Skip to content

Commit c459279

Browse files
dforsberclaude
andcommitted
release: v0.10.2 — WebAuthn additional rp_origins
Fix passkey registration in K8s cluster-mode deployments where the broker→leader redirect lands the browser on a per-pod subdomain that the single configured webauthn_rp_origin did not cover. Chart: 0.3.4 -> 0.3.5 — ConfigMap overlay auto-renders every per-pod subdomain (both :443 and :8443) into webauthn_additional_rp_origins. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1 parent 71a64f4 commit c459279

3 files changed

Lines changed: 33 additions & 2 deletions

File tree

CHANGELOG.md

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -5,6 +5,17 @@ All notable changes to BoilStream will be documented in this file.
55
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
66
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
77

8+
## [0.10.2] - 2026-04-19
9+
10+
### Fixes
11+
12+
- **WebAuthn passkey enrollment in K8s cluster mode**: Broker→leader redirects land the browser on a per-pod subdomain (`boilstream-N.<domain>`) different from the configured `webauthn_rp_origin`, and webauthn-rs's strict origin check rejected the ceremony with `HTTP 400 – Registration failed - The clients relying party origin does not match our servers information`.
13+
14+
### Features
15+
16+
- **`webauthn_additional_rp_origins` server config**: Optional list of extra origins accepted during WebAuthn registration/authentication. `rp_id` stays as the base domain so credentials roam across all pods; `rp_origin` is the canonical primary URL; the new list covers the redirect-target subdomains.
17+
- **Helm chart**: ConfigMap overlay auto-renders both `:443` and `:8443` variants of every per-pod subdomain (`boilstream-0.<domain>`, …) into `webauthn_additional_rp_origins`. Chart version **0.3.5**.
18+
819
## [0.10.1] - 2026-04-19
920

1021
### Fixes

charts/boilstream/Chart.yaml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -6,8 +6,8 @@ description: |
66
support. Each pod participates in S3-based leader election and serves
77
per-user catalogs; failed pods are recovered from S3 backups.
88
type: application
9-
version: 0.3.4
10-
appVersion: "0.10.1"
9+
version: 0.3.5
10+
appVersion: "0.10.2"
1111
kubeVersion: ">=1.27.0"
1212
keywords:
1313
- streaming

charts/boilstream/templates/configmap.yaml

Lines changed: 20 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -128,6 +128,26 @@ data:
128128
'webauthn_rp_origin: "https://localhost"',
129129
'webauthn_rp_origin: "https://{{ .Values.domain }}"')
130130
131+
# Broker→leader redirects land the browser on a per-pod subdomain
132+
# (boilstream-N.{{ .Values.domain }}). WebAuthn ceremonies started on
133+
# that subdomain need each per-pod origin in the allowed list, since
134+
# webauthn-rs does an exact origin match. rp_id remains the base domain
135+
# so credentials work across all pods. Include both :443 (browser) and
136+
# :8443 (direct CLI / 307-from-:443 landing) variants.
137+
extra_origins = [
138+
{{- range $i, $_ := until (int .Values.replicas) }}
139+
'https://boilstream-{{ $i }}.{{ $.Values.domain }}',
140+
'https://boilstream-{{ $i }}.{{ $.Values.domain }}:8443',
141+
{{- end }}
142+
]
143+
# Append a webauthn_additional_rp_origins list right after rp_origin.
144+
rp_origin_line = 'webauthn_rp_origin: "https://{{ .Values.domain }}"'
145+
yaml_list = ''.join(f'\n - "{o}"' for o in extra_origins)
146+
c = c.replace(
147+
rp_origin_line,
148+
rp_origin_line + '\n webauthn_additional_rp_origins:' + yaml_list,
149+
)
150+
131151
c = c.replace(
132152
'# tls_cert: disabled for local k8s test',
133153
'tls_cert: "/tls/tls.crt"')

0 commit comments

Comments
 (0)