Expose OIDC configuration into values.yaml #463

Open
ggerla opened this issue Sep 17, 2024 · 5 comments · May be fixed by #464
Labels
community enhancement New feature or request

Comments

@ggerla
Contributor

ggerla commented Sep 17, 2024

Is your feature request related to a problem?

I need to configure OIDC for NiFi. In my case the nifikop Helm chart is a sub-chart, so I need to manage OIDC from external values in a more abstract way. In addition, the clientSecret should be managed through a secret.

Describe the solution you'd like to see

Similar to singleUserConfiguration and ldapConfiguration I would like to have a section like this

oidcConfiguration:
  discoveryUrl:
  clientId: <oidc client's id>
  clientSecret: <oidc client's secret>
  patternDn:
  valueDn: $1
  transformDn: NONE

Describe alternatives you've considered

The idea can be to change nifi-config-sc.yaml

.....
nifi.properties: |-
    {{/* Emit the OIDC properties only when cluster.oidcConfiguration is set */}}
    {{ if .Values.cluster.oidcConfiguration }}
    nifi.security.user.oidc.discovery.url={{ .Values.cluster.oidcConfiguration.discoveryUrl }}
    nifi.security.user.oidc.client.id={{ .Values.cluster.oidcConfiguration.clientId }}
    nifi.security.user.oidc.client.secret={{ .Values.cluster.oidcConfiguration.clientSecret }}
    nifi.security.identity.mapping.pattern.dn={{ .Values.cluster.oidcConfiguration.patternDn | default "CN=([^,])(?:, (?:O|OU)=.)?" }}
    nifi.security.identity.mapping.value.dn={{ .Values.cluster.oidcConfiguration.valueDn | default "$1" }}
    nifi.security.identity.mapping.transform.dn={{ .Values.cluster.oidcConfiguration.transformDn | default "NONE" }}
    {{ end }}
{{ .Values.cluster.nifiProperties.overrideConfigs | b64enc | indent 4 }}

Additional context

No response

@ggerla ggerla added community enhancement New feature or request labels Sep 17, 2024
@mh013370
Member

mh013370 commented Sep 17, 2024

Since we support configuring LDAP in NiFi through a similar manner, I think this is a reasonable request. And I agree that sensitive values should be pulled from secrets and not provided in raw text in the values.yaml.

https://konpyutaika.github.io/nifikop/docs/5_references/1_nifi_cluster/#ldapconfiguration

@ggerla
Contributor Author

ggerla commented Sep 17, 2024

I was looking into the code. I think that the change can be done only in nifi-config-sc.yaml, using a clear clientSecret.
If we want to have a k8s secret to "hide" the clientSecret, then I think we also need to change the Go code.
Am I right?

@mh013370
Member

Yes, supporting a feature like this would require CRD changes and consequently code changes.

@mh013370
Member

That said, it's possible to configure OIDC right now through the following approach: https://konpyutaika.github.io/nifikop/docs/3_manage_nifi/1_manage_clusters/1_deploy_cluster/5_users_authentication/1_oidc

@ggerla
Contributor Author

ggerla commented Sep 17, 2024

Yes, I know, thanks. I'm already using this configuration.
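
The concern raised in this thread, a clientSecret rendered in clear text into nifi.properties, can be caught by scanning `helm template` output before it is applied. The following is an added example, not code from the issue or from nifikop; the function name, the manifest names and the sample values are assumptions made up for illustration.

```python
import re

# Property name taken from the template proposed in the issue above.
PROP = re.compile(
    r"^[ \t]*nifi\.security\.user\.oidc\.client\.secret[ \t]*=[ \t]*\S", re.M)
KIND = re.compile(r"^kind:[ \t]*(\S+)", re.M)
# Heuristic: first indented "name:" below a top-level "metadata:" key.
NAME = re.compile(r"^metadata:[ \t]*\n(?:[ \t]+.*\n)*?[ \t]+name:[ \t]*(\S+)", re.M)


def find_plaintext_oidc_secrets(rendered: str) -> list[str]:
    """Return 'Kind/name' for every non-Secret manifest in rendered chart
    output that carries a non-empty literal OIDC client secret."""
    findings = []
    for doc in re.split(r"^---[ \t]*$", rendered, flags=re.M):
        kind = KIND.search(doc)
        if kind is None or kind.group(1) == "Secret":
            continue  # a Secret object is where the thread wants this value
        if PROP.search(doc):  # empty or commented-out values do not match
            name = NAME.search(doc)
            findings.append(f"{kind.group(1)}/{name.group(1) if name else '?'}")
    return findings


# Constructed sample of rendered chart output (names and values are made up).
SAMPLE = """\
kind: ConfigMap
metadata:
  name: nifi-config-plain
data:
  nifi.properties: |-
    nifi.security.user.oidc.client.secret=EXAMPLE-NOT-A-REAL-SECRET
---
kind: ConfigMap
metadata:
  name: nifi-config-empty
data:
  nifi.properties: |-
    nifi.security.user.oidc.client.secret=
    nifi.security.identity.mapping.value.dn=$1
---
kind: Secret
metadata:
  name: nifi-oidc
stringData:
  nifi.properties: |-
    nifi.security.user.oidc.client.secret=EXAMPLE-NOT-A-REAL-SECRET
"""
```

A CI step can fail the build when `find_plaintext_oidc_secrets` returns a non-empty list for the rendered chart.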
