K
Q

Kubernetes nginx ingress 0.22 not respecting cookie affinity annotation?

3/7/2019

We recently upgraded to nginx-ingress 0.22. Before this upgrade, my service was using the old namespace ingress.kubernetes.io/affinity: cookie and everything was working as I expected. However, upon the upgrade to 0.22, affinity stopped being applied to my service (I don't see sticky anywhere in the nginx.conf).

I looked at the docs and changed the namespace to nginx.ingress.kubernetes.io as shown in this example, but it didn't help.

Is there some debug log I can look at that will show the configuration parsing/building process? My guess is that some other setting is preventing this from working (I can't imagine the k8s team shipped a release with this feature completely broken), but I'm not sure what that could be.

My ingress config as shown by the k8s dashboard follows:

  "kind": "Ingress",
  "apiVersion": "extensions/v1beta1",
  "metadata": {
    "name": "example-ingress",
    "namespace": "master",
    "selfLink": "/apis/extensions/v1beta1/namespaces/master/ingresses/example-ingress",
    "uid": "01e81627-3b90-11e9-bb5a-f6bc944a4132",
    "resourceVersion": "23345275",
    "generation": 1,
    "creationTimestamp": "2019-02-28T19:35:30Z",
    "labels": {
    },
    "annotations": {
      "ingress.kubernetes.io/backend-protocol": "HTTPS",
      "ingress.kubernetes.io/limit-rps": "100",
      "ingress.kubernetes.io/proxy-body-size": "100m",
      "ingress.kubernetes.io/proxy-read-timeout": "60",
      "ingress.kubernetes.io/proxy-send-timeout": "60",
      "ingress.kubernetes.io/secure-backends": "true",
      "ingress.kubernetes.io/secure-verify-ca-secret": "example-ingress-ssl",
      "kubernetes.io/ingress.class": "nginx",
      "nginx.ingress.kubernetes.io/affinity": "cookie",
      "nginx.ingress.kubernetes.io/backend-protocol": "HTTPS",
      "nginx.ingress.kubernetes.io/limit-rps": "100",
      "nginx.ingress.kubernetes.io/proxy-body-size": "100m",
      "nginx.ingress.kubernetes.io/proxy-buffer-size": "8k",
      "nginx.ingress.kubernetes.io/proxy-read-timeout": "60",
      "nginx.ingress.kubernetes.io/proxy-send-timeout": "60",
      "nginx.ingress.kubernetes.io/secure-verify-ca-secret": "example-ingress-ssl",
      "nginx.ingress.kubernetes.io/session-cookie-expires": "172800",
      "nginx.ingress.kubernetes.io/session-cookie-max-age": "172800",
      "nginx.ingress.kubernetes.io/session-cookie-name": "route",
      "nginx.org/websocket-services": "example"
    }
  },
  "spec": {
    "tls": [
      {
        "hosts": [
          "*.example.net"
        ],
        "secretName": "example-ingress-ssl"
      }
    ],
    "rules": [
      {
        "host": "*.example.net",
        "http": {
          "paths": [
            {
              "path": "/",
              "backend": {
                "serviceName": "example",
                "servicePort": 443
              }
            }
          ]
        }
      }
    ]
  },
  "status": {
    "loadBalancer": {
      "ingress": [
        {}
      ]
    }
  }
}
-- anisoptera
kubernetes
kubernetes-ingress
nginx-ingress

Similar Questions

How can I enable external access to my Kubernetes service via the master with Calico on GCP?
Kubernetes Node NotReady: ContainerGCFailed / ImageGCFailed context deadline exceeded
Secret storage in JupyterHub or Helm? (Running on kubernetes on AWS EKS)
Retrieve Kubernetes Secrets mounted as volumes

1 Answer

3/11/2019

As I tested Sticky session affinity with Nginx Ingress version 0.22, I can assure that it works just fine. Then when I was looking for your configuration, I replaced wildcard host host: "*.example.net" with i.e host: "stickyingress.example.net" just to ignore wildcard, and it worked fine again. So after some search I found out that from this issue

Wildcard hostnames are not supported by the Ingress spec (only SSL wildcard certificates are)

Even this issue was opened for NGINX Ingress controller version: 0.21.0

-- coolinuxoid
Source: StackOverflow