Skip to content

backend: charts: Add session-ttl flag and logic#4675

Merged
illume merged 2 commits intokubernetes-sigs:mainfrom
mudit06mah:feat/session-ttl
Feb 13, 2026
Merged

backend: charts: Add session-ttl flag and logic#4675
illume merged 2 commits intokubernetes-sigs:mainfrom
mudit06mah:feat/session-ttl

Conversation

@mudit06mah
Copy link
Contributor

@mudit06mah mudit06mah commented Feb 11, 2026
edited
Loading

Summary

This PR adds session-ttl flag to headlamp backend and helm chart

Related Issue

Fixes #4538

Changes

  • Added new session-ttl flag in backend
  • Updated MaxAge logic in cookies.go
  • Updated helm chart and test snapshots

Steps to Test

(Not tested yet, having problems with authenticating but have verified this from logs)

  • Build backend
  • Run it with -session-ttl=120
  • Open headlamp in browser, Authenticate
  • Developer tools -> cookies -> check for auth cookie -> MaxAge column should have a 2 minute timestamp from that period

Notes for the Reviewer

Many files have been changed as charts snapshots have been updated.

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Feb 11, 2026
@illume illume requested a review from Copilot February 11, 2026 17:10
Copilot AI reviewed Feb 11, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a configurable backend -session-ttl (and corresponding Helm value) to control how long Headlamp’s auth cookie remains valid, addressing in-cluster re-authentication caused by the fixed 24h session duration.

Changes:

  • Introduces session-ttl config/flag with validation (bounds) and plumbs it into the server config.
  • Updates auth cookie issuance to use the configured TTL for MaxAge.
  • Updates Helm chart deployment args and refreshes snapshot templates.

Reviewed changes

Copilot reviewed 31 out of 31 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
charts/headlamp/values.yaml Adds config.sessionTTL default (86400s) to expose session TTL via Helm values.
charts/headlamp/templates/deployment.yaml Passes -session-ttl to the backend container args from Helm values.
charts/headlamp/tests/expected_templates/default.yaml Snapshot update to include -session-ttl=86400.
charts/headlamp/tests/expected_templates/extra-args.yaml Snapshot update to include -session-ttl=86400.
charts/headlamp/tests/expected_templates/extra-manifests.yaml Snapshot update to include -session-ttl=86400.
charts/headlamp/tests/expected_templates/host-users-override.yaml Snapshot update to include -session-ttl=86400.
charts/headlamp/tests/expected_templates/httproute-enabled.yaml Snapshot update to include -session-ttl=86400.
charts/headlamp/tests/expected_templates/me-user-info-url-directly.yaml Snapshot update to include -session-ttl=86400.
charts/headlamp/tests/expected_templates/me-user-info-url.yaml Snapshot update to include -session-ttl=86400.
charts/headlamp/tests/expected_templates/namespace-override-oidc-create-secret.yaml Snapshot update to include -session-ttl=86400.
charts/headlamp/tests/expected_templates/namespace-override.yaml Snapshot update to include -session-ttl=86400.
charts/headlamp/tests/expected_templates/non-azure-oidc.yaml Snapshot update to include -session-ttl=86400.
charts/headlamp/tests/expected_templates/oidc-create-secret.yaml Snapshot update to include -session-ttl=86400.
charts/headlamp/tests/expected_templates/oidc-directly-env.yaml Snapshot update to include -session-ttl=86400.
charts/headlamp/tests/expected_templates/oidc-directly.yaml Snapshot update to include -session-ttl=86400.
charts/headlamp/tests/expected_templates/oidc-external-secret.yaml Snapshot update to include -session-ttl=86400.
charts/headlamp/tests/expected_templates/oidc-pkce.yaml Snapshot update to include -session-ttl=86400.
charts/headlamp/tests/expected_templates/oidc-validator-overrides.yaml Snapshot update to include -session-ttl=86400.
charts/headlamp/tests/expected_templates/pod-disruption.yaml Snapshot update to include -session-ttl=86400.
charts/headlamp/tests/expected_templates/security-context.yaml Snapshot update to include -session-ttl=86400.
charts/headlamp/tests/expected_templates/tls-added.yaml Snapshot update to include -session-ttl=86400.
charts/headlamp/tests/expected_templates/topology-spread-constraints-custom-selector.yaml Snapshot update to include -session-ttl=86400.
charts/headlamp/tests/expected_templates/topology-spread-constraints.yaml Snapshot update to include -session-ttl=86400.
charts/headlamp/tests/expected_templates/volumes-added.yaml Snapshot update to include -session-ttl=86400.
charts/headlamp/tests/expected_templates/azure-oidc-with-validators.yaml Snapshot update to include -session-ttl=86400.
backend/pkg/config/config.go Adds SessionTTL config field, validation, and the -session-ttl flag with default 86400.
backend/pkg/headlampconfig/headlampConfig.go Extends HeadlampCFG to carry SessionTTL through backend components.
backend/cmd/server.go Maps parsed config SessionTTL into the runtime Headlamp config struct.
backend/cmd/headlamp.go Logs Session TTL and passes it when setting/refeshing auth cookies.
backend/pkg/auth/cookies.go Updates SetTokenCookie to take TTL and set cookie MaxAge accordingly.
backend/pkg/auth/cookies_test.go Updates tests for the new SetTokenCookie signature.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@illume
Copy link
Contributor

illume commented Feb 11, 2026

@ranjit-parva how does this solution look to you?

@ranjit-parva
Copy link

ranjit-parva commented Feb 11, 2026

LGTM

@mudit06mah
Copy link
Contributor Author

mudit06mah commented Feb 12, 2026

@illume I have made the changes suggested by copilot, Can you please review this again?

@illume illume requested a review from Copilot February 12, 2026 08:53
Copilot AI reviewed Feb 12, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 33 out of 33 changed files in this pull request and generated 4 comments.

Comments suppressed due to low confidence (1)

backend/pkg/auth/cookies_test.go:226

  • The chunked-cookie test exercises the new sessionTTL parameter but doesn’t assert that each emitted cookie chunk inherits the configured MaxAge. Adding an assertion over the returned cookies would prevent regressions where only some chunks get the correct TTL.
	auth.SetTokenCookie(w, req, "test-cluster", longToken, "", 86400)

	// Check if cookie was set
	cookies := w.Result().Cookies()
	if len(cookies) < 2 {
		t.Fatalf("Expected at least 2 cookies for a chunked token, got %d", len(cookies))

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

illume
illume requested changes Feb 12, 2026
View reviewed changes
Copy link
Contributor

@illume illume left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I checked the suggestions, and I think they are all good suggestions. Can you please have a look?

illume
illume approved these changes Feb 12, 2026
View reviewed changes
Copy link
Contributor

@illume illume left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎉 thanks!

@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Feb 12, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: illume, mudit06mah, ranjit-parva

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 12, 2026
@illume illume merged commit d36a68d into kubernetes-sigs:main Feb 13, 2026
9 of 10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@illume illume illume approved these changes

@ashu8912 ashu8912 Awaiting requested review from ashu8912

@vyncent-t vyncent-t Awaiting requested review from vyncent-t

+1 more reviewer

@ranjit-parva ranjit-parva ranjit-parva approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Support for session ttl

4 participants

@mudit06mah @illume @ranjit-parva @k8s-ci-robot