GEP-1619: Enumerate common configuration for session persistence and affinity #1935
Hi @gcs278. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/ok-to-test |
733bc87
to
dbf21e7
Compare
|
||
Generally, the implementation API programs the dataplane API; however these two are not always clearly separated. The two types of APIs can use different API structures for configuring the same feature. Examining the dataplane APIs helps to remove the layer of API abstraction that implementations provide. Removing this layer avoids situations where implementations don’t fully implement all capabilities of a dataplane API or obfuscate certain configuration around session persistence. On the other hand, examining implementation APIs provides valuable data points in what implementations are interested in configuring. | ||
|
||
**Session Persistence** |
Review the tables here: https://github.com/gcs278/gateway-api/blob/gep-1619-cookie-configuration/geps/gep-1619.md
CC: @shaneutt @robscott @costinm @howardjohn @sunjayBhatia @pleshakov (the folks that showed interest in #1643 originally) ready for review if you happened to be interested in helping out. Thanks!
This is an outstanding first pass at a GEP, and I will be pointing to it as such in the future.
I'll approve here with a hold so we can get some more LGTMs though.
/approve
/hold
I wouldn't say |
I was trying to take a high level view in terms of the goal of each feature: a load balancer's goal is to spread (or "balance") the load among a set of backends (equally or based on some other criteria such as capacity) whereas the goal of a persistence/affinity feature is to not spread it but rather keep it stuck to one backend as far as possible. We can model the behavior as you have described for the purpose of defining the API: if the policy dictates routing based on session identity then do it otherwise load balance based on some LB configuration.
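The behavior modeled in the comment above (route on session identity when it matches, otherwise load balance), as an added Go sketch that is not part of this PR or of Gateway API. The `Balancer` type, the `gw-session` cookie name and the backend IDs are assumptions; the cookie carries the `Secure`, `HttpOnly` and `SameSite` attributes that the GEP table lists for Traefik.

```go
package main

import (
	"fmt"
	"net/http"
)

// CookieName and the backend IDs below are assumptions made for this sketch.
const CookieName = "gw-session"

type Balancer struct {
	backends []string        // opaque backend IDs, never addresses
	healthy  map[string]bool // health as currently seen by the proxy
	next     int             // round-robin cursor
}

// Pick returns the backend ID for r and, when a session is newly pinned,
// the persistence cookie to send back to the client.
func (b *Balancer) Pick(r *http.Request) (string, *http.Cookie) {
	// Session identity first. The cookie value is client-controlled, so it is
	// only a lookup key: unknown or unhealthy IDs fall through to balancing.
	if c, err := r.Cookie(CookieName); err == nil && b.healthy[c.Value] {
		return c.Value, nil
	}
	// No usable session: round robin over healthy backends, then pin the choice.
	for i := 0; i < len(b.backends); i++ {
		id := b.backends[b.next%len(b.backends)]
		b.next++
		if b.healthy[id] {
			return id, &http.Cookie{Name: CookieName, Value: id, Path: "/",
				Secure: true, HttpOnly: true, SameSite: http.SameSiteLaxMode}
		}
	}
	return "", nil // nothing healthy to route to
}

func main() {
	b := &Balancer{backends: []string{"b1", "b2"},
		healthy: map[string]bool{"b1": true, "b2": true}}
	first, _ := http.NewRequest("GET", "https://app.example/", nil)
	id, ck := b.Pick(first)
	fmt.Println("new session ->", id, "Set-Cookie:", ck.String())

	again, _ := http.NewRequest("GET", "https://app.example/", nil)
	again.AddCookie(&http.Cookie{Name: CookieName, Value: id})
	id2, _ := b.Pick(again)
	fmt.Println("returning session ->", id2)
}
```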
4874c1f
to
df8eba0
Compare
As this continues to be Provisional I'm personally comfortable with adding what's here and continuing to iterate from this point.
We should capture any outstanding concerns that aren't easily rectified yet as part of a TODO-type section.
df8eba0
to
37d1851
Compare
Added an additional open question in https://github.com/kubernetes-sigs/gateway-api/compare/df8eba0fa6ee7747822b0a6381016be541a6e21f..37d18517ea87f4b2271bad98e5f3436bf993b4af regarding discussion on API design. Otherwise, I think our TODO section captures what we need to do. The biggest one being
Thanks @gcs278, this is really great. A few small requests but mostly LGTM.
### Open Questions | ||
|
||
TBD | ||
- Should we include both session persistence and session affinity API configurations in this GEP or just focus on session persistence? |
@gcs278 can you capture some of this context in the GEP before merging and link to this thread?
I like how Rob's review is from 14 hours ago, but the individual comments say last week. He wasn't kidding when he said he had a review in progress for a while that he just hadn't submitted yet 😂
de756ff
to
c3c3fbb
Compare
CloudRun is different - and I'm sure google has a few more :-)
…On Wed, May 3, 2023 at 10:46 AM Grant Spence ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In geps/gep-1619.md
<#1935 (comment)>
:
> +| Hashicorp Consul | Implementation (Envoy) | N/A | Supports Gateway API Only* | N/A | *Hashicorp Consul solely uses Gateway API; therefore, it doesn’t yet have a way to configure session persistence. [Hashicorp Consul API Gateway Docs](https://developer.hashicorp.com/consul/docs/api-gateway) |
+| Kuma | Implementation (Envoy) | None | None | None | Kuma has no documentation on how it supports session persistence or cookies. [Kuma Docs](https://kuma.io/docs/2.1.x/) |
+| Cilium | Implementation / Dataplane | None | None | None | Cilium has no documented way of doing session persistence. [Cilium Docs](https://cilium.io/) |
+| Kong | Implementation / Dataplane | [Cookie-Based](https://docs.konghq.com/hub/kong-inc/session/) | cookie_name=name<br>rolling_timeout=timeout<br>absolute_timeout=timeout<br>idling_timeout=timeout<br>cookie_path=path<br>cookie_domain=domain<br>cookie_same_site=[Strict \| Lax \| None \| off]<br>cookie_http_only<br>cookie_secure=[true \| false]<br>stale_ttl=duration<br>cookie_persistent=[true \| false]<br>storage=storage_type | [Route, Service, Global](https://docs.konghq.com/hub/kong-inc/session/) (Route or Backends or Global) | N/A |
+| | | [Header-Based](https://docs.konghq.com/gateway/latest/how-kong-works/load-balancing/#balancing-algorithms) | name | [Upstreams](https://docs.konghq.com/gateway/3.2.x/admin-api/#add-upstream) (Backends) | |
+| Traefik | Implementation / Dataplane | [Cookie-Based](https://doc.traefik.io/traefik/routing/services/#sticky-sessions) | name=name<br>secure<br>httpOnly<br>sameSite=[none \| lax \| strict ] | [Services](https://doc.traefik.io/traefik/routing/services/#sticky-sessions) (Backends) | N/A |
+| Google CloudRun | Implementation / Dataplane | [Cookie-Based](https://cloud.google.com/run/docs/configuring/session-affinity) | Enabled / Disabled | [Service](https://cloud.google.com/run/docs/configuring/session-affinity) (Backends) | Only allowed to turn off or on, no other configuration items |
+| Flomesh Service Mesh | Implementation / Dataplane (Pipy) | ? | ? | ? | ? |
+| HAProxy Ingress | Implementation (HAProxy) | [Cookie-Based](https://haproxy-ingress.github.io/docs/configuration/keys/#affinity) | affinity (enable/disable)<br>cookie-key=key<br>session-cookie-domain=domain<br>session-cookie-dynamic=[true \| false]<br>session-cookie-keywords=keywords<br>session-cookie-name=name<br>session-cookie-preserve=[true \| false]<br>session-cookie-same-site=[true \| false]<br>session-cookie-shared=[true \| false]<br>session-cookie-strategy=strategy<br>session-cookie-value-strategy=value_strategy | [Backend](https://haproxy-ingress.github.io/docs/configuration/keys/#affinity) (Backends) | N/A |
+| Apache APISIX | Implementation (Nginx) | [Cookie-Based](https://apisix.apache.org/docs/apisix/admin-api/#upstream) | hash_on=[vars \| header \| cookie \| consumer]<br>key=cookie_name | [Upstream](https://apisix.apache.org/docs/apisix/admin-api/#upstream) (Route or Backends) | N/A |
+| | Implementation (Nginx) | [Header-Based](https://apisix.apache.org/docs/apisix/terminology/upstream/#header) | hash_on=[vars \| header \| cookie \| consumer]<br>key=header_name | [Upstream](https://apisix.apache.org/docs/apisix/admin-api/#upstream) (Route or Backends) | N/A |
+| NGINX Kubernetes Gateway | Implementation (Nginx) | N/A | Supports Gateway API Only* | N/A | *NGINX Kubernetes Gateway solely uses Gateway API; therefore, it doesn’t yet have a way to configure session persistence. [Nginx Kubernetes Gateway Docs](https://github.com/nginxinc/nginx-kubernetes-gateway) |
+| Java Servlet | Web Server | [Cookie-Based / URL-Encoded](https://docs.oracle.com/javaee/7/api/javax/servlet/http/HttpSession.html) | invalidate()<br>setAttribute(String name, Object value)<br>setMaxInactiveInterval(int interval) | N/A | Java Servlets do not natively support proxy functions. |
+| Apache httpd | Web Server | [Cookie-Based / URL-Encoded](https://httpd.apache.org/docs/2.4/mod/mod_proxy_balancer.html) | Cookie Attributes | N/A | N/A |
+
+**Session Affinity**
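Review bot: The Flomesh Service Mesh row is entirely `?` placeholders, which reads as unresearched rather than unsupported; the Kuma and Cilium rows use `None` with a note and the Consul and NGINX Kubernetes Gateway rows use `N/A`, so either fill the row in or record it as an open item in the GEP. In the Kong row, `cookie_http_only` is listed without a value set while `cookie_secure=[true \| false]` spells one out; listing both the same way would make the security-relevant cookie attributes easier to compare across implementations.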
Added Google GKE, but left Google Cloud Run, let me know if I am
conflating the two
Thanks @gcs278! A couple very tiny nits but these don't need to block merging.
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: gcs278, robscott, shaneutt, youngnick The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/lgtm I'll leave the hold though until @gcs278 has a chance to address those nits.
…affinity
- This update adds concrete configuration for session persistence and affinity to help lay a framework for future potential API design
- Add additional open questions
- Add note on IP Address reuse in security & privacy section
- Add note about client application's role in session initiation
- Add helpful references
c3c3fbb
to
1b09832
Compare
Thanks @gcs278! /lgtm
/hold cancel
No one ever mentioned #1619 to create the link, sigh.
What type of PR is this?
/kind gep
What this PR does / why we need it:
This update adds concrete configuration for session persistence and affinity to help lay a framework for future potential API design.
We are building iteratively on GEP-1619 by taking small steps towards a workable solution. This PR does not introduce concrete API design yet, but that is expected to come in the near future.
Review this GEP PR with Markdown Rendered: https://github.com/gcs278/gateway-api/blob/gep-1619-cookie-configuration/geps/gep-1619.md
Which issue(s) this PR fixes:
NONE
Does this PR introduce a user-facing change?: