From 9a0bd904de413b486ec22eeecc3edc47b90b46c1 Mon Sep 17 00:00:00 2001
From: dmitrii-dmnk <>
Date: Sat, 3 Dec 2022 12:18:36 +0300
Subject: [PATCH] Update ldap users in ldap-test; roll back CN node name
 generation; replace the standalone certs generation path
---
configs/authorizers.xml | 10 +++++-----
configs/nifi.properties | 22 +++++++++++++++-------
templates/statefulset.yaml | 13 +++++--------
tests/03-ldap-values.yaml | 7 ++++---
values.yaml | 30 +++++++++++++++---------------
5 files changed, 44 insertions(+), 38 deletions(-)
diff --git a/configs/authorizers.xml b/configs/authorizers.xml
index 6ad30a8f..a6370f35 100644
--- a/configs/authorizers.xml
+++ b/configs/authorizers.xml
@@ -48,7 +48,7 @@
./auth-conf/users.xml
{{- range $i := until $replicas }}
- CN={{ template "apache-nifi.fullname" $ }}-{{ . }}.{{ template "apache-nifi.fullname" $ }}-headless.{{ $.Release.Namespace }}.svc.{{ $.Values.clusterDomain }}, OU=NIFI
+ CN={{ $fullname }}-{{ $i }}.{{ $fullname }}-headless.{{ $namespace }}.svc.{{ $.Values.clusterDomain }}, OU=NIFI
{{- end }}
{{- if and .Values.auth.ldap.enabled (not .Values.auth.admin) }}
{{.Values.auth.ldap.initialAdmin}}
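Review bot: `$fullname` and `$namespace` are referenced on the new CN line but nothing in this patch declares them; unless `{{- $fullname := include "apache-nifi.fullname" . }}` and `{{- $namespace := .Release.Namespace }}` already exist above line 48 of the template (outside this hunk), rendering fails with an undefined-variable error. The identical line is added again in the hunk at @@ -230. These node identities are derived from the fullname helper, while the standalone certificate in templates/statefulset.yaml is issued for `{{.Release.Name}}-0.{{.Release.Name}}-headless…` and configs/nifi.properties reads the keystore from a directory of that name; if the helper does not resolve to exactly the release name, a node's certificate DN will match none of the identities listed here. The enclosing provider element begins and ends outside this hunk.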
@@ -125,10 +125,10 @@
{{.Values.auth.ldap.managerDN}}
{{.Values.auth.ldap.managerPassword}}
/opt/nifi/nifi-current/tls/keystore.jks
- {{.Values.auth.SSL.keystorePassword}}
- jks
+ {{.Values.auth.SSL.keystorePasswd}}
+ JKS
/opt/nifi/nifi-current/tls/truststore.jks
- {{.Values.auth.SSL.truststorePassword}}
+ {{.Values.auth.SSL.truststorePasswd}}
JKS
NONE
TLS
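Review bot: The keystore and truststore paths around the renamed password keys stay fixed at `/opt/nifi/nifi-current/tls/keystore.jks` and `/opt/nifi/nifi-current/tls/truststore.jks`, while configs/nifi.properties in this same patch reads them from `/opt/nifi/nifi-current/tls/<node-name>/keystore.jks` whenever `certManager.enabled` is false. With the toolkit-generated layout this provider would therefore point at files that do not exist, which presumably only surfaces when the LDAP authentication strategy is LDAPS or START_TLS. Consider the same `{{- if .Values.certManager.enabled }}` branch here, or a single template variable for the store directory so the two templates cannot drift. The enclosing provider element begins and ends outside this hunk.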
@@ -230,7 +230,7 @@
{{- end}}
{{- range $i := until $replicas }}
- CN={{ template "apache-nifi.fullname" $ }}-{{ . }}.{{ template "apache-nifi.fullname" $ }}-headless.{{ $.Release.Namespace }}.svc.{{ $.Values.clusterDomain }}, OU=NIFI
+ CN={{ $fullname }}-{{ $i }}.{{ $fullname }}-headless.{{ $namespace }}.svc.{{ $.Values.clusterDomain }}, OU=NIFI
{{- end }}
diff --git a/configs/nifi.properties b/configs/nifi.properties
index dbcae8f9..dcd6f09e 100644
--- a/configs/nifi.properties
+++ b/configs/nifi.properties
@@ -147,7 +147,7 @@ nifi.sensitive.props.algorithm={{ .Values.properties.algorithm }}
nifi.sensitive.props.provider=BC
nifi.sensitive.props.additional.keys=
-{{if .Values.auth.clientAuth.enabled}}
+{{- if .Values.auth.clientAuth.enabled }}
nifi.security.keystore=/opt/nifi/nifi-current/config-data/certs/keystore.jks
nifi.security.keystoreType=jks
nifi.security.keystorePasswd={{.Values.auth.SSL.keystorePasswd}}
@@ -157,18 +157,26 @@ nifi.security.truststoreType=jks
nifi.security.truststorePasswd={{.Values.auth.SSL.truststorePasswd}}
nifi.security.user.authorizer=managed-authorizer
nifi.security.user.login.identity.provider=
-{{else if .Values.auth.ldap.enabled}}
+{{- else if .Values.auth.ldap.enabled }}
+{{- if .Values.certManager.enabled }}
nifi.security.keystore=/opt/nifi/nifi-current/tls/keystore.jks
+{{- else }}
+nifi.security.keystore=/opt/nifi/nifi-current/tls/{{.Release.Name}}-0.{{.Release.Name}}-headless.{{.Release.Namespace}}.svc.{{ $.Values.clusterDomain }}/keystore.jks
+{{- end }}
nifi.security.keystoreType=jks
nifi.security.keystorePasswd={{.Values.auth.SSL.keystorePasswd}}
nifi.security.keyPasswd={{.Values.auth.SSL.keystorePasswd}}
+{{- if .Values.certManager.enabled }}
nifi.security.truststore=/opt/nifi/nifi-current/tls/truststore.jks
+{{- else }}
+nifi.security.truststore=/opt/nifi/nifi-current/tls/{{.Release.Name}}-0.{{.Release.Name}}-headless.{{.Release.Namespace}}.svc.{{ $.Values.clusterDomain }}/truststore.jks
+{{- end }}
nifi.security.truststoreType=jks
nifi.security.truststorePasswd={{.Values.auth.SSL.truststorePasswd}}
proxiedEntity={{.Values.auth.ldap.initialAdmin}}
nifi.security.user.authorizer=managed-authorizer
nifi.security.user.login.identity.provider=ldap-provider
-{{else if .Values.auth.oidc.enabled}}
+{{- else if .Values.auth.oidc.enabled }}
nifi.security.keystore=/opt/nifi/nifi-current/conf/keystore.p12
nifi.security.keystoreType=PKCS12
nifi.security.keystorePasswd=
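Review bot: The new standalone keystore and truststore paths are fixed to pod ordinal `0` (`{{.Release.Name}}-0.{{.Release.Name}}-headless…`), and the same `-0` name is what tls-toolkit is given via `-n` in templates/statefulset.yaml, so every replica is configured with, and presents, a certificate issued for pod 0's hostname. Unless the ordinal is substituted from the pod's own hostname at container start (not visible in this patch), replicas other than 0 would carry a DN that matches neither their hostname nor their `CN=…-<i>…` entry in configs/authorizers.xml, and node-to-node TLS would be expected to fail. If this path is only meant for the single-replica case, say so next to the branch, e.g. `{{- /* standalone toolkit certs: single-node only, the ordinal is fixed to 0 */}}`. The `{{- if .Values.auth.clientAuth.enabled }}` chain this sits in is opened in the previous hunk and closed in a later one.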
@@ -177,7 +185,7 @@ nifi.security.truststore=/opt/nifi/nifi-current/conf/truststore.p12
nifi.security.truststoreType=PKCS12
nifi.security.truststorePasswd=
nifi.security.user.authorizer=managed-authorizer
-{{ else }}
+{{- else }}
nifi.security.keystore=./conf/keystore.p12
nifi.security.keystoreType=PKCS12
nifi.security.keystorePasswd=
@@ -187,10 +195,10 @@ nifi.security.truststoreType=PKCS12
nifi.security.truststorePasswd=
nifi.security.user.login.identity.provider=single-user-provider
nifi.security.user.authorizer=single-user-authorizer
-{{end}}
+{{- end }}
nifi.security.needClientAuth={{.Values.properties.needClientAuth}}
-{{if .Values.auth.oidc.enabled}}
+{{- if .Values.auth.oidc.enabled }}
# OpenId Connect SSO Properties #
nifi.security.user.oidc.discovery.url={{.Values.auth.oidc.discoveryUrl}}
nifi.security.user.oidc.connect.timeout=5 secs
@@ -200,7 +208,7 @@ nifi.security.user.oidc.client.secret={{.Values.auth.oidc.clientSecret}}
nifi.security.user.oidc.preferred.jwsalgorithm=
nifi.security.user.oidc.claim.identifying.user={{.Values.auth.oidc.claimIdentifyingUser}}
nifi.security.user.oidc.additional.scopes={{.Values.auth.oidc.additionalScopes}}
-{{end}}
+{{- end }}
# Apache Knox SSO Properties #
diff --git a/templates/statefulset.yaml b/templates/statefulset.yaml
index 03e6253b..a888c532 100644
--- a/templates/statefulset.yaml
+++ b/templates/statefulset.yaml
@@ -251,12 +251,12 @@ spec:
{{- /* if .Values.certManager.enabled */}}{{ else }}
- if [ ! -r "${NIFI_HOME}/conf/nifi-cert.pem" ]
+ if [ ! -r "${NIFI_HOME}/tls/nifi-cert.pem" ]
then
/opt/nifi/nifi-toolkit-current/bin/tls-toolkit.sh standalone \
- -n '{{.Release.Name}}-nifi-0.{{.Release.Name}}-nifi-headless.{{.Release.Namespace}}.svc.{{ $.Values.clusterDomain }}' \
+ -n '{{.Release.Name}}-0.{{.Release.Name}}-headless.{{.Release.Namespace}}.svc.{{ $.Values.clusterDomain }}' \
-C '{{.Values.auth.admin}}' \
- -o "${NIFI_HOME}/conf/" \
+ -o "${NIFI_HOME}/tls" \
-P {{.Values.auth.SSL.truststorePasswd}} \
-S {{.Values.auth.SSL.keystorePasswd}} \
--nifiPropertiesFile /opt/nifi/nifi-current/conf/nifi.properties
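Review bot: The guard `if [ ! -r "${NIFI_HOME}/tls/nifi-cert.pem" ]` now tests a directory that the hunk at @@ -755 backs with `emptyDir: {}`, so on every pod (re)start the check is false and tls-toolkit standalone mints a fresh CA and keystore; the node certificate and the CA that peers or clients had trusted change on each restart, and with more than one replica each pod gets its own CA. If the toolkit output is meant to survive restarts, this volume needs the persistent store rather than an emptyDir, or the generated material should be written once into a Secret. Separately, `-P {{.Values.auth.SSL.truststorePasswd}}` and `-S {{.Values.auth.SSL.keystorePasswd}}` (context lines) pass the store passwords as command-line arguments, which leaves them readable in the rendered pod spec and in the container's process list; sourcing them from an env var backed by a Secret keeps them out of the manifest. The container command this script belongs to starts above the hunk.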
@@ -523,11 +523,8 @@ spec:
{{- end }}
{{- end }}
{{- end }}
-{{- if .Values.certManager.enabled }}
- name: "tls"
mountPath: /opt/nifi/nifi-current/tls
- readOnly: true
-{{- /* if .Values.certManager.enabled */}}{{ end }}
{{- if .Values.extraVolumeMounts }}
{{ toYaml .Values.extraVolumeMounts | indent 10 }}
{{- end }}
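Review bot: Dropping `readOnly: true` makes the `/opt/nifi/nifi-current/tls` mount writable in the cert-manager case too; before this change the mount was read-only whenever `certManager.enabled` was true, so the main container evidently did not need write access in that mode, and only the toolkit path (cert-manager disabled) writes into that directory. Keeping the flag conditional preserves least privilege: after `mountPath: /opt/nifi/nifi-current/tls` add `{{- if .Values.certManager.enabled }}` / `readOnly: true` / `{{- end }}`. The volumeMounts list this entry belongs to begins above the hunk.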
@@ -755,12 +752,12 @@ spec:
items:
- key: "logback.xml"
path: "logback.xml"
+ - name: "tls"
+ emptyDir: {}
{{- if .Values.certManager.enabled }}
- name: secret-reader-token
secret:
secretName: {{ template "apache-nifi.fullname" $ }}-secret-reader-token
- - name: tls
- emptyDir: {}
{{- range .Values.certManager.caSecrets }}
- name: {{ include "apache-nifi.fullname" $ }}-{{ . }}
secret:
diff --git a/tests/03-ldap-values.yaml b/tests/03-ldap-values.yaml
index ecf5b334..b3b99db1 100644
--- a/tests/03-ldap-values.yaml
+++ b/tests/03-ldap-values.yaml
@@ -8,7 +8,8 @@ auth:
ldap:
enabled: true
host: ldap://openldap:389
- searchBase: ou=users,dc=example,dc=org
- admin: cn=user1,ou=users,dc=example,dc=org
- pass: password1
+ userSearchBase: ou=users,dc=example,dc=org
+ managerDN: cn=user1,ou=users,dc=example,dc=org
+ initialAdmin: cn=user1,ou=users,dc=example,dc=org
+ managerPassword: password1
authStrategy: SIMPLE
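Review bot: `authStrategy: SIMPLE` on the context line after the renamed keys does not match the key the chart defines, `auth.ldap.authenticationStrategy` (see values.yaml in this patch), so unless the templates also read `authStrategy` this fixture sets a key nothing consumes and the test runs on the chart default — which happens to be SIMPLE as well, so the mismatch is masked. The three renames above it do line up with values.yaml; finishing the job means `authenticationStrategy: SIMPLE`. The `auth:` mapping begins above the hunk.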
diff --git a/values.yaml b/values.yaml
index 0fe15647..dce1de17 100644
--- a/values.yaml
+++ b/values.yaml
@@ -125,10 +125,10 @@ logbackXml:
# Nifi User Authentication
auth:
# If set while LDAP is enabled, this value will be used for the initial admin and not the ldap bind dn / admin
- admin: nifiAdmin # Initial Admin account username from LDAP-server. You can set the property aka env var
+ admin: CN=admin, OU=NIFI # Initial Admin account username. You can set the property aka env var
SSL:
- keystorePassword: changeMe
- truststorePassword: changeMe
+ keystorePasswd: changeMe
+ truststorePasswd: changeMe
# Automaticaly disabled if OIDC or LDAP enabled
singleUser:
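Review bot: The comment on the line above `admin` says the value is used instead of the LDAP admin "if set", and configs/authorizers.xml emits `ldap.initialAdmin` only under `{{- if and .Values.auth.ldap.enabled (not .Values.auth.admin) }}`, yet the default is non-empty — now a certificate DN, `CN=admin, OU=NIFI`, rather than the previous LDAP username — so an LDAP deployment that does not explicitly clear `auth.admin` presumably never uses `ldap.initialAdmin`. Make that explicit on the value itself, e.g. `admin: CN=admin, OU=NIFI # Initial admin identity (certificate DN). Set to "" when LDAP should supply it via ldap.initialAdmin`. The tests/03-ldap-values.yaml fixture in this patch does not visibly clear it either.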
@@ -143,19 +143,19 @@ auth:
host: ldap://ldap-server.example.com:389
userSearchBase: ou=People,dc=example,dc=com
initialAdmin: nifiAdmin # LDAP account for initialize as admin user
- userSearchFilter: (memberOf=cn=nifi_users,ou=groups,dc=example,dc=com)
- userIdentityAttribute: uid
+ userSearchFilter: (objectClass=*) # (memberOf=cn=nifi_users,ou=groups,dc=example,dc=com)
+ userIdentityAttribute: # uid
authenticationStrategy: SIMPLE # How the connection to the LDAP server is authenticated. Possible values are ANONYMOUS, SIMPLE, LDAPS, or START_TLS.
identityStrategy: USE_USERNAME # USE_DN or USE_USERNAME
authExpiration: 12 hours
- groupSearchBase: ou=Groups,dc=example,dc=com
- groupObjectClass: groupOfNames
- referralStrategy: FOLLOW
- groupNameAttribute: cn
- groupMemberAttribute: member
+ groupSearchBase: # ou=Groups,dc=example,dc=com
+ groupObjectClass: group # groupOfNames
+ referralStrategy: IGNORE # FOLLOW
+ groupNameAttribute: # cn
+ groupMemberAttribute: # member
groupSearchScope: ONE_LEVEL # Search scope for searching groups (ONE_LEVEL, OBJECT, or SUBTREE). Required if searching groups.
userSearchScope: SUBTREE # Search scope for searching users (ONE_LEVEL, OBJECT, or SUBTREE). Required if searching users.
- userGroupNameAttribute: memberOf
+ userGroupNameAttribute: # memberOf
managerDN: uid=nifiAdmin,ou=People,dc=example,dc=com # account DN for connection to LDAP-server. You can set the property aka env var
managerPassword: changeMechangeMe # account password for connection to LDAP-server. You can set the property aka env var
providerUserSearchFilter: (uid={0})
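Review bot: `userIdentityAttribute:`, `groupSearchBase:`, `groupNameAttribute:`, `groupMemberAttribute:` and `userGroupNameAttribute:` are now bare keys followed only by a comment, which YAML reads as `null`; Helm treats null values specially, and a template that interpolates `{{.Values.auth.ldap.userIdentityAttribute}}` may render `<no value>` rather than an empty string. If an empty attribute is the intent, write `userIdentityAttribute: "" # e.g. uid` and likewise for the others. The new default `userSearchFilter: (objectClass=*)` also matches every entry beneath `userSearchBase`, so every object there is synchronised as a NiFi user identity; that is far broader than the previous memberOf filter and deserves a comment stating it is a permissive example to be narrowed per deployment. The `ldap:` mapping starts above the hunk.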
@@ -379,16 +379,16 @@ openshift:
ca:
## If true, enable the nifi-toolkit certificate authority
enabled: false
+ persistence:
+ enabled: true
+ server: "" # For example "nifi-ca.default.svc.{{ .Values.clusterDomain }}"
envFrom: []
image:
repository: apache/nifi-toolkit
- persistence:
- enabled: false
accessModes: [ReadWriteOnce]
storageClass : ''
initContainer:
image: busybox:1.32.0
- server: "" # For example "nifi-ca.default.svc.{{ .Values.clusterDomain }}"
service:
port: 9090
token: sixteenCharacters
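Review bot: `persistence.enabled` for the toolkit CA flips from `false` to `true` as a chart default, so anyone who enables the CA now gets a PersistentVolumeClaim they did not get before; the commit message does not mention this, and the change is easy to miss inside what otherwise looks like a reordering. Indentation is not preserved in this patch rendering, so it is worth checking that `accessModes: [ReadWriteOnce]` and `storageClass : ''` — context lines that used to follow the removed `persistence:` mapping — still sit under the mapping the templates read them from now that `persistence:` precedes `envFrom`, and that `server` landed at the `ca` level rather than under `persistence`. `storageClass : ''` also carries a space before the colon, which yamllint flags.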
@@ -409,7 +409,7 @@ certManager:
keystorePasswd: changeme
truststorePasswd: changeme
replaceDefaultTrustStore: false
- # For security reason, define secret aka source of env variable for keystorePassword and truststorePassword
+ # For security reason, define secret aka source of env variable for keystorePasswd and truststorePasswd
envFrom: {}
# - secretRef:
# name: test