From 81188df2c1c946ba7640b3d3f4ca510c8798bad1 Mon Sep 17 00:00:00 2001
From: Steve Herrin
Date: Tue, 19 Nov 2024 15:17:36 -0800
Subject: [PATCH] feat: have OAuth2 Proxy refresh the access token before it expires (#173)

Co-authored-by: Jake Heath <76011913+jakeyheath@users.noreply.github.com>
---
 stack/README.md | 1 +
 stack/templates/oidc_proxy.yaml | 1 +
 stack/tests/oidc_test.yaml | 10 ++++++++--
 stack/values.schema.json | 5 +++++
 stack/values.yaml | 3 ++-
 5 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/stack/README.md b/stack/README.md
index 9b3449d..bb16d42 100644
--- a/stack/README.md
+++ b/stack/README.md
@@ -141,6 +141,7 @@ A Helm chart for deploying an Argus stack.
 | `global.oidcProxy.annotations` | Annotations to add to the OIDC proxy | `{}` |
 | `global.oidcProxy.volumeMounts` | Volume mounts for the OIDC proxy | `[]` |
 | `global.oidcProxy.skipAuth` | Paths to skip authentication | `[]` |
+| `global.oidcProxy.cookieRefresh` | Refresh tokens and cookies after this period | `59m` |
 | `global.oidcProxy.extraArgs` | Extra arguments to pass to the OIDC proxy | `[]` |
 | `global.oidcProxy.resources.limits.cpu` | CPU limit | `2` |
 | `global.oidcProxy.resources.limits.memory` | Memory limit | `4Gi` |
diff --git a/stack/templates/oidc_proxy.yaml b/stack/templates/oidc_proxy.yaml
index 1774df2..a3f02bf 100644
--- a/stack/templates/oidc_proxy.yaml
+++ b/stack/templates/oidc_proxy.yaml
@@ -83,6 +83,7 @@ spec:
 - --pass-authorization-header=true
 - --reverse-proxy
 - --skip-jwt-bearer-tokens
+ - --cookie-refresh={{ .Values.oidcProxy.cookieRefresh }}
 {{- range $allOIDCProtectedServces }}
 - --upstream={{ . }}
diff --git a/stack/tests/oidc_test.yaml b/stack/tests/oidc_test.yaml
index b3a37aa..1370954 100644
--- a/stack/tests/oidc_test.yaml
+++ b/stack/tests/oidc_test.yaml
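Review bot: The added `--cookie-refresh` line hands oauth2-proxy a refresh period, but nothing in the template ties it to the two values it must stay below — the IdP's access-token lifetime and the proxy's cookie expiry — or to the fact that a refresh only succeeds when the provider issued a refresh token for that session. If the period is longer than the token lifetime (the `1h23m45s` the tests use would be, against an IdP issuing 1h tokens), the session presumably expires before the first refresh attempt and the user is bounced back through login, which is what this commit is trying to avoid. I'd say so next to the flag: `# cookie-refresh must be shorter than the IdP access-token lifetime and the cookie expiry; the IdP must issue a refresh token (offline_access or equivalent) for the refresh to work`. An empty value also renders as a bare `--cookie-refresh=` that is at best caught when oauth2-proxy parses its flags; `{{ required "global.oidcProxy.cookieRefresh must be a Go duration" .Values.oidcProxy.cookieRefresh }}` surfaces that at render time instead. The args list this line belongs to starts before the hunk and continues after it.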
@@ -1,4 +1,5 @@
 # yaml-language-server: $schema=https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json
+# nudge
 suite: oidc proxy deployment
 templates:
 - oidc_proxy.yaml
@@ -101,6 +102,7 @@ tests:
 global:
 oidcProxy:
 enabled: true
+ cookieRefresh: 1h23m45s
 skipAuth:
 - method: GET
 path: "/v1/api/docs2"
@@ -127,7 +129,7 @@ tests:
 - documentIndex: 0
 lengthEqual:
 path: spec.template.spec.containers[0].args
- count: 17
+ count: 18
 - documentIndex: 0
 contains:
 path: spec.template.spec.containers[0].args
@@ -140,6 +142,10 @@ tests:
 contains:
 path: spec.template.spec.containers[0].args
 content: "--skip-auth-route=/v1/api/security/access_token"
+ - documentIndex: 0
+ contains:
+ path: spec.template.spec.containers[0].args
+ content: "--cookie-refresh=1h23m45s"
 - it: overwrites the name
 set:
 global:
@@ -421,7 +427,7 @@ tests:
 - documentIndex: 0
 lengthEqual:
 path: spec.template.spec.containers[0].args
- count: 21
+ count: 22
 - documentIndex: 0
 contains:
 path: spec.template.spec.containers[0].args
diff --git a/stack/values.schema.json b/stack/values.schema.json
index 02b3c8d..319a2eb 100644
--- a/stack/values.schema.json
+++ b/stack/values.schema.json
@@ -589,6 +589,11 @@
 "default": [],
 "items": {}
 },
+ "cookieRefresh": {
+ "type": "string",
+ "description": "Refresh tokens and cookies after this period",
+ "default": "59m"
+ },
 "extraArgs": {
 "type": "array",
 "description": "Extra arguments to pass to the OIDC proxy",
diff --git a/stack/values.yaml b/stack/values.yaml
index 5274864..8e14e52 100644
--- a/stack/values.yaml
+++ b/stack/values.yaml
@@ -318,7 +318,8 @@ global:
 # skipAuth:
 # - path: "/healthz"
 # method: GET
-
+ ## @param global.oidcProxy.cookieRefresh Refresh tokens and cookies after this period
+ cookieRefresh: "59m"
 ## @param global.oidcProxy.extraArgs Extra arguments to pass to the OIDC proxy
 extraArgs: []
 # extraArgs:
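Review bot: The `+# nudge` comment added at the top of the test suite carries no information and reads like a leftover used to retrigger CI; a comment committed into a test file should say something about the file. I'd drop the line, or replace it with the intent, e.g. `# Renders oidc_proxy.yaml and checks the oauth2-proxy args, including --cookie-refresh`.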
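Review bot: The new `contains` assertion only covers the explicit `cookieRefresh: 1h23m45s` override; as far as these hunks show, nothing checks that the chart's `59m` default actually reaches the container, so a regression that loses the value (or renders a bare `--cookie-refresh=`) would pass as long as the arg count still matches. A `contains` case in a test that does not set the value, `content: "--cookie-refresh=59m"`, pins the default. The `count: 17` to `18` and `21` to `22` bumps in the neighbouring hunks are the brittle part of this suite; the `contains` checks are the ones that carry the intent.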
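Review bot: `cookieRefresh` is declared as a bare `string`, so a value such as `59`, `1 hour` or `""` passes schema validation and is only rejected when oauth2-proxy parses the flag it is fed into. Since the value goes straight into `--cookie-refresh`, constrain it to a Go duration here: `"pattern": "^([0-9]+(\\.[0-9]+)?(ns|us|µs|ms|s|m|h))+$"` and `"minLength": 1`. The description would also help operators if it said what the period is measured against, e.g. `"Refresh the session before this period elapses; must be shorter than the IdP access-token lifetime"`.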
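Review bot: The `59m` default bakes in an assumption about the IdP — presumably that it issues access tokens valid for one hour — that the `## @param` line does not state, so an operator whose IdP issues shorter-lived tokens gets no hint that the default is wrong for them. I'd extend the comment above the value: `## Must be shorter than the IdP access-token lifetime (59m assumes 1h tokens) and than the proxy's cookie expiry; the IdP must also issue a refresh token for the refresh to succeed.` The README row added in this commit repeats the same one-line description and would benefit from the same caveat.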