OIDC settings in Helm

You can also persist the OIDC sessions in a Redis instance by configuring Helm values.

Configure OIDC values in your Gloo Mesh Gateway deployment link

You can configure the OIDC values for the Gloo UI when you install Gloo Mesh Gateway via Helm. This way, when you manage your releases through the helm upgrade process, your Dashboard custom resource settings are kept.

1. Get the client secret from your OIDC provider.

2. Create a Kubernetes secret with the OIDC client secret in the same namespace as you intend to install the Gloo UI, such as gloo-mesh. Do not include any Helm labels or annotations in the metadata. The following example uses dashboard in the gloo-mesh namespace.

   apiVersion: v1
   kind: Secret
   metadata:
     name: dashboard
     namespace: gloo-mesh
   type: Opaque
   stringData:
     oidc-client-secret: $OIDC_CLIENT_SECRET

3. Follow the steps in the guides to upgrade or install Gloo Mesh Gateway. Update your Helm configuration file to remove the glooUi.auth.oidc.clientSecret setting and refer to the secret that you just created in the glooUi.auth.oidc.clientSecretName setting.

   glooUi:
     enabled: true
     auth:
       enabled: true
       backend: oidc
       oidc:
         clientId: # From the OIDC provider
         clientSecretName: dashboard #The Kubernetes secret with your OIDC client secret that you previously created.
         issuerUrl: # The URL to connect to the OpenID Connect identity provider, often in the format 'https://<domain>.<provider_url>/'.
         appUrl: # The URL that the Gloo UI is exposed at, such as 'https://localhost:8090'.

Store UI sessions link

You can configure the Gloo UI to store sessions in a browser cookie by using the glooUi.auth.oidc.session setting in your Helm values file.

Cookie link

When you enable the Gloo UI, authentication sessions are automatically persisted by storing the OIDC ID tokens in encrypted browser cookies. No additional configuration is necessary.

The following example shows the default Helm values that are used to store Gloo UI auth sessions in a browser cookie.

glooUi:
  enabled: true
  auth:
    enabled: true
    oidc:
      # Session storage configuration. If omitted, a cookie is used.
      session:
        # Backend to use for auth session storage.
        backend: "cookie"

Optionally, you can configure the cookie settings by using the Dashboard authn.oidc.session.cookieOptions settings. For more information, see the API docs. Note that Dashboard settings are reset when you upgrade the Helm chart.