Skip to content

NIFI-9401: HashiCorpVaultParameterProvider#6304

Closed
gresockj wants to merge 10 commits intoapache:mainfrom
gresockj:NIFI-9401
Closed

NIFI-9401: HashiCorpVaultParameterProvider#6304
gresockj wants to merge 10 commits intoapache:mainfrom
gresockj:NIFI-9401

Conversation

@gresockj
Copy link
Contributor

@gresockj gresockj commented Aug 16, 2022

Summary

NIFI-9401

This adds a new HashiCorpVaultParameterProvider to fetch parameters from HashiCorpVault.

Tracking

Please complete the following tracking steps prior to pull request creation.

Issue Tracking

Pull Request Tracking

  • Pull Request title starts with Apache NiFi Jira issue number, such as NIFI-00000
  • Pull Request commit message starts with Apache NiFi Jira issue number, as such NIFI-00000

Pull Request Formatting

  • Pull Request based on current revision of the main branch
  • Pull Request refers to a feature branch with one commit containing changes

Verification

Please indicate the verification steps performed prior to pull request creation.

Build

  • Build completed using mvn clean install -P contrib-check
    • JDK 8
    • JDK 11
    • JDK 17

Licensing

  • New dependencies are compatible with the Apache License 2.0 according to the License Policy
  • New dependencies are documented in applicable LICENSE and NOTICE files

Documentation

  • Documentation formatting appears as expected in rendered files

@gresockj gresockj requested a review from mtien-apache August 16, 2022 17:42
@gresockj gresockj marked this pull request as draft August 16, 2022 17:43
Copy link
Contributor

@exceptionfactory exceptionfactory left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for putting forward this pull request for review @gresockj!

I reviewed the HashiCorp Vault Controller Service and noted several suggestions related to the property configuration, as well as a few other minor adjustments.

@gresockj gresockj marked this pull request as ready for review September 9, 2022 18:28
Copy link
Contributor

@exceptionfactory exceptionfactory left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the updates @gresockj, briefly noted where Resource References can be used to handle properties files.

"Environment Configuration documentation (https://docs.spring.io/spring-vault/docs/2.3.x/reference/html/#vault.core.environment-vault-configuration). " +
"All of the Spring property keys and authentication-specific property keys are supported.")
.required(true)
.addValidator(MultiFileExistsValidator.INSTANCE)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be changed to use the identifiesExternalResource(ResourceCardinality.MULTIPLE, ResourceType.FILE) description to support framework-based resource handling.

…ng framework Property Resources for Vault Properties Files
Copy link
Contributor

@exceptionfactory exceptionfactory left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the updates @gresockj, this looks close to completion. Two additional minor recommendations related to property naming and the unnecessary custom validator.

*/
public interface HashiCorpVaultClientService extends ControllerService, VerifiableControllerService {

AllowableValue DIRECT_PROPERTIES = new AllowableValue("direct-properties", "Direct Properties",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What do you think about naming this strategy Service Properties?

Copy link
Contributor

@exceptionfactory exceptionfactory left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the updates @gresockj!

The Controller Service appears to function as designed at runtime, but in the process of building and verifying the NAR bundles, I noticed duplication of nifi-vault-utils and all transitive dependencies in nifi-hashicorp-vault-nar. This highlighted the need to mark nifi-vault-utils as provided in the Controller Service implementation JAR Maven configuration, as well as the in the nifi-hashicorp-vault-parameter-value-provider Maven configuration.

This raised another question, given the fact the nifi-vault-utils contains both the HashiCorpVaultCommunicationService interface and implementation. Providing that as part of a public Controller Service interface makes sense for this design, but it also highlights a need to change the module structure. Moving the Communication Service interface to a separate nifi-hashicorp-vault-api module would provide a clean separation for the purpose of making the interface public. I can help with the implementation if needed.

<dependency>
<groupId>org.apache.nifi</groupId>
<artifactId>nifi-vault-utils</artifactId>
<version>1.18.0-SNAPSHOT</version>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be marked with the provided scope since it is included in the vault-client-service-api.

Copy link
Contributor

@exceptionfactory exceptionfactory left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for working through the feedback @gresockj, the latest version looks good! +1 merging

p-kimberley pushed a commit to p-kimberley/nifi that referenced this pull request Oct 15, 2022
- Refactored nifi-vault-utils to nifi-hashicorp-vault-api and nifi-hashcorp-vault modules
- Added HashiCorpVaultClientService and Standard implementation

This closes apache#6304

Signed-off-by: David Handermann <exceptionfactory@apache.org>
@Reamer
Copy link

Reamer commented Oct 22, 2024

@gresockj How to configure the truststore and keystore if you have a valid public certificate. The certificate chain should already be known to the JVM via JAVA_HOME/lib/security/cacerts.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants