Headlamp session expires in about 2 minutes when you log in via oidc #3918

@rift0nix

Describe the bug

Running Headlamp in-cluster, authenticating through a Keycloak OIDC server.
About 2 minutes after authentication a "Lost connection to the cluster" error is displayed, and the user is returned to the login dialog.

To Reproduce

Steps to reproduce the bug:

  1. Create values.yaml with the following content:
image:
  registry: ghcr.io
  repository: headlamp-k8s/headlamp
  pullPolicy: IfNotPresent
  tag: v0.35.0
config:
  watchPlugins: true
  extraArgs:
    - "-oidc-ca-file=/usr/local/share/ca-certificates/extra/ca-chain.pem"
  oidc:
    clientID: "${headlamp_oidc_client_id}"
    clientSecret: "${headlamp_oidc_client_secret}"
    issuerURL: "${headlamp_oidc_issuer_url}"
    callbackURL: "${headlamp_oidc_callback_url}"
    scopes: "openid,email,profile"
pluginsManager:
  enabled: true
  configContent: |
    plugins:
      - name: cert-manager
        source: "https://artifacthub.io/packages/headlamp/headlamp-plugins/headlamp_cert-manager"
        version: "0.1.0"
initContainers:
  - name: extra-certs
    image: alpine:3.18
    command:
      - /bin/sh
      - -c
      - |
        echo "-----BEGIN CERTIFICATE-----
        <base64 body of the CA certificate>
        -----END CERTIFICATE-----
        " > /usr/local/share/ca-certificates/extra/ca-chain.pem
    volumeMounts:
      - name: extra-certs
        mountPath: /usr/local/share/ca-certificates/extra
        readOnly: false

volumes:
  - name: extra-certs
    emptyDir: {}

volumeMounts:
  - name: extra-certs
    mountPath: /usr/local/share/ca-certificates/extra
    readOnly: true

resources:
  requests:
    cpu: 100m
    memory: 128Mi
  limits:
    cpu: 2000m
    memory: 4098Mi
  2. Replace the templated values in the oidc block
  3. Run
helm upgrade headlamp headlamp \
  --namespace headlamp \
  --create-namespace \
  --install \
  --repo https://kubernetes-sigs.github.io/headlamp \
  --version 0.35.0 \
  --values values.yaml  \
  --wait \
  --timeout 60s

Environment (please provide info about your environment):

  • Installation type: In-Cluster
  • Headlamp Version: 0.35.0

Are you able to fix this issue?

No

Labels: kind/bug, kind/regression, oidc