NGINX Ingress controller not updating affinity cookie

10/29/2018

The nginx ingress controller in our Kubernetes cluster should route the traffic according to an optional session cookie (the SHA1 hash of the ip and port). However, when I send a random value as cookie, no real cookie is set instead. This also happens when the target server is not alive any more.

*   Trying 148.251.XXX.XXX...
* TCP_NODELAY set
* Connected to **********.com (148.251.XXX.XXX) port 444 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=*.********.com
*  start date: Oct 17 06:25:15 2018 GMT
*  expire date: Jan 15 06:25:15 2019 GMT
*  subjectAltName: host "********" matched cert's "*.********.com"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55d70debd8e0)
> GET /management/health HTTP/2
> Host: ***********.com:444
> User-Agent: curl/7.58.0
> Accept: */*
> Cookie: cv-sid=aa; Domain=**********.com; Path=/; HttpOnly
> 
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 200 
< server: nginx/1.15.2
< date: Mon, 29 Oct 2018 12:18:34 GMT
< content-type: application/vnd.spring-boot.actuator.v1+json;charset=UTF-8
< x-application-context: ********:kubernetes:8443
< x-content-type-options: nosniff
< x-xss-protection: 1; mode=block
< cache-control: no-cache, no-store, max-age=0, must-revalidate
< pragma: no-cache
< expires: 0
< strict-transport-security: max-age=15724800; includeSubDomains

I found a PDF by the authors that explains the flow that I expect.

Update: The output of kubectl describe ingress ... is:

Name:             ingress
Namespace:        default
Address:          
Default backend:  default-http-backend:80 (<none>)
TLS:
  tls-certificate-tmp terminates 
Rules:
  Host                 Path  Backends
  ----                 ----  --------
  ***.com    
                       /   ***-service:80 (<none>)
Annotations:
  nginx.ingress.kubernetes.io/rewrite-target:        /
  nginx.ingress.kubernetes.io/session-cookie-name:   sid
  nginx.ingress.kubernetes.io/ssl-redirect:          true
  nginx.ingress.kubernetes.io/proxy-body-size:       50M
  kubernetes.io/ingress.class:                       nginx
  nginx.ingress.kubernetes.io/affinity:              cookie
  nginx.ingress.kubernetes.io/session-cookie-hash:   sha1
  kubectl.kubernetes.io/last-applied-configuration:  ...

Events:  <none>
-- Johannes Mittendorfer
kubernetes
kubernetes-ingress
nginx
nginx-ingress
session
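An added diagnostic (my own code, not from the question or from ingress-nginx) that checks one exchange against the flow described above: it reads the cookie pairs from the request's Cookie header, compares the cookie name with the session-cookie-name annotation from the describe output, computes the value the described scheme would expect for each backend endpoint, and reports whether the response carried a Set-Cookie for that name. Hex-encoding the hash of the literal "ip:port" string, the placeholder hostname and the endpoint list are assumptions.

```python
import hashlib

# Constructed sample data mirroring the question: the affinity annotations from
# `kubectl describe ingress` and the relevant curl headers (hostname is a placeholder).
ANNOTATIONS = {
    "nginx.ingress.kubernetes.io/affinity": "cookie",
    "nginx.ingress.kubernetes.io/session-cookie-name": "sid",
    "nginx.ingress.kubernetes.io/session-cookie-hash": "sha1",
}
REQUEST_HEADERS = [
    "Host: example.invalid:444",
    "Cookie: cv-sid=aa; Domain=example.invalid; Path=/; HttpOnly",
]
RESPONSE_HEADERS = ["server: nginx/1.15.2"]  # no Set-Cookie came back in the question

def expected_affinity_value(endpoint: str, algo: str = "sha1") -> str:
    """Value for a backend 'ip:port' under the described scheme (hex of hash('ip:port') is an assumption)."""
    return hashlib.new(algo, endpoint.encode()).hexdigest()

def _header_values(headers, wanted):
    """Yield the values of every header whose name matches `wanted` (case-insensitive)."""
    for line in headers:
        name, _, value = line.partition(":")
        if name.strip().lower() == wanted:
            yield value.strip()

def parse_cookie_header(headers):
    """Return {name: value} for the pairs in the request's Cookie header(s)."""
    cookies = {}
    for value in _header_values(headers, "cookie"):
        for part in value.split(";"):
            k, _, v = part.strip().partition("=")
            if k:
                cookies[k] = v
    return cookies

def check_affinity(annotations, request_headers, response_headers, endpoints):
    """Return a list of findings for one exchange; an empty list means the flow looked as expected."""
    findings = []
    name = annotations["nginx.ingress.kubernetes.io/session-cookie-name"]
    algo = annotations["nginx.ingress.kubernetes.io/session-cookie-hash"]
    sent = parse_cookie_header(request_headers)
    if name not in sent:
        findings.append(f"request carries no '{name}' cookie (sent: {sorted(sent)})")
    valid = {expected_affinity_value(e, algo) for e in endpoints}  # a missing or stale value should trigger a fresh cookie
    needs_fresh = name not in sent or sent[name] not in valid
    issued = any(v.startswith(name + "=") for v in _header_values(response_headers, "set-cookie"))
    if needs_fresh and not issued:
        findings.append(f"response did not set '{name}' although a fresh affinity cookie was expected")
    return findings
```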

0 Answers