany.com
  path: /

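A toy model of the failure reported in this first post, added here as an illustration; it is not code from the issue, the chart or NiFi itself. It assumes, as the cookie-affinity annotations later in the thread suggest, that each cluster node signs its JWTs with its own key and names that key in the token's `kid` header, so a node that does not hold the matching key rejects the token with "no matching key(s) found". Without session affinity the ingress spreads one browser session over all replicas and the login token only verifies on the node that issued it; with affinity every request returns to that node. HS256, the node names and the key ids are constructed for the example and do not reflect NiFi's real algorithm or key management.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class Node:
    """A cluster node that holds only its own signing key (assumption for this model)."""

    def __init__(self, name: str):
        self.name = name
        self.kid = f"{name}-key-1"                      # constructed key id
        self.keys = {self.kid: secrets.token_bytes(32)}  # key known to this node only

    def issue_token(self, subject: str, ttl: int = 3600) -> str:
        header = {"alg": "HS256", "typ": "JWT", "kid": self.kid}
        payload = {"sub": subject, "iss": self.name, "exp": int(time.time()) + ttl}
        signing_input = f"{b64url(json.dumps(header).encode())}.{b64url(json.dumps(payload).encode())}"
        sig = hmac.new(self.keys[self.kid], signing_input.encode(), hashlib.sha256).digest()
        return f"{signing_input}.{b64url(sig)}"

    def verify_token(self, token: str) -> dict:
        """Verify algorithm, key id, signature and expiry; raise ValueError on any failure."""
        parts = token.split(".")
        if len(parts) != 3:
            raise ValueError("malformed token")
        h, p, s = parts
        header = json.loads(b64url_decode(h))
        if header.get("alg") != "HS256":
            raise ValueError("Another algorithm expected")
        key = self.keys.get(header.get("kid"))
        if key is None:
            raise ValueError("no matching key(s) found")   # the symptom from nifi-user.log
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            raise ValueError("bad signature")
        payload = json.loads(b64url_decode(p))
        if payload["exp"] < time.time():
            raise ValueError("expired")
        return payload


class Ingress:
    """Round-robin load balancer; with cookie affinity a session is pinned to its first node."""

    def __init__(self, nodes, cookie_affinity: bool):
        self.nodes = nodes
        self.affinity = cookie_affinity
        self.rr = 0
        self.pins = {}  # session cookie -> node

    def route(self, session_cookie: str) -> Node:
        if self.affinity and session_cookie in self.pins:
            return self.pins[session_cookie]
        node = self.nodes[self.rr % len(self.nodes)]
        self.rr += 1
        if self.affinity:
            self.pins[session_cookie] = node
        return node


def simulate(cookie_affinity: bool, requests: int = 6) -> list:
    """Log in once through the ingress, then replay the token; return one result per request."""
    nodes = [Node(f"nifi-{i}") for i in range(3)]   # replicaCount: 3, as in the post
    ingress = Ingress(nodes, cookie_affinity)
    token = ingress.route("sess-1").issue_token("username")
    results = []
    for _ in range(requests):
        try:
            ingress.route("sess-1").verify_token(token)
            results.append("ok")
        except ValueError as err:
            results.append(str(err))
    return results


if __name__ == "__main__":
    print("without affinity:", simulate(False))
    print("with affinity:   ", simulate(True))
```

Without affinity only every third request lands on the issuing node; the others fail exactly the way the log in the post does. Pinning the session (what `affinity: "cookie"` does on nginx ingress) makes the single-user login usable on a multi-replica cluster without sharing keys between nodes.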
shayki5 commented 2 years ago

I couldn't make it work with single user, but it's working for me with Keycloak as user management.

After I deployed Keycloak in my cluster I configured the values.yaml to:

oidc:
  enabled: true
  discoveryUrl: http://keycloack.mycompany.com/realms/nifi/.well-known/openid-configuration
  clientId: nifi
  clientSecret: mysecret
  claimIdentifyingUser: email
  admin: myuser@mycompany.com
  ## Request additional scopes, for example profile
  additionalScopes:

And to make it work I also needed to update the ingress settings (inside the values.yaml) and add the following annotations:

nginx.ingress.kubernetes.io/affinity: "cookie"
nginx.ingress.kubernetes.io/session-cookie-name: "hello-cookie"
nginx.ingress.kubernetes.io/session-cookie-expires: "1728000"
nginx.ingress.kubernetes.io/session-cookie-max-age: "1728000"
nginx.ingress.kubernetes.io/ssl-redirect: "false"
nginx.ingress.kubernetes.io/affinity-mode: persistent
nginx.ingress.kubernetes.io/session-cookie-hash: sha1

Now I can log in to the secured cluster with the user that I configured in Keycloak.

zenloop commented 1 year ago

Any updates with this? I am experiencing the exact same issue.

shayki5 commented 1 year ago

Update: it's working for me now with single user in this Ingress configuration:

ingress:
  enabled: true
  # className: nginx
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/upstream-vhost: "localhost:8443"
    nginx.ingress.kubernetes.io/proxy-redirect-from: "https://localhost:8443"
    nginx.ingress.kubernetes.io/proxy-redirect-to: "https://nifi.mycompany.com"
    kubernetes.io/tls-acme: "true"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    nginx.ingress.kubernetes.io/affinity: "cookie"
    nginx.ingress.kubernetes.io/session-cookie-name: "hello-cookie"
    nginx.ingress.kubernetes.io/session-cookie-expires: "17280000"
    nginx.ingress.kubernetes.io/session-cookie-max-age: "17280000"
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.ingress.kubernetes.io/affinity-mode: persistent
    nginx.ingress.kubernetes.io/session-cookie-hash: sha1
    nginx.ingress.kubernetes.io/proxy-body-size: 50m
    nginx.ingress.kubernetes.io/configuration-snippet: |
      proxy_set_header 'X-ProxyScheme' 'https';
      proxy_set_header 'X-ProxyPort' '443';
  hosts:
    - nifi.mycompany.com
  path: /

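A small values.yaml linter, added as an example and not part of the issue or the helm-nifi chart, that encodes what this thread turned out to need for a multi-replica secured cluster behind nginx ingress. It scans the raw YAML text for keys declared twice in the same mapping (the first post's values declared `externalSecure` twice) with a line-based check that needs no PyYAML, and then runs a handful of rules over an already-parsed values dict: cookie affinity when `replicaCount` > 1, matching `session-cookie-expires` / `session-cookie-max-age`, HTTPS to the backend, the `X-ProxyScheme` / `X-ProxyPort` headers from the working snippet, plain-HTTP exposure when `ssl-redirect` is `"false"`, and placeholder `changeme` credentials. The two sample configs are constructed from the values posted in this thread (the working one assumes `replicaCount` and `externalSecure` were left unchanged), and the rules themselves are this example's own reading of the fix, not documented chart requirements.

```python
import re

KEY_RE = re.compile(r"^(\s*)([A-Za-z0-9_./-]+):(\s|$)")
ANN = "nginx.ingress.kubernetes.io/"


def find_duplicate_keys(yaml_text: str) -> list:
    """Return (line_no, key) for keys repeated in the same block-style mapping.
    Comments and list items are skipped; nested mappings reset when indentation drops."""
    seen = {}   # indent width -> keys already seen at that level
    dups = []
    for no, line in enumerate(yaml_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith(("#", "- ")):
            continue
        m = KEY_RE.match(line)
        if not m:
            continue
        indent, key = len(m.group(1)), m.group(2)
        for deeper in [i for i in seen if i > indent]:
            del seen[deeper]
        level = seen.setdefault(indent, set())
        if key in level:
            dups.append((no, key))
        level.add(key)
    return dups


def lint_values(values: dict) -> list:
    """Return human-readable findings for a parsed values dict (rules are this example's assumptions)."""
    findings = []
    ann = values.get("ingress", {}).get("annotations", {})
    if values.get("replicaCount", 1) > 1 and ann.get(ANN + "affinity") != "cookie":
        findings.append("multi-node cluster without cookie affinity: a JWT issued by one node "
                        "can be sent to another node that does not hold the signing key")
    exp, age = ann.get(ANN + "session-cookie-expires"), ann.get(ANN + "session-cookie-max-age")
    if exp != age:
        findings.append(f"session-cookie-expires ({exp}) and session-cookie-max-age ({age}) differ")
    if values.get("externalSecure") and ann.get(ANN + "backend-protocol") != "HTTPS":
        findings.append("externalSecure is true but backend-protocol is not HTTPS")
    snippet = ann.get(ANN + "configuration-snippet", "")
    for hdr in ("X-ProxyScheme", "X-ProxyPort"):
        if hdr not in snippet:
            findings.append(f"proxy header {hdr} is not set for the NiFi backend")
    if ann.get(ANN + "ssl-redirect") == "false":
        findings.append("ssl-redirect is false: plain-HTTP requests to the ingress are not redirected to HTTPS")
    secrets = [values.get("auth", {}).get("singleUser", {}).get("password", ""),
               values.get("certManager", {}).get("keystorePasswd", ""),
               values.get("certManager", {}).get("truststorePasswd", "")]
    if any("changeme" in s for s in secrets):
        findings.append("placeholder 'changeme' credential left in values")
    return findings


# Constructed excerpt of the first post's values.yaml (duplicate key on line 4).
FIRST_POST_YAML = """\
replicaCount: 3
externalSecure: true
isNode: true
externalSecure: true
auth:
  singleUser:
    username: username
    password: changemechangeme
ingress:
  enabled: true
  annotations:
    nginx.ingress.kubernetes.io/upstream-vhost: "localhost:8443"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
"""

# The same config as a dict, the way a YAML loader would hand it over (constructed).
FIRST_POST = {
    "replicaCount": 3, "externalSecure": True,
    "auth": {"singleUser": {"username": "username", "password": "changemechangeme"}},
    "certManager": {"keystorePasswd": "changeme", "truststorePasswd": "changeme"},
    "ingress": {"annotations": {ANN + "upstream-vhost": "localhost:8443",
                                ANN + "backend-protocol": "HTTPS",
                                "kubernetes.io/tls-acme": "true"}},
}

# The later working ingress block (constructed; replicaCount/externalSecure assumed unchanged).
WORKING = {
    "replicaCount": 3, "externalSecure": True,
    "ingress": {"annotations": {
        ANN + "upstream-vhost": "localhost:8443", ANN + "backend-protocol": "HTTPS",
        ANN + "affinity": "cookie", ANN + "affinity-mode": "persistent",
        ANN + "session-cookie-expires": "17280000", ANN + "session-cookie-max-age": "17280000",
        ANN + "ssl-redirect": "false",
        ANN + "configuration-snippet": "proxy_set_header 'X-ProxyScheme' 'https';\n"
                                       "proxy_set_header 'X-ProxyPort' '443';"}},
}

if __name__ == "__main__":
    print("duplicate keys:", find_duplicate_keys(FIRST_POST_YAML))
    for name, cfg in (("first post", FIRST_POST), ("working", WORKING)):
        print(f"{name}:", *lint_values(cfg), sep="\n  ")
```

The first-post config trips the affinity, proxy-header and placeholder-credential rules; the working block clears all of them and is left only with the informational note that `ssl-redirect: "false"` keeps plain HTTP open on the ingress, which is worth a conscious decision rather than an accident.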
ThanosKarousos commented 1 year ago

I am experiencing the same issue when trying to configure an ingress path that is not /; however, the above configuration doesn't help. What am I missing? Any help would be greatly appreciated. My values.yaml.

Note: @shayki5 how did you manage to set kubernetes.io/tls-acme: "true" without an error? According to cert-manager/Securing Ingress Resources it needs additional configuration which is not present in the above comments. I have tried setting this up as well, but it didn't resolve my issue.