Configuring NiFi Web UI connection

Learn about configuring a connection to the NiFi web UI.

You can configure a connection to the NiFi Web UI using the spec.uiConnection field. It is a standard connection field with special validation and handling. The name of this connection is always ignored and set to [***CR NAME***]-web. For Ingress type connections, a maximum of one path may be specified. When you configure a uiConnection, the spec.hostname field is required.

The uiConnection supports hostname routing with and without an additional context path. Using a context path for routing is possible but not recommended, because NiFi does not support it well. For more information, see NiFi documentation on proxy configuration. An example using ingress-nginx is included in this section.

Hostname-only ingress example

Learn about configuring an Ingress resource using TLS files generated by Cloudera Flow Management - Kubernetes Operator.

This YAML snippet configures an Ingress resource for accessing the NiFi Web UI. It uses the TLS files generated by a Certificate that Cloudera Flow Management - Kubernetes Operator creates, as defined in spec.security.ingressCertGen. The supplied annotations are for the ingress-nginx Ingress controller. The affinity settings enable a persistent session so that UI interactions go to the same NiFi node in the cluster. The backend-protocol setting is required when NiFi is configured to be secure, because NiFi then rejects any non-HTTPS connection attempt.

spec:
  uiConnection:
    type: Ingress
    ingressConfig:
      ingressClassName: myIngressClass
      ingressTLS:
      - hosts:
        - nifi.localhost
        secretName: mynifi-ingress-cert
    annotations:
      nginx.ingress.kubernetes.io/affinity: cookie
      nginx.ingress.kubernetes.io/affinity-mode: persistent
      nginx.ingress.kubernetes.io/backend-protocol: HTTPS

Hostname-only route example

Learn about configuring a Route resource to access the NiFi web UI.

This YAML snippet configures a Route resource for accessing the NiFi web UI.

spec:
  uiConnection:
    type: Route
    routeConfig:
      tls:
        termination: passthrough

Ingress with context path example

Learn about configuring an Ingress resource that rewrites the connection path in incoming requests and does a reverse-rewrite on UI calls going to the backend.

This YAML code snippet configures an ingress UI Connection with a path. The annotations here are for the ingress-nginx ingress controller and all are required for NiFi to correctly understand the incoming requests.

In the example, the path includes some regex at the end: (/|$)(.*). This regex informs the rewrite directives in the configuration-snippet and rewrite-target annotations. NiFi does not handle proxy paths well: it does not understand that https://nifi.localhost/some/path/to/nifi coming through the defined Ingress is intended to call the /nifi API to load the UI. The rewrite-target annotation addresses this by capturing the /nifi and anything that comes after it and sending that as the path to the NiFi pod. It translates /some/path/to/nifi/ to /nifi/. Similarly, the NiFi web UI does not correctly form API calls going to the backend, attempting to call /nifi/ instead of /some/path/to/nifi/. This is addressed by the configuration-snippet rewrite instruction. It does the reverse of the rewrite-target, reapplying the removed context path /some/path/to. The remaining configuration-snippet lines are headers required by NiFi when it runs behind a proxy. For more information, see the NiFi System Administrator’s Guide.

spec:
  uiConnection:
    type: Ingress
    ingressConfig:
      ingressClassName: myIngressClass
      ingressTLS:
      - hosts:
        - nifi.localhost
        secretName: mynifi-ingress-cert
      paths:
      - port: 8443
        path: "/some/path/to(/|$)(.*)"
    annotations:
      nginx.ingress.kubernetes.io/affinity: cookie
      nginx.ingress.kubernetes.io/affinity-mode: persistent
      nginx.ingress.kubernetes.io/backend-protocol: HTTPS
      nginx.ingress.kubernetes.io/configuration-snippet: |-
        proxy_set_header X-ProxyScheme $scheme;
        proxy_set_header X-ProxyHost $host;
        proxy_set_header X-ProxyPort $server_port;
        proxy_set_header X-ProxyContextPath /some/path/to;
        rewrite (.*\/nifi)$ $1/ redirect;
        proxy_ssl_name mynifi.default.svc.cluster.local;
      nginx.ingress.kubernetes.io/rewrite-target: /$2
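
The rules stated on this page, checked against the context-path example before it is applied. This is an added example, not part of the Cloudera documentation or the operator's code. The helpers lint and backend_path are hypothetical, the regex matching only approximates how ingress-nginx applies rewrite-target, and the HTTPS check assumes NiFi is configured to be secure.

```python
import re

# Constructed sample mirroring the page's context-path example (values from the page).
SPEC = {
    "hostname": "nifi.localhost",
    "uiConnection": {
        "type": "Ingress",
        "ingressConfig": {"paths": [{"port": 8443, "path": "/some/path/to(/|$)(.*)"}]},
        "annotations": {
            "nginx.ingress.kubernetes.io/backend-protocol": "HTTPS",
            "nginx.ingress.kubernetes.io/rewrite-target": "/$2",
            "nginx.ingress.kubernetes.io/configuration-snippet":
                "proxy_set_header X-ProxyContextPath /some/path/to;\n",
        },
    },
}
PREFIX = "nginx.ingress.kubernetes.io/"

def backend_path(path_regex, target, request_path):
    """Approximate the rewrite: match the Ingress path regex, substitute $N groups."""
    m = re.match(path_regex, request_path, re.IGNORECASE)
    if m is None:
        return None  # request does not route through this Ingress path
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) or "", target)

def lint(spec):
    """Return the page's rules that this spec violates (hypothetical helper)."""
    ui, problems = spec.get("uiConnection", {}), []
    ann = ui.get("annotations", {})
    paths = ui.get("ingressConfig", {}).get("paths", [])
    is_ingress = ui.get("type") == "Ingress"
    if not spec.get("hostname"):
        problems.append("spec.hostname is required when uiConnection is set")
    if is_ingress and len(paths) > 1:
        problems.append("Ingress uiConnection allows at most one path")
    if is_ingress and ann.get(PREFIX + "backend-protocol") != "HTTPS":
        problems.append("backend-protocol is not HTTPS; secure NiFi rejects non-HTTPS")
    if is_ingress and paths:
        context = paths[0]["path"].split("(", 1)[0]  # literal prefix before the regex
        snippet = ann.get(PREFIX + "configuration-snippet", "")
        hdr = re.search(r"X-ProxyContextPath\s+(\S+);", snippet)
        if hdr is None or hdr.group(1) != context:
            problems.append("X-ProxyContextPath does not match path prefix " + context)
        target = ann.get(PREFIX + "rewrite-target", "")
        if backend_path(paths[0]["path"], target, context + "/nifi/") != "/nifi/":
            problems.append("rewrite-target does not map %s/nifi/ to /nifi/" % context)
    return problems
```

A request for /some/path/tox returns None from backend_path, which shows why the path ends the context prefix with (/|$) rather than matching any string that merely starts with /some/path/to.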