envoyproxy/envoy

Support reloading TlsCertificate files

Open

#10,387 opened on Mar 14, 2020

View on GitHub
 (10 comments) (4 reactions) (0 assignees)C++ (5,373 forks)batch import
area/tlshelp wanted

Repository metrics

Stars
 (27,997 stars)
PR merge metrics
 (Avg merge 8d) (378 merged PRs in 30d)

Description

Issue Template

Title: Support reloading TlsCertificate files

Description:

Currently, there are a few ways to get certificates reloaded (that I know of!):

  • Hot restart - this works but requires a wrapper that is watching the certs and hot restarting envoy when they reload. This adds complexity since you need to create/maintain a wrapper, which also implies your own docker image. It also has a run time cost when hot restarting.
  • SDS - this was, as far as I can tell, intended for solving this purpose. However, it involves quite a bit of complexity for the control plane, and another moving part for Envoy.
  • File based SDS - I am not sure if this is intended for production usage or testing/debugging? Regardless, this also has the issue that it requires a custom format. This means that in order to use existing tooling that is provisioning certificates, we need another wrapper to watch those files and convert them to SDS shaped files.

As someone not familiar with Envoy internals, it seems like the ideal scenario would be for Envoy to just watch the certificates in the first place. When they are reloaded on the disk, they would be reloaded internally.

From the outside this seems like it should be feasible as

  • SDS is already hot reloading certs, so that code exists somewhere
  • Files are already watched for other parts of the code as well

Is this something that would be considered useful or feasible to implement? From looking at a few past issues it seems the answer has been "use SDS", but as discussed above I don't think that is the best solution (from a user perspective).

Contributor guide