From YouTube: Antrea Community Meeting 07/18/2022
Description
Antrea Community Meeting, July 18th 2022
A
All right, so thanks everyone for joining Antrea's community meeting. Today is Monday, July 18th in the US, and I think on the agenda we have two items. I think the main item is Waning, who's going to be presenting a support bundle for VM, virtual machines, if I'm not mistaken, and then after that, I'd like to give a short update on Helm support in Antrea and Antrea Helm charts. That's correct, right, Waning? You're presenting support bundles for VMs.
B
Okay, thanks also for this meeting, and I would like to share something about, to present something about the support bundle implementation plan in the VM case. This is the agenda. I will introduce the motivation for the support bundle implementation, and secondly, I would like to give the design for salt eight, and the last part is I will introduce some corner cases we might hit in the VM scenarios and our plan to resolve the corner cases. The motivation, as we may notice, for the existing Antrea
B
We have implementation for support bundle, and we run two agents on every work node, and Antrea agent starts ports and runs API server listening on the ports. Then the user can use antctl to collect the logs from the Antrea agent and get the bundle files to the place where antctl is running.
B
But this is not suitable for VM cases, because VM is such an insecure port on the night first, our way, because we can't open up any port and listen for connections from everywhere, as it might introduce a security attack.
B
So it is not easy to configure ports to run API server to serve the requests from other places. And secondly, it is for VM cases: we know that we might have some different VPCs, and we would like that one agent on one VM has the permissions only allowing it to access the VM itself information.
B
B
So my proposal is that we want to introduce a mechanism to notify Antrea agents running on the VMs to collect support bundle files and actively upload the files to a central place. So with this proposal, we want to have a CRD to configure those requests on the bundle files collection, two paragrams, what we want to collect, and which VMs we want to create bundle files, and where we expect the bundle files to upload. And secondly, to avoid the VMs untrained.
B
To avoid the VMs getting other VMs' information, we introduce internal objects used between Antrea controller and Antrea agent, so that we can ensure the agent running on a VM only gets the information focusing on itself, and the agents running on the VM can report the progress of the bundle file collection and uploading. And we also use a secret to store the authenticator for the agent to use to access the file server while uploading the files. In the design, first is about the CRD.
B
This is an example we expect to be used in the VM case for support bundle configuration. In the CRD, we have a nodes field which tells the expected VMs on which the support bundle files are required.
B
We support two kinds of nodes: one is the general Kubernetes work node, and the second is the external node, which is used to represent the VMs in Antrea. And with the nodes, we can use these two methods to configure the expected nodes. We can list names of the expected nodes, and we can use a label selector to tell Antrea controller to choose the expected nodes by the selector. With the name list,
B
If it is empty, it means that all the nodes in the namespace for external nodes are required. For work nodes, we don't require the namespace field configured. And the second configuration item in the CRD is a duration. It tells agents what logs are expected, and the logs newer than the given duration are requested.
B
We can use one day, two hours or 20 minutes or something like this, and if the duration is empty, it means that all logs in the agent runtime are required. And the third item is the timeout; it means how long the request is efficient. If the timeout is come true, it means the request is expired, and the request might be failed if the required VMs haven't completed uploading the files. And the first item is the file server.
B
B
If the HTTP works as ported, but if it is not configured, POST is used as default. And the last part is about the authorization. It tells agent how to connect, how to access the file server. By now, we plan to support two authorization methods: one is token, and the second is API key, and both the values are passed using a secret. The secret reference is provided; the values are stored in the secrets with base64 encoding. In the third,
B
You will also have a status configured, which is used for Antrea controller to aggregate the status of the request. In the status, we have these things: we have a phase to tell the user in which stage the support bundle processing is on. It has a state machine, it is like this. After the CRD is created, the status is marked as pending, and any VM starts working, for example collecting the bundle or uploading elements, and where the VM starts
B
working, the precise, this phase is marked as processing. And only when all VMs have completed uploading the files, the CRD status is marked as processed. But if time is up and any VM fails to upload the files, the CRD status is marked as failed. And in the runtime, the status has some other information used for the user to know the progress. We have the current nodes, which means Antrea controller calculates the number of the expected external nodes to upload the files in this request.
