feat: support setting samesite cookie param (#1097)

Author: olevski

api/v1alpha1/amaltheasession_children.go

@@ -48,6 +48,7 @@ const TunnelPort int32 = 65531
 var sidecarsImage string = getSidecarsImage()
 var rcloneStorageClass string = getStorageClass()
 var rcloneDefaultStorage resource.Quantity = resource.MustParse("1Gi")
+var useNoneSameSiteSessionCookie = getUseNoneSameSiteSessionCookie()
 
 const rcloneStorageSecretNameAnnotation = "csi-rclone.dev/secretName"
 
@@ -606,6 +607,10 @@ func getSidecarsImage() string {
 	return sc
 }
 
+func getUseNoneSameSiteSessionCookie() bool {
+	return strings.ToLower(os.Getenv("USE_NONE_SAME_SITE_SESSION_COOKIE")) == "true"
+}
+
 // InternalSecretName returns the name of the secret that is a child
 // of the AmaltheaSession CR, as opposed to all other adopted secrets that
 // are not children of the AmaltheaSession CR and are created by the creator of each AmaltheaSession CR.

api/v1alpha1/auth_templates.go

@@ -47,6 +47,10 @@ func (as *AmaltheaSession) auth() (manifests, error) {
 				Port: intstr.FromInt32(authenticatedPort),
 			},
 		}
+		sameSiteCookieFlag := "strict"
+		if useNoneSameSiteSessionCookie {
+			sameSiteCookieFlag = "none"
+		}
 		oauth2ProxyContainer := v1.Container{
 			Image: authproxyImage,
 			Name:  "oauth2-proxy",
@@ -59,6 +63,7 @@ func (as *AmaltheaSession) auth() (manifests, error) {
 				fmt.Sprintf("--http-address=:%d", authenticatedPort),
 				"--silence-ping-logging",
 				"--config=/etc/oauth2-proxy/" + auth.SecretRef.Key,
+				fmt.Sprintf("--cookie-samesite=%s", sameSiteCookieFlag),
 			},
 			VolumeMounts: append(
 				[]v1.VolumeMount{
@@ -89,6 +94,9 @@ func (as *AmaltheaSession) auth() (manifests, error) {
 
 		output.Containers = append(output.Containers, oauth2ProxyContainer)
 	case Token:
+		if useNoneSameSiteSessionCookie {
+			return output, fmt.Errorf("cannot set the same site cookie parameter for anonymous sessions")
+		}
 		volName := fmt.Sprintf("%sproxy-configuration-secret", prefix)
 		output.Volumes = append(output.Volumes, v1.Volume{
 			Name: volName,
@@ -143,6 +151,10 @@ func (as *AmaltheaSession) auth() (manifests, error) {
 				Port: intstr.FromInt32(authenticatedPort),
 			},
 		}
+		sameSiteCookieFlag := "strict"
+		if useNoneSameSiteSessionCookie {
+			sameSiteCookieFlag = "none"
+		}
 		oauth2ProxyContainer := v1.Container{
 			Image: authproxyImage,
 			Name:  "oauth2-proxy",
@@ -154,6 +166,7 @@ func (as *AmaltheaSession) auth() (manifests, error) {
 				"--silence-ping-logging",
 				"--alpha-config=/etc/oauth2-proxy/oauth2-proxy-alpha-config.yaml",
 				"--config=/etc/oauth2-proxy/oauth2-proxy-config.yaml",
+				fmt.Sprintf("--cookie-samesite=%s", sameSiteCookieFlag),
 			},
 			EnvFrom: []v1.EnvFromSource{
 				{

helm-chart/amalthea-sessions/templates/deployment.yaml

@@ -42,6 +42,8 @@ spec:
           value: {{ .Values.rcloneStorageClass | quote }}
         - name: SIDECARS_IMAGE
           value: {{ .Values.sidecars.image.repository }}:{{ .Values.sidecars.image.tag }}
+        - name: USE_NONE_SAME_SITE_SESSION_COOKIE
+          value: {{ .Values.useNoneSameSiteSessionCookie | quote }}
         image: {{ .Values.controllerManager.manager.image.repository }}:{{ .Values.controllerManager.manager.image.tag
           | default .Chart.AppVersion }}
         livenessProbe:

helm-chart/amalthea-sessions/values.yaml

@@ -67,3 +67,8 @@ cloner:
   image:
     repository: renku/cloner
     tag: latest
+
+# Setting this flag to true will make the oauth2-proxy session cookie set its
+# SameSite parameter to None. This is only useful in specific cases for remote Renku cluster.
+# Setting this value to true can have security implications without adjusting CSP and CORS on the session ingress.
+useNoneSameSiteSessionCookie: false