DOC-1927 Document configuration param maximumSessionAge in console

[micheleRP]

Description

This pull request adds documentation and configuration support for limiting Redpanda Console session duration using the new maximumSessionAge parameter. This allows enterprise users to control how long browser sessions remain valid before requiring users to re-authenticate.

• Added a new section to the authentication documentation explaining how to set the maximumSessionAge parameter to limit session duration for Redpanda Console, including examples for standalone, Kubernetes Operator, Helm, and Kubernetes standalone deployments.
• Updated the sample configuration file (redpanda-console-config.yaml) to document the new maximumSessionAge option, including usage notes and example values.

Resolves https://redpandadata.atlassian.net/browse/DOC-1927
Review deadline:

Page previews

Configure session duration
config.yaml example

Checks

• New feature
• Content gap
• Support Follow-up
• Small fix (typos, links, copyedits, etc)

[netlify]

✅ Deploy Preview for redpanda-docs-preview ready!

Name	Link
🔨 Latest commit	a523e01
🔍 Latest deploy log	https://app.netlify.com/projects/redpanda-docs-preview/deploys/6977c3e48d31b00008a80eda
😎 Deploy Preview	https://deploy-preview-1561--redpanda-docs-preview.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[coderabbitai]

📝 Walkthrough

Walkthrough

This pull request adds documentation for a new maximumSessionAge configuration parameter in Redpanda Console's authentication settings. The changes include adding a "Configure session duration" section to the authentication configuration documentation with YAML configuration examples for Standalone, Kubernetes Operator/Helm, and Kubernetes standalone deployments. The documentation clarifies that the default session validity is one year and explains accepted duration formats. A commented-out example is also added to the sample configuration file.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Suggested reviewers

• weeco
• mattschumpert

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately and concisely summarizes the primary change: documenting the maximumSessionAge configuration parameter in Redpanda Console.
Linked Issues check	✅ Passed	The pull request successfully addresses the linked issue DOC-1927 by documenting the maximumSessionAge configuration parameter across all required deployment formats with examples.
Out of Scope Changes check	✅ Passed	All changes are scope-appropriate: documentation additions for the maximumSessionAge parameter in two files directly aligned with the issue objective.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description check	✅ Passed	The PR description fully addresses the template requirements, including a detailed summary of changes, a valid Jira ticket reference, relevant page previews, and an appropriate feature classification.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[graham-rp]

Looks great, thanks for turning this around so quickly!

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@modules/console/pages/config/security/authentication.adoc`:
- Around line 500-590: Remove the entire "Configure session duration" section
(the header "Configure session duration", all explanatory text, the three YAML
example blocks that reference maximumSessionAge, and the footnote) because the
Console does not support a maximumSessionAge setting; delete every occurrence of
the configuration key maximumSessionAge and the invalid example value "90d" (or
alternatively replace the whole section with a short "Coming soon" note if you
prefer to keep a placeholder).

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

Go time.ParseDuration supported units and duration format

💡 Result:

time.ParseDuration format (Go stdlib)

A duration string is a possibly signed (- or +) sequence of decimal numbers, each with an optional fraction and a unit suffix, e.g. 300ms, -1.5h, 2h45m (note: no spaces). Valid unit chunks are simply concatenated (2h45m10s). [1][2]

Supported units

ns, us (or µs), ms, s, m, h (nanoseconds → hours). [1][2]

Notes / gotchas

• Units are case-sensitive (m = minutes, not months). [1][2]
• time.Duration is stored as an int64 nanosecond count, so the largest representable duration is ~290 years. [3]

Sources: [1] [2] [3]

---

🏁 Script executed:

# Search for Redpanda Console repository and authentication configuration
find . -type f -name "*.go" | grep -i auth | head -20

Repository: redpanda-data/docs

Length of output: 283

---

🏁 Script executed:

# Search for maximumSessionAge or session-related duration configuration
rg -i "maximumsessionage|session.*age|duration" --type go -l | head -20

Repository: redpanda-data/docs

Length of output: 283

---

🌐 Web query:

Redpanda Console maximumSessionAge configuration authentication documentation

💡 Result:

Redpanda Console does not document (and, in current v3.x docs, does not expose) an maximumSessionAge setting for authentication sessions.

