konpyutaika / nifikop

The NiFiKop NiFi Kubernetes operator makes it easy to run Apache NiFi on Kubernetes. Apache NiFi is a free, open-source solution that supports powerful and scalable directed graphs of data routing, transformation, and system mediation logic.
https://konpyutaika.github.io/nifikop/
Apache License 2.0
126 stars 44 forks

Nifi in cluster and secured with istio gateway #225

Closed ggerla closed 1 year ago

ggerla commented 1 year ago

Hi all, I need to deploy a NiFi cluster with HTTPS enabled. I have neither LDAP nor Keycloak, so I would like to configure only one admin user. Because my K8S is using Istio, I configured a gateway and a virtual service to allow access to the cluster from the external world. I created a secret with my CA and then an issuer. I deployed the operator with this configuration:

image:
  repository: quay.io/konpyutaika/docker-images/nifikop

namespaces:
- nifi
- cert-manager

and finally deployed the cluster:

apiVersion: nifi.konpyutaika.com/v1
kind: NifiCluster
metadata:
  name: sslnifi
spec:
  service:
    headlessEnabled: true
    labels:
      cluster-name: sslnifi
  zkAddress: "zookeeper.nifi.svc.cluster.local:2181"
  zkPath: "/ssllnifinodes"
  clusterImage: "proxy-ext.docker.at.thales/apache/nifi:1.17.0"
  initContainerImage: 'artifactory.prz.ics.eu-west-1.aws.gts/public_docker/library/bash:5.2.2'
  oneNifiNodePerNode: true
  externalServices:
#    - metadata:
#        labels:
#          cluster-name: sslnifi
#      name: driver-ip
#      spec:
#        portConfigs:
#          - internalListenerName: https
#            port: 8443
#        type: LoadBalancer
    - name: "nifi-cluster"
      spec:
        type: ClusterIP
        portConfigs:
          - port: 8443
            internalListenerName: "https"   
  managedAdminUsers:
    - identity : "CN=admin"
      name: "admin"
  propagateLabels: true
  nifiClusterTaskSpec:
    retryDurationMinutes: 10
  readOnlyConfig:
    # NifiProperties configuration that will be applied to the node.
    nifiProperties:
      webProxyHosts:
        - nifi.my-domain.com:443
      overrideConfigs: |
        nifi.sensitive.props.key=thisIsABadSensitiveKeyPassword
        nifi.security.identity.mapping.pattern.dn=CN=([^,]*)(?:, (?:O|OU)=.*)?
        nifi.security.identity.mapping.value.dn=$1
        nifi.security.identity.mapping.transform.dn=NONE
  nodeConfigGroups:
    default_group:
      isNode: true
      storageConfigs:
        - mountPath: "/opt/nifi/nifi-current/logs"
          name: logs
          pvcSpec:
            accessModes:
              - ReadWriteOnce
            storageClassName: "csi-cinder-sc-delete"
            resources:
              requests:
                storage: 10Gi
        - mountPath: "/opt/nifi/data"
          name: data
          pvcSpec:
            accessModes:
              - ReadWriteOnce
            storageClassName: "csi-cinder-sc-delete"
            resources:
              requests:
                storage: 10Gi
        - mountPath: "/opt/nifi/flowfile_repository"
          name: flowfile-repository
          pvcSpec:
            accessModes:
              - ReadWriteOnce
            storageClassName: "csi-cinder-sc-delete"
            resources:
              requests:
                storage: 10Gi
        - mountPath: "/opt/nifi/nifi-current/conf"
          name: conf
          pvcSpec:
            accessModes:
              - ReadWriteOnce
            storageClassName: "csi-cinder-sc-delete"
            resources:
              requests:
                storage: 10Gi
        - mountPath: "/opt/nifi/content_repository"
          name: content-repository
          pvcSpec:
            accessModes:
              - ReadWriteOnce
            storageClassName: "csi-cinder-sc-delete"
            resources:
              requests:
                storage: 10Gi
        - mountPath: "/opt/nifi/provenance_repository"
          name: provenance-repository
          pvcSpec:
            accessModes:
              - ReadWriteOnce
            storageClassName: "csi-cinder-sc-delete"
            resources:
              requests:
                storage: 10Gi
      serviceAccountName: "default"
      resourcesRequirements:
        limits:
          cpu: "2"
          memory: 3Gi
        requests:
          cpu: "1"
          memory: 1Gi
  nodes:
    - id: 0
      nodeConfigGroup: "default_group"
    - id: 1
      nodeConfigGroup: "default_group"
    - id: 2
      nodeConfigGroup: "default_group"
  listenersConfig:
    internalListeners:
      - type: "https"
        name: "https"
        containerPort: 8443
      - type: "cluster"
        name: "cluster"
        containerPort: 6007
      - type: "s2s"
        name: "s2s"
        containerPort: 10000
#      - type: "load-balance"
#        name: "load-balance"
#        containerPort: 6342
    sslSecrets:
      tlsSecretName: "sslnifi-secret"
      create: true
      clusterScoped: true
      issuerRef:
        name: nifi-ca-issuer
        kind: Issuer

The cluster seems to start properly, but if I try to access the UI I receive the following error:

[screenshot of the error, not reproduced here]

Do you have any idea on how to solve this issue?

ggerla commented 1 year ago

Hi, I was able to progress a little bit. I configured access to an external Keycloak and this solved the issue posted before. Now if I try to access from Firefox everything works fine, but if I try to access from Chrome I receive the following error:

Unauthorized error="invalid_token", error_description="An error occurred while attempting to decode the Jwt: Signed JWT rejected: Another algorithm expected, or no matching key(s) found", error_uri="https://tools.ietf.org/html/rfc6750#section-3.1"

Because this issue disappears when I reduce the number of nodes to 1, I think this issue is related to the Istio gateway configuration... Can someone help me to progress?

mh013370 commented 1 year ago

I haven't configured NiFi behind an Istio gateway, but I have configured NiFi with OIDC behind an nginx Ingress. For any proxy sitting in front of your NiFi cluster, you need to make sure you set the appropriate proxy headers: https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#proxy_configuration

I have an open PR to contribute a helm chart for NiFi clusters, including an Ingress. It might help you as an example of how to configure a proxy:

https://github.com/mh013370/nifikop/blob/add-nifi-cluster-chart/helm/nifi-cluster/values.yaml#L210-L215
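As an added example (not from this issue, the linked PR, or the NiFiKop project), an Istio VirtualService and DestinationRule that route the `nifi.my-domain.com` host from the NifiCluster above to its `nifi-cluster` ClusterIP service and set the proxy headers named in the linked NiFi guide; the gateway name `nifi-gateway`, the namespace `nifi` and the CA file path are assumptions.

```yaml
# Added example, not the issue author's or the project's manifests.
# Assumes an existing Istio Gateway "nifi-gateway" in namespace "nifi"
# that terminates TLS for nifi.my-domain.com on port 443.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: nifi
  namespace: nifi
spec:
  hosts:
    - nifi.my-domain.com
  gateways:
    - nifi-gateway
  http:
    - route:
        - destination:
            # The externalServices entry "nifi-cluster" from the NifiCluster
            host: nifi-cluster.nifi.svc.cluster.local
            port:
              number: 8443
      headers:
        request:
          set:
            # NiFi compares these against nifi.web.proxy.host
            # (webProxyHosts above); keep the two values identical.
            X-ProxyHost: nifi.my-domain.com:443
            X-ProxyScheme: https
            X-ProxyPort: "443"
---
# The gateway re-encrypts to NiFi's HTTPS listener on 8443 instead of
# forwarding plaintext to a TLS port.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: nifi
  namespace: nifi
spec:
  host: nifi-cluster.nifi.svc.cluster.local
  trafficPolicy:
    tls:
      mode: SIMPLE
      sni: nifi-cluster.nifi.svc.cluster.local
      # Assumed path: the CA that signed the sslnifi-secret certificates,
      # mounted into the ingress gateway pod so it verifies NiFi's server
      # certificate rather than accepting any certificate.
      caCertificates: /etc/istio/nifi-ca/ca.crt
```

Without the `caCertificates` entry the gateway still connects but does not verify which node it is talking to.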

ggerla commented 1 year ago

Hi all, after a lot of trouble I was able to solve the issue. I created a doc page with this PR:

https://github.com/konpyutaika/nifikop/pull/228

ggerla commented 1 year ago

@juldrixx I noted that my PR was merged into v1.0.0, but it is still not present in 1.1.0. Do you know how this is possible?

juldrixx commented 1 year ago

Oh, I hadn't seen this one: you modified the wrong file (the version 1.0.0 file), so the change is only there.

I will correct this.

juldrixx commented 1 year ago

Fixed.

ggerla commented 1 year ago

Fixed.

Thanks