feat: allow OIDC cookies when in-cluster is false via flag

Signed-off-by: Prajwal <percy38621@gmail.com>

Author: beep-boopp

backend/cmd/headlamp.go

@@ -79,6 +79,7 @@ type HeadlampConfig struct {
 	oidcCallbackURL           string
 	oidcValidatorIdpIssuerURL string
 	oidcUseAccessToken        bool
+	oidcUseCookie             bool
 	oidcSkipTLSVerify         bool
 	oidcCACert                string
 	oidcUsePKCE               bool
@@ -448,6 +449,9 @@ func createHeadlampHandler(config *HeadlampConfig) http.Handler {
 		go kubeconfig.LoadAndWatchFiles(config.KubeConfigStore, kubeConfigPath, kubeconfig.KubeConfig, skipFunc)
 	}
 
+	// Initialize OIDC Cookie setting from flags
+	config.oidcUseCookie = config.HeadlampCFG.OidcUseCookie
+
 	// In-cluster
 	if config.UseInCluster {
 		context, err := kubeconfig.GetInClusterContext(config.oidcIdpIssuerURL,
@@ -1302,8 +1306,8 @@ func (c *HeadlampConfig) helmRouteReleaseHandler(
 	// Create a copy of the context to avoid modifying the cached context
 	context = context.Copy()
 
-	// If headlamp is running in cluster, use the token from the cookie for oidc auth
-	if c.UseInCluster && context.OidcConf != nil {
+	// If running in cluster or explicitly enabled via flag, use the token from the cookie for oidc auth
+	if (c.UseInCluster || c.oidcUseCookie) && context.OidcConf != nil {
 		setTokenFromCookie(r, clusterName)
 	}
 

backend/pkg/config/config.go

@@ -61,6 +61,7 @@ type Config struct {
 	OidcValidatorIdpIssuerURL string `koanf:"oidc-validator-idp-issuer-url"`
 	OidcScopes                string `koanf:"oidc-scopes"`
 	OidcUseAccessToken        bool   `koanf:"oidc-use-access-token"`
+	OidcUseCookie             bool   `koanf:"oidc-use-cookie"`
 	OidcSkipTLSVerify         bool   `koanf:"oidc-skip-tls-verify"`
 	OidcCAFile                string `koanf:"oidc-ca-file"`
 	MeUsernamePath            string `koanf:"me-username-path"`
@@ -84,10 +85,10 @@ type Config struct {
 }
 
 func (c *Config) Validate() error {
-	if !c.InCluster && (c.OidcClientID != "" || c.OidcClientSecret != "" || c.OidcIdpIssuerURL != "" ||
+	if !c.InCluster && !c.OidcUseCookie && (c.OidcClientID != "" || c.OidcClientSecret != "" || c.OidcIdpIssuerURL != "" ||
 		c.OidcValidatorClientID != "" || c.OidcValidatorIdpIssuerURL != "") {
 		return errors.New(`oidc-client-id, oidc-client-secret, oidc-idp-issuer-url, oidc-validator-client-id,
-		oidc-validator-idp-issuer-url, flags are only meant to be used in inCluster mode`)
+        oidc-validator-idp-issuer-url, flags are only meant to be used in inCluster mode or with --oidc-use-cookie`)
 	}
 
 	// OIDC TLS verification warning.
@@ -443,6 +444,7 @@ func addOIDCFlags(f *flag.FlagSet) {
 	f.Bool("oidc-skip-tls-verify", false, "Skip TLS verification for OIDC")
 	f.String("oidc-ca-file", "", "CA file for OIDC")
 	f.Bool("oidc-use-access-token", false, "Setup oidc to pass through the access_token instead of the default id_token")
+	f.Bool("oidc-use-cookie", false, "Enable OIDC cookie usage even when not running in-cluster")
 	f.Bool("oidc-use-pkce", false, "Use PKCE (Proof Key for Code Exchange) for enhanced security in OIDC flow")
 	f.String("me-username-path", DefaultMeUsernamePath,
 		"Comma separated JMESPath expressions used to read username from the JWT payload")

backend/pkg/config/config_test.go

@@ -152,7 +152,7 @@ func TestParseErrors(t *testing.T) {
 		{
 			name:          "oidc_settings_without_incluster",
 			args:          []string{"go run ./cmd", "-oidc-client-id=noClient"},
-			errorContains: "are only meant to be used in inCluster mode",
+			errorContains: "flags are only meant to be used in inCluster mode or with --oidc-use-cookie",
 		},
 		{
 			name:          "invalid_base_url",

backend/pkg/headlampconfig/headlampConfig.go

@@ -28,4 +28,5 @@ type HeadlampCFG struct {
 	ProxyURLs             []string
 	TLSCertPath           string
 	TLSKeyPath            string
+	OidcUseCookie         bool
 }