Configure Traefik Sticky Session in Kubernetes


As wrote earlier, I have a Jira Data Center cluster running on Kubernetes. The cluster has three nodes, and traefik is the ingress controller.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: sandbox
namespace: default
annotations:
kubernetes.io/ingress.class: traefik
spec:
rules:
host: jira-sandbox.mydomain.com
http:
paths:
path: /
backend:
serviceName: jira
servicePort: 8080
host: confluence-sandbox.mydomain.com
http:
paths:
path: /
backend:
serviceName: confluence
servicePort: 8090
path: /synchrony
backend:
serviceName: confluence
servicePort: 8091

Sometimes when I create a new issue or open a setting, I got the following errors:

The root cause of this is that the request goes to a Jira node with which my browser has an expired session. As by default the service does round robin, the three Jira nodes just take turn to serve the new requests.

The fix is to use sticky session instead of round robin, so the same node serves the subsequent requests from the same session. Here are the annotations I added to my Jira service to use sticky session.

  annotations:
    traefik.ingress.kubernetes.io/affinity: "true"
    traefik.ingress.kubernetes.io/session-cookie-name: "sticky"

The full Jira service config file:

apiVersion: v1
kind: Service
metadata:
name: jira
labels:
app: jira
annotations:
traefik.ingress.kubernetes.io/affinity: "true"
traefik.ingress.kubernetes.io/session-cookie-name: "sticky"
spec:
type: NodePort
ports:
port: 8080
targetPort: 8080
selector:
app: jira

Check the session cookies, now I can see it is sticky to one of the Jira node now ( 10.32.0.6)

Run a quick curl test to double check:

$ curl -c cookie-jar -I -s http://jira-sandbox.mydomain.com:32631/status

HTTP/1.1 200 OK
Content-Length: 19
Content-Security-Policy: frame-ancestors 'self'
Content-Type: application/json;charset=UTF-8
Date: Wed, 06 Nov 2019 00:33:48 GMT
Set-Cookie: sticky=http://10.32.0.8:8080; Path=/
Set-Cookie: atlassian.xsrf.token=BV44-TO2E-83JE-X3FL_80e09ce8c80aed4d65312980e779e88742cb2f5b_lout; Path=/
Set-Cookie: JSESSIONID=BCC4EE1C6034A4C5D82A72E003EF52C3; Path=/; HttpOnly
X-Anodeid: jira-3
X-Arequestid: 33x14439x1
X-Asen: SEN-L14457132
X-Asessionid: 1m9h2ki
X-Ausername: anonymous
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block

$ for i in $(seq 10); do echo "curl -b cookie-jar -I -s http://jira-sandbox.mydomain.com:32631/status | grep -i node" | bash - && grep -i token cookie-jar; done

X-Anodeid: jira-3
jira-sandbox.mydomain.com	FALSE	/	FALSE	0	atlassian.xsrf.token	BV44-TO2E-83JE-X3FL_80e09ce8c80aed4d65312980e779e88742cb2f5b_lout
X-Anodeid: jira-3
jira-sandbox.mydomain.com	FALSE	/	FALSE	0	atlassian.xsrf.token	BV44-TO2E-83JE-X3FL_80e09ce8c80aed4d65312980e779e88742cb2f5b_lout
X-Anodeid: jira-3
jira-sandbox.mydomain.com	FALSE	/	FALSE	0	atlassian.xsrf.token	BV44-TO2E-83JE-X3FL_80e09ce8c80aed4d65312980e779e88742cb2f5b_lout
X-Anodeid: jira-3
jira-sandbox.mydomain.com	FALSE	/	FALSE	0	atlassian.xsrf.token	BV44-TO2E-83JE-X3FL_80e09ce8c80aed4d65312980e779e88742cb2f5b_lout
X-Anodeid: jira-3
jira-sandbox.mydomain.com	FALSE	/	FALSE	0	atlassian.xsrf.token	BV44-TO2E-83JE-X3FL_80e09ce8c80aed4d65312980e779e88742cb2f5b_lout
X-Anodeid: jira-3
jira-sandbox.mydomain.com	FALSE	/	FALSE	0	atlassian.xsrf.token	BV44-TO2E-83JE-X3FL_80e09ce8c80aed4d65312980e779e88742cb2f5b_lout
X-Anodeid: jira-3
jira-sandbox.mydomain.com	FALSE	/	FALSE	0	atlassian.xsrf.token	BV44-TO2E-83JE-X3FL_80e09ce8c80aed4d65312980e779e88742cb2f5b_lout
X-Anodeid: jira-3
jira-sandbox.mydomain.com	FALSE	/	FALSE	0	atlassian.xsrf.token	BV44-TO2E-83JE-X3FL_80e09ce8c80aed4d65312980e779e88742cb2f5b_lout
X-Anodeid: jira-3
jira-sandbox.mydomain.com	FALSE	/	FALSE	0	atlassian.xsrf.token	BV44-TO2E-83JE-X3FL_80e09ce8c80aed4d65312980e779e88742cb2f5b_lout
X-Anodeid: jira-3
jira-sandbox.mydomain.com	FALSE	/	FALSE	0	atlassian.xsrf.token	BV44-TO2E-83JE-X3FL_80e09ce8c80aed4d65312980e779e88742cb2f5b_lout

And it fixed the above error:

Reference:
https://docs.traefik.io/v1.7/configuration/backends/kubernetes/

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s