Add support for the SameSite sticky cookie attribute (#4001)

* Add support for the SameSite cookie attribute

Author: jjngx

deployments/common/crds/k8s.nginx.org_virtualserverroutes.yaml

@@ -588,6 +588,8 @@ spec:
                             type: string
                           path:
                             type: string
+                          samesite:
+                            type: string
                           secure:
                             type: boolean
                       slow-start:

deployments/common/crds/k8s.nginx.org_virtualservers.yaml

@@ -675,6 +675,8 @@ spec:
                             type: string
                           path:
                             type: string
+                          samesite:
+                            type: string
                           secure:
                             type: boolean
                       slow-start:

deployments/helm-chart/crds/k8s.nginx.org_virtualserverroutes.yaml

@@ -588,6 +588,8 @@ spec:
                             type: string
                           path:
                             type: string
+                          samesite:
+                            type: string
                           secure:
                             type: boolean
                       slow-start:

deployments/helm-chart/crds/k8s.nginx.org_virtualservers.yaml

@@ -675,6 +675,8 @@ spec:
                             type: string
                           path:
                             type: string
+                          samesite:
+                            type: string
                           secure:
                             type: boolean
                       slow-start:

docs/content/configuration/virtualserver-and-virtualserverroute-resources.md

@@ -460,6 +460,7 @@ sessionCookie:
   domain: .example.com
   httpOnly: false
   secure: true
+  samesite: strict
 ```
 See the [`sticky`](https://nginx.org/en/docs/http/ngx_http_upstream_module.html?#sticky) directive for additional information. The session cookie corresponds to the `sticky cookie` method.
 
@@ -475,6 +476,7 @@ Note: This feature is supported only in NGINX Plus.
 |``domain`` | The domain for which the cookie is set. | ``string`` | No |
 |``httpOnly`` | Adds the ``HttpOnly`` attribute to the cookie. | ``boolean`` | No |
 |``secure`` | Adds the ``Secure`` attribute to the cookie. | ``boolean`` | No |
+|``samesite`` | Adds the ``SameSite`` attribute to the cookie. The allowed values are: ``strict``, ``lax``, ``none`` | ``string`` | No |
 {{% /table %}}
 
 ### Header

internal/configs/version2/http.go

@@ -283,6 +283,7 @@ type SessionCookie struct {
 	Domain   string
 	HTTPOnly bool
 	Secure   bool
+	SameSite string
 }
 
 // Distribution maps weight to a value in a SplitClient.

internal/configs/version2/nginx-plus.virtualserver.tmpl

@@ -18,7 +18,7 @@ upstream {{ $u.Name }} {
 
     {{ with $u.SessionCookie }}
         {{ if .Enable }}
-    sticky cookie {{ .Name }}{{ if .Expires }} expires={{ .Expires }}{{ end }}{{ if .Domain }} domain={{ .Domain }}{{ end }}{{ if .HTTPOnly }} httponly{{ end }}{{ if .Secure }} secure{{ end }}{{ if .Path }} path={{ .Path }}{{ end }};
+    sticky cookie {{ .Name }}{{ if .Expires }} expires={{ .Expires }}{{ end }}{{ if .Domain }} domain={{ .Domain }}{{ end }}{{ if .HTTPOnly }} httponly{{ end }}{{ if .SameSite}} samesite={{.SameSite | toLower }}{{ end }}{{ if .Secure }} secure{{ end }}{{ if .Path }} path={{ .Path }}{{ end }};
         {{ end }}
     {{ end }}
 

internal/configs/version2/template_helper.go

@@ -20,7 +20,17 @@ func hasCIKey(key string, d map[string]string) bool {
 	return ok
 }
 
+// toLower takes a string and make it lowercase.
+//
+// Example:
+//
+//	{{ if .SameSite}} samesite={{.SameSite | toLower }}{{ end }}
+func toLower(s string) string {
+	return strings.ToLower(s)
+}
+
 var helperFunctions = template.FuncMap{
 	"headerListToCIMap": headerListToCIMap,
 	"hasCIKey":          hasCIKey,
+	"toLower":           toLower,
 }