WIP: Add session persistence across config reloads

TheRealJon · TheRealJon · commit c9c378415b2a · 2025-10-03T16:41:12.000-04:00
- Cache session state (authenticator, CSRF verifier) across server restarts
- Only recreate sessions when session-related config changes
- Update run-bridge.sh to use static config file for testing
- Add examples/bridge-config.yaml with static development settings

Users now stay logged in when non-session config changes (branding, plugins, etc.)
Sessions are only invalidated when auth config actually changes.
diff --git a/cmd/bridge/main.go b/cmd/bridge/main.go
@@ -20,6 +20,7 @@ import (
 	authopts "github.com/openshift/console/cmd/bridge/config/auth"
 	"github.com/openshift/console/cmd/bridge/config/session"
 	"github.com/openshift/console/pkg/auth"
+	"github.com/openshift/console/pkg/auth/csrfverifier"
 	"github.com/openshift/console/pkg/controllers"
 	"github.com/openshift/console/pkg/flags"
 	"github.com/openshift/console/pkg/knative"
@@ -148,13 +149,35 @@ func main() {
 
 	configFile := fs.Lookup("config").Value.String()
 
+	// Track session-related config to determine if we need to recreate sessions
+	var (
+		cachedCompletedAuthnOptions   *authopts.CompletedOptions
+		cachedCompletedSessionOptions *session.CompletedOptions
+		cachedAuthenticator           auth.Authenticator
+		cachedCSRFVerifier            *csrfverifier.CSRFVerifier
+	)
+
 	// Run server in a loop to support restarts
 	for {
 		// Parse and apply config
 		applyConfig(fs, bridgeOptions, authOptions, sessionOptions)
 
-		// Build the server with current config
-		srv := createServer(bridgeOptions, authOptions, sessionOptions)
+		// Build the server with current config, potentially reusing session state
+		srv, newAuthn, newSession := createServer(
+			bridgeOptions,
+			authOptions,
+			sessionOptions,
+			cachedCompletedAuthnOptions,
+			cachedCompletedSessionOptions,
+			cachedAuthenticator,
+			cachedCSRFVerifier,
+		)
+
+		// Cache the new session state for next iteration
+		cachedCompletedAuthnOptions = newAuthn
+		cachedCompletedSessionOptions = newSession
+		cachedAuthenticator = srv.Authenticator
+		cachedCSRFVerifier = srv.CSRFVerifier
 
 		// Run the server with config file watching
 		shouldRestart := runServer(bridgeOptions, srv, configFile)
@@ -164,6 +187,51 @@ func main() {
 	}
 }
 
+func sessionConfigHasChanged(
+	authOptions *authopts.AuthOptions,
+	sessionOptions *session.SessionOptions,
+	cachedAuthnOptions *authopts.CompletedOptions,
+	cachedSessionOptions *session.CompletedOptions,
+) bool {
+	// If no cached options, session config has "changed" (needs to be created)
+	if cachedAuthnOptions == nil || cachedSessionOptions == nil {
+		return true
+	}
+
+	// Compare authentication options that affect sessions
+	if authOptions.AuthType != cachedAuthnOptions.AuthType {
+		return true
+	}
+
+	// Compare issuer URLs
+	cachedIssuerURL := ""
+	if cachedAuthnOptions.IssuerURL != nil {
+		cachedIssuerURL = cachedAuthnOptions.IssuerURL.String()
+	}
+	if authOptions.IssuerURL != cachedIssuerURL {
+		return true
+	}
+
+	if authOptions.ClientID != cachedAuthnOptions.ClientID {
+		return true
+	}
+	if authOptions.ClientSecretFilePath != "" {
+		// Client secret file path changed - assume secret might have changed
+		return true
+	}
+	if authOptions.InactivityTimeoutSeconds != cachedAuthnOptions.InactivityTimeoutSeconds {
+		return true
+	}
+
+	// Compare session options
+	if sessionOptions.CookieEncryptionKeyPath != "" || sessionOptions.CookieAuthenticationKeyPath != "" {
+		// If key paths are set, assume keys might have changed
+		return true
+	}
+
+	return false
+}
+
 func addFlags(fs *flag.FlagSet, bridgeOptions *BridgeOptions, authOptions *authopts.AuthOptions, sessionOptions *session.SessionOptions) {
 	authOptions.AddFlags(fs)
 	sessionOptions.AddFlags(fs)
@@ -254,7 +322,15 @@ func applyConfig(fs *flag.FlagSet, bridgeOptions *BridgeOptions, authOptions *au
 	sessionOptions.ApplyConfig(&cfg.Session)
 }
 
-func createServer(bridgeOptions *BridgeOptions, authOptions *authopts.AuthOptions, sessionOptions *session.SessionOptions) *server.Server {
+func createServer(
+	bridgeOptions *BridgeOptions,
+	authOptions *authopts.AuthOptions,
+	sessionOptions *session.SessionOptions,
+	cachedAuthnOptions *authopts.CompletedOptions,
+	cachedSessionOptions *session.CompletedOptions,
+	cachedAuthenticator auth.Authenticator,
+	cachedCSRFVerifier *csrfverifier.CSRFVerifier,
+) (*server.Server, *authopts.CompletedOptions, *session.CompletedOptions) {
 	baseURL, err := flags.ValidateFlagIsURL("base-address", bridgeOptions.fBaseAddress, true)
 	flags.FatalIfFailed(err)
 
