Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[1759] Ingress affinity session cookie with Secure flag for HTTPS #3509

Merged
merged 3 commits into from
Dec 6, 2018
Merged

[1759] Ingress affinity session cookie with Secure flag for HTTPS #3509

merged 3 commits into from
Dec 6, 2018

Conversation

fabiant7t
Copy link
Contributor

Signed-off-by: Fabian Topfstedt topfstedt@schneevonmorgen.com

What this PR does / why we need it:
Ingress affinity session cookies did not set the Secure flag when the Ingress is called through HTTPS. The affinity cookie is therefore ignored by the client and every recurring request to the ingress will result in a new Set-Cookie header being send, preventing stickyness to work.
Since ingresses may be called both through both HTTP and HTTPS, setting the Secure flag depends on the context.

My proposal to solve it:

Which issue this PR fixes: fixes #1759

Special notes for your reviewer:
I managed to run and edit the Lua testsuite to unit test my assumptions. Being my first PR, I need someone experienced to review the integration though.

@fabiant7t
[1759] Ingress affinity session cookie with Secure flag for HTTPS
1e31767 
Signed-off-by: Fabian Topfstedt <topfstedt@schneevonmorgen.com>
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Dec 4, 2018
@fabiant7t
Copy link
Contributor Author

/assign @bowei

Thanks a lot!

@fabiant7t fabiant7t mentioned this pull request Dec 4, 2018
Closed
@aledbf
Copy link
Member

aledbf commented Dec 4, 2018

@fabiant7t please don't assign PRs manually

@fabiant7t
Copy link
Contributor Author

@aledbf I'm sorry, I followed k8s-ci-robot's hint above, which must have been addressed to the reviewers then.

@aledbf aledbf unassigned bowei Dec 4, 2018
ElvinEfendi
ElvinEfendi reviewed Dec 5, 2018
View reviewed changes
rootfs/etc/nginx/lua/test/balancer/sticky_test.lua Outdated
@@ -40,7 +40,7 @@ end

describe("Sticky", function()
before_each(function()
mock_ngx({ var = { location_path = "/", host = "test.com" } })
mock_ngx({ var = { location_path = "/", host = "test.com", https = "on" } })
Copy link
Member

@ElvinEfendi ElvinEfendi Dec 5, 2018
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

instead of changing this globally please introduce another test just like https://github.com/kubernetes/ingress-nginx/pull/3509/files#diff-f62b36fb1d17870f3fbc347d5624fc1fR112 but for when ngx.var.https is "on".

Then inside that specific test case (it) you can mock $https using ngx.var.https = "on"

@ElvinEfendi
Copy link
Member

Thanks for fixing this @fabiant7t ! Just one comment about the unit test otherwise LGTM.

@fabiant7t
reverted changing $https globally in the unit tests
6c46adf 
Signed-off-by: Fabian Topfstedt <topfstedt@schneevonmorgen.com>
@fabiant7t
testing that a secure cookie gets set when being in ssl mode
f03c8a8 
Signed-off-by: Fabian Topfstedt <topfstedt@schneevonmorgen.com>
@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Dec 6, 2018
@ElvinEfendi
Copy link
Member

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Dec 6, 2018
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ElvinEfendi, fabiant7t

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 6, 2018
@k8s-ci-robot k8s-ci-robot merged commit da32401 into kubernetes:master Dec 6, 2018
ankon added a commit to Collaborne/ingress that referenced this pull request Nov 19, 2019
@ankon
Allow configuring the 'secure' flag for the session cookie
6d22280 
The annotation `ingress.k8s.collaborne.com/session-cookie-flags` can be set to "secure" to configure the sticky affinity
cookie to have the 'secure' flag.

This is a complete reimplementation of kubernetes#3509
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ElvinEfendi ElvinEfendi ElvinEfendi left review comments

@aledbf aledbf Awaiting requested review from aledbf

Assignees

@ElvinEfendi ElvinEfendi

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Ingress affinity session cookie doesn't have a Secure flag for HTTPS
5 participants
@fabiant7t @aledbf @ElvinEfendi @k8s-ci-robot @bowei