Skip to main content
Version: v1.0.0

Istio service mesh

The purpose of this section is to explain how to expose your NiFi cluster using Istio on Kubernetes.

Istio configuration for HTTP

To access to the NiFi cluster from the external world, it is needed to configure a Gateway and a VirtualService on Istio.

The following example show how to define a Gateway that will be able to intercept all requests for a specific domain host on HTTP port 80.

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: nifi-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - nifi.my-domain.com

In combination, we need to define also a VirtualService that redirect all requests itercepted by the Gateway to a specific service.

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: nifi-vs
spec:
  gateways:
  - nifi-gateway
  hosts:
  - nifi.my-domain.com
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: nifi
        port:
          number: 8080

Istio configuration for HTTPS

In case you are deploying a cluster and you want to enable the HTTPS protocol to manage user authentication, the configuration is more complex. To understand the reason of this, it is important to explain that in this scenario the HTTPS protocol with all certificates is managed directly by NiFi. This means that all requests passes through all Istio services in an encrypted way, so Istio can't manage a sticky session. To solve this issue, the tricky is to limit the HTTPS session till the Gateway, then decrypt all requests in HTTP, manage the sticky session and then encrypt again in HTTPS before reach the NiFi node. Istio allows to do this using a destination rule combined with the VirtualService. In the next example, we define a Gateway that accepts HTTPS traffic and transform it in HTTP.

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: nifi-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: my-secret
    hosts:
    - nifi.my-domain.com

In combination, we need to define also a VirtualService that redirect all HTTP traffic to a specific the ClusterIP Service.

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: nifi-vs
spec:
  gateways:
  - nifi-gateway
  hosts:
  - nifi.my-domain.com
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: <service-name>.<namespace>.svc.cluster.local
        port:
          number: 8443

Please note that the service name configured as destination of the VirtualService is the name of the Service created with the following section in the cluster Deployment YAML

spec:  
  externalServices:  
    - name: "nifi-cluster"
      spec:
        type: ClusterIP
        portConfigs:
          - port: 8443
            internalListenerName: "https"

Finally the destination rule that redirect all HTTP traffic destinated to the ClusterIP Service to HTTPS encrypting it.

apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: nifi-dr
spec:
  host: <service-name>.<namespace>.svc.cluster.local
  trafficPolicy:
    tls:
      mode: SIMPLE
    loadBalancer:
      consistentHash:
        httpCookie:
          name: __Secure-Authorization-Bearer
          ttl: 0s

As you can see in the previous example, the destination rule also define how manage the sticky session based on httpCookie property called __Secure-Authorization-Bearer.