Dave Cheney
The logic added in beta.1 to filter out anything except `kubernetes.io/tls` and items with `data["ca.crt"]` is failing because `kubernetes.io/service-account-token`'s also have a key called `ca.crt`. ``` % k get -n...
Envoy allocates 1mb per connection to a backend pod. https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/cds.proto#cluster It is not clear if it allocates it all in one go, or it is an upper limit. In either...
Envoy assigns a 1Mb buffer to each incoming connection. It is not clear if it consumes the whole 1Mb in one go, or that is an upper limit. Either...
Currently TLS certificates are referenced by CDS and served by SDS. For CA certs used by upstream verification we still serve the CA material inline in CDS. To fix this...
This is a long term issue to track potentially moving from RDS/EDS/CDS/etc to a unified ADS implementation. **Note**: This is not currently in scope for Contour 1.0.
Envoy's stream protocol states that after each DiscoveryResponse message the subsequent DiscoveryRequest will contain an ACK or NACK for the previous response. Contour currently doesn't pay attention to this ACK/NACK...
Currently any change to the TLS listener requires updating the `ingress_https` LDS entry. Updating this entry will cause the previous listener definition to move into draining mode for `--drain-time-s` (default,...
Currently cert-manager integration with Contour requires either manually creating a Certificate object (a CRD describing a Let's Encrypt managed certificate) or using [annotations][1] on an Ingress resource which triggers cert-manager's...
cert-manager is changing how certificate challenges are implemented. These are called "solvers" and represent ways of altering Ingress or DNS resources to complete the HTTP-01 or DNS-01 Let's Encrypt Challenge....
Currently Contour configures Envoy to handle TLS directly on port 8443. If this is enabled then a second option to issue 301 redirects from port 8080 to port 8443 is...