kubernetes-ingress, http2, istio, istio-kiali

Istio: How to modify the h2UpgradePolicy globally?


I want to upgrade all incoming http 1.1 connections to http2 in Istio. I understand how to achieve this via destination rules for a particular namespace and pod.

However, I want to upgrade all connections in the service mesh from http1.1 to http2. Even the documentation recommends this, if the Istio sidecar is auto injected here.

if sidecar is installed on all pods in the mesh, then this should be set to UPGRADE.

Can I update the "istio" ConfigMap under "Istio-system" namespace?

If yes, what would the entry look like?

If no, please suggest how I can achieve this with minimal effort.


Solution

  • Indeed, you will set it in the configMap istio, and it would look like this:

    apiVersion: v1
    data:
      mesh: |-
        accessLogEncoding: TEXT
        accessLogFile: /dev/stdout
        accessLogFormat: ""
        h2UpgradePolicy: UPGRADE        #<- here
        defaultConfig:
          concurrency: 2
          configPath: ./etc/istio/proxy
    

    Now, it is a little tricky to see that it works. I sent four requests; two of them without the h2UpgradePolicy parameter, and two of them with h2UpgradePolicy: UPGRADE. But all four of my requests from the client looked like this:

    $ kubectl exec -it curler -- curl -I demo.istio
    Defaulting container name to curler.
    Use 'kubectl describe pod/curler -n default' to see all of the containers in this pod.
    HTTP/1.1 200 OK
    server: envoy
    date: Mon, 22 Jun 2020 13:05:53 GMT
    content-type: text/html
    content-length: 612
    last-modified: Tue, 26 May 2020 15:00:20 GMT
    etag: "5ecd2f04-264"
    accept-ranges: bytes
    x-envoy-upstream-service-time: 1
    

    I sent the requests from outside the mesh, as from within I was getting HTTP2 by default. So, in my case mTLS was disabled, but that's irrelevant.

    To see that it works, you would check the logs of the downstream proxy:

    ...
    [2020-06-22T13:03:03.942Z] "HEAD / HTTP/1.1" 200 - "-" "-" 0 0 0 0 "-" "curl/7.59.0" "a7c32d21-dcea-95da-b7c1-67c5783a1641" "demo.istio" "127.0.0.1:80" inbound|80|http|demo.istio.svc.cluster.local 127.0.0.1:33180 192.168.72.186:80 192.168.66.168:34814 outbound_.80_._.demo.istio.svc.cluster.local default
    [2020-06-22T13:03:05.245Z] "HEAD / HTTP/1.1" 200 - "-" "-" 0 0 0 0 "-" "curl/7.59.0" "409b3432-365f-94fe-87cd-8a85b586b42d" "demo.istio" "127.0.0.1:80" inbound|80|http|demo.istio.svc.cluster.local 127.0.0.1:60952 192.168.72.186:80 192.168.66.168:34830 outbound_.80_._.demo.istio.svc.cluster.local default
    [2020-06-22T13:03:36.732Z] "HEAD / HTTP/2" 200 - "-" "-" 0 0 0 0 "-" "curl/7.59.0" "45dd94e5-6f29-9114-b09f-bda065dfd1eb" "demo.istio" "127.0.0.1:80" inbound|80|http|demo.istio.svc.cluster.local 127.0.0.1:33180 192.168.72.186:80 192.168.66.168:35120 outbound_.80_._.demo.istio.svc.cluster.local default
    [2020-06-22T13:03:38.743Z] "HEAD / HTTP/2" 200 - "-" "-" 0 0 0 0 "-" "curl/7.59.0" "79e72286-f247-9ed0-b510-2819a886c7f9" "demo.istio" "127.0.0.1:80" inbound|80|http|demo.istio.svc.cluster.local 127.0.0.1:33180 192.168.72.186:80 192.168.66.168:35120 outbound_.80_._.demo.istio.svc.cluster.local default
    

    VERY IMPORTANT: To make it work, the service in front of the downstream peer must have a named port, and it must be called http

    apiVersion: v1
    kind: Service
    metadata:
      name: demo
    spec:
      ports:
      - name: http      #<- this parameter is mandatory to upgrade to HTTP2
        port: 80
        protocol: TCP
        targetPort: 80
      selector:
        app: nginx
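
The log check described in the answer can be automated. The following is an added example, not part of the original answer: it tallies the request protocol per inbound cluster from sidecar access-log text and lists the clusters that still receive HTTP/1.1 after the policy change. The sample lines are constructed (modelled on the log above), and the function names and the `other` service are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: lines in the TEXT access-log layout shown above, cut off
# after the inbound cluster field. The "other" service is hypothetical.
SAMPLE_LOG = '''\
...
[2020-06-22T13:03:03.942Z] "HEAD / HTTP/1.1" 200 - "-" "-" 0 0 0 0 "-" "curl/7.59.0" "req-1" "demo.istio" "127.0.0.1:80" inbound|80|http|demo.istio.svc.cluster.local
[2020-06-22T13:03:05.245Z] "HEAD / HTTP/1.1" 200 - "-" "-" 0 0 0 0 "-" "curl/7.59.0" "req-2" "demo.istio" "127.0.0.1:80" inbound|80|http|demo.istio.svc.cluster.local
[2020-06-22T13:03:36.732Z] "HEAD / HTTP/2" 200 - "-" "-" 0 0 0 0 "-" "curl/7.59.0" "req-3" "demo.istio" "127.0.0.1:80" inbound|80|http|demo.istio.svc.cluster.local
[2020-06-22T13:03:38.743Z] "HEAD / HTTP/2" 200 - "-" "-" 0 0 0 0 "-" "curl/7.59.0" "req-4" "demo.istio" "127.0.0.1:80" inbound|80|http|demo.istio.svc.cluster.local
[2020-06-22T13:03:40.100Z] "GET /api HTTP/1.1" 200 - "-" "-" 0 0 0 0 "-" "curl/7.59.0" "req-5" "other.istio" "127.0.0.1:8080" inbound|8080|http|other.istio.svc.cluster.local
'''

# [timestamp] "METHOD PATH PROTOCOL" response-code ... inbound|port|name|host
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<code>\d{3}) .*?(?P<cluster>inbound\|\d+\|[^|\s]*\|\S+)'
)

def parse(log_text):
    """Yield (timestamp, protocol, cluster) for each inbound HTTP access-log line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # skips "..." and any other non-access-log output
            yield m["ts"], m["proto"], m["cluster"]

def protocols_by_cluster(log_text):
    """Count requests per protocol for every inbound cluster seen in the log."""
    tally = defaultdict(Counter)
    for _, proto, cluster in parse(log_text):
        tally[cluster][proto] += 1
    return {cluster: dict(counts) for cluster, counts in tally.items()}

def still_http1_since(log_text, since_ts):
    """Clusters that received HTTP/1.x at or after since_ts (the policy change)."""
    # Timestamps share one fixed-width UTC format, so string comparison orders them.
    return sorted({c for ts, proto, c in parse(log_text)
                   if ts >= since_ts and proto.startswith("HTTP/1")})

if __name__ == "__main__":
    for cluster, counts in protocols_by_cluster(SAMPLE_LOG).items():
        print(cluster, counts)
    print("still HTTP/1.x:", still_http1_since(SAMPLE_LOG, "2020-06-22T13:03:30.000Z"))
```

Feed it the output of `kubectl logs` for the `istio-proxy` container of the receiving pod, with `since_ts` set to the time the ConfigMap change took effect.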