Configure StandardSSLContextService with password from environment variable

New Contributor

Hello community,

I would like to configure a StandardSSLContextService for Kafka to read the password for the keystore from an environment variable.

Sadly it is not possible to use the "Expression Language" for this sensitive property. 

Background: We are using an operator to provision Kafka users. The operator generates a Kubernetes secret with the keystore and keystore password. The Kubernetes secret is mounted into the NiFi container and can be referenced in the StandardSSLContextService. Currently we have to add the password for this keystore manually. But when the Kafka user certificate expires and is rotated, the password of the keystore changes too.
I am looking for a solution to read the password automatically, e.g. by setting it as an environment variable in NiFi.

Any idea how I could achieve this? Is there a mechanism I am missing?

Thank you a lot for your help,
Constantin 

1 ACCEPTED SOLUTION

Master Collaborator

To answer your question "is there a way to read a parameter from environment inside a parameter context?" No.

The way you want to manage the password at runtime is not possible.


3 REPLIES

Master Collaborator

It is not allowed to set a processor password property configuration through an environment variable or the variable registry. Values for passwords can be defined only through a parameter context, at processor group level in NiFi.

New Contributor

Thank you for the quick reply. 

As far as I see, this does not solve my problem. I could create a "Parameter Context", but I would have to hardcode the password as a parameter in the parameter context, right? Or is there a way to read a parameter from environment inside a parameter context?

Master Collaborator

To answer your question "is there a way to read a parameter from environment inside a parameter context?" No.

The way you want to manage the password at runtime is not possible.