Description of problem: kibana-proxy does not be honor the sessionConfig in master-config.yml. Although the oauth is configured with a sessionMaxAgeSeconds greater than 3600 seconds, the kibana console always times out after 3600 seconds. It doesn't seem to be related to the kibana-proxy oauthclient, as it retrieves the correct token and with the correct expiration time. ### oauthclient kibana-proxy apiVersion: oauth.openshift.io/v1 kind: OAuthClient metadata: creationTimestamp: 2018-04-03T08:31:00Z labels: logging-infra: support name: kibana-proxy resourceVersion: "1847494" selfLink: /apis/oauth.openshift.io/v1/oauthclients/kibana-proxy uid: 56922827-3719-11e8-ab2b-fa163ee6399e redirectURIs: - https://kibana.apps.mordor.quicklab.pnq2.cee.redhat.com scopeRestrictions: - literals: - user:info - user:check-access - user:list-projects secret: qpDNJp11cCYVFLqLUJB1J6AUiHIB3j36exFGVgMNMIqhL4TXrHHZ8SB9YOi8cJ7r ### oauthaccesstoken apiVersion: oauth.openshift.io/v1 authorizeToken: OdxB7gbRxlNcT05oWdtqTQjV3AerKW8126Hb8fluMO0 clientName: kibana-proxy expiresIn: 86400 kind: OAuthAccessToken metadata: creationTimestamp: 2018-04-17T14:21:38Z name: LEthOz7n63g2JSgv_y80Rbn8z5BRQ6yUo4MkQsV1LG4 resourceVersion: "6040021" selfLink: /apis/oauth.openshift.io/v1/oauthaccesstokens/LEthOz7n63g2JSgv_y80Rbn8z5BRQ6yUo4MkQsV1LG4 uid: a4417f79-424a-11e8-b394-fa163ee6399e redirectURI: https://kibana.apps.mordor.quicklab.pnq2.cee.redhat.com/auth/openshift/callback scopes: - user:info - user:check-access - user:list-projects userName: cluster-admin userUID: 8e426d52-3275-11e8-8103-fa163ee6399e Version-Release number of selected component (if applicable): openshift v3.9.14 EFK components: 3.9.14 How reproducible: 1. deploy EFK 3.9.14 2. configure master-config.yml and edit sessionMaxAgeSeconds with a value greater than 3600 3. restart api and controllers 4. kibana session ends after 3600 seconds. Actual results: kibana session times out Expected results: kibana session available for ${sessionMaxAgeSeconds} seconds.
This is not a bug. The proxy [1] which fronts Kibana has an expiration setting that is unrelated to the value defined in the master-config. It can be explicitly set by modifying the logging-kibana environment variable to set it the desired value in millis. [1] https://github.com/fabric8io/openshift-auth-proxy [2] https://github.com/fabric8io/openshift-auth-proxy/blob/master/lib/config.js#L53