[1.1] Expose http2 window size settings as pilot env (istio#17058)

* Expose http2 window size settings as pilot env

* Bounds check, cache

codecov.skip

@@ -9,6 +9,7 @@ istio.io/istio/mixer/tools/codegen
 istio.io/istio/pilot/test
 istio.io/istio/pkg/mcp/testing
 istio.io/istio/pkg/test
+istio.io/istio/pkg/features
 istio.io/istio/samples
 istio.io/istio/security/tests/integration
 istio.io/istio/tests/codecov

pilot/pkg/networking/core/v1alpha3/cluster.go

@@ -994,6 +994,16 @@ func setUpstreamProtocol(cluster *apiv2.Cluster, port *model.Port) {
 				Value: 1073741824,
 			},
 		}
+		if s := pilot.InitialStreamWindowSize; s > 0 {
+			cluster.Http2ProtocolOptions.InitialStreamWindowSize = &types.UInt32Value{
+				Value: uint32(s),
+			}
+		}
+		if s := pilot.InitialConnectionWindowSize; s > 0 {
+			cluster.Http2ProtocolOptions.InitialConnectionWindowSize = &types.UInt32Value{
+				Value: uint32(s),
+			}
+		}
 	}
 }
 

pilot/pkg/networking/core/v1alpha3/gateway.go

@@ -19,6 +19,8 @@ import (
 	"strconv"
 	"strings"
 
+	"github.com/gogo/protobuf/types"
+
 	"istio.io/istio/pkg/features/pilot"
 
 	xdsapi "github.com/envoyproxy/go-control-plane/envoy/api/v2"
@@ -333,6 +335,37 @@ func (configgen *ConfigGeneratorImpl) createGatewayHTTPFilterChainOpts(
 		httpProtoOpts.AcceptHttp_10 = true
 	}
 
+	httpOpts := &httpListenerOpts{
+		rds:              routeName,
+		useRemoteAddress: true,
+		direction:        http_conn.EGRESS, // viewed as from gateway to internal
+		connectionManager: &http_conn.HttpConnectionManager{
+			// Forward client cert if connection is mTLS
+			ForwardClientCertDetails: http_conn.SANITIZE_SET,
+			SetCurrentClientCertDetails: &http_conn.HttpConnectionManager_SetCurrentClientCertDetails{
+				Subject: proto.BoolTrue,
+				Uri:     true,
+				Dns:     true,
+			},
+			ServerName:          EnvoyServerName,
+			HttpProtocolOptions: httpProtoOpts,
+		},
+	}
+	if s := pilot.InitialStreamWindowSize; s > 0 {
+		httpOpts.connectionManager.Http2ProtocolOptions = &core.Http2ProtocolOptions{}
+		httpOpts.connectionManager.Http2ProtocolOptions.InitialStreamWindowSize = &types.UInt32Value{
+			Value: uint32(s),
+		}
+	}
+	if s := pilot.InitialConnectionWindowSize; s > 0 {
+		if httpOpts.connectionManager.Http2ProtocolOptions == nil {
+			httpOpts.connectionManager.Http2ProtocolOptions = &core.Http2ProtocolOptions{}
+		}
+		httpOpts.connectionManager.Http2ProtocolOptions.InitialConnectionWindowSize = &types.UInt32Value{
+			Value: uint32(s),
+		}
+	}
+
 	// Are we processing plaintext servers or HTTPS servers?
 	// If plain text, we have to combine all servers into a single listener
 	if serverProto.IsHTTP() {
@@ -342,22 +375,7 @@ func (configgen *ConfigGeneratorImpl) createGatewayHTTPFilterChainOpts(
 			// Validation is done per gateway and also during merging
 			sniHosts:   nil,
 			tlsContext: nil,
-			httpOpts: &httpListenerOpts{
-				rds:              routeName,
-				useRemoteAddress: true,
-				direction:        http_conn.EGRESS, // viewed as from gateway to internal
-				connectionManager: &http_conn.HttpConnectionManager{
-					// Forward client cert if connection is mTLS
-					ForwardClientCertDetails: http_conn.SANITIZE_SET,
-					SetCurrentClientCertDetails: &http_conn.HttpConnectionManager_SetCurrentClientCertDetails{
-						Subject: proto.BoolTrue,
-						Uri:     true,
-						Dns:     true,
-					},
-					ServerName:          EnvoyServerName,
-					HttpProtocolOptions: httpProtoOpts,
-				},
-			},
+			httpOpts:   httpOpts,
 		}
 	}
 
