nginx - Nginx GKE 入口允许会话亲和性
问题描述
我正在 GKE 1.19.7-gke.1302 上部署 nginx 入口,并通过 nginx-ingress-0.8.0 helm chart 部署 nginx 入口,并且我正在尝试使会话亲和性工作。它适用于托管的“gce”入口,我正在获取“GCLB”cookie,但不适用于 nginx 入口。这些是我的配置:
nginx-ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: my-nginx-ingress
namespace: default
annotations:
kubernetes.io/ingress.class: nginx
# gke static ip address name
#kubernetes.io/ingress.global-static-ip-name: my-proxy
# make ssl connection to the backends (deprecated)
#nginx.ingress.kubernetes.io/secure-backends: "true"
# don't use http
kubernetes.io/ingress.allow-http: "false"
# enable backend redirections
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
# this is deprecated
#nginx.ingress.kubernetes.io/app-root: /
nginx.ingress.kubernetes.io/rewrite-target: /
nginx.ingress.kubernetes.io/configuration-snippet: |
rewrite ^/kibana/(.*)$ /$2 break;
#nginx.ingress.kubernetes.io/app-root: /
# enable stickiness
nginx.ingress.kubernetes.io/affinity: cookie
nginx.ingress.kubernetes.io/affinity-mode: persistent
nginx.ingress.kubernetes.io/session-cookie-name: OAUTH
nginx.ingress.kubernetes.io/session-cookie-expires: "172800"
nginx.ingress.kubernetes.io/session-cookie-max-age: "172800"
cert-manager.io/cluster-issuer: letsencrypt-staging
spec:
tls:
- secretName: my-tls
hosts:
- "test.com"
rules:
- host: "test.com"
http:
paths:
- path: /
backend:
serviceName: my-nodeport
servicePort: 80
我的节点端口
apiVersion: v1
kind: Service
metadata:
annotations:
cloud.google.com/backend-config: '{"ports": {"80":"my-backendconfig"}}'
cloud.google.com/neg: '{"ingress": true}'
ingress.kubernetes.io/affinity: cookie
name: my-nodeport
namespace: default
spec:
ports:
- port: 80
protocol: TCP
targetPort: 80
selector:
app: my
sessionAffinity: ClientIP
sessionAffinityConfig:
clientIP:
timeoutSeconds: 10800
type: NodePort
我的后端配置
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
annotations:
name: my-backendconfig
namespace: default
spec:
sessionAffinity:
affinityCookieTtlSec: 6000
affinityType: GENERATED_COOKIE
我的目标是提供具有会话亲和性的 HTTPS 代理,然后将标头传递给我的应用程序,这对于内置的 GCE 入口是不可能的,所以我正在尝试使用 nginss 入口来做到这一点。其他解决方案而不是 nginx 入口也可以解决我的问题!