Patch NiFi to allow disabling the host header check #694

Merged
merged 6 commits into from
Jun 24, 2024

soenkeliebau
Member

Description

NiFi has the configuration option 'nifi.web.proxy.host', which controls the allowed
values for the host header field in any incoming request for the web UI.

This frequently causes issues when trying to expose the NiFi UI via, for example,
an ingress, load balancer or any similar type of mechanism.

NiFi does not allow disabling this behavior, so at the moment the NiFi operator
simply hardcodes all even remotely possible values into this field.
But in order to allow putting, for example, an ingress in front of NiFi, this means
using config overrides to change the value of this option, copying all the values
the operator put in there and adding the extra value you need.

This is less than ideal; the proper solution would probably be
stackabletech/nifi-operator#604

But until that is merged this is a simple workaround that allows overriding the list of allowed
hostnames by just setting it to "*" and this will effectively bypass the hostname check entirely if set.

This allows us to keep the default behavior in place for those users where it works and not remove
security features, but also enables users to disable this check if they know what they are doing.

Definition of Done Checklist

  • Not all of these items are applicable to all PRs, the author should update this template to only leave the boxes in that are relevant
  • Please make sure all these things are done and tick the boxes
- [ ] Changes are OpenShift compatible
- [ ] All added packages (via microdnf or otherwise) have a comment on why they are added
- [ ] Things not downloaded from Red Hat repositories should be mirrored in the Stackable repository and downloaded from there
- [ ] All packages should have (if available) signatures/hashes verified
- [ ] Add an entry to the CHANGELOG.md file
- [ ] Integration tests ran successfully
TIP: Running integration tests with a new product image

The image can be built and uploaded to the kind cluster with the following commands:

bake --product <product> --image-version <stackable-image-version>
kind load docker-image <image-tagged-with-the-major-version> --name=<name-of-your-test-cluster>

See the output of bake to retrieve the image tag for <image-tagged-with-the-major-version>.
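
The host header check and the "*" opt-out from the description above, as a simplified model. This is an added example, not NiFi's code and not the patch from this PR; the function names, the matching rules (an entry without a port matches any port) and the sample hostnames are assumptions made for illustration.

```python
# Added illustration: simplified model of a Host header allowlist driven by a
# comma-separated property value such as nifi.web.proxy.host.
# Assumption: an entry "host" matches any port, "host:port" matches exactly.

def parse_allowed_hosts(prop_value):
    """Split the property value into normalised (lower-case, trimmed) entries."""
    return {e.strip().lower() for e in prop_value.split(",") if e.strip()}

def split_host_port(host_header):
    """Return (host, port or None); accepts name, name:port, [IPv6], [IPv6]:port."""
    value = host_header.strip().lower()
    if value.startswith("["):
        end = value.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal")
        host, rest = value[: end + 1], value[end + 1:]
        if rest and not rest.startswith(":"):
            raise ValueError("garbage after IPv6 literal")
        port = rest[1:] or None
    else:
        host, _, port = value.partition(":")
        port = port or None
    if not host or (port is not None and not port.isdigit()):
        raise ValueError("malformed Host header")
    return host, port

def host_allowed(host_header, prop_value):
    """Decide whether a request's Host header passes the check."""
    if prop_value.strip() == "*":
        # Workaround described in the PR: "*" bypasses the check entirely,
        # so every Host value is accepted, including malformed ones.
        return True
    try:
        host, port = split_host_port(host_header)
    except ValueError:
        return False  # fail closed on anything unparseable
    allowed = parse_allowed_hosts(prop_value)
    return host in allowed or (port is not None and f"{host}:{port}" in allowed)

# Constructed sample values, not taken from the PR.
ALLOWLIST = "nifi.example.com, nifi-0.internal:8443, [::1]"

if __name__ == "__main__":
    for h in ("nifi.example.com:443", "nifi-0.internal:9999", "other.example"):
        print(h, host_allowed(h, ALLOWLIST), host_allowed(h, "*"))
```

With the value set to "*", the ingress or load balancer in front of NiFi is the only remaining place where Host values are restricted.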

@soenkeliebau soenkeliebau requested review from Jimvin and sbernauer May 23, 2024 10:07
@lfrancke
Member

Haven't looked at the details but please rename the patch files to contain the target version as well (see e.g. HBase and others).
That makes it easier to identify the file when it is copied around in isolation.

@soenkeliebau
Member Author

> Haven't looked at the details but please rename the patch files to contain the target version as well (see e.g. HBase and others). That makes it easier to identify the file when it is copied around in isolation

Is it okay to have a range of versions in there? The same patch applies across a lot of NiFi versions, that file wasn't touched a lot it seems.

…t the moment.

Since 1.21.x will be removed soon, we will probably never build it from source and the presence of patchfiles here would just confuse everybody.
Added a README to say why it is not being used but present.
Member

@sbernauer sbernauer left a comment

Thanks!

@soenkeliebau soenkeliebau added this pull request to the merge queue Jun 24, 2024
Merged via the queue into main with commit ca10d3e Jun 24, 2024
@soenkeliebau soenkeliebau deleted the feat/remove_nifi_host_header_check branch June 24, 2024 07:05
@lfrancke
Member

Do I understand correctly that this is in preparation for adding the necessary support in the operator so there is nothing to document here?

@sbernauer
Member

Exactly 👍
