Only set cookies on paths that enable session affinity

2018-11-19 11:42:12 -05:00 · 2018-11-19 11:42:12 -05:00 · 2b109b360b
commit 2b109b360b
parent 82721e575d
4 changed files with 92 additions and 5 deletions
--- a/docs/user-guide/nginx-configuration/annotations.md
+++ b/docs/user-guide/nginx-configuration/annotations.md
@ -137,6 +137,9 @@ If the Application Root is exposed in a different path and needs to be redirecte
 The annotation `nginx.ingress.kubernetes.io/affinity` enables and sets the affinity type in all Upstreams of an Ingress. This way, a request will always be directed to the same upstream server.
 The only affinity type available for NGINX is `cookie`.

+!!! attention
+    If more than one Ingress is defined for a host and at least one Ingress uses `nginx.ingress.kubernetes.io/affinity: cookie`, then only paths on the Ingress using `nginx.ingress.kubernetes.io/affinity` will use session cookie affinity. All paths defined on other Ingresses for the host will be load balanced through the random selection of a backend server. 
+
 !!! example
    Please check the [affinity](../../examples/affinity/cookie/README.md) example.

--- a/rootfs/etc/nginx/lua/balancer/sticky.lua
+++ b/rootfs/etc/nginx/lua/balancer/sticky.lua
@ -18,6 +18,7 @@ function _M.new(self, backend)
    cookie_expires = backend["sessionAffinityConfig"]["cookieSessionAffinity"]["expires"],
    cookie_max_age = backend["sessionAffinityConfig"]["cookieSessionAffinity"]["maxage"],
    cookie_path = backend["sessionAffinityConfig"]["cookieSessionAffinity"]["path"],
+    cookie_locations = backend["sessionAffinityConfig"]["cookieSessionAffinity"]["locations"],
    digest_func = digest_func,
    traffic_shaping_policy = backend.trafficShapingPolicy,
    alternative_backends = backend.alternativeBackends,
@ -81,7 +82,18 @@ function _M.balance(self)
  if not key then
    local random_str = string.format("%s.%s", ngx.now(), ngx.worker.pid())
    key = encrypted_endpoint_string(self, random_str)
+
+    if self.cookie_locations then
+      local locs = self.cookie_locations[ngx.var.host]
+      if locs ~= nil then
+        for _, path in pairs(locs) do
+          if ngx.var.location_path == path then
            set_cookie(self, key)
+            break
+          end
+        end
+      end
+    end
  end

  return self.instance:find(key)
--- a/rootfs/etc/nginx/lua/test/balancer/sticky_test.lua
+++ b/rootfs/etc/nginx/lua/test/balancer/sticky_test.lua
@ -40,7 +40,7 @@ end

 describe("Sticky", function()
  before_each(function()
-    mock_ngx({ var = { location_path = "/" } })
+    mock_ngx({ var = { location_path = "/", host = "test.com" } })
  end)

  after_each(function()
@ -102,7 +102,8 @@ describe("Sticky", function()
      cookie.new = mocked_cookie_new
    end)

-    context("when client doesn't have a cookie set", function()
+
+    context("when client doesn't have a cookie set and location is in cookie_locations", function()
      it("picks an endpoint for the client", function()
        local sticky_balancer_instance = sticky:new(test_backend)
        local peer = sticky_balancer_instance:balance()
@ -119,7 +120,42 @@ describe("Sticky", function()
              local expected_len = #util[test_backend_hash_fn .. "_digest"]("anything")
              assert.equal(#payload.value, expected_len)
              assert.equal(payload.path, ngx.var.location_path)
-              assert.equal(payload.domain, nil)
+              assert.equal(payload.domain, ngx.var.host)
+              assert.equal(payload.httponly, true)
+              return true, nil
+            end,
+            get = function(k) return false end,
+          }
+          s = spy.on(cookie_instance, "set")
+          return cookie_instance, false
+        end
+        local b = get_test_backend()
+        b.sessionAffinityConfig.cookieSessionAffinity.locations = {}
+        b.sessionAffinityConfig.cookieSessionAffinity.locations["test.com"] = {"/"}
+        local sticky_balancer_instance = sticky:new(b)
+        assert.has_no.errors(function() sticky_balancer_instance:balance() end)
+        assert.spy(s).was_called()
+      end)
+    end)
+
+    context("when client doesn't have a cookie set and location not in cookie_locations", function()
+      it("picks an endpoint for the client", function()
+        local sticky_balancer_instance = sticky:new(test_backend)
+        local peer = sticky_balancer_instance:balance()
+        assert.equal(peer, test_backend_endpoint)
+      end)
+
+      it("does not set a cookie on the client", function()
+        local s = {}
+        cookie.new = function(self)
+          local test_backend_hash_fn = test_backend.sessionAffinityConfig.cookieSessionAffinity.hash
+          local cookie_instance = {
+            set = function(self, payload)
+              assert.equal(payload.key, test_backend.sessionAffinityConfig.cookieSessionAffinity.name)
+              local expected_len = #util[test_backend_hash_fn .. "_digest"]("anything")
+              assert.equal(#payload.value, expected_len)
+              assert.equal(payload.path, ngx.var.location_path)
+              assert.equal(payload.domain, ngx.var.host)
              assert.equal(payload.httponly, true)
              return true, nil
            end,
@ -130,7 +166,7 @@ describe("Sticky", function()
        end
        local sticky_balancer_instance = sticky:new(get_test_backend())        
        assert.has_no.errors(function() sticky_balancer_instance:balance() end)
-        assert.spy(s).was_called()
+        assert.spy(s).was_not_called()
      end)
    end)

--- a/test/e2e/annotations/affinity.go
+++ b/test/e2e/annotations/affinity.go
@ -284,4 +284,40 @@ var _ = framework.IngressNginxDescribe("Annotations - Affinity/Sticky Sessions",
 		Expect(err).ToNot(HaveOccurred())
 		Expect(logs).To(ContainSubstring(`session-cookie-path should be set when use-regex is true`))
 	})
+
+	It("should not set affinity across all server locations when using separate ingresses", func() {
+		host := "cookie.foo.com"
+
+		annotations := map[string]string{
+			"nginx.ingress.kubernetes.io/affinity": "cookie",
+		}
+		ing1 := framework.NewSingleIngress("ingress1", "/foo/bar", host, f.IngressController.Namespace, "http-svc", 80, &annotations)
+		f.EnsureIngress(ing1)
+
+		ing2 := framework.NewSingleIngress("ingress2", "/foo", host, f.IngressController.Namespace, "http-svc", 80, &map[string]string{})
+		f.EnsureIngress(ing2)
+
+		f.WaitForNginxServer(host,
+			func(server string) bool {
+				return strings.Contains(server, `location /foo/bar`) && strings.Contains(server, `location /foo`)
+			})
+
+		resp, _, errs := gorequest.New().
+			Get(f.IngressController.HTTPURL+"/foo").
+			Set("Host", host).
+			End()
+
+		Expect(errs).Should(BeEmpty())
+		Expect(resp.StatusCode).Should(Equal(http.StatusOK))
+		Expect(resp.Header.Get("Set-Cookie")).Should(Equal(""))
+
+		resp, _, errs = gorequest.New().
+			Get(f.IngressController.HTTPURL+"/foo/bar").
+			Set("Host", host).
+			End()
+
+		Expect(errs).Should(BeEmpty())
+		Expect(resp.StatusCode).Should(Equal(http.StatusOK))
+		Expect(resp.Header.Get("Set-Cookie")).Should(ContainSubstring("Path=/foo/bar"))
+	})
 })