Reputation: 635
We are on Kubernetes and use Istio Service Mesh. Currently, there is SSL Termination for HTTPS in Gateway. I see in the istio-proxy logs that the HTTP protocol is HTTP 1.1.
I want to upgrade HTTP 1.1 to HTTP2 due to its various advantages. Clients should call our services HTTP2 over SSL/TLS.
I am using this blog for an internal demo on this topic.
These are the bottlenecks:
1) I want to propose a plan which will cause the least amount of changes. I understand I need to update the Gateway from

    apiVersion: networking.istio.io/v1alpha3
    kind: Gateway
    metadata:
      name: bookinfo-gateway
    spec:
      selector:
        istio: ingressgateway # use istio default controller
      servers:
      - port:
          number: 443
          name: https
          protocol: HTTPS
        hosts:
        - "*"
        tls:
          mode: SIMPLE
          serverCertificate: /etc/certs/server.pem
          privateKey: /etc/certs/privatekey.pem

to

    apiVersion: networking.istio.io/v1alpha3
    kind: Gateway
    metadata:
      name: bookinfo-gateway
    spec:
      selector:
        istio: ingressgateway # use istio default controller
      servers:
      - port:
          number: 80
          name: http2
          protocol: HTTP2
        hosts:
        - "*"
        tls:
          mode: SIMPLE
          serverCertificate: /etc/certs/server.pem
          privateKey: /etc/certs/privatekey.pem

based on the examples I see in Istio's Gateway documentation.
I want to know: Will this allow HTTP2 over TLS connections from browsers (which support only this mode)? Can I provide tls details for HTTP2, like I did with HTTPS?
2) What are some of the other Istio configurations to update?
3) Will this change break microservices which are currently using the HTTP protocol? How can I mitigate this?
4) I was reading about DestinationRule and upgrade policy. Is this a good fit?
Upvotes: 1
Views: 7175
Reputation: 8840
Based on my knowledge, the Istio documentation and the Istio feature stages (HTTP2 is in the stable phase):
1) Will this allow HTTP2 over TLS connections from browsers (which support only this mode)? Can I provide tls details for HTTP2, like I did with HTTPS?
Yes, it should allow http2.
2) What are some of the other Istio configurations to update?
Places where you have options to apply http2:

    apiVersion: networking.istio.io/v1alpha3
    kind: Gateway
    metadata:
      name: my-ingress
    spec:
      selector:
        app: my-ingress-gateway
      servers:
      - port:
          number: 80
          name: http2
          protocol: HTTP2
        hosts:
        - "*"

Manual protocol selection
Protocols can be specified manually by naming the Service port name: <protocol>[-<suffix>]. The following protocols are supported:
*These protocols are disabled by default to avoid accidentally enabling experimental features. To enable them, configure the corresponding Pilot environment variables.
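
    apiVersion: v1
    kind: Service
    metadata:
      name: myservice
    spec:
      ports:
      - port: 80      # a Kubernetes Service port is set with "port", not "number"
        name: http2   # the port name selects the protocol
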
3) Will this change break microservices which are currently using the HTTP protocol? How can I mitigate this?
4) I was reading about DestinationRule and upgrade policy. Is this a good fit?
I think it should be a good fit. You would have to upgrade h2UpgradePolicy and change services to http2.
I hope it will help you.
Upvotes: 2
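
The two settings discussed in this thread, side by side, as an added example that is not part of the question or the answer: a Gateway that keeps TLS termination on 443 and a DestinationRule that sets `h2UpgradePolicy` for one backend. It assumes the ingress gateway offers HTTP/2 through ALPN on an HTTPS server; the host `myservice.default.svc.cluster.local` and the rule name `myservice-h2` are hypothetical.

```yaml
# Added example, not from the question or the answer.
# Gateway: TLS stays terminated on 443. With protocol HTTPS the client and
# the gateway pick HTTP/2 or HTTP/1.1 during the TLS handshake (ALPN), so
# the listener stays encrypted (assumption: the gateway advertises h2).
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "*"
    tls:
      mode: SIMPLE
      serverCertificate: /etc/certs/server.pem
      privateKey: /etc/certs/privatekey.pem
---
# DestinationRule: opt a single backend into HTTP/2 instead of changing
# every service at once. Host and rule name are hypothetical.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: myservice-h2
spec:
  host: myservice.default.svc.cluster.local
  trafficPolicy:
    connectionPool:
      http:
        # Allowed values: DEFAULT, DO_NOT_UPGRADE, UPGRADE
        h2UpgradePolicy: UPGRADE
```

The protocol that was actually negotiated shows up in the same istio-proxy logs where the question observed HTTP 1.1, so those logs are the place to confirm the change per service.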