HTTP2 and gRPC support

[tanzeeb]

This PR adds support for HTTP/2 and gRPC services:

1. For each revision, the container port name is used to determine the appropriate protocol, as described in the runtime contract. The default is HTTP/1.1.
2. For each revision, the port name of the k8s service is determined by the revision's protocol. For h2c, http2 and for http1, http. The default is http.
3. The activator is served on two separate ports, one for each protocol.
4. When a revision is scaled-to-zero, the ClusterIngress will route to the appropriate activator port based on the revision's protocol.

Manual Test Plan

Fixes #813
Fixes #706
Fixes #707

Release Note

* Support gRPC and HTTP/2 requests

Edit Added implementation details.

[knative-prow-robot]

@tanzeeb: 1 warning.

In response to this:

This PR adds support for HTTP/2 and gRPC services.

Fixes #813
Fixes #706
Fixes #707

Release Note

* Support gRPC and HTTP/2 requests

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[mattmoor]

I think we definitely want an e2e test for this.

[markusthoemmes]

Thanks a lot @tanzeeb for having separately reviewable commits with meaningful commit messages. That helped a lot while stepping through this change! 🙏

The change overall looks good to me, I left a few comments throughout but nothing major at all. Great job!

[tanzeeb]

/test pull-knative-serving-upgrade-tests
/test pull-knative-serving-integration-tests

[tanzeeb]

/hold

Thanks for reviewing @mattmoor @markusthoemmes

Will fix the broken tests and add some e2e tests.

[tanzeeb]

Update:

TL;DR: This PR breaks for all applications that only support HTTP 1.1. Turns out I did a really bad job of 1) testing this feature, and 2) bisecting the test failure (sorry revision.timeoutSeconds, it wasn't your fault 😞).

Background:

Istio uses the Kubernetes Service port name of the upstream service (in our case, the Revision) to determine the request protocol. Changing the Kubernetes Service port name from http to http2 instructs the Envoy IngressGateway to make HTTP 2 requests to the service:

        // ServicePortName = "http"
	ServicePortName = "http2"

This will convert all requests, including HTTP 1.1 requests, into HTTP 2. This works very well for apps that support HTTP 2, but breaks all other apps. If we keep the port name as http, all requests, including HTTP 2 requests, will get converted to HTTP1.

The full compatibility matrix looks like this:

Port name: http2 / grpc:

	HTTP 1.1 request	HTTP 2 request	Unary gRPC request	Streaming gRPC request
HTTP 1.1 server	❌	❌	❌	❌
HTTP 2 server	✅	✅	✅	✅
gRPC server	❌	❌	✅	✅

Port name http:

	HTTP 1.1 request	HTTP 2 request	Unary gRPC request	Streaming gRPC request
HTTP 1.1 server	✅	✅	❌	❌
HTTP 2 server	✅	✅	❌	❌
gRPC server	❌	❌	❌	❌

Problem

In this PR, I was hoping to use http2 to support all http-ish protocols. This won't work. Istio will always convert the request to the upstream service protocol. Envoy has a feature to use the client protocol instead of the upstream protocol, but this breaks Istio so it is not an option.

Potential Solution?

We have to dynamically select http, http2 or grpc for the K8s Service port name.

In a previous PR there was hesitation around specifying the protocol in the revision spec. I can't think of a way around it...

Update from @evankanderson:

See the runtime spec for the current way to do this, using the container.ports[0].name field.

Edit: Corrected the charts

[evankanderson]

Thanks for the in-depth investigation. It looks like istio/istio#6158 is not very conclusive -- istio/istio#6611 reverts the behavior, but I'm wondering whether unspecified port name should be equivalent to envoy's USE_DOWNSTREAM_PROTOCOL. Unfortunately, it looks like this would require adding an enum value to the supported Pilot Protocols.

In particular, it's possible to have a docker container which answers HTTP1, HTTP via h2c, and gRPC via h2c -- there's no particular reason why the container would need to support HTTP1, but it might be convenient for testing (distro curl may not support the -2 flag, for example). It would be nice to be able to request "attempt http2 but fall back to http" in the Istio configuration, which is different than USE_DOWNSTREAM_PROTOCOL (more of a USE_BEST_PROTOCOL).

[tanzeeb]

It would be nice to be able to request "attempt http2 but fall back to http" in the Istio configuration, which is different than USE_DOWNSTREAM_PROTOCOL (more of a USE_BEST_PROTOCOL).