In Redpanda Console v3.x, authentication is configured under the authentication: block (for example authentication.jwtSigningKey, optional authentication.useSecureCookies, and the basic/oidc sub-blocks). Sessions are implemented as JWT-based sessions signed with authentication.jwtSigningKey. [1][2][3]

So if you’re looking to “cap” session duration, the docs indicate the practical control points are the JWT/token lifetimes coming from your IdP (OIDC) and/or whatever defaults Console applies internally; there’s no maximumSessionAge knob described in the official configuration reference for v3.x. [1][2]

---

🌐 Web query:

Redpanda Console custom duration parser session timeout

💡 Result:

Redpanda Console doesn’t use a “custom” duration syntax for timeouts—its config expects Go-style duration strings (the same format as time.ParseDuration), e.g. 100ms, 5s, 10m, 1h, or combined like 1m30s. Formats like 1d, 30sec, or bare numbers (for example 30) typically won’t parse. (If you need “days”, use 24h, 48h, etc.) [1]

If what you’re calling “session timeout” is actually Console timing out while talking to Kafka Connect / Connectors, configure the Console Connect timeouts with Go durations (and avoid 0, which can effectively mean “immediate timeout” depending on version/chart bug): [2]

connect:
  connectTimeout: 15s
  readTimeout: 60s
  requestTimeout: 6s

Sources:
[1] Redpanda docs (duration format examples like 100ms, 1s, 5s) https://docs.redpanda.com/redpanda-connect/components/inputs/redpanda/
[2] Redpanda support article (Console Connect timeouts + 0 causing immediate timeout) https://support.redpanda.com/hc/en-us/articles/26716676212887-Console-does-not-display-Connectors-due-to-timeouts-Self-Managed-Kafka-Connect

---

Remove the entire "Configure session duration" section—this feature does not exist in Redpanda Console.

The maximumSessionAge configuration parameter is not documented or exposed in Redpanda Console v3.x. Session duration in Console is controlled by JWT/token lifetimes from your identity provider (IdP) via OIDC, not by a Console-level configuration knob.

Additionally, the example duration format 90d is invalid. Redpanda Console uses Go-style duration strings (time.ParseDuration), which support only ns, us, µs, ms, s, m, and h units—not d. Days should be expressed as 24h, 48h, etc.

Delete this section entirely, or if session duration control is planned for a future release, clearly mark it as "Coming soon" and remove all example configurations.

🤖 Prompt for AI Agents

In `@modules/console/pages/config/security/authentication.adoc` around lines 500 -
590, Remove the entire "Configure session duration" section (the header
"Configure session duration", all explanatory text, the three YAML example
blocks that reference maximumSessionAge, and the footnote) because the Console
does not support a maximumSessionAge setting; delete every occurrence of the
configuration key maximumSessionAge and the invalid example value "90d" (or
alternatively replace the whole section with a short "Coming soon" note if you
prefer to keep a placeholder).

[Feediver1]

@micheleRP Did CodeRabbitt get it wrong?

[coderabbitai]

Seems like the humans are having a chat. I'll hop back into my burrow for now. If you need me again, just tag @coderabbitai in a new comment, and I'll come hopping out!

[micheleRP]

@Feediver1 right, this doesn't make sense from coderabbit: this is the whole point of the update and I've confirmed that maximumSessionAge is already live

[Feediver1]

Not sure I understand why the enterprise license note appears here. The license would be for Console, not session duration, right? This is confusing to me, and might also be for our users. Help me understand why it is in this section. thx

[micheleRP]

You're right, it's confusing. @graham-rp I added this because the description said it's for enterprise accounts. But they just need a Console license, right? Also do we need to describe how this new config behaves with JWT token expiration?

[graham-rp]

The OSS version skips over all of the auth stuff, so this really only applies to console with an enterprise license. As for OIDC, customers can (and could previously) set expirations on their tokens on their end to do something similar.

[Feediver1]

Not sure I am tracking here @graham-rp. The only Enterprise licensed features Console manages are:

• Authentication of RP Console
• Authorization (RBAC) for Redpanda
• Debug bundle generation
• Reassign partitions

There is already a licensing reminder/note at the top of the Authentication section here, so why would we repeat it for this specific task? In and of itself, session duration only requires a license because it is part of Authentication. We typically do not add the licensing requirement for each task appearing within a licensed feature. Hence, my suggestion to remove it here.