Refactor the VCL implementation of self-sharding & primary-only.

Updated code contributed by @slink.

Refactor the VCL implementation of self-sharding & primary-only.
Updated code contributed by @slink.
6976e9ad · Geoff Simmons · bd36d1da · 6976e9ad · 6976e9ad · 6976e9ad
Commit 6976e9ad authored Apr 26, 2021 by Geoff Simmons
14 changed files
--- a/examples/hello/cafe.vtc
+++ b/examples/hello/cafe.vtc
@@ -2,23 +2,31 @@

 varnishtest "cafe example (hello world for Ingress)"

+# The beresp may send Connection:close, if Varnish went to pipe due to
+# primary-only. So we run each test in a separate connection.
 client c1 -connect "${localhost} ${localport}" {
 	txreq -url /coffee/foo/bar -hdr "Host: cafe.example.com"
 	rxresp
 	expect resp.status == 200
 	expect resp.body ~ "(?m)^URI: /coffee/foo/bar$"
 	expect resp.body ~ "(?m)^Server name: coffee-[a-z0-9]+-[a-z0-9]+$"
+} -run

+client c1 -connect "${localhost} ${localport}" {
 	txreq -url /tea/baz/quux -hdr "Host: cafe.example.com"
 	rxresp
 	expect resp.status == 200
 	expect resp.body ~ "(?m)^URI: /tea/baz/quux$"
 	expect resp.body ~ "(?m)^Server name: tea-[a-z0-9]+-[a-z0-9]+$"
+} -run

+client c1 -connect "${localhost} ${localport}" {
 	txreq -url /coffee/foo/bar
 	rxresp
 	expect resp.status == 404
+} -run

+client c1 -connect "${localhost} ${localport}" {
 	txreq -url /milk -hdr "Host: cafe.example.com"
 	rxresp
 	expect resp.status == 404

--- a/examples/self-sharding/Makefile
+++ b/examples/self-sharding/Makefile
@@ -54,6 +54,10 @@ deploy-shard-by-key-helm:
 	@helm install viking-ingress-shard-by-key $(CHARTDIR)/viking-test-app \
 		--values values-shard-by-key.yaml

+deploy-primary-only-by-clientid-helm:
+	@helm install viking-ingress-primary-only-by-clientid $(CHARTDIR)/viking-test-app \
+		--values values-primary-only-by-clientid.yaml
+
 deploy-cafe-kubectl:
 	@kubectl apply -f $(mkdir)/../hello/cafe.yaml
 	@kubectl apply -f $(mkdir)/../hello/cafe-ingress.yaml
@@ -101,6 +105,10 @@ undeploy-shard-by-key-helm:
 	@helm uninstall viking-ingress-shard-by-key
 	$(MAKE) wait

+undeploy-primary-only-by-clientid-helm:
+	@helm uninstall viking-ingress-primary-only-by-clientid
+	$(MAKE) wait
+
 undeploy-cafe-kubectl:
 	@kubectl delete -f $(mkdir)/../hello/cafe-ingress.yaml
 	@kubectl delete -f $(mkdir)/../hello/cafe.yaml
@@ -152,6 +160,8 @@ deploy-shard-by-url: deploy-shard-by-url-helm
 undeploy-shard-by-url: undeploy-shard-by-url-helm
 deploy-shard-by-key: deploy-shard-by-key-helm
 undeploy-shard-by-key: undeploy-shard-by-key-helm
+deploy-primary-only-by-clientid: deploy-primary-only-by-clientid-helm
+undeploy-primary-only-by-clientid: undeploy-primary-only-by-clientid-helm
 endif

 ifeq ($(EXAMPLE),self-sharding)
@@ -169,9 +179,12 @@ undeploy: undeploy-shard-by-url
 else ifeq ($(EXAMPLE),shard-by-key)
 deploy: deploy-shard-by-key
 undeploy: undeploy-shard-by-key
+else ifeq ($(EXAMPLE),primary-only-by-clientid)
+deploy: deploy-primary-only-by-clientid
+undeploy: undeploy-primary-only-by-clientid
 else
 deploy undeploy:
-	$(error EXAMPLE must be set to self-sharding, primary-only, or shard-by-[digest|url|key])
+	$(error EXAMPLE must be set to self-sharding, primary-only[-by-clientid], or shard-by-[digest|url|key])
 endif

 .PHONY: all $(MAKECMDGOALS)
--- a/examples/self-sharding/values-primary-only-by-clientid.yaml
+++ b/examples/self-sharding/values-primary-only-by-clientid.yaml
+apps:
+  coffee:
+    image: nginxdemos/hello:plain-text
+    replicas: 2
+  tea:
+    image: nginxdemos/hello:plain-text
+    replicas: 3
+
+ingress:
+  name: cafe-ingress
+  rules:
+  - host: cafe.example.com
+    paths:
+    - path: /tea
+      app: tea
+    - path: /coffee
+      app: coffee
+
+vikingAdmSvc: varnish-ingress-admin
+
+selfSharding:
+  primaryOnly: true
+  key: client.identity
+  probe:
+    timeout: 6s
+    interval: 6s
+    initial: 2
+    window: 4
+    threshold: 3
--- a/pkg/controller/varnishconfig.go
+++ b/pkg/controller/varnishconfig.go
@@ -309,11 +309,17 @@ func (worker *NamespaceWorker) configSharding(spec *vcl.Spec,
 					Addresses: make([]vcl.Address, 1),
 				}
 				ns, name := getTargetPod(addr)
-				if ns != "" && name != "" {
-					node.Name = eps.Name
-					node.Addresses[0].PodNamespace = ns
-					node.Addresses[0].PodName = name
+				if ns == "" || name == "" {
+					return update.MakeFatal(
+						"Pod namespace or name not "+
+							"known for Endpoint "+
+							"%s/%s ip=%s",
+						eps.Namespace, eps.Name,
+						addr.IP)
 				}
+				node.Name = eps.Name
+				node.Addresses[0].PodNamespace = ns
+				node.Addresses[0].PodName = name
 				node.Addresses[0].IP = addr.IP
 				node.Addresses[0].Port = httpPort
 				spec.ShardCluster.Nodes =

