Hi Ami,
Biased on the error you've got in the user log it looks like you've got
a local trust issue. If you could tell us what you've already tried,
someone might be able to help you a bit more.
Edward
On 27/04/2020 05:36, Ami Goldenberg wrote:
Hi,
We are trying to deploy NiFi on kubernetes after successfully using it
for a while.
The issue we are having is that every time we enter our nifi URL it
will redirect us to Google and once we sign in we just get
redirected again.
_The error I see on users.log is:_
o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT
token>) GET https://XXX.XXX.XXXX/nifi-api/flow/current-user (source
ip: 172.32.34.99)
2020-04-25T19:48:06.256605759Z 2020-04-25 19:48:05,983 ERROR [NiFi
Web Server-16] o.a.nifi.web.security.jwt.JwtService There was an error
validating the JWT
2020-04-25T19:48:06.256610178Z 2020-04-25 19:48:05,983 ERROR [NiFi Web
Server-16] o.a.nifi.web.security.jwt.JwtService Unable to validate
the access token.
2020-04-25T19:48:06.256613727Z Caused by: JWT signature does not
match locally computed signature. JWT validity cannot be asserted and
should not be trusted.
2020-04-25T19:48:06.256617124Z 2020-04-25 19:48:05,984 WARN [NiFi Web
Server-16] o.a.n.w.s.NiFiAuthenticationFilter Rejecting access to web
api:Unable to validate the access token.
_We're trying to follow practices from blogs and pvillard's repo:_
*
https://github.com/pvillard31/nifi-gcp-terraform/tree/master/gcp-cluster-secured-nifi-oidc
* https://bryanbende.com/development/2017/10/03/apache-nifi-openid-connect
* https://medium.com/swlh/operationalising-nifi-on-kubernetes-1a8e0ae16a6c
_Our set up is as such:_
* OIDC provider is Google
* TLS-toolkit running in server mode inside k8s
* StatefulSet of 3 replicas
* Zookeeper in K8s
* Ingress that is set up to create a load balancer in AWS - with
sticky sessions (based on cookie)
* Service that is set up with sessionAffinity: ClientIP
Any idea which direction I should be checking next?anks!