New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
gateway-api: ALPN support #32486
base: main
Are you sure you want to change the base?
gateway-api: ALPN support #32486
Conversation
fd33e4e
to
8717da9
Compare
/test |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One comment as per below, the rest seems reasonable to me. Thanks for your help.
be516f6
to
b293cd5
Compare
The code itself looks good, but I think we should spend some time thinking about what this means for users. Could you walk through some scenarios for me? What happens when:
Bascially, what I'm trying to think of here are situations where we should call out in the docs how this could break people before they enable it. |
@youngnick enabling ALPN doesn't change anything for connections explicitly specifying their protocols, it only plays if client asks for available ALPN protocols (i.e initiates negotiation). With ALPN exposed, you can exec curl commands with either of It could have broken clients if I negotiated http1.1, but my backend only serves http2. (I think this would have been the case with cilium anyway) We can call out in the docs that if you enable ALPN, it will also enable appProtocol, so if one's upstream is serving HTTP2, they should specify |
If their backend is only serving HTTP2 and they don't specify (unless they're using GRPCRoute which will force HTTP2 on the upstream whether you have appProtocol or not)
Nothing will break. |
Here, I was talking about hypothetical protocol negotiating scenario. ALPN doesn't change much for this case, because what breaks the traffic flow is enabling appProtocol, not ALPN. |
@youngnick Anything else we need for this to go in? |
/test |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the code is great, but we need to clarify the requirements and behavior a bit more. Any chance you'd be up to write a small tutorial demonstrating how the feature would work? If not, I think we at least need a similar change to what I've asked for below.
@@ -812,6 +812,8 @@ gatewayAPI: | |||
enableProxyProtocol: false | |||
# -- Enable Backend Protocol selection support (GEP-1911) for Gateway API via appProtocol. | |||
enableAppProtocol: false | |||
# -- Enable ALPN for Gateway API. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
# -- Enable ALPN for Gateway API. | |
# -- Enable ALPN for all listeners configured with Gateway API. ALPN will attempt HTTP/2, then HTTP 1.1. Note that this will also enable `appProtocol` support, and services that wish to use HTTP/2 will need to indicate that via their `appProtocol`. |
Maybe just to make this one hundred percent clear? Ideally, we would add a tutorial to Documentation/network/servicemesh/gateway-api/
as well walking through what's required.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we leave the documentation part for a different PR? I would like to actually run this in my env before writing any tutorials. 😅
Will add the detailed description for the helm values.
This feature is hidden behind `enable-gateway-api-alpn` flag on the operator gwapi cell. The implementation will change envoy listener configuration to expose ALPN suggesting both HTTP/2 and HTTP/1.1. Fixes: cilium#30794 Signed-off-by: Rauan Mayemir <rauan@mayemir.io>
`enable-gateway-api-alpn` flag is false by default, setting it explicitly will enable ALPN support alongside appProtocol. Signed-off-by: Rauan Mayemir <rauan@mayemir.io>
b293cd5
to
449bb6b
Compare
This feature is hidden behind
enable-gateway-api-alpn
flag on the operator gwapi cell.The implementation will change envoy listener configuration to expose ALPN suggesting both HTTP/2 and HTTP/1.1.
Fixes: #30794