OpenUnison / openunison-k8s

Access portal for Kubernetes
Apache License 2.0

Large number for session inactivity timeout seconds #53

Closed alenhodzic85 closed 2 years ago

alenhodzic85 commented 2 years ago

Hi, Is it possible to have this inactivity session TTL for a bigger period? I have tried 2 weeks, but I have this error:

Exception in thread "main" java.lang.NumberFormatException: Not a number: 1.2096e+06

alenhodzic85 commented 2 years ago

Hi, Any updates on this?

mlbiam commented 2 years ago

Sorry about that. Is there a larger stack trace you can provide?

In theory, that should work. The int in Java goes up to 2147483647 or ~2400 days. That said, why do you want the inactivity timeout to be so long?

You can try setting it to 0, I know the cookies will last forever (or until openunison is restarted). Not sure about the oidc tokens though. I'll need to check that.
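The reported value 1.2096e+06 is exactly 1209600, the number of seconds in two weeks, written in exponent notation. The thread does not say where that rendering came from; the example below is added here and is not OpenUnison's code. It assumes (hypothetically) that the value was carried as a float64 by some templating or YAML step before reaching the Java integer parser, shows that Go's default formatting of such a float64 produces precisely the string in the error, and then demonstrates a tolerant parser, `ParseTimeoutSeconds` (a made-up name), that accepts both integer and exponent forms while still rejecting fractional, negative or out-of-range values, using the 2147483647 bound quoted above.

```go
package main

import (
	"fmt"
	"math"
	"strconv"
)

// Upper bound for a timeout stored in a Java int, the limit quoted in the thread.
const maxTimeoutSeconds = math.MaxInt32 // 2147483647

// renderViaFloat64 shows how a number that is carried as a float64 by a templating
// or YAML step is rendered by Go's default formatting. That this is what produced
// "1.2096e+06" in the report is an assumption, not something the thread confirms.
func renderViaFloat64(seconds int64) string {
	return fmt.Sprint(float64(seconds))
}

// ParseTimeoutSeconds accepts a plain integer or an exponent-notation value,
// insists on a whole, non-negative number of seconds, and enforces the int bound.
func ParseTimeoutSeconds(raw string) (int64, error) {
	// Fast path: the value is already an integer literal.
	if v, err := strconv.ParseInt(raw, 10, 64); err == nil {
		return checkRange(v, raw)
	}
	// Slow path: tolerate "1.2096e+06" style rendering as long as it is integral.
	f, err := strconv.ParseFloat(raw, 64)
	if err != nil {
		return 0, fmt.Errorf("not a number: %q", raw)
	}
	if math.IsInf(f, 0) || math.IsNaN(f) || f != math.Trunc(f) {
		return 0, fmt.Errorf("not a whole number of seconds: %q", raw)
	}
	// Compare in float64 before converting so an oversized value cannot wrap.
	if f < 0 || f > float64(maxTimeoutSeconds) {
		return 0, fmt.Errorf("timeout %q outside 0..%d seconds", raw, maxTimeoutSeconds)
	}
	return checkRange(int64(f), raw)
}

// checkRange rejects negative values and anything a Java int cannot hold.
func checkRange(v int64, raw string) (int64, error) {
	if v < 0 || v > maxTimeoutSeconds {
		return 0, fmt.Errorf("timeout %q outside 0..%d seconds", raw, maxTimeoutSeconds)
	}
	return v, nil
}

func main() {
	twoWeeks := int64(14 * 24 * 60 * 60) // 1209600, the value the reporter tried
	rendered := renderViaFloat64(twoWeeks)
	fmt.Println("rendered:", rendered) // 1.2096e+06
	// Constructed inputs: the two valid spellings plus the failure modes the parser must reject.
	for _, in := range []string{"1209600", rendered, "1.5", "3e9", "-5", "abc"} {
		v, err := ParseTimeoutSeconds(in)
		fmt.Printf("%-12q -> %d, %v\n", in, v, err)
	}
}
```

The defensive point is the range check: accepting exponent notation is harmless only if the parser still refuses values that would overflow the int the timeout is stored in, otherwise a rendering quirk could silently turn a two-week timeout into something else. Keeping the value as an integer at the templating layer avoids the problem entirely.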

alenhodzic85 commented 2 years ago

No worries. Unfortunately I don't have a larger stack trace saved, but I think you can easily reproduce. But if you cannot, I can reproduce it myself.

That said, why do you want the inactivity timeout to be so long?

telepresence.io doesn't play well with Openunison when the token expires

You can try setting it to 0, I know the cookies will last forever (or until openunison is restarted). Not sure about the oidc tokens though. I'll need to check that.

No, we don't want to set it to last forever

Thanks

mlbiam commented 2 years ago

telepresence.io doesn't play well with Openunison when the token expires

Ahh, figured this had to do with a pipeline. I've never used telepresence.io but I bet we can craft a better solution than a long lived token (we've got several ways of handling this exact scenario). Let me take a look at their docs (if you know of which doc talks about telepresence's identity capabilities, like having its own OIDC provider to identify workloads, that would be helpful)

mlbiam commented 2 years ago

I'm guessing you're running a local telepresence trying to connect to remote cluster? Is that telepresence instance running inside of a Kubernetes cluster?

alenhodzic85 commented 2 years ago

Yes, Telepresence traffic manager is installed in remote cluster.

mlbiam commented 2 years ago

Yes, Telepresence traffic manager is installed in remote cluster.

Awesome! Can your pipelines get access to a projected token?

alenhodzic85 commented 2 years ago

What projected token? And we are accessing telepresence from our workstations, not with pipelines.

mlbiam commented 2 years ago

Let me make sure I understand what you're looking to do. You've got pipelines that need to interact with a cluster running OpenUnison, right? You're running pipelines interactively, pasting in your current OpenUnison session's id_token so you can run the pipeline as you, the developer?

If you're running telepresence on a Kubernetes cluster newer than 1.20 you can:

  1. enable token projection so that each Pod that telepresence runs on gets a unique token scoped to OpenUnison
  2. configure OpenUnison to accept this token as an impersonation proxy

We can also support a couple of other options:

  1. provide a URL that lets a pipeline get its own token that can be used with your API server
  2. configure OpenUnison to generate an id_token that has a longer life used specifically for pipelines. These tokens can be used just like any other token, but they don't interfere with kubectl tokens

alenhodzic85 commented 2 years ago

We use Openunison portal to create fresh k8s context and paste it in user workstation terminal. Then use Telepresence to connect to traffic manager also from workstation terminal. It uses port forwarding for this.

mlbiam commented 2 years ago

I see, so having a workstation identity probably wouldn't work. I'll see if I can reproduce to get a better stack trace

alenhodzic85 commented 2 years ago

I have put it to 1 week, so we can close the issue.