Skip h2 upgrade when target is local (#2407)

mateiidavid · web-flow · commit 3933feb587c2 · 2023-05-10T10:01:03.000+01:00
In the most recent stable versions, pods cannot communicate with themselves when using a ClusterIP. While direct (pod-to-pod) connections are never sent through the proxy and are skipped at the iptables level, connections to a logical service still pass through the proxy. When the chosen endpoint is the same as the source of the traffic, TLS and H2 upgrades should be skipped. Every endpoint receives an h2 upgrade hint in its metadata. When looking into the problem, I noticed that client settings do not take into account that the target may be local. When deciding what client settings to use, we do not upgrade the connection when the hint is "unknown" (gatewayed connections) or "opaque". This change does a similar thing by using H1 settings when the protocol is H1 and the target IP is also part of the inbound IPs passed to the proxy. Fixes linkerd/linkerd2#10816 Signed-off-by: Matei David <matei@buoyant.io>
diff --git a/linkerd/app/outbound/src/http/concrete.rs b/linkerd/app/outbound/src/http/concrete.rs
@@ -407,13 +407,20 @@ where
     fn param(&self) -> client::Settings {
         match self.param() {
             http::Version::H2 => client::Settings::H2,
-            http::Version::Http1 => match self.metadata.protocol_hint() {
-                // If the protocol hint is unknown or indicates that the
-                // endpoint's proxy will treat connections as opaque, do not
-                // perform a protocol upgrade to HTTP/2.
-                ProtocolHint::Unknown | ProtocolHint::Opaque => client::Settings::Http1,
-                ProtocolHint::Http2 => client::Settings::OrigProtoUpgrade,
-            },
+            http::Version::Http1 => {
+                // When the target is local (i.e. same as source of traffic)
+                // then do not perform a protocol upgrade to HTTP/2
+                if self.is_local {
+                    return client::Settings::Http1;
+                }
+                match self.metadata.protocol_hint() {
+                    // If the protocol hint is unknown or indicates that the
+                    // endpoint's proxy will treat connections as opaque, do not
+                    // perform a protocol upgrade to HTTP/2.
+                    ProtocolHint::Unknown | ProtocolHint::Opaque => client::Settings::Http1,
+                    ProtocolHint::Http2 => client::Settings::OrigProtoUpgrade,
+                }
+            }
         }
     }
 }
