envoyproxy · mattklein123 · Dec 15, 2020 · Oct 22, 2020 · Nov 9, 2020 · Nov 9, 2020
diff --git a/api/envoy/config/cluster/v3/cluster.proto b/api/envoy/config/cluster/v3/cluster.proto
@@ -135,9 +135,12 @@ message Cluster {
   }
 
   enum ClusterProtocolSelection {
-    // Cluster can only operate on one of the possible upstream protocols (HTTP1.1, HTTP2).
-    // If :ref:`http2_protocol_options <envoy_api_field_config.cluster.v3.Cluster.http2_protocol_options>` are
-    // present, HTTP2 will be used, otherwise HTTP1.1 will be used.
+    // If both :ref:`http2_protocol_options <envoy_api_field_config.cluster.v3.Cluster.http2_protocol_options>`
+    // and :ref:`http_protocol_options <envoy_api_field_config.cluster.v3.Cluster.http_protocol_options>` are
+    // configured, Envoy will attempt to do ALPN negotiation for TLS connections, failing
+    // over to HTTP/1.1 if ALPN negotiation fails.
+    // If only one protocol option is present it will be used as the hard-coded
+    // protocol. If neither is present, HTTP/1.1 will be used.
     USE_CONFIGURED_PROTOCOL = 0;
 
     // Use HTTP1.1 or HTTP2, depending on which one is used on the downstream connection.
@@ -767,14 +770,14 @@ message Cluster {
 
   // HTTP protocol options that are applied only to upstream HTTP connections.
   // These options apply to all HTTP versions.
-  core.v3.UpstreamHttpProtocolOptions upstream_http_protocol_options = 46;
+  core.v3.UpstreamHttpProtocolOptions upstream_http_protocol_options = 46 [deprecated = true];
 
   // Additional options when handling HTTP requests upstream. These options will be applicable to
   // both HTTP1 and HTTP2 requests.
-  core.v3.HttpProtocolOptions common_http_protocol_options = 29;
+  core.v3.HttpProtocolOptions common_http_protocol_options = 29 [deprecated = true];
 
   // Additional options when handling HTTP1 requests.
-  core.v3.Http1ProtocolOptions http_protocol_options = 13;
+  core.v3.Http1ProtocolOptions http_protocol_options = 13 [deprecated = true];
 
   // Even if default HTTP2 protocol options are desired, this field must be
   // set so that Envoy will assume that the upstream supports HTTP/2 when
@@ -783,7 +786,7 @@ message Cluster {
   // with ALPN, `http2_protocol_options` must be specified. As an aside this allows HTTP/2
   // connections to happen over plain text.
   core.v3.Http2ProtocolOptions http2_protocol_options = 14
-      [(udpa.annotations.security).configure_for_untrusted_upstream = true];
+      [deprecated = true, (udpa.annotations.security).configure_for_untrusted_upstream = true];
 
   // The extension_protocol_options field is used to provide extension-specific protocol options
   // for upstream connections. The key should match the extension filter name, such as
@@ -913,7 +916,7 @@ message Cluster {
   core.v3.Metadata metadata = 25;
 
   // Determines how Envoy selects the protocol used to speak to upstream hosts.
-  ClusterProtocolSelection protocol_selection = 26;
+  ClusterProtocolSelection protocol_selection = 26 [deprecated = true];
 
   // Optional options for upstream connections.
   UpstreamConnectionOptions upstream_connection_options = 30;

