add per-httpproxy http-version support

Signed-off-by: Ahmad Karimi <[email protected]>

apis/projectcontour/v1/httpproxy.go

@@ -18,6 +18,10 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
+// HttpVersion is an alias to enforce validation
+// +kubebuilder:validation:Enum=h2;http/1.1
+type HttpVersion string
+
 // HTTPProxySpec defines the spec of the CRD.
 type HTTPProxySpec struct {
 	// Virtualhost appears at most once. If it is present, the object is considered
@@ -40,6 +44,11 @@ type HTTPProxySpec struct {
 	// is given precedence over this field.
 	// +optional
 	IngressClassName string `json:"ingressClassName,omitempty"`
+
+	// HttpVersions specify the http versions to offer for this HTTPProxy.
+	// If empty, the DefaultHTTPVersions from v1alpha1.EnvoyConfig will be used.
+	// It is ignored when TCPProxy is set.
+	HttpVersions []HttpVersion `json:"httpVersions,omitempty"`
 }
 
 // Include describes a set of policies that can be applied to an HTTPProxy in a namespace.

changelogs/unreleased/5802-therealak12-small.md

@@ -0,0 +1 @@
+Adds HttpVersions field to HTTPProxy spec. The field is used to specify ALPNProtocols on the corresponding tls context.

examples/contour/01-crds.yaml

@@ -5011,6 +5011,17 @@ spec:
           spec:
             description: HTTPProxySpec defines the spec of the CRD.
             properties:
+              httpVersions:
+                description: HttpVersions specify the http versions to offer for this
+                  HTTPProxy. If empty, the DefaultHTTPVersions from v1alpha1.EnvoyConfig
+                  will be used. It is ignored when TCPProxy is set.
+                items:
+                  description: HttpVersion is an alias to enforce validation
+                  enum:
+                  - h2
+                  - http/1.1
+                  type: string
+                type: array
               includes:
                 description: Includes allow for specific routing configuration to
                   be included from another HTTPProxy, possibly in another namespace.

examples/render/contour-deployment.yaml

@@ -5230,6 +5230,17 @@ spec:
           spec:
             description: HTTPProxySpec defines the spec of the CRD.
             properties:
+              httpVersions:
+                description: HttpVersions specify the http versions to offer for this
+                  HTTPProxy. If empty, the DefaultHTTPVersions from v1alpha1.EnvoyConfig
+                  will be used. It is ignored when TCPProxy is set.
+                items:
+                  description: HttpVersion is an alias to enforce validation
+                  enum:
+                  - h2
+                  - http/1.1
+                  type: string
+                type: array
               includes:
                 description: Includes allow for specific routing configuration to
                   be included from another HTTPProxy, possibly in another namespace.

examples/render/contour-gateway-provisioner.yaml

@@ -5022,6 +5022,17 @@ spec:
           spec:
             description: HTTPProxySpec defines the spec of the CRD.
             properties:
+              httpVersions:
+                description: HttpVersions specify the http versions to offer for this
+                  HTTPProxy. If empty, the DefaultHTTPVersions from v1alpha1.EnvoyConfig
+                  will be used. It is ignored when TCPProxy is set.
+                items:
+                  description: HttpVersion is an alias to enforce validation
+                  enum:
+                  - h2
+                  - http/1.1
+                  type: string
+                type: array
               includes:
                 description: Includes allow for specific routing configuration to
                   be included from another HTTPProxy, possibly in another namespace.

examples/render/contour-gateway.yaml

@@ -5233,6 +5233,17 @@ spec:
           spec:
             description: HTTPProxySpec defines the spec of the CRD.
             properties:
+              httpVersions:
+                description: HttpVersions specify the http versions to offer for this
+                  HTTPProxy. If empty, the DefaultHTTPVersions from v1alpha1.EnvoyConfig
+                  will be used. It is ignored when TCPProxy is set.
+                items:
+                  description: HttpVersion is an alias to enforce validation
+                  enum:
+                  - h2
+                  - http/1.1
+                  type: string
+                type: array
               includes:
                 description: Includes allow for specific routing configuration to
                   be included from another HTTPProxy, possibly in another namespace.

examples/render/contour.yaml

@@ -5230,6 +5230,17 @@ spec:
           spec:
             description: HTTPProxySpec defines the spec of the CRD.
             properties:
+              httpVersions:
+                description: HttpVersions specify the http versions to offer for this
+                  HTTPProxy. If empty, the DefaultHTTPVersions from v1alpha1.EnvoyConfig
+                  will be used. It is ignored when TCPProxy is set.
+                items:
+                  description: HttpVersion is an alias to enforce validation
+                  enum:
+                  - h2
+                  - http/1.1
+                  type: string
+                type: array
               includes:
                 description: Includes allow for specific routing configuration to
                   be included from another HTTPProxy, possibly in another namespace.

