[ENHANCEMENT] Add `appProtocol` to Service Ports

[falko]

Describe the use case:

In Kubernetes environments using service mesh (e.g., Istio Ambient Mesh), protocol detection for service ports is critical for enabling advanced traffic management, security, and observability features. The gRPC port of the Zeebe Gateway is a particular case were explicitly specifying the protocol in the Service definition allows service mesh and other tools to correctly identify HTTP/2 and optimize traffic handling.

Describe the enhancement/feature:

Add the appProtocol field to the ports section of all relevant Service resources in the Camunda Platform Helm chart. For the Zeebe Gateway gRPC port, use:

• appProtocol: kubernetes.io/h2c for cleartext HTTP/2 (gRPC without TLS termination)
  • explicitly mentioned in Kubernetes and Linderd docs
  • should work in Istio too according to https://github.com/istio/istio/blob/4a3e1b75d2d1759a247ef0a65d289b2fc86d0418/pkg/config/kube/conversion.go#L63
• appProtocol: https if the gateway terminates TLS (gRPC with TLS)

Example:

ports:
  - name: grpc
    port: 26500
    targetPort: 26500
    protocol: TCP
    appProtocol: kubernetes.io/h2c # or "https" if TLS termination is enabled

In my example on using Istio Ambient Mesh with gRPC Load Balancing for Zeebe Gateway I had to create an additional service to set the correct protocol.

References:

• https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol
• https://istio.io/latest/docs/ops/configuration/traffic-management/protocol-selection/#explicit-protocol-selection
• https://linkerd.io/2-edge/features/protocol-detection/
• Set appProtocol for service resources (compatibility with service mesh) confluentinc/confluent-kubernetes-examples#186

[aabouzaid]

@falko Thanks for opening this feature request.
Do you know which version this feature is needed for? Is it the alpha (8.8) or for the stable versions also (8.7 or less).

[falko]

8.8+ should be fine. However, after I overloaded both Istio and Linkerd in my recent tests, I am unsure, which type of load ballancing to recommend and if the service mesh should maybe rather treat it as opaque layer 4 TCP traffic and not apply anything smart on the gRPC level.

[aabouzaid]

@falko and I discussed the topic, and there is still ongoing research about it.
I will put the issue into the backlog, and we can have it again anytime.

[renzpatriarca]

Hi @aabouzaid , one customer is also requesting for this and they are on 8.6.
https://jira.camunda.com/browse/SUPPORT-29103

[jessesimpson36]

Moving this back to inbox so it can be triaged again, since ahmed was previously assigned this and he is no longer in distribution team.

[jessesimpson36]

Also assigning medic + support labels as @renzpatriarca noted this from a support ticket recently.