OIDC settings in Helm
Configure OIDC settings for the Gloo UI in Helm so that your settings remain even after version upgrades.
You can also persist the OIDC sessions in a Redis instance by configuring Helm values.
Configure OIDC values in your Gloo Mesh Core deployment
You can configure the OIDC values for the Gloo UI when you install Gloo Mesh Core via Helm. This way, when you manage your releases through the helm upgrade
process, your Dashboard
custom resource settings are kept.
Get the client secret from your OIDC provider.
Create a Kubernetes secret with the OIDC client secret in the same namespace as you intend to install the Gloo UI, such as
gloo-mesh
. Do not include any Helm labels or annotations in the metadata. The following example usesdashboard
in thegloo-mesh
namespace.apiVersion: v1 kind: Secret metadata: name: dashboard namespace: gloo-mesh type: Opaque stringData: oidc-client-secret: $OIDC_CLIENT_SECRET
Follow the steps in the guides to upgrade or install Gloo Mesh Core. Update your Helm configuration file to remove the
glooUi.auth.oidc.clientSecret
setting and refer to the secret that you just created in theglooUi.auth.oidc.clientSecretName
setting.glooUi: enabled: true auth: enabled: true backend: oidc oidc: appUrl: # The URL that the UI for the OIDC app is available at, from the DNS and other ingress settings that expose the OIDC app UI service. clientId: # From the OIDC provider clientSecretName: dashboard #The Kubernetes secret with your OIDC client secret that you previously created. issuerUrl: # The URL to connect to the OpenID Connect identity provider, often in the format 'https://<domain>.<provider_url>/'. appUrl: # The URL that the Gloo UI is exposed at, such as 'https://localhost:8090'.
Optional: Add a stanza to store UI sessions in Redis.
Store UI sessions
You can configure the Gloo UI to store sessions in a browser cookie or in Redis by using the glooUi.auth.oidc.session
setting in your Helm values file.
In version 2.4.16, 2.5.7, and 2.6.0, the default values of the following Helm settings changed:
glooUi.auth.oidc.session.backend
: The default value changed from""
(empty) tocookie
to ensure auth sessions are stored in browser cookies by default.glooUi.auth.oidc.session.redis.host
: The default value changed from""
(empty) togloo-mesh-redis.gloo-mesh:6379
to ensure a valid Redis host is set whenglooUi.auth.oidc.session.backend
is changed toredis
.
Cookie
When you enable the Gloo UI, authentication sessions are automatically persisted by storing the OIDC ID tokens in encrypted browser cookies. No additional configuration is necessary.
The following example shows the default Helm values that are used to store Gloo UI auth sessions in a browser cookie.
glooUi:
enabled: true
auth:
enabled: true
oidc:
# Session storage configuration. If omitted, a cookie is used.
session:
# Backend to use for auth session storage.
backend: "cookie"
Redis
If the ID tokens are too large to be stored in cookies, you can configure the UI to use a Redis instance instead. You can use the built-in Redis instance that the Gloo management server and Gloo UI read from and write to, or use your own Redis deployment.
For the Gloo UI to function properly, it is required that you use the same Redis instance for the Gloo management server and the Gloo UI. For more information, refer to the Backing Redis databases guide.
To use the built-in Redis:
glooUi:
enabled: true
auth:
enabled: true
oidc:
session:
# Backend to use for auth session storage.
backend: redis
redis:
# The address of the built-in Redis instance.
host: gloo-mesh-redis.gloo-mesh:6379
To use your own Redis instance:
- Follow the Backing Redis databases guide to set up your Redis instance.
- In your Helm values file, add the following settings:
glooUi: enabled: true auth: enabled: true oidc: session: backend: "redis" redis: host: "<redis-host>" #accessible hostname or IP address to your external Redis