
Configure Envoy alpn_protocols based on service protocol #14356

Merged
merged 22 commits into from
Oct 10, 2022
Conversation

oulman
Contributor

@oulman oulman commented Aug 26, 2022

Description

This PR is largely based on @blake's work in #12170 but updated to use the TLSContext functions introduced in #13321. I'm not sure what the best path forward for configuring this is from the Consul team's perspective, but I wanted to raise a PR to start a conversation.

This fixes #11907, resolves #12106, and this internal feature request.

Testing & Reproduction steps

In my testing I verified that gRPC and HTTP2 services can negotiate h2 and http/1.1 and that services configured as HTTP will only negotiate http/1.1.

Links

Include any links here that might be helpful for people reviewing your PR (Tickets, GH issues, API docs, external benchmarks, tools docs, etc). If there are none, feel free to delete this section.

Please be mindful not to leak any customer or confidential information. HashiCorp employees may want to use our internal URL shortener to obfuscate links.

PR Checklist

  • updated test coverage
  • external facing docs updated
  • not a security concern

@github-actions github-actions bot added the theme/envoy/xds Related to Envoy support label Aug 26, 2022
@malizz
Contributor

malizz commented Sep 2, 2022

Hi @oulman! Thanks for this PR, it looks good, but we can work on adding more tests and verifying the intended behavior.

@oulman
Contributor Author

oulman commented Sep 5, 2022

Hi @malizz - Thanks! I've pushed a couple of changes.

  • The linter was failing because the error handling on ParseProxyConfig was empty. The original PR had a commented-out call to a logger, but I didn't see one available in the function. In the interim I went ahead and excluded that here.
  • I created a test for getAlpnProtocol()
  • I added tests for http2 and grpc public listeners to validate that the Envoy alpn_protocols setting was getting configured correctly.

@oulman oulman changed the title [WIP] Configure Envoy alpn_protocols based on service protocol Configure Envoy alpn_protocols based on service protocol Sep 5, 2022
Contributor

@malizz malizz left a comment
LGTM, thanks for adding tests for grpc and http2 listeners.

@malizz
Contributor

malizz commented Sep 8, 2022

@oulman Question: you made the changes to listeners tlsContext only, but I’m wondering if we need to update the TLS contexts for other listeners (ingress listener for example) or pass through clusters too.

@oulman
Contributor Author

oulman commented Sep 9, 2022

Hi @malizz! I updated the context for the Ingress Gateway listener and added tests.

Looking at pass-through clusters I'm a little confused on what actually needs to be done to support this. I found some issues (#1, #2) that make it sound like for Envoy <-> Envoy traffic ALPN isn't used in protocol negotiation. If mesh-to-mesh is OK as-is, do we need to enable ALPN negotiation for external upstream HTTP clusters?

Thanks!

Contributor

@malizz malizz left a comment
The PR looks mostly great. I added a question and requested a few changes. Thanks.

// Determine listener protocol type from configured service protocol. Don't hard fail on a config typo,
// the parse func returns default config if there is an error, so it's safe to continue.
cfg, _ := ParseProxyConfig(cfgSnap.Proxy.Config)

Contributor

The default value for protocol in the ParseProxyConfig function is tcp, which is missing from the getAlpnProtocols function. We can either add it to the switch cases or return an error if it's tcp.

Contributor Author

🤔 Right now calling getAlpnProtocols with tcp is returning an implicit nil because it's not matched. To confirm, we want to add a case statement for tcp, but it should still return the empty alpnProtocols slice.
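The mapping discussed in this thread, written out as an added example (not Consul's code): a hypothetical alpnProtocolsFor helper with an explicit tcp case that returns nil, and a tlsContextALPN helper that only emits alpn_protocols into an Envoy TLS context when the service protocol actually supports ALPN. Function names and the map-based rendering of the TLS context are assumptions for illustration.

```go
package main

import "fmt"

// alpnProtocolsFor is a hypothetical helper modelled on the getAlpnProtocols
// discussion (not Consul's own code). It maps a Consul service protocol to the
// ALPN list an Envoy listener should advertise in its TLS context.
//
// The security-relevant point: tcp (the ParseProxyConfig default) and any
// unknown value must yield nil, so Envoy never advertises an application
// protocol that the listener cannot actually serve.
func alpnProtocolsFor(protocol string) []string {
	switch protocol {
	case "http2", "grpc":
		// h2 preferred, http/1.1 offered as a fallback for older clients.
		return []string{"h2", "http/1.1"}
	case "http":
		// Plain HTTP services must never negotiate h2.
		return []string{"http/1.1"}
	case "tcp", "":
		// Explicit tcp/default case: no ALPN at all, matching the
		// implicit-nil behaviour described in the review thread.
		return nil
	default:
		// Unknown protocol: do not guess, fall back to no ALPN.
		return nil
	}
}

// tlsContextALPN renders the alpn_protocols field of an Envoy
// DownstreamTlsContext common_tls_context as a map (an assumed stand-in for
// the real proto). The field is omitted entirely when no ALPN applies, so the
// listener performs no ALPN negotiation instead of advertising an empty list.
func tlsContextALPN(protocol string) map[string]interface{} {
	ctx := map[string]interface{}{}
	if alpn := alpnProtocolsFor(protocol); len(alpn) > 0 {
		ctx["alpn_protocols"] = alpn
	}
	return ctx
}

func main() {
	for _, p := range []string{"grpc", "http2", "http", "tcp", "bogus"} {
		fmt.Printf("%-6s -> %v\n", p, tlsContextALPN(p))
	}
}
```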

agent/xds/listeners_test.go (thread resolved)
agent/proxycfg/testing_ingress_gateway.go (thread resolved)
Contributor

@malizz malizz left a comment
LGTM, thanks!

agent/xds/listeners.go (outdated, thread resolved)