--- a/pkg/varnish/vcl/self_shard_tmpl.go
+++ b/pkg/varnish/vcl/self_shard_tmpl.go
@@ -38,6 +38,7 @@ import std;
 import directors;
 import blob;
 import blobdigest;
+import taskvar;

 probe vk8s_probe_varnish {
 	.request = "HEAD /vk8s_cluster_health HTTP/1.1"
@@ -61,7 +62,7 @@ probe vk8s_probe_varnish {
 }

 {{range $node := .Nodes -}}
-backend {{backendName $node}} {
+backend {{nodeName $node}} {
 	.host = "{{(index $node.Addresses 0).IP}}";
 	.port = "{{(index $node.Addresses 0).Port}}";
 	.probe = vk8s_probe_varnish;
@@ -80,23 +81,24 @@ sub vcl_init {
 	new vk8s_cluster = directors.shard();
 	vk8s_cluster.associate(vk8s_cluster_param.use());
 	{{range $node := .Nodes -}}
-	vk8s_cluster.add_backend({{backendName $node}});
+	vk8s_cluster.add_backend({{nodeName $node}});
 	{{end -}}
 	vk8s_cluster.reconfigure();
 	{{- digest_init . }}
+	{{ if .PrimaryOnly -}}
+	new vk8s_cluster_primary = taskvar.backend();
+	{{- end }}
 }

 sub vcl_recv {
 	{{ if .PrimaryOnly -}}
-	unset req.http.VK8S-Shard-Primary-Only;
 	{{- digest_update 'c' . }}
+	vk8s_cluster_primary.set(vk8s_cluster.backend(resolve=NOW
+		{{- key 'c' .}}));
 	if (remote.ip !~ vk8s_cluster_acl
-	    && "" + vk8s_cluster.backend(resolve=NOW
-                                         {{- key 'c' .}}) != server.identity) {
-		set req.http.VK8S-Shard-Primary-Only = "true";
-		set req.backend_hint = vk8s_cluster.backend(resolve=NOW
-                                                            {{- key 'c' .}});
-		return (pass);
+	    && "" + vk8s_cluster_primary.get() != server.identity) {
+		set req.backend_hint = vk8s_cluster_primary.get();
+		return (pipe);
 	}
 	else {{ end }}if (remote.ip ~ vk8s_cluster_acl) {
 		if (req.http.Host == "vk8s_cluster") {
@@ -117,19 +119,8 @@ sub vcl_recv {
 		return (hash);
 	}
 }
-{{ if .PrimaryOnly }}
-sub vcl_pass {
-	if (req.http.VK8S-Shard-Primary-Only) {
-		return (fetch);
-	}
-}
-{{ end }}
+
 sub vcl_backend_fetch {
-	{{- if .PrimaryOnly }}
-	if (bereq.http.VK8S-Shard-Primary-Only) {
-		return (fetch);
-	}
-	{{- end }}
 	{{- digest_update 'b' . }}
 	vk8s_cluster_param.set({{ key 'b' .}});
 	if (bereq.retries == 0 
@@ -143,11 +134,6 @@ sub vcl_backend_fetch {
 }

 sub vcl_backend_response {
-	{{- if .PrimaryOnly }}
-	if (bereq.http.VK8S-Shard-Primary-Only) {
-		return (deliver);
-	}
-	{{- end }}
 	if (bereq.backend == vk8s_cluster.backend(resolve=LAZY)) {
 	        if (beresp.http.VK8S-Cluster-TTL) {
 		        set beresp.ttl = std.duration(
@@ -171,13 +157,10 @@ sub vcl_backend_error {
 }

 sub vcl_deliver {
-	{{- if .PrimaryOnly }}
-	if (req.http.VK8S-Shard-Primary-Only) {
-		return (deliver);
-	}
-	{{- end }}
 	unset resp.http.VK8S-Cluster-TTL;
-	if (remote.ip ~ vk8s_cluster_acl) {
+	if (remote.ip ~ vk8s_cluster_acl
+		{{- if .PrimaryOnly }} && ! vk8s_cluster_primary.defined()
+		{{- end }}) {
 		if (! obj.uncacheable) {
 			set resp.http.VK8S-Cluster-TTL = obj.ttl;
 		}
@@ -234,8 +217,11 @@ var shardFuncMap = template.FuncMap{
 	"key":           keyParams,
 	"digest_init":   digestInit,
 	"digest_update": digestUpdate,
-	"backendName": func(svc Service) string {
-		return backendName(svc, svc.Addresses[0])
+	"nodeName": func(svc Service) string {
+		// MUST match -i setting in the varnishd invocaton
+		// (server.identity)
+		addr := svc.Addresses[0]
+		return "vk8s_" + addr.PodNamespace + "_" + addr.PodName
 	},
 }


