juldrixx opened a new pull request, #7974:
URL: https://github.com/apache/nifi/pull/7974
…Identity method
# Summary
[NIFI-11288](https://issues.apache.org/jira/browse/NIFI-11288)
# Tracking
Please complete the following tracking steps prior to pull request creation.
### Issue Tracking
- [X] [Apache NiFi Jira](https://issues.apache.org/jira/browse/NIFI) issue created
### Pull Request Tracking
- [X] Pull Request title starts with Apache NiFi Jira issue number, such as `NIFI-0`
- [X] Pull Request commit message starts with Apache NiFi Jira issue number, such as `NIFI-0`
### Pull Request Formatting
- [X] Pull Request based on current revision of the `main` branch
- [X] Pull Request refers to a feature branch with one commit containing changes
# Verification
Please indicate the verification steps performed prior to pull request creation.
### Build
- [X] Build completed using `mvn clean install -P contrib-check`
- [X] JDK 21
### Licensing
- [ ] New dependencies are compatible with the [Apache License 2.0](https://apache.org/licenses/LICENSE-2.0) according to the [License Policy](https://www.apache.org/legal/resolved.html)
- [ ] New dependencies are documented in applicable `LICENSE` and `NOTICE` files
### Documentation
- [X] Documentation formatting appears as expected in rendered files
# How to test
1- Create an EKS cluster and an S3 bucket
```tf
# Input variables referenced by the resources below (declarations added so the
# configuration validates; supply values via tfvars or -var)
variable "region" {
  type = string
}

variable "cluster_name" {
  type = string
}

variable "vpc_cidr" {
  type = string
}

terraform {
  backend "s3" {
  }
}

provider "aws" {
  region = var.region
}

module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "~> 19.16"

  cluster_name    = var.cluster_name
  cluster_version = "1.28"

  vpc_id     = module.vpc.vpc_id
  subnet_ids = module.vpc.private_subnets

  cluster_endpoint_public_access = true

  eks_managed_node_groups = {
    initial = {
      instance_types = ["m5.large"]
      min_size       = 1
      max_size       = 5
      desired_size   = 4
    }
  }
}

# Filter out local zones, which are not currently supported
# with managed node groups
data "aws_availability_zones" "available" {
  filter {
    name   = "opt-in-status"
    values = ["opt-in-not-required"]
  }
}

locals {
  azs = slice(data.aws_availability_zones.available.names, 0, 3)
}

module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "~> 5.0"

  name = "${var.cluster_name}-vpc"
  cidr = var.vpc_cidr
  azs  = local.azs

  private_subnets = [for k, v in local.azs : cidrsubnet(var.vpc_cidr, 4, k)]
  public_subnets  = [for k, v in local.azs : cidrsubnet(var.vpc_cidr, 8, k + 48)]

  enable_nat_gateway   = true
  single_nat_gateway   = true
  enable_dns_hostnames = true

  public_subnet_tags = {
    "kubernetes.io/cluster/${var.cluster_name}" = "shared"
    "kubernetes.io/role/elb"                    = 1
  }

  private_subnet_tags = {
    "kubernetes.io/cluster/${var.cluster_name}" = "shared"
    "kubernetes.io/role/internal-elb"           = 1
  }
}

resource "aws_s3_bucket" "s3-bucket" {
  bucket = "my-s3-bucket-"

  tags = {
    Name = "Bucket for NIFI"
  }
}
```
2- Create an AWS policy to give access to S3
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": "*"
    }
  ]
}
```
3- Create an AWS role that allows the K8S service account to assume it and that has the previous policy attached
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam:::oidc-provider/oidc.eks.eu-west-3.amazonaws.com/id/"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.eu-west-3.amazonaws.com/id/:aud": "sts.amazonaws.com",
          "oidc.eks.eu-west-3.amazonaws.com/id/:sub": "system:serviceaccount:nifi:nifi"
        }
      }
    }
  ]
}
```
4- Create a K8S service account that will assume the role
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nifi
  namespace: nifi
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam:::role/
```
5- Create a NiFi cluster with a Pod and a Service to expose it
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: nifi
  namespace: nifi
  labels:
    app: nifi
spec:
  serviceAccountName: nifi
  containers:
    - name: nifi
      image:
      ports:
        -