You can also persist the OIDC sessions in a Redis instance by configuring Helm values.

Configure OIDC values in your Gloo Mesh Enterprise deployment

You can configure the OIDC values for the Gloo UI when you install Gloo Mesh Enterprise via Helm. This way, when you manage your releases through the helm upgrade process, your Dashboard custom resource settings are kept.

  1. Get the client secret from your OIDC provider.

  2. Create a Kubernetes secret with the OIDC client secret in the same namespace as you intend to install the Gloo UI, such as gloo-mesh. Do not include any Helm labels or annotations in the metadata. The following example uses dashboard in the gloo-mesh namespace.

      apiVersion: v1
    kind: Secret
    metadata:
      name: dashboard
      namespace: gloo-mesh
    type: Opaque
    stringData:
      oidc-client-secret: $OIDC_CLIENT_SECRET
      
  3. Follow the steps in the guides to upgrade or install Gloo Mesh Enterprise. Update your Helm configuration file to remove the glooUi.auth.oidc.clientSecret setting and refer to the secret that you just created in the glooUi.auth.oidc.clientSecretName setting.

      
    glooUi:
      enabled: true
      auth:
        enabled: true
        backend: oidc
        oidc:
          clientId: # From the OIDC provider
          clientSecretName: dashboard #The Kubernetes secret with your OIDC client secret that you previously created.
          issuerUrl: # The URL to connect to the OpenID Connect identity provider, often in the format 'https://<domain>.<provider_url>/'.
          appUrl: # The URL that the Gloo UI is exposed at, such as 'https://localhost:8090'.
      
  4. Optional: Add a stanza to store UI sessions in Redis.

Store UI sessions

You can configure the Gloo UI to store sessions in a browser cookie or in Redis by using the glooUi.auth.oidc.session setting in your Helm values file.

When you enable the Gloo UI, authentication sessions are automatically persisted by storing the OIDC ID tokens in encrypted browser cookies. No additional configuration is necessary.

The following example shows the default Helm values that are used to store Gloo UI auth sessions in a browser cookie.

  
glooUi:
  enabled: true
  auth:
    enabled: true
    oidc:
      # Session storage configuration. If omitted, a cookie is used.
      session:
        # Backend to use for auth session storage. 
        backend: "cookie"
  

Redis

If the ID tokens are too large to be stored in cookies, you can configure the UI to use a Redis instance instead. You can use the built-in Redis instance that the Gloo management server and Gloo UI read from and write to, or use your own Redis deployment.

To use the built-in Redis:

  
glooUi:
  enabled: true
  auth:
    enabled: true
    oidc:
      session:
        # Backend to use for auth session storage. 
        backend: redis
        redis:
          # The address of the built-in Redis instance.
          host: gloo-mesh-redis.gloo-mesh:6379 
  

To use your own Redis instance:

  1. Follow the Backing Redis databases guide to set up your Redis instance.
  2. In your Helm values file, add the following settings:
      
    glooUi:
      enabled: true
      auth:
        enabled: true
        oidc:
          session:
            backend: "redis"
            redis:
              host: "<redis-host>" #accessible hostname or IP address to your external Redis