--- a/pkg/varnish/vcl/testdata/ingress_shard.golden
+++ b/pkg/varnish/vcl/testdata/ingress_shard.golden
@@ -75,6 +75,7 @@ import std;
 import directors;
 import blob;
 import blobdigest;
+import taskvar;

 probe vk8s_probe_varnish {
 	.request = "HEAD /vk8s_cluster_health HTTP/1.1"
@@ -87,19 +88,19 @@ probe vk8s_probe_varnish {
 	.threshold = 3;
 }

-backend vk8s_default_varnish-8445d4f7f-z2b9p_80 {
+backend vk8s_default_varnish-8445d4f7f-z2b9p {
 	.host = "172.17.0.12";
 	.port = "80";
 	.probe = vk8s_probe_varnish;
 }

-backend vk8s_viking-service_172_17_0_13_80 {
+backend vk8s__ {
 	.host = "172.17.0.13";
 	.port = "80";
 	.probe = vk8s_probe_varnish;
 }

-backend vk8s_default_varnish-8445d4f7f-ldljf_80 {
+backend vk8s_default_varnish-8445d4f7f-ldljf {
 	.host = "172.17.0.14";
 	.port = "80";
 	.probe = vk8s_probe_varnish;
@@ -115,10 +116,11 @@ sub vcl_init {
 	new vk8s_cluster_param = directors.shard_param();
 	new vk8s_cluster = directors.shard();
 	vk8s_cluster.associate(vk8s_cluster_param.use());
-	vk8s_cluster.add_backend(vk8s_default_varnish-8445d4f7f-z2b9p_80);
-	vk8s_cluster.add_backend(vk8s_viking-service_172_17_0_13_80);
-	vk8s_cluster.add_backend(vk8s_default_varnish-8445d4f7f-ldljf_80);
+	vk8s_cluster.add_backend(vk8s_default_varnish-8445d4f7f-z2b9p);
+	vk8s_cluster.add_backend(vk8s__);
+	vk8s_cluster.add_backend(vk8s_default_varnish-8445d4f7f-ldljf);
 	vk8s_cluster.reconfigure();
+	
 }

 sub vcl_recv {

--- a/pkg/varnish/vcl/testdata/primaryonly_shard.golden
+++ b/pkg/varnish/vcl/testdata/primaryonly_shard.golden
@@ -3,6 +3,7 @@ import std;
 import directors;
 import blob;
 import blobdigest;
+import taskvar;

 probe vk8s_probe_varnish {
 	.request = "HEAD /vk8s_cluster_health HTTP/1.1"
@@ -15,19 +16,19 @@ probe vk8s_probe_varnish {
 	.threshold = 3;
 }

-backend vk8s_default_varnish-8445d4f7f-z2b9p_80 {
+backend vk8s_default_varnish-8445d4f7f-z2b9p {
 	.host = "172.17.0.12";
 	.port = "80";
 	.probe = vk8s_probe_varnish;
 }

-backend vk8s_viking-service_172_17_0_13_80 {
+backend vk8s__ {
 	.host = "172.17.0.13";
 	.port = "80";
 	.probe = vk8s_probe_varnish;
 }

-backend vk8s_default_varnish-8445d4f7f-ldljf_80 {
+backend vk8s_default_varnish-8445d4f7f-ldljf {
 	.host = "172.17.0.14";
 	.port = "80";
 	.probe = vk8s_probe_varnish;
@@ -43,19 +44,20 @@ sub vcl_init {
 	new vk8s_cluster_param = directors.shard_param();
 	new vk8s_cluster = directors.shard();
 	vk8s_cluster.associate(vk8s_cluster_param.use());
-	vk8s_cluster.add_backend(vk8s_default_varnish-8445d4f7f-z2b9p_80);
-	vk8s_cluster.add_backend(vk8s_viking-service_172_17_0_13_80);
-	vk8s_cluster.add_backend(vk8s_default_varnish-8445d4f7f-ldljf_80);
+	vk8s_cluster.add_backend(vk8s_default_varnish-8445d4f7f-z2b9p);
+	vk8s_cluster.add_backend(vk8s__);
+	vk8s_cluster.add_backend(vk8s_default_varnish-8445d4f7f-ldljf);
 	vk8s_cluster.reconfigure();
+	new vk8s_cluster_primary = taskvar.backend();
 }

 sub vcl_recv {
-	unset req.http.VK8S-Shard-Primary-Only;
+	
+	vk8s_cluster_primary.set(vk8s_cluster.backend(resolve=NOW));
 	if (remote.ip !~ vk8s_cluster_acl
-	    && "" + vk8s_cluster.backend(resolve=NOW) != server.identity) {
-		set req.http.VK8S-Shard-Primary-Only = "true";
-		set req.backend_hint = vk8s_cluster.backend(resolve=NOW);
-		return (pass);
+	    && "" + vk8s_cluster_primary.get() != server.identity) {
+		set req.backend_hint = vk8s_cluster_primary.get();
+		return (pipe);
 	}
 	else if (remote.ip ~ vk8s_cluster_acl) {
 		if (req.http.Host == "vk8s_cluster") {
@@ -77,16 +79,7 @@ sub vcl_recv {
 	}
 }

