I have been having some issues configuring Apache NiFi using an existing certificate.
My use case is:
I'm generating the truststore and the keystore from an existing tls.pem and tls.key that my ingress is using; from these I set the relevant TLS and OpenID configurations (I have created a custom image based on the official NiFi image).
Everything is working, although when I try to access the UI and the redirect to OpenID occurs, NiFi throws an exception. These are the last lines shown in nifi-user.log:
2021-07-22 09:58:05,814 INFO [NiFi Web Server-25] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (CN=MY-HOST) GET https://MY-HOST/nifi-api/flow/current-user (source ip: xx.xxx.xxx.xxx)
2021-07-22 09:58:05,815 INFO [NiFi Web Server-25] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=MY-HOST
2021-07-22 09:58:05,818 INFO [NiFi Web Server-25] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[CN=MY-HOST], groups does not have permission to access the requested resource. Unknown user with identity 'CN=MY-HOST'. Returning Forbidden response.
Although, according to this documentation:
NiFi’s web server will REQUIRE certificate based client authentication for users accessing the User Interface when not configured with an alternative authentication mechanism which would require one way SSL (for instance LDAP, OpenId Connect, etc). Enabling an alternative authentication mechanism will configure the web server to WANT certificate based client authentication. This will allow it to support users with certificates and those without that may be logging in with credentials. See User Authentication for more details.
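An added example (not from the thread or from NiFi itself) that correlates the three nifi-user.log events above per Jetty thread, so a reader can tell whether a Forbidden response came after a successful authentication (a missing access policy for that identity) or without one. The sample lines are constructed from the excerpt with the wrapped lines re-joined and a placeholder source IP.

```python
import re

# Constructed sample modelled on the nifi-user.log excerpt in the post, with the
# wrapped lines re-joined; the host and source IP are placeholders.
SAMPLE_LOG = """\
2021-07-22 09:58:05,814 INFO [NiFi Web Server-25] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (CN=MY-HOST) GET https://MY-HOST/nifi-api/flow/current-user (source ip: 10.0.0.1)
2021-07-22 09:58:05,815 INFO [NiFi Web Server-25] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=MY-HOST
2021-07-22 09:58:05,818 INFO [NiFi Web Server-25] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[CN=MY-HOST], groups does not have permission to access the requested resource. Unknown user with identity 'CN=MY-HOST'. Returning Forbidden response.
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<level>\w+) \[(?P<thread>[^\]]+)\] (?P<logger>\S+) (?P<msg>.*)$")
ATTEMPT_RE = re.compile(r"Attempting request for \((?P<identity>[^)]+)\) (?P<method>\w+) (?P<url>\S+) \(source ip: (?P<ip>[^)]+)\)")
SUCCESS_RE = re.compile(r"Authentication success for (?P<identity>.+)$")
DENIED_RE = re.compile(r"identity\[(?P<identity>[^\]]+)\], groups does not have permission")


def analyze_user_log(text):
    """Correlate the per-thread events and return one finding per Forbidden
    response: the identity, what it requested, and whether it had already passed
    authentication (so the gap is an access policy) or never did."""
    in_flight = {}   # thread -> fields from its "Attempting request" line
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        thread, msg = m.group("thread"), m.group("msg")
        a = ATTEMPT_RE.search(msg)
        if a:
            in_flight[thread] = dict(a.groupdict(), authenticated=False, ts=m.group("ts"))
            continue
        if SUCCESS_RE.search(msg) and thread in in_flight:
            in_flight[thread]["authenticated"] = True
            continue
        d = DENIED_RE.search(msg)
        if d:
            req = in_flight.pop(thread, {"identity": d.group("identity"), "authenticated": False})
            req["stage"] = "authorization" if req["authenticated"] else "authentication"
            findings.append(req)
    return findings


if __name__ == "__main__":
    for f in analyze_user_log(SAMPLE_LOG):
        print(f"{f['identity']} denied {f.get('method')} {f.get('url')} at {f['stage']} stage")
```

For the excerpt above this reports the identity CN=MY-HOST as denied at the authorization stage, i.e. the certificate was accepted but no policy grants that identity access to the requested resource.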
Are you using the version published by Cloudera? Please confirm exactly which platform version and whether this is the on-premises variant or in the public cloud.
After a lot of headaches and some tries, I finally discovered the issue: because I have nginx as my ingress, some headers are added to each request, and due to the "x-forward-.*" headers the request always returns an error. Although this is not yet an acceptable answer, I need a clear understanding of that before closing this issue.
I would always recommend you use the Cloudera distribution, as people like me are not able to troubleshoot the upstream distributions, and we do note that it is common for people to run into trouble when using upstream versions.
I am not sure about the exact time, but if you are interested in NiFi on K8s, then rather than trying to solve all the challenges yourself you may also want to look into how the Cloudera Data Platform attacks this challenge for everyone.