Envoy memory optimization: do better filter_chain_match organization #1636
Comments
|
Forgot to mention: you might think it's better to aggregate FQDNs by cert content (i.e. a digest), or inspect the cert and aggregate by Common Name. The latter was our first approach but it was confounded by envoyproxy/envoy#6767 |
What about Subject Alternative Names? That aggregation could get tricky. |
|
There's also a corner case for different certs issued for the same names by different PKIs (think internal/enterprise CAs). |
|
Thank you for your issue.
We reorganized filter_chain_match creation to aggregate server_names that
reference the same secret and saw a memory reduction of 40+ GiB to ~250 MiB
in Envoy
Would you be willing to contribute that change to the project?
…On Sat, 5 Oct 2019 at 02:54, Dharma Bellamkonda ***@***.***> wrote:
There's also a corner case for different certs issued for the same names
by different PKIs (think internal/enterprise CAs).
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#1636?email_source=notifications&email_token=AAABYA5CU4OTSM4ZH7WSWHDQM5YN7A5CNFSM4I5R5HV2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEAMIJZA#issuecomment-538477796>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAABYAZZFI4GIXJX65JNABDQM5YN7ANCNFSM4I5R5HVQ>
.
|
|
FYI, we organized the filter chains differently in 1.4 to enforce SNI binding semantics. This strongly binds a SNI server name to the corresponding routes, but I expect that this has some negative effect on Envoy resources, since there are now more HttpConnectionManagers. |
|
The Contour project currently lacks enough contributors to adequately respond to all Issues. This bot triages Issues according to the following rules:
You can:
Please send feedback to the #contour channel in the Kubernetes Slack |
github-actions
bot
added
the
lifecycle/stale
|
The Contour project currently lacks enough contributors to adequately respond to all Issues. This bot triages Issues according to the following rules:
You can:
Please send feedback to the #contour channel in the Kubernetes Slack |
Contour creates a
filter_chain_matchwith a single FQDN inserver_namesfor every FQDN. It also provides TLS delegation which we use heavily. The problem is that the sametls_contextandfiltersare copied in eachfilter_chain.We reorganized
filter_chain_matchcreation to aggregateserver_namesthat reference the same secret name and saw a memory reduction of 40+ GiB to ~250 MiB in EnvoyThis non-optimal construction of
filter_chain_matchplus #1635 plus envoyproxy/envoy#7923 came together to cause our months-long issue of Envoy being oom-killedThe text was updated successfully, but these errors were encountered: