[batch/auth] Making session timeout duration configurable

[grohli]

Change Description

Adding SESSION_MAX_AGE_SECS environment variable, allowing this session timeout window to be configurable in different deployments. This is set to 30 minutes by default.

Testing results:

• Am able to retrieve user info from the /api/v1alpha/userinfo api call, am no longer able to after timeout;
• Session timeout defaults properly in absence of a proper k8s secret/environment variable; and
• Jobs are not cancelled as a result of session timeout.

Security Assessment

• This change has a low security impact

Impact Description

Enables configuration of this timeout duration, however we already have had a notion of timing out sessions. Additionally, this will shorten our default timeout window from 30 days to 30 minutes.

(Reviewers: please confirm the security impact before approving)

[ehigham]

Not sure i particularly like the idea of an environment variable for this. Why did you opt for this solution over editing the existing configuration file?

[grohli]

Not sure i particularly like the idea of an environment variable for this. Why did you opt for this solution over editing the existing configuration file?

There's currently no existing config file for auth, but long-ish term we probably should have one. In any case, we grab the environment variable here in the same manner we do in other auth scripts (e.g. here).

[ehigham]

makes sense. thanks for the explanation

[ehigham]

[cjllanwarne]

Have you tried setting this in a developer environment to see it working?

[grohli]

Yup, there's now a proper Kubernetes secret for this (see the auth-config portion of the current deployment.yaml). Also noted in the updated description

[cjllanwarne]

Mostly good, just want to see it working in a developer environment before giving the 👍