Bug 1867186

Summary: "Secure" or "SameSite" attributes cookies for the HAProxy router in OpenShift
Product: OpenShift Container Platform Reporter: Gabriel Stein <gferrazs>
Component: Networking    Assignee: Miheer Salunke <misalunk>
Networking sub component: router QA Contact: Arvind iyengar <aiyengar>
Status: CLOSED ERRATA Docs Contact:
Severity: high    
Priority: high CC: aiyengar, aos-bugs, bperkins, dhansen, fmarting, misalunk, mmasters, rlichti
Version: 3.11.0    Keywords: Reopened
Target Milestone: ---   
Target Release: 4.6.0   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-10-27 16:26:34 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Gabriel Stein 2020-08-07 15:50:37 UTC
Description of problem:

- The HAProxy version shipped in OpenShift Container Platform to expose Route objects does not support adding attributes like "Secure" or "SameSite" to the issued routing cookies (used to re-target pods).

- Modern web browsers (e.g. Google Chrome) are changing the default behavior for how cookies will be sent in first- and third-party contexts. As a result, the sticky sessions configured in HAProxy will no longer work.

- Any cookies used by a site will be considered as third-party cookies when the site is displayed within the frame.

- For cookies needed in a third-party context, it will be required to ensure they are marked as SameSite=None; Secure.

- At the moment Google has disabled that, but it will come back in the future and the customers' applications will be "broken".


Version-Release number of selected component (if applicable):

HAProxy 1.8.17

How reproducible:

- HAProxy in an enterprise environment with sticky sessions configured
- Open application on Google Chrome 80 as an example

Comment 5 Miciah Dashiel Butler Masters 2020-09-22 21:13:09 UTC
We've decided to handle https://issues.redhat.com/browse/RFE-600 as a BZ, so let's re-open this BZ for that purpose.

Comment 6 Andrew McDermott 2020-09-28 17:44:49 UTC
*** Bug 1881997 has been marked as a duplicate of this bug. ***

Comment 8 Arvind iyengar 2020-10-06 06:38:22 UTC
This feature has been tested in the "4.6.0-0.nightly-2020-10-01-012547" release. With this payload, it is noted that the "samesite" cookie attributes now get set properly with the "router.openshift.io/cookie-same-site" route annotation. This takes one of three options: "Lax", "Strict" or "None". The default option is set to "None".
---
$ oc get clusterversion                                                                                     
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.6.0-0.nightly-2020-10-01-012547   True        False         26h     Cluster version is 4.6.0-0.nightly-2020-10-01-012547

Default with no annotation:
$ curl https://service-unsecure-supe1.internalapps.aiyengar-1883701-patched.qe.devcluster.openshift.com/ -kv
< set-cookie: 727bc55dc4ad1ba5c2388fc972e95d69=5ee0880e7a7264a982c5241b43f6dc3d; path=/; HttpOnly; Secure; SameSite=None
< cache-control: private

With "Lax" and "Strict" annotation options:
$ oc annotate route service-unsecure  router.openshift.io/cookie-same-site=Lax 
route.route.openshift.io/edge-route annotated
$ curl https://service-unsecure-supe1.internalapps.aiyengar-1883701-patched.qe.devcluster.openshift.com/ -kv
< set-cookie: 727bc55dc4ad1ba5c2388fc972e95d69=f6d688a279fb0a797422dfa1d2f93856; path=/; HttpOnly; Secure; SameSite=Lax
< cache-control: private

$ oc annotate route edge-route  router.openshift.io/cookie-same-site=Strict --overwrite
route.route.openshift.io/edge-route annotated
$ curl https://service-unsecure-supe1.internalapps.aiyengar-1883701-patched.qe.devcluster.openshift.com/ -kv
< set-cookie: 727bc55dc4ad1ba5c2388fc972e95d69=f6d688a279fb0a797422dfa1d2f93856; path=/; HttpOnly; Secure; SameSite=Strict
< cache-control: private
---
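The description states the browser-side rule the report is about (a cookie needed in a third-party, framed context must carry `SameSite=None; Secure`, and a missing `SameSite` now defaults to `Lax`), and comment 8 verifies the fix by reading `Set-Cookie` headers out of `curl -v` output. The following is an added example, not code from the bug report or from the OpenShift router: a small checker that parses `Set-Cookie` lines such as those pasted above and reports whether each sticky-session cookie would still be accepted, and still be sent in a framed context, by a browser applying the modern defaults. The two `set-cookie` lines are copied from comment 8; the `legacy_*` lines are constructed to show what the pre-fix HAProxy 1.8.17 router behaviour and a misconfigured `SameSite=None` without `Secure` look like. The function and field names are this example's own.

```python
"""Check HAProxy router sticky-session cookies for SameSite/Secure attributes.

Added example; not part of the bug report or of OpenShift. It parses Set-Cookie
header lines (optionally with curl's "< " prefix) and applies the browser rules
named in the report: no SameSite -> treated as Lax; SameSite=None requires
Secure, otherwise the cookie is rejected.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# The three values the route annotation accepts, per comment 8.
VALID_SAME_SITE = {"Lax", "Strict", "None"}


@dataclass
class CookieCheck:
    name: str
    same_site: Optional[str]        # attribute exactly as sent, None if absent
    effective_same_site: str        # what a modern browser will treat it as
    secure: bool
    http_only: bool
    problems: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def parse_set_cookie(header: str) -> CookieCheck:
    """Parse one Set-Cookie line, e.g. '< set-cookie: a=b; path=/; Secure; SameSite=None'."""
    value = header.strip()
    if value.startswith("<"):                      # strip curl's response marker
        value = value[1:].strip()
    if value.lower().startswith("set-cookie:"):
        value = value.split(":", 1)[1].strip()
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()   # attribute names are case-insensitive

    same_site = attrs.get("samesite")
    secure = "secure" in attrs
    http_only = "httponly" in attrs
    problems: List[str] = []

    if same_site is None:
        effective = "Lax"
        problems.append("no SameSite attribute; modern browsers default to Lax")
    else:
        normalised = same_site.capitalize()        # "none" -> "None", "LAX" -> "Lax"
        if normalised in VALID_SAME_SITE:
            effective = normalised
        else:
            effective = "Lax"
            problems.append(f"unrecognised SameSite value {same_site!r}; treated as Lax")

    if effective == "None" and not secure:
        problems.append("SameSite=None without Secure; browsers reject this cookie")
    elif not secure:
        problems.append("missing Secure attribute")

    return CookieCheck(name, same_site, effective, secure, http_only, problems)


def sent_in_third_party_context(check: CookieCheck) -> bool:
    """True only for an accepted SameSite=None; Secure cookie, the combination the report requires for framed sites."""
    return check.ok and check.effective_same_site == "None" and check.secure


def validate_annotation(value: str) -> bool:
    """Mirror the router's accepted values for router.openshift.io/cookie-same-site."""
    return value in VALID_SAME_SITE


def check_curl_output(lines: List[str]) -> List[CookieCheck]:
    """Pick the Set-Cookie lines out of a curl -v transcript and check each one."""
    return [parse_set_cookie(l) for l in lines if l.lstrip("< ").lower().startswith("set-cookie:")]


if __name__ == "__main__":
    # Copied from comment 8 (fixed router), then two constructed cases.
    samples = [
        "< set-cookie: 727bc55dc4ad1ba5c2388fc972e95d69=5ee0880e7a7264a982c5241b43f6dc3d; path=/; HttpOnly; Secure; SameSite=None",
        "< set-cookie: 727bc55dc4ad1ba5c2388fc972e95d69=f6d688a279fb0a797422dfa1d2f93856; path=/; HttpOnly; Secure; SameSite=Lax",
        "< set-cookie: legacy_sticky=abc123; path=/; HttpOnly",           # constructed: pre-fix style
        "< set-cookie: legacy_none=abc123; path=/; SameSite=None",        # constructed: misconfigured
    ]
    for c in check_curl_output(samples):
        status = "OK " if c.ok else "BAD"
        print(f"{status} {c.name}: effective SameSite={c.effective_same_site}, "
              f"third-party usable={sent_in_third_party_context(c)}; {'; '.join(c.problems) or 'no issues'}")
```

Feed it the `< set-cookie:` lines from `curl -kv` against a route, as in the verification transcript, and it tells you whether the cookie the router issued will survive a framed (third-party) load; the `validate_annotation` check is the same three-value whitelist the comment describes for the annotation.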

Comment 11 errata-xmlrpc 2020-10-27 16:26:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196