Configuring NiFi Web UI connection
Learn about configuring a connection to the NiFi web UI.
You can configure a connection to the NiFi Web UI
using the spec.uiConnection field. It is a standard
connection field with special validation and handling. The name of this
connection is always ignored and set to [***CR NAME***]-web. For Ingress
type connections, a maximum of one path may be specified. When you configure a
uiConnection, the spec.hostname field is required.
The uiConnection can support hostname routing with and without an additional context path. It is not recommended to use a context path for routing as NiFi does not support it well, but it is possible. For more information, see NiFi documentation on proxy configuration. An example using ingress-nginx is included in this section.
Hostname-only ingress example
Learn about configuring an Ingress resource using TLS files generated by Cloudera Flow Management Operator for Kubernetes.
This YAML snippet configures an Ingress resource for accessing the NiFi Web UI. It uses the TLS files generated by a Cloudera Flow Management Operator for Kubernetes created Certificate as defined in
spec.security.ingressCertGen. The supplied annotations are for the
ingress-nginx Ingress controller. The affinity settings enable a persistent session so that UI
interactions go to the same NiFi node in the cluster. The
backend-protocol setting is needed for when NiFi is
configured to be secure, as it will reject any non-HTTPS connection attempts.
spec:
uiConnection:
type: Ingress
ingressConfig:
ingressClassName: myIngressClass
ingressTLS:
- hosts:
- nifi.localhost
secretName: mynifi-ingress-cert
annotations:
nginx.ingress.kubernetes.io/affinity: cookie
nginx.ingress.kubernetes.io/affinity-mode: persistent
nginx.ingress.kubernetes.io/backend-protocol: HTTPS
Hostname-only route example
Learn about configuring a Route resource to acces the NiFi web UI.
This YAML snippet configures a Route resource for accessing the NiFi web UI.
spec:
uiConnection:
type: Route
routeConfig:
tls:
termination: passthrough
Ingress with context path example
Learn about configuring an Ingress resource that rewrites the connection path in incoming requests and does a reverse-rewrite on UI calls going to the backend.
This YAML code snippet configures an ingress UI Connection with a path. The annotations here are for the ingress-nginx ingress controller and all are required for NiFi to correctly understand the incoming requests.
In the example the path includes some regex at the end: (/|$)(.*). This regex
informs the rewrite directives in the configuration-snippet and rewrite-target annotations.
NiFi does not handle proxy paths well, it does not
understand that https://nifi.localhost/some/path/to/nifi
coming through the defined Ingress is intended to call the /nifi API to load the UI. The rewrite-target
annotation addresses this by capturing the /nifi and anything that comes after and sends that as the
path to the NiFi pod. It translates
/some/path/to/nifi/ to
/nifi/. Similarly, the NiFi web UI does not correctly form API calls going to the
backend, attempting to call /nifi/
instead of /some/path/to/nifi/. This
is addressed by the configuration-snippet rewrite instruction. It does the reverse of the
rewrite-target, reapplying the removed context path /some/path/to. The
remaining configuration-snippet lines are headers required by a NiFi behind a proxy. For more information, see the NiFi
System Administrator’s Guide.
spec:
uiConnection:
type: Ingress
ingressConfig:
ingressClassName: myIngressClass
ingressTLS:
- hosts:
- nifi.localhost
secretName: mynifi-ingress-cert
paths:
- port: 8443
path: "/some/path/to(/|$)(.*)"
annotations:
nginx.ingress.kubernetes.io/affinity: cookie
nginx.ingress.kubernetes.io/affinity-mode: persistent
nginx.ingress.kubernetes.io/backend-protocol: HTTPS
nginx.ingress.kubernetes.io/configuration-snippet: |-
proxy_set_header X-ProxyScheme $scheme;
proxy_set_header X-ProxyHost $host;
proxy_set_header X-ProxyPort $server_port;
proxy_set_header X-ProxyContextPath /some/path/to;
rewrite (.*\/nifi)$ $1/ redirect;
proxy_ssl_name mynifi.default.svc.cluster.local;
nginx.ingress.kubernetes.io/rewrite-target: /$2
