mesosphere / traefik-forward-auth


clusterstorage first pass #41

Closed jr0d closed 3 years ago

jr0d commented 3 years ago

D2IQ ticket

https://jira.d2iq.com/browse/COPS-6792

tl;dr

This change is required to overcome the browser storage size limitations. Specifically, group claims exceeding 4k in size result in gorilla session creation failures. To solve this, tfa can be configured to store session data in kubernetes secrets.

Kubernetes Cluster Storage

This PR adds the capability to store userInfo claim data using the kubernetes apiserver. The changes contain:

Details

On successful authentication callback, id token claims (email, username, groups) are extracted and stored in a UserInfo structure. A claimId is generated and stored in the user's browser. Subsequent requests containing the claimId are authenticated by a sha256 hmac. The UserInfo is serialized to JSON and stored in a kubernetes secret within a user-defined namespace. Secrets are referenced via the following labels:

    ClaimsLabel   = "traefik-forward-auth/claim"
    ClaimsIDLabel = "traefik-forward-auth/claim-id"

When a user makes a request using an authenticated claimId, the userInfo is fetched from the corresponding secret on the API server. In order to reduce round trips to the apiserver, a local unbound TTL cache is used to proxy userInfo requests. To prevent stale secrets from polluting the api server, a garbage collection goroutine is started to periodically reap expired sessions.
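How the pieces described above fit together (a short HMAC-authenticated claimId in the browser, the full claims in a labelled Secret on the apiserver), as an added Go example that is not code from this PR or from traefik-forward-auth. The cookie encoding, the UserInfo field names, the label value "true" and the secret data key are assumptions, and the claimId is assumed to have been generated randomly elsewhere.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"strings"
)

// Label keys as given in the PR description.
const (
	ClaimsLabel   = "traefik-forward-auth/claim"
	ClaimsIDLabel = "traefik-forward-auth/claim-id"
)

// UserInfo holds the id-token claims the PR extracts (field names assumed).
type UserInfo struct {
	Email    string   `json:"email"`
	Username string   `json:"username"`
	Groups   []string `json:"groups"`
}

// SignClaimID returns the browser-side value "<claimId>.<hex hmac-sha256>" (encoding assumed).
func SignClaimID(key []byte, claimID string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(claimID))
	return claimID + "." + hex.EncodeToString(mac.Sum(nil))
}

// VerifyClaimID recomputes the tag and compares in constant time; a forged or
// tampered value fails here, before any apiserver lookup happens.
func VerifyClaimID(key []byte, cookie string) (string, bool) {
	claimID, _, found := strings.Cut(cookie, ".")
	if !found || !hmac.Equal([]byte(SignClaimID(key, claimID)), []byte(cookie)) {
		return "", false
	}
	return claimID, true
}

// SecretContents returns the labels and JSON data for the Secret that holds u, so it
// can later be located by claimId (label value "true" and data key are assumed).
func SecretContents(claimID string, u UserInfo) (map[string]string, map[string][]byte, error) {
	data, err := json.Marshal(u)
	if err != nil {
		return nil, nil, err
	}
	labels := map[string]string{ClaimsLabel: "true", ClaimsIDLabel: claimID}
	return labels, map[string][]byte{"userinfo": data}, nil
}
```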