Users and groups are not getting created in sslnifi cluster #64

Closed
juldrixx opened this issue Mar 24, 2022 · 8 comments

@juldrixx

From nifikop created by Sreenivas-Ratakonda: Orange-OpenSource/nifikop#179

Bug Report

After setting up the sslnifi cluster I found that the managed users are not getting created. As per the docs, to log in to the NiFi cluster UI we need one admin user, but that user is not getting created in the NiFi cluster.
As per the docs, by default three groups get created (managed admins, managed users, managed nodes), but for me the NiFi user groups are not getting created.

What did you do?
I have created an sslnifi cluster.

apiVersion: nifi.orange.com/v1alpha1
kind: NifiCluster
metadata:
  name: sslnifi
spec:
  service:
    headlessEnabled: false
  zkAddress: "zookeeper.zookeeper.svc.cluster.local:2181"
  zkPath: "/ssllnifi"
  clusterImage: "apache/nifi:1.12.1"
  oneNifiNodePerNode: false
  managedAdminUsers:
    - identity: "sreenivas@mail.com"
      name: "nifiadmin"
  managedReaderUsers:
    - identity: "nifiuser@mail.com"
      name: "nifiuser"
  propagateLabels: true
  nifiClusterTaskSpec:
    retryDurationMinutes: 10
  readOnlyConfig:
    # NifiProperties configuration that will be applied to the node.
    nifiProperties:
      webProxyHosts:
        - nifistandard2.trycatchlearn.fr:8443

  nodeConfigGroups:
    default_group:
      isNode: true
      storageConfigs:
        - mountPath: "/opt/nifi/nifi-current/logs"
          name: logs
          pvcSpec:
            accessModes:
              - ReadWriteOnce
            storageClassName: "gp2"
            resources:
              requests:
                storage: 10Gi
        - mountPath: "/opt/nifi/data"
          name: data
          pvcSpec:
            accessModes:
              - ReadWriteOnce
            storageClassName: "gp2"
            resources:
              requests:
                storage: 10Gi
        - mountPath: "/opt/nifi/flowfile_repository"
          name: flowfile-repository
          pvcSpec:
            accessModes:
              - ReadWriteOnce
            storageClassName: "gp2"
            resources:
              requests:
                storage: 10Gi
        - mountPath: "/opt/nifi/nifi-current/conf"
          name: conf
          pvcSpec:
            accessModes:
              - ReadWriteOnce
            storageClassName: "gp2"
            resources:
              requests:
                storage: 10Gi
        - mountPath: "/opt/nifi/content_repository"
          name: content-repository
          pvcSpec:
            accessModes:
              - ReadWriteOnce
            storageClassName: "gp2"
            resources:
              requests:
                storage: 10Gi
        - mountPath: "/opt/nifi/provenance_repository"
          name: provenance-repository
          pvcSpec:
            accessModes:
              - ReadWriteOnce
            storageClassName: "gp2"
            resources:
              requests:
                storage: 10Gi
      serviceAccountName: "default"
      resourcesRequirements:
        limits:
          cpu: "0.5"
          memory: 2Gi
        requests:
          cpu: "0.5"
          memory: 2Gi
  nodes:
    - id: 1
      nodeConfigGroup: "default_group"
      readOnlyConfig:
        nifiProperties:
          overrideConfigs: |        
              nifi.ui.banner.text=Ciena Blueplanet Enterprise Node SSL 1
              nifi.remote.input.socket.port=
              nifi.remote.input.secure=true
              nifi.remote.input.host=xxxxxxxxxxxxxxxxxxxxxxxx.us-east-1.elb.amazonaws.com
    - id: 2
      nodeConfigGroup: "default_group"
      readOnlyConfig:
        nifiProperties:
          overrideConfigs: |
              nifi.ui.banner.text=Ciena Blueplanet Enterprise Node SSL 2
              nifi.remote.input.socket.port=
              nifi.remote.input.secure=true
              nifi.remote.input.host=xxxxxxxxxxxxxxxxxxxxxxxx.us-east-1.elb.amazonaws.com
    - id: 3
      nodeConfigGroup: "default_group"
      readOnlyConfig:
        nifiProperties:
          overrideConfigs: |
              nifi.ui.banner.text=Ciena Blueplanet Enterprise Node SSL 3
              nifi.remote.input.socket.port=
              nifi.remote.input.secure=true
              nifi.remote.input.host=xxxxxxxxxxxxxxxxxxxxxxxx.us-east-1.elb.amazonaws.com
  listenersConfig:
    internalListeners:
      - type: "https"
        name: "https"
        containerPort: 8443     
      - type: "cluster"
        name: "cluster"
        containerPort: 6007
      - type: "s2s"
        name: "s2s"
        containerPort: 10000
    sslSecrets:
      tlsSecretName: "test-nifikop"
      create: true

---
apiVersion: v1
kind: Service
metadata:
  name: sslnifi-all
spec:
  selector:
    app: nifi 
    nifi_cr: sslnifi
  ports:
  - name: https
    port: 8443
    protocol: TCP
    targetPort: 8443
  type: LoadBalancer

---
apiVersion: v1
kind: Service
metadata:
  name: sslnifi-1-node-lb
spec:
  selector:
    app: nifi 
    nifi_cr: sslnifi
    nodeId: "1"
  ports:
  - name: https
    port: 8443
    protocol: TCP
    targetPort: 8443
  type: LoadBalancer

---
apiVersion: v1
kind: Service
metadata:
  name: sslnifi-2-node-lb
spec:
  selector:
    app: nifi 
    nifi_cr: sslnifi
    nodeId: "2"
  ports:
  - name: https
    port: 8443
    protocol: TCP
    targetPort: 8443
  type: LoadBalancer

---
apiVersion: v1
kind: Service
metadata:
  name: sslnifi-3-node-lb
spec:
  selector:
    app: nifi 
    nifi_cr: sslnifi
    nodeId: "3"
  ports:
  - name: https
    port: 8443
    protocol: TCP
    targetPort: 8443
  type: LoadBalancer

---
apiVersion: nifi.orange.com/v1alpha1
kind: NifiUser
metadata:
  name: bpeadmin
spec:
  identity: bpeadmin@mail.com
  clusterRef:
    name: sslnifi
    namespace: nifi
  createCert: true
  includeJKS: true
  secretName: bpeadmin_secrets  # note: Kubernetes Secret names must be DNS-1123 subdomain names, which do not allow "_"


What did you expect to see?

We expected to see the managed users created, but those users are not created in the NiFi cluster.
I have created another user, bpeadmin; when I query nifikop it says the user is created, but the user is not created in the NiFi cluster.
A few NiFi user groups need to be created.

What did you see instead? Under which circumstances?

Below we can see that there are no managed users created, which are mentioned in the NifiCluster config.

Here it says that the bpeadmin user is created, but I have added the authorizers file and there is no bpeadmin user created in there.

Users created in the Nifi Cluster config

$ k get nifiusers.nifi.orange.com -n nifi
NAME                                        AGE
bpeadmin                                    18h
sslnifi-1-node.nifi.svc.cluster.local       18h
sslnifi-2-node.nifi.svc.cluster.local       18h
sslnifi-3-node.nifi.svc.cluster.local       18h
sslnifi-controller.nifi.mgt.cluster.local   18h

authorizers.xml file in one of the nodes.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizers>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">../data/users.xml</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Initial User Identity admin">sslnifi-controller.nifi.mgt.cluster.local</property>
        <property name="Initial User Identity 1">sslnifi-1-node.nifi.svc.cluster.local</property>
        <property name="Initial User Identity 2">sslnifi-2-node.nifi.svc.cluster.local</property>
        <property name="Initial User Identity 3">sslnifi-3-node.nifi.svc.cluster.local</property>
    </userGroupProvider>
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Authorizations File">../data/authorizations.xml</property>
        <property name="Initial Admin Identity">sslnifi-controller.nifi.mgt.cluster.local</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Node Identity 1">sslnifi-1-node.nifi.svc.cluster.local</property>
        <property name="Node Identity 2">sslnifi-2-node.nifi.svc.cluster.local</property>
        <property name="Node Identity 3">sslnifi-3-node.nifi.svc.cluster.local</property>
        <property name="Node Group"></property>
    </accessPolicyProvider>
    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>
</authorizers>

Detailed view at the bpeadmin user

$ k describe  nifiusers.nifi.orange.com/bpeadmin -n nifi
Name:         bpeadmin
Namespace:    nifi
Labels:       <none>
Annotations:  banzaicloud.com/last-applied:
                UEsDBBQACAAIAAAAAAAAAAAAAAAAAAAAAAAIAAAAb3JpZ2luYWyUk8GO0zAQht9lzk7bZHdb8AkJiQMgDrC7BwiHqT0po3Ucy3ZWWlV5d2SnSVPURXBp49HM+Pd8/xwBHT+SD9xZkG...
API Version:  nifi.orange.com/v1alpha1
Kind:         NifiUser
Metadata:
  Creation Timestamp:  2021-12-27T12:16:18Z
  Generation:          2
  Managed Fields:
    API Version:  nifi.orange.com/v1alpha1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          f:banzaicloud.com/last-applied:
      f:status:
        .:
        f:id:
        f:version:
    Manager:      manager
    Operation:    Update
    Time:         2021-12-27T12:16:18Z
    API Version:  nifi.orange.com/v1alpha1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .:
          f:kubectl.kubernetes.io/last-applied-configuration:
      f:spec:
        .:
        f:clusterRef:
          .:
          f:name:
          f:namespace:
        f:createCert:
        f:identity:
        f:includeJKS:
        f:secretName:
    Manager:         kubectl-client-side-apply
    Operation:       Update
    Time:            2021-12-27T13:01:37Z
  Resource Version:  65379941
  Self Link:         /apis/nifi.orange.com/v1alpha1/namespaces/nifi/nifiusers/bpeadmin
  UID:               7a7b71ed-2a12-466d-9f5c-073c6b42e3a7
Spec:
  Cluster Ref:
    Name:       sslnifi
    Namespace:  nifi
  Create Cert:  true
  Identity:     bpeadmin@brillio.com
  Include JKS:  true
  Secret Name:  bpeadmin_secrets
Events:
  Type    Reason                  Age                 From       Message
  ----    ------                  ----                ----       -------
  Normal  ReconcilingCertificate  13m (x86 over 18h)  nifi-user  Reconciling certificate for nifi user bpeadmin

No Nifi Groups Found

$ kubectl get -n nifi nifiusergroups.nifi.orange.com
No resources found in nifi namespace.

So to summarize, there is a conflict between what we see in k get nifiusers.nifi.orange.com -n nifi and authorizers.xml: one says the bpeadmin user is created, but the other doesn't have the bpeadmin user in authorizers.xml.

**So overall the users are not getting created in the NiFi cluster.**

Environment

  • nifikop version:
    Followed exact steps here:
    https://orange-opensource.github.io/nifikop/docs/2_setup/1_getting_started

  • Kubernetes version information:

$ k version
Client Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.7", GitCommit:"1dd5338295409edcfff11505e7bb246f0d325d15", GitTreeState:"clean", BuildDate:"2021-01-13T13:23:52Z", GoVersion:"go1.15.5", Compiler:"gc", Platform:"windows/amd64"}
Server Version: version.Info{Major:"1", Minor:"19+", GitVersion:"v1.19.13-eks-8df270", GitCommit:"8df2700a72a2598fa3a67c05126fa158fd839620", GitTreeState:"clean", BuildDate:"2021-07-31T01:36:57Z", GoVersion:"go1.15.14", Compiler:"gc", Platform:"linux/amd64"}
  • NiFi version:

1.12.1

Possible Solution

Additional context
Add any other context about the problem here.

@juldrixx

Hello @Sreenivas-Ratakonda !

I'm using headlessEnabled: true. But when I scale the cluster to 2 or more nodes, I can't log in with the user that is configured; it returns the message "Proposed state does not match the stored state. Unable to continue login process."

I've configured the ingress with nginx.ingress.kubernetes.io but it does not work either.

[screenshot]

@juldrixx

@Sreenivas-Ratakonda, I've solved my problem.

In my case, I need to configure Keycloak. I was missing the option Authorization Enabled = true.

[screenshot]

Then, in your case, you need to configure headlessEnabled: true, and in the ingress insert the configuration:

    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    nginx.ingress.kubernetes.io/affinity: "cookie"
    nginx.ingress.kubernetes.io/session-cookie-expires: "172800"
    nginx.ingress.kubernetes.io/session-cookie-max-age: "172800"
    nginx.ingress.kubernetes.io/affinity-mode: persistent

@juldrixx

Hello @Sreenivas-Ratakonda.

Sorry about the time taken to respond to you!
Is your problem solved?

@juldrixx

@Sreenivas-Ratakonda,

Do you use anything to authenticate in your UI, for example Keycloak, Azure, GCP, or do you use only users in NiFi?

In my CRD config I've used NiFi + Keycloak with OIDC, so I have not needed to configure these parameters:

  createCert: true
  includeJKS: true
  secretName: bpeadmin_secrets 

So, this is my CRD configuration of users and groups:

apiVersion: nifi.orange.com/v1alpha1
kind: NifiUser
metadata:
  name: wanderson.pereira
  namespace: nifi
spec:
  identity: wanderson.pereira@mydomain.com.br
  clusterRef:
    name: nifi-cluster
    namespace: nifi
  createCert: false

---

apiVersion: nifi.orange.com/v1alpha1
kind: NifiUserGroup
metadata:
  name: nifi-admin
  namespace: nifi
spec:
  clusterRef:
    name: nifi-cluster
    namespace: nifi
  accessPolicies:
    - type: global
      action: read
      resource: /flow

@juldrixx

@wandersonpereira
Now my cluster is up and running.

*********** With OIDC enabled ********************
For auth I have used AWS Cognito (for OIDC).
For ingress I have used the Elastic Load Balancer controller.
I am able to create the users and groups.

My requirement is to make S2S (site-to-site) between other standalone NiFi instances and this NiFi cluster.

But with OIDC I am forced to use an ALB, as only the ALB can offer the sticky sessions that are needed for OIDC.

Now the problem with the ALB is that it terminates SSL at the load balancer, but I need that SSL, so I have to go back to the NiFi cluster without OIDC.

********** Without OIDC ***************
Now when I remove the OIDC:

My cluster is up and running.

But the problem here is: the users and groups are not synchronized to the NiFi cluster.

When we create users and groups with CRDs, the creation happens in 2 stages:

the first stage is reconciliation and the second is synchronization.

The synchronization is not happening in my cluster; as per the nifikop logs the cluster is not ready.
Please have a look at the logs below.

2022-01-07T08:36:27+05:30 github.com/go-logr/zapr.(*zapLogger).Error
2022-01-07T08:36:27+05:30 	/go/pkg/mod/github.com/go-logr/zapr@v0.2.0/zapr.go:132
2022-01-07T08:36:27+05:30 github.com/Orange-OpenSource/nifikop/pkg/nificlient.errorGetOperation
2022-01-07T08:36:27+05:30 	/workspace/pkg/nificlient/common.go:38
2022-01-07T08:36:27+05:30 github.com/Orange-OpenSource/nifikop/pkg/nificlient.(*nifiClient).DescribeCluster
2022-01-07T08:36:27+05:30 	/workspace/pkg/nificlient/system.go:30
2022-01-07T08:36:27+05:30 github.com/Orange-OpenSource/nifikop/pkg/nificlient.(*nifiClient).Build
2022-01-07T08:36:27+05:30 	/workspace/pkg/nificlient/client.go:181
2022-01-07T08:36:27+05:30 github.com/Orange-OpenSource/nifikop/pkg/nificlient.NewFromConfig
2022-01-07T08:36:27+05:30 	/workspace/pkg/nificlient/client.go:202
2022-01-07T08:36:27+05:30 github.com/Orange-OpenSource/nifikop/pkg/common.NewClusterConnection
2022-01-07T08:36:27+05:30 	/workspace/pkg/common/common.go:54
2022-01-07T08:36:27+05:30 github.com/Orange-OpenSource/nifikop/pkg/clientwrappers/scale.EnsureRemovedNodes
2022-01-07T08:36:27+05:30 	/workspace/pkg/clientwrappers/scale/scale.go:201
2022-01-07T08:36:27+05:30 github.com/Orange-OpenSource/nifikop/pkg/resources/nifi.(*Reconciler).Reconcile
2022-01-07T08:36:27+05:30 	/workspace/pkg/resources/nifi/nifi.go:237
2022-01-07T08:36:27+05:30 github.com/Orange-OpenSource/nifikop/controllers.(*NifiClusterReconciler).Reconcile
2022-01-07T08:36:27+05:30 	/workspace/controllers/nificluster_controller.go:131
2022-01-07T08:36:27+05:30 sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler
2022-01-07T08:36:27+05:30 	/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.7.2/pkg/internal/controller/controller.go:263
2022-01-07T08:36:27+05:30 sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
2022-01-07T08:36:27+05:30 	/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.7.2/pkg/internal/controller/controller.go:235
2022-01-07T08:36:27+05:30 sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func1.1
2022-01-07T08:36:27+05:30 	/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.7.2/pkg/internal/controller/controller.go:198
2022-01-07T08:36:27+05:30 k8s.io/apimachinery/pkg/util/wait.JitterUntilWithContext.func1
2022-01-07T08:36:27+05:30 	/go/pkg/mod/k8s.io/apimachinery@v0.20.2/pkg/util/wait/wait.go:185
2022-01-07T08:36:27+05:30 k8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1
2022-01-07T08:36:27+05:30 	/go/pkg/mod/k8s.io/apimachinery@v0.20.2/pkg/util/wait/wait.go:155
2022-01-07T08:36:27+05:30 k8s.io/apimachinery/pkg/util/wait.BackoffUntil
2022-01-07T08:36:27+05:30 	/go/pkg/mod/k8s.io/apimachinery@v0.20.2/pkg/util/wait/wait.go:156
2022-01-07T08:36:27+05:30 k8s.io/apimachinery/pkg/util/wait.JitterUntil
2022-01-07T08:36:27+05:30 	/go/pkg/mod/k8s.io/apimachinery@v0.20.2/pkg/util/wait/wait.go:133
2022-01-07T08:36:27+05:30 k8s.io/apimachinery/pkg/util/wait.JitterUntilWithContext
2022-01-07T08:36:27+05:30 	/go/pkg/mod/k8s.io/apimachinery@v0.20.2/pkg/util/wait/wait.go:185
2022-01-07T08:36:27+05:30 k8s.io/apimachinery/pkg/util/wait.UntilWithContext
2022-01-07T08:36:27+05:30 	/go/pkg/mod/k8s.io/apimachinery@v0.20.2/pkg/util/wait/wait.go:99
2022-01-07T08:36:27+05:30 2022-01-07T03:06:27.255Z	INFO	controllers.NifiCluster	Nodes unreachable, may still be starting up
2022-01-07T08:36:27+05:30 2022-01-07T03:06:27.308Z	DEBUG	controller-runtime.manager.events	Normal	{"object": {"kind":"NifiUser","namespace":"nifi","name":"sslnifi-controller.nifi.mgt.cluster.local","uid":"7a1717e4-c837-4503-b131-e3fb1f904638","apiVersion":"nifi.orange.com/v1alpha1","resourceVersion":"71815037"}, "reason": "ReconcilingCertificate", "message": "Reconciling certificate for nifi user sslnifi-controller.nifi.mgt.cluster.local"}
2022-01-07T08:36:27+05:30 2022-01-07T03:06:27.314Z	DEBUG	controller-runtime.manager.events	Normal	{"object": {"kind":"NifiUser","namespace":"nifi","name":"sslnifi-controller.nifi.mgt.cluster.local","uid":"7a1717e4-c837-4503-b131-e3fb1f904638","apiVersion":"nifi.orange.com/v1alpha1","resourceVersion":"71815037"}, "reason": "ReconciledCertificate", "message": "Reconciled certificate for nifi user sslnifi-controller.nifi.mgt.cluster.local"}
2022-01-07T08:36:27+05:30 2022-01-07T03:06:27.314Z	INFO	controllers.NifiUser	Cluster is not ready yet, will wait until it is.
2022-01-07T08:36:27+05:30 2022-01-07T03:06:27.314Z	DEBUG	controller-runtime.manager.events	Normal	{"object": {"kind":"NifiUser","namespace":"nifi","name":"sslnifi-controller.nifi.mgt.cluster.local","uid":"7a1717e4-c837-4503-b131-e3fb1f904638","apiVersion":"nifi.orange.com/v1alpha1","resourceVersion":"71815037"}, "reason": "ReferenceClusterNotReady", "message": "The referenced cluster is not ready yet : sslnifi in sslnifi"}
2022-01-07T08:36:27+05:30 2022-01-07T03:06:27.323Z	DEBUG	controller-runtime.manager.events	Normal	{"object": {"kind":"NifiUser","namespace":"nifi","name":"sslnifi-1-node.sslnifi-headless.nifi.svc.cluster.local","uid":"3fb47db1-727e-40ca-b864-55c327f793d4","apiVersion":"nifi.orange.com/v1alpha1","resourceVersion":"71803986"}, "reason": "ReconcilingCertificate", "message": "Reconciling certificate for nifi user sslnifi-1-node.sslnifi-headless.nifi.svc.cluster.local"}
2022-01-07T08:36:27+05:30 2022-01-07T03:06:27.327Z	DEBUG	controller-runtime.manager.events	Normal	{"object": {"kind":"NifiUser","namespace":"nifi","name":"sslnifi-1-node.sslnifi-headless.nifi.svc.cluster.local","uid":"3fb47db1-727e-40ca-b864-55c327f793d4","apiVersion":"nifi.orange.com/v1alpha1","resourceVersion":"71803986"}, "reason": "ReconciledCertificate", "message": "Reconciled certificate for nifi user sslnifi-1-node.sslnifi-headless.nifi.svc.cluster.local"}
2022-01-07T08:36:27+05:30 2022-01-07T03:06:27.327Z	INFO	controllers.NifiUser	Cluster is not ready yet, will wait until it is.

As per the logs, when I removed the OIDC config from the cluster, nifikop assumes the cluster is not ready yet: controllers.NifiUser Cluster is not ready yet, will wait until it is.

This is my Nificluster config:

apiVersion: nifi.orange.com/v1alpha1
kind: NifiCluster
metadata:
  name: sslnifi
spec:
  service:
    headlessEnabled: true
    annotations:
      external-dns.alpha.kubernetes.io/ttl: "5"
  zkAddress: "zookeeper.zookeeper.svc.cluster.local:2181"
  zkPath: "/ssllnifi"
  clusterImage: "apache/nifi:1.12.1"
  oneNifiNodePerNode: false
  managedAdminUsers:
    - identity: "CN=admin"  # I have named the identity CN=... because the certificate subject will be starting with CN, so we need to mention it here too.
      name: "admin"
  propagateLabels: true
  nifiClusterTaskSpec:
    retryDurationMinutes: 10
  readOnlyConfig:
    nifiProperties:
      webProxyHosts:
        - sslnifi.mydomain.org:8443
  nodeConfigGroups:
    default_group:
      isNode: true
      storageConfigs:
        - mountPath: "/opt/nifi/nifi-current/logs"
          name: logs
          pvcSpec:
            accessModes:
              - ReadWriteOnce
            storageClassName: "gp2"
            resources:
              requests:
                storage: 10Gi
        - mountPath: "/opt/nifi/data"
          name: data
          pvcSpec:
            accessModes:
              - ReadWriteOnce
            storageClassName: "gp2"
            resources:
              requests:
                storage: 10Gi
        - mountPath: "/opt/nifi/flowfile_repository"
          name: flowfile-repository
          pvcSpec:
            accessModes:
              - ReadWriteOnce
            storageClassName: "gp2"
            resources:
              requests:
                storage: 10Gi
        - mountPath: "/opt/nifi/nifi-current/conf"
          name: conf
          pvcSpec:
            accessModes:
              - ReadWriteOnce
            storageClassName: "gp2"
            resources:
              requests:
                storage: 10Gi
        - mountPath: "/opt/nifi/content_repository"
          name: content-repository
          pvcSpec:
            accessModes:
              - ReadWriteOnce
            storageClassName: "gp2"
            resources:
              requests:
                storage: 10Gi
        - mountPath: "/opt/nifi/provenance_repository"
          name: provenance-repository
          pvcSpec:
            accessModes:
              - ReadWriteOnce
            storageClassName: "gp2"
            resources:
              requests:
                storage: 10Gi
      serviceAccountName: "default"
      resourcesRequirements:
        limits:
          cpu: "0.5"
          memory: 2Gi
        requests:
          cpu: "0.5"
          memory: 2Gi
  nodes:
    - id: 1
      nodeConfigGroup: "default_group"
    - id: 2
      nodeConfigGroup: "default_group"
    # - id: 3
    #   nodeConfigGroup: "default_group"
  
  listenersConfig:
    internalListeners:
      - type: "https"
        name: "https"
        containerPort: 8443     
      - type: "cluster"
        name: "cluster"
        containerPort: 6007
      - type: "s2s"
        name: "s2s"
        containerPort: 10000
    sslSecrets:
      tlsSecretName: "test-nifikop"
      create: true

Have you tried without any OIDC? Can you check if you are also facing the same issue?
If we can identify why nifikop is assuming the cluster is not ready, I think we can solve this problem.

@juldrixx

@wandersonpereira
I have set headless: true and configured the ALB load balancer instead of nginx with the help of the ELB ingress controller. Now I am able to access the UI of the NiFi cluster, and I am not facing any invalid token issues either.

But I am still not able to create the NiFi users and NiFi groups using the CRDs mentioned in the docs.
To be specific, the problem with user creation is that the users are not getting synchronized with the cluster.

Please look at the example below:

For successful user creation:
this user got created post OIDC auth:
[screenshot]

I have created another user using the CRD:

apiVersion: nifi.orange.com/v1alpha1
kind: NifiUser
metadata:
  name: sslnifi.bpeadmin
spec:
  identity: bpeadmin@brillio.com
  clusterRef:
    name: sslnifi
    namespace: nifi
  createCert: true
  includeJKS: true
  secretName: bpeadmin_secrets  # note: Kubernetes Secret names must be DNS-1123 subdomain names, which do not allow "_"

Output:

[screenshot]

Am I missing something over here...?

One more thing: did you try to set up site-to-site with another NiFi instance?

@juldrixx

Please have a look here:
Orange-OpenSource/nifikop#49
This is the issue I am facing now in the scenario without OIDC.

erdrix closed this as completed Aug 19, 2022
@rogerlga

I was facing something similar (NiFiKop v1.8.0 / NiFi 1.24.0 here). managedAdminUsers were not getting created. Solved by setting some identity mapping keys in nifi.properties, as indicated at the beginning of the "OpenId Connect" part of the documentation (although no OpenId config is necessary):

nifi.security.identity.mapping.pattern.dn=CN=([^,]*)(?:, (?:O|OU)=.*)?
nifi.security.identity.mapping.value.dn=$1
nifi.security.identity.mapping.transform.dn=NONE

After setting these keys (I think the values could be anything), the NiFi operator started to populate the cluster with the users and user groups from the managedAdminUsers configuration.
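Added example (not code from this issue or from NiFiKop): a small Python script that reproduces the two checks the thread revolves around. It applies NiFi-style identity mapping (the three nifi.properties keys in the comment above: full-match pattern, $n group substitution, NONE/LOWER/UPPER transform, first matching mapping in sorted key order wins) to a certificate subject DN, and then compares the mapped identity against the bootstrap identities declared in authorizers.xml, which is the comparison the original reporter did by hand when bpeadmin was missing from that file. The authorizers.xml and nifi.properties samples are constructed from the text posted above and trimmed; the property parser deliberately ignores the escaping rules of full Java .properties files.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the authorizers.xml posted earlier in this issue, trimmed to the
# properties that matter for bootstrap identities.
AUTHORIZERS_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizers>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">../data/users.xml</property>
        <property name="Initial User Identity admin">sslnifi-controller.nifi.mgt.cluster.local</property>
        <property name="Initial User Identity 1">sslnifi-1-node.nifi.svc.cluster.local</property>
    </userGroupProvider>
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="Initial Admin Identity">sslnifi-controller.nifi.mgt.cluster.local</property>
        <property name="Node Identity 1">sslnifi-1-node.nifi.svc.cluster.local</property>
    </accessPolicyProvider>
</authorizers>
"""

# Constructed sample: the three nifi.properties lines from the comment above.
NIFI_PROPERTIES = """
nifi.security.identity.mapping.pattern.dn=CN=([^,]*)(?:, (?:O|OU)=.*)?
nifi.security.identity.mapping.value.dn=$1
nifi.security.identity.mapping.transform.dn=NONE
"""

MAPPING_PREFIX = "nifi.security.identity.mapping."


def parse_properties(text):
    """Minimal key=value parser; ignores the escaping rules of full Java .properties files."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def load_identity_mappings(props):
    """Return (name, compiled pattern, value, transform) tuples in sorted key order.

    NiFi evaluates mappings in that order and the first pattern that matches wins;
    a missing transform defaults to NONE.
    """
    mappings = []
    for key in sorted(k for k in props if k.startswith(MAPPING_PREFIX + "pattern.")):
        name = key[len(MAPPING_PREFIX + "pattern."):]
        pattern = re.compile(props[key])
        value = props.get(MAPPING_PREFIX + "value." + name, "")
        transform = props.get(MAPPING_PREFIX + "transform." + name, "NONE").upper()
        mappings.append((name, pattern, value, transform))
    return mappings


def map_identity(raw_identity, mappings):
    """Apply NiFi-style identity mapping to a certificate subject DN (or any identity).

    The whole identity must match the pattern; $n in the value is replaced by capture
    group n; then LOWER/UPPER is applied. Identities that match no mapping pass through
    unchanged, which is why an unmapped cert identity stays the full DN, e.g. "CN=admin".
    """
    for _name, pattern, value, transform in mappings:
        match = pattern.fullmatch(raw_identity)
        if match is None:
            continue
        mapped = re.sub(r"\$(\d+)", lambda ref: match.group(int(ref.group(1))) or "", value)
        if transform == "LOWER":
            return mapped.lower()
        if transform == "UPPER":
            return mapped.upper()
        return mapped
    return raw_identity


def bootstrap_identities(authorizers_xml):
    """Map each identity seeded by the file-based providers to the property names granting it."""
    root = ET.fromstring(authorizers_xml.encode("utf-8"))
    seeded = {}
    for prop in root.iter("property"):
        name = prop.get("name", "")
        identity = (prop.text or "").strip()
        if identity and name.startswith(("Initial User Identity", "Initial Admin Identity", "Node Identity")):
            seeded.setdefault(identity, []).append(name)
    return seeded


def check_identity(raw_identity, properties_text, authorizers_xml):
    """Return (mapped identity, whether that exact string is among the bootstrap identities).

    The file-based user group provider looks users up by exact identity string, so the
    mapped identity must equal a seeded identity character for character.
    """
    mapped = map_identity(raw_identity, load_identity_mappings(parse_properties(properties_text)))
    return mapped, mapped in bootstrap_identities(authorizers_xml)


if __name__ == "__main__":
    for dn in ("CN=admin", "CN=admin, OU=NIFI", "CN=sslnifi-controller.nifi.mgt.cluster.local",
               "CN=bpeadmin", "bpeadmin@mail.com"):
        print(dn, "->", check_identity(dn, NIFI_PROPERTIES, AUTHORIZERS_XML))
```

Two caveats a practitioner should keep in mind when reading the output. First, with no mapping configured the identity NiFi authorizes is the full subject DN, which is exactly why the second NifiCluster config above had to spell the admin as identity: "CN=admin" while the NifiUser CRDs use bare e-mail style identities; a mismatch here is silent and looks like "user not created". Second, the Initial User Identity, Initial Admin Identity and Node Identity properties only seed users.xml and authorizations.xml when those files do not exist yet; in the cluster above ../data/users.xml sits on a persistent volume, so a file left over from an earlier run is reused and a newly added identity will never appear in it until the file is removed or edited.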
