►
From YouTube: CF on Kubernetes Working Group Forum 20 Sep 2022
Description
The call was a demo of a POC by Steven Taylor from SAP integrating Cloud Foundry with the new Korifi tool.
A
A
A
A
Alrighty,
so
thank
you.
Everyone,
that's
here
and
welcome
to
the
cloud
Foundry
on
kubernetes
working,
Group,
Forum
meeting,
there's
a
document
of
topics
that
is
going
to
be
posted
in
chat
once
again
for
anyone
that
would
like
to
add
to
it
view
it
and
follow
along
so
I've
just
dropped
that
link
in
the
chat.
Again,
if
you
like
to
have
a
topic,
please
do
so
otherwise
we're
going
to
skip
rolling
and
we'll
see
where
we
are
from
that
point
so
looks
like
right
now.
B
C
So
I
mean
I'll,
give
you
a
bit
of
background
on
sort
of
what
we
were
doing
sort
of.
Why
I
sort
of
stumbled
on
karifi?
How
it
helps
me
solve
some
of
my
problems
and,
and
then
it's
more
around.
This
is
extremely
Alpha
way.
I
mean
this
is
beyond
wet
paint
kind
of
like
quality.
So
don't
don't
read
anything
into
Good
the
Bad,
the
Ugly
of
it.
C
It
was
literally
hacked
together
over
the
past
couple
weeks,
because
I
needed
to
solve
a
problem
and
I
wanted
to
sort
of
see
it
in
a
way
that
sort
of
highlights
some
of
the
benefits
of
what
you
know.
Karifi
is
offering
because
I
think
it's
just
not
clear
enough
yet
to
a
lot
of
people,
especially
when
I
stumbled
upon
it.
You
know
that
it
solved
some
of
my
things
that
I
was
actually
actively
looking
into
so
once
again,
this
is
an
sap.
You
know
hacked
together,
don't
read
anything
into
it.
C
It's
probably
never
may
or
may
not
ever
go
anywhere,
but
you
know,
as
I
said,
I'll
fill
you
in
sort
of
like
the
background,
so
I
mean
it
all
really
started
with
a
problem
that
we
had
several
months
ago
was.
Actually
you
know
going
into
like
late
last
year,
where
we
had
a
problem
with
the
rate
limiting
on
cloud
Foundry.
Now
there
are
many
ways
that
we
saw
we
could
skin.
C
C
If
we've
got
external
callers
coming
in,
could
we
rate
limit
that
externally
using
something
that
was
a
little
more
Dynamic
than
h
a
proxy,
because
you
know
HD
proxy
being
configuration
versus
things
like
istio,
where
we
say
right,
we've
got
inbound
rules
and
routes
and
so
forth.
Can
we
then
start
limiting
on
particular
URLs
and
then
do
it
very
dynamically?
So
what
I
did
is
I
built
up
a
a
landscape?
C
Limiting
was
one
of
them.
There
could
have
been
Transformations,
it
could
have
been
anything
else.
So
then,
I
looked
at
that
and
said
well,
maybe
I
could
do
a
very
similar
thing
where
I
would
just
essentially
move
an
application
to
that
top
cluster
and
use
you
know
istio
rules
to
to
route
based
on
a
particular
set
of
criteria,
so
I
could
take
an
application,
move
it
to
this
applications
cluster
and
then
you
know,
call
the
same
domain
and
have
it
route
seamlessly
under
the
covers.
C
It's
a
relatively
straightforward
thing
seems
pretty
simple
and
pretty
logical,
but
nobody
had
done
it.
So,
as
I
said,
I
was
heading
down
this
route
before
the
log
for
jbug.
You
know
kicked
in
sort
of
end
of
last
year
that
sort
of
put
a
break
on
everything
that
we
had
done
and
this
cluster
had
to
be
terminated
because
it
was,
you
know,
a
compromise
cluster
potentially
so
we
put
that
on
hold
for
a
while,
and
we
thought
well,
okay,
we'll
revisit
this.
C
You
know,
as
we
start
to
look
for
different
use
cases
around
this
and
I
picked
it
up
again
a
couple
a
few
weeks
ago
when
I
was
starting
to
think
about.
Well,
maybe
what
about
if
I
were
to
create
some
kind
of
API
layer
that
would
sit
in
front
of
this
applications?
Cluster
that
look
like
a
cloud
Foundry
domain,
but
you
know,
was-
was
backed
by
kubernetes.
