dex expiry settings

config.yaml

@@ -43,3 +43,13 @@ options:
       DEPRECATED - Please leave empty or use issuer-url instead. This configuration option will be removed soon.
       It has been preserved to avoid breaking compatibility with existing deployments.
       Publicly-accessible endpoint for cluster
+  enable-expiry:
+    type: boolean
+    default: false
+    description: Modify expiry settings for dex
+  expiry-settings:
+    type: string
+    default: ''
+    description: |
+      Expiry settings in YAML format, as shown
+      in https://dexidp.io/docs/configuration/tokens/#expiration-and-rotation-settings

src/charm.py

@@ -226,6 +226,8 @@ def _generate_dex_auth_config(self) -> str:
             "staticPasswords": [],
         }
 
+        enable_expiry = self.model.config["enable-expiry"]
+
         # The dex-auth service cannot be started correctly when the static
         # login is disabled, but no connector configuration is provided.
         if not enable_password_db and not connectors:
@@ -250,6 +252,12 @@ def _generate_dex_auth_config(self) -> str:
                 ],
             }
 
+        # Add expiry settings for dex-auth
+        # This operation might modify the security level
+        if enable_expiry:
+            expiry_config = yaml.safe_load(self.model.config["expiry-settings"])
+            static_config["expiry"] = expiry_config
+
         config = yaml.dump(
             {
                 "issuer": self._issuer_url,