diff --git a/parcellab/common/Chart.yaml b/parcellab/common/Chart.yaml
index 5b65cf2..1d4af6c 100644
--- a/parcellab/common/Chart.yaml
+++ b/parcellab/common/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: common
 description: A Helm chart library for parcelLab charts
 type: library
-version: 1.3.6
+version: 1.3.7
 maintainers:
 - name: parcelLab
 email: engineering@parcellab.com
diff --git a/parcellab/common/templates/_securitypolicies.tpl b/parcellab/common/templates/_securitypolicies.tpl
index 8031493..ef26b0c 100644
--- a/parcellab/common/templates/_securitypolicies.tpl
+++ b/parcellab/common/templates/_securitypolicies.tpl
@@ -26,6 +26,8 @@
 {{- $globalJwtProviderName := $security.jwtProviderName -}}
 {{- $globalJwksURI := $security.jwksURI -}}
 {{- $globalAnnotations := default (dict) $security.annotations -}}
+{{- $globalPassThroughAuthHeader := $security.passThroughAuthHeader -}}
+{{- $globalRefreshToken := $security.refreshToken -}}
 {{ range $policyIndex, $policy := $policies }}
 {{- $policyName := required (printf "envoy.security.policies[%d].name is required" $policyIndex) $policy.name -}} 
@@ -42,6 +44,18 @@
 {{- $jwksURI := coalesce $policy.jwksURI $globalJwksURI (printf "%s/protocol/openid-connect/certs" $issuer) -}}
 {{- $backendRefs := coalesce $policy.backendRefs $security.backendRefs -}}
 {{- $annotations := merge (default (dict) $policy.annotations) $globalAnnotations -}}
+{{- $passThroughAuthHeader := true -}}
+{{- if and (hasKey $policy "passThroughAuthHeader") (ne $policy.passThroughAuthHeader nil) -}}
+ {{- $passThroughAuthHeader = $policy.passThroughAuthHeader -}}
+{{- else if and (hasKey $security "passThroughAuthHeader") (ne $globalPassThroughAuthHeader nil) -}}
+ {{- $passThroughAuthHeader = $globalPassThroughAuthHeader -}}
+{{- end -}}
+{{- $refreshToken := true -}}
+{{- if and (hasKey $policy "refreshToken") (ne $policy.refreshToken nil) -}}
+ {{- $refreshToken = $policy.refreshToken -}}
+{{- else if and (hasKey $security "refreshToken") (ne $globalRefreshToken nil) -}}
+ {{- $refreshToken = $globalRefreshToken -}}
+{{- end -}}
 {{- $targetRef := $policy.targetRef -}}
 {{- $targetRefs := $policy.targetRefs -}}
 {{- $rawSelectors := list -}}
@@ -104,7 +118,8 @@ spec:
 {{- end }}
 cookieDomain: {{ $cookieDomain | quote }}
 forwardAccessToken: true
-passThroughAuthHeader: true
+passThroughAuthHeader: {{ $passThroughAuthHeader }}
+refreshToken: {{ $refreshToken }}
 jwt:
 optional: false
 providers:
diff --git a/parcellab/microservice/Chart.yaml b/parcellab/microservice/Chart.yaml
index 5c62579..f120b7b 100644
--- a/parcellab/microservice/Chart.yaml
+++ b/parcellab/microservice/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: microservice
 description: Simple microservice
-version: 0.5.6
+version: 0.5.7
 dependencies:
 - name: common
 version: "*"
diff --git a/parcellab/microservice/values.yaml b/parcellab/microservice/values.yaml
index ac99467..9eb3ed1 100644
--- a/parcellab/microservice/values.yaml
+++ b/parcellab/microservice/values.yaml 
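Review bot: The resolved `$passThroughAuthHeader` and `$refreshToken` values are never checked to be booleans before they are rendered into a boolean CRD field, so a string such as `"yes"` (or any typo coming in through `--set-string`) is emitted as a bare scalar and only fails, or is silently coerced, at the API server; the strings `"true"`/`"false"` currently work only because the rendered text is re-parsed as YAML. The surrounding template already fails early for bad input with `required (printf "envoy.security.policies[%d].name is required" ...)`, and the same treatment fits here, e.g. after each `{{- end -}}`: `{{- if not (kindIs "bool" $passThroughAuthHeader) }}{{ fail (printf "envoy.security.policies[%d].passThroughAuthHeader must be a boolean" $policyIndex) }}{{ end -}}`, and likewise for `refreshToken`. The `range` body these lines sit in starts and ends outside the hunk.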
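Review bot: `refreshToken: {{ $refreshToken }}` is now emitted for every policy, and because `$refreshToken` is initialised to `true` earlier in the template, every consumer that never sets the option gets an explicit `refreshToken: true` where the previous rendering had no such field at all. Unless the controller already treats an absent field as `true`, that changes the session behaviour of every existing policy — presumably a refresh token then has to live in the browser session next to the access token that `forwardAccessToken: true` already forwards — under a patch-level bump of the library chart (1.3.6 → 1.3.7) that every dependent picks up via `version: "*"`. If the intent is only to make the option available, initialise the variable to the empty string and emit the field only when it was actually set, e.g. `{{- if kindIs "bool" $refreshToken }}` / `refreshToken: {{ $refreshToken }}` / `{{- end }}`; if the new default is intended, say so in the values comment and bump at least the minor version. The `spec:` block continues outside the hunk.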
@@ -116,6 +116,8 @@ envoy:
 # redirectURL: "https://my-app.example.com/oauth2/callback"
 # cookieDomain: "my-app.example.com"
 # annotations: {} # optional: annotations applied to all SecurityPolicy resources
+# passThroughAuthHeader: true # optional: default true. Set false to reject unauthenticated requests at the gateway instead of forwarding the incoming Authorization header to the backend.
+# refreshToken: true # optional: default true. Keep the OIDC session alive via refresh tokens.
 # scopes:
 # - profile
 # - email
diff --git a/parcellab/monolith/Chart.yaml b/parcellab/monolith/Chart.yaml
index 92821a6..c30400c 100644
--- a/parcellab/monolith/Chart.yaml
+++ b/parcellab/monolith/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: monolith
 description: Application that may define multiple services and cronjobs
-version: 0.5.7
+version: 0.5.8
 dependencies:
 - name: common
 version: "*"
diff --git a/parcellab/monolith/values.yaml b/parcellab/monolith/values.yaml
index 9b1247a..1f51c46 100644
--- a/parcellab/monolith/values.yaml
+++ b/parcellab/monolith/values.yaml
@@ -145,6 +145,8 @@ envoy:
 # redirectURL: "https://my-app.example.com/oauth2/callback"
 # cookieDomain: "my-app.example.com"
 # annotations: {} # optional: annotations applied to all SecurityPolicy resources
+# passThroughAuthHeader: true # optional: default true. Set false to reject unauthenticated requests at the gateway instead of forwarding the incoming Authorization header to the backend.
+# refreshToken: true # optional: default true. Keep the OIDC session alive via refresh tokens.
 # scopes:
 # - profile
 # - email
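Review bot: The new `passThroughAuthHeader` comment says that `false` makes the gateway "reject unauthenticated requests", but nothing this chart renders supports that reading: the generated SecurityPolicy pairs an OIDC section (login redirect, `cookieDomain`, `forwardAccessToken: true`) with a non-optional `jwt` section, so the flag presumably decides which of those handles a request that already carries an Authorization header rather than producing a rejection. An operator who turns it off expecting API clients to get a 401 may instead see them redirected to the identity provider, so the knob is better documented in the controller's own terms, e.g. `# passThroughAuthHeader: true # optional: default true. When true, requests that already carry an Authorization header skip the OIDC login redirect and are validated by the jwt section instead; set false to send every request through the OIDC flow.` — check the wording against the Envoy Gateway OIDC documentation before adopting it. The identical comment is added to parcellab/monolith/values.yaml further down and should be kept in sync.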