feat: Add sameSite configuration to happy_sticky_session cookie (#3819)

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: czi-github-helper[bot] <czi-github-helper[bot]@users.noreply.github.com>

Author: 3 people

terraform/modules/happy-ingress-eks/README.md

@@ -41,7 +41,7 @@ No modules.
 | <a name="input_k8s_namespace"></a> [k8s\_namespace](#input\_k8s\_namespace) | K8S namespace for this service | `string` | n/a | yes |
 | <a name="input_labels"></a> [labels](#input\_labels) | Labels to apply to ingress resource | `map(string)` | n/a | yes |
 | <a name="input_regional_wafv2_arn"></a> [regional\_wafv2\_arn](#input\_regional\_wafv2\_arn) | A WAF to protect the EKS Ingress if needed | `string` | `null` | no |
-| <a name="input_routing"></a> [routing](#input\_routing) | Routing configuration for the ingress | <pre>object({<br>    method           = optional(string, "DOMAIN")<br>    host_match       = string<br>    group_name       = string<br>    priority         = number<br>    path             = optional(string, "/*")<br>    service_name     = string<br>    service_port     = number<br>    service_scheme   = string<br>    service_type     = string<br>    alb_idle_timeout = optional(number, 60) // in seconds<br>    oidc_config = optional(object({<br>      issuer                = string<br>      authorizationEndpoint = string<br>      tokenEndpoint         = string<br>      userInfoEndpoint      = string<br>      secretName            = string<br>      }), {<br>      issuer                = ""<br>      authorizationEndpoint = ""<br>      tokenEndpoint         = ""<br>      userInfoEndpoint      = ""<br>      secretName            = ""<br>    })<br>    bypasses = optional(map(object({<br>      paths   = optional(set(string), [])<br>      methods = optional(set(string), [])<br>      deny_action = optional(object({<br>        deny              = optional(bool, false)<br>        deny_status_code  = optional(string, "403")<br>        deny_message_body = optional(string, "Denied")<br>      }), {})<br>    })))<br>    success_codes = optional(string, "200-499")<br>    sticky_sessions = optional(object({<br>      enabled          = optional(bool, false),<br>      duration_seconds = optional(number, 600),<br>      cookie_name      = optional(string, "happy_sticky_session"),<br>    }), {})<br>  })</pre> | n/a | yes |
+| <a name="input_routing"></a> [routing](#input\_routing) | Routing configuration for the ingress | <pre>object({<br>    method           = optional(string, "DOMAIN")<br>    host_match       = string<br>    group_name       = string<br>    priority         = number<br>    path             = optional(string, "/*")<br>    service_name     = string<br>    service_port     = number<br>    service_scheme   = string<br>    service_type     = string<br>    alb_idle_timeout = optional(number, 60) // in seconds<br>    oidc_config = optional(object({<br>      issuer                = string<br>      authorizationEndpoint = string<br>      tokenEndpoint         = string<br>      userInfoEndpoint      = string<br>      secretName            = string<br>      }), {<br>      issuer                = ""<br>      authorizationEndpoint = ""<br>      tokenEndpoint         = ""<br>      userInfoEndpoint      = ""<br>      secretName            = ""<br>    })<br>    bypasses = optional(map(object({<br>      paths   = optional(set(string), [])<br>      methods = optional(set(string), [])<br>      deny_action = optional(object({<br>        deny              = optional(bool, false)<br>        deny_status_code  = optional(string, "403")<br>        deny_message_body = optional(string, "Denied")<br>      }), {})<br>    })))<br>    success_codes = optional(string, "200-499")<br>    sticky_sessions = optional(object({<br>      enabled          = optional(bool, false),<br>      duration_seconds = optional(number, 600),<br>      cookie_name      = optional(string, "happy_sticky_session"),<br>      cookie_samesite  = optional(string, "Lax"),<br>    }), {})<br>  })</pre> | n/a | yes |
 | <a name="input_tags_string"></a> [tags\_string](#input\_tags\_string) | Tags to apply to ingress resource, comma delimited key=value pairs | `string` | `""` | no |
 | <a name="input_target_service_name"></a> [target\_service\_name](#input\_target\_service\_name) | Name of destination service that the ingress should route to | `string` | n/a | yes |
 | <a name="input_target_service_port"></a> [target\_service\_port](#input\_target\_service\_port) | Port of destination service that the ingress should route to | `number` | n/a | yes |

terraform/modules/happy-ingress-eks/variables.tf

@@ -100,6 +100,7 @@ variable "routing" {
       enabled          = optional(bool, false),
       duration_seconds = optional(number, 600),
       cookie_name      = optional(string, "happy_sticky_session"),
+      cookie_samesite  = optional(string, "Lax"),
     }), {})
   })
   description = "Routing configuration for the ingress"
@@ -145,4 +146,4 @@ variable "additional_annotations" {
   type        = map(string)
   description = "Additional annotations to apply to the ingress resource"
   default     = {}
-}
+}

