Configure Downstream HTTP/3

Configuring HTTP/3 for downstream connections is as simple as setting listener.protocol in the Gateway CR to microgateway.airlock.com/http3. Note that HTTP/3 requires TLS 1.3, so listener.tls must be configured for HTTP/3 to work.

Example:
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: gateway-example
  namespace: example-backend-gw
spec:
  gatewayClassName: airlock-microgateway
  listeners:
    - name: http
      hostname: "*.example.com"
      port: 80
      protocol: HTTP
    - name: https
      hostname: "*.example.com"
      port: 443
      protocol: microgateway.airlock.com/http3
      tls:
        mode: Terminate
        certificateRefs:
          - name: downstream-server-certificate

Exposing HTTP/3

North-South

To use HTTP/3 from outside the cluster you can use a Service of type LoadBalancer. The problem is that some cloud providers do not support mixed protocols (UDP and TCP) on the same Service. Depending on the load balancer provider, you may therefore have to create two Services of type LoadBalancer manually to expose the Airlock Microgateway as Ingress with HTTP/3 support. In the example below we create two Services, one for TCP and one for UDP.

Example
apiVersion: v1
kind: Service
metadata:
  name: gateway-example-tcp
  namespace: example-backend-gw
spec:
  type: LoadBalancer
  ports:
    - appProtocol: http
      name: http
      port: 80
      protocol: TCP
      targetPort: 10080
    - appProtocol: https
      name: https
      port: 443
      protocol: TCP
      targetPort: 10443
  selector:
    gateway.networking.k8s.io/gateway-name: gateway-example
  externalTrafficPolicy: Local
---
apiVersion: v1
kind: Service
metadata:
  name: gateway-example-udp
  namespace: example-backend-gw
spec:
  type: LoadBalancer
  ports:
    - appProtocol: https
      name: https
      port: 443
      protocol: UDP
      targetPort: 10443
  selector:
    gateway.networking.k8s.io/gateway-name: gateway-example
  externalTrafficPolicy: Local
Notice

Cloud provider-specific annotations and configuration are omitted in this example. Consult the respective documentation on how to configure the Service for your environment.

Functional limitation

QUIC connection migration is currently not supported.

Exposing Airlock Microgateway with a Service of type NodePort currently breaks the advertisement of HTTP/3 via the alt-svc header, because the port in the header does not necessarily match the nodePort.
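As an added example (not part of the Airlock documentation), the following Python helper parses an Alt-Svc header as defined in RFC 7838 and reports whether each advertised HTTP/3 port is actually exposed over UDP; the header values and port sets are constructed, and the check is written generically so it applies to any Service type, not only NodePort.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample header values, not captured from a real deployment.
ALT_SVC_OK = 'h3=":443"; ma=86400, h3-29=":443"; ma=86400'
ALT_SVC_NODEPORT = 'h3=":443"; ma=86400'  # listener still says 443 behind a NodePort

@dataclass
class AltService:
    protocol: str
    host: str      # "" means "same host as the request"
    port: int
    max_age: int   # seconds; 86400 is the RFC 7838 default when "ma" is absent

def parse_alt_svc(header: str) -> list[AltService]:
    """Parse an Alt-Svc header value (RFC 7838) into its alternative services."""
    if header.strip().lower() == "clear":
        return []
    services: list[AltService] = []
    for alt_value in header.split(","):
        parts = [p.strip() for p in alt_value.split(";")]
        proto, _, authority = parts[0].partition("=")
        # alt-authority is a quoted "[host]:port"; rpartition keeps IPv6 hosts intact
        host, _, port = authority.strip().strip('"').rpartition(":")
        if not port.isdigit():
            continue  # skip malformed alternatives instead of failing the whole header
        max_age = 86400
        for param in parts[1:]:
            key, _, value = param.partition("=")
            if key.strip() == "ma" and value.strip().isdigit():
                max_age = int(value.strip())
        services.append(AltService(proto.strip(), host, int(port), max_age))
    return services

def h3_reachable_ports(header: str, exposed_udp_ports: set[int]) -> dict[int, bool]:
    """Map each advertised HTTP/3 port to whether UDP on that port is really exposed.

    A False entry is the failure mode described above: the browser tries QUIC on the
    advertised port, nothing answers there, and it silently stays on TCP (HTTP/1.1 or HTTP/2).
    """
    return {
        s.port: s.port in exposed_udp_ports
        for s in parse_alt_svc(header)
        if s.protocol.startswith("h3")
    }
```

Feed it the Alt-Svc value from a real response and the UDP ports of the Service that fronts the Gateway to see at a glance whether the advertisement can be honoured.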

Explanation

The selector uses the label gateway.networking.k8s.io/gateway-name, which is automatically added to the Deployment and Service of the Airlock Microgateway with the name of the Gateway CR as its value.

We set externalTrafficPolicy to Local to preserve the source IP address. With Local, the routing decision and load balancing are left to the load balancer.

Some load balancers, such as Google Cloud's External Load Balancer, may need sessionAffinity: ClientIP to track QUIC (HTTP/3) connections correctly, depending on the load balancer settings. Refer to your load balancer's documentation to check whether this is needed.

Note that the protocol in the Service gateway-example-udp is set to UDP.

East-West

The default settings of the Service created for the Microgateway are already sufficient, since Kubernetes supports mixed-protocol Services; HTTP/3 should therefore work out of the box.

Functional limitation

The limitations listed under North-South (no QUIC connection migration; a Service of type NodePort breaking the alt-svc advertisement of HTTP/3) apply to East-West traffic as well.

TLS Certificates issued by public CA

Most modern browsers support HTTP/3. They use the alt-svc header to determine whether a website supports HTTP/3. However, if the server certificate of that website is not signed by a Certificate Authority in the browser's default trust store, this will not work. Adding the CA to the browser manually will most likely not work either. One way to solve this issue is to use a certificate issued by a trusted CA such as Let's Encrypt. See Configuring the HTTP-01 Gateway API solver for more details.

Notice

What doesn't work

  • Self-signed TLS certificates
  • TLS certificates issued by private CA (even if the CA certificate is imported in the browser's truststore).