Commit

feat: have OAuth2 Proxy refresh the access token before it expires (#173)

Co-authored-by: Jake Heath <[email protected]>
steveherrin and jakeyheath authored Nov 19, 2024
1 parent cdbd064 commit 81188df
Showing 5 changed files with 17 additions and 3 deletions.
1 change: 1 addition & 0 deletions stack/README.md
Expand Up @@ -141,6 +141,7 @@ A Helm chart for deploying an Argus stack.
| `global.oidcProxy.annotations` | Annotations to add to the OIDC proxy | `{}` |
| `global.oidcProxy.volumeMounts` | Volume mounts for the OIDC proxy | `[]` |
| `global.oidcProxy.skipAuth` | Paths to skip authentication | `[]` |
| `global.oidcProxy.cookieRefresh` | Refresh tokens and cookies after this period | `59m` |
| `global.oidcProxy.extraArgs` | Extra arguments to pass to the OIDC proxy | `[]` |
| `global.oidcProxy.resources.limits.cpu` | CPU limit | `2` |
| `global.oidcProxy.resources.limits.memory` | Memory limit | `4Gi` |
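Review bot: The new `global.oidcProxy.cookieRefresh` row says "Refresh tokens and cookies after this period" but does not state the accepted value format or which proxy flag it feeds. Suggest extending the description to say it is passed to the proxy as `--cookie-refresh` and takes a duration string in the form the test uses (`1h23m45s`), so a reader does not try a bare number or a phrase like "59 minutes".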
1 change: 1 addition & 0 deletions stack/templates/oidc_proxy.yaml
Expand Up @@ -83,6 +83,7 @@ spec:
- --pass-authorization-header=true
- --reverse-proxy
- --skip-jwt-bearer-tokens
- --cookie-refresh={{ .Values.oidcProxy.cookieRefresh }}

{{- range $allOIDCProtectedServces }}
- --upstream={{ . }}
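Review bot: The added `--cookie-refresh={{ .Values.oidcProxy.cookieRefresh }}` arg is rendered unconditionally and with no fallback, so an override that sets the value to null or an empty string produces a bare `--cookie-refresh=` on the container command line. Suggest either wrapping the line in a `{{- if ... }}` guard or piping through `default "59m"` so the rendered arg is always well formed. Separately, the template reads `.Values.oidcProxy.cookieRefresh` while the README and values.yaml document the key as `global.oidcProxy.cookieRefresh`; a short comment on how the two paths relate would help the next reader.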
10 changes: 8 additions & 2 deletions stack/tests/oidc_test.yaml
@@ -1,4 +1,5 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json
# nudge
suite: oidc proxy deployment
templates:
- oidc_proxy.yaml
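Review bot: The `# nudge` comment added on the second line of the test suite explains nothing about the suite and reads like a leftover used to force a change in this file. Suggest dropping it before merge, or replacing it with a comment that says what it is for.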
Expand Down Expand Up @@ -101,6 +102,7 @@ tests:
global:
oidcProxy:
enabled: true
cookieRefresh: 1h23m45s
skipAuth:
- method: GET
path: "/v1/api/docs2"
Expand All @@ -127,7 +129,7 @@ tests:
- documentIndex: 0
lengthEqual:
path: spec.template.spec.containers[0].args
count: 17
count: 18
- documentIndex: 0
contains:
path: spec.template.spec.containers[0].args
Expand All @@ -140,6 +142,10 @@ tests:
contains:
path: spec.template.spec.containers[0].args
content: "--skip-auth-route=/v1/api/security/access_token"
- documentIndex: 0
contains:
path: spec.template.spec.containers[0].args
content: "--cookie-refresh=1h23m45s"
- it: overwrites the name
set:
global:
Expand Down Expand Up @@ -421,7 +427,7 @@ tests:
- documentIndex: 0
lengthEqual:
path: spec.template.spec.containers[0].args
count: 21
count: 22
- documentIndex: 0
contains:
path: spec.template.spec.containers[0].args
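Review bot: In this test case the only visible change is the `count: 21` to `count: 22` bump, with no assertion on the value of the new flag. If this case does not set `cookieRefresh`, it is the natural place to add a `contains` check for `--cookie-refresh=59m` so the chart default is covered as well as the `1h23m45s` override tested earlier. The hard-coded arg counts also have to be edited for every new flag; asserting on the specific args is less brittle.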
5 changes: 5 additions & 0 deletions stack/values.schema.json
Expand Up @@ -589,6 +589,11 @@
"default": [],
"items": {}
},
"cookieRefresh": {
"type": "string",
"description": "Refresh tokens and cookies after this period",
"default": "59m"
},
"extraArgs": {
"type": "array",
"description": "Extra arguments to pass to the OIDC proxy",
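Review bot: The new `cookieRefresh` property is constrained only by `"type": "string"`, so the schema accepts an empty string or any free text and the mistake surfaces only when the proxy container starts. Suggest adding a `pattern` (and `minLength`) that matches the duration form used in the test, `1h23m45s`, for example `"pattern": "^([0-9]+(h|m|s))+$"`, so that an invalid value is rejected at chart validation time.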
3 changes: 2 additions & 1 deletion stack/values.yaml
Expand Up @@ -318,7 +318,8 @@ global:
# skipAuth:
# - path: "/healthz"
# method: GET

## @param global.oidcProxy.cookieRefresh Refresh tokens and cookies after this period
cookieRefresh: "59m"
## @param global.oidcProxy.extraArgs Extra arguments to pass to the OIDC proxy
extraArgs: []
# extraArgs:
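Review bot: The `cookieRefresh: "59m"` default is a magic number whose rationale is not given in the `@param` comment above it. If it was chosen to fall just under a one-hour access token lifetime, say so in the comment and note that deployments whose identity provider issues shorter-lived tokens need a lower value, otherwise the refresh described in the commit title will happen after expiry. The hunk also removes the blank line that separated the commented `skipAuth` example from the next parameter; keeping it would match the spacing of the surrounding entries.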