-sub vcl_pass {
-	if (req.http.VK8S-Shard-Primary-Only) {
-		return (fetch);
-	}
-}
-
 sub vcl_backend_fetch {
-	if (bereq.http.VK8S-Shard-Primary-Only) {
-		return (fetch);
-	}
 	vk8s_cluster_param.set();
 	if (bereq.retries == 0 
 	    && !bereq.uncacheable
@@ -99,9 +92,6 @@ sub vcl_backend_fetch {
 }

 sub vcl_backend_response {
-	if (bereq.http.VK8S-Shard-Primary-Only) {
-		return (deliver);
-	}
 	if (bereq.backend == vk8s_cluster.backend(resolve=LAZY)) {
 	        if (beresp.http.VK8S-Cluster-TTL) {
 		        set beresp.ttl = std.duration(
@@ -125,11 +115,8 @@ sub vcl_backend_error {
 }

 sub vcl_deliver {
-	if (req.http.VK8S-Shard-Primary-Only) {
-		return (deliver);
-	}
 	unset resp.http.VK8S-Cluster-TTL;
-	if (remote.ip ~ vk8s_cluster_acl) {
+	if (remote.ip ~ vk8s_cluster_acl && ! vk8s_cluster_primary.defined()) {
 		if (! obj.uncacheable) {
 			set resp.http.VK8S-Cluster-TTL = obj.ttl;
 		}

--- a/pkg/varnish/vcl/testdata/shard.golden
+++ b/pkg/varnish/vcl/testdata/shard.golden
@@ -3,6 +3,7 @@ import std;
 import directors;
 import blob;
 import blobdigest;
+import taskvar;

 probe vk8s_probe_varnish {
 	.request = "HEAD /vk8s_cluster_health HTTP/1.1"
@@ -15,19 +16,19 @@ probe vk8s_probe_varnish {
 	.threshold = 3;
 }

-backend vk8s_default_varnish-8445d4f7f-z2b9p_80 {
+backend vk8s_default_varnish-8445d4f7f-z2b9p {
 	.host = "172.17.0.12";
 	.port = "80";
 	.probe = vk8s_probe_varnish;
 }

-backend vk8s_viking-service_172_17_0_13_80 {
+backend vk8s__ {
 	.host = "172.17.0.13";
 	.port = "80";
 	.probe = vk8s_probe_varnish;
 }

-backend vk8s_default_varnish-8445d4f7f-ldljf_80 {
+backend vk8s_default_varnish-8445d4f7f-ldljf {
 	.host = "172.17.0.14";
 	.port = "80";
 	.probe = vk8s_probe_varnish;
@@ -43,10 +44,11 @@ sub vcl_init {
 	new vk8s_cluster_param = directors.shard_param();
 	new vk8s_cluster = directors.shard();
 	vk8s_cluster.associate(vk8s_cluster_param.use());
-	vk8s_cluster.add_backend(vk8s_default_varnish-8445d4f7f-z2b9p_80);
-	vk8s_cluster.add_backend(vk8s_viking-service_172_17_0_13_80);
-	vk8s_cluster.add_backend(vk8s_default_varnish-8445d4f7f-ldljf_80);
+	vk8s_cluster.add_backend(vk8s_default_varnish-8445d4f7f-z2b9p);
+	vk8s_cluster.add_backend(vk8s__);
+	vk8s_cluster.add_backend(vk8s_default_varnish-8445d4f7f-ldljf);
 	vk8s_cluster.reconfigure();
+	
 }

 sub vcl_recv {

--- a/pkg/varnish/vcl/testdata/shard_by_digest.golden
+++ b/pkg/varnish/vcl/testdata/shard_by_digest.golden
@@ -3,6 +3,7 @@ import std;
 import directors;
 import blob;
 import blobdigest;
+import taskvar;

 probe vk8s_probe_varnish {
 	.request = "HEAD /vk8s_cluster_health HTTP/1.1"
@@ -15,19 +16,19 @@ probe vk8s_probe_varnish {
 	.threshold = 3;
 }

-backend vk8s_default_varnish-8445d4f7f-z2b9p_80 {
+backend vk8s_default_varnish-8445d4f7f-z2b9p {
 	.host = "172.17.0.12";
 	.port = "80";
 	.probe = vk8s_probe_varnish;
 }

-backend vk8s_viking-service_172_17_0_13_80 {
+backend vk8s__ {
 	.host = "172.17.0.13";
 	.port = "80";
 	.probe = vk8s_probe_varnish;
 }

