diff --git a/api/v2/checluster_types.go b/api/v2/checluster_types.go index b65700fa3..7860a3bcb 100644 --- a/api/v2/checluster_types.go +++ b/api/v2/checluster_types.go @@ -541,6 +541,17 @@ type Gateway struct { // Configuration for kube-rbac-proxy within the Che gateway pod. // +optional KubeRbacProxy *KubeRbacProxy `json:"kubeRbacProxy,omitempty"` + // Configuration for oauth-proxy within the Che gateway pod. + // +optional + OAuthProxy *OAuthProxy `json:"oAuthProxy,omitempty"` +} + +type OAuthProxy struct { + // Expire timeframe for cookie. If set to 0, cookie becomes a session-cookie which will expire when the browser is closed. + // +optional + // +kubebuilder:default:=86400 + // +kubebuilder:validation:Minimum:=0 + CookieExpireSeconds *int32 `json:"cookieExpireSeconds,omitempty"` } // Proxy server configuration. diff --git a/api/v2/zz_generated.deepcopy.go b/api/v2/zz_generated.deepcopy.go index a680e837b..0b2ba2a99 100644 --- a/api/v2/zz_generated.deepcopy.go +++ b/api/v2/zz_generated.deepcopy.go @@ -680,6 +680,11 @@ func (in *Gateway) DeepCopyInto(out *Gateway) { *out = new(KubeRbacProxy) (*in).DeepCopyInto(*out) } + if in.OAuthProxy != nil { + in, out := &in.OAuthProxy, &out.OAuthProxy + *out = new(OAuthProxy) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Gateway. 
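Review bot: The JSON key `oAuthProxy` on the new Gateway field breaks the lower-camel convention of its siblings (`kubeRbacProxy`, `traefik`) and becomes permanent CRD API once released; tagging the field `json:"oauthProxy,omitempty"` and regenerating the manifests would match the existing keys. The `+kubebuilder:default:=86400` marker on CookieExpireSeconds duplicates `DefaultOAuthProxyCookieExpireSeconds` in the constants.go hunk, so the two values can silently diverge; a comment on each pointing at the other keeps them aligned. The field comment should also say that this value bounds how long an issued gateway session cookie remains valid and that only a lower bound is enforced, e.g. `// Lifetime of the gateway session cookie; no upper bound is validated, so very large values keep sessions valid for correspondingly long.` A `+kubebuilder:validation:Maximum` is worth considering if multi-year lifetimes are not intended. The Gateway struct starts outside the hunk.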
@@ -778,6 +783,26 @@ func (in *KubeRbacProxy) DeepCopy() *KubeRbacProxy { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OAuthProxy) DeepCopyInto(out *OAuthProxy) { + *out = *in + if in.CookieExpireSeconds != nil { + in, out := &in.CookieExpireSeconds, &out.CookieExpireSeconds + *out = new(int32) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OAuthProxy. +func (in *OAuthProxy) DeepCopy() *OAuthProxy { + if in == nil { + return nil + } + out := new(OAuthProxy) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *PVC) DeepCopyInto(out *PVC) { *out = *in diff --git a/bundle/next/eclipse-che/manifests/che-operator.clusterserviceversion.yaml b/bundle/next/eclipse-che/manifests/che-operator.clusterserviceversion.yaml index 75f890095..743fce153 100644 --- a/bundle/next/eclipse-che/manifests/che-operator.clusterserviceversion.yaml +++ b/bundle/next/eclipse-che/manifests/che-operator.clusterserviceversion.yaml @@ -77,7 +77,7 @@ metadata: operators.operatorframework.io/project_layout: go.kubebuilder.io/v3 repository: https://github.com/eclipse-che/che-operator support: Eclipse Foundation - name: eclipse-che.v7.75.0-809.next + name: eclipse-che.v7.76.0-810.next namespace: placeholder spec: apiservicedefinitions: {} @@ -1234,7 +1234,7 @@ spec: minKubeVersion: 1.19.0 provider: name: Eclipse Foundation - version: 7.75.0-809.next + version: 7.76.0-810.next webhookdefinitions: - admissionReviewVersions: - v1 diff --git a/bundle/next/eclipse-che/manifests/org.eclipse.che_checlusters.yaml b/bundle/next/eclipse-che/manifests/org.eclipse.che_checlusters.yaml index c396b2c1f..7208a6688 100644 --- a/bundle/next/eclipse-che/manifests/org.eclipse.che_checlusters.yaml 
+++ b/bundle/next/eclipse-che/manifests/org.eclipse.che_checlusters.yaml @@ -8178,6 +8178,19 @@ spec: minimum: 0 type: integer type: object + oAuthProxy: + description: Configuration for oauth-proxy within the + Che gateway pod. + properties: + cookieExpireSeconds: + default: 86400 + description: Expire timeframe for cookie. If set + to 0, cookie becomes a session-cookie which will + expire when the browser is closed. + format: int32 + minimum: 0 + type: integer + type: object traefik: description: Configuration for Traefik within the Che gateway pod. diff --git a/config/crd/bases/org.eclipse.che_checlusters.yaml b/config/crd/bases/org.eclipse.che_checlusters.yaml index b3534c792..11e70e9b6 100644 --- a/config/crd/bases/org.eclipse.che_checlusters.yaml +++ b/config/crd/bases/org.eclipse.che_checlusters.yaml @@ -7961,6 +7961,19 @@ spec: minimum: 0 type: integer type: object + oAuthProxy: + description: Configuration for oauth-proxy within the + Che gateway pod. + properties: + cookieExpireSeconds: + default: 86400 + description: Expire timeframe for cookie. If set to + 0, cookie becomes a session-cookie which will expire + when the browser is closed. + format: int32 + minimum: 0 + type: integer + type: object traefik: description: Configuration for Traefik within the Che gateway pod. diff --git a/deploy/deployment/kubernetes/combined.yaml b/deploy/deployment/kubernetes/combined.yaml index 4359d1a51..7e02e4044 100644 --- a/deploy/deployment/kubernetes/combined.yaml +++ b/deploy/deployment/kubernetes/combined.yaml 
@@ -7980,6 +7980,19 @@ spec: minimum: 0 type: integer type: object + oAuthProxy: + description: Configuration for oauth-proxy within the + Che gateway pod. + properties: + cookieExpireSeconds: + default: 86400 + description: Expire timeframe for cookie. If set to + 0, cookie becomes a session-cookie which will expire + when the browser is closed. + format: int32 + minimum: 0 + type: integer + type: object traefik: description: Configuration for Traefik within the Che gateway pod. diff --git a/deploy/deployment/kubernetes/objects/checlusters.org.eclipse.che.CustomResourceDefinition.yaml b/deploy/deployment/kubernetes/objects/checlusters.org.eclipse.che.CustomResourceDefinition.yaml index 4e7787b38..f2c89e3cc 100644 --- a/deploy/deployment/kubernetes/objects/checlusters.org.eclipse.che.CustomResourceDefinition.yaml +++ b/deploy/deployment/kubernetes/objects/checlusters.org.eclipse.che.CustomResourceDefinition.yaml @@ -7975,6 +7975,19 @@ spec: minimum: 0 type: integer type: object + oAuthProxy: + description: Configuration for oauth-proxy within the + Che gateway pod. + properties: + cookieExpireSeconds: + default: 86400 + description: Expire timeframe for cookie. If set to + 0, cookie becomes a session-cookie which will expire + when the browser is closed. + format: int32 + minimum: 0 + type: integer + type: object traefik: description: Configuration for Traefik within the Che gateway pod. diff --git a/deploy/deployment/openshift/combined.yaml b/deploy/deployment/openshift/combined.yaml index cdcd6e3ee..b6abc31d6 100644 --- a/deploy/deployment/openshift/combined.yaml +++ b/deploy/deployment/openshift/combined.yaml 
@@ -7980,6 +7980,19 @@ spec: minimum: 0 type: integer type: object + oAuthProxy: + description: Configuration for oauth-proxy within the + Che gateway pod. + properties: + cookieExpireSeconds: + default: 86400 + description: Expire timeframe for cookie. If set to + 0, cookie becomes a session-cookie which will expire + when the browser is closed. + format: int32 + minimum: 0 + type: integer + type: object traefik: description: Configuration for Traefik within the Che gateway pod. diff --git a/deploy/deployment/openshift/objects/checlusters.org.eclipse.che.CustomResourceDefinition.yaml b/deploy/deployment/openshift/objects/checlusters.org.eclipse.che.CustomResourceDefinition.yaml index 5d8ee06d5..4027d2adb 100644 --- a/deploy/deployment/openshift/objects/checlusters.org.eclipse.che.CustomResourceDefinition.yaml +++ b/deploy/deployment/openshift/objects/checlusters.org.eclipse.che.CustomResourceDefinition.yaml @@ -7975,6 +7975,19 @@ spec: minimum: 0 type: integer type: object + oAuthProxy: + description: Configuration for oauth-proxy within the + Che gateway pod. + properties: + cookieExpireSeconds: + default: 86400 + description: Expire timeframe for cookie. If set to + 0, cookie becomes a session-cookie which will expire + when the browser is closed. + format: int32 + minimum: 0 + type: integer + type: object traefik: description: Configuration for Traefik within the Che gateway pod. diff --git a/helmcharts/next/crds/checlusters.org.eclipse.che.CustomResourceDefinition.yaml b/helmcharts/next/crds/checlusters.org.eclipse.che.CustomResourceDefinition.yaml index 4e7787b38..f2c89e3cc 100644 --- a/helmcharts/next/crds/checlusters.org.eclipse.che.CustomResourceDefinition.yaml +++ b/helmcharts/next/crds/checlusters.org.eclipse.che.CustomResourceDefinition.yaml 
@@ -7975,6 +7975,19 @@ spec: minimum: 0 type: integer type: object + oAuthProxy: + description: Configuration for oauth-proxy within the + Che gateway pod. + properties: + cookieExpireSeconds: + default: 86400 + description: Expire timeframe for cookie. If set to + 0, cookie becomes a session-cookie which will expire + when the browser is closed. + format: int32 + minimum: 0 + type: integer + type: object traefik: description: Configuration for Traefik within the Che gateway pod. diff --git a/pkg/common/constants/constants.go b/pkg/common/constants/constants.go index a7b1430ae..f3964f5c5 100644 --- a/pkg/common/constants/constants.go +++ b/pkg/common/constants/constants.go @@ -20,12 +20,13 @@ const ( DefaultDashboardCpuRequest = "100m" // Gateway - DefaultGatewayMemoryLimit = "256Mi" - DefaultGatewayMemoryRequest = "64Mi" - DefaultGatewayCpuLimit = "500m" - DefaultGatewayCpuRequest = "50m" - DefaultTraefikLogLevel = "INFO" - DefaultKubeRbacProxyLogLevel = int32(0) + DefaultGatewayMemoryLimit = "256Mi" + DefaultGatewayMemoryRequest = "64Mi" + DefaultGatewayCpuLimit = "500m" + DefaultGatewayCpuRequest = "50m" + DefaultTraefikLogLevel = "INFO" + DefaultKubeRbacProxyLogLevel = int32(0) + DefaultOAuthProxyCookieExpireSeconds = int32(86400) // PluginRegistry DefaultPluginRegistryMemoryLimit = "256Mi" diff --git a/pkg/deploy/gateway/oauth_proxy.go b/pkg/deploy/gateway/oauth_proxy.go index 3b480fa7c..02f67c135 100644 --- a/pkg/deploy/gateway/oauth_proxy.go +++ b/pkg/deploy/gateway/oauth_proxy.go @@ -18,7 +18,6 @@ import ( identityprovider "github.com/eclipse-che/che-operator/pkg/deploy/identity-provider" "github.com/sirupsen/logrus" - "k8s.io/apimachinery/pkg/api/resource" "github.com/devfile/devworkspace-operator/pkg/infrastructure" @@ -81,7 +80,7 @@ client_secret = "%s" scope = "%s" openshift_service_account = "%s" cookie_secret = "%s" -cookie_expire = "24h0m0s" +cookie_expire = "%s" email_domains = "*" cookie_httponly = false pass_access_token = true 
@@ -94,6 +93,7 @@ skip_provider_button = false utils.GetValue(ctx.CheCluster.Spec.Networking.Auth.OAuthScope, constants.OpenShiftOAuthScope), GatewayServiceName, cookieSecret, + cookieExpireAsString(ctx.CheCluster), skipAuthConfig(ctx.CheCluster)) } @@ -113,7 +113,7 @@ upstreams = [ client_id = "%s" client_secret = "%s" cookie_secret = "%s" -cookie_expire = "24h0m0s" +cookie_expire = "%s" email_domains = "*" cookie_httponly = false skip_provider_button = true @@ -128,6 +128,7 @@ cookie_domains = "%s" ctx.CheCluster.Spec.Networking.Auth.OAuthClientName, ctx.CheCluster.Spec.Networking.Auth.OAuthSecret, cookieSecret, + cookieExpireAsString(ctx.CheCluster), utils.Whitelist(ctx.CheHost), utils.Whitelist(ctx.CheHost), skipAuthConfig(ctx.CheCluster), @@ -239,3 +240,12 @@ func getOauthProxyConfigVolume() corev1.Volume { }, } } + +func cookieExpireAsString(cheCluster *chev2.CheCluster) string { + cookieExpire := constants.DefaultOAuthProxyCookieExpireSeconds + if cheCluster.Spec.Networking.Auth.Gateway.OAuthProxy != nil && cheCluster.Spec.Networking.Auth.Gateway.OAuthProxy.CookieExpireSeconds != nil { + cookieExpire = *cheCluster.Spec.Networking.Auth.Gateway.OAuthProxy.CookieExpireSeconds + } + + return fmt.Sprintf("%dh%dm%ds", cookieExpire/3600, cookieExpire%3600/60, cookieExpire%60) +} diff --git a/pkg/deploy/gateway/oauth_proxy_test.go b/pkg/deploy/gateway/oauth_proxy_test.go index 8f009eceb..425e2d517 100644 --- a/pkg/deploy/gateway/oauth_proxy_test.go +++ b/pkg/deploy/gateway/oauth_proxy_test.go 
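Review bot: cookieExpireAsString hand-rolls the duration formatting and, for a negative CookieExpireSeconds, produces a string such as "-1h-1m-5s" that is not a valid duration, so oauth-proxy would reject its config; the CRD `Minimum:=0` marker only protects objects that went through API-server validation. Rendering via the standard library, `return (time.Duration(cookieExpire) * time.Second).String()`, yields the same "1h1m5s" and "24h0m0s" forms the tests expect (0 renders as "0s", which parses to the same zero duration) and can be preceded by `if cookieExpire < 0 { cookieExpire = constants.DefaultOAuthProxyCookieExpireSeconds }`; this needs `time` in the file's import block, which is only partly visible in the earlier hunk. The function also lacks a doc comment; `// cookieExpireAsString returns the oauth-proxy cookie lifetime as a duration string ("24h0m0s"), falling back to DefaultOAuthProxyCookieExpireSeconds when spec.networking.auth.gateway.oAuthProxy.cookieExpireSeconds is unset.` The same positional-argument insertion appears in the hunks at -94 and -128; the ordering matches the visible template lines but the default path has no test pinning it.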
@@ -14,12 +14,54 @@ package gateway import ( "testing" + "k8s.io/utils/pointer" + "github.com/devfile/devworkspace-operator/pkg/infrastructure" chev2 "github.com/eclipse-che/che-operator/api/v2" "github.com/eclipse-che/che-operator/pkg/common/test" "github.com/stretchr/testify/assert" ) +func TestCookieExpireForOpenShiftOauthProxyConfig(t *testing.T) { + ctx := test.GetDeployContext( + &chev2.CheCluster{ + Spec: chev2.CheClusterSpec{ + Networking: chev2.CheClusterSpecNetworking{ + Auth: chev2.Auth{ + Gateway: chev2.Gateway{ + OAuthProxy: &chev2.OAuthProxy{ + CookieExpireSeconds: pointer.Int32(3665), + }, + }, + }, + }}, + }, nil) + infrastructure.InitializeForTesting(infrastructure.OpenShiftv4) + + config := openshiftOauthProxyConfig(ctx, "") + assert.Contains(t, config, "cookie_expire = \"1h1m5s\"") +} + +func TestCookieExpireKubernetesOauthProxyConfig(t *testing.T) { + ctx := test.GetDeployContext( + &chev2.CheCluster{ + Spec: chev2.CheClusterSpec{ + Networking: chev2.CheClusterSpecNetworking{ + Auth: chev2.Auth{ + Gateway: chev2.Gateway{ + OAuthProxy: &chev2.OAuthProxy{ + CookieExpireSeconds: pointer.Int32(3665), + }, + }, + }, + }}, + }, nil) + infrastructure.InitializeForTesting(infrastructure.Kubernetes) + + config := kubernetesOauthProxyConfig(ctx, "") + assert.Contains(t, config, "cookie_expire = \"1h1m5s\"") +} + func TestKubernetesOauthProxyConfig(t *testing.T) { ctx := test.GetDeployContext( &chev2.CheCluster{
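Review bot: Both new tests only exercise an explicitly set value (3665); the default path, where `Gateway.OAuthProxy` is nil and the rendered config must contain `cookie_expire = "24h0m0s"`, and the documented 0 → session-cookie case are not covered, so a regression in the fallback inside cookieExpireAsString would go unnoticed. A table-driven test over nil, 0 and 3665 asserting the rendered substring for both openshiftOauthProxyConfig and kubernetesOauthProxyConfig would close that gap. The two tests differ only in the infrastructure type and the config function called, so a shared helper that builds the CheCluster would remove the duplicated literal. The enclosing TestKubernetesOauthProxyConfig continues outside the hunk.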