I have a deployment which comprises 2 pods with a webapp in them. Nginx ingress controller is installed to expose those 2 pods using tls-passthrough. I have tried to use annotations to set up sticky-sessions but to no avail. No cookie is present in the headers, hence no stickiness. What could I do to make it work? Many thanks for your wise answers.

The Ingress I have created:

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress
  annotations:
    # nginx.ingress.kubernetes.io/secure-backends: "true"
    # nginx.ingress.kubernetes.io/ssl-passthrough: "true"
    # nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    # nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/affinity: "cookie"
    nginx.ingress.kubernetes.io/affinity-mode: "persistent"
    nginx.ingress.kubernetes.io/session-cookie-name: "wabam"
    nginx.ingress.kubernetes.io/session-cookie-expires: "172800"
    nginx.ingress.kubernetes.io/session-cookie-max-age: "172800"
  namespace: default
spec:
  rules:
    - host: wabam.moulip.lan
      http:
        paths:
          - backend:
              serviceName: wabam-ingress-svc
              servicePort: 443
            path: /
```
Jonas
moulip
  • If you `ssl-passthrough` then you cannot modify the request/response (by definition). – zerkms Jul 18 '20 at 08:31
  • because the Loadbalancer frontend is not forwarding Real-IP header – Abdennour TOUMI Jul 18 '20 at 09:20
  • Hello to both of you, I was suspecting the ssl-passthrough to be the culprit. And I have checked my web app logs and it's the actual client IP which is forwarded. Since I can't have the webapp listen in plain HTTP, will Nginx accept to kind of terminate the SSL session and still forward the traffic with HTTPS behind? – moulip Jul 18 '20 at 12:03
  • As mentioned already, any other annotation will not work when used alongside the `ssl-passthrough`. Therefore, I don't think this would work like you described. – Wytrzymały Wiktor Jul 20 '20 at 08:54

1 Answer

I am posting this as a community wiki answer for better visibility.

As already mentioned in the comments: any other annotation will not work when used alongside the `ssl-passthrough`. This is also mentioned in the official docs:

> Because SSL Passthrough works on layer 4 of the OSI model (TCP) and not on the layer 7 (HTTP), using SSL Passthrough invalidates all the other annotations set on an Ingress object.

Wytrzymały Wiktor
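A check for the situation this answer describes, as an added example that is not part of the original post: it reads `kubectl get ingress -A -o json` style output and lists the ingress-nginx annotations that an enabled `ssl-passthrough` leaves without effect, per the docs passage quoted above. The sample manifest and the `terminated` Ingress name are constructed for illustration.

```python
import json

PREFIX = "nginx.ingress.kubernetes.io/"
PASSTHROUGH = PREFIX + "ssl-passthrough"

def ignored_annotations(ingress):
    """Return the ingress-nginx annotations on one Ingress that have no effect
    because ssl-passthrough is enabled (empty list when it is not enabled)."""
    annotations = (ingress.get("metadata") or {}).get("annotations") or {}
    if str(annotations.get(PASSTHROUGH, "")).strip().lower() != "true":
        return []
    return sorted(k for k in annotations
                  if k.startswith(PREFIX) and k != PASSTHROUGH)

def audit(manifest_json):
    """Audit a single Ingress or a List of them, given as JSON text.
    Returns {"namespace/name": [ignored annotation keys]} for affected objects."""
    doc = json.loads(manifest_json)
    items = doc["items"] if "items" in doc else [doc]
    findings = {}
    for item in items:
        if item.get("kind") != "Ingress":
            continue
        ignored = ignored_annotations(item)
        if ignored:
            meta = item["metadata"]
            findings[f'{meta.get("namespace", "default")}/{meta["name"]}'] = ignored
    return findings

# Constructed sample, modelled on the Ingress in the question.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"kind": "Ingress",
     "metadata": {"name": "ingress", "namespace": "default", "annotations": {
         PASSTHROUGH: "true",
         PREFIX + "affinity": "cookie",
         PREFIX + "session-cookie-name": "wabam"}}},
    {"kind": "Ingress",  # no passthrough: cookie affinity applies here
     "metadata": {"name": "terminated", "namespace": "default", "annotations": {
         PREFIX + "affinity": "cookie"}}},
]})

if __name__ == "__main__":
    for ingress, keys in audit(SAMPLE).items():
        print(f"{ingress}: ssl-passthrough is set, these annotations are ignored:")
        for key in keys:
            print("  " + key)
```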