-backend vk8s_default_varnish-8445d4f7f-ldljf_80 {
+backend vk8s_default_varnish-8445d4f7f-ldljf {
 	.host = "172.17.0.14";
 	.port = "80";
 	.probe = vk8s_probe_varnish;
@@ -43,21 +44,22 @@ sub vcl_init {
 	new vk8s_cluster_param = directors.shard_param();
 	new vk8s_cluster = directors.shard();
 	vk8s_cluster.associate(vk8s_cluster_param.use());
-	vk8s_cluster.add_backend(vk8s_default_varnish-8445d4f7f-z2b9p_80);
-	vk8s_cluster.add_backend(vk8s_viking-service_172_17_0_13_80);
-	vk8s_cluster.add_backend(vk8s_default_varnish-8445d4f7f-ldljf_80);
+	vk8s_cluster.add_backend(vk8s_default_varnish-8445d4f7f-z2b9p);
+	vk8s_cluster.add_backend(vk8s__);
+	vk8s_cluster.add_backend(vk8s_default_varnish-8445d4f7f-ldljf);
 	vk8s_cluster.reconfigure();
 	new vk8s_shard_digest = blobdigest.digest(SHA3_512);
+	new vk8s_cluster_primary = taskvar.backend();
 }

 sub vcl_recv {
-	unset req.http.VK8S-Shard-Primary-Only;
+	
 	vk8s_shard_digest.update(blob.decode(encoded=req.http.Host));
+	vk8s_cluster_primary.set(vk8s_cluster.backend(resolve=NOW, by=BLOB, key_blob=vk8s_shard_digest.final()));
 	if (remote.ip !~ vk8s_cluster_acl
-	    && "" + vk8s_cluster.backend(resolve=NOW, by=BLOB, key_blob=vk8s_shard_digest.final()) != server.identity) {
-		set req.http.VK8S-Shard-Primary-Only = "true";
-		set req.backend_hint = vk8s_cluster.backend(resolve=NOW, by=BLOB, key_blob=vk8s_shard_digest.final());
-		return (pass);
+	    && "" + vk8s_cluster_primary.get() != server.identity) {
+		set req.backend_hint = vk8s_cluster_primary.get();
+		return (pipe);
 	}
 	else if (remote.ip ~ vk8s_cluster_acl) {
 		if (req.http.Host == "vk8s_cluster") {
@@ -79,16 +81,7 @@ sub vcl_recv {
 	}
 }

-sub vcl_pass {
-	if (req.http.VK8S-Shard-Primary-Only) {
-		return (fetch);
-	}
-}
-
 sub vcl_backend_fetch {
-	if (bereq.http.VK8S-Shard-Primary-Only) {
-		return (fetch);
-	}
 	vk8s_shard_digest.update(blob.decode(encoded=bereq.http.Host));
 	vk8s_cluster_param.set(by=BLOB, key_blob=vk8s_shard_digest.final());
 	if (bereq.retries == 0 
@@ -102,9 +95,6 @@ sub vcl_backend_fetch {
 }

 sub vcl_backend_response {
-	if (bereq.http.VK8S-Shard-Primary-Only) {
-		return (deliver);
-	}
 	if (bereq.backend == vk8s_cluster.backend(resolve=LAZY)) {
 	        if (beresp.http.VK8S-Cluster-TTL) {
 		        set beresp.ttl = std.duration(
@@ -128,11 +118,8 @@ sub vcl_backend_error {
 }

 sub vcl_deliver {
-	if (req.http.VK8S-Shard-Primary-Only) {
-		return (deliver);
-	}
 	unset resp.http.VK8S-Cluster-TTL;
-	if (remote.ip ~ vk8s_cluster_acl) {
+	if (remote.ip ~ vk8s_cluster_acl && ! vk8s_cluster_primary.defined()) {
 		if (! obj.uncacheable) {
 			set resp.http.VK8S-Cluster-TTL = obj.ttl;
 		}

--- a/pkg/varnish/vcl/testdata/shard_by_key.golden
+++ b/pkg/varnish/vcl/testdata/shard_by_key.golden
@@ -3,6 +3,7 @@ import std;
 import directors;
 import blob;
 import blobdigest;
+import taskvar;

 probe vk8s_probe_varnish {
 	.request = "HEAD /vk8s_cluster_health HTTP/1.1"
@@ -15,19 +16,19 @@ probe vk8s_probe_varnish {
 	.threshold = 3;
 }

-backend vk8s_default_varnish-8445d4f7f-z2b9p_80 {
+backend vk8s_default_varnish-8445d4f7f-z2b9p {
 	.host = "172.17.0.12";
 	.port = "80";
 	.probe = vk8s_probe_varnish;
 }

-backend vk8s_viking-service_172_17_0_13_80 {
+backend vk8s__ {
 	.host = "172.17.0.13";
 	.port = "80";
 	.probe = vk8s_probe_varnish;
 }

-backend vk8s_default_varnish-8445d4f7f-ldljf_80 {
+backend vk8s_default_varnish-8445d4f7f-ldljf {
 	.host = "172.17.0.14";
 	.port = "80";
 	.probe = vk8s_probe_varnish;
@@ -43,19 +44,20 @@ sub vcl_init {
 	new vk8s_cluster_param = directors.shard_param();
 	new vk8s_cluster = directors.shard();
 	vk8s_cluster.associate(vk8s_cluster_param.use());
-	vk8s_cluster.add_backend(vk8s_default_varnish-8445d4f7f-z2b9p_80);
-	vk8s_cluster.add_backend(vk8s_viking-service_172_17_0_13_80);
-	vk8s_cluster.add_backend(vk8s_default_varnish-8445d4f7f-ldljf_80);
+	vk8s_cluster.add_backend(vk8s_default_varnish-8445d4f7f-z2b9p);
+	vk8s_cluster.add_backend(vk8s__);
+	vk8s_cluster.add_backend(vk8s_default_varnish-8445d4f7f-ldljf);
 	vk8s_cluster.reconfigure();
+	new vk8s_cluster_primary = taskvar.backend();
 }

