Configuration

The Cloudera Flow Management Kubernetes Operator for Apache NiFi has two methods of providing FIPS-compliant security providers to the NiFi JVM: rebuilding the image, or mounting the providers from a volume.

Image rebuild

This is the recommended method of enabling FIPS if you have the infrastructure to support it: it requires no runtime configuration, and flow developer teams simply reference the new FIPS-enabled image.

You can provide all required JVM security provider information directly to the cfm-nifi-k8s and cfm-nifiregistry-k8s images via an image rebuild. With this method, you create a Dockerfile that modifies the images you pulled from Cloudera before pushing them to your internal registry.

  1. In a directory, place the provider jars, the provider definition file, and the optional Java policy file.

    $ ls
    additional-java-policy.txt  additional-security-providers.txt  bctls.jar  ccj-3.0.2.1.jar
  2. Create a Dockerfile. The COPY and ENV lines below rely on NIFI_HOME being set by the base image.
    # Use args to parameterize this Dockerfile for reuse
    ARG CFM_NIFI_K8S_BASE_IMAGE=container.repository.cloudera.com/cloudera/cfm-nifi-k8s
    ARG CFM_NIFI_K8S_BASE_TAG=2.9.0-b96-nifi_1.27.0.2.3.14.0-14
    
    FROM ${CFM_NIFI_K8S_BASE_IMAGE}:${CFM_NIFI_K8S_BASE_TAG} AS nifi-k8s
    
    # Copy the required files
    COPY bctls.jar ccj-3.0.2.1.jar $NIFI_HOME/lib/
    COPY additional-java-policy.txt additional-security-providers.txt $NIFI_HOME/conf/
    
    # Configure environment variables to point to the provided files
    ENV PROVIDER_JAR_PATH="$NIFI_HOME/lib/ccj-3.0.2.1.jar:$NIFI_HOME/lib/bctls.jar"
    ENV JAVA_POLICY_PATH="$NIFI_HOME/conf/additional-java-policy.txt"
    ENV SECURITY_PROVIDERS_PATH="$NIFI_HOME/conf/additional-security-providers.txt"
    
    # Configure the keystore type
    ENV KEYSTORE_TYPE=BCFKS
    
    # Specify the security provider class
    ENV KEYSTORE_PROVIDER_CLASS=com.safelogic.cryptocomply.jcajce.provider.CryptoComplyFipsProvider
  3. Build the new image.
    docker build -t <your-registry>/cloudera/cfm-nifi-k8s:2.9.0-b96-nifi_1.27.0.2.3.14.0-14-fips .
    docker push <your-registry>/cloudera/cfm-nifi-k8s:2.9.0-b96-nifi_1.27.0.2.3.14.0-14-fips
    

Using volumes

Using volumes, security providers can be configured at deploy time using the standard cfm-nifi-k8s and cfm-nifiregistry-k8s images provided by Cloudera. Before deploying NiFi or NiFi Registry, create a volume that supports RWX (ReadWriteMany: a single claim is mounted by every pod of the StatefulSet) and populate it with the required files:

  • Security provider jars

  • Security provider definition file

  • Additional Java policy

  1. In your Nifi or NifiRegistry resource YAML, add the following to mount the volume:

    spec:
      statefulset:
        volumes:
        - name: fips-providers
          persistentVolumeClaim:
            claimName: [***RWX VOLUME CLAIM***]
        volumeMounts:
        - name: fips-providers
          mountPath: /opt/nifi/fips-providers
  2. Reference the provided files, the keystore type, and the keystore provider class:

    spec:
      security:
        jvmSecurityProviderInfo:
          # List of provider jars in classpath format
          providerJarPath: "/opt/nifi/fips-providers/ccj-3.0.2.1.jar:/opt/nifi/fips-providers/bctls.jar"
          # Class providing the keystore implementation
          providerClass: com.safelogic.cryptocomply.jcajce.provider.CryptoComplyFipsProvider
          # Keystore format
          keystoreType: BCFKS
          # Path to security providers definition
          securityProvidersPath: /opt/nifi/fips-providers/additional-security-providers.txt
          # Path to additional Java policy
          javaPolicyPath: /opt/nifi/fips-providers/additional-java-policy.txt
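Both methods start from the same directory of provider files, and both take a hand-typed colon-separated jar path that can silently drift from what is actually in that directory. The POSIX shell helpers below are an added example, not part of the Cloudera documentation or of the operator: they check that the directory holds at least one jar plus both text files named in the procedures above, generate the jar path string for PROVIDER_JAR_PATH (image rebuild) or providerJarPath (volumes) from the real filenames under whatever prefix the jars will have inside the container, and print sha256 digests of the jars so the exact FIPS provider binaries that were reviewed can be pinned. The layout of the directory, the prefix argument, and the empty placeholder jars in the demo are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the Cloudera documentation or the operator:
# helpers for preparing the provider directory that both the image-rebuild
# and volume methods start from.
#
# Assumptions (not stated on the page): the directory holds only the
# provider jars that belong on the JVM classpath plus the two text files
# named in the procedure, and the caller supplies the path prefix at which
# the jars will be visible inside the container, e.g.
# /opt/nifi/fips-providers for a mounted volume or $NIFI_HOME/lib after an
# image rebuild.

# check_provider_dir DIR
# Succeeds only if DIR contains at least one .jar plus a non-empty
# additional-security-providers.txt and additional-java-policy.txt.
# Reports every missing item so one run shows everything to fix.
check_provider_dir() {
    dir=$1
    status=0
    for f in additional-security-providers.txt additional-java-policy.txt; do
        if [ ! -s "$dir/$f" ]; then
            echo "missing or empty: $dir/$f" >&2
            status=1
        fi
    done
    set -- "$dir"/*.jar
    if [ ! -f "$1" ]; then
        echo "no provider jars found in $dir" >&2
        status=1
    fi
    return "$status"
}

# provider_jar_path DIR PREFIX
# Prints the colon-separated classpath string expected by PROVIDER_JAR_PATH
# (image rebuild) and providerJarPath (volumes), with every jar in DIR
# rewritten under PREFIX. Glob expansion sorts the names, so the string is
# stable and easy to compare with what is actually deployed.
provider_jar_path() {
    dir=$1
    prefix=$2
    path=""
    for jar in "$dir"/*.jar; do
        [ -f "$jar" ] || { echo "no provider jars found in $dir" >&2; return 1; }
        name=$(basename "$jar")
        path="${path:+$path:}$prefix/$name"
    done
    printf '%s\n' "$path"
}

# jar_digests DIR
# Prints "sha256  filename" for each jar, in the format sha256sum -c accepts,
# so the exact provider binaries baked into the image or copied onto the
# volume can be pinned and re-verified later.
jar_digests() {
    dir=$1
    for jar in "$dir"/*.jar; do
        [ -f "$jar" ] || continue
        if command -v sha256sum >/dev/null 2>&1; then
            sum=$(sha256sum "$jar" | cut -d' ' -f1)
        elif command -v shasum >/dev/null 2>&1; then
            sum=$(shasum -a 256 "$jar" | cut -d' ' -f1)
        else
            sum=$(openssl dgst -sha256 -r "$jar" | cut -d' ' -f1)
        fi
        printf '%s  %s\n' "$sum" "$(basename "$jar")"
    done
}

# Demonstration on a constructed directory: the jars are empty placeholders,
# not real provider binaries.
demo() {
    d=$(mktemp -d)
    : > "$d/ccj-3.0.2.1.jar"
    : > "$d/bctls.jar"
    echo "placeholder provider list" > "$d/additional-security-providers.txt"
    echo "placeholder policy" > "$d/additional-java-policy.txt"
    check_provider_dir "$d" && echo "provider directory OK"
    echo "providerJarPath: $(provider_jar_path "$d" /opt/nifi/fips-providers)"
    jar_digests "$d"
    rm -rf "$d"
}

demo
```

Run check_provider_dir and provider_jar_path against the staging directory before `docker build` or before copying files onto the RWX volume, and keep the jar_digests output with the Dockerfile or the deployment YAML; `sha256sum -c` against that list inside the built image, or against the mounted volume, confirms the deployed providers are the ones that were reviewed.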