B
No, the current nodes means how many nodes have completed the file uploadings, and the theorem knows means how many expected external nodes are calculated by Antrea controller. And the last part in the status is a failure reason. It is used to tell user why we marked the CRD status as failed. By now, we planned to list three reasons, including the node conflict, not uploaded, or unknown.
B
A node conflict means that if a request involves some nodes which are involved in another request, and the second, the other request, saturday request is still in the processing state, the failure reason might be marked as node conflict. But not uploaded, it means that when time is up, some nodes, some agents on the VMs have not completed the processing.
B
C
Why we need this kind of? Do you think circuit will just remove the con, we just use, like, them, so some selector to, you know, select.
C
B
We can think about it. Maybe it is working, but okay. So that's my one concern from my original thought: I'm not sure if we can configure, what I mean is that if we have one Kubernetes work node and one external node using the same name, how to process it just using the label selector or name?
C
Okay, I think probably you can think more about that. I feel at least we need a way to connect both.
D
C
My feeling, I mean, some way to say I want to connect both external node and the Kubernetes nodes.
C
Yeah, that's my thing. If I just want to put the bundle, why I must create two CRDs for two types?
B
I will think about it and look at it as a follow-up question later.
C
Okay, sure. I have a few questions regarding file servers, yeah. So first, besides HTTPS, do we plan to support others in future, like FTP or whatever?
B
Yeah, SFTP or something is planned, but for the first release, I just want this, these protocols are supported.
C
Okay, and then for verb, what are the verbs we support for HTTP?
C
B
For example, PUT or PATCH or something. Actually, we would like some, because we don't know what the file server exactly is, so I mean, we don't know what verbs are actually expected for the file server to upload the files. So we want the user to tell us what verb he wants us to use in the Antrea agents.
C
Okay, okay, got it. And for FTP, there can be multiple verbs too, or FTP doesn't have verb? But we don't have verb for FTP, okay, okay. Probably we can discuss more when we review the CRD, yeah. I just want to understand. I'm trying to see, if we're not very sure, probably we don't need to, you know, define what the future extensions, if we, yeah, for
D
B
Yeah, okay, go ahead.
D
Oh, I'm just asking: where is the label selector, if I want to use it? I didn't find it in the spec.
B
Actually, in this spec, I only give an example for the node names list. If we want to use a label selector, I would like that the user uses node selector. Actually, I didn't give the CRD YAML. I just gave a CR example here, and yeah.
B
Maybe I can give it in the patch and you can have it reviewed. This just means that we would like to support the label selector for node selections.
D
B
D
D
D
D
B
Yeah, sure, I will modify. So thanks for suggesting.
B
Actually, we don't expect the agent to know any other VM's name in the VM cases. But for CRD, we don't like that we configure one CRD dedicated for one VM. We expect that a CRD may be used for the multiple VMs which have the same configuration expectations, but we would like that a VM can get its own name information.
D
B
Yeah, the permissions are given to the Antrea agents by namespace, so we are not able to do a strict restriction in RBAC, because we would like that one RBAC file is used in one namespace, and we would not like that.
B
So, while RBAC is used per VM, so we can specify the names in the RBAC configurations. But for our Antrea agent logic, we don't have the logic to list other external nodes, how to get other external nodes' names. In the logic, we only configure the name of itself, so Antrea agent only gets its own external node.
B
But if we sync up all the VMs in the support bundle to Antrea agents, it means that from Antrea agent's logic, it can get multiple VMs, not only itself. But if the hacker modifies Antrea code to get some additional configuration for other VMs, it can work. So that's not what we want.
