Closed mostafamohajeri closed 3 months ago
You should use the same issuer & cert-manager to generate a Certificate for nifikop to use to communicate with these external clusters. Set the NifiCluster.Spec.SecretRef to the Certificate.Spec.SecretName & namespace, as appropriate.
Here's where nifikop extracts the fields from that secret to set the TLS config for the nifi cluster client: https://github.com/konpyutaika/nifikop/blob/master/pkg/pki/certmanagerpki/certmanager_tls_config.go#L44-L46
Thanks @mh013370, worked as you described.
Follow-up question: I also added the CN of this user to nifi's initial users (which works with OIDC). What permissions does this user need for nifikop to have the same access as an internal cluster? I'm going one by one and it seems like /flow and /controller are at least needed.
Also do you know if there's a way to give all these access automatically to the user with the cert?
Ah, yes. here's the full spec nifikop uses to create the controller user for "internal" nifi clusters: https://github.com/konpyutaika/nifikop/blob/master/pkg/util/pki/common.go#L195-L228
Copy all of those access policies for this external cluster "controller".
@juldrixx might be able to say for sure, but you might be able to do exactly what nifikop does and create a NifiUser, setting CreateCert to true. This will prompt nifikop to generate a Certificate for you, place it in the specified secret, and then configure the assigned access policies on the external cluster. Otherwise, I think you'd have to do it manually :(
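Putting the two suggestions together as a sketch, as an added example that is not code from this thread or from the nifikop project: an external NifiCluster whose secretRef points at the cert-manager secret, and a NifiUser that carries the controller identity plus access policies. Field names assume the nifikop NifiCluster/NifiUser CRDs; the cluster name, hostnames, root process group id and the identity string are constructed placeholders, and the policy list holds only the two the thread has confirmed so far, so the rest should be copied from the common.go link.

```yaml
# Added example (not from the thread or from nifikop itself).
# Field names assume the nifikop NifiCluster/NifiUser CRDs; names, hosts,
# ids and the identity below are constructed placeholders.
apiVersion: nifi.konpyutaika.com/v1
kind: NifiCluster
metadata:
  name: external-nifi               # placeholder
  namespace: nifi                   # placeholder
spec:
  clusterManager: external
  # URI template for the already-deployed nodes (placeholder hostname).
  nodeURITemplate: "nifi-%d.nifi.svc.cluster.local:8443"
  # Placeholder: read the real id from the existing cluster's root process group.
  rootProcessGroupId: "00000000-0000-0000-0000-000000000000"
  # The client cert, key and CA that cert-manager wrote for the operator's
  # Certificate (cert-manager's standard tls.crt / tls.key / ca.crt keys).
  secretRef:
    name: my-nifi-operator-creds    # = Certificate.spec.secretName
    namespace: nifi                 # = Certificate's namespace
---
apiVersion: nifi.konpyutaika.com/v1
kind: NifiUser
metadata:
  name: nifikop-controller          # placeholder
  namespace: nifi
spec:
  # Must equal the DN NiFi derives from the client certificate, and must
  # already be one of NiFi's initial users (with admin policies); otherwise
  # nifikop has no access with which to grant itself anything.
  identity: "CN=nifikop-my-nifi, OU=NIFI"
  clusterRef:
    name: external-nifi
    namespace: nifi
  # Let nifikop issue the Certificate and write it into secretName; keep this
  # false if the Helm-managed Certificate from the thread stays the source.
  createCert: true
  secretName: my-nifi-operator-creds
  includeJKS: false
  # Only the policies confirmed in the thread; copy the full controller-user
  # list from pkg/util/pki/common.go for parity with an internal cluster.
  accessPolicies:
    - type: global
      action: read
      resource: /flow
    - type: global
      action: read
      resource: /controller
    - type: global
      action: write
      resource: /controller
```

The bootstrap order matters: the identity has to be present in NiFi's initial users before nifikop reconciles the NifiUser, because policy changes are made through the NiFi API with that same client certificate, and a client that is not yet authorised cannot authorise itself.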
The part of creating the certificate I'm already doing automatically with the Helm chart that is deploying the clusters, basically adding:

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: nifikop-{{ template "apache-nifi.fullname" $ }}-operator
  namespace: {{ $.Release.Namespace }}
spec:
  duration: 2160h
  commonName: nifikop-{{ template "apache-nifi.fullname" $ }}
  subject:
    organizationalUnits:
      - NIFI
  secretName: {{ template "apache-nifi.fullname" $ }}-operator-creds
  privateKey:
    rotationPolicy: Always
  usages:
    - digital signature
    - content commitment
    - key encipherment
    - data encipherment
    - key agreement
    - server auth
    - client auth
  dnsNames:
    - localhost
  issuerRef:
    name: {{ template "apache-nifi.fullname" $ }}-ca
    kind: Issuer
```
As you said, this can also be created with nifikop, which is probably a good idea, but I do wonder if assigning the policies that you mentioned can also be automated? Because if nifikop does not have access then it can't create the user in nifi and modify the policies to give itself permissions anyway. Would be great if it's doable though.
Type of question
Implementation Assistance
Support question
Hi, I have a series of already deployed nifi clusters and registry. Now we want to add nifikop to the mix and it looks like it works nicely with "external cluster".
The only issue is that I don't know how to make nifikop trust the cluster node certificates other than creating a manual secret and referencing it in the secretRef. The current cluster has its certificates generated by cert-manager, so there is an issuer and each node has a certificate.
What would be the best approach here?
Thanks
NiFiKop version
No response
Golang version
No response
Kubernetes version
No response
NiFi version
No response