Appending attributes to multiple set-cookie headers is not possible in Gloo Edge
sadieleob opened this issue
Gloo Edge Product
Enterprise
Gloo Edge Version
v1.16.10
Kubernetes Version
1.27
Describe the bug
Using extractors and appending set-cookie headers does not work in Gloo Edge.
Expected Behavior
We expect to be able to modify the set-cookie in the response headers, by adding SameSite=None for example with the following configuration:
apiVersion: gateway.solo.io/v1
kind: VirtualService
metadata:
  name: httpbin
  namespace: gloo-system
spec:
  virtualHost:
    domains:
    - iamready.servebeer.com
    routes:
    - matchers:
      - prefix: /
      options:
        stagedTransformations:
          regular:
            responseTransforms:
            - responseTransformation:
                logRequestResponseInfo: true
                transformationTemplate:
                  advancedTemplates: true
                  extractors:
                    cookies_id:
                      header: set-cookie
                      regex: ".*staging_dev_id_token.*"
                      subgroup: 1
                    cookies_access:
                      header: set-cookie
                      regex: ".*staging_dev_access_token.*"
                      subgroup: 1
                  headers:
                    set-cookie:
                      text: '{{ extraction ("cookies_id") }}; SameSite=None'
                  headersToAppend:
                  - key: set-cookie
                    value:
                      text: '{{ extraction ("cookies_access") }}; SameSite=None'
        autoHostRewrite: true
      routeAction:
        single:
          upstream:
            name: default-httpbin-8000
            namespace: gloo-system
We expect to see:
< set-cookie: staging_dev_id_token=value1; SameSite=None
< set-cookie: staging_dev_access_token=value2; SameSite=None
The current behavior is that headers extracted or appended in the VirtualService configuration are not actually appended to the set-cookie headers in the response, as shown below:
curl -v 'http://iamready.servebeer.com/response-headers?Set-Cookie=staging_dev_id_token=value1&Set-Cookie=staging_dev_access_token=value2'
* Host iamready.servebeer.com:80 was resolved.
* IPv6: (none)
* IPv4: 35.166.120.164
* Trying 35.166.120.164:80...
* Connected to iamready.servebeer.com (35.166.120.164) port 80
> GET /response-headers?Set-Cookie=staging_dev_id_token=value1&Set-Cookie=staging_dev_access_token=value2 HTTP/1.1
> Host: iamready.servebeer.com
> User-Agent: curl/8.6.0
> Accept: */*
>
< HTTP/1.1 200 OK
< server: envoy
< date: Tue, 18 Jun 2024 21:55:24 GMT
< content-type: application/json
< content-length: 167
< set-cookie: staging_dev_id_token=value1
< set-cookie: staging_dev_access_token=value2
< access-control-allow-origin: *
< access-control-allow-credentials: true
< x-envoy-upstream-service-time: 1
< x-ratelimit-limit: 1000
< x-ratelimit-remaining: 999
< x-ratelimit-reset: 1
<
{
"Content-Length": "167",
"Content-Type": "application/json",
"Set-Cookie": [
"staging_dev_id_token=value1",
"staging_dev_access_token=value2"
]
}
Steps to reproduce the bug
This was tested in httpbin by querying the endpoint /response_headers.
Also tried:
apiVersion: gateway.solo.io/v1
kind: VirtualService
metadata:
  name: httpbin
  namespace: gloo-system
spec:
  virtualHost:
    domains:
    - iamready.servebeer.com
    routes:
    - matchers:
      - prefix: /
      options:
        stagedTransformations:
          regular:
            responseTransforms:
            - responseTransformation:
                logRequestResponseInfo: true
                transformationTemplate:
                  advancedTemplates: true
                  extractors:
                    cookies_access:
                      header: set-cookie
                      regex: .*[;](.*)
                      subgroup: 1
                    cookies_id:
                      header: set-cookie
                      regex: (.*)[;].*
                      subgroup: 1
                  headers:
                    set-cookie:
                      text: '{{ extraction("cookies_id") }}; SameSite=None {{ extraction("cookies_access") }}; SameSite=None'
        autoHostRewrite: true
      routeAction:
        single:
          upstream:
            name: default-httpbin-8000
            namespace: gloo-system
Query:
curl -v 'http://<fqdn>/response-headers?Set-Cookie=staging_dev_id_token=value1&Set-Cookie=staging_dev_access_token=value2'
Additional Environment Detail
No response
Additional Context
No response
Zendesk ticket #3870 has been linked to this issue.
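A way to check a gateway response for the behavior this issue asks for, as an added example that is not part of the original issue or of Gloo Edge: it parses the `< set-cookie:` lines of `curl -v` output and reports, per cookie, whether `SameSite` is present and whether `SameSite=None` is paired with `Secure`, which current browsers require. The function names and the embedded samples (copied from the output and expected lines above) are this example's own.

```python
import re

# Constructed samples: response header lines taken from the issue text above.
ACTUAL = """\
< HTTP/1.1 200 OK
< server: envoy
< set-cookie: staging_dev_id_token=value1
< set-cookie: staging_dev_access_token=value2
"""
EXPECTED = """\
< set-cookie: staging_dev_id_token=value1; SameSite=None
< set-cookie: staging_dev_access_token=value2; SameSite=None
"""

def parse_set_cookies(curl_verbose):
    """Return one dict per Set-Cookie header line (each header carries one cookie)."""
    cookies = []
    for line in curl_verbose.splitlines():
        m = re.match(r"^<\s*set-cookie:\s*(.+)$", line, re.IGNORECASE)
        if not m:
            continue
        parts = [p.strip() for p in m.group(1).split(";") if p.strip()]
        name, _, value = parts[0].partition("=")
        attrs = {}
        for p in parts[1:]:
            k, _, v = p.partition("=")
            attrs[k.strip().lower()] = v.strip()  # attribute names are case-insensitive
        cookies.append({"name": name, "value": value, "attrs": attrs})
    return cookies

def audit(curl_verbose, want_samesite="None"):
    """Map cookie name -> list of findings; an empty list means the cookie passes."""
    report = {}
    for c in parse_set_cookies(curl_verbose):
        findings = []
        got = c["attrs"].get("samesite")
        if got is None:
            findings.append("missing SameSite")
        elif got.lower() != want_samesite.lower():
            findings.append(f"SameSite={got}, wanted {want_samesite}")
        # Current browsers reject SameSite=None cookies that lack Secure.
        if (got or "").lower() == "none" and "secure" not in c["attrs"]:
            findings.append("SameSite=None without Secure")
        report[c["name"]] = findings
    return report

if __name__ == "__main__":
    for label, sample in (("actual", ACTUAL), ("expected", EXPECTED)):
        print(label, audit(sample))
```

Piping real `curl -sv ... 2>&1` output into `audit` gives the same per-cookie report, so a fixed transformation can be confirmed for every `set-cookie` header rather than only the first.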