D
I understand that we only get the node, the external node of itself, but I think the token has the permission. So I think there's no difference whether the user gets the node names from the log or uses the token directly to list the other nodes in that namespace, because they already have this permission.
D
B
D
So to collect a global, the support bundle of the whole cluster, we need to create a support bundle per namespace. Is that you, yes.
B
D
B
B
B
Sure, thanks, and then we can continue to the next. Okay, this is about, okay, support bundle status, and it's about the internal support bundle objects. As we used to mention about it, it is trying to sync the resources from Antrea controller to Antrea agents, and Antrea agent only has the permission to read the internal objects from Antrea controller, and so that's how we come to the target: VM agents can never know advanced information from this channel. For internal objects, we only
B
D
B
Then come to the workflow. The expected flow is like this: first, the user creates a support bundle CRD in some VPC, and the request is coming to API server, and Antrea controller watches the support bundle adding events from API server. Then it calculates the internal object and syncs it to the agent. But the agent only means the VMs which are selected or defined in the CRD nodes, so other VMs are not able to receive the internal objects.
B
After the support bundle CRD status is marked as processed, the user can download the bundle files from the file server. And one thing I want to mention is that actually we have another configuration in the Antrea controller: for the failed case, Antrea controller will upload a file to the file server to tell the user which nodes failed to upload the files.
B
That's what we, I will introduce some details in the corner cases. For security control, we would like to say something. One is that the agent only watches internal object from Antrea controller, and other nodes' information is not included in the internal object. And the credentials like the token or API keys are not provided in the CRD directly, but using a secret disk styles. And token is used for HTTPS, and to enhance the security, user can generate a one-time token with timeout control if necessary, yeah.
B
B
So it means that if we don't process it, there must be some duplicates on the support bundle collection agents. So to resolve the current case, we have two optional solutions. One is that we can use a webhook validation to check the nodes in the list of the second request and compare with the existing ongoing requests.
B
Then, if we advise that node conflict with the first request, Kubernetes, the validation webhook can reject the request. And a second option is that we don't use the webhook validation, but we just accept the request and let the Antrea controller check the status before creating internal objects.
B
The similar thing is that the request, the second request, will not be processed by any Antrea agent. Instead, Antrea controller directly marks the second request as failed and provides the conflicted nodes in the results.
B
We will use a webhook validation hook to reject such operations. And the third case is that if there are many VMs, for example hundreds of thousands of VMs included in the CRD request, how to list the nodes which are failed to upload the bundle files. It is not efficient if we include all the node names in the API response, so the solution is Antrea controller will write a file including the failed nodes list and upload it to the file server provided by the, in this bundle
B
file, and mark the CRD status as failed. There might be two types of the node list in the file. One is that if the support bundle object is marked as failed because of node conflict, the failed node list file only includes the conflicted nodes. And if the bundle object is marked failed because some agents fail to upload files, the failed list only includes which nodes fail to upload the files.
B
D
I think, for the first case, I feel that requesting a support bundle is not a very frequent operation, and it doesn't seem needed to support a concurrent request. Do you think we could just deny the second request when the first is still handling?
B
But let's think about multiple VPC cases for external node, if the first CRD is for VPC1 and a second CRD is for VPC2.
B
B
D
A
B
A
D
Multiple teams are working, are troubleshooting together, and they have their own targets. Oh, we could make this even more simple: we allow a concurrent request, but we only handle one request at any given time, and we only proceed with the second one after the first one finished.
D
C
A
All right, so thanks Waning. Looks like some follow-up discussions are needed, maybe for API design and for the RBAC mechanism. Any other questions for Waning?
C
C
Probably we should revisit all features, for example Traceflow and maybe some other features. Today you can see out there to be the channel between controller, between API and the agent.
