We are on Kubernetes and use Istio Service Mesh. Currently, there is SSL Termination for HTTPS in Gateway. I see in the istio-proxy logs that the HTTP protocol is HTTP 1.1.
I want to upgrade HTTP 1.1 to HTTP2 due to its various advantages. Clients should call our services using HTTP2 over SSL/TLS.
I am using this blog for an internal demo on this topic.
These are the bottlenecks:
1) I want to propose a plan which will cause the least amount of changes. I understand I need to update the Gateway from
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "*"
    tls:
      mode: SIMPLE
      serverCertificate: /etc/certs/server.pem
      privateKey: /etc/certs/privatekey.pem
```
to
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 80
      name: http2
      protocol: HTTP2
    hosts:
    - "*"
    tls:
      mode: SIMPLE
      serverCertificate: /etc/certs/server.pem
      privateKey: /etc/certs/privatekey.pem
```
based on the examples I see in Istio's Gateway documentation.
I want to know: Will this allow HTTP2 over TLS connections from browsers (which support only this mode)? Can I provide tls details for HTTP2, like I did with HTTPS?
2) What are some of the other Istio configurations to update?
3) Will this change break microservices which are using the http protocol currently? How can I mitigate this?
4) I was reading about DestinationRule and upgrade policy. Is this a good fit?
Based on my knowledge, the Istio documentation and the Istio feature stages (http2 is in the stable phase):
1) Will this allow HTTP2 over TLS connections from browsers (which support only this mode)? Can I provide tls details for HTTP2, like I did with HTTPS?
Yes, it should allow http2.
2) What are some of the other Istio configurations to update?
Places where you have options to apply http2:
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: my-ingress
spec:
  selector:
    app: my-ingress-gateway
  servers:
  - port:
      number: 80
      name: http2
      protocol: HTTP2
    hosts:
    - "*"
```
Manual protocol selection
Protocols can be specified manually by naming the Service port `name: <protocol>[-<suffix>]`. The following protocols are supported:
*These protocols are disabled by default to avoid accidentally enabling experimental features. To enable them, configure the corresponding Pilot environment variables.
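```yaml
apiVersion: v1
kind: Service
metadata:
  name: myservice
spec:
  ports:
  - port: 80      # a Kubernetes Service port uses "port", not "number"
    name: http2   # the port name prefix selects the protocol
```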
3) Will this change break microservices which are using the http protocol currently? How can I mitigate this?
4) I was reading about DestinationRule and upgrade policy. Is this a good fit?
I think it should be a good fit. You would have to upgrade h2UpgradePolicy and change services to http2.
I hope it will help you.
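
The DestinationRule route from point 4, written out as an added example that is not part of the original question or answer: the Gateway keeps TLS termination on 443, where HTTP/2 is negotiated with browsers through ALPN during the TLS handshake, and `h2UpgradePolicy` is scoped to a single backend. The `reviews` host, the `default` namespace and the rule name `reviews-h2-upgrade` are assumptions.

```yaml
# Added example, not from the original post.
# Assumed names: service "reviews" in namespace "default", rule "reviews-h2-upgrade".
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS      # TLS stays terminated here; h2 is offered via ALPN
    hosts:
    - "*"
    tls:
      mode: SIMPLE
      serverCertificate: /etc/certs/server.pem
      privateKey: /etc/certs/privatekey.pem
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: reviews-h2-upgrade            # assumed name
  namespace: default                  # assumed namespace
spec:
  host: reviews.default.svc.cluster.local   # assumed backend service
  trafficPolicy:
    connectionPool:
      http:
        # Accepted values: DEFAULT | DO_NOT_UPGRADE | UPGRADE
        h2UpgradePolicy: UPGRADE      # proxies upgrade HTTP/1.1 to HTTP/2 for this host only
```

Because the rule is scoped to one host, traffic to services without such a rule keeps its current protocol. `curl -v --http2 https://<gateway-host>/` shows which protocol ALPN selected at the edge.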