Kubernetes nginx ingress 0.22 not respecting cookie affinity annotation?

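We recently upgraded to nginx-ingress 0.22. Before this upgrade, my service was using the old namespace ingress.kubernetes.io/affinity: cookie, and everything was working as I expected. However, after upgrading to 0.22, affinity stopped being applied to my service (I don't see sticky anywhere in nginx.conf).

I looked at the docs and changed the namespace to nginx.ingress.kubernetes.io, as shown in this example, but it didn't help.

Is there some debug log I can look at that will show the configuration parsing/building process? My guess is that some other setting is preventing it from working (I can't imagine the k8s team released a version that completely broke this feature), but I'm not sure what that could be.

My ingress config, as shown by the k8s dashboard, follows: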

{
  "kind": "Ingress",
  "apiVersion": "extensions/v1beta1",
  "metadata": {
    "name": "example-ingress",
    "namespace": "master",
    "selfLink": "/apis/extensions/v1beta1/namespaces/master/ingresses/example-ingress",
    "uid": "01e81627-3b90-11e9-bb5a-f6bc944a4132",
    "resourceVersion": "23345275",
    "generation": 1,
    "creationTimestamp": "2019-02-28T19:35:30Z",
    "labels": {
    },
    "annotations": {
      "ingress.kubernetes.io/backend-protocol": "HTTPS",
      "ingress.kubernetes.io/limit-rps": "100",
      "ingress.kubernetes.io/proxy-body-size": "100m",
      "ingress.kubernetes.io/proxy-read-timeout": "60",
      "ingress.kubernetes.io/proxy-send-timeout": "60",
      "ingress.kubernetes.io/secure-backends": "true",
      "ingress.kubernetes.io/secure-verify-ca-secret": "example-ingress-ssl",
      "kubernetes.io/ingress.class": "nginx",
      "nginx.ingress.kubernetes.io/affinity": "cookie",
      "nginx.ingress.kubernetes.io/backend-protocol": "HTTPS",
      "nginx.ingress.kubernetes.io/limit-rps": "100",
      "nginx.ingress.kubernetes.io/proxy-body-size": "100m",
      "nginx.ingress.kubernetes.io/proxy-buffer-size": "8k",
      "nginx.ingress.kubernetes.io/proxy-read-timeout": "60",
      "nginx.ingress.kubernetes.io/proxy-send-timeout": "60",
      "nginx.ingress.kubernetes.io/secure-verify-ca-secret": "example-ingress-ssl",
      "nginx.ingress.kubernetes.io/session-cookie-expires": "172800",
      "nginx.ingress.kubernetes.io/session-cookie-max-age": "172800",
      "nginx.ingress.kubernetes.io/session-cookie-name": "route",
      "nginx.org/websocket-services": "example"
    }
  },
  "spec": {
    "tls": [
      {
        "hosts": [
          "*.example.net"
        ],
        "secretName": "example-ingress-ssl"
      }
    ],
    "rules": [
      {
        "host": "*.example.net",
        "http": {
          "paths": [
            {
              "path": "/",
              "backend": {
                "serviceName": "example",
                "servicePort": 443
              }
            }
          ]
        }
      }
    ]
  },
  "status": {
    "loadBalancer": {
      "ingress": [
        {}
      ]
    }
  }
}

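When I tested sticky session affinity with Nginx Ingress version 0.22, I can assure you that it works just fine. Then, when I was looking at your configuration, I replaced the wildcard host host: "*.example.net" with host: "stickyingress.example.net" just to rule out the wildcard, and it worked fine again. So after some searching, I found this issue: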

Wildcard hostnames are not supported by the Ingress spec (only SSL wildcard certificates are)

That issue was even opened for NGINX Ingress controller version: 0.21.0
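
A check based on the answer above, added here as an example and not code from the original thread: it scans Ingress JSON (a single object or the List returned by `kubectl get ingress -o json`) for Ingresses that request cookie affinity while using a wildcard rule host. The helper names and the sample objects are constructed for illustration.

```python
AFFINITY = "nginx.ingress.kubernetes.io/affinity"


def iter_ingresses(doc):
    """Yield Ingress objects from one object or a `kubectl get -o json` List."""
    if doc.get("kind") == "List":
        items = doc.get("items") or []
    else:
        items = [doc]
    for obj in items:
        if obj.get("kind") == "Ingress":
            yield obj


def wildcard_affinity_findings(doc):
    """Return (namespace/name, host) for wildcard rule hosts on cookie-affinity Ingresses."""
    findings = []
    for ing in iter_ingresses(doc):
        meta = ing.get("metadata", {})
        annotations = meta.get("annotations") or {}
        if annotations.get(AFFINITY) != "cookie":
            continue
        ident = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
        for rule in ing.get("spec", {}).get("rules") or []:
            host = rule.get("host", "")
            # Only rule hosts are checked; wildcard entries under spec.tls are not flagged.
            if host.startswith("*."):
                findings.append((ident, host))
    return findings


def make_ingress(name, host):
    """Constructed sample, trimmed from the Ingress shown in the question."""
    return {
        "kind": "Ingress",
        "metadata": {"name": name, "namespace": "master",
                     "annotations": {AFFINITY: "cookie"}},
        "spec": {"tls": [{"hosts": ["*.example.net"]}],
                 "rules": [{"host": host}]},
    }


SAMPLE = {"kind": "List", "items": [
    make_ingress("example-ingress", "*.example.net"),
    make_ingress("sticky-ingress", "stickyingress.example.net"),
]}

if __name__ == "__main__":
    for ident, host in wildcard_affinity_findings(SAMPLE):
        print(f"{ident}: cookie affinity requested with wildcard host {host}")
```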