terraform/modules/happy-nginx-ingress-eks/README.md

@@ -31,12 +31,12 @@ No modules.
 | <a name="input_ingress_name"></a> [ingress\_name](#input\_ingress\_name) | Name of the ingress resource | `string` | n/a | yes |
 | <a name="input_k8s_namespace"></a> [k8s\_namespace](#input\_k8s\_namespace) | K8S namespace for this service | `string` | n/a | yes |
 | <a name="input_labels"></a> [labels](#input\_labels) | Labels to apply to ingress resource | `map(string)` | n/a | yes |
-| <a name="input_sticky_sessions"></a> [sticky\_sessions](#input\_sticky\_sessions) | Sticky session configuration | <pre>object({<br>    enabled          = optional(bool, true),<br>    duration_seconds = optional(number, 600),<br>    cookie_name      = optional(string, "happy_sticky_session"),<br>  })</pre> | `{}` | no |
+| <a name="input_sticky_sessions"></a> [sticky\_sessions](#input\_sticky\_sessions) | Sticky session configuration | <pre>object({<br>    enabled          = optional(bool, true),<br>    duration_seconds = optional(number, 600),<br>    cookie_name      = optional(string, "happy_sticky_session"),<br>    cookie_samesite  = optional(string, "Lax"),<br>  })</pre> | `{}` | no |
 | <a name="input_target_service_name"></a> [target\_service\_name](#input\_target\_service\_name) | Name of destination service that the ingress should route to | `string` | n/a | yes |
 | <a name="input_target_service_port"></a> [target\_service\_port](#input\_target\_service\_port) | Port of destination service that the ingress should route to | `string` | n/a | yes |
 | <a name="input_timeout"></a> [timeout](#input\_timeout) | Timeout for the ingress resource | `number` | `60` | no |
 
 ## Outputs
 
 No outputs.
-<!-- END -->
+<!-- END -->

terraform/modules/happy-nginx-ingress-eks/main.tf

@@ -1,9 +1,10 @@
 
 locals {
   sticky_annotations = {
-    "nginx.ingress.kubernetes.io/affinity"               = "cookie"
-    "nginx.ingress.kubernetes.io/session-cookie-name"    = var.sticky_sessions.cookie_name
-    "nginx.ingress.kubernetes.io/session-cookie-max-age" = var.sticky_sessions.duration_seconds
+    "nginx.ingress.kubernetes.io/affinity"                = "cookie"
+    "nginx.ingress.kubernetes.io/session-cookie-name"     = var.sticky_sessions.cookie_name
+    "nginx.ingress.kubernetes.io/session-cookie-max-age"  = var.sticky_sessions.duration_seconds
+    "nginx.ingress.kubernetes.io/session-cookie-samesite" = var.sticky_sessions.cookie_samesite
   }
 
   base_annotations = {
@@ -50,4 +51,4 @@ resource "kubernetes_ingress_v1" "ingress" {
       }
     }
   }
-}
+}

terraform/modules/happy-nginx-ingress-eks/variables.tf

@@ -47,7 +47,8 @@ variable "sticky_sessions" {
     enabled          = optional(bool, true),
     duration_seconds = optional(number, 600),
     cookie_name      = optional(string, "happy_sticky_session"),
+    cookie_samesite  = optional(string, "Lax"),
   })
   description = "Sticky session configuration"
   default     = {}
-}
+}

