konpyutaika / nifikop

The NiFiKop NiFi Kubernetes operator makes it easy to run Apache NiFi on Kubernetes. Apache NiFi is a free, open-source solution that supports powerful and scalable directed graphs of data routing, transformation, and system mediation logic.
https://konpyutaika.github.io/nifikop/
Apache License 2.0

Common CA with external cluster #395

Closed mostafamohajeri closed 3 months ago

mostafamohajeri commented 4 months ago

Type of question

Implementation Assistance

Support question

Hi, I have a series of already deployed nifi clusters and a registry. Now we want to add nifikop to the mix and it looks like it works nicely with "external cluster".

The only issue is that I don't know how to make nifikop trust the cluster node certificates other than by creating a manual secret and referencing it in the secretRef. The current cluster has its certificates generated by cert-manager, so there is an issuer and each node has a certificate.

What would be the best approach here?

Thanks

NiFiKop version

No response

Golang version

No response

Kubernetes version

No response

NiFi version

No response

mh013370 commented 4 months ago

You should use the same issuer & cert-manager to generate a Certificate for nifikop to use to communicate with these external clusters. Set the NifiCluster.Spec.SecretRef to the Certificate.Spec.SecretName & namespace, as appropriate.

Here's where nifikop extracts the fields from that secret to set the TLS config for the nifi cluster client: https://github.com/konpyutaika/nifikop/blob/master/pkg/pki/certmanagerpki/certmanager_tls_config.go#L44-L46

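The trust relationship described above, as an added example (not nifikop's own code, which is at the link above): given the data of the cert-manager secret that NifiCluster.Spec.SecretRef points at, the check builds a trust root from its ca.crt and verifies that a node certificate chains to it, while a node certificate from an unrelated CA is rejected. Only the Go standard library is used; the CA and node certificates are constructed in-memory stand-ins for cert-manager output, and the node host name is an assumption.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// ca.crt: the issuing CA cert-manager stores in the Certificate's secret beside tls.crt and tls.key.
const caCrt = "ca.crt"

// nodeTrustedBySecret returns nil when a node certificate chains to that secret's ca.crt and is valid for host.
func nodeTrustedBySecret(secret map[string][]byte, node *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(secret[caCrt]) {
		return errors.New("ca.crt is missing or holds no PEM certificate")
	}
	_, err := node.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// mintCert issues a constructed stand-in certificate: a self-signed CA when parent is nil, else a leaf.
func mintCert(cn string, dns []string, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), DNSNames: dns,
		IsCA: parent == nil, BasicConstraintsValid: true}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// demo: a node cert under the cluster CA passes, one under an unrelated CA does not (host name assumed).
func demo() (nodeOK, impostorOK bool) {
	const host = "nifi-0.nifi.svc.cluster.local"
	ca, caKey := mintCert("nifi-ca", nil, nil, nil)
	node, _ := mintCert("nifi-0", []string{host}, ca, caKey)
	other, otherKey := mintCert("unrelated-ca", nil, nil, nil)
	impostor, _ := mintCert("nifi-0", []string{host}, other, otherKey)
	secret := map[string][]byte{caCrt: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw})}
	return nodeTrustedBySecret(secret, node, host) == nil, nodeTrustedBySecret(secret, impostor, host) == nil
}
```

Against a live cluster the same check applies to the real secret data (kubectl can dump it) and to the certificate a node presents on its HTTPS port; a node issued by a different Issuer fails exactly like the impostor here.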
mostafamohajeri commented 4 months ago

Thanks @mh013370, worked as you described.

Follow-up question: I also added the CN of this user to nifi's initial users (which works with OIDC). What permissions does this user need for nifikop to have the same access as with an internal cluster? I'm going one by one and it seems like /flow and /controller are at least needed.

Also, do you know if there's a way to give all these accesses automatically to the user with the cert?

mh013370 commented 4 months ago

Ah, yes. Here's the full spec nifikop uses to create the controller user for "internal" nifi clusters: https://github.com/konpyutaika/nifikop/blob/master/pkg/util/pki/common.go#L195-L228

Copy all of those access policies for this external cluster "controller".

@juldrixx might be able to say for sure, but you might be able to do exactly what nifikop does and create a NifiUser, setting CreateCert to true. This will prompt nifikop to generate a Certificate for you, place it in the specified secret, and then configure the assigned access policies on the external cluster. Otherwise, I think you'd have to do it manually :(

mostafamohajeri commented 4 months ago

The part of creating the certificate I'm already doing automatically with the Helm chart that is deploying the clusters, basically adding

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
 name: nifikop-{{ template "apache-nifi.fullname" $ }}-operator
 namespace: {{ $.Release.Namespace }}
spec:
 duration: 2160h
 commonName: nifikop-{{ template "apache-nifi.fullname" $ }}
 subject:
  organizationalUnits:
   - NIFI
 secretName: {{ template "apache-nifi.fullname" $ }}-operator-creds
 privateKey:
  rotationPolicy: Always
 usages:
  - digital signature
  - content commitment
  - key encipherment
  - data encipherment
  - key agreement
  - server auth
  - client auth
 dnsNames:
  - localhost
 issuerRef:
  name: {{ template "apache-nifi.fullname" $ }}-ca
  kind: Issuer

As you said, this can also be created with nifikop, which is probably a good idea.

But I do wonder if assigning the policies that you mentioned can also be automated? Because if nifikop does not have access, then it can't create the user in nifi and modify the policies to give itself permissions anyway. It would be great if it's doable, though.