feat: Allow to configure CookieExpire timeframe (#1760)
* feat: Allow to configure CookieExpire timeframe Signed-off-by: Anatolii Bazko <abazko@redhat.com>pull/1761/head
parent
c06af030eb
commit
a75d1857cc
|
|
@ -541,6 +541,17 @@ type Gateway struct {
|
|||
// Configuration for kube-rbac-proxy within the Che gateway pod.
|
||||
// +optional
|
||||
KubeRbacProxy *KubeRbacProxy `json:"kubeRbacProxy,omitempty"`
|
||||
// Configuration for oauth-proxy within the Che gateway pod.
|
||||
// +optional
|
||||
OAuthProxy *OAuthProxy `json:"oAuthProxy,omitempty"`
|
||||
}
|
||||
|
||||
type OAuthProxy struct {
|
||||
// Expire timeframe for cookie. If set to 0, cookie becomes a session-cookie which will expire when the browser is closed.
|
||||
// +optional
|
||||
// +kubebuilder:default:=86400
|
||||
// +kubebuilder:validation:Minimum:=0
|
||||
CookieExpireSeconds *int32 `json:"cookieExpireSeconds,omitempty"`
|
||||
}
|
||||
|
||||
// Proxy server configuration.
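Review bot: The doc comment on `CookieExpireSeconds` names neither the unit nor the default, so the CRD description generated from it (see the accompanying YAML hunks) tells a user only "Expire timeframe for cookie" and leaves the unit to be read off the field name and the 24-hour default off the marker. Suggested wording: `// Expire timeframe for the oauth-proxy cookie, in seconds. Defaults to 86400 (24 hours). If set to 0, cookie becomes a session-cookie which will expire when the browser is closed.` Only a `Minimum` is validated; whether an upper bound on cookie lifetime is wanted is a policy decision the comment could record either way. The enclosing `Gateway` struct starts outside the hunk.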
|
||||
|
|
|
|||
|
|
@ -680,6 +680,11 @@ func (in *Gateway) DeepCopyInto(out *Gateway) {
|
|||
*out = new(KubeRbacProxy)
|
||||
(*in).DeepCopyInto(*out)
|
||||
}
|
||||
if in.OAuthProxy != nil {
|
||||
in, out := &in.OAuthProxy, &out.OAuthProxy
|
||||
*out = new(OAuthProxy)
|
||||
(*in).DeepCopyInto(*out)
|
||||
}
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Gateway.
|
||||
|
|
@ -778,6 +783,26 @@ func (in *KubeRbacProxy) DeepCopy() *KubeRbacProxy {
|
|||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *OAuthProxy) DeepCopyInto(out *OAuthProxy) {
|
||||
*out = *in
|
||||
if in.CookieExpireSeconds != nil {
|
||||
in, out := &in.CookieExpireSeconds, &out.CookieExpireSeconds
|
||||
*out = new(int32)
|
||||
**out = **in
|
||||
}
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OAuthProxy.
|
||||
func (in *OAuthProxy) DeepCopy() *OAuthProxy {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(OAuthProxy)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *PVC) DeepCopyInto(out *PVC) {
|
||||
*out = *in
|
||||
|
|
|
|||
|
|
@ -77,7 +77,7 @@ metadata:
|
|||
operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
|
||||
repository: https://github.com/eclipse-che/che-operator
|
||||
support: Eclipse Foundation
|
||||
name: eclipse-che.v7.75.0-809.next
|
||||
name: eclipse-che.v7.76.0-810.next
|
||||
namespace: placeholder
|
||||
spec:
|
||||
apiservicedefinitions: {}
|
||||
|
|
@ -1234,7 +1234,7 @@ spec:
|
|||
minKubeVersion: 1.19.0
|
||||
provider:
|
||||
name: Eclipse Foundation
|
||||
version: 7.75.0-809.next
|
||||
version: 7.76.0-810.next
|
||||
webhookdefinitions:
|
||||
- admissionReviewVersions:
|
||||
- v1
|
||||
|
|
|
|||
|
|
@ -8178,6 +8178,19 @@ spec:
|
|||
minimum: 0
|
||||
type: integer
|
||||
type: object
|
||||
oAuthProxy:
|
||||
description: Configuration for oauth-proxy within the
|
||||
Che gateway pod.
|
||||
properties:
|
||||
cookieExpireSeconds:
|
||||
default: 86400
|
||||
description: Expire timeframe for cookie. If set
|
||||
to 0, cookie becomes a session-cookie which will
|
||||
expire when the browser is closed.
|
||||
format: int32
|
||||
minimum: 0
|
||||
type: integer
|
||||
type: object
|
||||
traefik:
|
||||
description: Configuration for Traefik within the Che
|
||||
gateway pod.
|
||||
|
|
|
|||
|
|
@ -7961,6 +7961,19 @@ spec:
|
|||
minimum: 0
|
||||
type: integer
|
||||
type: object
|
||||
oAuthProxy:
|
||||
description: Configuration for oauth-proxy within the
|
||||
Che gateway pod.
|
||||
properties:
|
||||
cookieExpireSeconds:
|
||||
default: 86400
|
||||
description: Expire timeframe for cookie. If set to
|
||||
0, cookie becomes a session-cookie which will expire
|
||||
when the browser is closed.
|
||||
format: int32
|
||||
minimum: 0
|
||||
type: integer
|
||||
type: object
|
||||
traefik:
|
||||
description: Configuration for Traefik within the Che
|
||||
gateway pod.
|
||||
|
|
|
|||
|
|
@ -7980,6 +7980,19 @@ spec:
|
|||
minimum: 0
|
||||
type: integer
|
||||
type: object
|
||||
oAuthProxy:
|
||||
description: Configuration for oauth-proxy within the
|
||||
Che gateway pod.
|
||||
properties:
|
||||
cookieExpireSeconds:
|
||||
default: 86400
|
||||
description: Expire timeframe for cookie. If set to
|
||||
0, cookie becomes a session-cookie which will expire
|
||||
when the browser is closed.
|
||||
format: int32
|
||||
minimum: 0
|
||||
type: integer
|
||||
type: object
|
||||
traefik:
|
||||
description: Configuration for Traefik within the Che
|
||||
gateway pod.
|
||||
|
|
|
|||
|
|
@ -7975,6 +7975,19 @@ spec:
|
|||
minimum: 0
|
||||
type: integer
|
||||
type: object
|
||||
oAuthProxy:
|
||||
description: Configuration for oauth-proxy within the
|
||||
Che gateway pod.
|
||||
properties:
|
||||
cookieExpireSeconds:
|
||||
default: 86400
|
||||
description: Expire timeframe for cookie. If set to
|
||||
0, cookie becomes a session-cookie which will expire
|
||||
when the browser is closed.
|
||||
format: int32
|
||||
minimum: 0
|
||||
type: integer
|
||||
type: object
|
||||
traefik:
|
||||
description: Configuration for Traefik within the Che
|
||||
gateway pod.
|
||||
|
|
|
|||
|
|
@ -7980,6 +7980,19 @@ spec:
|
|||
minimum: 0
|
||||
type: integer
|
||||
type: object
|
||||
oAuthProxy:
|
||||
description: Configuration for oauth-proxy within the
|
||||
Che gateway pod.
|
||||
properties:
|
||||
cookieExpireSeconds:
|
||||
default: 86400
|
||||
description: Expire timeframe for cookie. If set to
|
||||
0, cookie becomes a session-cookie which will expire
|
||||
when the browser is closed.
|
||||
format: int32
|
||||
minimum: 0
|
||||
type: integer
|
||||
type: object
|
||||
traefik:
|
||||
description: Configuration for Traefik within the Che
|
||||
gateway pod.
|
||||
|
|
|
|||
|
|
@ -7975,6 +7975,19 @@ spec:
|
|||
minimum: 0
|
||||
type: integer
|
||||
type: object
|
||||
oAuthProxy:
|
||||
description: Configuration for oauth-proxy within the
|
||||
Che gateway pod.
|
||||
properties:
|
||||
cookieExpireSeconds:
|
||||
default: 86400
|
||||
description: Expire timeframe for cookie. If set to
|
||||
0, cookie becomes a session-cookie which will expire
|
||||
when the browser is closed.
|
||||
format: int32
|
||||
minimum: 0
|
||||
type: integer
|
||||
type: object
|
||||
traefik:
|
||||
description: Configuration for Traefik within the Che
|
||||
gateway pod.
|
||||
|
|
|
|||
|
|
@ -7975,6 +7975,19 @@ spec:
|
|||
minimum: 0
|
||||
type: integer
|
||||
type: object
|
||||
oAuthProxy:
|
||||
description: Configuration for oauth-proxy within the
|
||||
Che gateway pod.
|
||||
properties:
|
||||
cookieExpireSeconds:
|
||||
default: 86400
|
||||
description: Expire timeframe for cookie. If set to
|
||||
0, cookie becomes a session-cookie which will expire
|
||||
when the browser is closed.
|
||||
format: int32
|
||||
minimum: 0
|
||||
type: integer
|
||||
type: object
|
||||
traefik:
|
||||
description: Configuration for Traefik within the Che
|
||||
gateway pod.
|
||||
|
|
|
|||
|
|
@ -20,12 +20,13 @@ const (
|
|||
DefaultDashboardCpuRequest = "100m"
|
||||
|
||||
// Gateway
|
||||
DefaultGatewayMemoryLimit = "256Mi"
|
||||
DefaultGatewayMemoryRequest = "64Mi"
|
||||
DefaultGatewayCpuLimit = "500m"
|
||||
DefaultGatewayCpuRequest = "50m"
|
||||
DefaultTraefikLogLevel = "INFO"
|
||||
DefaultKubeRbacProxyLogLevel = int32(0)
|
||||
DefaultGatewayMemoryLimit = "256Mi"
|
||||
DefaultGatewayMemoryRequest = "64Mi"
|
||||
DefaultGatewayCpuLimit = "500m"
|
||||
DefaultGatewayCpuRequest = "50m"
|
||||
DefaultTraefikLogLevel = "INFO"
|
||||
DefaultKubeRbacProxyLogLevel = int32(0)
|
||||
DefaultOAuthProxyCookieExpireSeconds = int32(86400)
|
||||
|
||||
// PluginRegistry
|
||||
DefaultPluginRegistryMemoryLimit = "256Mi"
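Review bot: `DefaultOAuthProxyCookieExpireSeconds = int32(86400)` restates the `+kubebuilder:default:=86400` marker on `OAuthProxy.CookieExpireSeconds` without saying so, so the two values can drift apart silently when one of them is edited. A comment on the line above such as `// Must match +kubebuilder:default on chev2.OAuthProxy.CookieExpireSeconds (24h).` would make the coupling visible to the next editor. The `const` block starts outside the hunk.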
|
||||
|
|
|
|||
|
|
@ -18,7 +18,6 @@ import (
|
|||
|
||||
identityprovider "github.com/eclipse-che/che-operator/pkg/deploy/identity-provider"
|
||||
"github.com/sirupsen/logrus"
|
||||
|
||||
"k8s.io/apimachinery/pkg/api/resource"
|
||||
|
||||
"github.com/devfile/devworkspace-operator/pkg/infrastructure"
|
||||
|
|
@ -81,7 +80,7 @@ client_secret = "%s"
|
|||
scope = "%s"
|
||||
openshift_service_account = "%s"
|
||||
cookie_secret = "%s"
|
||||
cookie_expire = "24h0m0s"
|
||||
cookie_expire = "%s"
|
||||
email_domains = "*"
|
||||
cookie_httponly = false
|
||||
pass_access_token = true
|
||||
|
|
@ -94,6 +93,7 @@ skip_provider_button = false
|
|||
utils.GetValue(ctx.CheCluster.Spec.Networking.Auth.OAuthScope, constants.OpenShiftOAuthScope),
|
||||
GatewayServiceName,
|
||||
cookieSecret,
|
||||
cookieExpireAsString(ctx.CheCluster),
|
||||
skipAuthConfig(ctx.CheCluster))
|
||||
}
|
||||
|
||||
|
|
@ -113,7 +113,7 @@ upstreams = [
|
|||
client_id = "%s"
|
||||
client_secret = "%s"
|
||||
cookie_secret = "%s"
|
||||
cookie_expire = "24h0m0s"
|
||||
cookie_expire = "%s"
|
||||
email_domains = "*"
|
||||
cookie_httponly = false
|
||||
skip_provider_button = true
|
||||
|
|
@ -128,6 +128,7 @@ cookie_domains = "%s"
|
|||
ctx.CheCluster.Spec.Networking.Auth.OAuthClientName,
|
||||
ctx.CheCluster.Spec.Networking.Auth.OAuthSecret,
|
||||
cookieSecret,
|
||||
cookieExpireAsString(ctx.CheCluster),
|
||||
utils.Whitelist(ctx.CheHost),
|
||||
utils.Whitelist(ctx.CheHost),
|
||||
skipAuthConfig(ctx.CheCluster),
|
||||
|
|
@ -239,3 +240,12 @@ func getOauthProxyConfigVolume() corev1.Volume {
|
|||
},
|
||||
}
|
||||
}
|
||||
|
||||
func cookieExpireAsString(cheCluster *chev2.CheCluster) string {
|
||||
cookieExpire := constants.DefaultOAuthProxyCookieExpireSeconds
|
||||
if cheCluster.Spec.Networking.Auth.Gateway.OAuthProxy != nil && cheCluster.Spec.Networking.Auth.Gateway.OAuthProxy.CookieExpireSeconds != nil {
|
||||
cookieExpire = *cheCluster.Spec.Networking.Auth.Gateway.OAuthProxy.CookieExpireSeconds
|
||||
}
|
||||
|
||||
return fmt.Sprintf("%dh%dm%ds", cookieExpire/3600, cookieExpire%3600/60, cookieExpire%60)
|
||||
}
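Review bot: `cookieExpireAsString` hand-formats the three components, so a negative value — which the `*int32` type allows and only the CRD's `Minimum:=0` schema keeps out — produces a string like `-1h-1m-5s` (for -3665) that `time.ParseDuration` rejects, and the function has no comment recording that 0 is the documented session-cookie case. Since the literal it replaces, `24h0m0s`, is exactly Go's `time.Duration` string form, the proxy side presumably parses the value with `time.ParseDuration`; if so, `return (time.Duration(cookieExpire) * time.Second).String()` yields the same output for the existing cases (`1h1m5s`, `24h0m0s`), a well-formed `0s` for the session case and a well-formed negative otherwise, at the cost of a `"time"` import if the file lacks one (its import block is only partly visible). A one-line comment above the function, mirroring the CRD description (`// cookieExpireAsString renders the configured cookie lifetime as a duration string; 0 means a session cookie.`), would also help.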
|
||||
|
|
|
|||
|
|
@ -14,12 +14,54 @@ package gateway
|
|||
import (
|
||||
"testing"
|
||||
|
||||
"k8s.io/utils/pointer"
|
||||
|
||||
"github.com/devfile/devworkspace-operator/pkg/infrastructure"
|
||||
chev2 "github.com/eclipse-che/che-operator/api/v2"
|
||||
"github.com/eclipse-che/che-operator/pkg/common/test"
|
||||
"github.com/stretchr/testify/assert"
|
||||
)
|
||||
|
||||
func TestCookieExpireForOpenShiftOauthProxyConfig(t *testing.T) {
|
||||
ctx := test.GetDeployContext(
|
||||
&chev2.CheCluster{
|
||||
Spec: chev2.CheClusterSpec{
|
||||
Networking: chev2.CheClusterSpecNetworking{
|
||||
Auth: chev2.Auth{
|
||||
Gateway: chev2.Gateway{
|
||||
OAuthProxy: &chev2.OAuthProxy{
|
||||
CookieExpireSeconds: pointer.Int32(3665),
|
||||
},
|
||||
},
|
||||
},
|
||||
}},
|
||||
}, nil)
|
||||
infrastructure.InitializeForTesting(infrastructure.OpenShiftv4)
|
||||
|
||||
config := openshiftOauthProxyConfig(ctx, "")
|
||||
assert.Contains(t, config, "cookie_expire = \"1h1m5s\"")
|
||||
}
|
||||
|
||||
func TestCookieExpireKubernetesOauthProxyConfig(t *testing.T) {
|
||||
ctx := test.GetDeployContext(
|
||||
&chev2.CheCluster{
|
||||
Spec: chev2.CheClusterSpec{
|
||||
Networking: chev2.CheClusterSpecNetworking{
|
||||
Auth: chev2.Auth{
|
||||
Gateway: chev2.Gateway{
|
||||
OAuthProxy: &chev2.OAuthProxy{
|
||||
CookieExpireSeconds: pointer.Int32(3665),
|
||||
},
|
||||
},
|
||||
},
|
||||
}},
|
||||
}, nil)
|
||||
infrastructure.InitializeForTesting(infrastructure.Kubernetes)
|
||||
|
||||
config := kubernetesOauthProxyConfig(ctx, "")
|
||||
assert.Contains(t, config, "cookie_expire = \"1h1m5s\"")
|
||||
}
|
||||
|
||||
func TestKubernetesOauthProxyConfig(t *testing.T) {
|
||||
ctx := test.GetDeployContext(
|
||||
&chev2.CheCluster{
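Review bot: Both new tests exercise only the explicit 3665-second value; neither the fallback path (`OAuthProxy` unset, expecting `cookie_expire = "24h0m0s"` from `DefaultOAuthProxyCookieExpireSeconds`) nor the documented 0 session-cookie case is pinned, so a regression in either would pass CI. A third test built like the two above with `OAuthProxy: nil` and `assert.Contains(t, config, "cookie_expire = \"24h0m0s\"")` would cover the default, and one with `pointer.Int32(0)` the session case. As a point of style, the `}},` closing two levels on one line in both literals differs from the one-brace-per-line layout of the surrounding lines. `TestKubernetesOauthProxyConfig` continues past the hunk.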
|
||||
|
|
|
|||