-
Hi, I'm trying to configure NiFi on our k8s cluster (with nifi-operator) to use our Keycloak server for authentication. This server uses a custom HTTPS certificate from our own self-signed CA and is outside of the k8s cluster. I've already configured the NiFi cluster to use the OIDC configuration, but it fails to start when fetching the discovery URL because it cannot verify the server certificate. Is there a way to add our CA certificate to the keystore used by NiFi, or to the one from the JVM, so that it can verify the server certificate? I see that the NiFi keystore seems to be managed by the secrets-operator, but I don't know if there's some option to manage the JVM cacerts and how to add more certificates. Thanks. Best regards.
-
Another option is to create a custom image and add the CA certificate there, but I'd rather not have to do that. I could mount the certificate with a ConfigMap or a Secret, but I need to be able to update the cacerts file (via update-ca-trust) before starting the NiFi process. A third option is to replace the cacerts file and mount my own, but that requires more maintenance to keep it updated than updating the one in the image when starting NiFi.
-
Hi @dmasice, I am not 100% sure if you can configure the location of the keystore or PEM file for your use case, or if it absolutely has to be in the system keystore. But if you can specify where the cert is located, you could use this to mount the CA from a Secret/ConfigMap and then use it.
-
That was my first option, but for this case it won't work, as the

Is it possible to specify extra volumes outside of
-
I got it working with a volume and a batch job. First I created a

```yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: nifi-cacerts-pvc
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 50Mi
  storageClassName: ceph-filesystem
```

and a

Then, using the same NiFi image, I created a one-time job that updates the

```yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: update-nifi-cacerts
spec:
  template:
    spec:
      securityContext:
        fsGroup: 0
        runAsGroup: 0
        runAsUser: 0
      containers:
        - name: update-nifi-cacerts
          image: docker.stackable.tech/stackable/nifi:1.21.0-stackable23.7.0
          command:
            - "/bin/bash"
            - "-c"
            - "-euo"
            - "pipefail"
          args:
            - "echo Updating cacerts && /usr/bin/update-ca-trust && echo Copying cacerts to volume && cp /etc/pki/ca-trust/extracted/java/cacerts /data/nifi-cacerts/"
          volumeMounts:
            - name: nifi-cacerts
              mountPath: /data/nifi-cacerts
            - name: remote-server-ca-certificate
              mountPath: /etc/pki/ca-trust/source/anchors
      volumes:
        - name: nifi-cacerts
          persistentVolumeClaim:
            claimName: nifi-cacerts-pvc
        - name: remote-server-ca-certificate
          configMap:
            name: remote-server-ca-certificate
      restartPolicy: Never
  backoffLimit: 4
```

The

The last step is to modify the NiFi cluster definition to mount the new

```yaml
spec:
  nodes:
    podOverrides:
      spec:
        containers:
          - name: nifi
            volumeMounts:
              - name: nifi-cacerts
                mountPath: /etc/pki/ca-trust/extracted/java/cacerts
                subPath: cacerts
        volumes:
          - name: nifi-cacerts
            persistentVolumeClaim:
              claimName: nifi-cacerts-pvc
```

With this, I'm able to add custom certificates without having to rebuild the image. If I update the image, I just need to run the job again to regenerate the

If there's a better/simpler way to add custom certificates in the future, that'll be great. But, for now, this will do.
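As a check on what the job above actually produced, here is an added example (my own, not code from this thread or from the Stackable operator) that parses the generated `cacerts` truststore with only the Python standard library, verifies its integrity digest, and reports whether a given CA certificate is present. It assumes the file is in JKS format (the format I expect `update-ca-trust` to write to `/etc/pki/ca-trust/extracted/java/cacerts`) and uses the default truststore password `changeit`; the certificate bytes used in the test are constructed placeholders, not real X.509 data, and the script name `jks_check.py` is hypothetical. Where a JDK is available, `keytool -list -keystore cacerts -storepass changeit` does the same job; this version runs in a minimal image and also shows what is inside that file.

```python
"""Inspect a Java JKS truststore such as /etc/pki/ca-trust/extracted/java/cacerts.

Added example, not part of the original thread or the Stackable operator.
Assumptions: JKS v2 layout (magic 0xFEEDFEED), default password "changeit".
"""
import base64
import hashlib
import re
import struct
import sys
from typing import Dict, List, Tuple

JKS_MAGIC = 0xFEEDFEED
JKS_VERSION = 2
PRIVATE_KEY_TAG = 1
TRUSTED_CERT_TAG = 2
# Fixed salt the JDK's JavaKeyStore mixes into the integrity digest.
INTEGRITY_SALT = b"Mighty Aphrodite"


def _read_utf(buf: bytes, pos: int) -> Tuple[str, int]:
    """Read a Java DataOutput-style UTF string (2-byte length prefix)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n].decode("utf-8"), pos + n


def _write_utf(s: str) -> bytes:
    data = s.encode("utf-8")
    return struct.pack(">H", len(data)) + data


def _integrity_digest(body: bytes, password: str) -> bytes:
    """SHA-1 over (password as UTF-16BE || salt || keystore body)."""
    h = hashlib.sha1()
    h.update(password.encode("utf-16-be"))
    h.update(INTEGRITY_SALT)
    h.update(body)
    return h.digest()


def parse_jks(data: bytes, password: str = "changeit") -> Dict[str, bytes]:
    """Return {alias: DER bytes} for every trusted-certificate entry.

    Raises ValueError on a bad magic/version or when the trailing digest does
    not match, i.e. wrong password, truncated copy or a tampered file.
    """
    magic, version, count = struct.unpack_from(">III", data, 0)
    if magic != JKS_MAGIC or version != JKS_VERSION:
        raise ValueError("not a JKS v2 keystore")
    pos = 12
    trusted: Dict[str, bytes] = {}
    for _ in range(count):
        (tag,) = struct.unpack_from(">I", data, pos)
        pos += 4
        alias, pos = _read_utf(data, pos)
        pos += 8  # creation timestamp (ms since epoch), not needed here
        if tag == TRUSTED_CERT_TAG:
            _, pos = _read_utf(data, pos)  # certificate type, normally "X.509"
            (n,) = struct.unpack_from(">I", data, pos)
            pos += 4
            trusted[alias] = data[pos:pos + n]
            pos += n
        elif tag == PRIVATE_KEY_TAG:
            (n,) = struct.unpack_from(">I", data, pos)
            pos += 4 + n  # skip the encrypted private key blob
            (chain_len,) = struct.unpack_from(">I", data, pos)
            pos += 4
            for _ in range(chain_len):
                _, pos = _read_utf(data, pos)
                (n,) = struct.unpack_from(">I", data, pos)
                pos += 4 + n
        else:
            raise ValueError(f"unknown entry tag {tag}")
    body, digest = data[:pos], data[pos:pos + 20]
    if len(digest) != 20 or digest != _integrity_digest(body, password):
        raise ValueError("integrity check failed: wrong password or corrupted keystore")
    return trusted


def build_jks(entries: List[Tuple[str, bytes]], password: str = "changeit") -> bytes:
    """Encode trusted-cert entries as a JKS file (used to construct test input)."""
    body = struct.pack(">III", JKS_MAGIC, JKS_VERSION, len(entries))
    for alias, der in entries:
        body += struct.pack(">I", TRUSTED_CERT_TAG) + _write_utf(alias)
        body += struct.pack(">Q", 0) + _write_utf("X.509")
        body += struct.pack(">I", len(der)) + der
    return body + _integrity_digest(body, password)


def pem_to_der(pem_text: str) -> bytes:
    """Decode the first CERTIFICATE block of a PEM file to DER."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()))


def find_cert(trusted: Dict[str, bytes], der: bytes) -> List[str]:
    """Aliases whose stored certificate is byte-for-byte the given DER."""
    return [alias for alias, c in trusted.items() if c == der]


if __name__ == "__main__":
    # usage: python jks_check.py /etc/pki/ca-trust/extracted/java/cacerts our-ca.pem
    with open(sys.argv[1], "rb") as f:
        store = parse_jks(f.read())
    with open(sys.argv[2]) as f:
        hits = find_cert(store, pem_to_der(f.read()))
    print(f"{len(store)} trusted certs; CA present under aliases: {hits or 'NONE'}")
    sys.exit(0 if hits else 1)
```

Run it against the copy on the PVC after the job finishes (and again after an image update) to confirm the CA really landed in the file NiFi mounts; an exit status of 1 means the anchor was not picked up by `update-ca-trust`.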
-
After using the method above, I've been able to get NiFi to validate the URL of the Keycloak server. But after Keycloak validates the user I get the following error:
In the log I see the following:
It seems that NiFi is unable to validate the certificate for
Both seem like valid approaches to me. Would you mind sharing your whole config?
I think we also ran into the
Untrusted proxy CN=generated certificate for pod
and added the following two settings to trust them: https://github.com/stackabletech/nifi-operator/blob/9795944bd73cb116f7953769a049c5ab7fc99569/rust/crd/src/authentication.rs#L628 and https://github.com/stackabletech/nifi-operator/blob/9795944bd73cb116f7953769a049c5ab7fc99569/rust/crd/src/authentication.rs#L642