konpyutaika / nifikop

The NiFiKop NiFi Kubernetes operator makes it easy to run Apache NiFi on Kubernetes. Apache NiFi is a free, open-source solution that supports powerful and scalable directed graphs of data routing, transformation, and system mediation logic.
https://konpyutaika.github.io/nifikop/
Apache License 2.0
128 stars, 44 forks

Expose OIDC configuration into values.yaml #463

Open ggerla opened 4 days ago

ggerla commented 4 days ago

Is your feature request related to a problem?

I need to configure OIDC for NiFi. In my case the nifikop helm chart is a sub-chart, so I need to manage OIDC from external values in a more abstract way. In addition, the clientSecret should be managed through a secret.

Describe the solution you'd like to see

Similar to singleUserConfiguration and ldapConfiguration I would like to have a section like this

```
oidcConfiguration:
  discoveryUrl=
  clientId=<oidc client's id>
  clientSecret=<oidc client's secret>
  patternDn=
  valueDn=$1
  transformDn=NONE
```

Describe alternatives you've considered

The idea can be to change nifi-config-sc.yaml

```yaml
.....
nifi.properties: |-
  {{ if .Values.cluster.oidcConfiguration }}
  nifi.security.user.oidc.discovery.url={{ .Values.cluster.oidcConfiguration.discoveryUrl }}
  nifi.security.user.oidc.client.id={{ .Values.cluster.oidcConfiguration.clientId }}
  nifi.security.user.oidc.client.secret={{ .Values.cluster.oidcConfiguration.clientSecret }}
  nifi.security.identity.mapping.pattern.dn={{ .Values.cluster.oidcConfiguration.patternDn | default "CN=([^,]*)(?:, (?:O|OU)=.*)?" }}
  nifi.security.identity.mapping.value.dn={{ .Values.cluster.oidcConfiguration.valueDn | default "$1" }}
  nifi.security.identity.mapping.transform.dn={{ .Values.cluster.oidcConfiguration.transformDn | default "NONE" }}
  {{ end }}
  {{ .Values.cluster.nifiProperties.overrideConfigs | b64enc | indent 4 }}
```

Additional context

No response
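The following is an added example and not code from the issue or from nifikop. It renders the proposed nifi.properties fragment the way Helm would (the `default` pipeline function is emulated after Sprig's, since Go's text/template has none), parses the result back into the key=value pairs NiFi reads, and then applies the resulting `nifi.security.identity.mapping.*` triple to sample identities so the effect of the default pattern `CN=([^,]*)(?:, (?:O|OU)=.*)?` with value `$1` is visible. The `OIDCValues` struct, its field names, the IdP URL and the secret are constructed for this example; that NiFi applies a mapping only when the whole identity matches the pattern, and that `transform.dn` accepts NONE, LOWER and UPPER, is assumed from NiFi's documentation. Note the client secret still lands in the rendered ConfigMap in clear text, which is exactly the point the thread raises against putting it in values.yaml.

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
	"strings"
	"text/template"
)

// OIDCValues mirrors the proposed oidcConfiguration section of values.yaml
// (field names are this example's assumption, not nifikop's CRD).
type OIDCValues struct {
	DiscoveryURL, ClientID string
	ClientSecret           string // plain value here: the weakness the thread discusses
	PatternDn, ValueDn     string
	TransformDn            string
}

// sprigDefault mimics Sprig's "default": `{{ .X | default "fb" }}` is default("fb", .X).
func sprigDefault(fallback, given string) string {
	if given == "" {
		return fallback
	}
	return given
}

// propertiesTmpl is the issue's nifi.properties fragment in text/template syntax.
const propertiesTmpl = `{{ if . -}}
nifi.security.user.oidc.discovery.url={{ .DiscoveryURL }}
nifi.security.user.oidc.client.id={{ .ClientID }}
nifi.security.user.oidc.client.secret={{ .ClientSecret }}
nifi.security.identity.mapping.pattern.dn={{ .PatternDn | default "CN=([^,]*)(?:, (?:O|OU)=.*)?" }}
nifi.security.identity.mapping.value.dn={{ .ValueDn | default "$1" }}
nifi.security.identity.mapping.transform.dn={{ .TransformDn | default "NONE" }}
{{- end }}
`

// RenderOIDCProperties renders the fragment and parses it back into the
// key=value pairs NiFi will read from the ConfigMap. A nil section renders nothing.
func RenderOIDCProperties(v *OIDCValues) (map[string]string, error) {
	t, err := template.New("nifi.properties").
		Funcs(template.FuncMap{"default": sprigDefault}).Parse(propertiesTmpl)
	if err != nil {
		return nil, err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, v); err != nil {
		return nil, err
	}
	props := map[string]string{}
	for _, line := range strings.Split(buf.String(), "\n") {
		if line = strings.TrimSpace(line); line == "" {
			continue
		}
		k, val, ok := strings.Cut(line, "=")
		if !ok {
			return nil, fmt.Errorf("malformed property line %q", line)
		}
		props[k] = val
	}
	return props, nil
}

// MapIdentity applies one nifi.security.identity.mapping.* triple. It assumes
// NiFi's documented behaviour: the mapping fires only on a full match, the value
// may reference capture groups as $1, and transform is NONE, LOWER or UPPER.
func MapIdentity(pattern, value, transform, identity string) (string, error) {
	re, err := regexp.Compile("^(?:" + pattern + ")$")
	if err != nil {
		return "", fmt.Errorf("invalid mapping pattern %q: %w", pattern, err)
	}
	if !re.MatchString(identity) {
		return identity, nil // unmatched identities pass through unchanged
	}
	mapped := re.ReplaceAllString(identity, value)
	switch strings.ToUpper(transform) {
	case "", "NONE":
		return mapped, nil
	case "LOWER":
		return strings.ToLower(mapped), nil
	case "UPPER":
		return strings.ToUpper(mapped), nil
	}
	return "", fmt.Errorf("unknown transform %q", transform)
}

func main() {
	// Constructed sample values; the IdP URL and the secret are placeholders.
	props, err := RenderOIDCProperties(&OIDCValues{
		DiscoveryURL: "https://idp.example.test/.well-known/openid-configuration",
		ClientID:     "nifi", ClientSecret: "constructed-example-secret",
	})
	if err != nil {
		panic(err)
	}
	fmt.Println("client secret rendered in clear text:", props["nifi.security.user.oidc.client.secret"])
	id, _ := MapIdentity(props["nifi.security.identity.mapping.pattern.dn"],
		props["nifi.security.identity.mapping.value.dn"],
		props["nifi.security.identity.mapping.transform.dn"], "CN=alice, OU=users, O=example")
	fmt.Println("mapped identity:", id)
}
```

Running it shows why the defaults matter: a certificate-style identity `CN=alice, OU=users, O=example` collapses to `alice`, while an identity that does not look like a DN (for instance an e-mail address from the OIDC provider) is passed through unchanged, so a wrong `patternDn` silently leaves users unmapped rather than failing loudly.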

mh013370 commented 4 days ago

Since we support configuring LDAP in NiFi through a similar manner, I think this is a reasonable request. And i agree that sensitive values should be pulled from secrets and not provided in raw text in the values.yaml.

https://konpyutaika.github.io/nifikop/docs/5_references/1_nifi_cluster/#ldapconfiguration

ggerla commented 4 days ago

I was looking into the code. I think that the change can be done only in nifi-config-sc.yaml, using the clientSecret in clear text. If we want to have a k8s secret to "hide" the clientSecret, then I think we need to change the Go code as well. Am I right?

mh013370 commented 4 days ago

Yes, supporting a feature like this would require CRD changes and consequently code changes.

mh013370 commented 4 days ago

That said, it's possible to configure OIDC right now through the following approach: https://konpyutaika.github.io/nifikop/docs/3_manage_nifi/1_manage_clusters/1_deploy_cluster/5_users_authentication/1_oidc

ggerla commented 4 days ago

Yes, I know, thanks. I'm already using this configuration.