add session persistence support in destination rule #3502
Conversation
Signed-off-by: Rama Chavali <[email protected]>
istio-testing
added
the
size/M
ramaraochavali
added
the
release-notes-none
|
/test release-notes |
istio-testing
added
the
needs-rebase
|
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
| @@ -495,6 +495,35 @@ message LoadBalancerSettings { | |||
| uint64 minimum_ring_size = 4 [deprecated=true]; | |||
| }; | |||
|
|
|||
| // Session persistence settings for the destination. Use this for hard session affinity. | |||
There was a problem hiding this comment.
we need very clear docs on the difference between this and consist hash
There was a problem hiding this comment.
I think both 'hard affinity' and 'consistent hash' are well defined - but what we do ( 'by encoding the IP:port of the service in a cookie/header' ) needs to be clearly understood by users.
| // Use a cookie to store the session affinity information. | ||
| COOKIE = 0; | ||
| // Use a header to store the session affinity information. | ||
| HEADER = 1; |
There was a problem hiding this comment.
how can this possibly be used? how would a client know the opaque value to put here?
There was a problem hiding this comment.
It's not that opaque unfortunately - just an IP:port in a proto. I believe Envoy returns the header on the first request, and user is expected to set it in the next request.
Agree with your comment: it needs to be super clear in the comments, and also the case where we can't connect to the IP:port - don't remember if we return an error or just go to another endpoint and return the new updated header.
There was a problem hiding this comment.
Envoy returns the header with ip:port encoded and the client has to repeatedly send the header for every request.
The behaviour of Envoy when the ip:port is not found is dependent on the strict flag.
There was a problem hiding this comment.
I will update the docs to make all of this clear.
There was a problem hiding this comment.
This is weak feature, mostly we istio should be transparent of applications
| @@ -495,6 +495,35 @@ message LoadBalancerSettings { | |||
| uint64 minimum_ring_size = 4 [deprecated=true]; | |||
| }; | |||
|
|
|||
| // Session persistence settings for the destination. Use this for hard session affinity. | |||
There was a problem hiding this comment.
I think both 'hard affinity' and 'consistent hash' are well defined - but what we do ( 'by encoding the IP:port of the service in a cookie/header' ) needs to be clearly understood by users.
| // Use a cookie to store the session affinity information. | ||
| COOKIE = 0; | ||
| // Use a header to store the session affinity information. | ||
| HEADER = 1; |
There was a problem hiding this comment.
It's not that opaque unfortunately - just an IP:port in a proto. I believe Envoy returns the header on the first request, and user is expected to set it in the next request.
Agree with your comment: it needs to be super clear in the comments, and also the case where we can't connect to the IP:port - don't remember if we return an error or just go to another endpoint and return the new updated header.
|
|
||
| message Cookie { | ||
| // Lifetime of the cookie. If specified, a cookie with the TTL will be | ||
| // generated if the cookie is not present. If the TTL is present and zero, |
There was a problem hiding this comment.
I don't remember exactly - but there were some concerns with non-session cookies ( around privacy regulations - I think you are required to show the consent screen and all kind of other things ).
I would very much prefer if we start without this setting and only with session cookies, it's a very complicated problem, best to avoid Istio starting to set persistent cookies and dealing with privacy.
|
Not blocking for this CL, but few concerns I have with using DR:
|
|
I am planning to support this for Sidecars and Gateways and also using Gateway API - Waypoints should use Gateway API to get this behaviour? Is that fine? |
|
I think Gateways and Waypoints should use the Gateway API - and the doc
needs to be clear on the behavior (the endpoint IP is
generated by the gateway/waypoint, behave like normal / standard persistent
sessions ).
For Sidecars - that's where things are strange, because the persistent
session is actually handled on the client side, by client
sidecar encoding the picked endpoint - server has nothing to do with it
(unless it's a waypoint or gateway - and then things
get very weird because there client will stick to the gateways, which is
usually not what user wants - and a second header or cookie
is needed for sticking with the final backend ). Multicluster or egress
gateways in the path have this problem.
My point really is that it's not obvious and the docs should be detailed -
and it is better to keep the 'normal' cases separate
and handled with Gateway API, and not attempt to pretend it's the same or
mix them too much.
…On Wed, May 14, 2025 at 3:05 AM Rama Chavali ***@***.***> wrote:
*ramaraochavali* left a comment (istio/api#3502)
<#3502 (comment)>
I am planning to support this for Sidecars and Gateways and also using
Gateway API - Waypoints should use Gateway API to get this behaviour? Is
that fine?
