
gateway-api: ALPN support

Open rauanmayemir opened this issue 1 year ago • 9 comments

This feature is hidden behind enable-gateway-api-alpn flag on the operator gwapi cell. The implementation will change envoy listener configuration to expose ALPN suggesting both HTTP/2 and HTTP/1.1.

Fixes: #30794

rauanmayemir avatar May 11 '24 14:05 rauanmayemir

/test

sayboras avatar May 13 '24 02:05 sayboras

The code itself looks good, but I think we should spend some time thinking about what this means for users.

Could you walk through some scenarios for me?

What happens when:

  • someone turns this on and is doing other TLS connections over HTTP2?
  • someone turns this on and is doing other TLS connections over HTTP1.1 (only)?

Basically, what I'm trying to think of here are situations where we should call out in the docs how this could break people before they enable it.

youngnick avatar May 16 '24 01:05 youngnick

@youngnick enabling ALPN doesn't change anything for connections explicitly specifying their protocols, it only plays if the client asks for available ALPN protocols (i.e. initiates negotiation).

With ALPN exposed, you can exec curl commands with either of --http1.1, --http2 or --http2-prior-knowledge, commands will work fine.

It could have broken clients if I negotiated http1.1, but my backend only serves http2. (I think this would have been the case with cilium anyway) But if you check the helm chart values, enabling ALPN will also enable appProtocol support which will opt to use HTTP1.1 by default for upstreams.

We can call out in the docs that if you enable ALPN, it will also enable appProtocol, so if one's upstream is serving HTTP2, they should specify appProtocol: kubernetes.io/h2c on their Service specs.

rauanmayemir avatar May 16 '24 07:05 rauanmayemir

> someone turns this on and is doing other TLS connections over HTTP2?

If their backend is only serving HTTP2 and they don't specify appProtocol: kubernetes.io/h2c and they enable ALPN (enabling appProtocol alongside), their requests will fail with 502 protocol error.

(unless they're using GRPCRoute which will force HTTP2 on the upstream whether you have appProtocol or not)

> someone turns this on and is doing other TLS connections over HTTP1.1 (only)?

Nothing will break.

rauanmayemir avatar May 16 '24 07:05 rauanmayemir

> If their backend is only serving HTTP2 and they don't specify appProtocol: kubernetes.io/h2c and they enable ALPN (enabling appProtocol alongside), their requests will fail with 502 protocol error.

Here, I was talking about hypothetical protocol negotiating scenario. ALPN doesn't change much for this case, because what breaks the traffic flow is enabling appProtocol, not ALPN.

rauanmayemir avatar May 20 '24 08:05 rauanmayemir

@youngnick Anything else we need for this to go in?

rauanmayemir avatar May 23 '24 07:05 rauanmayemir

/test

youngnick avatar May 27 '24 04:05 youngnick

/test

youngnick avatar May 28 '24 03:05 youngnick

@youngnick those flaky checks again. 😩

rauanmayemir avatar May 29 '24 07:05 rauanmayemir