bug: add h3 alpn by default if http3 is enabled (envoyproxy#2887)

Fixes: envoyproxy#2875 Signed-off-by: Arko Dasgupta <[email protected]>
deszhou · Mar 12, 2024 · 01a123a · 01a123a
1 parent 76340b5
commit 01a123a
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 9 deletions.
diff --git a/internal/xds/translator/listener.go b/internal/xds/translator/listener.go
@@ -277,12 +277,12 @@ func (t *Translator) addXdsHTTPFilterChain(xdsListener *listenerv3.Listener, irL
 	if irListener.TLS != nil {
 		var tSocket *corev3.TransportSocket
 		if http3Listener {
-			tSocket, err = buildDownstreamQUICTransportSocket(irListener.TLS)
+			tSocket, err = buildDownstreamQUICTransportSocket(irListener.TLS, http3Listener)
 			if err != nil {
 				return err
 			}
 		} else {
-			tSocket, err = buildXdsDownstreamTLSSocket(irListener.TLS)
+			tSocket, err = buildXdsDownstreamTLSSocket(irListener.TLS, http3Listener)
 			if err != nil {
 				return err
 			}
@@ -388,7 +388,7 @@ func addXdsTCPFilterChain(xdsListener *listenerv3.Listener, irListener *ir.TCPLi
 	}
 
 	if isTLSTerminate {
-		tSocket, err := buildXdsDownstreamTLSSocket(irListener.TLS.Terminate)
+		tSocket, err := buildXdsDownstreamTLSSocket(irListener.TLS.Terminate, false)
 		if err != nil {
 			return err
 		}
@@ -427,12 +427,12 @@ func addXdsTLSInspectorFilter(xdsListener *listenerv3.Listener) error {
 	return nil
 }
 
-func buildDownstreamQUICTransportSocket(tlsConfig *ir.TLSConfig) (*corev3.TransportSocket, error) {
+func buildDownstreamQUICTransportSocket(tlsConfig *ir.TLSConfig, http3Listener bool) (*corev3.TransportSocket, error) {
 	tlsCtx := &quicv3.QuicDownstreamTransport{
 		DownstreamTlsContext: &tlsv3.DownstreamTlsContext{
 			CommonTlsContext: &tlsv3.CommonTlsContext{
 				TlsParams:     buildTLSParams(tlsConfig),
-				AlpnProtocols: buildALPNProtocols(tlsConfig.ALPNProtocols),
+				AlpnProtocols: buildALPNProtocols(tlsConfig.ALPNProtocols, http3Listener),
 			},
 		},
 	}
@@ -468,11 +468,11 @@ func buildDownstreamQUICTransportSocket(tlsConfig *ir.TLSConfig) (*corev3.Transp
 	}, nil
 }
 
-func buildXdsDownstreamTLSSocket(tlsConfig *ir.TLSConfig) (*corev3.TransportSocket, error) {
+func buildXdsDownstreamTLSSocket(tlsConfig *ir.TLSConfig, http3Listener bool) (*corev3.TransportSocket, error) {
 	tlsCtx := &tlsv3.DownstreamTlsContext{
 		CommonTlsContext: &tlsv3.CommonTlsContext{
 			TlsParams:                      buildTLSParams(tlsConfig),
-			AlpnProtocols:                  buildALPNProtocols(tlsConfig.ALPNProtocols),
+			AlpnProtocols:                  buildALPNProtocols(tlsConfig.ALPNProtocols, http3Listener),
 			TlsCertificateSdsSecretConfigs: []*tlsv3.SdsSecretConfig{},
 		},
 	}
@@ -551,9 +551,13 @@ func buildTLSVersion(version *ir.TLSVersion) tlsv3.TlsParameters_TlsProtocol {
 	return tlsv3.TlsParameters_TLS_AUTO
 }
 
-func buildALPNProtocols(alpn []string) []string {
+func buildALPNProtocols(alpn []string, http3Listener bool) []string {
 	if len(alpn) == 0 {
-		return []string{"h2", "http/1.1"}
+		out := []string{"h2", "http/1.1"}
+		if http3Listener {
+			out = append(out, "h3")
+		}
+		return out
 	}
 	return alpn
 }

diff --git a/internal/xds/translator/testdata/out/xds-ir/http3.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http3.listeners.yaml
@@ -42,6 +42,7 @@
             alpnProtocols:
             - h2
             - http/1.1
+            - h3
             tlsCertificateSdsSecretConfigs:
             - name: envoy-gateway-tls-secret-1
               sdsConfig: