I think I might just be misunderstanding something, because it seems like NIFI requires HTTPS for intra cluster communication and uses the SAME HTTPS channel for external UI and API access? I'm expecting to have intra cluster communication be separate from my load balancer/ingress. Meaning the nodes communicate securely with each other but I can set the API and UI to HTTP so I can terminate that at my load balancer- this is very standard practice. What I think I'm seeing is NIFI uses the same HTTPS channel for both internal and external communication? That can't be right because there is no way I'm registering all my NIFI nodes with a public DNS domain. But this can't be the case right? I should be able to set just the end user API and UI to HTTP and use a self signed cert for intra-node communication. I can't even seem to be able to just disable HTTPS entirely, nifi's config is poorly documented and disabling HTTPS seems to break everything. I have this on a secured cluster and because this is k8s I have network policies and myriad other features available to secure them. Its weird there are specific k8s features for nifi (k8s native instead of zookeeper) but it still seems trapped in this legacy model where it expects me to have a pet server for each node and manage them all manually.
... View more
