From ea2a95381b7784a1e0ec51c27ce3b207983de98e Mon Sep 17 00:00:00 2001 From: Malte Sander Date: Wed, 21 May 2025 18:45:34 +0200 Subject: [PATCH 01/12] move sensitive properties to own module --- rust/operator-binary/src/config/mod.rs | 14 ++- rust/operator-binary/src/crd/mod.rs | 69 +---------- .../src/crd/sensitive_properties.rs | 110 ++++++++++++++++++ 3 files changed, 125 insertions(+), 68 deletions(-) create mode 100644 rust/operator-binary/src/crd/sensitive_properties.rs diff --git a/rust/operator-binary/src/config/mod.rs b/rust/operator-binary/src/config/mod.rs index b075c495..1a542adf 100644 --- a/rust/operator-binary/src/config/mod.rs +++ b/rust/operator-binary/src/config/mod.rs @@ -20,7 +20,7 @@ use strum::{Display, EnumIter}; use crate::{ crd::{ HTTPS_PORT, NifiConfig, NifiConfigFragment, NifiRole, NifiStorageConfig, PROTOCOL_PORT, - v1alpha1, + sensitive_properties, v1alpha1, }, operations::graceful_shutdown::graceful_shutdown_config_properties, security::{ @@ -96,6 +96,9 @@ pub enum Error { #[snafu(display("failed to generate OIDC config"))] GenerateOidcConfig { source: oidc::Error }, + + #[snafu(display("failed to configure sensitive properties"))] + ConfigureSensitiveProperties { source: sensitive_properties::Error }, } /// Create the NiFi bootstrap.conf @@ -473,15 +476,20 @@ pub fn build_nifi_properties( "".to_string(), ); - let algorithm = &spec + let sensitive_properties_algorithm = &spec .cluster_config .sensitive_properties .algorithm .clone() .unwrap_or_default(); + + sensitive_properties_algorithm + .check_for_nifi_version(spec.image.product_version()) + .context(ConfigureSensitivePropertiesSnafu)?; + properties.insert( "nifi.sensitive.props.algorithm".to_string(), - algorithm.to_string(), + sensitive_properties_algorithm.to_string(), ); // key and trust store diff --git a/rust/operator-binary/src/crd/mod.rs b/rust/operator-binary/src/crd/mod.rs index 56ec1ced..cf769af3 100644 --- a/rust/operator-binary/src/crd/mod.rs 
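Review bot: In the `build_nifi_properties` hunk the new binding takes a reference to an owned temporary, `let sensitive_properties_algorithm = &spec…algorithm.clone().unwrap_or_default();`, which only compiles through temporary-lifetime extension and reads oddly next to the `&self` calls that follow; dropping the leading `&` and binding the owned value is the clearer form, `let sensitive_properties_algorithm = spec.cluster_config.sensitive_properties.algorithm.clone().unwrap_or_default();`. The check itself is placed correctly before the value is written into `nifi.sensitive.props.algorithm`, so a rejected algorithm never reaches the generated `nifi.properties`. `build_nifi_properties` starts and ends outside this hunk.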
+++ b/rust/operator-binary/src/crd/mod.rs @@ -1,10 +1,12 @@ pub mod affinity; pub mod authentication; +pub mod sensitive_properties; pub mod tls; use std::collections::BTreeMap; use affinity::get_affinity; +use sensitive_properties::NifiSensitivePropertiesConfig; use serde::{Deserialize, Serialize}; use snafu::{OptionExt, ResultExt, Snafu}; use stackable_operator::{ @@ -80,6 +82,8 @@ pub enum Error { #[versioned(version(name = "v1alpha1"))] pub mod versioned { + use super::sensitive_properties::NifiSensitivePropertiesConfig; + /// A NiFi cluster stacklet. This resource is managed by the Stackable operator for Apache NiFi. /// Find more information on how to use it and the resources that the operator generates in the /// [operator documentation](DOCS_BASE_URL_PLACEHOLDER/nifi/). 
@@ -340,71 +344,6 @@ impl CurrentlySupportedListenerClasses { } } -/// These settings configure the encryption of sensitive properties in NiFi processors. -/// NiFi supports encrypting sensitive properties in processors as they are written to disk. -/// You can configure the encryption algorithm and the key to use. -/// You can also let the operator generate an encryption key for you. -#[derive(Clone, Debug, Default, Deserialize, Eq, JsonSchema, PartialEq, Serialize)] -#[serde(rename_all = "camelCase")] -pub struct NifiSensitivePropertiesConfig { - /// A reference to a Secret. The Secret needs to contain a key `nifiSensitivePropsKey`. - /// If `autoGenerate` is false and this object is missing, the Operator will raise an error. - /// The encryption key needs to be at least 12 characters long. - pub key_secret: String, - - /// Whether to generate the `keySecret` if it is missing. - /// Defaults to `false`. - #[serde(default)] - pub auto_generate: bool, - - /// This is setting the `nifi.sensitive.props.algorithm` property in NiFi. - /// This setting configures the encryption algorithm to use to encrypt sensitive properties. - /// Valid values are: - /// - /// `nifiPbkdf2AesGcm256` (the default value), - /// `nifiArgon2AesGcm256`, - /// - /// The following algorithms are deprecated and will be removed in future versions: - /// - /// `nifiArgon2AesGcm128`, - /// `nifiBcryptAesGcm128`, - /// `nifiBcryptAesGcm256`, - /// `nifiPbkdf2AesGcm128`, - /// `nifiScryptAesGcm128`, - /// `nifiScryptAesGcm256`. - /// - /// Learn more about the specifics of the algorithm parameters in the - /// [NiFi documentation](https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#property-encryption-algorithms). 
- pub algorithm: Option, -} - -#[derive(strum::Display, Clone, Debug, Deserialize, Eq, JsonSchema, PartialEq, Serialize)] -#[serde(rename_all = "camelCase")] -pub enum NifiSensitiveKeyAlgorithm { - #[strum(serialize = "NIFI_ARGON2_AES_GCM_128")] - NifiArgon2AesGcm128, - #[strum(serialize = "NIFI_ARGON2_AES_GCM_256")] - NifiArgon2AesGcm256, - #[strum(serialize = "NIFI_BCRYPT_AES_GCM_128")] - NifiBcryptAesGcm128, - #[strum(serialize = "NIFI_BCRYPT_AES_GCM_256")] - NifiBcryptAesGcm256, - #[strum(serialize = "NIFI_PBKDF2_AES_GCM_128")] - NifiPbkdf2AesGcm128, - #[strum(serialize = "NIFI_PBKDF2_AES_GCM_256")] - NifiPbkdf2AesGcm256, - #[strum(serialize = "NIFI_SCRYPT_AES_GCM_128")] - NifiScryptAesGcm128, - #[strum(serialize = "NIFI_SCRYPT_AES_GCM_256")] - NifiScryptAesGcm256, -} - -impl Default for NifiSensitiveKeyAlgorithm { - fn default() -> Self { - Self::NifiArgon2AesGcm256 - } -} - #[derive(strum::Display, Clone, Debug, Deserialize, Eq, JsonSchema, PartialEq, Serialize)] #[serde(rename_all = "camelCase")] pub enum StoreType { diff --git a/rust/operator-binary/src/crd/sensitive_properties.rs b/rust/operator-binary/src/crd/sensitive_properties.rs new file mode 100644 index 00000000..013a9eef --- /dev/null +++ b/rust/operator-binary/src/crd/sensitive_properties.rs 
@@ -0,0 +1,110 @@ +use serde::{Deserialize, Serialize}; +use snafu::Snafu; +use stackable_operator::schemars::{self, JsonSchema}; + +#[derive(Snafu, Debug)] +pub enum Error { + #[snafu(display( + "The sensitive key algorithm '{algorithm}' is not supported in NiFi 2.X.X. Please see https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#updating-the-sensitive-properties-algorithm on how to upgrade the algorithm." + ))] + UnsupportedSensitivePropertiesAlgorithm { algorithm: String }, +} + +/// These settings configure the encryption of sensitive properties in NiFi processors. +/// NiFi supports encrypting sensitive properties in processors as they are written to disk. +/// You can configure the encryption algorithm and the key to use. +/// You can also let the operator generate an encryption key for you. +#[derive(Clone, Debug, Default, Deserialize, Eq, JsonSchema, PartialEq, Serialize)] +#[serde(rename_all = "camelCase")] +pub struct NifiSensitivePropertiesConfig { + /// A reference to a Secret. The Secret needs to contain a key `nifiSensitivePropsKey`. + /// If `autoGenerate` is false and this object is missing, the Operator will raise an error. + /// The encryption key needs to be at least 12 characters long. + pub key_secret: String, + + /// Whether to generate the `keySecret` if it is missing. + /// Defaults to `false`. + #[serde(default)] + pub auto_generate: bool, + + /// This is setting the `nifi.sensitive.props.algorithm` property in NiFi. + /// This setting configures the encryption algorithm to use to encrypt sensitive properties. + /// Valid values are: + /// + /// `nifiPbkdf2AesGcm256` (the default value), + /// `nifiArgon2AesGcm256`, + /// + /// The following algorithms are deprecated and will be removed in future versions: + /// + /// `nifiArgon2AesGcm128`, + /// `nifiBcryptAesGcm128`, + /// `nifiBcryptAesGcm256`, + /// `nifiPbkdf2AesGcm128`, + /// `nifiScryptAesGcm128`, + /// `nifiScryptAesGcm256`. 
+ /// + /// Learn more about the specifics of the algorithm parameters in the + /// [NiFi documentation](https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#property-encryption-algorithms). + pub algorithm: Option, +} + +#[derive(strum::Display, Clone, Debug, Deserialize, Eq, JsonSchema, PartialEq, Serialize)] +#[serde(rename_all = "camelCase")] +pub enum NifiSensitiveKeyAlgorithm { + // supported in v2 + #[strum(serialize = "NIFI_PBKDF2_AES_GCM_256")] + NifiPbkdf2AesGcm256, + // supported in v2 + #[strum(serialize = "NIFI_ARGON2_AES_GCM_256")] + NifiArgon2AesGcm256, + // Deprecated in v1 -> can be removed when 1.x.x is no longer supported + #[strum(serialize = "NIFI_BCRYPT_AES_GCM_128")] + NifiBcryptAesGcm128, + // Deprecated in v1 -> can be removed when 1.x.x is no longer supported + #[strum(serialize = "NIFI_BCRYPT_AES_GCM_256")] + NifiBcryptAesGcm256, + // Deprecated in v1 -> can be removed when 1.x.x is no longer supported + #[strum(serialize = "NIFI_PBKDF2_AES_GCM_128")] + NifiPbkdf2AesGcm128, + // Deprecated in v1 -> can be removed when 1.x.x is no longer supported + #[strum(serialize = "NIFI_ARGON2_AES_GCM_128")] + NifiArgon2AesGcm128, + // Deprecated in v1 -> can be removed when 1.x.x is no longer supported + #[strum(serialize = "NIFI_SCRYPT_AES_GCM_128")] + NifiScryptAesGcm128, + // Deprecated in v1 -> can be removed when 1.x.x is no longer supported + #[strum(serialize = "NIFI_SCRYPT_AES_GCM_256")] + NifiScryptAesGcm256, +} + +impl NifiSensitiveKeyAlgorithm { + pub fn check_for_nifi_version(&self, product_version: &str) -> Result { + let algorithm = self.to_string(); + + match self { + // Allowed and supported in NiFi 1.x.x and 2.x.x + NifiSensitiveKeyAlgorithm::NifiPbkdf2AesGcm256 + | NifiSensitiveKeyAlgorithm::NifiArgon2AesGcm256 => {} + // All others are deprecated in 1.x.x and removed in 2.x.x + _ => { + if product_version.starts_with("1.") { + tracing::warn!( + "You are using a deprecated sensitive key algorithm '{algorithm}'. 
Please update to '{pbkd}' or '{argon}'.", + pbkd = NifiSensitiveKeyAlgorithm::NifiPbkdf2AesGcm256, + argon = NifiSensitiveKeyAlgorithm::NifiArgon2AesGcm256 + ) + } else { + return Err(Error::UnsupportedSensitivePropertiesAlgorithm { algorithm }); + } + } + } + + Ok(algorithm) + } +} + +impl Default for NifiSensitiveKeyAlgorithm { + fn default() -> Self { + Self::NifiArgon2AesGcm256 + } +} From 48bfa5d3713a601f7c782b3e67f8bbd88d28cfbd Mon Sep 17 00:00:00 2001 From: Malte Sander Date: Wed, 21 May 2025 18:47:05 +0200 Subject: [PATCH 02/12] remove import --- rust/operator-binary/src/crd/mod.rs | 2 -- 1 file changed, 2 deletions(-) diff --git a/rust/operator-binary/src/crd/mod.rs b/rust/operator-binary/src/crd/mod.rs index cf769af3..54e3d526 100644 --- a/rust/operator-binary/src/crd/mod.rs +++ b/rust/operator-binary/src/crd/mod.rs @@ -82,8 +82,6 @@ pub enum Error { #[versioned(version(name = "v1alpha1"))] pub mod versioned { - use super::sensitive_properties::NifiSensitivePropertiesConfig; - /// A NiFi cluster stacklet. This resource is managed by the Stackable operator for Apache NiFi. /// Find more information on how to use it and the resources that the operator generates in the /// [operator documentation](DOCS_BASE_URL_PLACEHOLDER/nifi/). From cff6a55a052907fce861e2116b86e5c7d63da20e Mon Sep 17 00:00:00 2001 From: Malte Sander Date: Thu, 22 May 2025 09:38:32 +0200 Subject: [PATCH 03/12] remove return type --- rust/operator-binary/src/crd/sensitive_properties.rs | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/rust/operator-binary/src/crd/sensitive_properties.rs b/rust/operator-binary/src/crd/sensitive_properties.rs index 013a9eef..d3abfaac 100644 --- a/rust/operator-binary/src/crd/sensitive_properties.rs +++ b/rust/operator-binary/src/crd/sensitive_properties.rs 
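Review bot: The field documentation on `algorithm` in the new `sensitive_properties.rs` names `nifiPbkdf2AesGcm256` as "the default value", but `impl Default for NifiSensitiveKeyAlgorithm` at the end of the file returns `Self::NifiArgon2AesGcm256`, so the generated CRD description and the operator's actual default disagree; either `default()` should return `Self::NifiPbkdf2AesGcm256` or the doc line should become `/// `nifiArgon2AesGcm256` (the default value),`. Both variants are accepted by `check_for_nifi_version` for every version, so this is a documentation-correctness issue rather than a functional one. The `_ =>` arm in `check_for_nifi_version` treats every variant not explicitly listed as removed in 2.x; spelling out the six deprecated variants instead of the catch-all would make the compiler flag a newly added variant rather than silently rejecting it on 2.x clusters. The error message quotes the strum form (`NIFI_…`) produced by `self.to_string()` rather than the camelCase value users write in the NifiCluster spec, so including both spellings would make it easier to map the message back to the manifest.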
@@ -78,7 +78,9 @@ pub enum NifiSensitiveKeyAlgorithm { } impl NifiSensitiveKeyAlgorithm { - pub fn check_for_nifi_version(&self, product_version: &str) -> Result { + /// Checks if the used encryption algorithm is supported or deprecated. + /// Will warn for deprecation and error out for missing support. + pub fn check_for_nifi_version(&self, product_version: &str) -> Result<(), Error> { let algorithm = self.to_string(); match self { @@ -99,7 +101,7 @@ impl NifiSensitiveKeyAlgorithm { } } - Ok(algorithm) + Ok(()) } } From b83ea68cd378c23e2bd170ba47f20c3d41c61588 Mon Sep 17 00:00:00 2001 From: Malte Sander Date: Thu, 22 May 2025 09:41:41 +0200 Subject: [PATCH 04/12] add comment --- rust/operator-binary/src/crd/sensitive_properties.rs | 1 + 1 file changed, 1 insertion(+) diff --git a/rust/operator-binary/src/crd/sensitive_properties.rs b/rust/operator-binary/src/crd/sensitive_properties.rs index d3abfaac..decf4ada 100644 --- a/rust/operator-binary/src/crd/sensitive_properties.rs +++ b/rust/operator-binary/src/crd/sensitive_properties.rs @@ -88,6 +88,7 @@ impl NifiSensitiveKeyAlgorithm { NifiSensitiveKeyAlgorithm::NifiPbkdf2AesGcm256 | NifiSensitiveKeyAlgorithm::NifiArgon2AesGcm256 => {} // All others are deprecated in 1.x.x and removed in 2.x.x + // see https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#property-encryption-algorithms _ => { if product_version.starts_with("1.") { tracing::warn!( From 7d0c23135b56fea8f31e1beddd16d1a109627094 Mon Sep 17 00:00:00 2001 From: Malte Sander Date: Fri, 23 May 2025 16:09:34 +0200 Subject: [PATCH 05/12] fix flow.configuration.file properties for 1.x.x --- rust/operator-binary/src/config/mod.rs | 25 +++++++++++++++++-------- 1 file changed, 17 insertions(+), 8 deletions(-) diff --git a/rust/operator-binary/src/config/mod.rs b/rust/operator-binary/src/config/mod.rs index 1a542adf..6ace8439 100644 --- a/rust/operator-binary/src/config/mod.rs +++ b/rust/operator-binary/src/config/mod.rs 
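Review bot: The new doc comment on `check_for_nifi_version` does not say which product versions take which path, and the body's rule is easy to misread: deprecated algorithms only produce a warning when `product_version` starts with `"1."`, and every other version string returns `Err`. Suggest `/// Deprecated algorithms only log a warning when `product_version` starts with "1."; for any other version they are rejected with [`Error::UnsupportedSensitivePropertiesAlgorithm`].` plus an `# Errors` section naming that variant. With the return type now `Result<(), Error>`, `let algorithm = self.to_string();` is only needed on the warn and error paths, so it could move into the `_ =>` arm. The impl body continues outside the hunk.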
@@ -152,15 +152,24 @@ pub fn build_nifi_properties( // The nifi.flow.configuration.file property in nifi.properties must be changed to reference // "flow.json.gz" instead of "flow.xml.gz" // TODO: Remove once we dropped support for all 1.x.x versions - let flow_file_name = if product_version.starts_with("1.") { - "flow.xml.gz" + // TODO(malte): In order to use CLI tools like: ./bin/nifi.sh set-sensitive-properties-algorithm NIFI_PBKDF2_AES_GCM_256 + // we have to set both "nifi.flow.configuration.file" and "nifi.flow.configuration.json.file" in NiFi 1.x.x. + if product_version.starts_with("1.") { + properties.insert( + "nifi.flow.configuration.file".to_string(), + NifiRepository::Database.mount_path() + "/flow.xml.gz", + ); + properties.insert( + "nifi.flow.configuration.json.file".to_string(), + NifiRepository::Database.mount_path() + "/flow.json.gz", + ); } else { - "flow.json.gz" - }; - properties.insert( - "nifi.flow.configuration.file".to_string(), - NifiRepository::Database.mount_path() + "/" + flow_file_name, - ); + properties.insert( + "nifi.flow.configuration.file".to_string(), + NifiRepository::Database.mount_path() + "/flow.json.gz", + ); + } + properties.insert( "nifi.flow.configuration.archive.enabled".to_string(), "true".to_string(), From f3eb18eda3500c37010111e83c80aa06106c72af Mon Sep 17 00:00:00 2001 From: Malte Sander Date: Fri, 23 May 2025 16:10:29 +0200 Subject: [PATCH 06/12] add docs --- .../nifi/pages/usage_guide/security.adoc | 64 ++++++++++++++++++- 1 file changed, 61 insertions(+), 3 deletions(-) diff --git a/docs/modules/nifi/pages/usage_guide/security.adoc b/docs/modules/nifi/pages/usage_guide/security.adoc index 883ccebe..bdbe74c4 100644 --- a/docs/modules/nifi/pages/usage_guide/security.adoc +++ b/docs/modules/nifi/pages/usage_guide/security.adoc 
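Review bot: Both branches of the new `if product_version.starts_with("1.")` insert `nifi.flow.configuration.file` and differ only in the file name plus the extra JSON property for 1.x, so the original `flow_file_name` binding and single insert could stay and the 1.x-only addition become a guarded insert: `if product_version.starts_with("1.") { properties.insert("nifi.flow.configuration.json.file".to_string(), NifiRepository::Database.mount_path() + "/flow.json.gz"); }`. That keeps one place where the flow file path is built and avoids the duplicated `NifiRepository::Database.mount_path()` calls. The `TODO(malte)` comment explains the motivation well; folding it into the existing `TODO: Remove once we dropped support for all 1.x.x versions` would make it clear both go away together. `build_nifi_properties` starts and ends outside this hunk.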
@@ -374,7 +374,7 @@ If `autoGenerate` is false and no Secret with the given name in `keySecret` is f The `algorithm` property configures the encryption algorithm used to encrypt the sensitive properties. Consult the {crd-docs}/nifi.stackable.tech/nificluster/v1alpha1/#spec-clusterConfig-sensitiveProperties-algorithm[reference documentation {external-link-icon}^] for a list of supported algorithms. -=== Autogenerated key example +=== Autogenerated sensitive properties key Let the operator generate a Secret with the name `nifi-sensitive-property-key`: @@ -385,7 +385,7 @@ sensitiveProperties: autoGenerate: true ---- -=== Custom key and encryption algorithm example +=== Custom sensitive properties key and sensitive properties algorithm Create the Secret yourself: @@ -399,7 +399,7 @@ stringData: nifiSensitivePropsKey: my-encryption-key ---- -Configure the Secret and a different encryption algrithm: +Configure the Secret and a different sensitive properties algorithm: [source,yaml] ---- 
@@ -408,6 +408,64 @@ sensitiveProperties: algorithm: nifiArgon2AesGcm256 ---- +=== Upgrading sensitive properties algorithm + +WARNING: Please make sure to backup any flows before upgrading the sensitive properties algorithm! + +The sensitive properties algorithm can be changed via the `nifi.sh` CLI tool as described in the https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#updating-the-sensitive-properties-algorithm[Apache NiFi documentation]. + +Assuming the you deployed a cluster like: + +[source,yaml] +---- +sensitiveProperties: + keySecret: nifi-sensitive-property-key + algorithm: nifiArgon2AesGcm256 +---- + +If you want to change the algorithm to `nifiPbkdf2AesGcm256`, you have to run the following command on each node: + +[source,bash] +---- +/stackable/nifi/bin/nifi.sh set-sensitive-properties-algorithm NIFI_PBKDF2_AES_GCM_256 +---- + +NOTE: Be careful with the notation used in the NiFiCluster `nifiPbkdf2AesGcm256` versus the setting in the NiFi CLI `NIFI_PBKDF2_AES_GCM_256`! 
+ +Or use this shell script to automatically execute this in each pod via `kubectl` (make sure to edit the `NAMESPACE` and `STATEFULSET_NAME` accordingly): + +[source,bash] +---- +NAMESPACE="default" +STATEFULSET_NAME="simple-nifi-node-default" +COMMAND="/stackable/nifi/bin/nifi.sh set-sensitive-properties-algorithm NIFI_PBKDF2_AES_GCM_256" + +kubectl get pods -n "$NAMESPACE" --no-headers -o custom-columns=":metadata.name" | grep "^$STATEFULSET_NAME" | \ +while read pod; do + echo "Running on $pod" + kubectl exec -n "$NAMESPACE" -c "nifi" "$pod" -- sh -c "$COMMAND" +done +---- + +Afterwards, update your NiFiCluster to the required algorithm `nifiPbkdf2AesGcm256`: + +[source,yaml] +---- +sensitiveProperties: + keySecret: nifi-sensitive-property-key + algorithm: nifiPbkdf2AesGcm256 +---- + +Finally, apply the updated NiFiCluster and restart / delete the StatefulSet: + +[source,bash] +---- +kubectl apply -n "$NAMESPACE" -f +kubectl delete -n "$NAMESPACE" statefulsets ${STATEFULSET_NAME} +---- + + + [#host-header-check] == Host Header Check NiFi checks the host header of incoming requests and rejects them if they are passing through a proxy that is not on an allow-list configured in the `nifi.web.proxy.host` property. From 0df70ab70aaab703904a721e8340b462ed17e640 Mon Sep 17 00:00:00 2001 From: Malte Sander Date: Fri, 23 May 2025 16:22:03 +0200 Subject: [PATCH 07/12] fix warn / error message to be consistent --- rust/operator-binary/src/crd/sensitive_properties.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rust/operator-binary/src/crd/sensitive_properties.rs b/rust/operator-binary/src/crd/sensitive_properties.rs index decf4ada..affc9c4f 100644 --- a/rust/operator-binary/src/crd/sensitive_properties.rs +++ b/rust/operator-binary/src/crd/sensitive_properties.rs 
@@ -5,7 +5,7 @@ use stackable_operator::schemars::{self, JsonSchema}; #[derive(Snafu, Debug)] pub enum Error { #[snafu(display( - "The sensitive key algorithm '{algorithm}' is not supported in NiFi 2.X.X. Please see https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#updating-the-sensitive-properties-algorithm on how to upgrade the algorithm." + "The sensitive properties algorithm '{algorithm}' is not supported in NiFi 2.X.X. Please see https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#updating-the-sensitive-properties-algorithm on how to upgrade the algorithm." ))] UnsupportedSensitivePropertiesAlgorithm { algorithm: String }, } @@ -92,7 +92,7 @@ impl NifiSensitiveKeyAlgorithm { _ => { if product_version.starts_with("1.") { tracing::warn!( - "You are using a deprecated sensitive key algorithm '{algorithm}'. Please update to '{pbkd}' or '{argon}'.", + "You are using a deprecated sensitive properties algorithm '{algorithm}'. Please update to '{pbkd}' or '{argon}'.", pbkd = NifiSensitiveKeyAlgorithm::NifiPbkdf2AesGcm256, argon = NifiSensitiveKeyAlgorithm::NifiArgon2AesGcm256 ) From 799b2c42ed1ad02301174fe4efbca51e6d12ca5d Mon Sep 17 00:00:00 2001 From: Malte Sander Date: Fri, 23 May 2025 16:24:16 +0200 Subject: [PATCH 08/12] reference nifi pod instead of node --- docs/modules/nifi/pages/usage_guide/security.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/modules/nifi/pages/usage_guide/security.adoc b/docs/modules/nifi/pages/usage_guide/security.adoc index bdbe74c4..ea4afff6 100644 --- a/docs/modules/nifi/pages/usage_guide/security.adoc +++ b/docs/modules/nifi/pages/usage_guide/security.adoc 
@@ -423,7 +423,7 @@ sensitiveProperties: algorithm: nifiArgon2AesGcm256 ---- -If you want to change the algorithm to `nifiPbkdf2AesGcm256`, you have to run the following command on each node: +If you want to change the algorithm to `nifiPbkdf2AesGcm256`, you have to run the following command on each NiFi Pod: [source,bash] ---- From 18537bd85cd51935461df4be863005bd14c7d054 Mon Sep 17 00:00:00 2001 From: Malte Sander Date: Fri, 23 May 2025 16:28:13 +0200 Subject: [PATCH 09/12] regenerate charts --- deploy/helm/nifi-operator/crds/crds.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deploy/helm/nifi-operator/crds/crds.yaml b/deploy/helm/nifi-operator/crds/crds.yaml index fec50157..e67acd7d 100644 --- a/deploy/helm/nifi-operator/crds/crds.yaml +++ b/deploy/helm/nifi-operator/crds/crds.yaml @@ -159,12 +159,12 @@ spec: Learn more about the specifics of the algorithm parameters in the [NiFi documentation](https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#property-encryption-algorithms). enum: - - nifiArgon2AesGcm128 + - nifiPbkdf2AesGcm256 - nifiArgon2AesGcm256 - nifiBcryptAesGcm128 - nifiBcryptAesGcm256 - nifiPbkdf2AesGcm128 - - nifiPbkdf2AesGcm256 + - nifiArgon2AesGcm128 - nifiScryptAesGcm128 - nifiScryptAesGcm256 nullable: true From 03fa753ca7c52efb1fea6a53450037dad67358c2 Mon Sep 17 00:00:00 2001 From: Malte Sander Date: Fri, 23 May 2025 16:29:53 +0200 Subject: [PATCH 10/12] adapted changelog --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1ec44e88..c7baa238 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -29,6 +29,7 @@ All notable changes to this project will be documented in this file. - Use `json` file extension for log files ([#774]). - Fix a bug where changes to ConfigMaps that are referenced in the NifiCluster spec didn't trigger a reconciliation ([#772]). +- The operator now emits a warning (1.x.x) or errors out (2.x.x) if a deprecated or unsupported sensitive properties algorithm is used ([#799]). ### Removed @@ -43,6 +44,7 @@ All notable changes to this project will be documented in this file. [#785]: https://github.com/stackabletech/nifi-operator/pull/785 [#787]: https://github.com/stackabletech/nifi-operator/pull/787 [#789]: https://github.com/stackabletech/nifi-operator/pull/789 +[#799]: https://github.com/stackabletech/nifi-operator/pull/799 ## [25.3.0] - 2025-03-21 From f33b589520ce80fd8816bb16c35f771aa8df0f89 Mon Sep 17 00:00:00 2001 From: Malte Sander Date: Tue, 27 May 2025 18:11:01 +0200 Subject: [PATCH 11/12] fixes --- rust/operator-binary/src/config/mod.rs | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/rust/operator-binary/src/config/mod.rs b/rust/operator-binary/src/config/mod.rs index 47987aa8..f01596b5 100644 --- a/rust/operator-binary/src/config/mod.rs +++ b/rust/operator-binary/src/config/mod.rs @@ -20,8 +20,7 @@ use strum::{Display, EnumIter}; use crate::{ crd::{ HTTPS_PORT, NifiConfig, NifiConfigFragment, NifiRole, NifiStorageConfig, PROTOCOL_PORT, - sensitive_properties, v1alpha1, - v1alpha1::{self, NifiClusteringBackend}, + sensitive_properties, v1alpha1, v1alpha1::NifiClusteringBackend, }, operations::graceful_shutdown::graceful_shutdown_config_properties, security::{ From a31baa42ef65d75af05c85177e6508929fdf84a7 Mon Sep 17 00:00:00 2001 
From: Malte Sander Date: Wed, 28 May 2025 12:53:26 +0200 Subject: [PATCH 12/12] Apply suggestions from code review Co-authored-by: Andrew Kenworthy <1712947+adwk67@users.noreply.github.com> --- docs/modules/nifi/pages/usage_guide/security.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/modules/nifi/pages/usage_guide/security.adoc b/docs/modules/nifi/pages/usage_guide/security.adoc index ea4afff6..9cb85311 100644 --- a/docs/modules/nifi/pages/usage_guide/security.adoc +++ b/docs/modules/nifi/pages/usage_guide/security.adoc @@ -414,7 +414,7 @@ WARNING: Please make sure to backup any flows before upgrading the sensitive pro The sensitive properties algorithm can be changed via the `nifi.sh` CLI tool as described in the https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#updating-the-sensitive-properties-algorithm[Apache NiFi documentation]. -Assuming the you deployed a cluster like: +Assuming that you deployed a cluster with this: [source,yaml] ---- @@ -432,7 +432,7 @@ If you want to change the algorithm to `nifiPbkdf2AesGcm256`, you have to run th NOTE: Be careful with the notation used in the NiFiCluster `nifiPbkdf2AesGcm256` versus the setting in the NiFi CLI `NIFI_PBKDF2_AES_GCM_256`! -Or use this shell script to automatically execute this in each pod via `kubectl` (make sure to edit the `NAMESPACE` and `STATEFULSET_NAME` accordingly): +Alternatively, you can use this shell script to automatically execute this in each pod via `kubectl` (make sure to edit the `NAMESPACE` and `STATEFULSET_NAME` accordingly): [source,bash] ----