From e8a08def87a2be6993955a8503234134b0e322c7 Mon Sep 17 00:00:00 2001 From: Jose Palomares Date: Fri, 24 Apr 2026 17:10:53 +0200 Subject: [PATCH 1/3] feat: make OIDC passThroughAuthHeader and refreshToken configurable Expose envoy.security.passThroughAuthHeader and envoy.security.refreshToken (also per-policy) so services can match the proven graylog OIDC setup. Defaults change to passThroughAuthHeader: false and refreshToken: true, which rejects unauthenticated requests at the gateway and keeps sessions alive via refresh tokens. Co-Authored-By: Claude Opus 4.7 (1M context) --- parcellab/common/Chart.yaml | 2 +- .../common/templates/_securitypolicies.tpl | 17 ++++++++++++++++- parcellab/microservice/Chart.yaml | 2 +- parcellab/monolith/Chart.yaml | 2 +- 4 files changed, 19 insertions(+), 4 deletions(-) diff --git a/parcellab/common/Chart.yaml b/parcellab/common/Chart.yaml index 5b65cf2..1d4af6c 100644 --- a/parcellab/common/Chart.yaml +++ b/parcellab/common/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: common description: A Helm chart library for parcelLab charts type: library -version: 1.3.6 +version: 1.3.7 maintainers: - name: parcelLab email: engineering@parcellab.com diff --git a/parcellab/common/templates/_securitypolicies.tpl b/parcellab/common/templates/_securitypolicies.tpl index 8031493..9050f73 100644 --- a/parcellab/common/templates/_securitypolicies.tpl +++ b/parcellab/common/templates/_securitypolicies.tpl @@ -26,6 +26,8 @@ {{- $globalJwtProviderName := $security.jwtProviderName -}} {{- $globalJwksURI := $security.jwksURI -}} {{- $globalAnnotations := default (dict) $security.annotations -}} +{{- $globalPassThroughAuthHeader := $security.passThroughAuthHeader -}} +{{- $globalRefreshToken := $security.refreshToken -}} {{ range $policyIndex, $policy := $policies }} {{- $policyName := required (printf "envoy.security.policies[%d].name is required" $policyIndex) $policy.name -}} 
@@ -42,6 +44,18 @@ {{- $jwksURI := coalesce $policy.jwksURI $globalJwksURI (printf "%s/protocol/openid-connect/certs" $issuer) -}} {{- $backendRefs := coalesce $policy.backendRefs $security.backendRefs -}} {{- $annotations := merge (default (dict) $policy.annotations) $globalAnnotations -}} +{{- $passThroughAuthHeader := false -}} +{{- if hasKey $policy "passThroughAuthHeader" -}} + {{- $passThroughAuthHeader = $policy.passThroughAuthHeader -}} +{{- else if hasKey $security "passThroughAuthHeader" -}} + {{- $passThroughAuthHeader = $globalPassThroughAuthHeader -}} +{{- end -}} +{{- $refreshToken := true -}} +{{- if hasKey $policy "refreshToken" -}} + {{- $refreshToken = $policy.refreshToken -}} +{{- else if hasKey $security "refreshToken" -}} + {{- $refreshToken = $globalRefreshToken -}} +{{- end -}} {{- $targetRef := $policy.targetRef -}} {{- $targetRefs := $policy.targetRefs -}} {{- $rawSelectors := list -}} @@ -104,7 +118,8 @@ spec: {{- end }} cookieDomain: {{ $cookieDomain | quote }} forwardAccessToken: true - passThroughAuthHeader: true + passThroughAuthHeader: {{ $passThroughAuthHeader }} + refreshToken: {{ $refreshToken }} jwt: optional: false providers: diff --git a/parcellab/microservice/Chart.yaml b/parcellab/microservice/Chart.yaml index 5c62579..f120b7b 100644 --- a/parcellab/microservice/Chart.yaml +++ b/parcellab/microservice/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: microservice description: Simple microservice -version: 0.5.6 +version: 0.5.7 dependencies: - name: common version: "*" diff --git a/parcellab/monolith/Chart.yaml b/parcellab/monolith/Chart.yaml index 92821a6..c30400c 100644 --- a/parcellab/monolith/Chart.yaml +++ b/parcellab/monolith/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: monolith description: Application that may define multiple services and cronjobs -version: 0.5.7 +version: 0.5.8 dependencies: - name: common version: "*" From 5bcab6fefbccdb23ab40263bd3f59f7e47cd53e1 Mon Sep 17 00:00:00 2001 
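Review bot: The resolved `$passThroughAuthHeader` and `$refreshToken` are never checked to be booleans, so whatever a values file puts under these keys is written verbatim into the SecurityPolicy when it is rendered further down (outside this hunk). A string such as `"yes"` or a typo renders unquoted and is then either read with YAML 1.1 truthiness by the client tooling or rejected by the API server at install time, which is a poor place to discover a misconfigured authentication knob. The file already fails fast with `required` for the policy name, so validate these the same way: `{{- if not (kindIs "bool" $passThroughAuthHeader) }}{{ fail (printf "envoy.security.policies[%d].passThroughAuthHeader must be a boolean" $policyIndex) }}{{ end }}` plus the equivalent line for `$refreshToken`, placed right after the two resolution blocks.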
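Review bot: The rendered `passThroughAuthHeader` line sits directly above `jwt:` / `optional: false`, and that pairing is what keeps pass-through safe, yet nothing in the template records it. If this is the Envoy Gateway OIDC field (the SecurityPolicy shape suggests so), a true value lets a request that already carries an Authorization header skip the OIDC redirect, and the JWT provider block below is then the only thing validating that token, so anyone later relaxing `optional` or dropping the providers would silently expose the backend to unauthenticated bearer requests. Add a template comment above the line to pin the invariant: `{{- /* passThroughAuthHeader=true lets requests carrying an Authorization header bypass the OIDC redirect; they are then authenticated only by the jwt block below, so jwt.optional must stay false. */ }}`. The enclosing SecurityPolicy spec begins outside this hunk.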
From: Jose Palomares Date: Fri, 24 Apr 2026 17:14:48 +0200 Subject: [PATCH 2/3] chore: default passThroughAuthHeader to true to preserve prior behavior Restore the previous hardcoded behavior as the default so that existing services opt in to false explicitly when needed. Co-Authored-By: Claude Opus 4.7 (1M context) --- parcellab/common/templates/_securitypolicies.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/parcellab/common/templates/_securitypolicies.tpl b/parcellab/common/templates/_securitypolicies.tpl index 9050f73..8daca3d 100644 --- a/parcellab/common/templates/_securitypolicies.tpl +++ b/parcellab/common/templates/_securitypolicies.tpl @@ -44,7 +44,7 @@ {{- $jwksURI := coalesce $policy.jwksURI $globalJwksURI (printf "%s/protocol/openid-connect/certs" $issuer) -}} {{- $backendRefs := coalesce $policy.backendRefs $security.backendRefs -}} {{- $annotations := merge (default (dict) $policy.annotations) $globalAnnotations -}} -{{- $passThroughAuthHeader := false -}} +{{- $passThroughAuthHeader := true -}} {{- if hasKey $policy "passThroughAuthHeader" -}} {{- $passThroughAuthHeader = $policy.passThroughAuthHeader -}} {{- else if hasKey $security "passThroughAuthHeader" -}} From e16e501f1c071b9bf20f0ad875a8e98e7e848817 Mon Sep 17 00:00:00 2001 From: Jose Palomares Date: Fri, 24 Apr 2026 17:17:29 +0200 Subject: [PATCH 3/3] chore: guard OIDC nil values and document new knobs - Treat explicit null passThroughAuthHeader / refreshToken as unset so Helm does not render "" and break the SecurityPolicy YAML. - Add commented examples for the new settings in microservice and monolith values.yaml. Co-Authored-By: Claude Opus 4.7 (1M context) --- parcellab/common/templates/_securitypolicies.tpl | 8 ++++---- parcellab/microservice/values.yaml | 2 ++ parcellab/monolith/values.yaml | 2 ++ 3 files changed, 8 insertions(+), 4 deletions(-) 
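Review bot: This restores the previous default for `passThroughAuthHeader` only; `$refreshToken`, defaulted to true in the previous patch just below this hunk, still changes the rendered SecurityPolicy for every consumer that never set it, so the "preserve prior behavior" title only half holds. Before this series the field was not rendered at all, so consumers got the API's own default, which I believe is false for Envoy Gateway's OIDC `refreshToken`; enabling it makes the gateway keep a refresh token in the client-side session cookie (as far as I recall the Envoy OAuth2 filter stores it there) and lets sessions outlive the access-token lifetime, a posture change that warrants the same opt-in treatment. Either make the sibling default `{{- $refreshToken := false -}}` or state the new default explicitly in this commit's message and in the values documentation.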
diff --git a/parcellab/common/templates/_securitypolicies.tpl b/parcellab/common/templates/_securitypolicies.tpl
index 8daca3d..ef26b0c 100644
--- a/parcellab/common/templates/_securitypolicies.tpl
+++ b/parcellab/common/templates/_securitypolicies.tpl
@@ -45,15 +45,15 @@
 {{- $backendRefs := coalesce $policy.backendRefs $security.backendRefs -}}
 {{- $annotations := merge (default (dict) $policy.annotations) $globalAnnotations -}}
 {{- $passThroughAuthHeader := true -}}
-{{- if hasKey $policy "passThroughAuthHeader" -}}
+{{- if and (hasKey $policy "passThroughAuthHeader") (ne $policy.passThroughAuthHeader nil) -}}
 {{- $passThroughAuthHeader = $policy.passThroughAuthHeader -}}
-{{- else if hasKey $security "passThroughAuthHeader" -}}
+{{- else if and (hasKey $security "passThroughAuthHeader") (ne $globalPassThroughAuthHeader nil) -}}
 {{- $passThroughAuthHeader = $globalPassThroughAuthHeader -}}
 {{- end -}}
 {{- $refreshToken := true -}}
-{{- if hasKey $policy "refreshToken" -}}
+{{- if and (hasKey $policy "refreshToken") (ne $policy.refreshToken nil) -}}
 {{- $refreshToken = $policy.refreshToken -}}
-{{- else if hasKey $security "refreshToken" -}}
+{{- else if and (hasKey $security "refreshToken") (ne $globalRefreshToken nil) -}}
 {{- $refreshToken = $globalRefreshToken -}}
 {{- end -}}
 {{- $targetRef := $policy.targetRef -}}
diff --git a/parcellab/microservice/values.yaml b/parcellab/microservice/values.yaml
index ac99467..9eb3ed1 100644
--- a/parcellab/microservice/values.yaml
+++ b/parcellab/microservice/values.yaml
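Review bot: The precedence rule implemented here (policy value, then `envoy.security` value, then the hard-coded default, with an explicit `null` at either level treated as unset) exists only in this code, and the doubled `and (hasKey …) (ne … nil)` conditions do not make it obvious; a reader has to trace both branches to learn that `passThroughAuthHeader: null` in a policy falls back to the global setting rather than disabling the feature. Add a short template comment above the first resolution block, e.g. `{{- /* Resolve passThroughAuthHeader and refreshToken: policy > envoy.security > default (true). An explicit null at either level counts as unset, not false. */ }}`. The same wording belongs in the values.yaml comments for these keys so that chart users learn the null-as-unset rule without reading the template.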
@@ -116,6 +116,8 @@ envoy: # redirectURL: "https://my-app.example.com/oauth2/callback" # cookieDomain: "my-app.example.com" # annotations: {} # optional: annotations applied to all SecurityPolicy resources + # passThroughAuthHeader: true # optional: default true. Set false to reject unauthenticated requests at the gateway instead of forwarding the incoming Authorization header to the backend. + # refreshToken: true # optional: default true. Keep the OIDC session alive via refresh tokens. # scopes: # - profile # - email diff --git a/parcellab/monolith/values.yaml b/parcellab/monolith/values.yaml index 9b1247a..1f51c46 100644 --- a/parcellab/monolith/values.yaml +++ b/parcellab/monolith/values.yaml @@ -145,6 +145,8 @@ envoy: # redirectURL: "https://my-app.example.com/oauth2/callback" # cookieDomain: "my-app.example.com" # annotations: {} # optional: annotations applied to all SecurityPolicy resources + # passThroughAuthHeader: true # optional: default true. Set false to reject unauthenticated requests at the gateway instead of forwarding the incoming Authorization header to the backend. + # refreshToken: true # optional: default true. Keep the OIDC session alive via refresh tokens. # scopes: # - profile # - email
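Review bot: The new `passThroughAuthHeader` comment describes the knob as rejecting unauthenticated requests "instead of forwarding the incoming Authorization header to the backend", which does not match what the template renders: the SecurityPolicy also carries a `jwt` block with `optional: false`, so a passed-through Authorization header is validated by the gateway's JWT provider rather than handed to the backend unchecked, and with the value false a request without a session is redirected to the IdP rather than rejected outright. If this is the Envoy Gateway OIDC field, as the rendered resource suggests, a more accurate line would be `# passThroughAuthHeader: true # optional: default true. When true, requests that already carry an Authorization header skip the OIDC login redirect and are authenticated by the JWT provider instead; set false to force the OIDC flow for every request.` The identical comment is added to parcellab/monolith/values.yaml in the next hunk and should be corrected in the same way.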