Is it possible to enable HTTP/2 with TLS termination on Istio Gateway?
Yes, this is possible. HTTP/2 between your services is negotiated in the ALPN (during the mTLS handshake).
You can then forward traffic from the sidecar proxy to your application container with HTTP/2 by setting your service port name (protocol selection) to http2.
An example service for your app:
    apiVersion: v1
    kind: Service
    metadata:
      name: myapp
    spec:
      ports:
      - port: 8080   # a Kubernetes Service port is set with "port", not "number"
        name: http2  # protocol selection by name - important to have http2 here
If your web-server supports HTTP2 protocol then there shouldn't be any issues.
When the HTTP/2 request comes, will the TCP connection be kept until the Istio ingress gateway or until the web application?
As far as I know the connection should be kept until the web app. The ingress gateway will be responsible for passing the request through if it's HTTP/2, or upgrading it from HTTP/1.1 to HTTP/2 if it's HTTP/1.1.
As @suren mentioned in his answer here
You can set h2UpgradePolicy in the Istio ConfigMap and it's gonna upgrade all incoming HTTP/1.1 connections to HTTP/2, so only connections with HTTP/2 will pass through.
VERY IMPORTANT: To make it work, the service in front of the downstream peer must have a named port, and it must be called http
    apiVersion: v1
    kind: Service
    metadata:
      name: demo
    spec:
      ports:
      - name: http  # <- this parameter is mandatory to upgrade to HTTP2
        port: 80
        protocol: TCP
        targetPort: 80
      selector:
        app: nginx
Additionally there is a way to achieve this with a Destination Rule for a particular namespace and pod; you can achieve that with ConnectionPoolSettings.HTTPSettings.H2UpgradePolicy, which upgrades HTTP/1.1 connections to HTTP/2.
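Added example, not part of the original answers: a DestinationRule that sets the ConnectionPoolSettings.HTTPSettings.H2UpgradePolicy mentioned above for the demo Service only, instead of changing the mesh-wide default. The resource name, the default namespace and the fully qualified host are assumptions.

```yaml
# Per-destination HTTP/1.1 -> HTTP/2 upgrade for traffic sent to the "demo" Service.
# Assumptions: the Service lives in the "default" namespace and the client side
# of the connection has a sidecar, since the upgrade is applied by the proxy
# that originates the request.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: demo-h2-upgrade            # hypothetical name
  namespace: default               # assumption: namespace of the demo Service
spec:
  host: demo.default.svc.cluster.local
  trafficPolicy:
    connectionPool:
      http:
        # DEFAULT        - follow the mesh-wide h2UpgradePolicy
        # DO_NOT_UPGRADE - keep HTTP/1.1 connections as HTTP/1.1
        # UPGRADE        - upgrade HTTP/1.1 connections to HTTP/2
        h2UpgradePolicy: UPGRADE
```

Scoping the upgrade to one host this way leaves destinations without a sidecar on the mesh default, which matters when part of the mesh still expects HTTP/1.1.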