More review comments & rework design for new RDS configuration

Signed-off-by: Steve Sloka <slokas@vmware.com>

design/fallbackcert.md

@@ -29,14 +29,72 @@ As of now, Contour only provides certificate at virtual host level in an HTTPPro
 
 Contour will add a new argument to `contour serve` named `--fallback-certificate` which references a secret which is namespaced with a name (e.g. `namespace/name`).
 This same configuration will be available in the Contour configuration file in the `tls.fallback-certificate` location.
-Secondly, a new field will be added to the `HTTPProxy.Spec.VirtualHost.TLS` named `FallbackCertificatedEnabled` to allow virtual hosts to opt into this functionality.
+Secondly, a new field will be added to the `HTTPProxy.Spec.VirtualHost.TLS` named `EnableFallbackCertificate` to allow virtual hosts to opt into this functionality.
 This last point is important as by default, all vhosts will **not** be enabled for this feature.
 
 ## Detailed Design
 
-The new argument to `contour serve` must be in the format of `namespace/name`.
+### Envoy API
+
+Contour defines `FilterChainMatches` (https://www.envoyproxy.io/docs/envoy/v1.14.1/api-v2/api/v2/listener/listener_components.proto.html?highlight=filterchainmatch#listener-filterchainmatch) on SNI names which allows for a single Envoy listener to proxy multiple vhosts over TLS.
+This feature will add a new filter chain match on `TransportProtocol:  tls` which will match any request which is TLS but does not match a pre-configured SNI defined in the previous step.
+Envoy processes `FilterChainMataches` with `SNI` matches before transport protocol.
+
+Next this catch-all filter chain takes a `route_config_name` reference in the `envoy.http_connection_manager`.
+For all non-http requests, an Envoy RDS config named `ingress_http` is configured with  all the routes.
+For each virtual host that has enabled the `EnableFallbackCertificate` flag a new RDS route table will be created which will contain all the routes for vhosts which have opted into the fallback certificate.
+
+#### Example fallback route: 
+
+```json
+{
+     "version_info": "2",
+     "route_config": {
+      "@type": "type.googleapis.com/envoy.api.v2.RouteConfiguration",
+      "name": "ingress_fallback",
+      "virtual_hosts": [
+       {
+        "name": "containersteve.com",
+        "domains": [
+         "containersteve.com",
+         "containersteve.com:*"
+        ],
+        "routes": [
+         {
+          "match": {
+           "prefix": "/"
+          },
+          "redirect": {
+           "https_redirect": true
+          }
+         }
+        ]
+       },
+       {
+        "name": "demo.projectcontour.io",
+        "domains": [
+         "demo.projectcontour.io",
+         "demo.projectcontour.io:*"
+        ],
+        "routes": [
+         {
+          "match": {
+           "prefix": "/secure"
+          },
+          "redirect": {
+           "https_redirect": true
+          }
+         }
+        ]
+       }
+      ],
+     "last_updated": "2020-04-22T17:25:41.290Z"
+    }
+   ]
+  }
+```
 
-The Envoy filter chain will be changed to match on `TransportProtocol: "tls"`:
+#### New catch-all filter chain
 
 ```go
  &envoy_api_v2_listener.FilterChain{
@@ -47,7 +105,11 @@ The Envoy filter chain will be changed to match on `TransportProtocol: "tls"`:
  }
 ```
 
-The `HTTPProxy` spec will add a new field named `FallbackCertificatedEnabled` and will default to `false`:
+### Contour API
+
+The new argument to `contour serve` must be in the format of `namespace/name`.
+
+The `HTTPProxy` spec will add a new field named `EnableFallbackCertificate` and will default to `false`:
 
 ```go
 type TLS struct {
@@ -63,7 +125,6 @@ type TLS struct {
 	Passthrough bool `json:"passthrough,omitempty"`
 
     // +optional
-    FallbackCertificatedEnabled bool `json:"fallbackCertificateEnabled,omitempty""`
-
+    EnableFallbackCertificate bool `json:"enableFallbackCertificate,omitempty""`
 }
 ```