
emissary does not configure knative grpc (http/2 cleartext) correctly

Open sdhoward opened this issue 3 years ago • 5 comments

Describe the bug

I want to create a Knative service with Emissary that responds using the grpc protocol. This will require the port to be labeled as h2c and for traffic between my emissary ingress gateway and my knative service to be cleartext HTTP/2. However, the configuration created by Emissary in Knative Mode does not specify h2c at all, and the connection to my service ends up being HTTP/1.1.

To Reproduce

I attempted to create such an h2c knative service with the following knative client command:

kn -n $NAMESPACE service create \
    --force my-service \
    --image=myregistry.example.com/myimage:latest \
    --pull-secret my-secret \
    --port "h2c:8080" \
    --annotation getambassador.io/ambassador-id=my-id \
    --no-wait

The image I refer to contains a Golang HTTP/2 cleartext (h2c) server resembling this example, to allow for easy troubleshooting.

When the ksvc is created I can verify that it contains a port in the spec named h2c:

  ports:
  - containerPort: 8080
    name: h2c

When I issue an HTTP/2 request to the service with curl --http2-prior-knowledge https://myservice.example.com/status, the connection my client makes with Emissary is HTTP/2, but the back-end connection that reaches my service is HTTP/1.1, confirmed with tcpdump.

Expected behavior

The connection that reaches my service should be cleartext HTTP/2. The Ambassador Diagnostics page should show that my service is known to be HTTP/2.

Versions (please complete the following information):

  • Kubernetes environment: bare metal
  • Kubernetes version v1.19.9
  • Emissary version: emissary-ingress v2.0.2-ea
  • Knative mode: on
  • Knative version: v0.22.2

Additional info

I also have a tlsconfig that looks like this:

{
  "ambassador_id": "my-id",
  "hosts": [
    "*.example.com"
  ],
  "min_tls_version": "v1.2"
}

sdhoward avatar Aug 31 '21 18:08 sdhoward

When an h2c service is specified in the Knative service spec, a public service is created with port 81 instead of port 80. Emissary is not interpreting this to mean h2c.

https://github.com/knative/networking/blob/9f4d4bd/pkg/apis/networking/ports.go#L25-L27

Emissary code showing that the port number is not analyzed in order to determine whether to treat it as gRPC:

https://github.com/emissary-ingress/emissary/blob/63138d6/python/ambassador/fetch/knative.py#L70

sdhoward avatar Oct 28 '21 17:10 sdhoward
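
Added example (not part of the issue thread and not Emissary's own code): a standalone sketch of the port check the comment above says is missing, run over a constructed Knative Ingress spec. The function names, the sample spec and the shape of the output records are assumptions; `grpc` is borrowed from the Emissary Mapping attribute of that name.

```python
# Added illustration; not Emissary's knative.py. All names here are hypothetical.
KNATIVE_HTTP_PORT = 80    # public Service port for HTTP/1.1 backends
KNATIVE_HTTP2_PORT = 81   # public Service port when the ksvc port is named h2c

# Constructed sample: only the parts of a Knative Ingress spec that matter here.
SAMPLE_INGRESS_SPEC = {
    "rules": [{
        "hosts": ["myservice.example.com"],
        "http": {"paths": [{
            "splits": [
                {"serviceName": "my-service-00001", "serviceNamespace": "demo",
                 "servicePort": 81, "percent": 100},
            ],
        }]},
    }],
}


def backend_is_h2c(service_port):
    """True when a split points at the port Knative uses for h2c backends."""
    try:
        return int(service_port) == KNATIVE_HTTP2_PORT
    except (TypeError, ValueError):
        return False  # a named port carries no number to compare


def routes_from_ingress(spec):
    """Build one simplified route record per split, flagging h2c backends."""
    routes = []
    for rule in spec.get("rules", []):
        for path in rule.get("http", {}).get("paths", []):
            for split in path.get("splits", []):
                port = split["servicePort"]
                route = {
                    "hosts": rule.get("hosts", []),
                    "prefix": path.get("path", "/"),
                    "service": f'{split["serviceName"]}.{split["serviceNamespace"]}:{port}',
                    "weight": split.get("percent", 100),
                }
                if backend_is_h2c(port):
                    route["grpc"] = True  # upstream should be spoken to over HTTP/2
                routes.append(route)
    return routes


if __name__ == "__main__":
    for r in routes_from_ingress(SAMPLE_INGRESS_SPEC):
        print(r)
```
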

@bobby @boffbowsh it seems that this ticket from @sdhoward didn't get attention just yet, would you be so kind as to look into the issue and prioritize the fix?

alexanderGalushka avatar Feb 08 '22 18:02 alexanderGalushka

Did you mean to tag me @alexanderGalushka? I have no involvement with this project

boffbowsh avatar Feb 08 '22 18:02 boffbowsh

> Did you mean to tag me @alexanderGalushka? I have no involvement with this project

My apologies, tagged you by accident

alexanderGalushka avatar Feb 15 '22 02:02 alexanderGalushka