<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>question Re: NIFIs HTTPS requirements make running on k8s impossible- I'm probably misunderstanding it though in Support Questions</title>
    <link>https://community.cloudera.com/t5/Support-Questions/NIFIs-HTTPS-requirements-make-running-on-k8s-impossible-I-m/m-p/414324#M255379</link>
    <description>&lt;P&gt;Where is ssl terminating and how are you issuing the certs?&lt;/P&gt;&lt;P&gt;Are you terminating SSL at the nodes AND the LB? Are you issuing self-signed certs? I don't want users to see cert errors and I don't want to roll out a whole PKI just because NIFI is not configurable.&lt;BR /&gt;&lt;BR /&gt;I know I'm just beating a dead horse, but a more modern system would allow for this standard sort of config, I'm trying to find a workaround for NIFI:&lt;/P&gt;&lt;OL&gt;&lt;LI&gt;Nodes communicate via pre-shared key or some other mechanism decoupled from the APIs&lt;/LI&gt;&lt;LI&gt;The APIs are just set to HTTP and SSL terminates at the load balancer&lt;/LI&gt;&lt;/OL&gt;</description>
    <pubDate>Wed, 01 Jul 2026 16:28:55 GMT</pubDate>
    <dc:creator>red888</dc:creator>
    <dc:date>2026-07-01T16:28:55Z</dc:date>
    <item>
      <title>NIFIs HTTPS requirements make running on k8s impossible- I'm probably misunderstanding it though</title>
      <link>https://community.cloudera.com/t5/Support-Questions/NIFIs-HTTPS-requirements-make-running-on-k8s-impossible-I-m/m-p/414129#M254655</link>
      <description>&lt;P&gt;I think I might just be misunderstanding something, because it seems like NIFI requires HTTPS for intra cluster communication and uses the SAME HTTPS channel for external UI and API access?&lt;/P&gt;&lt;P&gt;I'm expecting to have intra cluster communication be separate from my load balancer/ingress. Meaning the nodes communicate securely with each other but I can set the API and UI to HTTP so I can terminate that at my load balancer- this is very standard practice.&lt;/P&gt;&lt;P&gt;What I think I'm seeing is NIFI uses the same HTTPS channel for both internal and external communication? That can't be right because there is no way I'm registering all my NIFI nodes with a public DNS domain.&lt;/P&gt;&lt;P&gt;But this can't be the case right? I should be able to set just the end user API and UI to HTTP and use a self signed cert for intra-node communication.&lt;/P&gt;&lt;P&gt;I can't even seem to be able to just disable HTTPS entirely, nifi's config is poorly documented and disabling HTTPS seems to break everything. I have this on a secured cluster and because this is k8s I have network policies and myriad other features available to secure them.&lt;/P&gt;&lt;P&gt;Its weird there are specific k8s features for nifi (k8s native instead of zookeeper) but it still seems trapped in this legacy model where it expects me to have a pet server for each node and manage them all manually.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 28 May 2026 13:56:52 GMT</pubDate>
      <guid>https://community.cloudera.com/t5/Support-Questions/NIFIs-HTTPS-requirements-make-running-on-k8s-impossible-I-m/m-p/414129#M254655</guid>
      <dc:creator>red888</dc:creator>
      <dc:date>2026-05-28T13:56:52Z</dc:date>
    </item>
    <item>
      <title>Re: NIFIs HTTPS requirements make running on k8s impossible- I'm probably misunderstanding it though</title>
      <link>https://community.cloudera.com/t5/Support-Questions/NIFIs-HTTPS-requirements-make-running-on-k8s-impossible-I-m/m-p/414263#M255230</link>
      <description>&lt;P&gt;Hello&amp;nbsp;&lt;a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/152993"&gt;@red888&lt;/a&gt;,&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks for reaching Cloudera Community, glad to have you here.&amp;nbsp;&lt;/P&gt;&lt;P&gt;NiFi does not support HTTPS and HTTP mixed, you will need to have only one.&amp;nbsp;&lt;BR /&gt;Is recommended HTTPS, HTTP is supported but in the newer versions due to all the security, login auth and more, is not the best idea as you will face issues like you have seen.&amp;nbsp;&lt;/P&gt;&lt;P&gt;NiFi will use the same HTTPS listner to communicate, this is used for the UI, REST API and node protocol traffic. All of these are HTTPS requests.&amp;nbsp;&lt;/P&gt;&lt;P&gt;About the names, you do not need to add public DNS names. The certs only need to have the SANs matching what the nodes uses to talk each other.&amp;nbsp;&lt;BR /&gt;In K8s is usually the pods DNS or service DNS.&amp;nbsp;&lt;/P&gt;&lt;P&gt;There is no much NiFi docs for K8s, but some are these:&amp;nbsp;&lt;BR /&gt;&lt;A href="https://nifi.apache.org/nifi-docs/administration-guide.html#kubernetes-clustering" target="_blank"&gt;https://nifi.apache.org/nifi-docs/administration-guide.html#kubernetes-clustering&lt;/A&gt;&amp;nbsp;&lt;BR /&gt;&lt;A href="https://nifi.apache.org/nifi-docs/administration-guide.html#kubernetes-configmap-cluster-state-provider" target="_blank"&gt;https://nifi.apache.org/nifi-docs/administration-guide.html#kubernetes-configmap-cluster-state-provider&lt;/A&gt;&amp;nbsp;&lt;BR /&gt;&lt;A href="https://nifi.apache.org/nifi-docs/administration-guide.html#kubernetes-nginx-ingress-controller" target="_blank"&gt;https://nifi.apache.org/nifi-docs/administration-guide.html#kubernetes-nginx-ingress-controller&lt;/A&gt;&amp;nbsp;&lt;BR /&gt;&lt;A href="https://nifi.apache.org/nifi-docs/administration-guide.html#cluster_node_properties" target="_blank"&gt;https://nifi.apache.org/nifi-docs/administration-guide.html#cluster_node_properties&lt;/A&gt;&amp;nbsp;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 17 Jun 2026 21:56:39 GMT</pubDate>