B
You mean share the existing channel for the profile to work between Antrea controller and Antrea agent? Oh, just
C
Not use. I'm saying, probably it's in a month, it's a strategic decision to make if we want to switch more communication between API, controller to agent, to this controller-agent channel compared to CRDs.
C
But I noticed the only for support bundle case.
C
If you finally want to support Traceflow for external, for VMs, then you have the exact same issue, like permission, or it's supposed to bring them to other agents, something like that. Maybe there's some other cases. I have the ratio like realization, for example. I'm actually not, like, sure all the cases, but I'm just thinking.
C
C
A
All right, thanks Waning and thanks everyone. So we have about 15 minutes left, and I just wanted to give, like, a super quick update on the support of Helm charts for Antrea. So I'm gonna share my screen. It's only gonna take a few minutes.
A
Okay, so I just wanted to let everyone know that, starting with the next Antrea release, starting with Antrea v1.8, it will be possible to install Antrea using Helm charts. So, as you guys probably know, for the last couple of months, we switched to using Helm to generate Antrea templates, sorry, we switched to using Helm templates to generate the Antrea
A
YAML manifests, but the templates were not, like, user-facing. But starting with Antrea v1.8, it will be possible for end users to install Antrea using Helm charts. And so we're going to have, like, three charts: one for Antrea itself, one for the Flow Aggregator, and one for Theia. And actually Helm is already the primary installation mechanism for Theia since Antrea v1.7.
A
A
So you can just add the repo using the Helm client locally on your machine, and then you can install the charts like any other Helm chart. And yeah, whenever there is an Antrea release, the charts are added to the release assets, so they're added to the GitHub release pages as downloadable assets, and then we notify the Antrea website, which also has a workflow which is going to run for each Antrea release, and it's taking care of updating this file here, which is the index.yaml file used by the Helm client to download information about the Helm repository. And so every time there is a new Antrea release,
A
information about the Antrea Helm charts will be added to this file. Right now, we did some experiments with an alpha release, and so you can see we have, like, an Antrea chart, and there should be a Flow Aggregator chart as well, and the chart for Theia, and that's about it. And since we now have Helm charts, I was able to register Antrea on Artifact Hub, artifacthub.io, which is kind of like a central website where you can
A
find and install Kubernetes packages, and so the primary mechanism for registering new packages is to use a Helm chart. Basically, you need to have a Helm chart to be able to list your project on that website. And so, if you type Antrea here, you will find the three different charts that we have for Antrea, and right now those are, like, alpha charts. But as soon as we release 1.8 for Antrea and 0.2 for Theia, there will be the, let's call them the production-ready charts.
A
All right, so that's all for me. That's all for the update. That was very quick. If you give it a try and you find any problem with the charts, please open an issue on GitHub and I will take a look.
D
Antonia, I have a question: after you have uploaded the artifacts to Artifact Hub, do its journey to you to add the Helm repo before installing Antrea? Can it be discovered automatically without that step?
A
No, I don't think so. I think Artifact Hub is really just a registry for available packages, and so I think, if I click on it, is it gonna have the installation, and I click on install, see, it still gives me the steps that I need to do, basically. So it's still, like, it's just a central registry where you can discover charts and look.
D
A
They have added features on top of that, and we're not, like, leveraging most of them, right? I mean, it's really mostly for documentation purposes. You can also, like, it's a way you can subscribe to new releases as a user and get notified when there is a new chart being released.
A
A new version of Antrea has been released. And as chart owners, there are all the features you have access to, like you can advertise security vulnerabilities and the release in which you're fixing that very vulnerability, and things like this. There is, like, a changelog feature, but we're not using that at the moment.
A
All right, so that's all we had on the agenda. We have about 10 minutes left, so if there's any topics that anyone wants to bring up, now is the time.
A
All right, so we're all getting 10 minutes back. Thanks everyone for joining, and thanks Waning for presenting your proposal on support bundle for external nodes. Please send me the slides after the meeting as a PDF, and I will upload them to the Antrea website.