Feature: Annotation to disable HTTP2 per host

Open Nuru opened this issue 5 years ago • 26 comments

This feature has been requested and attempted a few times, but keeps losing steam.

  • Support per-ingress http2 setting through annotation #2189
  • Add http2-host-blacklist config flag #2482
  • Annotation support for http2 #2402

I would like to revive it because it should now be relatively easy to implement and there are precedents for it.

Specifically, I would like to have the annotation nginx.ingress.kubernetes.io/use-http2: "false" disable HTTP2 for that host. We already have nginx.ingress.kubernetes.io/server-snippet which can only be used once per host and which affects all paths for the host, but because of the way HTTP2 support is configured (as part of the listen directive), the server snippet annotation cannot be used to disable HTTP2 support for the server. We also have the nginx.ingress.kubernetes.io/use-regex which affects all paths for the host, regardless of which Ingress the paths are defined on.

I think #2189 was not allowed because the fact that it applies to the entire host was seen as unacceptable, but this kind of thing, when necessary for architectural reasons, is acceptable now when properly documented. #2482 was a different way to accomplish the same goal and was proposed as a way around a bug in nginx and lost steam when the bug was fixed.

Note that I am not asking for an annotation that would allow HTTP2 support on port 80 or any non-TLS port, which I think is what got #2402 shut down. What I am asking for is an annotation that turns off the now default HTTP2 support for TLS ports on a per-host/server basis.

Proposed documentation:

Enables or disables HTTP/2 support in secure connections for this host. (Overrides the ConfigMap setting use-http2 for this host.) Setting this on any Ingress for the host affects all paths of the host, regardless of what Ingress they are defined on. May only be set once per host.

Use case: We have a large cluster with many hosts and we want to have HTTP2 support for nearly all of them, but some break when HTTP2 support is turned on and we want to disable it only for those hosts. It is acceptable that this be a per-host setting like the server snippet.

/kind feature

Nuru avatar Aug 06 '20 21:08 Nuru
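
The request above turns on HTTP/2 being a parameter of the `listen` directive, which a server snippet cannot change. As an added example (not part of the original thread or of ingress-nginx), this audit reads a rendered nginx.conf and reports hosts that must stay on HTTP/1.1 but still have `http2` on a TLS listener. The sample config, host names and function names are constructed for illustration.

```python
import re

# Constructed sample of a rendered nginx.conf (not taken from a real cluster).
SAMPLE_CONF = """
http {
    server {
        server_name app.example.test ;
        listen 80 ;
        listen 443 ssl http2 ;
        location / { proxy_pass http://upstream_balancer; }
    }
    server {
        server_name legacy.example.test ;
        listen 80 ;
        listen 443 ssl http2 ;
        # a server-snippet would be rendered inside this block; listen is already fixed above
        keepalive_timeout 10s;
    }
}
"""

def server_blocks(conf):
    """Yield the body of each `server { ... }` block, found by brace matching."""
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments so they cannot look like directives
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def http2_by_host(conf):
    """Map each server_name to True if one of its TLS listen directives carries http2."""
    result = {}
    for body in server_blocks(conf):
        names = re.search(r"\bserver_name\s+([^;]+);", body)
        listens = [params.split() for params in re.findall(r"\blisten\s+([^;]+);", body)]
        h2 = any("ssl" in params and "http2" in params for params in listens)
        for host in (names.group(1).split() if names else []):
            result[host] = result.get(host, False) or h2
    return result

def unexpected_http2(conf, http1_only_hosts):
    """Hosts that must stay on HTTP/1.1 but whose TLS listener has http2 enabled."""
    status = http2_by_host(conf)
    return sorted(h for h in http1_only_hosts if status.get(h))
```

Calling `unexpected_http2(SAMPLE_CONF, {"legacy.example.test"})` flags the legacy host, because the global setting put `http2` on every TLS `listen` line.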

@Nuru thank you for writing this request with some context and analysis of the previous attempts. My only concern is how we can avoid issues/complaints with "allow HTTP2 support on port 80 or any non-TLS port".

aledbf avatar Aug 06 '20 22:08 aledbf

@aledbf wrote

My only concern is how we can avoid issues/complaints with "allow HTTP2 support on port 80 or any non-TLS port".

A few ways:

  1. The same way this has been avoided with the use-http2 ConfigMap setting: by documenting that it toggles support "in secure connections".
  2. By documenting why HTTP/2 is not supported on non-TLS connections and/or linking to some relevant issues
    • https://github.com/kubernetes/ingress-nginx/issues/4630#issuecomment-537691335
    • #3897
    • #3938
    • #2465
  3. By including comments in the code

I suppose we cannot really avoid complaints, but we have a solid answer for them: non-TLS protocol does not support auto-negotiation of protocol. In other words, it just does not work.

Nuru avatar Aug 06 '20 23:08 Nuru

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta. /lifecycle stale

fejta-bot avatar Nov 04 '20 23:11 fejta-bot

Does that seem sufficient to address the prior concerns @aledbf ?

braxtone avatar Nov 10 '20 16:11 braxtone

/remove-lifecycle stale

Nuru avatar Nov 11 '20 19:11 Nuru

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale

fejta-bot avatar Feb 09 '21 20:02 fejta-bot

Stale issues rot after 30d of inactivity. Mark the issue as fresh with /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten

fejta-bot avatar Mar 11 '21 21:03 fejta-bot

/remove-lifecycle rotten

@aledbf What can I do to move this forward?

Nuru avatar Mar 20 '21 21:03 Nuru

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale

fejta-bot avatar Jun 18 '21 22:06 fejta-bot

Stale issues rot after 30d of inactivity. Mark the issue as fresh with /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten

fejta-bot avatar Jul 18 '21 23:07 fejta-bot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Reopen this issue or PR with /reopen
  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

k8s-triage-robot avatar Aug 17 '21 23:08 k8s-triage-robot

@k8s-triage-robot: Closing this issue.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-ci-robot avatar Aug 17 '21 23:08 k8s-ci-robot

I need this too. Can we have this reopened please?

fnkr avatar Aug 28 '21 06:08 fnkr

We also need this ability.

johngirvin avatar Sep 23 '21 13:09 johngirvin

We need this too, can someone please pick it up?

arpit20adlakha avatar Mar 17 '22 09:03 arpit20adlakha

let me reopen it

/reopen

tao12345666333 avatar Mar 17 '22 10:03 tao12345666333

@tao12345666333: Reopened this issue.

k8s-ci-robot avatar Mar 17 '22 10:03 k8s-ci-robot

/triage accepted /priority important-soon

@fnkr @johngirvin @arpit20adlakha if you want to see this feature, we are happy for any contributions :)

/help

iamNoah1 avatar Apr 12 '22 08:04 iamNoah1

@iamNoah1: This request has been marked as needing help from a contributor.

Guidelines

Please ensure that the issue body includes answers to the following questions:

  • Why are we solving this issue?
  • To address this issue, are there any code changes? If there are code changes, what needs to be done in the code and what places can the assignee treat as reference points?
  • Does this issue have zero to low barrier of entry?
  • How can the assignee reach out to you for help?

For more details on the requirements of such an issue, please see here and ensure that they are met.

If this request no longer meets these requirements, the label can be removed by commenting with the /remove-help command.

k8s-ci-robot avatar Apr 12 '22 08:04 k8s-ci-robot

/lifecycle frozen

rikatz avatar May 10 '22 16:05 rikatz

@nicknovitski how far from this proposal is your existing work on this?

malthe avatar Aug 17 '22 21:08 malthe

This issue is labeled with priority/important-soon but has not been updated in over 90 days, and should be re-triaged. Important-soon issues must be staffed and worked on either currently, or very soon, ideally in time for the next release.

You can:

  • Confirm that this issue is still relevant with /triage accepted (org members only)
  • Deprioritize it with /priority important-longterm or /priority backlog
  • Close this issue with /close

For more details on the triage process, see https://www.kubernetes.dev/docs/guide/issue-triage/

/remove-triage accepted

k8s-triage-robot avatar Feb 08 '23 00:02 k8s-triage-robot

This issue is currently awaiting triage.

If Ingress contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

k8s-ci-robot avatar Feb 08 '23 00:02 k8s-ci-robot

This feature will be very useful and I have a number of users looking for this on IBM Cloud deployments. Can we triage this?

rahulsb avatar Jul 12 '24 04:07 rahulsb

Can this not be achieved using Gateway API?

The Ingress API has been GA for a long time; growing the scope of this project with annotations fragments the ecosystem and reduces the capacity to standardize it.

aojea avatar Jul 12 '24 12:07 aojea

@rahulsb are you willing to implement, maintain, triage bugs, etc. for this feature? If so, please feel free to open a PR for it.

rikatz avatar Aug 23 '24 23:08 rikatz

We are not actively adding new features as we migrate our focus to ingate.

We have discussed at the gateway-api community meeting and our latest ingress-nginx KubeCon Maintainer talk.

The repo to follow along is at: https://github.com/kubernetes-sigs/ingate

/close

strongjz avatar Dec 19 '24 16:12 strongjz

@strongjz: Closing this issue.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

k8s-ci-robot avatar Dec 19 '24 16:12 k8s-ci-robot