hubble-ui
hubble-ui copied to clipboard
cilium
Exposing hubble-ui behind Contour/Envoy ingress leads to unsupported HTTP/2 protocol preface requests
Hi.
Using helm chart 1.12.7
I've exposed Hubble-UI through an ingress managed by Contour. I've exposed the path /api/ through a service configured with h2c protocol since these requests are HTTP/2 based.
Unfortunately, this does not work since, as far as I understand, configuring Contour to use gRPC requests leads to its reverse-proxy, envoy, to check if the upstream server (hubble-ui is this case) is talking HTTP/2 protocol with these requests:
100.83.80.69 - - [24/Feb/2023:16:45:17 +0000] "PRI * HTTP/2.0" 400 157 "-" "-" "-"
100.83.80.69 - - [24/Feb/2023:16:45:19 +0000] "PRI * HTTP/2.0" 400 157 "-" "-" "-"
100.83.80.69 - - [24/Feb/2023:16:45:25 +0000] "PRI * HTTP/2.0" 400 157 "-" "-" "-"
...
Hubble-UI does not like those requests and envoy is failing to start forwarding requests from /api/ to hubble-ui. A solution might be to stop envoy from sending those "probes" but it looks like it is not yet implemented. On the other hand, it looks like any HTTP/2 server should implement a response to the PRI verb.
Here is the ingress I'm using :
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: hubble-ui
namespace: kube-system
spec:
rules:
- host: hubble.somewhere.com
http:
paths:
- backend:
service:
name: hubble-ui
port:
name: http
path: /
pathType: Prefix
- host: hubble.somewhere.com
http:
paths:
- backend:
service:
name: hubble-ui-grpc
port:
name: http
path: /api/
pathType: Prefix
along with those two services:
---
apiVersion: v1
kind: Service
metadata:
name: hubble-ui
namespace: kube-system
spec:
ports:
- name: http
port: 80
protocol: TCP
targetPort: 8081
selector:
k8s-app: hubble-ui
---
apiVersion: v1
kind: Service
metadata:
annotations:
projectcontour.io/upstream-protocol.h2c: http
name: hubble-ui-grpc
namespace: kube-system
spec:
ports:
- name: http
port: 80
protocol: TCP
targetPort: 8081
selector:
k8s-app: hubble-ui
