Hashicorp vault provider for SSLContextServices

2022-07-12 Thread Cannon Palms
We need to serve up dynamic certificates to NiFi at runtime to enable
connection to remote hosts via certificate-based TLS.

My understanding is that the existing implementations of SSLContextService
all require that the keystore/truststore be accessible through the
filesystem.

What might an implementation based on third-party providers (namely vault)
look like? Can someone point me to any resources that might guide this
implementation?

Thanks,
Cannon


Re: Hashicorp vault provider for SSLContextServices

2022-07-12 Thread David Handermann
Hi Cannon,

Understanding the SSLContextService [1] interface and the
StandardSSLContextService [2] implementation would be a good starting point
for considering a custom implementation.

The most important interface method is createContext(), which returns an
instance of javax.net.ssl.SSLContext [3] based on configured properties.

The SSLContextService has other methods for returning configured values,
but most components use the createContext() method.

Certain components may use the createTlsConfiguration() method, or other
methods to retrieve specific values. Those other methods could be
problematic to implement when attempting to develop a service that is not
based on files. Throwing an UnsupportedOperationException may be one
option, which would result in runtime errors for components that do not use
the standard createContext() method.

Interacting with HashiCorp Vault involves its own set of configuration
options depending on how it is deployed, but understanding the file-based
approach in the StandardSSLContextService should provide a helpful
background.

Regards,
David Handermann

[1] https://github.com/apache/nifi/blob/main/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-service-api/src/main/java/org/apache/nifi/ssl/SSLContextService.java
[2] https://github.com/apache/nifi/blob/main/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/main/java/org/apache/nifi/ssl/StandardSSLContextService.java
[3] https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/SSLContext.html

On Tue, Jul 12, 2022 at 2:13 PM Cannon Palms wrote:

> We need to serve up dynamic certificates to NiFi at runtime to enable
> connection to remote hosts via certificate-based TLS.
>
> My understanding is that the existing implementations of SSLContextService
> all require that the keystore/truststore be accessible through the
> filesystem.
>
> What might an implementation based on third-party providers (namely vault)
> look like? Can someone point me to any resources that might guide this
> implementation?
>
> Thanks,
> Cannon
>
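As an added illustration of the non-file-based approach David describes (this is not code from NiFi or from either poster): a hypothetical helper that builds the javax.net.ssl.SSLContext a custom createContext() would return, starting from PEM strings already fetched from Vault. It assumes the private key arrives as unencrypted PKCS#8 PEM and leaves the Vault client call itself out of scope; a NiFi service wrapping it would throw UnsupportedOperationException from the file-oriented accessors, as the reply suggests.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
/** Hypothetical helper: builds an SSLContext from PEM strings already fetched from a secrets
 *  provider such as Vault, so no keystore or truststore ever touches the filesystem. */
public final class InMemorySslContextBuilder {
    /** Parse a PEM block holding one or more X.509 certificates (leaf chain or CA bundle). */
    static Certificate[] parseCertificates(String pem) throws Exception {
        ByteArrayInputStream in = new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII));
        return CertificateFactory.getInstance("X.509").generateCertificates(in).toArray(new Certificate[0]);
    }
    /** Parse an unencrypted PKCS#8 "PRIVATE KEY" block; algorithm is "RSA" or "EC" (PKCS#1 blocks are not handled). */
    static PrivateKey parsePrivateKey(String pem, String algorithm) throws Exception {
        String b64 = pem.replace("-----BEGIN PRIVATE KEY-----", "")
                        .replace("-----END PRIVATE KEY-----", "").replaceAll("\\s", "");
        return KeyFactory.getInstance(algorithm).generatePrivate(new PKCS8EncodedKeySpec(Base64.getDecoder().decode(b64)));
    }
    public static SSLContext createContext(String certChainPem, String keyPem, String keyAlgorithm,
                                           String caBundlePem) throws Exception {
        // The password only guards the in-memory entry; it is wiped once the key manager is initialised.
        char[] password = Long.toHexString(new SecureRandom().nextLong()).toCharArray();
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        keyStore.load(null, null);  // load(null) yields an empty store without reading any file
        keyStore.setKeyEntry("issued", parsePrivateKey(keyPem, keyAlgorithm), password, parseCertificates(certChainPem));
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, password);
        java.util.Arrays.fill(password, '\0');
        // Trust only the CA(s) handed to us, not the JVM default cacerts.
        KeyStore trustStore = KeyStore.getInstance("PKCS12");
        trustStore.load(null, null);
        Certificate[] cas = parseCertificates(caBundlePem);
        for (int i = 0; i < cas.length; i++) trustStore.setCertificateEntry("ca-" + i, cas[i]);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext context = SSLContext.getInstance("TLSv1.3");
        context.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());
        return context;
    }
}
```

Because the key material lives only in the JVM heap, re-fetching from Vault and calling createContext() again is how a short-lived certificate gets rotated; components that cache the SSLContext must be made to pick up the new one.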