Add AlpnProtocols to Gateway API

[liuxu623]

Fix istio/istio#13578 istio/istio#14708 istio/istio#25081

Allow to config alpnProtocols in ServerTLSSettings like

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: mygateway
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: httpbin-credential # must be the same as secret
      alpnProtocols:
      - h2
      - http/1.1
    hosts:
    - httpbin.example.com

[istio-policy-bot]

🤔 🐛 You appear to be fixing a bug in Go code, yet your PR doesn't include updates to any test files. Did you forget to add a test?

Courtesy of your friendly test nag.

[istio-policy-bot]

😊 Welcome @liuxu623! This is either your first contribution to the Istio api repo, or it's been
awhile since you've been here.

You can learn more about the Istio working groups, code of conduct, and contributing guidelines
by referring to Contributing to Istio.

Thanks for contributing!

Courtesy of your friendly welcome wagon.

[istio-testing]

Hi @liuxu623. Thanks for your PR.

I'm waiting for a istio member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[mandarjog]

The default is h2,http1.1 we should specify it here.

@howardjohn what is the equivalent for the k8s-gateway?

[howardjohn]

	// Accepts cleartext HTTP/1.1 sessions over TCP. Implementations MAY also
	// support HTTP/2 over cleartext. If implementations support HTTP/2 over
	// cleartext on "HTTP" listeners, that MUST be clearly documented by the
	// implementation.
	HTTPProtocolType ProtocolType = "HTTP"

	// Accepts HTTP/1.1 or HTTP/2 sessions over TLS.
	HTTPSProtocolType ProtocolType = "HTTPS"

So there is not really allowance in the wording today to disable HTTP2.

[howardjohn]

We also need to consider how this interacts with ISTIO_MUTUAL which does not use the standard ALPNs

[mandarjog]

Do we advertise istio specific alpns outside the mesh ? In any case those alpns are implemention detail and should be added by the controlplane when appropriate in addition to whatever the user puts here.

the other assumption is that you can’t use quic or other alpns that the underlying implementation does not support yet.

so this is really the “restrict to alpn” list.

[howardjohn]

QUIC is over udp so I am not sure it uses ALPN. Maybe to negotiate the QUIC version, but not h2 vs h3 at least (alt-svc is used).

Do we advertise istio specific alpns outside the mesh ?

Would have to check, for istio_mutual I suspect it would but am not certain.

[hzxuzhonghu]

quic's alpn is h3

[hzxuzhonghu]

Do we advertise istio specific alpns outside the mesh ?

It is not

[liuxu623]

We need consider quic,
If not set alpn，quic's alpn is h3, tcp's alpn is h2,http1.1 (default)
If set alpn to h3,h2,http1.1, the same as default
If set alpn to h3,http1.1,h2, quic's alpn is h3, tcp's alpn is http1.1,h2
If set alpn to h2,http1.1, disable quic and tcp's alpn is h2,http1.1
If set alpn to http1.1,h2, disable quic and tcp's alpn is http1.1,h2
If set alpn to h3,h2, quic's alpn is h3, tcp's alpn is h2
If set alpn to h3,http1.1, quic's alpn is h3, tcp's alpn is http1.1
If set alpn to h3, quic's alpn is h3 and disable tcp
If set alpn to h2, disable quic and tcp's alpn is h2
If set alpn to http1.1, disable quic and tcp's alpn is http1.1
How about this?

[liuxu623]

I think maybe we should add QUIC or HTTP/3 protocol, not use HTTPS to support quic.

[liuxu623]

We also need to consider how this interacts with ISTIO_MUTUAL which does not use the standard ALPNs

ISTIO_MUTUAL's alpn is h2,http1.1.

[istio-testing]

@liuxu623: PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[zengyuxing007]

Any progress on this? @liuxu623

[guydc]

It seems that the gateway-api consensus is to not represent HTTP3 as a distinct protocol: kubernetes-sigs/gateway-api#687. Istio’s experimental support for HTTP3 is also aligned with this state: https://github.com/istio/istio/wiki/Experimental-QUIC-and-HTTP-3-support-in-Istio-gateways.

Considering these updates, the proposal by @albertlockett to use the new alpn_protocols to override ALPN settings only for non-QUIC/ISITO_MUTUAL sounds reasonable. @liuxu623, @mandarjog - WDYT?

[istio-policy-bot]

🚧 This issue or pull request has been closed due to not having had activity from an Istio team member since 2022-05-30. If you feel this issue or pull request deserves attention, please reopen the issue. Please see this wiki page for more information. Thank you for your contributions.

Created by the issue and PR lifecycle manager.