
Commit 141e882

committed
feat: allow OIDC cookies when in-cluster is false via flag
Signed-off-by: Prajwal <percy38621@gmail.com>
1 parent 72d1290 commit 141e882


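--- a/backend/cmd/headlamp.go
+++ b/backend/cmd/headlamp.go
@@ -79,6 +79,7 @@ type HeadlampConfig struct {
 	oidcCallbackURL string
 	oidcValidatorIdpIssuerURL string
 	oidcUseAccessToken bool
+	oidcUseCookie bool
 	oidcSkipTLSVerify bool
 	oidcCACert string
 	oidcUsePKCE bool
@@ -448,6 +449,9 @@ func createHeadlampHandler(config *HeadlampConfig) http.Handler {
 		go kubeconfig.LoadAndWatchFiles(config.KubeConfigStore, kubeConfigPath, kubeconfig.KubeConfig, skipFunc)
 	}
 
+	// Initialize OIDC Cookie setting from flags
+	config.oidcUseCookie = config.HeadlampCFG.OidcUseCookie
+
 	// In-cluster
 	if config.UseInCluster {
 		context, err := kubeconfig.GetInClusterContext(config.oidcIdpIssuerURL,
@@ -1302,8 +1306,8 @@ func (c *HeadlampConfig) helmRouteReleaseHandler(
 	// Create a copy of the context to avoid modifying the cached context
 	context = context.Copy()
 
-	// If headlamp is running in cluster, use the token from the cookie for oidc auth
-	if c.UseInCluster && context.OidcConf != nil {
+	// If running in cluster or explicitly enabled via flag, use the token from the cookie for oidc auth
+	if (c.UseInCluster || c.oidcUseCookie) && context.OidcConf != nil {
 		setTokenFromCookie(r, clusterName)
 	}
 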
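Review bot: With `--oidc-use-cookie` set outside the cluster, the new condition `if (c.UseInCluster || c.oidcUseCookie) && context.OidcConf != nil {` still depends on `context.OidcConf`, yet the only place on this page that feeds OIDC settings into a context (`kubeconfig.GetInClusterContext(config.oidcIdpIssuerURL, ...)`) remains behind `if config.UseInCluster`; unless OidcConf is populated for kubeconfig contexts somewhere not shown, the flag may never take effect here. Either wire the oidc-* flags into the non-in-cluster context setup in the same change, or state in the comment that the cookie path requires OidcConf to come from the kubeconfig, e.g. `// Requires OidcConf on the context; outside the cluster it must come from the kubeconfig`. The cookie path also makes this handler consume an ambient browser credential in deployments that did not previously do so, and since setTokenFromCookie is not visible, confirm that whatever CSRF/SameSite protection the in-cluster path relied on applies equally here. helmRouteReleaseHandler starts before the hunk and createHeadlampHandler continues past it.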

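--- a/backend/pkg/config/config.go
+++ b/backend/pkg/config/config.go
@@ -61,6 +61,7 @@ type Config struct {
 	OidcValidatorIdpIssuerURL string `koanf:"oidc-validator-idp-issuer-url"`
 	OidcScopes string `koanf:"oidc-scopes"`
 	OidcUseAccessToken bool `koanf:"oidc-use-access-token"`
+	OidcUseCookie bool `koanf:"oidc-use-cookie"`
 	OidcSkipTLSVerify bool `koanf:"oidc-skip-tls-verify"`
 	OidcCAFile string `koanf:"oidc-ca-file"`
 	MeUsernamePath string `koanf:"me-username-path"`
@@ -84,10 +85,10 @@ type Config struct {
 }
 
 func (c *Config) Validate() error {
-	if !c.InCluster && (c.OidcClientID != "" || c.OidcClientSecret != "" || c.OidcIdpIssuerURL != "" ||
+	if !c.InCluster && !c.OidcUseCookie && (c.OidcClientID != "" || c.OidcClientSecret != "" || c.OidcIdpIssuerURL != "" ||
 		c.OidcValidatorClientID != "" || c.OidcValidatorIdpIssuerURL != "") {
 		return errors.New(`oidc-client-id, oidc-client-secret, oidc-idp-issuer-url, oidc-validator-client-id,
-		oidc-validator-idp-issuer-url, flags are only meant to be used in inCluster mode`)
+		oidc-validator-idp-issuer-url, flags are only meant to be used in inCluster mode or with --oidc-use-cookie`)
 	}
 
 	// OIDC TLS verification warning.
@@ -443,6 +444,7 @@ func addOIDCFlags(f *flag.FlagSet) {
 	f.Bool("oidc-skip-tls-verify", false, "Skip TLS verification for OIDC")
 	f.String("oidc-ca-file", "", "CA file for OIDC")
 	f.Bool("oidc-use-access-token", false, "Setup oidc to pass through the access_token instead of the default id_token")
+	f.Bool("oidc-use-cookie", false, "Enable OIDC cookie usage even when not running in-cluster")
 	f.Bool("oidc-use-pkce", false, "Use PKCE (Proof Key for Code Exchange) for enhanced security in OIDC flow")
 	f.String("me-username-path", DefaultMeUsernamePath,
 		"Comma separated JMESPath expressions used to read username from the JWT payload")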
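Review bot: The help text on the new `f.Bool("oidc-use-cookie", ...)` line describes only cookie usage, but the more consequential effect in this file is that the flag now turns off the Validate() guard rejecting `oidc-client-id`, `oidc-client-secret`, `oidc-idp-issuer-url` and the validator flags outside in-cluster mode, and an operator reading `--help` will not learn that. Suggest `f.Bool("oidc-use-cookie", false, "Read the OIDC token from the auth cookie even when not running in-cluster; also allows the oidc-* flags outside in-cluster mode")`. Since this opens the door to passing `oidc-client-secret` on the command line of a non-cluster (e.g. local) process, where it is readable from the process list, a short note to that effect in the flag help or next to the relaxed check in Validate() would be worth adding. Validate() and addOIDCFlags both continue outside their hunks.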

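--- a/backend/pkg/config/config_test.go
+++ b/backend/pkg/config/config_test.go
@@ -152,7 +152,7 @@ func TestParseErrors(t *testing.T) {
 		{
 			name: "oidc_settings_without_incluster",
 			args: []string{"go run ./cmd", "-oidc-client-id=noClient"},
-			errorContains: "are only meant to be used in inCluster mode",
+			errorContains: "flags are only meant to be used in inCluster mode or with --oidc-use-cookie",
 		},
 		{
 			name: "invalid_base_url",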
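Review bot: Only the expected error string of the existing negative case is updated, so the new behaviour the commit introduces, that `-oidc-use-cookie` lets the oidc-* flags through Validate() outside in-cluster mode, has no test. Add a case with `args: []string{"go run ./cmd", "-oidc-use-cookie", "-oidc-client-id=noClient"}` that expects no error (in whichever positive-parse table this package has, if any; otherwise a small dedicated test), and keep the existing `-oidc-client-id=noClient` entry so the guard is still shown to fire without the flag. TestParseErrors starts before the hunk and continues past it.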

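--- a/backend/pkg/headlampconfig/headlampConfig.go
+++ b/backend/pkg/headlampconfig/headlampConfig.go
@@ -28,4 +28,5 @@ type HeadlampCFG struct {
 	ProxyURLs []string
 	TLSCertPath string
 	TLSKeyPath string
+	OidcUseCookie bool
 }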
