Add sessionSecretNext Support for Rolling Upgrades #2329
Labels
area/security: Security related
component/dashboard: Gardener Dashboard
kind/enhancement: Enhancement, improvement, extension
priority/4: Priority (lower number equals higher priority)
What would you like to be added:
Introduce a new configuration parameter sessionSecretNext which will be used exclusively for verification of cookies. This parameter will extend the current secret array (i.e., [sessionSecret, sessionSecretPrevious]) to [sessionSecret, sessionSecretPrevious, sessionSecretNext], ensuring that tokens signed with the new secret are accepted during rolling upgrades.
Why is this needed:
During a rolling upgrade, some instances may have already switched to the new sessionSecret for signing while others have not. The sessionSecretNext ensures that tokens signed with the new secret remain valid on instances that have not yet updated their configuration.
This enhancement reduces the risk of token validation failures and user authentication issues during secret rotation.
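The rollout window described in this issue, as an added example that is not part of the original issue or the Gardener Dashboard code base. It assumes a plain HMAC-SHA256 signed token rather than the dashboard's actual cookie format; `createInstance`, `simulateRollout` and the secrets are hypothetical names and constructed values.

```javascript
const crypto = require('node:crypto');

const mac = (secret, body) =>
  crypto.createHmac('sha256', secret).update(body).digest('base64url');

// Hypothetical instance model: signs with sessionSecret only and verifies
// against [sessionSecret, sessionSecretPrevious, sessionSecretNext].
function createInstance({ sessionSecret, sessionSecretPrevious, sessionSecretNext }) {
  const verifySecrets = [sessionSecret, sessionSecretPrevious, sessionSecretNext]
    .filter(Boolean);
  return {
    sign(payload) {
      const body = Buffer.from(JSON.stringify(payload)).toString('base64url');
      return `${body}.${mac(sessionSecret, body)}`;
    },
    verify(token) {
      const parts = String(token).split('.');
      if (parts.length !== 2) return null;
      const [body, sig] = parts;
      const given = Buffer.from(sig);
      const ok = verifySecrets.some((secret) => {
        const expected = Buffer.from(mac(secret, body));
        // timingSafeEqual throws on a length mismatch, so compare lengths first.
        return expected.length === given.length &&
          crypto.timingSafeEqual(expected, given);
      });
      return ok ? JSON.parse(Buffer.from(body, 'base64url').toString()) : null;
    },
  };
}

// Constructed secrets for the demo; real ones must be long random values.
const OLD = 'constructed-old-secret';
const NEW = 'constructed-new-secret';

// Mid-rollout: one instance already signs with NEW, the other still signs with OLD.
function simulateRollout(withNext) {
  const notYetUpgraded = createInstance({
    sessionSecret: OLD,
    sessionSecretNext: withNext ? NEW : undefined,
  });
  const upgraded = createInstance({ sessionSecret: NEW, sessionSecretPrevious: OLD });
  return {
    newTokenOnOldInstance: notYetUpgraded.verify(upgraded.sign({ sub: 'alice' })) !== null,
    oldTokenOnNewInstance: upgraded.verify(notYetUpgraded.sign({ sub: 'alice' })) !== null,
  };
}
```

With `withNext` set to `false`, only `newTokenOnOldInstance` fails, which is the gap `sessionSecretPrevious` alone cannot close.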