"logout_url" does not seem to be respected from omniauth provider

Summary

With omniauth enabled, and with a given logout_url, the proper redirection does not take place on sign-out

Steps to reproduce

Configure Gitlab to use a CAS omniauth provider that specifies a logout_url. Sign out. Notice you are not redirected to the URL you specified.

Configuration used

Here is our values config:

omniauth:
  enabled: true
  autoSignInWithProvider: cas3
  syncProfileFromProvider: ['cas3']
  syncProfileAttributes: ['cas3']
  allowSingleSignOn: ['cas3']
  blockAutoCreatedUsers: false
  autoLinkLdapUser: false
  autoLinkSamlUser: false
  externalProviders: []
  providers:
  - secret: gitlab-cas-secret
    name: provider

And here is the CAS json (that is set in the gitlab-cas-secret):

{
  "name": "cas3",
  "label": "My CAS",
  "args": {
      "url": "https://cas.provider.net",
      "login_url": "/cas/login",
      "service_validate_url": "/cas/serviceValidate",
      "logout_url": "/cas/logout",
      "nickname_key": "username"
  }
}

I also tried creating the secret with yaml to see if that made a difference (it didn't):

---
name: cas3
label: My CAS
args:
  url: https://cas.provider.net
  login_url: "/cas/login"
  service_validate_url: "/cas/serviceValidate"
  logout_url: "/cas/logout"
  nickname_key: username

Current behavior

All of the sign-in feature of the provider work perfectly (auto sign-in, the login redirect, etc, are all fine) - but if a user tries to sign out they are automatically signed back in - because the logout url is not redirected to /cas/logout as expected, instead it is just going to /users/sign_in.

Expected behavior

The URL redirection would work as expected. FWIW this same configuration works fine in our omnibus deployment.

Versions

  • Chart: latest
  • Platform:
    • Self-hosted: IBM Cloud
  • Kubernetes: (kubectl version)
    • Client: 1.10
    • Server: 1.11
  • Helm: (helm version)
    • Client: 2.8.2
    • Server: 2.8.2

Relevant logs

Here is a kubetail capture of the unicorn log when a user tries to sign out:

[gitlab-unicorn-5d7f59d7c5-wqmgr unicorn] ==> /var/log/gitlab/production.log <== 
[gitlab-unicorn-5d7f59d7c5-wqmgr unicorn] Started GET "/users/sign_out" for xxx.xxx.xxx.xxx at 2018-10-03 16:53:01 +0000 
[gitlab-unicorn-5d7f59d7c5-wqmgr unicorn] Processing by SessionsController#destroy as HTML 
[gitlab-unicorn-5d7f59d7c5-wqmgr unicorn] Redirected to https://gitlab-test.net/users/sign_in 
[gitlab-unicorn-5d7f59d7c5-wqmgr unicorn] Completed 302 Found in 95ms (ActiveRecord: 21.0ms)