@@ -376,22 +394,7 @@ func (configgen *ConfigGeneratorImpl) createGatewayHTTPFilterChainOpts(
 		// Validation is done per gateway and also during merging
 		sniHosts:   getSNIHostsForServer(server),
 		tlsContext: buildGatewayListenerTLSContext(server, enableIngressSdsAgent),
-		httpOpts: &httpListenerOpts{
-			rds:              routeName,
-			useRemoteAddress: true,
-			direction:        http_conn.EGRESS, // viewed as from gateway to internal
-			connectionManager: &http_conn.HttpConnectionManager{
-				// Forward client cert if connection is mTLS
-				ForwardClientCertDetails: http_conn.SANITIZE_SET,
-				SetCurrentClientCertDetails: &http_conn.HttpConnectionManager_SetCurrentClientCertDetails{
-					Subject: proto.BoolTrue,
-					Uri:     true,
-					Dns:     true,
-				},
-				ServerName:          EnvoyServerName,
-				HttpProtocolOptions: httpProtoOpts,
-			},
-		},
+		httpOpts:   httpOpts,
 	}
 }
 

pkg/features/pilot/pilot.go

@@ -157,6 +157,46 @@ var (
 		return os.Getenv("PILOT_DISABLE_XDS_MARSHALING_TO_ANY") == "1"
 	}
 
+	// InitialConnectionWindowSize specifies the window size to use for http2 connections
+	// Must be 65535 - 2147483647, default 268435456 (256mb)
+	initialConnectionWindowSize = func() int {
+		raw, f := os.LookupEnv("PILOT_INITIAL_CONNECTION_WINDOW_SIZE")
+		if !f {
+			return 0
+		}
+		i, err := strconv.Atoi(raw)
+		if err != nil {
+			log.Warnf("failed to parse PILOT_INITIAL_CONNECTION_WINDOW_SIZE: %v", err)
+			return 0
+		}
+		if i < 65535 || i > 2147483647 {
+			log.Warnf("PILOT_INITIAL_CONNECTION_WINDOW_SIZE invalid, must be 65535 - 2147483647: %v", i)
+			return 0
+		}
+		return i
+	}
+	InitialConnectionWindowSize = initialConnectionWindowSize()
+
+	// InitialStreamWindowSize specifies the window size to use for http2 connections
+	// Must be 65535 - 2147483647, default 268435456
+	initialStreamWindowSize = func() int {
+		raw, f := os.LookupEnv("PILOT_INITIAL_STREAM_WINDOW_SIZE")
+		if !f {
+			return 0
+		}
+		i, err := strconv.Atoi(raw)
+		if err != nil {
+			log.Warnf("failed to parse PILOT_INITIAL_STREAM_WINDOW_SIZE: %v", err)
+			return 0
+		}
+		if i < 65535 || i > 2147483647 {
+			log.Warnf("PILOT_INITIAL_STREAM_WINDOW_SIZE invalid, must be 65535 - 2147483647: %v", i)
+			return 0
+		}
+		return i
+	}
+	InitialStreamWindowSize = initialStreamWindowSize()
+
 	// DisableSplitHorizonEdsProxyNetworkCompare provides an option to disable
 	// matching proxy and pod network id.
 	DisableSplitHorizonEdsProxyNetworkCompare = func() bool {