Reputation: 121
Can I enable HTTP/2 for my website hosted on OpenShift?
I know you can use CloudFlare as a proxy, which will then provide support for HTTP/2. But what I am interested in is the ability to configure my apps precisely on OpenShift.
Upvotes: 9
Views: 6935
Reputation: 21
Yes, and as of OpenShift 4.10, there is also support for Edge termination of TLS for http/2. See PR: https://github.com/openshift/router/pull/328
TL;DR: add appProtocol: h2c in the Kubernetes Service spec.
However, the documentation still (OpenShift 4.15) states this is an unsupported case:
The connection from HAProxy to the application pod can use HTTP/2 only for re-encrypt routes and not for edge-terminated or insecure routes. This restriction is because HAProxy uses Application-Level Protocol Negotiation (ALPN), which is a TLS extension, to negotiate the use of HTTP/2 with the back-end. The implication is that end-to-end HTTP/2 is possible with passthrough and re-encrypt and not with insecure or edge-terminated routes.
Upvotes: 2
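The Service setting from the answer above, shown together with an edge-terminated Route. This is an added example, not part of the original answer or of OpenShift's own documentation; the name demo-app, the port numbers and the hostname are assumed values.

```yaml
# Added example; demo-app, the ports and the hostname are assumed values.
apiVersion: v1
kind: Service
metadata:
  name: demo-app
spec:
  selector:
    app: demo-app
  ports:
    - name: http
      port: 8080
      targetPort: 8080
      # Per the answer above: marks this backend port as cleartext HTTP/2 (h2c),
      # so the router does not depend on ALPN (a TLS extension) to pick HTTP/2.
      appProtocol: h2c
---
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: demo-app
spec:
  host: demo-app.apps.example.com
  to:
    kind: Service
    name: demo-app
  port:
    targetPort: http   # refers to the named Service port above
  tls:
    # TLS ends at the router; the router-to-pod hop is unencrypted h2c.
    termination: edge
    # Redirect plain-HTTP clients to HTTPS instead of serving them in the clear.
    insecureEdgeTerminationPolicy: Redirect
```

With edge termination the traffic between the router and the pod is not encrypted; if that hop must be protected, the re-encrypt and passthrough route types named in the quoted documentation are the ones that keep TLS to the pod.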
Reputation: 159
HTTP/2 has arrived on OpenShift 4.5! https://docs.openshift.com/container-platform/4.5/networking/ingress-operator.html#nw-http2-haproxy_configuring-ingress
TL;DR Enable HTTP/2 on the entire cluster:
$ oc annotate ingresses.config/cluster ingress.operator.openshift.io/default-enable-http2=true
Upvotes: 3
Reputation: 1631
As of OpenShift 3.11 you can enable it with the environment variable ROUTER_ENABLE_HTTP2, see https://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_release_notes.html#ocp-311-haproxy-enhancements
Implements HAProxy router HTTP/2 support (terminating at the router).
$ oc set env dc/router ROUTER_ENABLE_HTTP2=true
Upvotes: 1
Reputation: 5920
There's hope!
OpenShift 3 itself has a dependency on HAProxy, which does not support H/2, so unfortunately there's close to no support. There is hope for partial support for HTTP/2. You can keep an eye on this GitHub issue to see if they'd consider swapping out HAProxy.
From the mentioned issue:
Actually, the status is not too bad. We got HTTP/2 working when the public route uses a pass-through TLS termination strategy.
So:
H2 between pods works (with TLS)
H2C between pods works (H2C with and without TLS)
H2 behind a public route requires the route TLS termination to be "pass-through"
H2C behind a public route requires the same and SSL enabled on the server side
Also HAProxy itself promised to make HTTP/2 a major focus for their next release (we were teased with the hope of H/2 support for release 1.7, but it didn't happen). If you'd like to read more on HAProxy H/2 support, then there's a promising SO answer and a Discourse discussion.
Upvotes: 2
Reputation: 150653
No, you can't.
Hopefully, this answer will be wrong someday and someone will correct me according to Cunningham's law.
Upvotes: 8