Skip to content

NIFI-16078 - Fix StandardHashiCorpVaultClientService for non-token authentication#11396

Open
pvillard31 wants to merge 1 commit into
apache:mainfrom
pvillard31:NIFI-16078
Open

NIFI-16078 - Fix StandardHashiCorpVaultClientService for non-token authentication#11396
pvillard31 wants to merge 1 commit into
apache:mainfrom
pvillard31:NIFI-16078

Conversation

@pvillard31

Copy link
Copy Markdown
Contributor

Summary

NIFI-16078 - Fix StandardHashiCorpVaultClientService for non-token authentication

In NiFi 2.10.0, spring-vault-core was upgraded 4.0.1 → 4.1.0. Non-token auth methods now build their client via AbstractVaultConfiguration.vaultClient(), which looks up a clientHttpRequestFactoryWrapper bean; AWS EC2 / Azure MSI also go through restClient()getRestTemplateFactory(). Alsok, NiFi's getRestTemplateFactory() override was removed.

NiFi configures HashiCorpVaultConfiguration programmatically with an empty StaticApplicationContext, so these bean lookups fail. Token authentication is unaffected (it needs no Vault client).

With this change, HashiCorpVaultConfiguration.setClientHttpRequestFactory(...) registers the request factory as the clientHttpRequestFactoryWrapper bean. We also restore the getRestTemplateFactory() override built from that same factory. And StandardHashiCorpVaultCommunicationService passes its configured (SSL Context Service–aware) factory before clientAuthentication(), so the auth client uses the same TLS material.

Added new unit tests cover Kubernetes and AWS EC2 authentication; both reproduce the reported failure without the fix.

Tracking

Please complete the following tracking steps prior to pull request creation.

Issue Tracking

Pull Request Tracking

  • Pull Request title starts with Apache NiFi Jira issue number, such as NIFI-00000
  • Pull Request commit message starts with Apache NiFi Jira issue number, as such NIFI-00000
  • Pull request contains commits signed with a registered key indicating Verified status

Pull Request Formatting

  • Pull Request based on current revision of the main branch
  • Pull Request refers to a feature branch with one commit containing changes

Verification

Please indicate the verification steps performed prior to pull request creation.

Build

  • Build completed using ./mvnw clean install -P contrib-check
    • JDK 21
    • JDK 25

Licensing

  • New dependencies are compatible with the Apache License 2.0 according to the License Policy
  • New dependencies are documented in applicable LICENSE and NOTICE files

Documentation

  • Documentation formatting appears as expected in rendered files

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant