KubernetesSecretParameterProvider 2.0.0

Bundle
org.apache.nifi | nifi-standard-nar
Description
Fetches parameters from files, in the format provided by Kubernetes mounted secrets. Parameter groups are indicated by a set of directories, and files within the directories map to parameter names. The content of the file becomes the parameter value. Since Kubernetes mounted Secrets are base64-encoded, the parameter provider defaults to Base64-decoding the value of the parameter from the file.
Tags
file
Input Requirement
Supports Sensitive Dynamic Properties
false
  • Additional Details for KubernetesSecretParameterProvider 2.0.0

    KubernetesSecretParameterProvider

    Deriving Parameters from mounted Kubernetes Secret files

    The KubernetesSecretParameterProvider maps a directory to a parameter group named after the directory, and the files within the directory to parameters. Each file’s name is mapped to a parameter, and the content of the file becomes the value. Hidden files and nested directories are ignored.

    While this provider can be useful in a range of cases since it simply reads parameter values from local files, it particularly matches the mounted volume secret structure in Kubernetes. A full discussion of Kubernetes secrets is beyond the scope of this document, but a brief overview can illustrate how these secrets can be mapped to parameter groups.

    Kubernetes Mounted Secrets Example

    Assume a secret is configured as follows:

    data:
      admin_username: my-username (base64-encoded)
      admin_password: my-password (base64-encoded)
      access_key: my-key (base64-encoded)
    

    Assume a deployment has the following configuration:

    spec:
      volumes:
      - name: system-credentials
        secret:
          items:
            - key: admin_username
              path: sys.admin.username
            - key: admin_password
              path: sys.admin.password
            - key: access_key
              path: sys.access.key
          secretName: system-creds
      containers:
      - volumeMounts:
          - mountPath: /etc/secrets/system-credentials
            name: system-credentials
            readOnly: true
    

    Then, this secret will appear on disk as follows:

    $ ls /etc/secrets/system-credentials
    sys.access.key sys.admin.password sys.admin.username
    

    Therefore, to map this secret to a parameter group that will populate a Parameter Context named ‘system-credentials’, you should simply provide the following configuration to the KubernetesSecretParameterProvider:

    • Parameter Group Directories - /etc/secrets/system-credentials

    The ‘system-credentials’ parameter context will then contain the following parameters:

    • sys.access.key - my-key
    • sys.admin.username - my-username
    • sys.admin.password - my-password
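The mapping described above can be previewed outside NiFi before pointing the provider at a directory. The following is an added illustration, not NiFi's own code: the names `derive_parameters`, `build_sample_mount` and the `decode_base64` flag are hypothetical, the sample mount is constructed, and raising an error on invalid Base64 is an assumption of this sketch.

```python
import base64
import binascii
import tempfile
from pathlib import Path


def derive_parameters(group_dir, decode_base64=True):
    """Map one directory to (group name, {parameter name: value})."""
    group = Path(group_dir)
    params = {}
    for entry in sorted(group.iterdir()):
        # Hidden entries (such as the "..data" link Kubernetes places in a
        # secret volume) and nested directories are ignored.
        if entry.name.startswith(".") or not entry.is_file():
            continue
        raw = entry.read_bytes()
        if decode_base64:
            try:
                raw = base64.b64decode(raw.strip(), validate=True)
            except binascii.Error as exc:
                # Assumption of this sketch: reject rather than pass it on.
                raise ValueError(f"{entry.name}: not valid Base64") from exc
        params[entry.name] = raw.decode("utf-8")
    return group.name, params


def build_sample_mount(root):
    """Constructed sample data laid out like the example mount above."""
    group = Path(root) / "system-credentials"
    (group / "..data").mkdir(parents=True)  # hidden entry: skipped
    (group / "nested").mkdir()              # nested directory: skipped
    (group / "nested" / "ignored").write_text("bm9wZQ==")
    (group / ".hidden").write_text("bm9wZQ==")  # hidden file: skipped
    for name, value in {
        "sys.admin.username": "my-username",
        "sys.admin.password": "my-password",
        "sys.access.key": "my-key",
    }.items():
        (group / name).write_bytes(base64.b64encode(value.encode()))
    return group


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        name, params = derive_parameters(build_sample_mount(tmp))
        # Print names only, so secret values never reach a terminal or log.
        print(name, sorted(params))
```
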
Properties
Restrictions
Required Permission | Explanation
read filesystem | Provides operator the ability to read from any file that NiFi has access to.