http: require stream_error_on_invalid_http_messaging to be set for every HCM

[mattklein123]

As documented in https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two, @alyssawilk and I have discussed forcing the user to specify an HCM configuration option that specifies how to handle stream errors, thus guiding users into selecting the correct option for their use case. I think the best way of doing this is:

1. Add a new option to configure this setting using a bool WKT, deprecate the old option, and explicitly warn/stat if the new option is not set at all, telling the user that in a future version this setting will be required.
2. In the normal "deprecation cycle" make the new setting required.

[rulex123]

@mattklein123 I would like to help out with this. I guess your suggested approach still applies, so I will start by: adding a bool stream_error_on_invalid_http_messaging config option to the HCM, adding a warning if this new config isn't set, and deprecating the old option. LMK if you think differently.

Also, the original issue meant to track the deprecation of the current option in favour of the new one got closed because stale #9285. Should probably be reopened?

[alyssawilk]

I think the other issue, is that to have the option in the HCM, we need to have the options work in the HTTP/1 and HTTP/3 codecs the way it does for HTTP/2. Make sense?

[mattklein123]

@mattklein123 I would like to help out with this. I guess your suggested approach still applies, so I will start by: adding a bool stream_error_on_invalid_http_messaging config option to the HCM, adding a warning if this new config isn't set, and deprecating the old option. LMK if you think differently.

Yup sounds good.

Also, the original issue meant to track the deprecation of the current option in favour of the new one got closed because stale #9285. Should probably be reopened?

Done thanks.

I think the other issue, is that to have the option in the HCM, we need to have the options work in the HTTP/1 and HTTP/3 codecs the way it does for HTTP/2. Make sense?

Right. See also #10646. cc @yanavlasov @antoniovicente

[rulex123]

I think the other issue, is that to have the option in the HCM, we need to have the options work in the HTTP/1 and HTTP/3 codecs the way it does for HTTP/2. Make sense?

@alyssawilk while in theory this makes sense to me, in practice I am not super confident I know where to start. Do you have any specific pointers? Or, if you already have given some thoughts to how we achieve this, could you expand on your original point?

[alyssawilk]

I'd suggest tackling it once codec at a time.

Easiest (since there's already support) would be to do HTTP/2, where you're basically plumbing the HCM new option to be the default if there's no HTTP/2-specific option. You can add the option and hide it via annotation, so you don't have to do it all in one swoop.

Next up would probably be HTTP/1.1 since it's a straight forward change. There's two places we send errors, in the codec and in the HCM. the codec closes by default (sendProtocolError) and the HCM leave it open by default even for "protocol" errors like the characters being invalid (unless saw_connection_close was true). Again you could tackle one at a time to close or not based on config.

Finally for QUIC, we'd want to somewhat crib the HTTP/2 behavior for HTTP/3, which hopefully you'd have a better feel for by then (if not you can ping me and I can help out).

[alyssawilk]

@rulex123 are you still looking at this or is it Ok if I pick it up?

#11714 fixes one of the complexities I mentioned in the HTTP/1.1 stack, and I'm inclined to do the HCM config as a follow up and see if we can get this in before the release

[alyssawilk]

And either way, @htuch @mattklein123 thoughts on how we can make this required, especially if v4 isn't happening for several years?
Should we do something akin to the comment -> warn -> fatal-by-default-if-not-set cycle we used to for deprecated config over a year or two?

[mattklein123]

Should we do something akin to the comment -> warn -> fatal-by-default-if-not-set cycle we used to for deprecated config over a year or two?

Yes +1. I think this is what we had discussed previously.

[htuch]

I think this should follow minor versions, to provide control planes the right versioning information. So, we introduce it now with comment and warning. I'd probably wait until the next minor version until considering setting fatal-by-default, to allow control planes to know that this is required.

@markdroth @envoyproxy/api-shepherds any other thoughts on this? We're basically add a new field that will at some point become mandatory.

[mattklein123]

I think this is really just a standard deprecation cycle. Deprecate old field, add new field, warn if new field is not set, then eventually make it required and delete old.

[htuch]

Are you saying standard deprecation cycle with minor versioning? Or are you saying it's fine to make it fatal-by-default still, because it's possible to override and we'll still support it being unset indefinitely?

[mattklein123]

Are you saying standard deprecation cycle with minor versioning? Or are you saying it's fine to make it fatal-by-default still, because it's possible to override and we'll still support it being unset indefinitely?

I guess I'm saying it's a hybrid. We would do standard minor version deprecation on the existing field, but do warn/fatal by default on the other field (since it can be disabled), and then in the next major version we would make the new field required when the old field is removed.

[rulex123]

@alyssawilk didn't have time to do any envoy-related work over the past month, so good thing you have picked this up. I should have more time from next week though, and I would still be interested in helping you out. Is there some other task related to this area of work that I can land a hand with?

[alyssawilk]

Sure thing! One thing that might be nice is if we have an HTTP/1.1 protocol option akin to the HTTP/2 option - that way instead of doing the complicated dance with overriding the default and overriding the HTTP/2 option, users could just override the HTTP/1.1 option. The tricky bit is the HCM would have to pull that option from codec, so there'd be an config-API addition and an extension to the codec interface under include.