fix: Allow config of WebOrigins & RedirectUris #4444
You can access the deployment of this PR at https://ci-renku-4444.dev.renku.ch
leafty
left a comment
Why is this not added as new parameters to the cluster object? This way we would keep security features tight and not need to weaken security.
This is set on the keycloak client, and used by keycloak to validate the authentication request. The keycloak init-realm scripts (which reset the keycloak client in case of deviation with the expected parameters) are called every time there is a helm update/upgrade. I went for the quickest and smallest fix as this is causing problems for users in prod right now every time we deploy a release. I also did not want to rewrite the whole process for the keycloak configuration management on something which is more of a bug fix. Adapting the current init script should be part of a pitch about keycloak and its configuration management in Renku, IMHO. Making it retrieve the config from the PostgreSQL DB introduces a dependency on the DB to be up and running before you can initialise keycloak. That new / adapted script would have to be self-standing to not introduce chicken-and-egg problems. I also believe we should be a bit more mindful of the runtime inter-service dependencies and make sure they stay an acyclic graph. We could even improve deployment speed by ensuring we have proper
What is that issue? Do we have a GitHub issue? Or any other documented logs?
We had the issue on Slack, literally yesterday. This is on a project channel, you may not have had access to it. @olevski is also aware of it.
leafty
left a comment
Config change looks OK, though using these new values must be done with caution: all the URIs listed (especially if they contain wildcards) must be trusted.
Tearing down the temporary RenkuLab deployment for this PR.
/deploy extra-values=notebooks.oidc.extraRedirectUris=["https://domainA.example.org/*","https://domainB.example.org/*"],notebooks.oidc.extraWebOrigins=["https://domainC.example.org/*"]
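
Following the review comment that every listed URI must be trusted, here is an added example (not part of this PR or the Renku chart) that lints `extraRedirectUris` and `extraWebOrigins` values like the ones in the `/deploy` comment before they reach the Keycloak client. The function names, finding codes and the treatment of `*` as a trailing-only wildcard are assumptions of this example.

```python
from urllib.parse import urlsplit

def lint_redirect_uri(uri: str) -> list[str]:
    """Findings for one redirect URI pattern; an empty list means nothing flagged."""
    if uri.strip() == "*":
        return ["any-redirect"]
    parts = urlsplit(uri)
    findings = []
    if parts.scheme != "https":
        findings.append("not-https")
    if not parts.netloc or "*" in parts.netloc:
        findings.append("host-missing-or-wildcard")
    # Assumption: "*" is only meaningful as the last character of the pattern.
    if "*" in uri[:-1] and "*" not in parts.netloc:
        findings.append("wildcard-not-at-end")
    # "https://host/*" accepts every path on that host, so the whole host must be trusted.
    if parts.path == "/*" and not parts.query:
        findings.append("whole-host-wildcard")
    return findings

def lint_web_origin(origin: str) -> list[str]:
    """Findings for one web origin entry."""
    if origin.strip() == "*":
        return ["any-origin"]
    if origin.strip() == "+":  # Keycloak shorthand: origins of the valid redirect URIs
        return []
    parts = urlsplit(origin)
    findings = []
    if parts.scheme != "https":
        findings.append("not-https")
    if not parts.netloc or "*" in parts.netloc:
        findings.append("host-missing-or-wildcard")
    # A browser Origin is scheme://host[:port]; it never carries a path or "/*" suffix.
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        findings.append("origin-has-path")
    return findings

def lint_values(values: dict) -> dict[str, list[str]]:
    """Map every configured entry to its findings."""
    report = {u: lint_redirect_uri(u) for u in values.get("extraRedirectUris", [])}
    report.update({o: lint_web_origin(o) for o in values.get("extraWebOrigins", [])})
    return report

SAMPLE = {  # the values passed in the /deploy comment on this PR
    "extraRedirectUris": ["https://domainA.example.org/*", "https://domainB.example.org/*"],
    "extraWebOrigins": ["https://domainC.example.org/*"],
}

if __name__ == "__main__":
    for entry, findings in lint_values(SAMPLE).items():
        print(entry, findings or "ok")
```

A check like this fits in CI ahead of the helm upgrade, so that broad entries are reviewed deliberately rather than discovered after the init-realm scripts have applied them.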