fix: allow overriding https for session ingress (#1106)

olevski · web-flow · commit d7ed35d17cf8 · 2026-04-14T11:05:00.000+02:00
diff --git a/api/v1alpha1/amaltheasession_children.go b/api/v1alpha1/amaltheasession_children.go
@@ -611,6 +611,10 @@ func getUseNoneSameSiteSessionCookie() bool {
 	return strings.ToLower(os.Getenv("USE_NONE_SAME_SITE_SESSION_COOKIE")) == "true"
 }
 
+func getHttpsSessionIngress() bool {
+	return strings.ToLower(os.Getenv("HTTPS_SESSION_INGRESS")) == "true"
+}
+
 // InternalSecretName returns the name of the secret that is a child
 // of the AmaltheaSession CR, as opposed to all other adopted secrets that
 // are not children of the AmaltheaSession CR and are created by the creator of each AmaltheaSession CR.
diff --git a/api/v1alpha1/amaltheasession_types.go b/api/v1alpha1/amaltheasession_types.go
@@ -231,7 +231,7 @@ type Ingress struct {
 
 func (ingress *Ingress) UrlScheme() string {
 	urlScheme := "http"
-	if (ingress.TLSSecret != nil && ingress.TLSSecret.Name != "") || ingress.UseDefaultClusterTLSCert || ingress.AssumeHttps {
+	if (ingress.TLSSecret != nil && ingress.TLSSecret.Name != "") || ingress.UseDefaultClusterTLSCert || ingress.AssumeHttps || getHttpsSessionIngress() {
 		urlScheme = "https"
 	}
 	return urlScheme
diff --git a/helm-chart/amalthea-sessions/templates/deployment.yaml b/helm-chart/amalthea-sessions/templates/deployment.yaml
@@ -44,6 +44,8 @@ spec:
           value: {{ .Values.sidecars.image.repository }}:{{ .Values.sidecars.image.tag }}
         - name: USE_NONE_SAME_SITE_SESSION_COOKIE
           value: {{ .Values.useNoneSameSiteSessionCookie | quote }}
+        - name: HTTPS_SESSION_INGRESS
+          value: {{ .Values.httpsSessionIngress | quote }}
         image: {{ .Values.controllerManager.manager.image.repository }}:{{ .Values.controllerManager.manager.image.tag
           | default .Chart.AppVersion }}
         livenessProbe:
diff --git a/helm-chart/amalthea-sessions/values.yaml b/helm-chart/amalthea-sessions/values.yaml
@@ -72,3 +72,8 @@ cloner:
 # SameSite parameter to None. This is only useful in specific cases for remote Renku cluster.
 # Setting this value to true can have security implications without adjusting CSP and CORS on the session ingress.
 useNoneSameSiteSessionCookie: false
+
+# Setting this to true will result the url for the session always using https.
+# Regardless of whether a TLS secret or cluster-wide TLS secret is used.
+# This is useful because in many cases TLS can be provided through other means.
+httpsSessionIngress: false

Original file line number	Diff line number	Diff line change
`@@ -231,7 +231,7 @@ type Ingress struct {`
`231`	`231`
`232`	`232`	`func (ingress *Ingress) UrlScheme() string {`
`233`	`233`	`urlScheme := "http"`
`234`		`- if (ingress.TLSSecret != nil && ingress.TLSSecret.Name != "") \|\| ingress.UseDefaultClusterTLSCert \|\| ingress.AssumeHttps {`
	`234`	`+ if (ingress.TLSSecret != nil && ingress.TLSSecret.Name != "") \|\| ingress.UseDefaultClusterTLSCert \|\| ingress.AssumeHttps \|\| getHttpsSessionIngress() {`
`235`	`235`	`urlScheme = "https"`
`236`	`236`	`}`
`237`	`237`	`return urlScheme`