Bug 1867186 - "Secure" or "SameSite" attributes cookies for the HAProxy router in OpenShift
Summary: "Secure" or "SameSite" attributes cookies for the HAProxy router in OpenShift
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Routing
Version: 3.11.0
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Target Release: 4.6.0
Assignee: Miheer Salunke
QA Contact: Arvind iyengar
URL:
Whiteboard:
Duplicates: 1881997
Depends On:
Blocks:
Reported: 2020-08-07 15:50 UTC by Gabriel Stein
Modified: 2020-10-27 16:26 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-10-27 16:26:34 UTC
Target Upstream Version:




Links
- Github haproxy/haproxy issue 361#issuecomment-579071829 (closed): Support SameSite parameter for the persistence cookie (last updated 2021-02-15 04:15:11 UTC)
- Github openshift/router pull 189 (closed): Bug 1867186: Add SameSite route annotation (last updated 2021-02-15 04:15:11 UTC)
- Red Hat Knowledge Base (Solution) 4839561 (last updated 2020-08-07 15:52:06 UTC)
- Red Hat Product Errata RHBA-2020:4196 (last updated 2020-10-27 16:26:53 UTC)

Description Gabriel Stein 2020-08-07 15:50:37 UTC
Description of problem:

- The HAProxy version shipped in OpenShift Container Platform to expose Route objects does not support adding attributes like "Secure" or "SameSite" to the issued routing cookies (used to re-target pods).

- Modern web browsers (e.g. Google Chrome) are changing the default behavior for how cookies will be sent in first- and third-party contexts. As a result, the sticky sessions configured in HAProxy will no longer work.

- Any cookies used by a site will be considered third-party cookies when the site is displayed within a frame.

- For cookies needed in a third-party context, it will be required to ensure they are marked as SameSite=None; Secure.

- At the moment Google disabled that, but it will come back in the future and the customers' applications will be "broken".


Version-Release number of selected component (if applicable):

HAProxy 1.8.17

How reproducible:

- HAProxy in an enterprise environment with Sticky Sessions configured
- Open application on Google Chrome 80 as an example

Comment 5 Miciah Dashiel Butler Masters 2020-09-22 21:13:09 UTC
We've decided to handle https://issues.redhat.com/browse/RFE-600 as a BZ, so let's re-open this BZ for that purpose.

Comment 6 Andrew McDermott 2020-09-28 17:44:49 UTC
*** Bug 1881997 has been marked as a duplicate of this bug. ***

Comment 8 Arvind iyengar 2020-10-06 06:38:22 UTC
This feature has been tested in the "4.6.0-0.nightly-2020-10-01-012547" release. With this payload, it is noted that the "SameSite" cookie attribute now gets set properly with the "router.openshift.io/cookie-same-site" route annotation. This takes one of three options: "Lax", "Strict" or "None". The default option is set to "None".
---
$ oc get clusterversion                                                                                     
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.6.0-0.nightly-2020-10-01-012547   True        False         26h     Cluster version is 4.6.0-0.nightly-2020-10-01-012547

Default with no annotation:
$ curl https://service-unsecure-supe1.internalapps.aiyengar-1883701-patched.qe.devcluster.openshift.com/ -kv
< set-cookie: 727bc55dc4ad1ba5c2388fc972e95d69=5ee0880e7a7264a982c5241b43f6dc3d; path=/; HttpOnly; Secure; SameSite=None
< cache-control: private

With "Lax" and "Strict" annotation options:
$ oc annotate route service-unsecure  router.openshift.io/cookie-same-site=Lax 
route.route.openshift.io/edge-route annotated
$ curl https://service-unsecure-supe1.internalapps.aiyengar-1883701-patched.qe.devcluster.openshift.com/ -kv
< set-cookie: 727bc55dc4ad1ba5c2388fc972e95d69=f6d688a279fb0a797422dfa1d2f93856; path=/; HttpOnly; Secure; SameSite=Lax
< cache-control: private

$ oc annotate route edge-route  router.openshift.io/cookie-same-site=Strict --overwrite
route.route.openshift.io/edge-route annotated
$ curl https://service-unsecure-supe1.internalapps.aiyengar-1883701-patched.qe.devcluster.openshift.com/ -kv
< set-cookie: 727bc55dc4ad1ba5c2388fc972e95d69=f6d688a279fb0a797422dfa1d2f93856; path=/; HttpOnly; Secure; SameSite=Strict
< cache-control: private
---
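As an added example (not code from the bug report, the HAProxy project or the OpenShift router), the following script checks what the verification in Comment 8 checks by eye: it parses a Set-Cookie line as emitted by the router, applies the Chrome 80+ rules the description refers to (no SameSite is treated as Lax; SameSite=None is honoured only together with Secure; Lax and Strict are never sent from a third-party frame), and builds the `oc annotate` command for the three values the annotation accepts. The sample headers are constructed, modelled on the curl output above; the requirement that the annotation value use exact case is an assumption, since the page does not say whether lower-case values are accepted.

```python
"""Audit router sticky-session cookies for Secure/SameSite (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ROUTE_ANNOTATION = "router.openshift.io/cookie-same-site"
VALID_SAMESITE = ("Lax", "Strict", "None")   # the three values Comment 8 lists


@dataclass
class CookieVerdict:
    name: str
    samesite: Optional[str]      # normalised to "Lax", "Strict", "None", or None if absent
    secure: bool
    httponly: bool
    cross_site_ok: bool          # would a Chrome 80+ browser send it from inside a third-party frame?
    problems: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, Optional[str]]]:
    """Split one Set-Cookie line into (cookie name, {attribute: value}).
    Accepts the bare header value or a curl -v line such as '< set-cookie: ...'."""
    value = re.sub(r"^\s*(<\s*)?(set-cookie\s*:\s*)?", "", header, flags=re.I)
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or None   # Secure/HttpOnly are value-less flags
    return name, attrs


def audit_cookie(header: str) -> CookieVerdict:
    """Apply the Chrome 80+ SameSite defaults described in the bug report."""
    name, attrs = parse_set_cookie(header)
    secure = "secure" in attrs
    httponly = "httponly" in attrs
    raw = attrs.get("samesite")
    samesite = raw.capitalize() if raw else None
    problems: List[str] = []
    if not secure:
        problems.append("missing Secure")
    if not httponly:
        problems.append("missing HttpOnly")
    if samesite is None:
        problems.append("no SameSite attribute: Chrome 80+ treats it as Lax")
        cross_site_ok = False
    elif samesite == "None":
        cross_site_ok = secure      # None is only honoured together with Secure
        if not secure:
            problems.append("SameSite=None without Secure: Chrome 80+ rejects the cookie")
    elif samesite in ("Lax", "Strict"):
        cross_site_ok = False       # first-party only; breaks sticky sessions if the app is framed
    else:
        problems.append(f"unrecognised SameSite value {raw!r}")
        cross_site_ok = False
    return CookieVerdict(name, samesite, secure, httponly, cross_site_ok, problems)


def oc_annotate_argv(route: str, samesite: str, namespace: Optional[str] = None) -> List[str]:
    """argv for the annotation used in Comment 8. Exact case is enforced here as an
    assumption; the page does not say whether the router accepts lower-case values."""
    if samesite not in VALID_SAMESITE:
        raise ValueError(f"{samesite!r} is not one of {VALID_SAMESITE}")
    argv = ["oc", "annotate", "route", route, f"{ROUTE_ANNOTATION}={samesite}", "--overwrite"]
    if namespace:
        argv += ["-n", namespace]
    return argv


# Constructed samples shaped like the router cookie shown in Comment 8.
SAMPLES = {
    "default_4.6": "< set-cookie: 727bc55dc4ad1ba5c2388fc972e95d69=5ee0880e7a7264a982c5241b43f6dc3d; path=/; HttpOnly; Secure; SameSite=None",
    "annotated_lax": "727bc55dc4ad1ba5c2388fc972e95d69=f6d688a279fb0a797422dfa1d2f93856; path=/; HttpOnly; Secure; SameSite=Lax",
    "no_samesite": "727bc55dc4ad1ba5c2388fc972e95d69=f6d688a279fb0a797422dfa1d2f93856; path=/; HttpOnly",
    "none_no_secure": "727bc55dc4ad1ba5c2388fc972e95d69=f6d688a279fb0a797422dfa1d2f93856; path=/; HttpOnly; SameSite=None",
}


def audit_samples() -> Dict[str, CookieVerdict]:
    return {label: audit_cookie(h) for label, h in SAMPLES.items()}


if __name__ == "__main__":
    for label, v in audit_samples().items():
        state = "sent cross-site" if v.cross_site_ok else "NOT sent cross-site"
        print(f"{label:15} SameSite={v.samesite!s:6} Secure={v.secure!s:5} -> {state}; "
              + (", ".join(v.problems) or "ok"))
    print(" ".join(oc_annotate_argv("edge-route", "Strict")))
```

To check a live route instead of the constructed samples, feed `audit_cookie` the `set-cookie` line from `curl -skv https://<route-host>/ 2>&1 | grep -i set-cookie`; a cookie that comes back without `Secure` or with `SameSite=Lax` while the application is embedded in a third-party frame is exactly the case the reporter warns will break sticky sessions.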

Comment 11 errata-xmlrpc 2020-10-27 16:26:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196

