[cetic/nifi] can't login via nginx ingress url
shayki5 opened this issue · 4 comments
Describe the bug
Can't login when accessing via nginx ingress (can login via localhost).
I have my own ssl certificate in my ingress url so I guess it's related.
Version of Helm, Kubernetes and the Nifi chart:
Helm: 13.9.0
K8s: 1.21.7
Nifi chart: 1.1.1
What happened:
I configured a secured cluster with certManager enabled & single user authorization. when I try to access via loclahost (with port-forwarding) it working great.
But, when I try to login via my nginx ingress url i getting:
What you expected to happen:
Success to login.
How to reproduce it (as minimally and precisely as possible):
Install the helm chart with certManager true and nginx ingress.
Anything else we need to know:
Inside the pod I can see this error in nifi-user.log:
Caused by: org.springframework.security.oauth2.jwt.BadJwtException: An error occurred while attempting to decode the Jwt: Signed JWT rejected: Another algorithm expected, or no matching key(s) found
at org.springframework.security.oauth2.jwt.NimbusJwtDecoder.createJwt(NimbusJwtDecoder.java:180)
at org.springframework.security.oauth2.jwt.NimbusJwtDecoder.decode(NimbusJwtDecoder.java:137)
at org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider.getJwt(JwtAuthenticationProvider.java:97)
... 104 common frames omitted
Caused by: com.nimbusds.jose.proc.BadJOSEException: Signed JWT rejected: Another algorithm expected, or no matching key(s) found
at com.nimbusds.jwt.proc.DefaultJWTProcessor.process(DefaultJWTProcessor.java:357)
at com.nimbusds.jwt.proc.DefaultJWTProcessor.process(DefaultJWTProcessor.java:303)
at org.springframework.security.oauth2.jwt.NimbusJwtDecoder.createJwt(NimbusJwtDecoder.java:154)
... 106 common frames omitted
My relevant values.yaml:
replicaCount: 3
externalSecure: true
isNode: true
externalSecure: true
auth:
singleUser:
username: username
password: changemechangeme
certManager:
enabled: true
clusterDomain: cluster.local
keystorePasswd: changeme
truststorePasswd: changeme
replaceDefaultTrustStore: true
additionalDnsNames:
- localhost
- nifi.dev-tools.mycompany.com
ingress:
enabled: true
# className: nginx
annotations:
nginx.ingress.kubernetes.io/upstream-vhost: "localhost:8443"
nginx.ingress.kubernetes.io/proxy-redirect-from: "https://localhost:8443"
nginx.ingress.kubernetes.io/proxy-redirect-to: "https://nifi.dev-tools.mycompany.com"
kubernetes.io/tls-acme: "true"
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
tls:
- hosts:
- nifi.dev-tools.mycompany.com
secretName: nifi-ca
hosts:
- nifi.dev-tools.mycompany.com
path: /
I couldn't make it work with single username, but it's working me with keycloak as user management.
After I deployed keycloak in my cluster I configures the values.yaml to:
oidc:
enabled: true
discoveryUrl: http://keycloack.mycompany.com/realms/nifi/.well-known/openid-configuration
clientId: nifi
clientSecret: mysecret
claimIdentifyingUser: email
admin: myuser@mycompany.com
## Request additional scopes, for example profile
additionalScopes:
And to make it work need also to update the ingress settings (inside the values.yaml) and add the following annotations:
nginx.ingress.kubernetes.io/affinity: "cookie"
nginx.ingress.kubernetes.io/session-cookie-name: "hello-cookie"
nginx.ingress.kubernetes.io/session-cookie-expires: "1728000"
nginx.ingress.kubernetes.io/session-cookie-max-age: "1728000"
nginx.ingress.kubernetes.io/ssl-redirect: "false"
nginx.ingress.kubernetes.io/affinity-mode: persistent
nginx.ingress.kubernetes.io/session-cookie-hash: sha1
Now I can login the secured cluster with the user that I configured in the keycloak.
Any updates with this? I am experiencing the exact same issue.
Update: it's working for me now with single user in this Ingress configuration:|
ingress:
enabled: true
# className: nginx
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/upstream-vhost: "localhost:8443"
nginx.ingress.kubernetes.io/proxy-redirect-from: "https://localhost:8443"
nginx.ingress.kubernetes.io/proxy-redirect-to: "https://nifi.mycompany.com"
kubernetes.io/tls-acme: "true"
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
nginx.ingress.kubernetes.io/affinity: "cookie"
nginx.ingress.kubernetes.io/session-cookie-name: "hello-cookie"
nginx.ingress.kubernetes.io/session-cookie-expires: "17280000"
nginx.ingress.kubernetes.io/session-cookie-max-age: "17280000"
nginx.ingress.kubernetes.io/ssl-redirect: "false"
nginx.ingress.kubernetes.io/affinity-mode: persistent
nginx.ingress.kubernetes.io/session-cookie-hash: sha1
nginx.ingress.kubernetes.io/proxy-body-size: 50m
nginx.ingress.kubernetes.io/configuration-snippet: |
proxy_set_header 'X-ProxyScheme' 'https';
proxy_set_header 'X-ProxyPort' '443';
hosts:
- nifi.mycompany.com
path: /
I am experiencing the same issue when trying to configure an ingress path that is not /, however the above configuration doesn't help. What am I missing? Any help would be greatly appreciated.
My values.yaml.
Note: @shayki5 how did you managed to set kubernetes.io/tls-acme: "true" without an error? According to cert-manager/Securing Ingress Resources it needs additional configuration which is not present in the above comments. I have tried setting this up as well, but didn't resolve my issue.