 sub vcl_recv {
-	unset req.http.VK8S-Shard-Primary-Only;
+	
+	vk8s_cluster_primary.set(vk8s_cluster.backend(resolve=NOW, by=KEY, key=vk8s_cluster.key(req.http.Host)));
 	if (remote.ip !~ vk8s_cluster_acl
-	    && "" + vk8s_cluster.backend(resolve=NOW, by=KEY, key=vk8s_cluster.key(req.http.Host)) != server.identity) {
-		set req.http.VK8S-Shard-Primary-Only = "true";
-		set req.backend_hint = vk8s_cluster.backend(resolve=NOW, by=KEY, key=vk8s_cluster.key(req.http.Host));
-		return (pass);
+	    && "" + vk8s_cluster_primary.get() != server.identity) {
+		set req.backend_hint = vk8s_cluster_primary.get();
+		return (pipe);
 	}
 	else if (remote.ip ~ vk8s_cluster_acl) {
 		if (req.http.Host == "vk8s_cluster") {
@@ -77,16 +79,7 @@ sub vcl_recv {
 	}
 }

-sub vcl_pass {
-	if (req.http.VK8S-Shard-Primary-Only) {
-		return (fetch);
-	}
-}
-
 sub vcl_backend_fetch {
-	if (bereq.http.VK8S-Shard-Primary-Only) {
-		return (fetch);
-	}
 	vk8s_cluster_param.set(by=KEY, key=vk8s_cluster.key(bereq.http.Host));
 	if (bereq.retries == 0 
 	    && !bereq.uncacheable
@@ -99,9 +92,6 @@ sub vcl_backend_fetch {
 }

 sub vcl_backend_response {
-	if (bereq.http.VK8S-Shard-Primary-Only) {
-		return (deliver);
-	}
 	if (bereq.backend == vk8s_cluster.backend(resolve=LAZY)) {
 	        if (beresp.http.VK8S-Cluster-TTL) {
 		        set beresp.ttl = std.duration(
@@ -125,11 +115,8 @@ sub vcl_backend_error {
 }

 sub vcl_deliver {
-	if (req.http.VK8S-Shard-Primary-Only) {
-		return (deliver);
-	}
 	unset resp.http.VK8S-Cluster-TTL;
-	if (remote.ip ~ vk8s_cluster_acl) {
+	if (remote.ip ~ vk8s_cluster_acl && ! vk8s_cluster_primary.defined()) {
 		if (! obj.uncacheable) {
 			set resp.http.VK8S-Cluster-TTL = obj.ttl;
 		}

--- a/pkg/varnish/vcl/testdata/shard_by_url.golden
+++ b/pkg/varnish/vcl/testdata/shard_by_url.golden
@@ -3,6 +3,7 @@ import std;
 import directors;
 import blob;
 import blobdigest;
+import taskvar;

 probe vk8s_probe_varnish {
 	.request = "HEAD /vk8s_cluster_health HTTP/1.1"
@@ -15,19 +16,19 @@ probe vk8s_probe_varnish {
 	.threshold = 3;
 }

-backend vk8s_default_varnish-8445d4f7f-z2b9p_80 {
+backend vk8s_default_varnish-8445d4f7f-z2b9p {
 	.host = "172.17.0.12";
 	.port = "80";
 	.probe = vk8s_probe_varnish;
 }

-backend vk8s_viking-service_172_17_0_13_80 {
+backend vk8s__ {
 	.host = "172.17.0.13";
 	.port = "80";
 	.probe = vk8s_probe_varnish;
 }

-backend vk8s_default_varnish-8445d4f7f-ldljf_80 {
+backend vk8s_default_varnish-8445d4f7f-ldljf {
 	.host = "172.17.0.14";
 	.port = "80";
 	.probe = vk8s_probe_varnish;
@@ -43,19 +44,20 @@ sub vcl_init {
 	new vk8s_cluster_param = directors.shard_param();
 	new vk8s_cluster = directors.shard();
 	vk8s_cluster.associate(vk8s_cluster_param.use());
-	vk8s_cluster.add_backend(vk8s_default_varnish-8445d4f7f-z2b9p_80);
-	vk8s_cluster.add_backend(vk8s_viking-service_172_17_0_13_80);
-	vk8s_cluster.add_backend(vk8s_default_varnish-8445d4f7f-ldljf_80);
+	vk8s_cluster.add_backend(vk8s_default_varnish-8445d4f7f-z2b9p);
+	vk8s_cluster.add_backend(vk8s__);
+	vk8s_cluster.add_backend(vk8s_default_varnish-8445d4f7f-ldljf);
 	vk8s_cluster.reconfigure();
+	new vk8s_cluster_primary = taskvar.backend();
 }

 sub vcl_recv {
-	unset req.http.VK8S-Shard-Primary-Only;
+	
+	vk8s_cluster_primary.set(vk8s_cluster.backend(resolve=NOW, by=URL));
 	if (remote.ip !~ vk8s_cluster_acl
-	    && "" + vk8s_cluster.backend(resolve=NOW, by=URL) != server.identity) {
-		set req.http.VK8S-Shard-Primary-Only = "true";
-		set req.backend_hint = vk8s_cluster.backend(resolve=NOW, by=URL);
-		return (pass);
+	    && "" + vk8s_cluster_primary.get() != server.identity) {
+		set req.backend_hint = vk8s_cluster_primary.get();
+		return (pipe);
 	}
 	else if (remote.ip ~ vk8s_cluster_acl) {
 		if (req.http.Host == "vk8s_cluster") {
@@ -77,16 +79,7 @@ sub vcl_recv {
 	}
 }

