ronnibaslund/dezky
1
0
Fork 0
Code Issues 37 Pull Requests Actions Packages Projects 1 Releases Wiki Activity

feat(auth): Redis-backed OIDC sessions for portal + operator
ci / typecheck (map[dir:apps/operator name:operator]) (push) Successful in 19s
Details
ci / typecheck (map[dir:apps/booking name:booking]) (push) Successful in 22s
Details
ci / typecheck (map[dir:apps/website name:website]) (push) Successful in 23s
Details
ci / typecheck (map[dir:apps/portal name:portal]) (push) Successful in 28s
Details
ci / typecheck (map[dir:services/platform-api name:platform-api]) (push) Successful in 23s
Details
ci / test (push) Successful in 31s
Details
ci / build (map[dir:apps/booking name:booking]) (push) Successful in 9s
Details
ci / build (map[dir:apps/operator name:operator]) (push) Successful in 43s
Details
ci / build (map[dir:services/platform-api name:platform-api]) (push) Successful in 5s
Details
ci / build (map[dir:apps/portal name:portal]) (push) Successful in 51s
Details
ci / deploy (push) Failing after 3m42s
Details

Browse Source 
nuxt-oidc-auth persists sessions via useStorage('oidc'), whose default
mount is per-pod memory — broken at >1 replica (random 401s) and every
deploy logged all users out. A nitro plugin now mounts 'oidc' on the
dezky-data Redis (db 1, app-prefixed keys, 14d TTL) when SESSION_REDIS_URL
is set; dev keeps the memory driver with no Redis required. Replicas back
to 2 for both apps.
This commit is contained in:
Ronni Baslund
2026-06-10 18:48:16 +02:00
parent fd0c5d011b
commit 91134c94f5
9 changed files with 135 additions and 96 deletions
Download Patch File Download Diff File Expand all files Collapse all files
infrastructure/production/fleet/apps/operator.yaml
+3 -5
View File
@@ -13,11 +13,9 @@ metadata:
app.kubernetes.io/name: operator
app.kubernetes.io/part-of: dezky
spec:
# Single replica until OIDC sessions move to shared storage: nuxt-oidc-auth
# keeps sessions in per-pod memory, so with >1 replica every request that
# lands on the pod that did NOT handle the login gets 401. TODO: nitro
# session storage on the dezky-data Redis, then scale back up.
replicas: 1
# Sessions live on the dezky-data Redis (server/plugins/session-storage.ts,
# SESSION_REDIS_URL from the app secret) — safe to run multiple replicas.
replicas: 2
selector:
matchLabels:
app.kubernetes.io/name: operator
infrastructure/production/fleet/apps/portal.yaml
+3 -5
View File
@@ -10,11 +10,9 @@ metadata:
app.kubernetes.io/name: portal
app.kubernetes.io/part-of: dezky
spec:
# Single replica until OIDC sessions move to shared storage: nuxt-oidc-auth
# keeps sessions in per-pod memory, so with >1 replica every request that
# lands on the pod that did NOT handle the login gets 401. TODO: nitro
# session storage on the dezky-data Redis, then scale back up.
replicas: 1
# Sessions live on the dezky-data Redis (server/plugins/session-storage.ts,
# SESSION_REDIS_URL from the app secret) — safe to run multiple replicas.
replicas: 2
selector:
matchLabels:
app.kubernetes.io/name: portal
infrastructure/production/fleet/apps/secrets.example.yaml
+7
View File
@@ -71,6 +71,11 @@ stringData:
# die on every pod restart (random keys are generated per boot).
NUXT_OIDC_TOKEN_KEY: "data:;base64,REPLACE_WITH_openssl_rand_base64_32"
NUXT_OIDC_AUTH_SESSION_SECRET: "REPLACE_WITH_openssl_rand_hex_24"
# Shared session storage (server/plugins/session-storage.ts) — required for
# >1 replica and for sessions to survive deploys. Password = dezky-data
# redis-secret.REDIS_PASSWORD; db 1 keeps app sessions out of Authentik's
# keyspace.
SESSION_REDIS_URL: "redis://:REDIS_PASSWORD@redis.dezky-data.svc.cluster.local:6379/1"
---
apiVersion: v1
kind: Secret
@@ -112,3 +117,5 @@ stringData:
NUXT_OIDC_PROVIDERS_OIDC_OPEN_ID_CONFIGURATION: "https://auth.dezky.eu/application/o/dezky-operator/.well-known/openid-configuration"
NUXT_OIDC_TOKEN_KEY: "data:;base64,REPLACE_WITH_openssl_rand_base64_32"
NUXT_OIDC_AUTH_SESSION_SECRET: "REPLACE_WITH_openssl_rand_hex_24"
# Shared session storage — see the portal section above.
SESSION_REDIS_URL: "redis://:REDIS_PASSWORD@redis.dezky-data.svc.cluster.local:6379/1"