Downstream QUIC/HTTP3 Support

[tanujd11]

What type of PR is this?

Feature

What this PR does / why we need it:

Adds HTTP3 support in envoy gateway

Which issue(s) this PR fixes:

Fixes #422

[codecov]

Codecov Report

Attention: 49 lines in your changes are missing coverage. Please review.

Comparison is base (d13c329) 64.54% compared to head (83cbc59) 64.58%.

Files	Patch %	Lines
internal/ir/zz_generated.deepcopy.go	0.00%	20 Missing and 1 partial ⚠️
...frastructure/kubernetes/proxy/resource_provider.go	9.09%	9 Missing and 1 partial ⚠️
internal/xds/translator/listener.go	86.36%	6 Missing and 3 partials ⚠️
internal/xds/translator/translator.go	70.00%	6 Missing and 3 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2111      +/-   ##
==========================================
+ Coverage   64.54%   64.58%   +0.04%     
==========================================
  Files         112      112              
  Lines       15949    16072     +123     
==========================================
+ Hits        10294    10380      +86     
- Misses       5007     5040      +33     
- Partials      648      652       +4     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[arkodg]

thanks for building this out @tanujd11 ! , will start reviewing this post the v0.6 release

[arkodg]

hey @LanceEa can you help review this one ( since you have experience building this out before :) )

[arkodg]

lets make this *bool since its optional

[LanceEa]

I would recommend making it an object instead of a bool. This will future proof you more to provide addtional overrides.

For example, in the generated config you have AlpnProtocols: []string{"h3"} hard coded. Not all clients will recognize or support that. If you look at a simple google home page you can see their web server is configured to support h3=":443"; ma=2592000,h3-29=":443"; ma=2592000.

Other examples, are setting different ports to listen for the QUIC traffic on because many cloud providers do not support listening on the same incoming address. TBH, this is the tricky part to setting up H3 and the Envoy config is quite straight forward.

[LanceEa]

Note: you could start with an empty object and check for existence or not if you want to hold off on allow customizations right away but at least an object future proofs you to add going forward without breaking changes.

[arkodg]

I would love to just have a enable knob, but agree with @LanceEa, an empty struct maybe a good call for this API because some user may want to modify the listening port, and everyone loves tweaking port values to adhere with corp perimeter policies

[LanceEa]

I will defer to the maintainers on code coverage and general style but for the most part it looks good. I have left some feedback on the design and recommendations for future proofing it because support for mixedprotocols on the LoadBalancer Service and cloud vendors was limited last I looked.

[LanceEa]

I would recommend making it an object instead of a bool. This will future proof you more to provide addtional overrides.

For example, in the generated config you have AlpnProtocols: []string{"h3"} hard coded. Not all clients will recognize or support that. If you look at a simple google home page you can see their web server is configured to support h3=":443"; ma=2592000,h3-29=":443"; ma=2592000.

Other examples, are setting different ports to listen for the QUIC traffic on because many cloud providers do not support listening on the same incoming address. TBH, this is the tricky part to setting up H3 and the Envoy config is quite straight forward.

[LanceEa]

Note: you could start with an empty object and check for existence or not if you want to hold off on allow customizations right away but at least an object future proofs you to add going forward without breaking changes.

[LanceEa]

If I'm understanding this correctly we are only supporting a single port for this listener and then using the HTTP/3 flag to instruct the single ir.ProxyListener to generate a secondary listener for UDP/QUIC. This means the second listener would inherit the port correct?

If so you are more than likely going to want to allow that to be configurable because most cloud vendors were not supporting this last I knew (6+ months ago was the last time I looked so could have changed)

[LanceEa]

This comment is referring to mixed protocols on a single Service of type Loadbalancer.

[LanceEa]

You are going to want this to be configurable in the future, see my previous comment on the design of the ClientTrafficPolicy.

[LanceEa]

This port needs to be the port exposed externally outside the cluster to the client. So, in most cases involving a browser it is more than likely going to be :443 and not the listener port. The LoadBalancer of type Service then needs to point traffic to 10443. That is what I was referring to as the tricky part because a single Service doesn't always allow for MixedProtocol. note: that might have change since last time I looked into this but it is the more nuanced part to the setup.

[tanujd11]

Hi @LanceEa @arkodg I have made changes to the API making it as following

http3Settings:
  enabled: true

At the moment only enabled is there. I can raise a follow up PR to expose separate port for QUIC and other alt-svc configs. Till then this feature can be termed as experimental. WDYT?

[tanujd11]

Also it would be great if someone from @envoyproxy/gateway-reviewers / @envoyproxy/gateway-maintainers can try out the feature

[tanujd11]

/retest

[tanujd11]

/retest

[arkodg]

nit: can we reuse irListenerName and also check if irListenerName.Proxy != nil

[tanujd11]

Hi, I did not get this point. It seems irListenerName is a string. I need to get infraIR from the corresponding IrListenerName that's why I iterated listeners for a gateway.

[arkodg]

why is this true ?

[tanujd11]

As we removed NewProxyListener by default and only add it when needed(Since we replaced only 1 listener supported to multiple listener), there is no error generated in this test case, hence false. Before any empty listener was there which failed the validate function.

[arkodg]

should this live here on in the Gateway API layer ?

[tanujd11]

This is for opening UDP ports for only those ports which have HTTPS configured, That's a requirement for quic. So this condition is added here.

[arkodg]

will auto work ?
is there a way for us to support http3 but also support something else in case the client doesnt support it ?

[tanujd11]

Hi Arko, If HTTP3 is not supported then the other listener will be used. We have created a mirror UDP listener and the connection would be upgraded to HTTP3 according to the alt-svc header. So even if HTTP3 is not supported HTTP/HTTP2 will be used

[tanujd11]

/retest

[tanujd11]

/retest

[tanujd11]

Hi @arkodg , welcome back from the vacation. Your reviews on this will be greatly appreciated. Thanks.

[github-actions]

🚀 Deployed on https://gateway-pr-2111-preview--eg-preview.netlify.app

[arkodg]

LGTM, thanks for adding this feature !

[Xunzhuo]

/retest

[Xunzhuo]

Great! Thanks for working on it : )

[shawnh2]

lgtm

[Xunzhuo]

/cc @arkodg