Add http/2 support for haproxy router.

[ramr]

Adds http2 support for haproxy.
Ref: https://trello.com/c/qzvlzuyx/27-3-implement-router-http-2-support-terminating-at-the-router-router

To run:

$ oc adm router --latest-images=true
$ oc set env dc/router ROUTER_ENABLE_HTTP2=true
$ #  add edge secured and/or reencrypt routes:
$ #  Example: use routes from https://github.com/ramr/nodejs-header-echo

Test:

$ curl -k --http2 -vvv --resolve edge.header.test:443:127.0.0.1 https://edge.header.test/
$ curl -k --http2  -vvv --resolve reencrypt.header.test:443:127.0.0.1 https://reencrypt.header.test/

You should see that the protocol negotiation (between haproxy and the client) uses HTTP2 and there's a new header sent to the backend x-forwarded-proto-version: h2.

@ironcladlou @knobunc PTAL thx

[knobunc]

/hold
This is a 3.11 feature.

[knobunc]

/hold
This is a 3.11 feature.

[knobunc]

/lgtm
Can you add a docs PR for the environment variable please?

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: knobunc, ramr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• images/router/OWNERS [knobunc]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: knobunc, ramr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• images/router/OWNERS [knobunc]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ramr]

@knobunc ack on submitting a docs PR.

[ramr]

@knobunc ack on submitting a docs PR.

[pravisankar]

Minor comment otherwise LGTM

[pravisankar]

Do we really need ROUTER_ENABLE_HTTP2 env when we know that protocol downgrade happen automatically based on the client?

[ramr]

It is intentionally disabled by default as per the requirements in the trello card: https://trello.com/c/qzvlzuyx/27-3-implement-router-http-2-support-terminating-at-the-router-router (Acceptance criteria bullet 1)

Edited trello link pointer

[ironcladlou]

What is the underlying justification of the cited requirement for a new piece of config? What are the specific risks of always enabling http2? When would a user want to disable it?

[ramr]

So as re: your questions:
3. The flag is flipped ... in that it is disabled by default and has to be explicitly enabled by the user/admin.
2. I don't see risks to always enable http2 as we do downgrade the connections to http/1.x if http/2 is not supported but that said one reason I can see is this is a new feature (and so interactions with different/older clients are something to also consider) - making it more prudent to have a flag that enables it as needed.

1. @knobunc can probably more on the cited requirement. Suspect it might be 2 but ...

[knobunc]

Yeah, it's new in haproxy and there have already been security vulnerabilities around it. I want to let it soak for a while before turning it on all the time.

[ramr]

@pravisankar as re: your question on the call, to test protocol downgrade to as example http/1.0, use -0 with curl.
E.g. curl -0 -k -vvv --resolve reencrypt.header.test:443:127.0.0.1 https://reencrypt.header.test/

[ramr]

@pravisankar as re: your question on the call, to test protocol downgrade to as example http/1.0, use -0 with curl.
E.g. curl -0 -k -vvv --resolve reencrypt.header.test:443:127.0.0.1 https://reencrypt.header.test/

[ramr]

Associated docs PR: openshift/openshift-docs#10057

[ramr]

Associated docs PR: openshift/openshift-docs#10057

[smarterclayton]

When would we enable this by default? How do we get enough soak testing on this to enable by default?

[smarterclayton]

When would we enable this by default? How do we get enough soak testing on this to enable by default?

[knobunc]

@smarterclayton I'd enable it on int then starter in 3.11 and if all is well, enable by default in 3.12.

[knobunc]

@smarterclayton I'd enable it on int then starter in 3.11 and if all is well, enable by default in 3.12.

[knobunc]

/hold cancel

[knobunc]

/hold cancel

[knobunc]

/retest

[knobunc]

/retest

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[ironcladlou]

/retest

[ironcladlou]

/retest

[ramr]

/retest

[ramr]

/retest

[ramr]

/test gcp

[ramr]

/test gcp

[ramr]

flake #19679

[ramr]

flake #19679

[ramr]

/test gcp

[ramr]

/test gcp

[knobunc]

/retest

[knobunc]

/retest