—
Reply to this email directly, view it on GitHub
<#3502 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAUR2V6IZQZY7T62Z226ID26MIQNAVCNFSM6AAAAAB42TXOWGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDQNZZGYYDGNBYGI>
.
You are receiving this because your review was requested.Message ID:
***@***.***>
|
| // The cookie settings for session persistence. | ||
| Cookie cookie = 3; | ||
|
|
||
| message Cookie { |
| // The type of session persistence to use. | ||
| Type type = 1; | ||
|
|
||
| // The name of the header or cookie to use for session persistence. |
There was a problem hiding this comment.
Ah, see it. It is reusable field. Why donot we make header and cookie oneof
|
As I mentioned in the past, persistent sessions are not something new,
invented by Istio or Envoy - and they exist outside of Istio too,
DestinationRule is not restricted to only configuring rules for talking to
istio workloads.
For internet services using persistent sessions - the client can't control
the name of the cookie, and is usually required to copy all the
cookies provided by the server.
Even in the case of Istio - depending on topology the request may traverse
multiple E/W, Waypoints, managed gateways, etc - so a set
of cookies may accumulate ( for example one set by the E/W so future
requests are sent to the same cluster, and one by the final endpoint).
As DestinationRule is a client feature - I don't think cookie name is
useful and I don't think single name will be sufficient - and shouldn't
matter anyways because 30 years of practice have been for client to copy
all cookies.
The header name(s) are less common and are important to specify on client
side because unlike cookies there is no way for client to know,
but because the client application needs to do the copying - not clear how
DestinationRule can help when headers are set by remote load
balancers, it won't do anything.
For configuring a server - Gateway or Waypoint - the K8S Gateway API is a
better fit than DestinationRule ( which in Istio is only used to
configure clients ).
We do need this API for the case where client sidecar is generating the
cookie/header - i.e. sidecar->sidecar -
but will break and not work as expected for sidecar -> E/W gateway ->
sidecar or for sidecar -> waypoint/gateway -> anything, because
the client-side sidecar will set a cookie/header for the next hop, and a
persistent session to a specific gateway is not helpful.
IMHO a lot of confusion could be avoided with a simpler API that just had a
single boolean setting for the case of sidecar -> sidecar ( and nothing
else), plus the K8S Gateway for configuring gateways/waypoints.
Since client-side affinity to next hop is highly Istio sidecar specific -
we can define an istio-specific header to use - we already have other istio
headers that encode the identity and IP of the peer, and what 'client
session affinity' really does is allow the client app to use a header
to override the selection of the endpoint ( in a most convoluted way ).
It's not really session affinity - user can base64 encode any IP port
( if it is in the EDS response ) and send the request there, I think using
the name 'session persistence' instead of 'explicit endpoint selection'
was a mistake.
…On Thu, May 15, 2025 at 4:37 AM hzxuzhonghu ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In networking/v1alpha3/destination_rule.proto
<#3502 (comment)>:
> @@ -495,6 +495,35 @@ message LoadBalancerSettings {
uint64 minimum_ring_size = 4 [deprecated=true];
};
+ // Session persistence settings for the destination. Use this for hard session affinity.
+ message SessionPersistence {
+ // Type defines the type of session persistence such as through
+ // the use of a header or cookie. Default is COOKIE.
+ enum Type {
+ // Use a cookie to store the session affinity information.
+ COOKIE = 0;
+ // Use a header to store the session affinity information.
+ HEADER = 1;
+ }
+
+ // The type of session persistence to use.
+ Type type = 1;
+
+ // The name of the header or cookie to use for session persistence.
Ah, see it. It is reusable field. Why donot we make header and cookie oneof
—
Reply to this email directly, view it on GitHub
<#3502 (review)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAUR2TY4EY3JEBR34PUHFL26R4BLAVCNFSM6AAAAAB42TXOWGVHI2DSMVQWIX3LMV43YUDVNRWFEZLROVSXG5CSMV3GSZLXHMZDQNBTGM3DMOJXGE>
.
You are receiving this because your review was requested.Message ID:
***@***.***>
|
|
@howardjohn @costinm Sorry for the huge delay. Reading all the comments, it looks like the concern is more about adding more docs and explaining the behaviour in detail and there is no objection to this API. Is that a fair summary? If yes, I will work on adding more docs and address remaining comments, we can take it from there |
API for istio/istio#55839