Closed
Commit fd29fd3 introduced a change that selects USE_DOWNSTREAM_PROTOCOL when protocol sniffing is enabled. This appears to break gateway traffic.
Relevant configs:
443 listener:
{
"version_info": "2020-02-18T18:34:05Z/3",
"listener": {
"name": "0.0.0.0_443",
"address": {
"socket_address": {
"address": "0.0.0.0",
"port_value": 443
}
},
"filter_chains": [
{
"filter_chain_match": {
"server_names": [
"*.mydomain"
]
},
"tls_context": {
"common_tls_context": {
"alpn_protocols": [
"h2",
"http/1.1"
],
"tls_certificate_sds_secret_configs": [
{
"name": "ingressgateway-wildcard-certs",
"sds_config": {
"api_config_source": {
"api_type": "GRPC",
"grpc_services": [
{
"google_grpc": {
"target_uri": "unix:/var/run/ingress_gateway/sds",
"stat_prefix": "sdsstat"
}
}
]
}
}
}
]
},
"require_client_certificate": false
},
"filters": [
{
"name": "envoy.http_connection_manager",
"typed_config": {
"@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager",
"stat_prefix": "outbound_0.0.0.0_443",
"http_filters": [
{
"name": "envoy.cors"
},
{
"name": "envoy.fault"
},
{
"name": "envoy.router"
}
],
"http_protocol_options": {},
"server_name": "istio-envoy",
"idle_timeout": "300s",
"access_log": [
{
"name": "envoy.file_access_log",
"typed_config": {
"@type": "type.googleapis.com/envoy.config.accesslog.v2.FileAccessLog",
"path": "/dev/stdout",
"format": "[%START_TIME%] \"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%\" %RESPONSE_CODE% %RESPONSE_FLAGS% \"%DYNAMIC_METADATA(istio.mixer:status)%\" \"%UPSTREAM_TRANSPORT_FAILURE_REASON%\" %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% \"%REQ(X-FORWARDED-FOR)%\" \"%REQ(USER-AGENT)%\" \"%REQ(X-REQUEST-ID)%\" \"%REQ(:AUTHORITY)%\" \"%UPSTREAM_HOST%\" %UPSTREAM_CLUSTER% %UPSTREAM_LOCAL_ADDRESS% %DOWNSTREAM_LOCAL_ADDRESS% %DOWNSTREAM_REMOTE_ADDRESS% %REQUESTED_SERVER_NAME% %ROUTE_NAME%\n"
}
}
],
"use_remote_address": true,
"forward_client_cert_details": "SANITIZE_SET",
"set_current_client_cert_details": {
"subject": true,
"cert": true,
"dns": true,
"uri": true
},
"upgrade_configs": [
{
"upgrade_type": "websocket"
}
],
"stream_idle_timeout": "0s",
"normalize_path": true,
"rds": {
"config_source": {
"ads": {}
},
"route_config_name": "https.443.https-demo-wildcard.istio-autogenerated-k8s-ingress.gke-system"
}
}
}
]
}
],
"listener_filters": [
{
"name": "envoy.listener.tls_inspector"
}
],
"traffic_direction": "OUTBOUND"
},
"last_updated": "2020-02-18T18:34:31.197Z"
},
Cluster being routed to:
{
"version_info": "2020-02-18T18:34:05Z/3",
"cluster": {
"name": "outbound|80||service2.default.svc.cluster.local",
"type": "EDS",
"eds_cluster_config": {
"eds_config": {
"ads": {}
},
"service_name": "outbound|80||service2.default.svc.cluster.local"
},
"connect_timeout": "10s",
"circuit_breakers": {
"thresholds": [
{
"max_connections": 4294967295,
"max_pending_requests": 4294967295,
"max_requests": 4294967295,
"max_retries": 4294967295
}
]
},
"http2_protocol_options": {
"max_concurrent_streams": 1073741824
},
"protocol_selection": "USE_DOWNSTREAM_PROTOCOL"
},
"last_updated": "2020-02-18T18:34:31.195Z"
},
Gateway:
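# Gateway server entry (indentation restored; the pasted snippet had it flattened).
port:
  name: https-demo-wildcard
  number: 443
  protocol: HTTPS
tls:
  # Same secret name the 443 listener pulls via tls_certificate_sds_secret_configs.
  credentialName: ingressgateway-wildcard-certs
  # Server-side TLS only; consistent with require_client_certificate: false in the listener dump.
  mode: SIMPLE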
Looks like we hit this code path:
cluster.ProtocolSelection = apiv2.Cluster_USE_DOWNSTREAM_PROTOCOL |
This path appears to assume that protocol sniffing has already occurred, but that is not the case at the gateway: the 443 listener above lists only envoy.listener.tls_inspector under listener_filters, with no HTTP protocol inspector, so the downstream protocol has not been sniffed.
This was reported on 1.4.4 (as a regression after upgrading from 1.2). Disabling protocol sniffing solved the issue; forcing HTTP/1.1 from the client with `curl --http1.1` also fixes it.