@@ -418,16 +494,34 @@ func createServer(bridgeOptions *BridgeOptions, authOptions *authopts.AuthOption
 		Capabilities:                 capabilities,
 	}
 
-	completedAuthnOptions, err := authOptions.Complete()
-	if err != nil {
-		klog.Fatalf("failed to complete authentication options: %v", err)
-		os.Exit(1)
-	}
+	// Check if we can reuse cached session config
+	var completedAuthnOptions *authopts.CompletedOptions
+	var completedSessionOptions *session.CompletedOptions
+	sessionConfigChanged := sessionConfigHasChanged(authOptions, sessionOptions, cachedAuthnOptions, cachedSessionOptions)
+
+	if !sessionConfigChanged && cachedAuthnOptions != nil && cachedSessionOptions != nil {
+		// Reuse cached session configuration
+		klog.Info("Reusing existing session configuration")
+		completedAuthnOptions = cachedAuthnOptions
+		completedSessionOptions = cachedSessionOptions
+	} else {
+		// Create session configuration
+		if cachedAuthnOptions != nil {
+			klog.Info("Creating new session state")
+		}
 
-	completedSessionOptions, err := sessionOptions.Complete(completedAuthnOptions.AuthType)
-	if err != nil {
-		klog.Fatalf("failed to complete session options: %v", err)
-		os.Exit(1)
+		var err error
+		completedAuthnOptions, err = authOptions.Complete()
+		if err != nil {
+			klog.Fatalf("failed to complete authentication options: %v", err)
+			os.Exit(1)
+		}
+
+		completedSessionOptions, err = sessionOptions.Complete(completedAuthnOptions.AuthType)
+		if err != nil {
+			klog.Fatalf("failed to complete session options: %v", err)
+			os.Exit(1)
+		}
 	}
 
 	// if !in-cluster (dev) we should not pass these values to the frontend
@@ -755,11 +849,18 @@ func createServer(bridgeOptions *BridgeOptions, authOptions *authopts.AuthOption
 	}
 	srv.TokenReviewer = tokenReviewer
 
-	if err := completedAuthnOptions.ApplyTo(srv, k8sEndpoint, caCertFilePath, completedSessionOptions); err != nil {
-		klog.Fatalf("failed to apply configuration to server: %v", err)
+	// Reuse cached authenticator and CSRF verifier if session config hasn't changed
+	if !sessionConfigChanged && cachedAuthenticator != nil && cachedCSRFVerifier != nil {
+		klog.Info("Reusing existing authenticator")
+		srv.Authenticator = cachedAuthenticator
+		srv.CSRFVerifier = cachedCSRFVerifier
+	} else {
+		if err := completedAuthnOptions.ApplyTo(srv, k8sEndpoint, caCertFilePath, completedSessionOptions); err != nil {
+			klog.Fatalf("failed to apply configuration to server: %v", err)
+		}
 	}
 
-	return srv
+	return srv, completedAuthnOptions, completedSessionOptions
 }
 
 func runServer(bridgeOptions *BridgeOptions, srv *server.Server, configFile string) bool {
diff --git a/examples/bridge-config.yaml b/examples/bridge-config.yaml
@@ -0,0 +1,15 @@
+apiVersion: console.openshift.io/v1
+kind: ConsoleConfig
+servingInfo:
+  bindAddress: http://0.0.0.0:9000
+clusterInfo:
+  consoleBaseAddress: http://localhost:9000
+  consoleBasePath: /
+customization:
+  branding: okd
+  documentationBaseURL: https://docs.okd.io/latest/
+auth:
+  authType: openshift
+  clientID: console-oauth-client
+  clientSecretFile: examples/console-client-secret
+  oauthEndpointCAFile: examples/ca.crt
diff --git a/examples/run-bridge.sh b/examples/run-bridge.sh
@@ -3,18 +3,13 @@
 set -exuo pipefail
 
 ./bin/bridge \
-    --base-address=http://localhost:9000 \
+    --config=examples/bridge-config.yaml \
     --ca-file=examples/ca.crt \
     --k8s-mode=off-cluster \
     --k8s-mode-off-cluster-endpoint="$(oc whoami --show-server)" \
     --k8s-mode-off-cluster-skip-verify-tls=true \
-    --listen=http://127.0.0.1:9000 \
-    --public-dir=./frontend/public/dist \
-    --user-auth=openshift \
-    --user-auth-oidc-client-id=console-oauth-client \
-    --user-auth-oidc-client-secret-file=examples/console-client-secret \
-    --user-auth-oidc-ca-file=examples/ca.crt \
     --k8s-mode-off-cluster-service-account-bearer-token-file=examples/token \
     --k8s-mode-off-cluster-alertmanager="$(oc -n openshift-config-managed get configmap monitoring-shared-config -o jsonpath='{.data.alertmanagerPublicURL}')" \
     --k8s-mode-off-cluster-thanos="$(oc -n openshift-config-managed get configmap monitoring-shared-config -o jsonpath='{.data.thanosPublicURL}')" \
+    --public-dir=./frontend/public/dist \
     $@