diff --git a/api/envoy/config/cluster/v4alpha/cluster.proto b/api/envoy/config/cluster/v4alpha/cluster.proto
diff --git a/...envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto b/...envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto
@@ -834,3 +834,50 @@ message RequestIDExtension {
   // Request ID extension specific configuration.
   google.protobuf.Any typed_config = 1;
 }
+
+// If this is used, the cluster will only operate on one of the possible upstream protocols (HTTP/1.1, HTTP/2).
+// If :ref:`http2_protocol_options <envoy_api_field_config.cluster.v3.Cluster.http2_protocol_options>` are
+// present, HTTP2 will be used, otherwise HTTP1.1 will be used.
+message ExplicitHttpConfig {
+  oneof protocol_config {
+    config.core.v3.Http1ProtocolOptions http_protocol_options = 1;
+
+    config.core.v3.Http1ProtocolOptions http2_protocol_options = 2;
+  }
+}
+
+// If this is used, the cluster can use either of the configured protocols, and
+// will use whichecer protocol was used by the downstream connection.
+message UseDownstreamHttpConfig {
+  config.core.v3.Http1ProtocolOptions http_protocol_options = 1;
+
+  config.core.v3.Http1ProtocolOptions http2_protocol_options = 2;
+}
+
+// If this is used, Envoy will negotiate ALPN to determine if HTTP/1 or HTTP/2 should be used.
+message AlpnHttpConfig {
+  config.core.v3.Http1ProtocolOptions http_protocol_options = 3;
+
+  config.core.v3.Http1ProtocolOptions http2_protocol_options = 4;
+}
+
+// HttpProtocolOptions specifies Http upstream protocol options. This object
+// is used in
+// :ref:`typed_extension_protocol_options<envoy_api_field_config.cluster.v3.Cluster.typed_extension_protocol_options>`,
+// // keyed by the name `envoy.filters.network.http_connection_manager`.
+//
+// This controls what protocol should be used for upstream.
+// [#next-free-field: 6]
+message HttpProtocolOptions {
+  config.core.v3.HttpProtocolOptions common_http_protocol_options = 1;
+
+  config.core.v3.UpstreamHttpProtocolOptions upstream_http_protocol_options = 2;
+
+  oneof upstream_protocol_options {
+    ExplicitHttpConfig explicit_http_config = 3;
+
+    UseDownstreamHttpConfig use_downstream_protocol_config = 4;
+
+    AlpnHttpConfig alpn_config = 5;
+  }
+}
diff --git a/.../extensions/filters/network/http_connection_manager/v4alpha/http_connection_manager.proto b/.../extensions/filters/network/http_connection_manager/v4alpha/http_connection_manager.proto
diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst
@@ -49,6 +49,7 @@ New Features
 * hds: added support for delta updates in the :ref:`HealthCheckSpecifier <envoy_v3_api_msg_service.health.v3.HealthCheckSpecifier>`, making only the Endpoints and Health Checkers that changed be reconstructed on receiving a new message, rather than the entire HDS.
 * health_check: added option to use :ref:`no_traffic_healthy_interval <envoy_v3_api_field_config.core.v3.HealthCheck.no_traffic_healthy_interval>` which allows a different no traffic interval when the host is healthy.
 * http: added frame flood and abuse checks to the upstream HTTP/2 codec. This check is off by default and can be enabled by setting the `envoy.reloadable_features.upstream_http2_flood_checks` runtime key to true.
+* http: alpn is now supported upstream, configurable by setting both :ref:`HTTP/1 options <envoy_v3_api_msg_config.core.v3.HttpProtocolOptions>` and :ref:`HTTP/2 options <envoy_v3_api_msg_config.core.v3.Http2ProtocolOptions>` for a given cluster.
 * jwt_authn: added support for :ref:`per-route config <envoy_v3_api_msg_extensions.filters.http.jwt_authn.v3.PerRouteConfig>`.
 * listener: added an optional :ref:`default filter chain <envoy_v3_api_field_config.listener.v3.Listener.default_filter_chain>`. If this field is supplied, and none of the :ref:`filter_chains <envoy_v3_api_field_config.listener.v3.Listener.filter_chains>` matches, this default filter chain is used to serve the connection.
 * lua: added `downstreamDirectRemoteAddress()` and `downstreamLocalAddress()` APIs to :ref:`streamInfo() <config_http_filters_lua_stream_info_wrapper>`.

diff --git a/generated_api_shadow/envoy/config/cluster/v3/cluster.proto b/generated_api_shadow/envoy/config/cluster/v3/cluster.proto
diff --git a/generated_api_shadow/envoy/config/cluster/v4alpha/cluster.proto b/generated_api_shadow/envoy/config/cluster/v4alpha/cluster.proto