Is it possible to enable HTTP/2 with TLS (mTLS) termination on Istio Gateway? And then forward traffic to the application with HTTP/2?
- If your web-server supports HTTP2 protocol then there shouldn't be any issues. There is an [answer](https://stackoverflow.com/a/62515383/11977760) created by @suren about that, you can follow it to modify the h2UpgradePolicy globally to upgrade all incoming http 1.1 connections to http2. – Jakub Aug 20 '20 at 13:06
- When the http/2 request comes, will the TCP connection be kept until the Istio ingress gateway or until the web application? – Parviz Rozikov Aug 20 '20 at 13:38
- As far as I know the connection should be kept until the web app. Ingress gateway will be responsible for passing the request through if it's http2, or for upgrading it from http to http2 if it's http. – Jakub Aug 21 '20 at 05:11
2 Answers
Yes, this is possible. HTTP/2 between your services is negotiated in the ALPN (during mTLS handshake).
You can then forward traffic from sidecar proxy to your application container with HTTP/2 by setting your service port name (protocol selection) to `http2`.
An example service for your app:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: myapp
spec:
  ports:
  - port: 8080   # port exposed by the Service
    name: http2  # protocol selection by name - important to have http2 here
```

If your web-server supports HTTP2 protocol then there shouldn't be any issues.
When the http/2 request comes, will the TCP connection be kept until the Istio ingress gateway or until the web application?
As far as I know the connection should be kept until the web app. Ingress gateway will be responsible for passing the request through if it's http2, or for upgrading it from http1.1 to http2 if it's http1.1.
As @suren mentioned in his answer here
You can set h2UpgradePolicy in the istio configMap and it's gonna upgrade all incoming http 1.1 connections to http2, so only connections with http2 will pass through.
VERY IMPORTANT: To make it work, the service in front of the downstream peer must have a named port, and it must be called http
```yaml
apiVersion: v1
kind: Service
metadata:
  name: demo
spec:
  ports:
  - name: http # <- this parameter is mandatory to upgrade to HTTP2
    port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: nginx
```
Additionally, there is a way to achieve this with a Destination Rule for a particular namespace and pod: you can use ConnectionPoolSettings.HTTPSettings.H2UpgradePolicy, which upgrades http1.1 connections to http2.

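The setup discussed in the question and both answers, put together as an added example (not code from either answer): a Gateway that terminates mTLS, a route to the `myapp` Service from the first answer, and the per-service `h2UpgradePolicy` DestinationRule from the second. The gateway name, hostname `myapp.example.com` and secret name `myapp-credential` are hypothetical placeholders.

```yaml
# Added example; resource names, the hostname and the secret are placeholders.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: myapp-gateway
spec:
  selector:
    istio: ingressgateway            # default ingress gateway workload label
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: MUTUAL                   # terminate TLS and require a client certificate
      # Secret in the ingress gateway's namespace holding tls.crt, tls.key and ca.crt
      credentialName: myapp-credential
    hosts:
    - myapp.example.com
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: myapp
spec:
  hosts:
  - myapp.example.com
  gateways:
  - myapp-gateway
  http:
  - route:
    - destination:
        host: myapp
        port:
          number: 8080               # the Service port named "http2" in the first answer
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: myapp-h2
spec:
  host: myapp
  trafficPolicy:
    connectionPool:
      http:
        h2UpgradePolicy: UPGRADE     # upgrade HTTP/1.1 connections to this host to HTTP/2
```

With `mode: MUTUAL` the gateway rejects clients that do not present a certificate chaining to `ca.crt`; `mode: SIMPLE` would terminate TLS without authenticating the client.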