This would solve all of our problems 😃

[evankanderson]

Is there a feature request upstream for this? USE_BEST_PROTOCOL is best option. :-D

…

On Thu, Dec 6, 2018 at 12:44 PM Tanzeeb Khalili ***@***.***> wrote: It would be nice to be able to request "attempt http2 but fall back to http" in the Istio configuration, which is different than USE_DOWNSTREAM_PROTOCOL (more of a USE_BEST_PROTOCOL). This would solve all of our problems 😃 — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#2539 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AHlyN4ZBphnKT4JF13Zz1O5IADBJQYDaks5u2YGcgaJpZM4YxNw5> .

-- Evan Anderson <argent@google.com>

[knative-metrics-robot]

The following is the coverage report on pkg/.
Say /test pull-knative-serving-go-coverage to re-run this coverage report

File	Old Coverage	New Coverage	Delta
pkg/activator/activator.go	Do not exist	100.0%
pkg/activator/util/io.go	Do not exist	100.0%
pkg/activator/util/rewinder.go	92.9%	100.0%	7.1
pkg/apis/serving/v1alpha1/revision_types.go	87.0%	87.9%	0.9

[evankanderson]

I'm comfortable with a quick followup e2e test, but note that until there is an e2e test for this functionality, it's likely to backslide and be broken by accident.

[tanzeeb]

Hi folks,

Thanks for the feedback so far. I'm happy to tackle the e2e tests next, but in the meantime, here's a manual test plan:

Test Plan

Pre-requisites

1. Get the app go get github.com/evankanderson/sia
2. Create a Service

apiVersion: serving.knative.dev/v1alpha1
kind: Service
metadata:
  name: sia
  namespace: default
spec:
  runLatest:
    configuration:
      revisionTemplate:
        spec:
          container:
            image: github.com/evankanderson/sia
            ports:
              - name: h2c   # set this to `http1` to test http1
                containerPort: 8080

3. Install grpcurl and Curl with HTTP/2 support (--http2-prior-knowledge)

Test HTTP 1.1

1. ko apply -f sia.yaml with port name http1
2. curl -H 'Host: sia.default.example.com' http://${ip}:80 --http1.1
3. Check the logs (kubectl logs <sia pod> user-container), should say "Got GET on 1 with ..."
4. Repeat steps 2-3 after scale-to-zero

Test HTTP 2.0

1. ko apply -f sia.yaml with port name h2c
2. curl -H 'Host: sia.default.example.com' http://${ip}:80 --http2-prior-knowledge
3. Check the logs (kubectl logs <sia pod> user-container), should say "Got GET on 2 with ..."
4. Repeat steps 2-3 after scale-to-zero

Test Unary gRPC

1. ko apply -f sia.yaml with port name h2c
2. echo '{"thing":"SOMETHING"}' | grpcurl -plaintext -proto doer/doer.proto -authority sia.default.example.com -format json -d @ ${ip}:80 doer.Doer/DoIt
3. Should see { "words": "Did: SOMETHING" }
4. Check the logs (kubectl logs <sia pod> user-container), should say "Got POST on 2 with application/grpc"
5. Repeat steps 2-4 after scale-to-zero

Test Streaming gRPC

1. ko apply -f sia.yaml with port name h2c
2. echo '{"thing":"SOMETHING"}{"thing":"SOMETHING ELSE"}' | grpcurl -plaintext -proto doer/doer.proto -authority sia.default.example.com -d @ ${ip}:80 doer.Doer/KeepDoing
3. Should see { "words": "Did: SOMETHING" }{ "words": "Did: SOMETHING ELSE" }
4. Check the logs (kubectl logs <sia pod> user-container), should say "Got POST on 2 with application/grpc"
5. yes '{"thing":"SOMETHING"}' | grpcurl -plaintext -proto doer/doer.proto -authority sia.default.example.com -d @ ${ip}:80 doer.Doer/KeepDoing
6. Should see endless stream of { "words": "Did: SOMETHING" }
7. Repeat steps 2-6 after scale-to-zero

[tanzeeb]

I'm comfortable with a quick followup e2e test, but note that until there is an e2e test for this functionality, it's likely to backslide and be broken by accident.

Understood. It's happened a few times while I was working on the PR, so e2e tests are definitely a top priority.

I'd still like to get this PR in before that, so that folks have a chance to play with the functionality. There's been a lot of theoretical discussion on how this will impact other areas, such as autoscaling (eg. #2916), and it'd be helpful for those discussions to be informed by an actual implementation.

[evankanderson]

/approve

[knative-prow-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: evankanderson, tanzeeb

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [evankanderson]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[evankanderson]

/lgtm