Add support for FDS

Open davecheney opened this issue 6 years ago • 4 comments

Currently any change to the TLS listener requires updating the ingress_https LDS entry. Updating this entry will cause the previous listener definition to move into draining mode for --drain-time-s (default, 10 min) time. During that time listener structs sit around in memory. After that time any connections established via a draining listener are forcibly closed.

The solution to this upstream is FDS, a new xDS endpoint that will serve FilterChain configuration -- the magic that makes the TLS listener work with SNI -- and remove the need to reload the object that holds the TLS socket.

Blocked:

  • [ ] https://github.com/envoyproxy/envoy/issues/4540
  • [x] #1351

davecheney • Apr 23 '19 00:04

Without support for FDS in Envoy 1.11 we cannot work on this in beta.1.

davecheney • Aug 23 '19 11:08

Moved to the backlog. Contour 1.0.0 will ship with Envoy 1.11. We will revisit this issue when a version of Envoy with FDS is available.

davecheney • Sep 10 '19 08:09

It looks like FDS will require Envoy 1.12 and possibly a switch to xDS's v3 API. https://github.com/envoyproxy/envoy/issues/4540

davecheney • Sep 23 '19 23:09