Istio: How to modify the h2UpgradePolicy globally?

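I want to upgrade all incoming HTTP 1.1 connections to HTTP2 in Istio. I understand how to achieve this with a destination rule for a specific namespace and pod.

However, I want to upgrade all connections in the service mesh from HTTP 1.1 to HTTP2. Even the documentation recommends this if the Istio sidecar is auto-injected: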

if sidecar is installed on all pods in the mesh, then this should be set to UPGRADE.

Can I update the "istio" ConfigMap under the "Istio-system" namespace?

If yes, what would the entry look like?

If not, please suggest how I can achieve this with minimal effort.

Indeed, you would set it in the istio ConfigMap, and it would look like this:

apiVersion: v1
data:
  mesh: |-
    accessLogEncoding: TEXT
    accessLogFile: /dev/stdout
    accessLogFormat: ""
    h2UpgradePolicy: UPGRADE        #<- here
    defaultConfig:
      concurrency: 2
      configPath: ./etc/istio/proxy

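Now, seeing whether it works is a bit tricky. I sent four requests: two without the h2UpgradePolicy parameter and two with h2UpgradePolicy: UPGRADE. But all four of my requests looked like this from the client: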

$ kubectl exec -it curler -- curl -I demo.istio
Defaulting container name to curler.
Use 'kubectl describe pod/curler -n default' to see all of the containers in this pod.
HTTP/1.1 200 OK
server: envoy
date: Mon, 22 Jun 2020 13:05:53 GMT
content-type: text/html
content-length: 612
last-modified: Tue, 26 May 2020 15:00:20 GMT
etag: "5ecd2f04-264"
accept-ranges: bytes
x-envoy-upstream-service-time: 1

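I am sending the requests from outside the mesh, because from inside I get HTTP2 by default. So in my case mTLS is disabled, but that does not matter.

To see whether it works, you can check the logs of the downstream proxy: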

...
[2020-06-22T13:03:03.942Z] "HEAD / HTTP/1.1" 200 - "-" "-" 0 0 0 0 "-" "curl/7.59.0" "a7c32d21-dcea-95da-b7c1-67c5783a1641" "demo.istio" "127.0.0.1:80" inbound|80|http|demo.istio.svc.cluster.local 127.0.0.1:33180 192.168.72.186:80 192.168.66.168:34814 outbound_.80_._.demo.istio.svc.cluster.local default
[2020-06-22T13:03:05.245Z] "HEAD / HTTP/1.1" 200 - "-" "-" 0 0 0 0 "-" "curl/7.59.0" "409b3432-365f-94fe-87cd-8a85b586b42d" "demo.istio" "127.0.0.1:80" inbound|80|http|demo.istio.svc.cluster.local 127.0.0.1:60952 192.168.72.186:80 192.168.66.168:34830 outbound_.80_._.demo.istio.svc.cluster.local default
[2020-06-22T13:03:36.732Z] "HEAD / HTTP/2" 200 - "-" "-" 0 0 0 0 "-" "curl/7.59.0" "45dd94e5-6f29-9114-b09f-bda065dfd1eb" "demo.istio" "127.0.0.1:80" inbound|80|http|demo.istio.svc.cluster.local 127.0.0.1:33180 192.168.72.186:80 192.168.66.168:35120 outbound_.80_._.demo.istio.svc.cluster.local default
[2020-06-22T13:03:38.743Z] "HEAD / HTTP/2" 200 - "-" "-" 0 0 0 0 "-" "curl/7.59.0" "79e72286-f247-9ed0-b510-2819a886c7f9" "demo.istio" "127.0.0.1:80" inbound|80|http|demo.istio.svc.cluster.local 127.0.0.1:33180 192.168.72.186:80 192.168.66.168:35120 outbound_.80_._.demo.istio.svc.cluster.local default

Very important: for this to work, the service in front of the downstream peer must have a named port, and it must be called http

apiVersion: v1
kind: Service
metadata:
  name: demo
spec:
  ports:
  - name: http      #<- this parameter is mandatory to upgrade to HTTP2
    port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: nginx
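
One way to automate the log check described in the answer, as an added example that is not part of the original post. The function names and the sample log lines are constructed for illustration, and the log layout is assumed to be the TEXT access-log format shown in the excerpt above.

```shell
#!/bin/sh
# Verify an h2UpgradePolicy change from sidecar access logs (TEXT format).
# Live use (pod name is a placeholder):
#   kubectl logs <server-pod> -c istio-proxy | proto_counts

# Emit "timestamp cluster protocol" for each inbound access-log line.
parse_inbound() {
  awk -F'"' 'NF >= 3 {
    n = split($2, req, " ")                  # request line: METHOD PATH PROTOCOL
    split($NF, tail, " ")                    # text after the last quoted field
    ts = substr($1, 2, index($1, "]") - 2)   # timestamp without the brackets
    if (n == 3 && index(tail[1], "inbound|") == 1) print ts, tail[1], req[3]
  }'
}

# Print "cluster protocol count", one line per combination.
proto_counts() {
  parse_inbound | awk '{ c[$2 " " $3]++ } END { for (k in c) print k, c[k] }' |
    LC_ALL=C sort
}

# Count inbound HTTP/1.x requests logged at or after timestamp $1
# (ISO-8601 UTC, e.g. the moment the mesh config was applied).
http1_since() {
  parse_inbound | awk -v since="$1" \
    '($1 "") >= (since "") && $3 ~ /^HTTP\/1/ { n++ } END { print n + 0 }'
}

# Constructed sample modelled on the log excerpt above (IDs and IPs made up).
sample_log() {
  cat <<'EOF'
[2020-06-22T13:03:03.942Z] "HEAD / HTTP/1.1" 200 - "-" "-" 0 0 0 0 "-" "curl/7.59.0" "id-1" "demo.istio" "127.0.0.1:80" inbound|80|http|demo.istio.svc.cluster.local 127.0.0.1:33180 10.0.0.5:80 10.0.0.9:34814 outbound_.80_._.demo.istio.svc.cluster.local default
[2020-06-22T13:03:05.245Z] "HEAD / HTTP/1.1" 200 - "-" "-" 0 0 0 0 "-" "curl/7.59.0" "id-2" "demo.istio" "127.0.0.1:80" inbound|80|http|demo.istio.svc.cluster.local 127.0.0.1:60952 10.0.0.5:80 10.0.0.9:34830 outbound_.80_._.demo.istio.svc.cluster.local default
[2020-06-22T13:03:36.732Z] "HEAD / HTTP/2" 200 - "-" "-" 0 0 0 0 "-" "curl/7.59.0" "id-3" "demo.istio" "127.0.0.1:80" inbound|80|http|demo.istio.svc.cluster.local 127.0.0.1:33180 10.0.0.5:80 10.0.0.9:35120 outbound_.80_._.demo.istio.svc.cluster.local default
[2020-06-22T13:03:38.743Z] "HEAD / HTTP/2" 200 - "-" "-" 0 0 0 0 "-" "curl/7.59.0" "id-4" "demo.istio" "127.0.0.1:80" inbound|80|http|demo.istio.svc.cluster.local 127.0.0.1:33180 10.0.0.5:80 10.0.0.9:35120 outbound_.80_._.demo.istio.svc.cluster.local default
EOF
}

sample_log | proto_counts
echo "HTTP/1.x since 13:03:30: $(sample_log | http1_since 2020-06-22T13:03:30Z)"
```

A non-zero count after the change was applied is a cue to check the Service port name, which the answer calls mandatory for the upgrade.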