-sub vcl_pass {
-	if (req.http.VK8S-Shard-Primary-Only) {
-		return (fetch);
-	}
-}
-
 sub vcl_backend_fetch {
-	if (bereq.http.VK8S-Shard-Primary-Only) {
-		return (fetch);
-	}
 	vk8s_cluster_param.set(by=URL);
 	if (bereq.retries == 0 
 	    && !bereq.uncacheable
@@ -99,9 +92,6 @@ sub vcl_backend_fetch {
 }

 sub vcl_backend_response {
-	if (bereq.http.VK8S-Shard-Primary-Only) {
-		return (deliver);
-	}
 	if (bereq.backend == vk8s_cluster.backend(resolve=LAZY)) {
 	        if (beresp.http.VK8S-Cluster-TTL) {
 		        set beresp.ttl = std.duration(
@@ -125,11 +115,8 @@ sub vcl_backend_error {
 }

 sub vcl_deliver {
-	if (req.http.VK8S-Shard-Primary-Only) {
-		return (deliver);
-	}
 	unset resp.http.VK8S-Cluster-TTL;
-	if (remote.ip ~ vk8s_cluster_acl) {
+	if (remote.ip ~ vk8s_cluster_acl && ! vk8s_cluster_primary.defined()) {
 		if (! obj.uncacheable) {
 			set resp.http.VK8S-Cluster-TTL = obj.ttl;
 		}

--- a/test/e2e.sh
+++ b/test/e2e.sh
@@ -80,6 +80,9 @@ make EXAMPLE=shard-by-url deploy verify undeploy
 echo Self-sharding by key example
 make EXAMPLE=shard-by-key deploy verify undeploy

+echo Primary-only self-sharding by client.identity as key
+make EXAMPLE=primary-only-by-clientid deploy verify undeploy
+
 echo Basic Authentication example
 cd ${MYPATH}/../examples/authentication/
 make EXAMPLE=basic-auth deploy verify undeploy

--- a/test/e2e/tmplcfg/tmplcfg.yaml
+++ b/test/e2e/tmplcfg/tmplcfg.yaml
@@ -426,6 +426,7 @@ spec:
    import directors;
    import blob;
    import blobdigest;
+    import taskvar;

    probe vk8s_probe_varnish {
            .request = "HEAD /vk8s_cluster_health HTTP/1.1"
@@ -449,7 +450,7 @@ spec:
    }

    {{range $node := .Nodes -}}
-    backend {{backendName $node}} {
+    backend {{nodeName $node}} {
            .host = "{{(index $node.Addresses 0).IP}}";
            .port = "{{(index $node.Addresses 0).Port}}";
            .probe = vk8s_probe_varnish;
@@ -468,23 +469,24 @@ spec:
            new vk8s_cluster = directors.shard();
            vk8s_cluster.associate(vk8s_cluster_param.use());
            {{range $node := .Nodes -}}
-            vk8s_cluster.add_backend({{backendName $node}});
+            vk8s_cluster.add_backend({{nodeName $node}});
            {{end -}}
            vk8s_cluster.reconfigure();
            {{- digest_init . }}
+            {{ if .PrimaryOnly -}}
+	    new vk8s_cluster_primary = taskvar.backend();
+	    {{- end }}
    }

    sub vcl_recv {
            {{ if .PrimaryOnly -}}
-            unset req.http.VK8S-Shard-Primary-Only;
            {{- digest_update 'c' . }}
+	    vk8s_cluster_primary.set(vk8s_cluster.backend(resolve=NOW
+		{{- key 'c' .}}));
            if (remote.ip !~ vk8s_cluster_acl
-                && "" + vk8s_cluster.backend(resolve=NOW
-                                             {{- key 'c' .}}) != server.identity) {
-                    set req.http.VK8S-Shard-Primary-Only = "true";
-                    set req.backend_hint = vk8s_cluster.backend(resolve=NOW
-                                                                {{- key 'c' .}});
-                    return (pass);
+	        && "" + vk8s_cluster_primary.get() != server.identity) {
+                    set req.backend_hint = vk8s_cluster_primary.get();
+                    return (pipe);
            }
            else {{ end }}if (remote.ip ~ vk8s_cluster_acl) {
                    if (req.http.Host == "vk8s_cluster") {
@@ -505,19 +507,8 @@ spec:
                    return (hash);
            }
    }
-    {{ if .PrimaryOnly }}
-    sub vcl_pass {
-            if (req.http.VK8S-Shard-Primary-Only) {
-                    return (fetch);
-            }
-    }
-    {{ end }}
+
    sub vcl_backend_fetch {
-            {{- if .PrimaryOnly }}
-            if (bereq.http.VK8S-Shard-Primary-Only) {
-                    return (fetch);
-            }
-            {{- end }}
            {{- digest_update 'b' . }}
            vk8s_cluster_param.set({{ key 'b' .}});
            if (bereq.retries == 0 
@@ -531,11 +522,7 @@ spec:
    }

