How to upgrade Istio Service Mesh from http to http2?

1/6/2020

We are on Kubernetes and use Istio Service Mesh. Currently, there is SSL Termination for HTTPS in Gateway. I see in the istio-proxy logs that the HTTP protocol is HTTP 1.1.

I want to upgrade HTTP 1.1 to HTTP2 due to its various advantages. Clients should call our services HTTP2 over SSL/TLS.

I am using this blog for an internal demo on this topic.

These are the bottlenecks:

1) I want to propose a plan which will cause the least amount of changes. I understand I need to update the Gateway from

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "*"
    tls:
      mode: SIMPLE
      serverCertificate: /etc/certs/server.pem
      privateKey: /etc/certs/privatekey.pem

to

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 80
      name: http2
      protocol: HTTP2
    hosts:
    - "*"
    tls:
      mode: SIMPLE
      serverCertificate: /etc/certs/server.pem
      privateKey: /etc/certs/privatekey.pem

based on the examples I see in Istio's Gateway documentation.

I want to know: Will this allow HTTP2 over TLS connections from browsers (which support only this mode)? Can I provide tls details for HTTP2, like I did with HTTPS?

2) What are some of the other Istio configurations to update?

3) Will this change break microservices which are using the http protocol currently? How can I mitigate this?

4) I was reading about DestinationRule and upgrade policy. Is this a good fit?

-- Anoop Hallimala
http
http2
istio
kubernetes
kubernetes-ingress

1 Answer

1/6/2020

Based on my knowledge, the Istio documentation and the Istio feature stages (http2 is in the stable phase):

1) Will this allow HTTP2 over TLS connections from browsers (which support only this mode)? Can I provide tls details for HTTP2, like I did with HTTPS?

Yes, it should allow http2.


2) What are some of the other Istio configurations to update?

Places where you have options to apply http2:



apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: my-ingress
spec:
  selector:
    app: my-ingress-gateway
  servers:
  - port:
      number: 80
      name: http2
      protocol: HTTP2
    hosts:
    - "*"


Manual protocol selection

Protocols can be specified manually by naming the Service port name: <protocol>[-<suffix>]. The following protocols are supported:

  • grpc
  • grpc-web
  • http
  • http2
  • https
  • mongo
  • mysql*
  • redis*
  • tcp
  • tls
  • udp

*These protocols are disabled by default to avoid accidentally enabling experimental features. To enable them, configure the corresponding Pilot environment variables.


apiVersion: v1
kind: Service
metadata:
  name: myservice
spec:
  ports:
  - port: 80      # a Service port takes "port", not "number"
    name: http2   # the port name declares the protocol

3) Will this change break microservices which are using the http protocol currently? How can I mitigate this?

4) I was reading about DestinationRule and upgrade policy. Is this a good fit?

I think it should be a good fit, you would have to upgrade h2UpgradePolicy and change services to http2.


I hope it will help you.

-- jt97
Source: StackOverflow
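
An added example (not from the original post or from Istio's code) that applies the `<protocol>[-<suffix>]` port-naming convention quoted in the answer to a list of Services, showing which ports already declare http2 and which are candidates for renaming before the Gateway is switched. The function names, the notes and the sample Service list are constructed for illustration; testing `grpc-web` before splitting on the hyphen is this example's own handling of the one hyphenated protocol.

```python
import json

# Protocol prefixes from the list above; the starred two are disabled by default.
PROTOCOLS = {"grpc", "grpc-web", "http", "http2", "https", "mongo",
             "mysql", "redis", "tcp", "tls", "udp"}
DISABLED_BY_DEFAULT = {"mysql", "redis"}


def declared_protocol(port_name):
    """Protocol declared by a port name of the form <protocol>[-<suffix>], else None."""
    name = port_name or ""
    # "grpc-web" itself contains a hyphen, so test it before splitting on "-".
    if name == "grpc-web" or name.startswith("grpc-web-"):
        return "grpc-web"
    prefix = name.split("-", 1)[0]
    return prefix if prefix in PROTOCOLS else None


def audit_services(service_list, wanted="http2"):
    """Return (service, port, port name, protocol, note) for every Service port."""
    rows = []
    for svc in service_list["items"]:
        for p in svc["spec"].get("ports", []):
            proto = declared_protocol(p.get("name"))
            if proto is None:
                note = "no protocol declared by the port name"
            elif proto in DISABLED_BY_DEFAULT:
                note = "protocol is disabled by default"
            elif proto == wanted:
                note = "ok"
            elif proto == "http":
                note = "candidate: rename to http2[-<suffix>]"
            else:
                note = "declared as " + proto + ", left as is"
            rows.append((svc["metadata"]["name"], p["port"], p.get("name"), proto, note))
    return rows


# Constructed sample, shaped like the output of `kubectl get svc -o json`.
SAMPLE = json.loads("""{"items": [
 {"metadata": {"name": "productpage"}, "spec": {"ports": [{"port": 9080, "name": "http"}]}},
 {"metadata": {"name": "reviews"}, "spec": {"ports": [{"port": 9080, "name": "http2-web"}]}},
 {"metadata": {"name": "ratings"}, "spec": {"ports": [{"port": 9080, "name": "grpc-web-ui"},
                                                      {"port": 3306, "name": "mysql"}]}},
 {"metadata": {"name": "details"}, "spec": {"ports": [{"port": 9080}]}}
]}""")

if __name__ == "__main__":
    for row in audit_services(SAMPLE):
        print(*row, sep="\t")
```

Running the same audit before and after the change gives a per-service list of ports whose declared protocol moved, which is the set to test first.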