Skip to content

NIFI-9401: HashiCorpVaultParameterProvider#6304

Closed
gresockj wants to merge 10 commits intoapache:mainfrom
gresockj:NIFI-9401
Closed

NIFI-9401: HashiCorpVaultParameterProvider#6304
gresockj wants to merge 10 commits intoapache:mainfrom
gresockj:NIFI-9401

Conversation

@gresockj
Copy link
Contributor

@gresockj gresockj commented Aug 16, 2022
edited
Loading

Summary

NIFI-9401

This adds a new HashiCorpVaultParameterProvider to fetch parameters from HashiCorpVault.

Tracking

Please complete the following tracking steps prior to pull request creation.

Issue Tracking

Pull Request Tracking

  • Pull Request title starts with Apache NiFi Jira issue number, such as NIFI-00000
  • Pull Request commit message starts with Apache NiFi Jira issue number, as such NIFI-00000

Pull Request Formatting

  • Pull Request based on current revision of the main branch
  • Pull Request refers to a feature branch with one commit containing changes

Verification

Please indicate the verification steps performed prior to pull request creation.

Build

  • Build completed using mvn clean install -P contrib-check
    • JDK 8
    • JDK 11
    • JDK 17

Licensing

  • New dependencies are compatible with the Apache License 2.0 according to the License Policy
  • New dependencies are documented in applicable LICENSE and NOTICE files

Documentation

  • Documentation formatting appears as expected in rendered files

@gresockj gresockj requested a review from mtien-apache August 16, 2022 17:42
@gresockj gresockj marked this pull request as draft August 16, 2022 17:43
exceptionfactory
exceptionfactory requested changes Aug 31, 2022
View reviewed changes
Copy link
Contributor

@exceptionfactory exceptionfactory left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for putting forward this pull request for review @gresockj!

I reviewed the HashiCorp Vault Controller Service and noted several suggestions related to the property configuration, as well as a few other minor adjustments.

@gresockj gresockj marked this pull request as ready for review September 9, 2022 18:28
exceptionfactory
exceptionfactory reviewed Sep 9, 2022
View reviewed changes
Copy link
Contributor

@exceptionfactory exceptionfactory left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the updates @gresockj, briefly noted where Resource References can be used to handle properties files.

...t-service-api/src/main/java/org/apache/nifi/vault/hashicorp/HashiCorpVaultClientService.java Outdated
"Environment Configuration documentation (https://docs.spring.io/spring-vault/docs/2.3.x/reference/html/#vault.core.environment-vault-configuration). " +
"All of the Spring property keys and authentication-specific property keys are supported.")
.required(true)
.addValidator(MultiFileExistsValidator.INSTANCE)
Copy link
Contributor

@exceptionfactory exceptionfactory Sep 9, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be changed to use the identifiesExternalResource(ResourceCardinality.MULTIPLE, ResourceType.FILE) description to support framework-based resource handling.

@gresockj
Changing testConnection to getServerVersion in Vault Service, and usi…
41cc20a 
…ng framework Property Resources for Vault Properties Files
exceptionfactory
exceptionfactory requested changes Sep 12, 2022
View reviewed changes
Copy link
Contributor

@exceptionfactory exceptionfactory left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the updates @gresockj, this looks close to completion. Two additional minor recommendations related to property naming and the unnecessary custom validator.

...t-service-api/src/main/java/org/apache/nifi/vault/hashicorp/HashiCorpVaultClientService.java
*/
public interface HashiCorpVaultClientService extends ControllerService, VerifiableControllerService {

AllowableValue DIRECT_PROPERTIES = new AllowableValue("direct-properties", "Direct Properties",
Copy link
Contributor

@exceptionfactory exceptionfactory Sep 12, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What do you think about naming this strategy Service Properties?

exceptionfactory
exceptionfactory requested changes Sep 13, 2022
View reviewed changes
Copy link
Contributor

@exceptionfactory exceptionfactory left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the updates @gresockj!

The Controller Service appears to function as designed at runtime, but in the process of building and verifying the NAR bundles, I noticed duplication of nifi-vault-utils and all transitive dependencies in nifi-hashicorp-vault-nar. This highlighted the need to mark nifi-vault-utils as provided in the Controller Service implementation JAR Maven configuration, as well as the in the nifi-hashicorp-vault-parameter-value-provider Maven configuration.

This raised another question, given the fact the nifi-vault-utils contains both the HashiCorpVaultCommunicationService interface and implementation. Providing that as part of a public Controller Service interface makes sense for this design, but it also highlights a need to change the module structure. Moving the Communication Service interface to a separate nifi-hashicorp-vault-api module would provide a clean separation for the purpose of making the interface public. I can help with the implementation if needed.

nifi-nar-bundles/nifi-hashicorp-vault-bundle/nifi-hashicorp-vault-client-service/pom.xml
<dependency>
<groupId>org.apache.nifi</groupId>
<artifactId>nifi-vault-utils</artifactId>
<version>1.18.0-SNAPSHOT</version>
Copy link
Contributor

@exceptionfactory exceptionfactory Sep 13, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be marked with the provided scope since it is included in the vault-client-service-api.

exceptionfactory
exceptionfactory approved these changes Sep 15, 2022
View reviewed changes
Copy link
Contributor

@exceptionfactory exceptionfactory left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for working through the feedback @gresockj, the latest version looks good! +1 merging

p-kimberley pushed a commit to p-kimberley/nifi that referenced this pull request Oct 15, 2022
@gresockj @p-kimberley
NIFI-9401 Added HashiCorpVaultParameterProvider
c1d9ca6 
- Refactored nifi-vault-utils to nifi-hashicorp-vault-api and nifi-hashcorp-vault modules
- Added HashiCorpVaultClientService and Standard implementation

This closes apache#6304

Signed-off-by: David Handermann <exceptionfactory@apache.org>
@Reamer
Copy link

Reamer commented Oct 22, 2024

@gresockj How to configure the truststore and keystore if you have a valid public certificate. The certificate chain should already be known to the JVM via JAVA_HOME/lib/security/cacerts.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@exceptionfactory exceptionfactory exceptionfactory approved these changes

@mtien-apache mtien-apache Awaiting requested review from mtien-apache

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@gresockj @Reamer @exceptionfactory