    sub vcl_backend_response {
-            {{- if .PrimaryOnly }}
-            if (bereq.http.VK8S-Shard-Primary-Only) {
-                    return (deliver);
-            }
-            {{- end }}
+            set beresp.http.Shard-Template = "override";
            if (bereq.backend == vk8s_cluster.backend(resolve=LAZY)) {
                    if (beresp.http.VK8S-Cluster-TTL) {
                            set beresp.ttl = std.duration(
@@ -560,13 +547,9 @@ spec:

    sub vcl_deliver {
            set resp.http.Shard-Template = "override";
-            {{- if .PrimaryOnly }}
-            if (req.http.VK8S-Shard-Primary-Only) {
-                    return (deliver);
-            }
-            {{- end }}
-            unset resp.http.VK8S-Cluster-TTL;
-            if (remote.ip ~ vk8s_cluster_acl) {
+            if (remote.ip ~ vk8s_cluster_acl
+		{{- if .PrimaryOnly }} && ! vk8s_cluster_primary.defined()
+		{{- end }}) {
                    if (! obj.uncacheable) {
                            set resp.http.VK8S-Cluster-TTL = obj.ttl;
                    }

--- a/test/e2e/tmplcfg/values.yaml
+++ b/test/e2e/tmplcfg/values.yaml
@@ -546,6 +546,7 @@ templates:
    import directors;
    import blob;
    import blobdigest;
+    import taskvar;

    probe vk8s_probe_varnish {
            .request = "HEAD /vk8s_cluster_health HTTP/1.1"
@@ -569,7 +570,7 @@ templates:
    }

    {{range $node := .Nodes -}}
-    backend {{backendName $node}} {
+    backend {{nodeName $node}} {
            .host = "{{(index $node.Addresses 0).IP}}";
            .port = "{{(index $node.Addresses 0).Port}}";
            .probe = vk8s_probe_varnish;
@@ -588,23 +589,24 @@ templates:
            new vk8s_cluster = directors.shard();
            vk8s_cluster.associate(vk8s_cluster_param.use());
            {{range $node := .Nodes -}}
-            vk8s_cluster.add_backend({{backendName $node}});
+            vk8s_cluster.add_backend({{nodeName $node}});
            {{end -}}
            vk8s_cluster.reconfigure();
            {{- digest_init . }}
+            {{ if .PrimaryOnly -}}
+            new vk8s_cluster_primary = taskvar.backend();
+            {{- end }}
    }

    sub vcl_recv {
            {{ if .PrimaryOnly -}}
-            unset req.http.VK8S-Shard-Primary-Only;
            {{- digest_update 'c' . }}
+            vk8s_cluster_primary.set(vk8s_cluster.backend(resolve=NOW
+                {{- key 'c' .}}));
            if (remote.ip !~ vk8s_cluster_acl
-                && "" + vk8s_cluster.backend(resolve=NOW
-                                             {{- key 'c' .}}) != server.identity) {
-                    set req.http.VK8S-Shard-Primary-Only = "true";
-                    set req.backend_hint = vk8s_cluster.backend(resolve=NOW
-                                                                {{- key 'c' .}});
-                    return (pass);
+                && "" + vk8s_cluster_primary.get() != server.identity) {
+                    set req.backend_hint = vk8s_cluster_primary.get();
+                    return (pipe);
            }
            else {{ end }}if (remote.ip ~ vk8s_cluster_acl) {
                    if (req.http.Host == "vk8s_cluster") {
@@ -625,19 +627,8 @@ templates:
                    return (hash);
            }
    }
-    {{ if .PrimaryOnly }}
-    sub vcl_pass {
-            if (req.http.VK8S-Shard-Primary-Only) {
-                    return (fetch);
-            }
-    }
-    {{ end }}
+
    sub vcl_backend_fetch {
-            {{- if .PrimaryOnly }}
-            if (bereq.http.VK8S-Shard-Primary-Only) {
-                    return (fetch);
-            }
-            {{- end }}
            {{- digest_update 'b' . }}
            vk8s_cluster_param.set({{ key 'b' .}});
            if (bereq.retries == 0 
@@ -651,11 +642,7 @@ templates:
    }

    sub vcl_backend_response {
-            {{- if .PrimaryOnly }}
-            if (bereq.http.VK8S-Shard-Primary-Only) {
-                    return (deliver);
-            }
-            {{- end }}
+            set beresp.http.Shard-Template = "override";
            if (bereq.backend == vk8s_cluster.backend(resolve=LAZY)) {
                    if (beresp.http.VK8S-Cluster-TTL) {
                            set beresp.ttl = std.duration(
@@ -679,14 +666,9 @@ templates:
    }

    sub vcl_deliver {
-            set resp.http.Shard-Template = "override";
-            {{- if .PrimaryOnly }}
-            if (req.http.VK8S-Shard-Primary-Only) {
-                    return (deliver);
-            }
-            {{- end }}
-            unset resp.http.VK8S-Cluster-TTL;
-            if (remote.ip ~ vk8s_cluster_acl) {
+            if (remote.ip ~ vk8s_cluster_acl
+                {{- if .PrimaryOnly }} && ! vk8s_cluster_primary.defined()
+                {{- end }}) {
                    if (! obj.uncacheable) {
                            set resp.http.VK8S-Cluster-TTL = obj.ttl;
                    }