Open ggerla opened 4 days ago
Since we support configuring LDAP in NiFi through a similar manner, I think this is a reasonable request. And I agree that sensitive values should be pulled from secrets and not provided in raw text in the values.yaml.
https://konpyutaika.github.io/nifikop/docs/5_references/1_nifi_cluster/#ldapconfiguration
I was looking into the code. I think that the change can be done in nifi-config-sc.yaml only, using a clear clientSecret. If we want to have a k8s secret to "hide" the clientSecret, then I think we also need to change the Go code. Am I right?
Yes, supporting a feature like this would require CRD changes and consequently code changes.
That said, it's possible to configure OIDC right now through the following approach: https://konpyutaika.github.io/nifikop/docs/3_manage_nifi/1_manage_clusters/1_deploy_cluster/5_users_authentication/1_oidc
Yes, I know, thanks. I'm already using this configuration.
Is your feature request related to a problem?
I need to configure OIDC for NiFi. In my case the nifikop Helm chart is a sub-chart, so I need to manage OIDC from external values in a more abstract way. In addition, the clientSecret should be managed through a secret.
Describe the solution you'd like to see
Similar to singleUserConfiguration and ldapConfiguration, I would like to have a section like this:

    oidcConfiguration:
      discoveryUrl=
      clientId=<oidc client's id>
      clientSecret=<oidc client's secret>
      patternDn=
      valueDn=$1
      transformDn=NONE
Describe alternatives you've considered
The idea can be to change nifi-config-sc.yaml
    .....
    nifi.properties: |-
      {{ if .Values.cluster.oidcConfiguration }}
      nifi.security.user.oidc.discovery.url={{ .Values.cluster.oidcConfiguration.discoveryUrl }}
      nifi.security.user.oidc.client.id={{ .Values.cluster.oidcConfiguration.clientId }}
      nifi.security.user.oidc.client.secret={{ .Values.cluster.oidcConfiguration.clientSecret }}
      nifi.security.identity.mapping.pattern.dn={{ .Values.cluster.oidcConfiguration.patternDn | default "CN=([^,])(?:, (?:O|OU)=.)?" }}
      nifi.security.identity.mapping.value.dn={{ .Values.cluster.oidcConfiguration.valueDn | default "$1" }}
      nifi.security.identity.mapping.transform.dn={{ .Values.cluster.oidcConfiguration.transformDn | default "NONE" }}
      {{ end }}
      {{ .Values.cluster.nifiProperties.overrideConfigs | b64enc | indent 4 }}
Additional context
No response
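As an added illustration (not part of the issue and not the project's own code), this is one way to keep the OIDC client secret out of values.yaml with the override approach linked above, where only the sensitive property sits in a Kubernetes Secret. It assumes nifikop's `readOnlyConfig.nifiProperties.overrideSecretConfig` reference (`name`, `namespace`, `data`) and that the operator merges it with `overrideConfigs`; the resource names, namespace and bracketed values are placeholders.

```yaml
# Constructed example: names, namespace and bracketed values are placeholders.
apiVersion: v1
kind: Secret
metadata:
  name: nifi-oidc-secret          # hypothetical name
  namespace: nifi                 # hypothetical namespace
type: Opaque
stringData:
  # Only the sensitive property lives here, written as a nifi.properties fragment.
  nifi.properties: |
    nifi.security.user.oidc.client.secret=<oidc client's secret>
---
apiVersion: nifi.konpyutaika.com/v1
kind: NifiCluster
metadata:
  name: nifi-cluster              # hypothetical name
  namespace: nifi
spec:
  # Other required NifiCluster fields are omitted from this fragment.
  readOnlyConfig:
    nifiProperties:
      # Non-sensitive OIDC settings can stay in plain text.
      overrideConfigs: |
        nifi.security.user.oidc.discovery.url=<discovery url>
        nifi.security.user.oidc.client.id=<oidc client's id>
        nifi.security.identity.mapping.value.dn=$1
        nifi.security.identity.mapping.transform.dn=NONE
      # Reference to the Secret above; `data` names the key to read from it.
      overrideSecretConfig:
        name: nifi-oidc-secret
        namespace: nifi
        data: nifi.properties
```

Creating the Secret outside the chart, for example through an external secret manager, keeps the value out of values.yaml and out of version control.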