►
From YouTube: Antrea Community Meeting 04/25/2022
Description
Antrea Community Meeting, April 25th 2022
A
B
B
So
it's
it's
too
limited
for
enterprise
networks
and
the
obs
toolkit
already
supports
also
getting
turning
points
using
standard
certificates
and
for
untrue.
We
only
need
to
manage
certificates
and
load
them
to
each
node,
so
the
obs
toolkit
will
be
responsible
for
mounting
and
configuring
as
a
key
dimmer
so
yeah
so
things
for
entry.
We
only
need
to
find
a
way
to
request
and
issue
the
certificates
and
configure
them
to
to
each
node,
and
here
is
the
here
is
the
strictly
format
for
for
for
each
node.
B
So,
as
you
can
see
that
the
the
important
the
in
the
certificate
I
wish,
we
should
pay
attention
to
the
common
name
section
and
and
as
a
the
obvious
muay
thai
aggie
stack
script
will
extract
the
common
name
section
and
configure
the
abisec
except.conf
to
the
academy.
So
it
is,
it
is
critical
and
also
we
can
see
that
for
the
for
the
extension
section
and
we
mark
the
key
usage
to
abstract
panel.
B
B
Yeah
yeah,
basically
this
this
is
a
standard,
x5
tavona
certificate
and
for
obs
configurations
we
need
to
start
the
other
config
fields
of
also
open
the
switch.
Basically,
we
need
three
fields
why
the
certificate
for
the
node
and
this
corresponding
private
key
also,
we
also
need
to.
We
also
need
to
start
the
rule
certificate
for
for
australian
purpose.
B
B
B
So
so
there
is
a
problem.
Is
that
as
intelligent
parts
can
cannot
bounce
their
own
certificates
individually,
as
they
are
managed
by
demon
set
so
yeah?
So
it's
also
not
scared
to
save
all
the
issues,
certificates
and
their
private
keys
in
in
one
secret
and
loads
them
in
their
demo
set
as
a
volume.
So
I
think
it's
it's
not
secure
and
and
for
most
cases
so
as
we
we
can
use
samsung
certificates
for
for
the
authentication.
B
So
I
think
I
struggle
to
issue
a
new
certificate
without
processing
them
in
the
kubernetes
storage
database
and
also
grenadiers
provide
stable
certificate.
Signing
request
apis.
So
it
fits
nicely
with
the
controller
and
the
agent
title
venture.
So
that
means
the
agent
can
create
a
certificate
sign
request
through
the
coordinated
api
and
the
android
controller
can
approve
and
assign
it
by
the
by
the
cr,
and
then
a
control
agent
can
get
the
certificate
through
the
status
and
save
them
as
files
in
the
node.
B
B
The
volume
so
so
so
so
this
is
what
the
csi
api
looks
like
for
our
use
case
and,
as
you
can
see,
that's
for
the
in
the
specs
section
on
the
left.
So
we
have
the
pm
encoded
csr
and
the
the
certificate
request
contains
the
common
name
of
the
node
and
also,
we
must
also
specify
the
signal
name,
I'm
not
sure
for
for
the
further
for
the
for
the
naming
of
the
center.
So
I
just
name
it
enter
center
here
and
the
the
usage.
As
I
said
before,
is
his
sidestep
tunnel.
B
It's
five
seconds
yeah.
So
once
the
the
service
signing
request
got
approved,
you
can
we
can
see
the
status
in
the
continuum
field
it
studied.
It
was
automatically
approved
by
the
enter.io
standard
and
then
the
next
step,
the
the
the
controller
will
stand
the
certificate
and
and
update
the
certificate
section
in
the
status.
B
So
so
there
is
a
subtle
issue
there
is
that
maybe
it's
not
the
issue,
but
the
part
is
also
the
the
approved.
Denial
of
other
requests
will
be
automatically
deleted
deleted
after
one
hour.
So
so
this
is
a
community
behavior.
So
we
must
pay
attention
to
to
the
to
the
controller
or
the
controller
in
the
android
agent
to
to
make
sure
we
do
not
need
to
issue
new
strategies,
as
this
is
why
it's
still
valid.
B
B
Assign
permission
for
the
approve
and
the
sign
verbs
to
enter
dial
center
yeah
the
sender
name,
as
I
said
earlier,
so
it
will
make
sure
that
the
android
controller
will
only
sign
approve,
understand
the
request
with
the
desired
center
name.
It
would
not
touch
any
other
csrs
with
other
server
name
and
also
as
android
owner
android
controller
need
to
save
its
roots,
lucy
and
private
key
in
the
secret.
B
B
Yeah,
that's
for
the
back,
and
for
and
nasa
is
for
certificate
renewal,
so
it
so
from
my
understanding.
I
think
there
are
three
cases
so
to
to
renew
the
certificate.
So
why
is
that?
The
the
the
science
of
grid
is
about
this
bar,
so
we
can't
determine
it
from
the
entrance
and
we
can
create
new
csrcrs
and
and
issued
a
new
certificate.
B
Also
it
can
happen
when
the
the
coordinators
know
the
reports.
So
if
we
store
the
private
key
in
the
vargas
folder
on
the
other
node,
so
I
think
it
will
be
deleted
once
the
node
got
rebooted
and
the
last
thing
is
that
the
rule
certificate
might
be
changed,
so
it
can
happen
when
the
research
certificate
is
bar
or
the
secret
controller
controller
manager
was
deleted
manually
or
by
accident.
So
the
certificate
will
will
will
change
once
the
turn
and
enchantment
detects.
The
change
of
research
is
so
it
will.
