api icon indicating copy to clipboard operation
api copied to clipboard

Published 20 hours ago verified publisher icon istio

Add service_protocol field to Sidecar API

Open wtzhang23 opened this issue 9 months ago • 7 comments

Istio supports Ingress Sidecar Termination, which allows configuring sidecars to terminate using certs provisioned elsewhere given that the ENABLE_TLS_ON_SIDECAR_INGRESS feature flag is set to true. This helps new users of Istio take advantage of Istio features such as inbound stats collection and injected EnvoyFilters while migrating their infrastructure stacks over the span of multiple years. Note that migration cannot be accelerated as it requires onboarding every client, and we have many services that have a high fan-in count (e.g. configuration services, facades over user databases).

However, the current implementation only supports passing traffic to the service over HTTP/1.1. As gRPC and other HTTP2-based protocols gain popularity, this means that users cannot use this feature out-of-the-box. EnvoyFilters can be used to patch this.

This PR proposes an ergonomic change which allows specifying the service_protocol that differs from the protocol specified in the sidecar port. The following changes (original closed PR) show how this would be implemented:

  • If blank, continue as was before
  • If the sidecar protocol is HTTPS, allow service_protocol to be either http or http2
  • If the sidecar protocol is TLS, allow service_protocol to be a TCP protocol (e.g. Redis)
  • Else, the sidecar protocol must match the sidecar port protocol if specified.

wtzhang23 avatar Mar 04 '25 15:03 wtzhang23

😊 Welcome @wtzhang23! This is either your first contribution to the Istio api repo, or it's been a while since you've been here.

You can learn more about the Istio working groups, Code of Conduct, and contribution guidelines by referring to Contributing to Istio.

Thanks for contributing!

Courtesy of your friendly welcome wagon.

istio-policy-bot avatar Mar 04 '25 15:03 istio-policy-bot

Hi @wtzhang23. Thanks for your PR.

I'm waiting for a istio member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

istio-testing avatar Mar 04 '25 15:03 istio-testing

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

istio-testing avatar Apr 03 '25 05:04 istio-testing

How about using 'http_version' - if all you want to identify is the version of http to use ?

My concern is with the field name - 'service protocol' can have many meanings, there are many protocols that support proxy and even 'service' is an overloaded term ( there are non http services - and k8s/Istio 'services' that implement their own protocols like WebDAV over http ).

HTTP/2 is not quite a different application protocol - just a different version of the http protocol with different encoding.

Would also help a lot to include some examples of the naming used in other APIs/servers.

No concern with the feature, seems a good thing - just naming and docs.

On Fri, May 2, 2025 at 7:49 AM William T Zhang @.***> wrote:

@wtzhang23 commented on this pull request.

In networking/v1alpha3/sidecar.proto:

@@ -466,6 +466,10 @@ message IstioIngressListener { // sidecar for requests originating from outside the mesh. // Currently supports only SIMPLE and MUTUAL TLS modes. ServerTLSSettings tls = 7;

  • // The protocol to use when proxying traffic to the service. This is useful
  • // when the incoming connection's protocol differs from the service, such as
  • // when tls is set.

Ya, I think the wording is improper. By saying "protocol" I'm coupling the transport (plaintext/TLS) and the application protocol (HTTP1/2), which as far as I can tell is the only reason why this field is desirable. This PR was proposed simply to address the case:

port protocol: HTTPS -> service protocol: HTTP. Maybe it is clearer if I just delete the second sentence?

— Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because your review was requested.Message ID: @.***>

costinm avatar May 02 '25 20:05 costinm

I would like something a little more generic than http_version to "future-proof" the api. I agree service is overloaded. What do you think about something like post_terminated_protocol (somewhat verbose though) or unterminated_protocol, mirroring AfterTLSTermination.

wtzhang23 avatar May 11 '25 19:05 wtzhang23

I don't know what future you expect - but at least near term we either have HTTP based protocols ( and plenty of protocols are now on top of HTTP) and all other TCP based protocols. There are other places to specify the top service protocol - in Service object itself, the existing protcol fields, etc.

It may be better for the users to have a clear API to solve the narrow problem of HTTP/1.1 ( H3 is UDP, and H4 is not yet a concern), and deal with future problems in the future :-)

costinm avatar May 12 '25 21:05 costinm

I was thinking more in lines of TCP protocols. E.g. if anyone has a (somewhat weird) request to forward Redis, in which case adding Redis listener filters may be desirable. Though agree with you we can keep the scope small for now and we can always deprecate/introduce a more general field when the time comes.

wtzhang23 avatar May 12 '25 21:05 wtzhang23