-
Notifications
You must be signed in to change notification settings - Fork 702
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
updated doc with troubleshooting section for console logout issue #2900
updated doc with troubleshooting section for console logout issue #2900
Conversation
docs/user/using-an-OIDC-provider.md
Outdated
### User automatically logged out from Kubeapps Console | ||
|
||
When using the default auth proxy, some users may experience the behavior where they are automatically logged out from the console. | ||
The default auth proxy is not configured to refresh the access/openid token and the console will logout once the token expires. In the case of Keycloak for example, this can happen quickly as the default access token expiration is 5mn. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Isn't this statement going to be incorrect once your chart change lands (as it's setting a sensible default, which ever way it does so)?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this will be obsolete for new installation / upgrades once we have the new chart.
but this is an existing problem for users, so i think it is useful to have a troubleshooting section for it.
I agree that i will have to reword it once we have the change in the chart.
docs/user/using-an-OIDC-provider.md
Outdated
When using the default auth proxy, some users may experience the behavior where they are automatically logged out from the console. | ||
The default auth proxy is not configured to refresh the access/openid token and the console will logout once the token expires. In the case of Keycloak for example, this can happen quickly as the default access token expiration is 5mn. | ||
|
||
To avoid this issue, add the option `--cookie-refresh=2m` to `authProxy.additionalFlags` in your values file. The duration for the refresh must be lesser than the access/openid expiration time configured in the OAuth2/OIDC provider. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Similar to my comment on the chart, I think this would be a better UX to be able to just set a chart value directly. Guess we'll want to wait until the chart change is landed before updating this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes, this was worded with assumption the new chart is not yet available.
if we wait for the chart, i will reword accordingly (reason why i marked the PR as draft :-)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A couple of suggestions but feel free to ignore them if you think otherwise.
Co-authored-by: Michael Nelson <absoludity@gmail.com>
Co-authored-by: Michael Nelson <absoludity@gmail.com>
Co-authored-by: Michael Nelson <absoludity@gmail.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great, thank you for performing these changes.
I've also noticed a couple of (already existing minor typos), if you want, check them; but feel free to ignore them as they are not from this PR.
- Remove duplicated "accept" in:
accept accept access_tokens from their identity provider as bearer tokens (see GKE below).
- Replace "prodcution" by "production" in
the prodcution VMware cloud services issuer
Co-authored-by: Michael Nelson <absoludity@gmail.com>
Co-authored-by: Antonio Gámez <antgamdia@gmail.com>
Co-authored-by: Antonio Gámez <antgamdia@gmail.com>
You'll need to switch this from a draft PR to be able to land it, I think, if you think it's ready. It's got +1s. |
@dlaloue-vmware, feel free to click "squash and merge" whenever you want. Looking forward to have the docs up to date with these changes :) |
Description of the change
Added troubleshooting section for the console logout issue reported in #2686
Updated a few sample sections as well to include the new option.
Benefits
Users may encounter the issue where they are unexpectedly logged out of the console. The new section helps identify the issue and provide a way to configure Kubeapps to prevent/fix the issue.