This repository has been archived by the owner on Feb 12, 2024. It is now read-only.

How to enable SSL Vault in Nifi #326

Open

kamniphat01 opened this issue Jan 4, 2024 · 1 comment
Labels
question Further information is requested

Comments

@kamniphat01

Hi guys, I need some help or a suggestion.

Helmchart 1.1.3
Nifi Image version: 1.19.1
Standalone Nifi Server: Replica 1

Currently I am trying to figure out which part of the scripts or Helm chart generates the truststore and keystore and replaces them in nifi.properties.

Default nifi.properties from the Helm chart:

nifi.security.keystore=./conf/keystore.p12
nifi.security.keystoreType=PKCS12
nifi.security.keystorePasswd=
nifi.security.keyPasswd=
nifi.security.truststore=./conf/truststore.p12
nifi.security.truststoreType=PKCS12
nifi.security.truststorePasswd=
nifi.security.user.login.identity.provider=single-user-provider
nifi.security.user.authorizer=single-user-authorizer

After the deployment, I checked /conf/nifi.properties in the container:

[image: screenshot of /conf/nifi.properties inside the container]

The objective is to update bootstrap-hashicorp-vault.conf so that the keystore password and truststore password are the same as in nifi.properties, in order to enable TLS and connect to my HTTPS Vault server instead of HTTP.

# Optional TLS properties
vault.ssl.enabledCipherSuites=
vault.ssl.enabledProtocols=TLSv1.3
vault.ssl.key-store=./conf/keystore.p12
vault.ssl.key-store-type=PKCS12
vault.ssl.key-store-password=
vault.ssl.trust-store=./conf/truststore.p12
vault.ssl.trust-store-type=PKCS12
vault.ssl.trust-store-password=

It is not recommended to use StandardSSLContextService with a manually entered keystore password and truststore password, because sometimes when the NiFi server restarts it will regenerate a new keystore password and truststore password.
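One way to keep the two files in step, as an added example that is not code from the helm-nifi chart, from NiFi, or from this issue: a small POSIX shell script that reads whatever keystore and truststore paths, types and passwords NiFi has written into nifi.properties and mirrors them into the vault.ssl.* keys of bootstrap-hashicorp-vault.conf. It refuses to run while the password fields are still empty, which is the state the issue shows before NiFi's first start. The helper names (prop_get, prop_set, sync_vault_tls), the file locations, and the sample values in the comments are assumptions for illustration; it also assumes the conf directory is writable and that it runs after NiFi has populated the passwords, for example from a startup hook that runs once the stores exist.

```shell
#!/bin/sh
# Added example (not from the helm-nifi chart, NiFi, or this issue).
# Mirrors nifi.security.keystore*/truststore* from nifi.properties into the
# vault.ssl.* keys of bootstrap-hashicorp-vault.conf so the two files cannot
# drift when a restart regenerates the stores and their passwords.
# Assumptions: conf directory is writable; passwords already populated.
set -eu

# Print the value of key=value in a Java properties file (first match; empty if absent).
# Pure shell string matching, so keys and values need no regex escaping.
# $1 = file, $2 = key
prop_get() {
    while IFS= read -r _line || [ -n "$_line" ]; do
        case $_line in
            "$2="*) printf '%s\n' "${_line#"$2="}"; return 0 ;;
        esac
    done < "$1"
    return 0
}

# Set key=value in a properties file: replace the existing line or append one.
# Writes a temp file and renames it, so a failure leaves the original intact.
# $1 = file, $2 = key, $3 = value
prop_set() {
    _tmp="$1.tmp.$$"
    _found=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        case $_line in
            "$2="*) printf '%s=%s\n' "$2" "$3"; _found=1 ;;
            *)      printf '%s\n' "$_line" ;;
        esac
    done < "$1" > "$_tmp"
    [ "$_found" -eq 1 ] || printf '%s=%s\n' "$2" "$3" >> "$_tmp"
    mv "$_tmp" "$1"
}

# Copy store paths, types and passwords from nifi.properties into the Vault
# bootstrap file. Returns 1 without touching anything if NiFi has not yet
# filled in the passwords (i.e. this ran before NiFi generated the stores).
# $1 = path to nifi.properties, $2 = path to bootstrap-hashicorp-vault.conf
sync_vault_tls() {
    _ks=$(prop_get "$1" nifi.security.keystore)
    _ks_type=$(prop_get "$1" nifi.security.keystoreType)
    _ks_pw=$(prop_get "$1" nifi.security.keystorePasswd)
    _ts=$(prop_get "$1" nifi.security.truststore)
    _ts_type=$(prop_get "$1" nifi.security.truststoreType)
    _ts_pw=$(prop_get "$1" nifi.security.truststorePasswd)
    if [ -z "$_ks_pw" ] || [ -z "$_ts_pw" ]; then
        echo "sync_vault_tls: keystore/truststore password not yet set in $1" >&2
        return 1
    fi
    prop_set "$2" vault.ssl.key-store "$_ks"
    prop_set "$2" vault.ssl.key-store-type "${_ks_type:-PKCS12}"
    prop_set "$2" vault.ssl.key-store-password "$_ks_pw"
    prop_set "$2" vault.ssl.trust-store "$_ts"
    prop_set "$2" vault.ssl.trust-store-type "${_ts_type:-PKCS12}"
    prop_set "$2" vault.ssl.trust-store-password "$_ts_pw"
}

# Typical invocation from a startup hook (paths are assumptions):
# sync_vault_tls /opt/nifi/nifi-current/conf/nifi.properties \
#                /opt/nifi/nifi-current/conf/bootstrap-hashicorp-vault.conf
```

Because the script only ever reads the passwords NiFi itself wrote, a regenerated keystore after a restart is picked up on the next run rather than silently breaking the Vault TLS client; the non-zero exit on empty passwords is deliberate, so that a hook running too early fails loudly instead of writing blank vault.ssl.*-password values.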

@banzo banzo added the question Further information is requested label Jan 5, 2024
@kobethuwis

Why would you want to use your own HTTPS vault server?

The newest version of the NiFi chart communicates internally over HTTPS; it's obligatory since NiFi version 1.16.3. If you want to deploy NiFi in cluster mode using your chart and share the certificates across the different nodes, the easiest way to do that is by using an external cert-manager instance or by using the nifi-tls-toolkit as an init-container for your pods.

I serve NiFi externally over HTTPS by using an ingress-nginx-controller with an SSL certificate, and internally with cert-manager and it works great!
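To show the cert-manager route the reply suggests, here is an added example that is not code from the chart, from cert-manager, or from either participant: a shell script that renders a cert-manager Certificate covering every pod of a NiFi StatefulSet and asks cert-manager to emit PKCS12 stores whose password comes from a Kubernetes Secret. Because that password is fixed by the Secret rather than generated at NiFi startup, the same value can be written into nifi.properties and into the vault.ssl.*-password keys of bootstrap-hashicorp-vault.conf and stays valid across restarts. The release name, namespace, headless service naming, ClusterIssuer name (internal-ca) and Secret name are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the helm-nifi chart or cert-manager). Renders a
# cert-manager.io/v1 Certificate for a NiFi StatefulSet whose pods are
# reachable as <release>-<i>.<release>-headless.<ns>.svc.cluster.local.
# keystores.pkcs12 makes cert-manager write keystore.p12 (and truststore.p12
# when the issuer provides a CA) into the target Secret, protected by the
# password in passwordSecretRef: a stable password NiFi never regenerates.
# All names below are assumptions for illustration.
set -eu

# Print YAML list items for the per-pod and service-wide DNS SANs.
# $1 = release name, $2 = namespace, $3 = replica count (>= 1)
render_dns_names() {
    _i=0
    while [ "$_i" -lt "$3" ]; do
        printf '    - %s-%s.%s-headless.%s.svc.cluster.local\n' "$1" "$_i" "$1" "$2"
        _i=$((_i + 1))
    done
    printf '    - %s-headless.%s.svc.cluster.local\n' "$1" "$2"
}

# Print the full Certificate manifest to stdout.
# $1 = release name, $2 = namespace, $3 = replica count
render_certificate() {
    if [ "$3" -lt 1 ]; then
        echo "render_certificate: replica count must be >= 1" >&2
        return 1
    fi
    cat <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: $1-tls
  namespace: $2
spec:
  secretName: $1-tls
  issuerRef:
    name: internal-ca
    kind: ClusterIssuer
  commonName: $1-0.$1-headless.$2.svc.cluster.local
  dnsNames:
$(render_dns_names "$1" "$2" "$3")
  usages:
    - digital signature
    - key encipherment
    - server auth
    - client auth
  keystores:
    pkcs12:
      create: true
      passwordSecretRef:
        name: $1-keystore-password
        key: password
EOF
}

# Typical use (assumed names): render_certificate nifi nifi 3 | kubectl apply -f -
```

The resulting Secret is mounted into the pods as the keystore.p12 and truststore.p12 that both nifi.properties and bootstrap-hashicorp-vault.conf point at, with the password from the referenced Secret placed in nifi.security.keystorePasswd, nifi.security.truststorePasswd, vault.ssl.key-store-password and vault.ssl.trust-store-password. The SAN list must cover every pod name, which is why the replica count is an input: a certificate that is valid for nifi-0 only will fail cluster TLS as soon as nifi-1 joins.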