      <guid>https://community.cloudera.com/t5/Support-Questions/NIFIs-HTTPS-requirements-make-running-on-k8s-impossible-I-m/m-p/414263#M255230</guid>
      <dc:creator>vafs</dc:creator>
      <dc:date>2026-06-17T21:56:39Z</dc:date>
    </item>
    <item>
      <title>Re: NIFIs HTTPS requirements make running on k8s impossible- I'm probably misunderstanding it though</title>
      <link>https://community.cloudera.com/t5/Support-Questions/NIFIs-HTTPS-requirements-make-running-on-k8s-impossible-I-m/m-p/414264#M255231</link>
      <description>&lt;P&gt;&lt;a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/152993"&gt;@red888&lt;/a&gt;&amp;nbsp;How are you deploying nifi on k8s now?&amp;nbsp; &amp;nbsp;I am using our operators and deploying nifi w/ ssl is super easy!!&amp;nbsp;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 18 Jun 2026 14:07:03 GMT</pubDate>
      <guid>https://community.cloudera.com/t5/Support-Questions/NIFIs-HTTPS-requirements-make-running-on-k8s-impossible-I-m/m-p/414264#M255231</guid>
      <dc:creator>steven-matison</dc:creator>
      <dc:date>2026-06-18T14:07:03Z</dc:date>
    </item>
    <item>
      <title>Re: NIFIs HTTPS requirements make running on k8s impossible- I'm probably misunderstanding it though</title>
      <link>https://community.cloudera.com/t5/Support-Questions/NIFIs-HTTPS-requirements-make-running-on-k8s-impossible-I-m/m-p/414324#M255379</link>
      <description>&lt;P&gt;Where is ssl terminating and how are you issuing the certs?&lt;/P&gt;&lt;P&gt;Are you terminating SSL at the nodes AND the LB? Are you issuing self-signed certs? I don't want users to see cert errors and I don't want to roll out a whole PKI just because NIFI is not configurable.&lt;BR /&gt;&lt;BR /&gt;I know I'm just beating a dead horse, but a more modern system would allow for this standard sort of config, I'm trying to find a workaround for NIFI:&lt;/P&gt;&lt;OL&gt;&lt;LI&gt;Nodes communicate via pre-shared key or some other mechanism decoupled from the APIs&lt;/LI&gt;&lt;LI&gt;The APIs are just set to HTTP and SSL terminates at the load balancer&lt;/LI&gt;&lt;/OL&gt;</description>
      <pubDate>Wed, 01 Jul 2026 16:28:55 GMT</pubDate>
      <guid>https://community.cloudera.com/t5/Support-Questions/NIFIs-HTTPS-requirements-make-running-on-k8s-impossible-I-m/m-p/414324#M255379</guid>
      <dc:creator>red888</dc:creator>
      <dc:date>2026-07-01T16:28:55Z</dc:date>
    </item>
    <item>
      <title>Re: NIFIs HTTPS requirements make running on k8s impossible- I'm probably misunderstanding it though</title>
      <link>https://community.cloudera.com/t5/Support-Questions/NIFIs-HTTPS-requirements-make-running-on-k8s-impossible-I-m/m-p/414325#M255380</link>
      <description>&lt;P&gt;I think this is wrong, but maybe I'm being dumb or missing something obvious here:&lt;SPAN&gt;&amp;nbsp;"certs only need to have the SANs matching what the nodes uses to talk each other."&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;I DO need public DNS names if I don't want users to see cert errors though right? The certs don't _only_ need to match the node names they need to be issued from a trusted CA which requires the nodes to have public DNS names. This is the main issue.&lt;/SPAN&gt;&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;&lt;SPAN&gt;I can easily automate issuing self-signed certs for node communication (without having to deploy a whole PKI, DNS, letsencrypt, etc)&lt;/SPAN&gt;&lt;/LI&gt;&lt;LI&gt;&lt;SPAN&gt;BUT because NIFI uses the same channel for APIs users will see cert errors and I wont be able to terminate SSL at the LB&lt;/SPAN&gt;&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;&lt;SPAN&gt;Perhaps there is a way to issue self-signed certs AND terminate SSL at the LB with a different public cert and then maybe do some kind of redirect? Ultimately users would still be redirected to the URL with the self-signed cert and see errors though I think? I think the only way to do this is...&lt;/SPAN&gt;&lt;/P&gt;&lt;H3&gt;&lt;SPAN&gt;Drop SSL everywhere (but how ?)&lt;/SPAN&gt;&lt;/H3&gt;&lt;P&gt;&lt;SPAN&gt;I've been trying to just drop all security to make it all HTTP so I can terminate SSL at the LB, but this is really poorly documented and I haven't been able to actually get it to do everything HTTP. NIFI has so many of its internals super tightly coupled to HTTPS and there are so many individual configuration fields related to this.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Is there any known working config to just set it to HTTP everywhere?&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;I have it running on k8s and I can use security features of the cluster to lock it down instead. Hell I even gave it its own cluster so its even more isolated, I definitely don't need HTTPS for intra-node communication.&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 01 Jul 2026 16:48:18 GMT</pubDate>
      <guid>https://community.cloudera.com/t5/Support-Questions/NIFIs-HTTPS-requirements-make-running-on-k8s-impossible-I-m/m-p/414325#M255380</guid>
      <dc:creator>red888</dc:creator>
      <dc:date>2026-07-01T16:48:18Z</dc:date>
    </item>
  </channel>
</rss>

