Configuring NiFi Web UI connection
Learn about configuring a connection to the NiFi web UI.
You can configure a connection to the NiFi Web UI using the
spec.uiConnection field. It is a standard connection
field with special validation and handling. The name of this connection is always ignored and set
to [***CR NAME***]-web. For Ingress type connections, a maximum of one path
may be specified. When you configure a uiConnection, the
spec.hostname
field is required.
The uiConnection can support hostname routing with and without an additional context path. It is not recommended to use a context path for routing as NiFi does not support it well, but it is possible. For more information, see NiFi documentation on proxy configuration. An example using ingress-nginx is included in this section.
Hostname-only ingress example
Learn about configuring an Ingress resource using TLS files generated by Cloudera Flow Management - Kubernetes Operator.
This YAML snippet configures an Ingress resource for accessing the NiFi Web UI. It uses the TLS
files generated by a Cloudera Flow Management - Kubernetes Operator created Certificate as defined in
spec.security.ingressCertGen
. The supplied annotations are for the
ingress-nginx Ingress controller. The affinity settings enable a persistent session so that UI
interactions go to the same NiFi node in the cluster. The backend-protocol setting is needed
for when NiFi is configured to be secure, as it will reject any non-HTTPS connection
attempts.
spec:
uiConnection:
type: Ingress
ingressConfig:
ingressClassName: myIngressClass
ingressTLS:
- hosts:
- nifi.localhost
secretName: mynifi-ingress-cert
annotations:
nginx.ingress.kubernetes.io/affinity: cookie
nginx.ingress.kubernetes.io/affinity-mode: persistent
nginx.ingress.kubernetes.io/backend-protocol: HTTPS
Hostname-only route example
Learn about configuring a Route resource to acces the NiFi web UI.
This YAML snippet configures a Route
resource for accessing the NiFi
web UI.
spec:
uiConnection:
type: Route
routeConfig:
tls:
termination: passthrough
Ingress with context path example
Learn about configuring an Ingress resource that rewrites the connection path in incoming requests and does a reverse-rewrite on UI calls going to the backend.
This YAML code snippet configures an ingress UI Connection with a path. The annotations here are for the ingress-nginx ingress controller and all are required for NiFi to correctly understand the incoming requests.
In the example the path includes some regex at the end: (/|$)(.*)
. This regex
informs the rewrite directives in the configuration-snippet and rewrite-target annotations.
NiFi does not handle proxy paths well, it does not understand that
https://nifi.localhost/some/path/to/nifi
coming through the defined Ingress
is intended to call the /nifi
API to load the UI. The rewrite-target
annotation addresses this by capturing the /nifi and anything that comes
after and sends that as the path to the NiFi pod. It translates
/some/path/to/nifi/
to /nifi/
. Similarly, the NiFi web UI
does not correctly form API calls going to the backend, attempting to call
/nifi/
instead of /some/path/to/nifi/
. This is addressed
by the configuration-snippet rewrite instruction. It does the reverse of the rewrite-target,
reapplying the removed context path /some/path/to
. The remaining
configuration-snippet lines are headers required by a NiFi behind a proxy. For more
information, see the NiFi System Administrator’s Guide.
spec:
uiConnection:
type: Ingress
ingressConfig:
ingressClassName: myIngressClass
ingressTLS:
- hosts:
- nifi.localhost
secretName: mynifi-ingress-cert
paths:
- port: 8443
path: "/some/path/to(/|$)(.*)"
annotations:
nginx.ingress.kubernetes.io/affinity: cookie
nginx.ingress.kubernetes.io/affinity-mode: persistent
nginx.ingress.kubernetes.io/backend-protocol: HTTPS
nginx.ingress.kubernetes.io/configuration-snippet: |-
proxy_set_header X-ProxyScheme $scheme;
proxy_set_header X-ProxyHost $host;
proxy_set_header X-ProxyPort $server_port;
proxy_set_header X-ProxyContextPath /some/path/to;
rewrite (.*\/nifi)$ $1/ redirect;
proxy_ssl_name mynifi.default.svc.cluster.local;
nginx.ingress.kubernetes.io/rewrite-target: /$2