From 712b889466abc858bd4f8d034c9b28f3e2bae3fd Mon Sep 17 00:00:00 2001 From: Sebastien Dupont Date: Sat, 22 Apr 2023 19:37:21 +0200 Subject: [PATCH] feature/enh290 Set OIDC clientSecret to be set via a secret Signed-off-by: Michael Dent --- README.md | 3 ++- configs/login-identity-providers-ldap.xml | 8 ++++---- templates/secret.yaml | 14 ++++++++++++++ templates/statefulset.yaml | 16 +++++++++++++++- values.yaml | 3 +++ 5 files changed, 38 insertions(+), 6 deletions(-) create mode 100644 templates/secret.yaml diff --git a/README.md b/README.md index d5c51035..c7046a20 100644 --- a/README.md +++ b/README.md @@ -153,7 +153,8 @@ The following table lists the configurable parameters of the nifi chart and the | `auth.oidc.enabled` | Enable User auth via oidc | `false` | | `auth.oidc.discoveryUrl` | oidc discover url | `https:///.well-known/openid-configuration` | | `auth.oidc.clientId` | oidc clientId | `nil` | -| `auth.oidc.clientSecret` | oidc clientSecret | `nil` | +| `auth.oidc.clientSecret` | oidc clientSecret (plaintext secret that could get stored in git, logs, etc.) | `nil` | +| `auth.oidc.existingSecret` | Name of an existing secret with the oidc clientSecret | `nil` | | `auth.oidc.claimIdentifyingUser` | oidc claimIdentifyingUser | `email` | | `auth.oidc.admin` | Default OIDC admin identity | `nifi@example.com` | | Note that OIDC authentication to a multi-NiFi-node cluster requires Ingress sticky sessions | See [background](https://community.cloudera.com/t5/Support-Questions/OIDC-With-Azure-AD/m-p/232324#M194163) | Also [how](https://kubernetes.github.io/ingress-nginx/examples/affinity/cookie/) | diff --git a/configs/login-identity-providers-ldap.xml b/configs/login-identity-providers-ldap.xml index 204d08a5..d34e5f7a 100644 --- a/configs/login-identity-providers-ldap.xml +++ b/configs/login-identity-providers-ldap.xml @@ -65,7 +65,7 @@ ldap-provider org.apache.nifi.ldap.LdapProvider - SIMPLE + {{.Values.auth.ldap.authStrategy}} {{.Values.auth.ldap.admin}} {{.Values.auth.ldap.pass}} /opt/nifi/nifi-current/conf/{{.Release.Name}}-nifi-0.{{.Release.Name}}-nifi-headless.{{.Release.Namespace}}.svc.cluster.local/keystore.jks @@ -83,8 +83,8 @@ 10 secs {{.Values.auth.ldap.host}} {{.Values.auth.ldap.searchBase}} - (cn={0}) + ({{.Values.auth.ldap.userIdentityAttribute}}={0}) {{.Values.auth.ldap.IdentityStrategy}} - 12 hours + {{.Values.auth.ldap.authExpiration}} - \ No newline at end of file + diff --git a/templates/secret.yaml b/templates/secret.yaml new file mode 100644 index 00000000..88cf6846 --- /dev/null +++ b/templates/secret.yaml @@ -0,0 +1,14 @@ +{{- if and .Values.auth.oidc.enabled (not (.Values.auth.oidc.existingSecret)) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "apache-nifi.fullname" . }}-oidc + labels: + app: {{ include "apache-nifi.name" . | quote }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} +data: + clientSecret: {{ .Values.auth.oidc.clientSecret | b64enc }} + +{{- end }} diff --git a/templates/statefulset.yaml b/templates/statefulset.yaml index 7a732024..4ea82576 100644 --- a/templates/statefulset.yaml +++ b/templates/statefulset.yaml @@ -146,7 +146,7 @@ spec: prop_replace nifi.security.user.authorizer managed-authorizer prop_replace nifi.security.user.oidc.discovery.url {{ .Values.auth.oidc.discoveryUrl }} prop_replace nifi.security.user.oidc.client.id {{ .Values.auth.oidc.clientId }} - prop_replace nifi.security.user.oidc.client.secret {{ .Values.auth.oidc.clientSecret }} + prop_replace nifi.security.user.oidc.client.secret $(cat /mnt/secrets/oidc/clientSecret) prop_replace nifi.security.user.oidc.claim.identifying.user {{ .Values.auth.oidc.claimIdentifyingUser }} xmlstarlet ed --inplace --delete "//authorizers/authorizer[identifier='single-user-authorizer']" "${NIFI_HOME}/conf/authorizers.xml" xmlstarlet ed --inplace --update "//authorizers/userGroupProvider/property[@name='Users File']" -v './auth-conf/users.xml' "${NIFI_HOME}/conf/authorizers.xml" @@ -523,6 +523,11 @@ spec: {{- end }} {{- end }} {{- end }} + {{- if .Values.auth.oidc.enabled }} + - name: oidc-secret + mountPath: /mnt/secrets/oidc + readOnly: true + {{- end }} {{- if .Values.certManager.enabled }} - name: "tls" mountPath: /opt/nifi/nifi-current/tls @@ -783,6 +788,15 @@ spec: - name: logs emptyDir: {} {{- end }} +{{- if .Values.auth.oidc.enabled }} + - name: oidc-secret + secret: + {{- if not .Values.auth.oidc.existingSecret }} + secretName: {{ template "apache-nifi.fullname" . }}-oidc + {{- else }} + secretName: {{ .Values.auth.oidc.existingSecret }} + {{- end }} +{{- end }} {{- if .Values.extraVolumes }} {{ toYaml .Values.extraVolumes | indent 6 }} {{- end }} diff --git a/values.yaml b/values.yaml index 158bdfed..0e290129 100644 --- a/values.yaml +++ b/values.yaml @@ -147,6 +147,9 @@ auth: discoveryUrl: #http://:/auth/realms//.well-known/openid-configuration clientId: # clientSecret: # + # try to use an existing secret that has been sourced from a key vault so the clientSecret isn't stored in plaintext + # if this is set then the clientSecret above is ignored. + existingSecret: claimIdentifyingUser: email admin: nifi@example.com ## Request additional scopes, for example profile