Bug 1867186
Summary: | "Secure" or "SameSite" attributes cookies for the HAProxy router in OpenShift | ||
---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | Gabriel Stein <gferrazs> |
Component: | Networking | Assignee: | Miheer Salunke <misalunk> |
Networking sub component: | router | QA Contact: | Arvind iyengar <aiyengar> |
Status: | CLOSED ERRATA | Docs Contact: | |
Severity: | high | ||
Priority: | high | CC: | aiyengar, aos-bugs, bperkins, dhansen, fmarting, misalunk, mmasters, rlichti |
Version: | 3.11.0 | Keywords: | Reopened |
Target Milestone: | --- | ||
Target Release: | 4.6.0 | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2020-10-27 16:26:34 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Gabriel Stein
2020-08-07 15:50:37 UTC
We've decided to handle https://issues.redhat.com/browse/RFE-600 as a BZ, so let's re-open this BZ for that purpose.

*** Bug 1881997 has been marked as a duplicate of this bug. ***

This feature has been tested in the "4.6.0-0.nightly-2020-10-01-012547" release. With this payload, it is noted that the "samesite" cookie attribute now gets set properly with the "router.openshift.io/cookie-same-site" route annotation. This takes one of three options: "Lax", "Strict" or "None". The default option is set to "None".

---

$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.6.0-0.nightly-2020-10-01-012547   True        False         26h     Cluster version is 4.6.0-0.nightly-2020-10-01-012547

Default with no annotation:

$ curl https://service-unsecure-supe1.internalapps.aiyengar-1883701-patched.qe.devcluster.openshift.com/ -kv
< set-cookie: 727bc55dc4ad1ba5c2388fc972e95d69=5ee0880e7a7264a982c5241b43f6dc3d; path=/; HttpOnly; Secure; SameSite=None
< cache-control: private

With "Lax" and "Strict" annotation options:

$ oc annotate route service-unsecure router.openshift.io/cookie-same-site=Lax
route.route.openshift.io/edge-route annotated

$ curl https://service-unsecure-supe1.internalapps.aiyengar-1883701-patched.qe.devcluster.openshift.com/ -kv
< set-cookie: 727bc55dc4ad1ba5c2388fc972e95d69=f6d688a279fb0a797422dfa1d2f93856; path=/; HttpOnly; Secure; SameSite=Lax
< cache-control: private

$ oc annotate route edge-route router.openshift.io/cookie-same-site=Strict --overwrite
route.route.openshift.io/edge-route annotated

$ curl https://service-unsecure-supe1.internalapps.aiyengar-1883701-patched.qe.devcluster.openshift.com/ -kv
< set-cookie: 727bc55dc4ad1ba5c2388fc972e95d69=f6d688a279fb0a797422dfa1d2f93856; path=/; HttpOnly; Secure; SameSite=Strict
< cache-control: private

---

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196
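The manual curl checks in the verification comment above can be scripted. The following is an added example, not part of the bug report or of OpenShift: `audit_cookies`, `sample_lax` and `sample_bad` are hypothetical names, the first sample is copied from the report's curl output, and the second is constructed.

```shell
#!/bin/sh
# Added example, not from the bug report. audit_cookies is a hypothetical helper.
# Usage: curl -skv URL 2>&1 | audit_cookies Lax
# Exit status: 0 all cookies pass, 1 at least one fails, 2 no Set-Cookie seen.
audit_cookies() {
    awk -v want="$1" '
    tolower($0) ~ /^(< )?set-cookie:/ {
        line = $0
        sub(/\r$/, "", line)                 # curl -v keeps the CR of CRLF
        sub(/^[^:]*:[ \t]*/, "", line)       # drop the "< set-cookie: " prefix
        n = split(line, part, /;[ \t]*/)
        name = part[1]; sub(/=.*/, "", name)
        secure = 0; httponly = 0; samesite = ""
        for (i = 2; i <= n; i++) {
            p = part[i]; sub(/[ \t]+$/, "", p)
            a = tolower(p)                   # attribute names are case-insensitive
            if (a == "secure") secure = 1
            else if (a == "httponly") httponly = 1
            else if (a ~ /^samesite=/) samesite = substr(p, 10)
        }
        why = ""
        if (!secure) why = why " missing-Secure"
        if (!httponly) why = why " missing-HttpOnly"
        if (samesite == "") why = why " missing-SameSite"
        else if (tolower(samesite) != tolower(want))
            why = why " SameSite=" samesite "-expected-" want
        seen++
        if (why == "") print name " OK"
        else { print name " FAIL:" why; bad++ }
    }
    END { if (!seen) exit 2; exit (bad ? 1 : 0) }'
}

# Header lines copied from the curl output in the report (Lax annotation).
sample_lax() {
    cat <<'EOF'
< set-cookie: 727bc55dc4ad1ba5c2388fc972e95d69=f6d688a279fb0a797422dfa1d2f93856; path=/; HttpOnly; Secure; SameSite=Lax
< cache-control: private
EOF
}

# Constructed failing case: no Secure flag and no SameSite attribute.
sample_bad() {
    printf '%s\n' '< set-cookie: demo=1; path=/; HttpOnly'
}

sample_lax | audit_cookies Lax
sample_bad | audit_cookies Lax || echo "audit failed with status $?"
```

Pass the value set in the `router.openshift.io/cookie-same-site` annotation as the argument, or `None` for a route with no annotation.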