B
If
not,
I
think
it
will
need
to
request
a
new
certificate
and-
and
during
my
testing
I
found
some
limitations
of
the
obvious
void-
type
stack
script,
so
it
only
works
for
the
obvious
db
changes
instead
of
the
file
content
changes.
So
so
for
starter
reloading,
so
we
can
have
the
the
following
workaround.
B
Unfortunately,
we
can
maybe
generate
a
random
name
for
the
final
certificate
and
and
update
the
other
configurations
so
that
the
the
script
will
detect
the
change
of
the
of
the
certificate
name
and
updates
the
update
and
reload
the
lucky
dimmer,
and
also
we
can
also
the
option
too,
is
that
we
can
use
stack,
pick
names
for
certificates,
but
we
can
add
another
field
to
the
other
config.
For
example,
we
can
compute
a
hash
for
for
the
other
party
roon
circuit
and
the
sensor
trees
and
save
a
hash
to
the
other
config.
B
B
B
B
C
B
C
B
B
Whether
we
can
reuse
it
or
not,
so
we
can
go,
we
can
create
a
new
certificate
if
it's
a
deleted
bank
system
or
the
node
reports,
so
we
can
always
create
new
certificates
for
each
node.
So
I
don't
think
we
need
to
save
it
as
secret
and
I
I
I
cannot
find
a
clear
way
to
to
to
to
load
the
certificate
individually
to
each
node.
C
B
B
For
the
for
the
csr,
the
the
the
certification
status
only
contains
it
only
contains
the
leave
certificates
of
the
node,
but
but
yeah,
but
we
are
right.
So
we
can
we
can.
We
can
append
the
rule
ca
to
the
certificates
in
status
yeah.
We
can
do
that,
but
but
for
but
for
obvious
confusions.
We
need
a
separate
file
for
the
for
the
lucia.
B
C
B
B
C
B
B
B
And
I
won't
get
to
get
your
opinions
about
the
whether
we
we
we,
which
which
container
we
should
put
the
logic
for
and
manual
certificates.
So
if
we
keep
the
android
style
container
as
it
is,
so
we
can
just
mount
the
same
path
of
traffic
and
a
transient
container
and
the
android
agent
can
be
responsible
for
for
managing
the
certificates.
So
if
not,
we
may
need
to
modify
the
the
script
in
the
entire
website
container.
We
can.
We
can
compile
a
dedicated
binary
for
just
minor
certificates
in
the
container.
C
I
assume
currently
enter
agent
already.
Has
some
ipsec
specific
code
right
yeah
code
writing
for
exact?
Then
probably
it
is
simpler
to
just
how
the
csr
logic
in
country
agent
as
well,
because
if
you
have
another
go
process
for
this
purpose,
it
will
also
need
to
have
some
certificate.
Some
token
and
connection
with
cuba,
api
right.
D
B
D
D
C
D
B
B
C
A
A
A
B
Yeah
so
so
I
think
I
think
so
this
is
this
is
the
standard
drawback
for
for
all
kind
of
series.
Yeah.
We
have
sub
resource
for
approval
and
status,
but
we
still
need
a
additional
verbs
for
the
for
the
for
the
scanner,
so
so
this
this
means
that
the
android
controller
can
only
sign
and
approve
csrs
with
the
specific
server
name.
A
A
I
don't
know
if
it's
a
security
issue,
but
ideally
you
would
only
want
to
be
able
to
create
certificate,
signing
requests
for
the
entry
at
the
dot,
io
signer,
and
I
guess
ideally
you
would
be
able
to
constrain
what
you
can
put
in
the
in
the
common
name,
field
or
san
san
field.
But
I
I
guess
it's
not
possible
because
all
the
entry
agent
pods
in
the
domain
set
of
the
same
permissions.
B
A
B
B
A
B
C
C
Not
sure
it's
typical
to
always
automatically
approve
it
by
program,
it
sounds
like
every
node
actually
has
can
have
all
peer
certificates
and
keys
if
they
want,
because
even
even
when
one
agent
can
create
its
own
ssr
and
get
gets
its
certificate.
Another
compromise,
the
agent
may
issue
same
request
and
this
gets
certificated.
C
I'm
not
sure
whether
this
is
a
security
issue,
but
yes,
perhaps
if
we
or
just
optionally
have
a
configuration
to
ask
a
user
to
upload
the
csr
when
they
start
the
when
they
deploy
after
they
deploy
and
share,
could
that
be
an
option
and
could
that
avoid
the
issues,
security
issues
by
automatic
approval
yeah?
I
think
that's
a.
B
C
Subtle
issue
yeah.
I
think
that's
understandable,
because
we,
if
we
document
that
the
certificate
will
not
be
will
not
be
persistent
across,
not
restart.
It
should
be
reasonable
to
ask
a
user
to
re-upload
new
csr
after
a
node
restarts-
and
I
remember
cube
control
manager.
Has
this
option
to
to
I
remember
by
default
by
default.
It
doesn't
automatically
upload
csr.
C
A
A
I
think
that's
a
good
idea,
but
do
you
do
you
think
it's
possible
to
prevent
pods
from
being
scheduled
on
a
node
until
the
csr
has
been
approved?
I'm
just
thinking
of
a
node
reboot,
where
the
node
would
reboot
and
pod
would
be
scheduled
to
the
to
the
node,
but
they
would
not
be
able
to
talk
to
other
pods
on
different
nodes
until
the
csr
is
approved.
So
would
there
be
a
way
for
us
to
mark
the
node
that
not
that's
not
ready
or
something
like
this
or
unscheduled,
or
something
like
this?