cetic / helm-nifi

Helm Chart for Apache Nifi
Apache License 2.0
215 stars 228 forks source link

[cetic/nifi] OIDC Untrusted proxy apache-nifi-0.apache-nifi-headless.nifi.svc.cluster.local #277

Open diegorates1991 opened 2 years ago

diegorates1991 commented 2 years ago

Hello, I'm trying to implement a Nifi cluster using the latest version of this helm chart. I'm using keycloak for OIDC authentication. But I'm getting the following message when trying to authenticate in the UI:

Untrusted proxy apache-nifi-0.apache-nifi-headless.nifi.svc.cluster.local

I'm trying to run a cluster with 2 nodes. Persistent volumes. Aws Loadbalancer cert-manager. And authentication with keycloak.

Even running on only 1 node. The problem persists.

NAME READY STATUS RESTARTS AGE apache-nifi-0 5/5 Running 0 12m apache-nifi-zookeeper-0 1/1 Running 0 12m apache-nifi-zookeeper-1 1/1 Running 0 12m apache-nifi-zookeeper-2 1/1 Running 0 12m

My values.yaml

oidc: enabled: true discoveryUrl: http://mydomain.com/realms/nifi/.well-known/openid-configuration clientId: nifi clientSecret: xxxxxxx claimIdentifyingUser: email admin: my-email@domain.com

Request additional scopes, for example profile

additionalScopes:

Any help on what's missing or what might be going on?

Log from user-log container:

2022-11-14 18:05:49,165 INFO [NiFi Web Server-184] o.a.n.w.s.NiFiAuthenticationFilter Authentication Started 152.x.x.x [my-email@domain.com] GET https://apache-nifi-0.apache-nifi-headless.nifi.svc.cluster.local:8443/nifi-api/flow/current-user 2022-11-14 18:05:49,166 WARN [NiFi Web Server-184] o.a.n.w.s.NiFiAuthenticationFilter Authentication Failed 152.x.x.x GET https://apache-nifi-0.apache-nifi-headless.nifi.svc.cluster.local:8443/nifi-api/flow/current-user [Untrusted proxy apache-nifi-0.apache-nifi-headless.nifi.svc.cluster.local]

Thank you!

jrebmann commented 1 year ago

Hi @diegorates1991,

maybe following article helps you to solve your problem:

Setup a secure Apache NiFi cluster in Kubernetes

It also describes how to setup a Apache NiFi cluster with a working OIDC authentication.