Question
We are on Kubernetes and use Istio Service Mesh. Currently, there is SSL Termination for HTTPS in Gateway. I see in the istio-proxy logs that the HTTP protocol is HTTP 1.1.
I want to upgrade HTTP 1.1 to HTTP2 due to its various advantages. Clients should call our services HTTP2 over SSL/TLS.
I am using this blog for an internal demo on this topic.
These are the bottlenecks:
1) I want to propose a plan which will cause the least amount of changes. I understand I need to update the Gateway from
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "*"
    tls:
      mode: SIMPLE
      serverCertificate: /etc/certs/server.pem
      privateKey: /etc/certs/privatekey.pem
to
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 80
      name: http2
      protocol: HTTP2
    hosts:
    - "*"
    tls:
      mode: SIMPLE
      serverCertificate: /etc/certs/server.pem
      privateKey: /etc/certs/privatekey.pem
based on the examples I see in Istio's Gateway documentation.
I want to know: Will this allow HTTP2 over TLS connections from browsers (which support only this mode)? Can I provide tls details for HTTP2, like I did with HTTPS?
2) What are some of the other Istio configurations to update?
3) Will this change break Microservices which are using http protocol currently? How can I mitigate this?
4) I was reading about DestinationRule and upgrade policy. Is this a good fit?
Answer 1:
Based on my knowledge, the Istio documentation and the Istio feature stages (http2 is in the stable phase):
1) Will this allow HTTP2 over TLS connections from browsers (which support only this mode)? Can I provide tls details for HTTP2, like I did with HTTPS?
Yes, it should allow http2.
2) What are some of the other Istio configurations to update?
Places where you have options to apply http2:
- Gateway
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: my-ingress
spec:
  selector:
    app: my-ingress-gateway
  servers:
  - port:
      number: 80
      name: http2
      protocol: HTTP2
    hosts:
    - "*"
- Service protocol selection
Manual protocol selection
Protocols can be specified manually by naming the Service port name: <protocol>[-<suffix>]. The following protocols are supported:
- grpc
- grpc-web
- http
- http2
- https
- mongo
- mysql*
- redis*
- tcp
- tls
- udp
*These protocols are disabled by default to avoid accidentally enabling experimental features. To enable them, configure the corresponding Pilot environment variables.
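apiVersion: v1
kind: Service
metadata:
  name: myservice
spec:
  ports:
  - port: 80 # a Kubernetes Service port entry uses "port", not "number"
    name: http2 # the port name selects the protocol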
3) Will this change break Microservices which are using http protocol currently? How can I mitigate this?
4) I was reading about DestinationRule and upgrade policy. Is this a good fit?
I think it should be a good fit. You would have to upgrade h2UpgradePolicy and change services to http2.
I hope it will help you.
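One way to apply the h2UpgradePolicy mentioned in the answer one destination at a time, as an added example that is not from the original post or from the Istio project. The host `myservice` is taken from the answer's Service snippet; the host `legacy-http1` and both resource names are hypothetical.

```yaml
# Opt a single backend in to HTTP/2: connections to this destination
# are upgraded from HTTP/1.1 to HTTP/2.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: myservice-h2-upgrade   # hypothetical name
spec:
  host: myservice              # host from the answer's Service example
  trafficPolicy:
    connectionPool:
      http:
        h2UpgradePolicy: UPGRADE
---
# Pin a backend that only speaks HTTP/1.1 so that it is never upgraded,
# even if the mesh-wide default is later changed.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: legacy-http1-no-upgrade   # hypothetical name
spec:
  host: legacy-http1              # hypothetical HTTP/1.1-only service
  trafficPolicy:
    connectionPool:
      http:
        h2UpgradePolicy: DO_NOT_UPGRADE
```

h2UpgradePolicy accepts DEFAULT, DO_NOT_UPGRADE and UPGRADE; with DEFAULT the destination follows the mesh-wide setting.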
Source: https://stackoverflow.com/questions/59606889/how-to-upgrade-istio-service-mesh-from-http-to-http2