Merge pull request #519 from daschwanden:feature/http2

PiperOrigin-RevId: 650525181

Author: copybara-github

fleetspeak/src/client/https/https.go

@@ -36,6 +36,8 @@ import (
 	"github.com/google/fleetspeak/fleetspeak/src/client/comms"
 	"github.com/google/fleetspeak/fleetspeak/src/client/stats"
 	"github.com/google/fleetspeak/fleetspeak/src/common"
+
+	"golang.org/x/net/http2"
 )
 
 const (
@@ -92,7 +94,17 @@ func makeTransport(cctx comms.Context, dc func(ctx context.Context, network, add
 		proxy = http.ProxyURL(si.Proxy)
 	}
 
-	return ci.ID, &http.Transport{
+	// We'll make the Transport configurable so we can be both backwards compatible but also forward looking
+	nextProtos := []string{"http/1.1"}
+	preferHttp2 := false
+	if cctx.CommunicatorConfig() != nil {
+		preferHttp2 = cctx.CommunicatorConfig().PreferHttp2
+	}
+	if preferHttp2 {
+		nextProtos = []string{"h2", "http/1.1"}
+	}
+
+	tr := &http.Transport{
 		Proxy: proxy,
 		TLSClientConfig: &tls.Config{
 			RootCAs: si.TrustedCerts,
@@ -110,12 +122,18 @@ func makeTransport(cctx comms.Context, dc func(ctx context.Context, network, add
 				tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
 			VerifyPeerCertificate: cv,
 			ServerName:            si.ServerName,
+			NextProtos:            nextProtos,
 		},
 		MaxIdleConns:          10,
 		DialContext:           dc,
 		TLSHandshakeTimeout:   10 * time.Second,
 		ExpectContinueTimeout: 1 * time.Second,
-	}, certBytes, nil
+	}
+
+	if preferHttp2 {
+		err = http2.ConfigureTransport(tr)
+	}
+	return ci.ID, tr, certBytes, err
 }
 
 // jitter adds up to 50% random jitter, and converts to time.Duration.

fleetspeak/src/client/https/streaming.go

@@ -345,6 +345,7 @@ func (c *StreamingCommunicator) connect(ctx context.Context, host string, maxLif
 		c.cctx.Stats().OutboundContactData(host, len(buf), err)
 		return fail(err)
 	}
+	log.V(2).Infof("POST to %v succeeded with status: %v and protocol: %v", host, resp.StatusCode, resp.Proto)
 	c.cctx.Stats().OutboundContactData(host, len(buf), nil)
 	body := bufio.NewReader(resp.Body)
 	cd, err := ret.readContact(body)

fleetspeak/src/client/proto/fleetspeak_client/client.pb.go

@@ -37,6 +37,9 @@ message CommunicatorConfig {
   //
   // No compression is applied if unset.
   fleetspeak.CompressionAlgorithm compression = 6;
+
+  // If set, the client will prefer comms with HTTP2 Transport
+  bool prefer_http2 = 7;
 }
 
 // ClientState contains the state of the client which should be persisted across

fleetspeak/src/client/proto/fleetspeak_client/client.proto

@@ -0,0 +1 @@
+prefer_http2: true

sandboxes/cleartext-header-mode/config/fleetspeak-client/communicator.txt

@@ -80,6 +80,7 @@ static_resources:
           common_tls_context:
             validation_context:
               trust_chain_verification: ACCEPT_UNTRUSTED
+            alpn_protocols: ["h2,http/1.1"]
             tls_certificates:
             # The following self-signed certificate pair is generated using:
             # $ openssl req -x509 -newkey rsa:2048 -keyout a/front-proxy-key.pem -out  a/front-proxy-crt.pem -days 3650 -nodes -subj '/CN=front-envoy'

sandboxes/cleartext-header-mode/envoy-https-http.yaml

@@ -0,0 +1 @@
+prefer_http2: true

sandboxes/cleartext-xfcc-mode/config/fleetspeak-client/communicator.txt

@@ -47,6 +47,7 @@ static_resources:
           common_tls_context:
             validation_context:
               trust_chain_verification: ACCEPT_UNTRUSTED
+            alpn_protocols: ["h2,http/1.1"]
             tls_certificates:
             # The following self-signed certificate pair is generated using:
             # $ openssl req -x509 -newkey rsa:2048 -keyout a/front-proxy-key.pem -out  a/front-proxy-crt.pem -days 3650 -nodes -subj '/CN=front-envoy'

sandboxes/cleartext-xfcc-mode/envoy-https-http.yaml

@@ -0,0 +1 @@
+prefer_http2: true

sandboxes/direct-mtls-mode/config/fleetspeak-client/communicator.txt

@@ -0,0 +1 @@
+prefer_http2: true

sandboxes/https-header-mode/config/fleetspeak-client/communicator.txt

@@ -80,6 +80,7 @@ static_resources:
           common_tls_context:
             validation_context:
               trust_chain_verification: ACCEPT_UNTRUSTED
+            alpn_protocols: ["h2,http/1.1"]
             tls_certificates:
             # The following self-signed certificate pair is generated using:
             # $ openssl req -x509 -newkey rsa:2048 -keyout a/front-proxy-key.pem -out  a/front-proxy-crt.pem -days 3650 -nodes -subj '/CN=front-envoy'

sandboxes/https-header-mode/envoy-https-https.yaml

@@ -0,0 +1 @@
+prefer_http2: true