# Security — NiFi
The tdp-nifi chart supports LDAP authentication and HTTPS with certificates managed by cert-manager. Configuration is done under the nifiCluster key in values.yaml.
By default, NiFi is deployed without LDAP or HTTPS enabled. Activating either feature requires explicit configuration of the blocks below.
## Activating LDAP and HTTPS
The nifiCluster.security block controls the access protocol (http or https), the port, and LDAP integration in a unified way:
```yaml
nifiCluster:
  security:
    enabled: true
    protocol: "https"
    port: 8443
    ldap:
      enabled: true
      url: "ldap://<ldap-host>:389"
      managerDn: "uid=<bind-user>,cn=users,cn=accounts,dc=company,dc=com"
      managerPassword: "<bind-password>"
```
| Field | Description |
|---|---|
| security.enabled | Enables secure mode in NiFi |
| security.protocol | https for TLS; http for unencrypted access |
| security.port | Listening port — 8443 with HTTPS, 8080 with HTTP |
| security.ldap.enabled | Enables LDAP authentication |
| security.ldap.url | LDAP server address |
| security.ldap.managerDn | Bind user DN (read-only access to the directory) |
| security.ldap.managerPassword | Bind password — do not commit it to a public repository |
Do not store managerPassword in a Git repository. Use a private values file (outside version control) or a Secrets management mechanism to inject this credential at deploy time.
## LDAP — detailed configuration
LDAP authentication delegates login to the corporate directory (LDAP or Active Directory). The configuration block is under nifiCluster.ldapConfiguration:
```yaml
nifiCluster:
  ldapConfiguration:
    enabled: true
    url: "ldap://<ldap-host>:389"
    searchBase: "cn=users,cn=accounts,dc=company,dc=com"
    searchFilter: "(&(uid={0})(objectClass=person))"
    authenticationStrategy: "SIMPLE"
    managerDn: "uid=<bind-user>,cn=users,cn=accounts,dc=company,dc=com"
    managerPassword: "<bind-password>"
    referralStrategy: "FOLLOW"
    identityStrategy: "USE_USERNAME"
```
| Field | Description |
|---|---|
| url | LDAP server address |
| searchBase | Base DN under which users are located |
| searchFilter | Search filter — `{0}` is replaced by the username entered at login |
| authenticationStrategy | Bind type: SIMPLE for direct authentication |
| managerDn | Bind user DN (read-only access to the directory) |
| managerPassword | Bind user password — do not version it in a public repository |
| identityStrategy | USE_USERNAME uses the login name as the NiFi identity |
Additionally, include the provider in the NiFi properties block:
```yaml
nifiCluster:
  readOnlyConfig:
    nifiProperties:
      overrideConfigs: |
        nifi.sensitive.props.key=<sensitive-key>
        nifi.security.user.login.identity.provider=ldap-provider
```
## Initial identities
After enabling LDAP, you must define the initial user and admin in authorizersXML. The value must be a valid identity returned by your LDAP provider:
```yaml
nifiCluster:
  authorizersSecret:
    authorizersXML: |
      <property name="Initial User Identity 1"><ldap-identity></property>
      <property name="Initial Admin Identity"><ldap-identity></property>
```
Replace `<ldap-identity>` with the exact identity LDAP returns for the user (typically the uid or the user DN, depending on identityStrategy).
## Disabling LDAP
To revert to HTTP access without LDAP authentication:
```yaml
nifiCluster:
  security:
    enabled: false
    protocol: "http"
    port: 8080
    ldap:
      enabled: false
```
## Ingress with HTTPS
When NiFi operates in HTTPS mode (nifiCluster.security.protocol: "https"), the Ingress Controller needs the backend-protocol annotation to proxy correctly. Configure the annotation in the NiFi Ingress block:
```yaml
nifiCluster:
  ingress:
    annotations:
      nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    rules:
      paths:
        backend:
          service:
            port:
              number: 8443   # must match nifiCluster.security.port
```
To revert to HTTP, adjust the annotation and port:
```yaml
nifiCluster:
  ingress:
    annotations:
      nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
    rules:
      paths:
        backend:
          service:
            port:
              number: 8080   # must match nifiCluster.security.port
```
These annotations are specific to the NGINX Ingress Controller. If you use a different controller, consult its documentation for the equivalent backend TLS configuration.
## HTTPS with cert-manager
NiFi can be configured to operate over HTTPS using certificates automatically issued by cert-manager. The NiFiKop operator webhook also requires cert-manager when nifikop.webhook.enabled: true.
```yaml
nifiCluster:
  https:
    enabled: true
    host: nifi.company.com
  sslSecrets:
    create: true
    pkiBackend: cert-manager
    issuerRef:
      name: selfsigned-issuer
      kind: Issuer
```
| Field | Description |
|---|---|
| https.enabled | Enables HTTPS on the NiFi cluster |
| https.host | Hostname to be used in the certificate |
| sslSecrets.create | Automatically creates the TLS Secret |
| sslSecrets.pkiBackend | cert-manager delegates certificate issuance to cert-manager |
| issuerRef.name | Name of the Issuer or ClusterIssuer configured in the cluster |
### Prerequisite: cert-manager
cert-manager must be installed in the cluster before deploying NiFi with HTTPS or with the webhook enabled:
```bash
kubectl create namespace cert-manager
# Install the CRDs first; take the CRD manifest from the same cert-manager release as the chart you install below.
kubectl apply --validate=false -f \
  https://github.com/jetstack/cert-manager/releases/download/v1.7.2/cert-manager.crds.yaml
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install cert-manager \
  --namespace cert-manager \
  --version v1.17.2 jetstack/cert-manager
```
## Best practices
| Aspect | Recommendation |
|---|---|
| Development environment | LDAP disabled, access via port-forward |
| Shared / production environment | LDAP with ldaps:// (port 636) and HTTPS enabled |
| Credentials | Never version managerPassword in public values |
| Certificates | Prefer cert-manager with ClusterIssuer in production |
## Troubleshooting
| Problem | Probable cause | Solution |
|---|---|---|
| NiFi pod does not start with HTTPS | cert-manager missing or Issuer not found | Check cert-manager installation and Issuer name |
| LDAP login fails | Incorrect bind DN or password | Test bind with ldapsearch before configuring |
| Invalid certificate in browser | Using selfsigned-issuer | Expected in development; use a valid CA in production |
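Most rows in the table above come from values that disagree with each other (port vs. protocol, annotation vs. protocol, a placeholder left in authorizersXML, a missing Issuer). The following pre-deploy lint, an added example and not part of the tdp-nifi chart, checks the blocks from this page against each other; it works on an already-parsed values dict (`yaml.safe_load` on a real values.yaml), and the sample values, hostnames and identities embedded in it are constructed.

```python
def _get(node, path, default=None):  # walk a dotted key path; a missing key returns default
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node

def lint_nifi_security(values):
    """Return findings for the nifiCluster security values; an empty list means consistent."""
    nc, findings = values.get("nifiCluster", {}), []
    protocol = _get(nc, "security.protocol", "http")
    port, expected = _get(nc, "security.port"), 8443 if protocol == "https" else 8080
    if port != expected:
        findings.append(f"security.port={port} but protocol {protocol} expects {expected}")
    backend = (_get(nc, "ingress.annotations") or {}).get("nginx.ingress.kubernetes.io/backend-protocol")
    if backend is not None and backend != protocol.upper():
        findings.append(f"ingress backend-protocol={backend} does not match security.protocol={protocol}")
    if _get(nc, "security.ldap.enabled", False):
        url = _get(nc, "security.ldap.url", "")
        if not url.startswith(("ldap://", "ldaps://")):
            findings.append(f"ldap.url={url!r} is not an ldap:// or ldaps:// URL")
        elif url.startswith("ldap://"):
            findings.append("ldap.url is plaintext ldap://; use ldaps:// (port 636) outside development")
        pw = _get(nc, "security.ldap.managerPassword", "")
        if pw and not (pw.startswith("<") and pw.endswith(">")):  # "<...>" marks a placeholder
            findings.append("managerPassword is a literal in values; inject it at deploy time instead")
        props = _get(nc, "readOnlyConfig.nifiProperties.overrideConfigs", "")
        if "nifi.security.user.login.identity.provider=ldap-provider" not in props:
            findings.append("overrideConfigs does not select ldap-provider as the login identity provider")
        if "<ldap-identity>" in _get(nc, "authorizersSecret.authorizersXML", ""):
            findings.append("authorizersXML still contains the <ldap-identity> placeholder")
    if _get(nc, "https.enabled", False) and _get(nc, "sslSecrets.pkiBackend") == "cert-manager":
        if not (_get(nc, "sslSecrets.issuerRef.name") or _get(nc, "issuerRef.name")):
            findings.append("an issuerRef.name is required when pkiBackend is cert-manager")
    return findings

SAMPLE_VALUES = {"nifiCluster": {  # constructed sample mirroring the HTTPS + LDAP blocks above
    "security": {"enabled": True, "protocol": "https", "port": 8443,
                 "ldap": {"enabled": True, "url": "ldaps://ldap.example.test:636",
                          "managerDn": "uid=svc-nifi,cn=users,cn=accounts,dc=company,dc=com",
                          "managerPassword": "<bind-password>"}},
    "ingress": {"annotations": {"nginx.ingress.kubernetes.io/backend-protocol": "HTTPS"}},
    "readOnlyConfig": {"nifiProperties": {"overrideConfigs":
        "nifi.sensitive.props.key=<sensitive-key>\nnifi.security.user.login.identity.provider=ldap-provider\n"}},
    "authorizersSecret": {"authorizersXML": '<property name="Initial Admin Identity">jdoe</property>'},
    "https": {"enabled": True, "host": "nifi.company.com"},
    "sslSecrets": {"create": True, "pkiBackend": "cert-manager",
                   "issuerRef": {"name": "selfsigned-issuer", "kind": "Issuer"}}}}

if __name__ == "__main__":  # on a real file: lint_nifi_security(yaml.safe_load(open("values.yaml")))
    print("\n".join(lint_nifi_security(SAMPLE_VALUES)) or "OK: values are consistent")
```

The lint reads the ldap block under nifiCluster.security; if you only use nifiCluster.ldapConfiguration, point the three `security.ldap.*` lookups at that key instead.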
For the full list of parameters, run `helm show values` against the version of the chart you installed.