SNI Multiple Certs and Updating certs


friend 05

Apr 17, 2020, 10:42:47 AM
to envoy-users
Our use case is that we have multiple certs with different hostnames, and we need to update a cert at any time, which can potentially also change the hostname in the cert.

If I understand correctly, whenever I need to update a cert that can also change the SNI server name match (filter_chain_match), today I will need to use LDS. The disadvantage of LDS is that it needs to drain all connections.

Based on my understanding, FDS (Filter Discovery Service) will resolve this issue, which I am trying out. Is my understanding of FDS correct? (https://github.com/envoyproxy/envoy/issues/4540)

Do we have a timeline for when FDS will be released?

Yuchen Dai

Apr 17, 2020, 2:41:53 PM
to friend 05, envoy-users
"FDS" is actually FilterChain Discovery Service.
It is a longer-term goal. We'd better find concrete use cases to accelerate it.

The current improvement on LDS (aka intelligent listener update) could help in your use case: update a small number of filter chains while leaving the rest of the filter chains untouched.

This PR is closed in favor of split PRs. We are 1 or 2 weeks away from the alpha.

-Yuchen




--
You received this message because you are subscribed to the Google Groups "envoy-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to envoy-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/envoy-users/af80b536-7f2a-471d-b286-f1949dbbb41a%40googlegroups.com.
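For readers who want to see the shape of the configuration under discussion, here is an added example; it is not code from the thread or from the Envoy project. It is an Envoy v3 listener with one filter chain per SNI name, each chain loading its own certificate through SDS. The hostnames example-a.test and example-b.test, the secret names tenant_a_cert / tenant_b_cert, the port, and the clusters sds_cluster, tenant_a_backend and tenant_b_backend are all assumptions, and the three clusters are assumed to be defined elsewhere in the bootstrap.

```yaml
# Added example (not from the thread or the Envoy project). Hostnames, secret
# names, cluster names and the port are assumed; sds_cluster and the two
# backend clusters are assumed to be defined elsewhere in the bootstrap.
static_resources:
  listeners:
  - name: https_listener
    address:
      socket_address: { address: 0.0.0.0, port_value: 8443 }
    listener_filters:
    # Reads the SNI from the ClientHello so filter_chain_match.server_names
    # can be evaluated before a chain is chosen.
    - name: envoy.filters.listener.tls_inspector
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
    filter_chains:
    # Tenant A: this chain is selected only when the client sends SNI example-a.test.
    - name: tenant_a
      filter_chain_match:
        server_names: ["example-a.test"]
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          common_tls_context:
            # Cert and key are fetched through SDS: renewing them under the same
            # hostname is a Secret push and never modifies this listener.
            tls_certificate_sds_secret_configs:
            - name: tenant_a_cert
              sds_config:
                resource_api_version: V3
                api_config_source:
                  api_type: GRPC
                  transport_api_version: V3
                  grpc_services:
                  - envoy_grpc: { cluster_name: sds_cluster }
      filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: tenant_a
          route_config:
            name: tenant_a_routes
            virtual_hosts:
            - name: tenant_a
              domains: ["example-a.test"]
              routes:
              - match: { prefix: "/" }
                route: { cluster: tenant_a_backend }
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
    # Tenant B: same shape, its own SNI name, its own secret, its own backend.
    # Moving tenant B to a new hostname edits only this chain's server_names
    # (and the vhost domains); the tenant_a chain is byte-for-byte unchanged.
    - name: tenant_b
      filter_chain_match:
        server_names: ["example-b.test"]
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          common_tls_context:
            tls_certificate_sds_secret_configs:
            - name: tenant_b_cert
              sds_config:
                resource_api_version: V3
                api_config_source:
                  api_type: GRPC
                  transport_api_version: V3
                  grpc_services:
                  - envoy_grpc: { cluster_name: sds_cluster }
      filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: tenant_b
          route_config:
            name: tenant_b_routes
            virtual_hosts:
            - name: tenant_b
              domains: ["example-b.test"]
              routes:
              - match: { prefix: "/" }
                route: { cluster: tenant_b_backend }
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
```

Two kinds of update fall out of this layout. Renewing a certificate whose hostname does not change is a Secret push for tenant_a_cert over SDS; the listener resource is not touched, so nothing is drained by that path. Changing a hostname means editing server_names (and the matching virtual host domains) on one chain, which produces a listener that differs from the previous one in a single filter chain, the case the intelligent listener update mentioned above is aimed at. Before rolling this out, a quick check is `openssl s_client -connect 127.0.0.1:8443 -servername example-a.test`, which should present tenant A's certificate; a ClientHello with an SNI that matches no chain is closed, because no fallback chain without server_names is defined here.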

friend 05

Apr 17, 2020, 11:06:45 PM
to envoy-users
Thanks for info - I will look into LDS more


friend 05

Apr 21, 2020, 2:05:21 PM
to envoy-users
We are still new to Envoy and are currently evaluating whether it fits our use case or not.

We are a multi-tenant system with thousands of vhosts and certificates (in the range of 50k sites), and we can push an update at any time to any of these sites.

I was curious about scalability and frequent updates to certs (SNI) using LDS (intelligent listener update). Currently we are still evaluating TLS certificates; in the same way we will also be looking at VHDS and RDS.

It would be great if we could get your opinion on the possibility of using Envoy for such a large-scale multi-tenant system.