Fix session affinity for canaries

[wasker]

What this PR does / why we need it:

If canary ingress is configured, session affinity settings no longer apply, which results in requests within the same session being served by both canary and non-canary endpoints. This affects scenarios when backwards-incompatible changes were deployed to canary, and in inconsistent results being served in general.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)

The change makes canaries respect session affinity settings by default, as this makes more sense than the current behavior. Nonetheless, there's a way to restore original behavior by adding a special annotation on a non-canary ingress definition, if someone prefers that behavior for some reason.

Which issue/s this PR fixes

Fixes #3717.

How Has This Been Tested?

Used repro steps from the bug to simulate the issue before and after changes.

Checklist:

• My change requires a change to the documentation.
• I have updated the documentation accordingly.
• I've read the CONTRIBUTION guide
• I have added tests to cover my changes.
• All new and existing tests passed.

[k8s-ci-robot]

Welcome @wasker!

It looks like this is your first PR to kubernetes/ingress-nginx 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/ingress-nginx has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

Hi @wasker. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[wasker]

@cmluciano @ElvinEfendi Can I get eyes on this PR, please?

[wasker]

@rikatz Could you help with unblocking this PR, please?

[bowei]

/ok-to-test

[wasker]

/retest

[bowei]

/assign @rikatz

[rikatz]

/kind bug
/priority important-soon

[wasker]

/retest

[wasker]

@rikatz FYI - after rebasing onto the latest from master, SSL test cases do not pass + there's an issue with a build. Is this known?

[rikatz]

Hi @wasker

From a Go perspective your PR looks good to me. I've asked for @ElvinEfendi and @moonming to do a review in Lua part.

To be honest I'm not sure we should change the default behavior (even broken). I think so, but we need to be really careful warning users about that, like "after this release, it will start working as desired but the desired may not be your desired anymore" :)

Let's re-test your tests and I'll keep an eye here, maybe you need to rebase so the latest commits/tests are present in yours as well :)

EDIT: Just saw that you already rebased, let me check here

[rikatz]

/retest

[rikatz]

/triage accepted
/cc @moonming @ElvinEfendi

[k8s-ci-robot]

@rikatz: The label(s) triage/approved cannot be applied, because the repository doesn't have them.

In response to this:

/triage approved
/cc @moonming @ElvinEfendi

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[rikatz]

/triage accepted

[wasker]

@rikatz I see this and this setup, and yet SSL tests are failing due to "unexpected error storing SSL certificate: could not create PEM certificate file /etc/ingress-controller/ssl/test-1624980835549457600.pem".

Am I missing something? This fails both in PR and locally.

[k8s-ci-robot]

@wasker: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Rerun command
pull-ingress-nginx-test	b5507fb	link	/test pull-ingress-nginx-test

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[wasker]

@rikatz I restarted the change here: #7371