feature(translator): expose OIDC oauth cookie samesite configuration

api/v1alpha1/oidc_types.go

@@ -37,6 +37,11 @@ type OIDC struct {
 	// +optional
 	CookieNames *OIDCCookieNames `json:"cookieNames,omitempty"`
 
+	// CookieConfigs allows overriding the SameSite attribute for OIDC cookies.
+	// If a specific cookie is not configured, it will use the "Strict" SameSite policy by default.
+	// +optional
+	CookieConfig *OIDCCookieConfig `json:"cookieConfig,omitempty"`
+
 	// The optional domain to set the access and ID token cookies on.
 	// If not set, the cookies will default to the host of the request, not including the subdomains.
 	// If set, the cookies will be set on the specified domain and all subdomains.
@@ -187,3 +192,24 @@ type OIDCCookieNames struct {
 	// +optional
 	IDToken *string `json:"idToken,omitempty"`
 }
+
+type SameSite string
+
+const (
+	// SameSiteLax specifies the "Lax" SameSite policy.
+	SameSiteLax SameSite = "Lax"
+	// SameSiteStrict specifies the "Strict" SameSite policy.
+	SameSiteStrict SameSite = "Strict"
+	// SameSiteNone specifies the "None" SameSite policy. Requires a Secure cookie.
+	SameSiteNone SameSite = "None"
+
+	// SameSiteDisabled specifies the "Disabled" SameSite policy.
+	SameSiteDisabled SameSite = "Disabled"
+)
+
+type OIDCCookieConfig struct {
+	// +optional
+	// +kubebuilder:validation:Enum=Lax;Strict;None;Disabled
+	// +kubebuilder:default=Strict
+	SameSite *string `json:"sameSite,omitempty"`
+}

charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_securitypolicies.yaml

@@ -3612,6 +3612,20 @@ spec:
                     required:
                     - name
                     type: object
+                  cookieConfig:
+                    description: |-
+                      CookieConfigs allows overriding the SameSite attribute for OIDC cookies.
+                      If a specific cookie is not configured, it will use the "Strict" SameSite policy by default.
+                    properties:
+                      sameSite:
+                        default: Strict
+                        enum:
+                        - Lax
+                        - Strict
+                        - None
+                        - Disabled
+                        type: string
+                    type: object
                   cookieDomain:
                     description: |-
                       The optional domain to set the access and ID token cookies on.

charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml

@@ -3611,6 +3611,20 @@ spec:
                     required:
                     - name
                     type: object
+                  cookieConfig:
+                    description: |-
+                      CookieConfigs allows overriding the SameSite attribute for OIDC cookies.
+                      If a specific cookie is not configured, it will use the "Strict" SameSite policy by default.
+                    properties:
+                      sameSite:
+                        default: Strict
+                        enum:
+                        - Lax
+                        - Strict
+                        - None
+                        - Disabled
+                        type: string
+                    type: object
                   cookieDomain:
                     description: |-
                       The optional domain to set the access and ID token cookies on.

internal/gatewayapi/securitypolicy.go

@@ -1049,6 +1049,7 @@ func (t *Translator) buildOIDC(
 		CookieSuffix:           suffix,
 		CookieNameOverrides:    policy.Spec.OIDC.CookieNames,
 		CookieDomain:           policy.Spec.OIDC.CookieDomain,
+		CookieConfig:           policy.Spec.OIDC.CookieConfig,
 		HMACSecret:             hmacData,
 		PassThroughAuthHeader:  passThroughAuthHeader,
 		DenyRedirect:           oidc.DenyRedirect,

internal/gatewayapi/testdata/securitypolicy-with-oidc-custom-cookies-samesite.in.yaml

@@ -0,0 +1,75 @@
+secrets:
+- apiVersion: v1
+  kind: Secret
+  metadata:
+    namespace: envoy-gateway
+    name: client1-secret
+  data:
+    client-secret: Y2xpZW50MTpzZWNyZXQK
+- apiVersion: v1
+  kind: Secret
+  metadata:
+    namespace: envoy-gateway-system
+    name: envoy-oidc-hmac
+  data:
+    hmac-secret: qrOYACHXoe7UEDI/raOjNSx+Z9ufXSc/22C3T6X/zPY=
+gateways:
+- apiVersion: gateway.networking.k8s.io/v1
+  kind: Gateway
+  metadata:
+    namespace: envoy-gateway
+    name: gateway-1
+  spec:
+    gatewayClassName: envoy-gateway-class
+    listeners:
+    - name: http
+      protocol: HTTP
+      port: 80
+      allowedRoutes:
+        namespaces:
+          from: All
+httpRoutes:
+- apiVersion: gateway.networking.k8s.io/v1
+  kind: HTTPRoute
+  metadata:
+    namespace: default
+    name: httproute-1
+  spec:
+    hostnames:
+    - www.example.com
+    parentRefs:
+    - namespace: envoy-gateway
+      name: gateway-1
+      sectionName: http
+    rules:
+    - matches:
+      - path:
+          value: "/foo"
+      backendRefs:
+      - name: service-1
+        port: 8080
+securityPolicies:
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+  kind: SecurityPolicy
+  metadata:
+    namespace: envoy-gateway
+    name: policy-for-gateway  # This policy should attach httproute-2
+    uid: b8284d0f-de82-4c65-b204-96a0d3f258a1
+  spec:
+    targetRef:
+      group: gateway.networking.k8s.io
+      kind: Gateway
+      name: gateway-1
+    oidc:
+      provider:
+        issuer: "https://accounts.google.com"
+      clientID: "client1.apps.googleusercontent.com"
+      clientSecret:
+        name: "client1-secret"
+      redirectURL: "https://www.example.com/bar/oauth2/callback"
+      logoutPath: "/bar/logout"
+      cookieNames:
+        idToken: "CustomIdTokenCookie"
+        accessToken: "CustomAccessTokenCookie"
+      cookieConfig:
+        sameSite: None