transport_socket_matches different filter chains or set alpn_protocols in tls_context in HCM

[JuniorHsu]

We have a use case that a cluster which accepts http and non-http protocols. However, in the upstream envoy, we want to send alpn bits in tls transport_socket

That is, we want to set

        "common_tls_context": {
          "alpn_protocols": [
            "h2"
          ],

for http traffic but not non-http traffic, so upstream envoy is able to use it to match different filter chain.

We want to avoid dup clusters, i.e., every protocol has its corresponding cluster, since that would dup the health check too.

We also see trasnport_socket_matches but looks like we can't have multiple rules for one host except health check, which has trasnport_socket_match_criteria

We're looking to see if there's a way to set alpn_protocols in tls_context in HCM otherwise we might need a new http filter to hack the bytes.

Suggestion/feedback are welcome. Thanks!

[JuniorHsu]

Looks like it's not supported currently so we're working on a new http filter transport_socket_mutation

[ravenblackx]

@lizan might know if there's an easier way? Or @greenway? I'm not sure if this is more a TLS thing or a transport_socket thing.

[github-actions[bot]]

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.

[github-actions[bot]]

This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted" or "no stalebot". Thank you for your contributions.