cetic / helm-nifi

Helm Chart for Apache Nifi
Apache License 2.0

How to enable SSL Vault in Nifi #326

Open kamniphat01 opened 7 months ago

kamniphat01 commented 7 months ago

Hi Guys, need some help or suggestion.

Helm chart 1.1.3, NiFi image version 1.19.1, standalone NiFi server (replica 1).

Currently I am trying to figure out which part of the scripts or Helm chart generates the truststore and keystore and replaces them in nifi.properties.

Default nifi.properties from the Helm chart:

nifi.security.keystore=./conf/keystore.p12
nifi.security.keystoreType=PKCS12
nifi.security.keystorePasswd=
nifi.security.keyPasswd=
nifi.security.truststore=./conf/truststore.p12
nifi.security.truststoreType=PKCS12
nifi.security.truststorePasswd=
nifi.security.user.login.identity.provider=single-user-provider
nifi.security.user.authorizer=single-user-authorizer

After the deployment I checked /conf/nifi.properties in the container.

The objective is to update bootstrap-hashicorp-vault.conf so that its keystore password and truststore password are the same as in nifi.properties, in order to enable TLS and connect to my HTTPS Vault server instead of HTTP.

# Optional TLS properties
vault.ssl.enabledCipherSuites=
vault.ssl.enabledProtocols=TLSv1.3
vault.ssl.key-store=./conf/keystore.p12
vault.ssl.key-store-type=PKCS12
vault.ssl.key-store-password=
vault.ssl.trust-store=./conf/truststore.p12
vault.ssl.trust-store-type=PKCS12
vault.ssl.trust-store-password=

It is not recommended to use StandardSSLContextService with manually entered keystore and truststore passwords, because sometimes when the NiFi server restarts it regenerates a new keystore password and truststore password.
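One way to keep the two files in step after every restart, as an added example that is not part of the helm-nifi chart or of NiFi: read the keystore and truststore paths and passwords that NiFi actually ended up with in nifi.properties and write them into the matching vault.ssl.* keys. The property names and paths are the ones quoted above; the container hook it would run from (after the chart's startup logic has filled nifi.properties, before NiFi starts) is assumed.

```shell
#!/bin/sh
# Added example, not chart code: propagate NiFi's generated TLS passwords into
# bootstrap-hashicorp-vault.conf so the Vault client uses the same keystore and
# truststore that NiFi itself trusts. Values are matched on the exact key, so a
# password containing '=' or '/' is handled; awk -v still interprets backslashes.

# Print the value of key $2 from properties file $1 (first match only).
prop_get() {
  awk -v k="$2" 'BEGIN{FS="="} $1==k {print substr($0, length(k)+2); exit}' "$1"
}

# Set key $2 to value $3 in properties file $1, replacing the existing line or
# appending one if the key is absent. Writes via a temp file, then renames.
prop_set() {
  awk -v k="$2" -v v="$3" 'BEGIN{FS="="}
    $1==k {print k "=" v; f=1; next}
    {print}
    END{if(!f) print k "=" v}' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Copy the four TLS properties from nifi.properties ($1) into the Vault
# bootstrap file ($2). Returns 1 if NiFi has not generated passwords yet, so a
# caller can retry instead of writing empty passwords.
sync_vault_tls() {
  ks_pass=$(prop_get "$1" nifi.security.keystorePasswd)
  ts_pass=$(prop_get "$1" nifi.security.truststorePasswd)
  [ -n "$ks_pass" ] && [ -n "$ts_pass" ] || return 1
  prop_set "$2" vault.ssl.key-store            "$(prop_get "$1" nifi.security.keystore)"
  prop_set "$2" vault.ssl.key-store-password   "$ks_pass"
  prop_set "$2" vault.ssl.trust-store          "$(prop_get "$1" nifi.security.truststore)"
  prop_set "$2" vault.ssl.trust-store-password "$ts_pass"
}

# Usage (paths as in the post):
#   sync_vault_tls ./conf/nifi.properties ./conf/bootstrap-hashicorp-vault.conf
```

Because the bootstrap file then holds the same secrets as nifi.properties, give it the same file permissions and keep both out of any ConfigMap that is readable cluster-wide.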

kobethuwis commented 7 months ago

Why would you want to use your own HTTPS vault server?

The newest version of the NiFi chart communicates internally over HTTPS; it's obligatory since NiFi version 1.16.3. If you want to deploy NiFi in cluster mode using your chart and share the certificates over the different nodes, the easiest way to do that is by using an external cert-manager instance or by using the nifi-tls-toolkit as an init-container for your pods.

I serve NiFi externally over HTTPS by using an ingress-nginx-controller with an SSL certificate, and internally with cert-manager and it works great!