Yiannis Triantafyllopoulos
That's correct, we don't make any requests from the UI using the auth header; just the cookie is used for now.
If/when we start using the auth header we will need to add it of course but for now it's not used.
The validation secret cookie can be set to a smaller value i.e. ~5m as it only needs to be valid while the OIDC flow takes place. @bigkevmcd do you think...
I would argue that when the user (or the user's browser) does not supply the IDToken cookie, the request lacks valid authentication credentials and therefore it should return a `StatusUnauthorized`....
Just realised that we need to backport these to 0.9.1 onwards. Once we're happy with the content, I'll update previous versions.
cc @TheGostKasper @jpellizzari has there been any discussion among UI engineers about this? What do we need to do to move this forward?
@aristapimenta thanks for using Weave GitOps and for sharing your use case. My understanding is that you want to provide a view-only dashboard for all company users, without letting anyone...
> Sorry, when I say disabling the button on the UI I also meant disabling the feature on the server side so the server won't process the requests issued from...
Hey @aristapimenta, while this is a reasonable request, we would prefer to rely on Kubernetes RBAC to solve this and avoid writing and maintaining code that supports a read-only setup....
You would need to install [Gatekeeper](https://open-policy-agent.github.io/gatekeeper/website/docs/) in your cluster and then add a [ConstraintTemplate/Constraint](https://open-policy-agent.github.io/gatekeeper/website/docs/howto) CRD (presumably via GitOps) which inspects the Flux resource being updated (by the `admin` user) and...