Expose OIDC configuration into values.yaml #463

Open
ggerla opened this issue Sep 17, 2024 · 5 comments · May be fixed by #464
Labels
community enhancement New feature or request

Comments

Contributor

ggerla commented Sep 17, 2024

Is your feature request related to a problem?

I need to configure OIDC for NiFi. In my case the nifikop Helm chart is a sub-chart, so I need to manage OIDC from external values in a more abstract way. In addition, the clientSecret should be managed as a true secret.

Describe the solution you'd like to see

Similar to singleUserConfiguration and ldapConfiguration, I would like to have a section like this:

```yaml
oidcConfiguration:
  discoveryUrl:
  clientId: <oidc client's id>
  clientSecret: <oidc client's secret>
  patternDn:
  valueDn: $1
  transformDn: NONE
```

Describe alternatives you've considered

The idea can be to change nifi-config-sc.yaml:

```yaml
.....
nifi.properties: |-
{{ if .Values.cluster.oidcConfiguration }}
    nifi.security.user.oidc.discovery.url={{ .Values.cluster.oidcConfiguration.discoveryUrl }}
    nifi.security.user.oidc.client.id={{ .Values.cluster.oidcConfiguration.clientId }}
    nifi.security.user.oidc.client.secret={{ .Values.cluster.oidcConfiguration.clientSecret }}
    nifi.security.identity.mapping.pattern.dn={{ .Values.cluster.oidcConfiguration.patternDn | default "CN=([^,])(?:, (?:O|OU)=.)?" }}
    nifi.security.identity.mapping.value.dn={{ .Values.cluster.oidcConfiguration.valueDn | default "$1" }}
    nifi.security.identity.mapping.transform.dn={{ .Values.cluster.oidcConfiguration.transformDn | default "NONE" }}
{{ end }}
{{ .Values.cluster.nifiProperties.overrideConfigs | b64enc | indent 4 }}
```

Additional context

No response

ggerla added the community and enhancement labels Sep 17, 2024
Member

mh013370 commented Sep 17, 2024

Since we support configuring LDAP in NiFi through a similar manner, I think this is a reasonable request. And I agree that sensitive values should be pulled from secrets and not provided in raw text in the values.yaml.

https://konpyutaika.github.io/nifikop/docs/5_references/1_nifi_cluster/#ldapconfiguration

Contributor Author

ggerla commented Sep 17, 2024

I was looking into the code. I think that the change can be done only in nifi-config-sc.yaml, using a clear clientSecret.
If we want to have a k8s secret to "hide" the clientSecret, then I think we also need to change the Go code.
Am I right?

@mh013370
Member

Yes, supporting a feature like this would require CRD changes and consequently code changes.

@mh013370
Member

That said, it's possible to configure OIDC right now through the following approach: https://konpyutaika.github.io/nifikop/docs/3_manage_nifi/1_manage_clusters/1_deploy_cluster/5_users_authentication/1_oidc

Contributor Author

ggerla commented Sep 17, 2024

Yes, I know, thanks. I'm already using this configuration.
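The concern raised in this thread, a clientSecret ending up in clear text in values.yaml or in a rendered nifi.properties, can be caught before deployment. The following is an added example, not nifikop code and not part of the original issue: a lint that scans rendered properties text for sensitive keys carrying literal values. The suffix list for sensitive keys, the `${VAR}` placeholder convention and the sample input are assumptions of this example.

```python
import re
import sys

# Keys treated as sensitive. The OIDC client secret is the key from this issue;
# the generic suffixes are an assumption of this example.
SENSITIVE = re.compile(
    r"(\.secret|passw(or)?d|^nifi\.sensitive\.props\.key)$", re.IGNORECASE
)
# A value of the form ${NAME} is taken to be a placeholder filled in at deploy
# time from a Kubernetes Secret (assumed convention), not a literal.
PLACEHOLDER = re.compile(r"^\$\{[A-Za-z_][A-Za-z0-9_]*\}$")

def parse_properties(text):
    """Yield (line_no, key, value) for each entry of Java-properties text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#!":  # blank line or comment
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            yield line_no, m.group(1), m.group(2).strip()

def plaintext_secrets(text):
    """Return (line_no, key) for sensitive keys that hold a literal value."""
    return [
        (line_no, key)
        for line_no, key, value in parse_properties(text)
        if SENSITIVE.search(key) and value and not PLACEHOLDER.match(value)
    ]

# Constructed sample of a rendered nifi.properties override (not from the issue).
SAMPLE = """\
# constructed sample
nifi.security.user.oidc.discovery.url=https://idp.example.test/.well-known/openid-configuration
nifi.security.user.oidc.client.id=nifi
nifi.security.user.oidc.client.secret=s3cr3t-in-clear
nifi.security.identity.mapping.value.dn=$1
nifi.security.keystorePasswd=${KEYSTORE_PASSWORD}
"""

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    findings = plaintext_secrets(text)
    for line_no, key in findings:
        print(f"line {line_no}: {key} is set to a literal value")
    sys.exit(1 if findings else 0)
```

Run it in CI on the output of the chart rendering step, so that a literal secret fails the build before the manifest reaches the cluster.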