terraform/modules/happy-service-eks/README.md

@@ -89,7 +89,7 @@
 | <a name="input_progress_deadline_seconds"></a> [progress\_deadline\_seconds](#input\_progress\_deadline\_seconds) | The maximum time in seconds for a deployment to make progress before it is considered to be failed. Defaults to 600 seconds. | `number` | `600` | no |
 | <a name="input_readiness_timeout_seconds"></a> [readiness\_timeout\_seconds](#input\_readiness\_timeout\_seconds) | Readiness probe timeout seconds | `number` | `30` | no |
 | <a name="input_regional_wafv2_arn"></a> [regional\_wafv2\_arn](#input\_regional\_wafv2\_arn) | A WAF to protect the EKS Ingress if needed | `string` | `null` | no |
-| <a name="input_routing"></a> [routing](#input\_routing) | Routing configuration for the ingress | <pre>object({<br>    method : optional(string, "DOMAIN")<br>    host_match : string<br>    additional_hostnames : optional(set(string), [])<br>    group_name : string<br>    alb : optional(object({<br>      name : string,<br>      listener_port : number,<br>    }), null)<br>    priority : number<br>    path : optional(string, "/*")<br>    service_name : string<br>    port : number<br>    service_port : number<br>    alb_idle_timeout : optional(number, 60) // in seconds<br>    service_scheme : optional(string, "HTTP")<br>    scheme : optional(string, "HTTP")<br>    success_codes : optional(string, "200-499")<br>    service_type : string<br>    service_mesh : bool<br>    allow_k6_operator : optional(bool, false)<br>    allow_mesh_services : optional(list(object({<br>      service : optional(string, null),<br>      stack : optional(string, null),<br>      service_account_name : optional(string, null),<br>    })), null)<br>    oidc_config : optional(object({<br>      issuer : string<br>      authorizationEndpoint : string<br>      tokenEndpoint : string<br>      userInfoEndpoint : string<br>      secretName : string<br>      }), {<br>      issuer                = ""<br>      authorizationEndpoint = ""<br>      tokenEndpoint         = ""<br>      userInfoEndpoint      = ""<br>      secretName            = ""<br>    })<br>    bypasses : optional(map(object({<br>      paths   = optional(set(string), [])<br>      methods = optional(set(string), [])<br>      deny_action = optional(object({<br>        deny              = optional(bool, false)<br>        deny_status_code  = optional(string, "403")<br>        deny_message_body = optional(string, "Denied")<br>      }), {})<br>    })))<br>    sticky_sessions = optional(object({<br>      enabled          = optional(bool, false),<br>      duration_seconds = optional(number, 600),<br>      cookie_name      = optional(string, "happy_sticky_session"),<br>    }), {})<br>  })</pre> | n/a | yes |
+| <a name="input_routing"></a> [routing](#input\_routing) | Routing configuration for the ingress | <pre>object({<br>    method : optional(string, "DOMAIN")<br>    host_match : string<br>    additional_hostnames : optional(set(string), [])<br>    group_name : string<br>    alb : optional(object({<br>      name : string,<br>      listener_port : number,<br>    }), null)<br>    priority : number<br>    path : optional(string, "/*")<br>    service_name : string<br>    port : number<br>    service_port : number<br>    alb_idle_timeout : optional(number, 60) // in seconds<br>    service_scheme : optional(string, "HTTP")<br>    scheme : optional(string, "HTTP")<br>    success_codes : optional(string, "200-499")<br>    service_type : string<br>    service_mesh : bool<br>    allow_k6_operator : optional(bool, false)<br>    allow_mesh_services : optional(list(object({<br>      service : optional(string, null),<br>      stack : optional(string, null),<br>      service_account_name : optional(string, null),<br>    })), null)<br>    oidc_config : optional(object({<br>      issuer : string<br>      authorizationEndpoint : string<br>      tokenEndpoint : string<br>      userInfoEndpoint : string<br>      secretName : string<br>      }), {<br>      issuer                = ""<br>      authorizationEndpoint = ""<br>      tokenEndpoint         = ""<br>      userInfoEndpoint      = ""<br>      secretName            = ""<br>    })<br>    bypasses : optional(map(object({<br>      paths   = optional(set(string), [])<br>      methods = optional(set(string), [])<br>      deny_action = optional(object({<br>        deny              = optional(bool, false)<br>        deny_status_code  = optional(string, "403")<br>        deny_message_body = optional(string, "Denied")<br>      }), {})<br>    })))<br>    sticky_sessions = optional(object({<br>      enabled          = optional(bool, false),<br>      duration_seconds = optional(number, 600),<br>      cookie_name      = optional(string, "happy_sticky_session"),<br>      cookie_samesite  = optional(string, "Lax"),<br>    }), {})<br>  })</pre> | n/a | yes |
 | <a name="input_scaling_cpu_threshold_percentage"></a> [scaling\_cpu\_threshold\_percentage](#input\_scaling\_cpu\_threshold\_percentage) | The CPU threshold percentage at which we should scale up | `number` | `80` | no |
 | <a name="input_scan_on_push"></a> [scan\_on\_push](#input\_scan\_on\_push) | Whether to enable image scan on push, disabled by default. | `bool` | `false` | no |
 | <a name="input_service_endpoints"></a> [service\_endpoints](#input\_service\_endpoints) | Service endpoints to be injected for service discovery | `map(string)` | `{}` | no |

terraform/modules/happy-service-eks/variables.tf

@@ -334,6 +334,7 @@ variable "routing" {
       enabled          = optional(bool, false),
       duration_seconds = optional(number, 600),
       cookie_name      = optional(string, "happy_sticky_session"),
+      cookie_samesite  = optional(string, "Lax"),
     }), {})
   })
   description = "Routing configuration for the ingress"