internal/dag/dag.go

@@ -793,6 +793,9 @@ type SecureVirtualHost struct {
 
 	// JWTProviders specify how to verify JWTs.
 	JWTProviders []JWTProvider
+
+	// AlpnProtos specify the HTTP version to offer for this vhost
+	HttpVersions []string
 }
 
 type JWTProvider struct {

internal/dag/httpproxy_processor.go

@@ -263,6 +263,7 @@ func (p *HTTPProxyProcessor) computeHTTPProxy(proxy *contour_api_v1.HTTPProxy) {
 			svhost.Secret = sec
 			svhost.MinTLSVersion = minTLSVer
 			svhost.MaxTLSVersion = maxTLSVer
+			svhost.HttpVersions = p.getSortedHttpVersions(proxy)
 
 			// Check if FallbackCertificate && ClientValidation are both enabled in the same vhost
 			if tls.EnableFallbackCertificate && tls.ClientValidation != nil {
@@ -1473,6 +1474,21 @@ func (p *HTTPProxyProcessor) GlobalAuthorizationContext() map[string]string {
 	return nil
 }
 
+// getSortedHttpVersions returns and empty slice or ["h2", "http/1.1"] or ["http/1.1"].
+// This is done to conform with how envoy expects AlpnProtocols in tlsv3.CommonTlsContext.
+func (p *HTTPProxyProcessor) getSortedHttpVersions(proxy *contour_api_v1.HTTPProxy) []string {
+	proxyHttpVersions := proxy.Spec.HttpVersions
+	if len(proxyHttpVersions) == 0 {
+		return nil
+	}
+	for _, httpVersion := range proxyHttpVersions {
+		if httpVersion == "h2" {
+			return []string{"h2", "http/1.1"}
+		}
+	}
+	return []string{"http/1.1"}
+}
+
 // expandPrefixMatches adds new Routes to account for the difference
 // between prefix replacement when matching on '/foo' and '/foo/'.
 //

internal/xdscache/v3/listener.go

@@ -502,7 +502,11 @@ func (c *ListenerCache) OnChange(root *dag.DAG) {
 
 				filters = envoy_v3.Filters(cm)
 
-				alpnProtos = envoy_v3.ProtoNamesForVersions(cfg.DefaultHTTPVersions...)
+				if len(vh.HttpVersions) != 0 {
+					alpnProtos = vh.HttpVersions
+				} else {
+					alpnProtos = envoy_v3.ProtoNamesForVersions(cfg.DefaultHTTPVersions...)
+				}
 			} else {
 				filters = envoy_v3.Filters(envoy_v3.TCPProxy(listener.Name, vh.TCPProxy, cfg.newSecureAccessLog()))
 

site/content/docs/main/config/api-reference.html

@@ -161,6 +161,22 @@ <h3 id="projectcontour.io/v1.HTTPProxy">HTTPProxy
 is given precedence over this field.</p>
 </td>
 </tr>
+<tr>
+<td style="white-space:nowrap">
+<code>httpVersions</code>
+<br>
+<em>
+<a href="#projectcontour.io/v1.HttpVersion">
+[]HttpVersion
+</a>
+</em>
+</td>
+<td>
+<p>HttpVersions specify the http versions to offer for this HTTPProxy.
+If empty, the DefaultHTTPVersions from v1alpha1.EnvoyConfig will be used.
+It is ignored when TCPProxy is set.</p>
+</td>
+</tr>
 </table>
 </td>
 </tr>
@@ -1608,6 +1624,22 @@ <h3 id="projectcontour.io/v1.HTTPProxySpec">HTTPProxySpec
 is given precedence over this field.</p>
 </td>
 </tr>
+<tr>
+<td style="white-space:nowrap">
+<code>httpVersions</code>
+<br>
+<em>
+<a href="#projectcontour.io/v1.HttpVersion">
+[]HttpVersion
+</a>
+</em>
+</td>
+<td>
+<p>HttpVersions specify the http versions to offer for this HTTPProxy.
+If empty, the DefaultHTTPVersions from v1alpha1.EnvoyConfig will be used.
+It is ignored when TCPProxy is set.</p>
+</td>
+</tr>
 </tbody>
 </table>
 <h3 id="projectcontour.io/v1.HTTPProxyStatus">HTTPProxyStatus
@@ -2140,6 +2172,15 @@ <h3 id="projectcontour.io/v1.HeadersPolicy">HeadersPolicy
 </tr>
 </tbody>
 </table>
+<h3 id="projectcontour.io/v1.HttpVersion">HttpVersion
+(<code>string</code> alias)</p></h3>
+<p>
+(<em>Appears on:</em>
+<a href="#projectcontour.io/v1.HTTPProxySpec">HTTPProxySpec</a>)
+</p>
+<p>
+<p>HttpVersion is an alias to enforce validation</p>
+</p>
 <h3 id="projectcontour.io/v1.IPFilterPolicy">IPFilterPolicy
 </h3>
 <p>