If your route type is "termination: edge" then your backend may still need http2 (e.g., gRPC servers). To support such configurations the "server" line in the haproxy config needs to change from "alpn h2,http1.1" to "proto h2". The "proto h2" directive allows HAProxy to communicate using HTTP/2 without TLS, such as HTTP/2-enabled backends like Varnish and H2O, and gRPC servers. There is a PR open that implements this: https://github.com/openshift/router/pull/104
I’m adding UpcomingSprint, because I was occupied by fixing bugs with higher priority/severity, developing new features with higher priority, or developing new features to improve stability at a macro level. I will revisit this bug next sprint.
Target reset from 4.6 to 4.7 while investigation is either ongoing or not yet started. Will be considered for earlier release versions when diagnosed and resolved.
Just wanted to mention that serverless (Knative) cannot support gRPC/HTTP2 due to this issue. Here is our tracking JIRA ticket https://issues.redhat.com/browse/SRVKS-211 which has been open since last year. Although we haven't got any critical escalation yet, we were sometimes asked about it.
Tagging with UpcomingSprint while investigation is either ongoing or pending. Will be considered for earlier release versions when diagnosed and resolved.
We'll move this to 4.10 due to lack of review bandwidth and the risk of making this change this close to code freeze. We can backport it to 4.9.z if needed.
Verified in "4.10.0-0.nightly-2021-11-09-181140" release. With this version, it is observed that the "h2" flag is getting applied properly on the backend that connects over http2:
-------
oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.10.0-0.nightly-2021-11-09-181140   True        False         5h8m    Cluster version is 4.10.0-0.nightly-2021-11-09-181140

oc get all
NAME               READY   STATUS    RESTARTS   AGE
pod/grpc-interop   1/1     Running   0          84m

NAME                   TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)             AGE
service/grpc-interop   ClusterIP   172.30.170.175   <none>        1110/TCP,8443/TCP   21m

NAME                                         HOST/PORT                                                               PATH   SERVICES       PORT   TERMINATION     WILDCARD
route.route.openshift.io/grpc-interop-edge   grpc-interop-edge-test2.apps.aiyengar410b.qe.devcluster.openshift.com          grpc-interop   1110   edge/Redirect   None

Haproxy backend configuration:
backend be_edge_http:test2:grpc-interop-edge
  mode http
  option redispatch
  option forwardfor
  balance leastconn
  timeout check 5000ms
  http-request add-header X-Forwarded-Host %[req.hdr(host)]
  http-request add-header X-Forwarded-Port %[dst_port]
  http-request add-header X-Forwarded-Proto http if !{ ssl_fc }
  http-request add-header X-Forwarded-Proto https if { ssl_fc }
  http-request add-header X-Forwarded-Proto-Version h2 if { ssl_fc_alpn -i h2 }
  http-request add-header Forwarded for=%[src];host=%[req.hdr(host)];proto=%[req.hdr(X-Forwarded-Proto)]
  cookie 9ad8d0bbc0bfab078a3056b6e254ba58 insert indirect nocache httponly secure attr SameSite=None
  server pod:grpc-interop:grpc-interop:h2c:10.128.2.34:1110 10.128.2.34:1110 cookie 223736a291101c9209aa6d0d49da8422 weight 256 proto h2 check inter 5000ms   <----
-------
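The manual check from the verification comment above, automated as an added example (not part of the bug thread or of the router's code): it parses an HAProxy config and classifies each server of an edge backend by whether it carries "proto h2". The second backend in the sample, the function names and the status labels are constructed for illustration.

```python
# Constructed sample: the first backend is trimmed from the verification
# output above; the second backend is invented for contrast.
SAMPLE_CONFIG = """\
backend be_edge_http:test2:grpc-interop-edge
  server pod:grpc-interop:grpc-interop:h2c:10.128.2.34:1110 10.128.2.34:1110 cookie 223736a291101c9209aa6d0d49da8422 weight 256 proto h2 check inter 5000ms
backend be_edge_http:test2:plain-http
  server pod:web:web:http:10.128.2.35:8080 10.128.2.35:8080 weight 256 check inter 5000ms
"""
SECTIONS = ("global", "defaults", "frontend", "backend", "listen")

def _value_after(opts, keyword):
    """Return the token following `keyword` in a server line's options."""
    for i, tok in enumerate(opts[:-1]):
        if tok == keyword:
            return opts[i + 1]
    return None

def parse_servers(config_text):
    """Map each backend name to its servers' (name, proto, alpn) tuples."""
    backends, current = {}, None
    for line in config_text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        if tokens[0] in SECTIONS:
            current = tokens[1] if tokens[0] == "backend" and len(tokens) > 1 else None
            if current is not None:
                backends[current] = []
        elif tokens[0] == "server" and current is not None and len(tokens) >= 3:
            opts = tokens[3:]
            backends[current].append(
                (tokens[1], _value_after(opts, "proto"), _value_after(opts, "alpn")))
    return backends

def edge_report(config_text):
    """Classify every server of an edge backend by how HTTP/2 is configured."""
    report = []
    for backend, servers in parse_servers(config_text).items():
        if not backend.startswith("be_edge_http:"):
            continue
        for name, proto, alpn in servers:
            if proto == "h2":
                status = "h2c"        # cleartext HTTP/2, as verified above
            elif alpn:
                status = "alpn-only"  # ALPN is a TLS extension; no effect on a cleartext hop
            else:
                status = "http/1.1"
            report.append((backend, name, status))
    return report
```
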
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:0056