Description of problem:
- The HAProxy version shipped in OpenShift Container Platform to expose Route objects does not support adding attributes like "Secure" or "SameSite" to the issued routing cookies (used to re-target pods).
- Modern web browsers (e.g. Google Chrome) are changing the default behavior for how cookies will be sent in first- and third-party contexts. As a result, the sticky sessions configured in HAProxy will no longer work.
- Any cookies used by a site will be considered third-party cookies when the site is displayed within a frame.
- For cookies needed in a third-party context, it will be required to ensure they are marked as SameSite=None; Secure.
- At the moment Google has disabled that, but it will come back in the future and the customers' applications will be "broken".

Version-Release number of selected component (if applicable):
HAProxy 1.8.17

How reproducible:
- HAProxy in an enterprise environment with Sticky Sessions configured
- Open the application on Google Chrome 80, as an example
We've decided to handle https://issues.redhat.com/browse/RFE-600 as a BZ, so let's re-open this BZ for that purpose.
*** Bug 1881997 has been marked as a duplicate of this bug. ***
This feature has been tested in the "4.6.0-0.nightly-2020-10-01-012547" release. With this payload, it is noted that the "samesite" cookie attribute now gets set properly with the "router.openshift.io/cookie-same-site" route annotation. This takes one of three options: "Lax", "Strict" or "None". The default option is set to "None".

---
$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.6.0-0.nightly-2020-10-01-012547   True        False         26h     Cluster version is 4.6.0-0.nightly-2020-10-01-012547

Default with no annotation:

$ curl https://service-unsecure-supe1.internalapps.aiyengar-1883701-patched.qe.devcluster.openshift.com/ -kv
< set-cookie: 727bc55dc4ad1ba5c2388fc972e95d69=5ee0880e7a7264a982c5241b43f6dc3d; path=/; HttpOnly; Secure; SameSite=None
< cache-control: private

With "Lax" and "Strict" annotation options:

$ oc annotate route service-unsecure router.openshift.io/cookie-same-site=Lax
route.route.openshift.io/edge-route annotated

$ curl https://service-unsecure-supe1.internalapps.aiyengar-1883701-patched.qe.devcluster.openshift.com/ -kv
< set-cookie: 727bc55dc4ad1ba5c2388fc972e95d69=f6d688a279fb0a797422dfa1d2f93856; path=/; HttpOnly; Secure; SameSite=Lax
< cache-control: private

$ oc annotate route edge-route router.openshift.io/cookie-same-site=Strict --overwrite
route.route.openshift.io/edge-route annotated

$ curl https://service-unsecure-supe1.internalapps.aiyengar-1883701-patched.qe.devcluster.openshift.com/ -kv
< set-cookie: 727bc55dc4ad1ba5c2388fc972e95d69=f6d688a279fb0a797422dfa1d2f93856; path=/; HttpOnly; Secure; SameSite=Strict
< cache-control: private
---
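The verification above reads the Set-Cookie header by eye. The following is an added example, not part of this bug report or of the OpenShift router, that parses such header lines and flags the attribute combinations that break sticky sessions in modern browsers (no SameSite at all, or SameSite=None without Secure). The sample headers are constructed; the first three mirror the shapes shown in the curl output above.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample Set-Cookie lines as curl -v prints them. The first
# three match the routing-cookie shapes from the verification comment;
# the last two are constructed failure cases.
SAMPLE_HEADERS = [
    "set-cookie: 727bc55dc4ad1ba5c2388fc972e95d69=5ee0880e7a7264a982c5241b43f6dc3d; path=/; HttpOnly; Secure; SameSite=None",
    "set-cookie: 727bc55dc4ad1ba5c2388fc972e95d69=f6d688a279fb0a797422dfa1d2f93856; path=/; HttpOnly; Secure; SameSite=Lax",
    "set-cookie: 727bc55dc4ad1ba5c2388fc972e95d69=f6d688a279fb0a797422dfa1d2f93856; path=/; HttpOnly; Secure; SameSite=Strict",
    "set-cookie: abc=123; path=/; HttpOnly; SameSite=None",  # constructed: None without Secure
    "set-cookie: abc=123; path=/; HttpOnly",                 # constructed: old router, no SameSite
]

VALID_SAMESITE = {"lax", "strict", "none"}  # the three annotation values


@dataclass
class CookieCheck:
    name: str
    samesite: Optional[str]
    secure: bool
    httponly: bool
    problems: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieCheck:
    """Split one Set-Cookie line into the cookie name and its attributes."""
    value = re.sub(r"^set-cookie:\s*", "", header.strip(), flags=re.IGNORECASE)
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")  # flag attributes have no value
        attrs[key.strip().lower()] = val.strip()
    return CookieCheck(name=name, samesite=attrs.get("samesite"),
                       secure="secure" in attrs, httponly="httponly" in attrs)


def check_cookie(header: str) -> CookieCheck:
    """Flag attribute combinations that browsers reject or silently restrict."""
    c = parse_set_cookie(header)
    if c.samesite is None:
        c.problems.append("no SameSite attribute; browsers defaulting to Lax will not send it when the site is framed")
    elif c.samesite.lower() not in VALID_SAMESITE:
        c.problems.append(f"unknown SameSite value {c.samesite!r}")
    elif c.samesite.lower() == "none" and not c.secure:
        c.problems.append("SameSite=None requires Secure; browsers reject the cookie")
    if not c.httponly:
        c.problems.append("HttpOnly missing; routing cookie readable from script")
    return c
```

Run `check_cookie` over the `set-cookie` lines from `curl -v` against a route after changing the annotation to confirm the router emits the expected attributes.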
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:4196