You can also persist the OIDC sessions in a Redis instance by configuring Helm values.

Configure OIDC values in your Gloo Mesh Enterprise deployment

You can configure the OIDC values for the Gloo UI when you install Gloo Mesh Enterprise via Helm. This way, when you manage your releases through the helm upgrade process, your Dashboard custom resource settings are kept.

  1. Follow the steps in the get started guide to install Gloo Mesh Enterprise. During the installation, specify the following settings in your Helm values file, alongside your other settings. For more information about the OIDC settings, see the API reference.

      
    glooUi:
      enabled: true
      auth:
        enabled: true
        backend: oidc
        oidc:
          clientId: # From the OIDC provider
          clientSecret: # From the OIDC provider. Stored in a secret that you created in advance in the same namespace as the Gloo UI. In this example, the secret's name is 'dashboard'.
          clientSecretName: dashboard
          issuerUrl: # The URL to connect to the OpenID Connect identity provider, often in the format 'https://<domain>.<provider_url>/'.
          appUrl: # The URL that the Gloo UI is exposed at, such as 'https://localhost:8090'.
      
  2. Optional: Add a stanza to store UI sessions in Redis.

Store UI sessions

You can configure the Gloo UI to store sessions in a browser cookie or in Redis by using the glooUi.auth.oidc.session setting in your Helm values file.

When you enable the Gloo UI, authentication sessions are automatically persisted by storing the OIDC ID tokens in encrypted browser cookies. No additional configuration is necessary.

The following example shows the default Helm values that are used to store Gloo UI auth sessions in a browser cookie.

    glooUi:
      enabled: true
      auth:
        enabled: true
        oidc:
          # Session storage configuration. If omitted, a cookie is used.
          session:
            # Backend to use for auth session storage.
            backend: "cookie"

Redis

If the ID tokens are too large to be stored in cookies, you can configure the UI to use a Redis instance instead. You can use the built-in Redis instance that the Gloo management server and Gloo UI read from and write to, or use your own Redis deployment.

To use the built-in Redis:

    glooUi:
      enabled: true
      auth:
        enabled: true
        oidc:
          session:
            # Backend to use for auth session storage.
            backend: redis
            redis:
              # The address of the built-in Redis instance.
              host: gloo-mesh-redis.gloo-mesh:6379

To use your own Redis instance:

  1. Follow the steps to bring your own Redis to set up your Redis instance.
  2. In your Helm values file, add the following settings:
      
    glooUi:
      enabled: true
      auth:
        enabled: true
        oidc:
          session:
            backend: "redis"
            redis:
              host: "<redis-host>" # Accessible hostname or IP address of your external Redis
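Whether an ID token is too large for the cookie backend, as described in the Redis section above, can be estimated before you choose a session backend. The following Python code is an added example, not part of the Gloo documentation: it sizes a token against the common 4096-byte per-cookie browser limit and ranks the claims by size. The encryption overhead, attribute budget, function names, and sample tokens are assumptions constructed for illustration, and the code only measures tokens, it does not verify signatures.

```python
import base64
import json
import math

COOKIE_LIMIT = 4096      # common per-cookie browser limit, in bytes
AEAD_OVERHEAD = 28       # assumption: nonce + auth tag added by cookie encryption
ATTRIBUTE_BUDGET = 200   # assumption: room for the cookie name and attributes


def b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(claims):
    """Build a constructed ID token for sizing only (placeholder signature)."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signature = b64url_encode(bytes(256))  # same length as an RS256 signature
    return f"{header}.{payload}.{signature}"


def claim_sizes(id_token):
    """Return (claim, JSON size in bytes) pairs, largest first."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    claims = json.loads(b64url_decode(parts[1]))
    sizes = [(name, len(json.dumps(value).encode())) for name, value in claims.items()]
    return sorted(sizes, key=lambda item: item[1], reverse=True)


def estimate_cookie_bytes(id_token):
    """Estimate the cookie size after encryption and base64 encoding."""
    encrypted = len(id_token.encode()) + AEAD_OVERHEAD
    return 4 * math.ceil(encrypted / 3) + ATTRIBUTE_BUDGET


def recommend_backend(id_token):
    """Return the glooUi.auth.oidc.session.backend value that fits this token."""
    return "cookie" if estimate_cookie_bytes(id_token) <= COOKIE_LIMIT else "redis"


# Constructed sample tokens: a minimal one and one with 300 group memberships.
BASE = {"iss": "https://idp.example.com/", "sub": "alice", "aud": "gloo-ui"}
SMALL = make_sample_token(BASE)
LARGE = make_sample_token({**BASE, "groups": [f"team-{i:04d}-platform-readers" for i in range(300)]})
```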