Hi Isha, Thanks for the helpful reply. I agree that the TLS Toolkit is most convenient for development and lab deployments, and that's where we should be able to provide some documentation for alternatives. The existing Secure Cluster Walkthrough is a helpful reference for TLS Toolkit usage, so if we updated that to provide similar guidance using other tools, that would be useful.
Getting everything right with TLS can be challenging, but when it comes to project maintenance, it seems better to focus on core capabilities and not maintain the TLS Toolkit if the primary use case is for non-production deployments. The encrypt-config command is a different question, but a very good question. It includes functionality that is very specific to NiFi, and it is also in need of refactoring. The threat model for containerized deployments may be somewhat different than running directly on physical hardware. With the need to support various approaches, however, some type of configuration encryption remains a relevant concern. Regards, David Handermann On Wed, Sep 13, 2023 at 10:19 AM Isha Lamboo <[email protected]> wrote: > > Hi David, > > My primary use for the TLS toolkit is for lab deployments, mostly during > in-house trainings. I will miss the convenience of having a full set of > keystores and truststores ready to go with a single command, but then again, > a few commands in a script should replicate this well enough, without the > need for maintaining the toolkit. > > I see no obstacles to adopting NiFi 2.0 if the TLS toolkit is phased out, > from the perspective of the deployments I manage. > > On a side note: How relevant is the encrypt config part of the toolkit still > in a mostly containerized world? > > Regards, > > Isha > > -----Oorspronkelijk bericht----- > Van: David Handermann <[email protected]> > Verzonden: woensdag 13 september 2023 15:16 > Aan: [email protected] > Onderwerp: [DISCUSS] Deprecate TLS Toolkit for Removal? > > Team, > > The TLS Toolkit provides a number of useful features for securing NiFi server > communication, but it also presents several maintenance concerns. In light of > other available tools, I am raising the question of removing the TLS Toolkit > from the repository as part of NiFi 2.0 technical debt reduction. > > With the addition of automatic self-signed certificate generation in NiFi > 1.14.0, the TLS Toolkit is much less relevant to standalone or development > deployments. The validity period of the automatic certificate is limited, but > it provides a method of getting started without any need for the TLS Toolkit. > > On the other end of the spectrum, orchestrated deployments of Kubernetes can > take advantage of cert-manager [1] for declarative and configurable > certificate generation and distribution. > > Cluster deployments on physical hardware or virtual machines may have > organization-specific Certificate Authorities, which require certificate > request processing external to NiFi itself. For this scenario, documenting > several standard OpenSSL commands may help to describe converting between PEM > and PKCS12 files for common use cases. > > Back to standalone deployments, Let's Encrypt provides automated certificate > provisioning with many tools for managing updates. For a self-signed > solution, the mkcert [2] tool is a popular and simple option that works > across modern operating systems. > > With these alternatives, the use cases for TLS Toolkit seem limited. > The Toolkit code is not well-structured, and includes several modes that > involve custom configuration files with a Jetty web server. There are a > number of long-standing unresolved Jira issues [3] related to the TLS Toolkit. > > Removing the TLS Toolkit for NiFi 2.0 would encourage the use of more robust > alternatives and keep the project focused on core capabilities. > > Thoughts? > > Regards, > David Handermann > > [1] https://cert-manager.io/ > [2] https://github.com/FiloSottile/mkcert > [3] > https://issues.apache.org/jira/issues/?jql=project%20%3D%20NIFI%20AND%20resolution%20%3D%20Unresolved%20AND%20text%20~%20%22TLS%20Toolkit%22