C
So
you
know,
I
looked
at
that
and
then
I
think
buried
down
in
one
comment
was
this:
was
this
thing
called
karifi
so
I
mean,
as
I
said,
what
I
was
really
looking
at?
The
goals
of
this
particular
project
was
you're
not
allowed
transparent
movement
between
Landscapes.
You
know:
I
wanted
a
very
frictionless
developer
experience,
because
I
didn't
want
to
have
the
developer
to
have
to
go
and
relearn
new
tools.
C
C
So
you
know,
of
course,
the
the
the
question
came
up
was
why
couldn't
I
just
use
separate
clusters?
Why
did
I
need
to
do
some
magic
with
writing?
Well,
I
mean
clusters.
It
just
adds
more
complexity
when
I
have
different
URL
endpoints
I
can't
change
that
seamlessly
under
the
covers
it
got
very
complex,
I
mean
I'm,
not
a
big
fan
of
like
separate
URLs
and
separate
clusters
and
having
different
you
know,
tenants
live
within
different
clusters.
I
prefer
to
have
it
more
of
a
generic
endpoint.
C
That
I
can
then
say
call
this
endpoint
and
I
will
route
that
for
you
right.
This
is
one
of
the
reasons
why
I
went
with
istio.
You
know.
In
the
first
place
we
looked
at
I
have
a
very
simple
API
endpoint
I
call
that
API
endpoint
I
do
the
Rowdy
for
you
and
I
will
make
if
anything
goes
wrong
on
my
side,
I
know
how
to
route
you
around
it
right.
C
C
It
was-
and
you
also
backed
it
with
you-
know,
with
the
modern
paradigms
of
of
kubernetes.
So
you
could
create
an
application,
deploy
an
application
and
it
would
look
and
act
like
a
cloud
Foundry
application
and
under
the
covers
I
could
then
use
it
for
for
for
things
like
istio
routing,
I
could
start
to
do
build
extra
applications
that
attach
to
that
within
the
kubernetes
Clusters
I'm,
not
stuck
in
one
or
the
other.
So
it
gives
us
that
flexibility
of
saying
it
is
a
cloud
Foundry
application.
C
A
developer
doesn't
need
to
go
and
change
everything
they
need
to
do.
They
understand
that
Paradigm
and,
as
I
said,
sap
partners
and
customers,
you
know
have
spent
a
long
time,
understanding,
Cloud,
Foundry
and
then
to
go
and
tell
them
to
go
and
rewrite
their
entire
application.
Suite,
to
you
know,
run
on
kubernetes
or
run
on
a
new
platform
is
an
extremely
daunting
task
for
them,
and
they,
you
know
it
could
break
anything
or
everything
in
between.
C
So,
if
I
can
keep
that
facade
the
same
and
let
them
seamlessly
migrate
over
time
to
a
new
paradigm,
it
saves
me,
you
know
a
bunch
of
headaches.
We
certainly
one
of
the
paradigms.
I'd
like
to
continually
use
is
when
Apple
moved.
You
know
moose
processes
right
and
chips.
You
don't
really
have
a
major
paradigm
shift
and
say
everybody
go
into
a
whole
bunch
of
different
things.
Apple
creates
the
tools
and
the
the
facades
around
your
application
to.
Let
you
you
know
repackage,
deploy
your
application
exactly
the
same
way.
C
It
just
runs
on
a
new
chipset
right.
There's
nothing
that
says
this
is
a
whole
new
Direction.
You
know,
go
and
learn
a
whole
new
GUI,
all
the
tooling.
No,
it's
completely
different
and
and
go
ahead,
and
you
know,
spend
the
next
six
to
12
months,
trying
to
migrate
your
applications
right,
I,
wanted
it
almost
in
an
in
you
know
one
day
switch
for
for
for
a
developer
right.
C
C
So
what
I
have
in
this
one
is
a
gateway,
cluster,
a
lab
cluster
and
a
management
cluster
and,
of
course,
the
Bosch
deployment
which
is
running.
This
is
all
running
on
VCR
by
the
way.
So
the
Bosch
cluster
is
running
the
clip
in
the
cloud
Foundry
deployment,
which
is,
you
know,
a
basic
deployment,
but
it
is,
you
know,
a
full
deployment.
C
What
I
am
doing
in
the
lab
cluster
is
because
karifi
was
failing
a
few
times
when
I
first
set
it
up.
I
ended
up
running
it
under
v-cluster,
because
I
could
tear
it
down
and
rebuild
it
in.
You
know:
10
minutes
versus
tear
down
a
full.
You
know
kubernetes
cluster
rebuild
it
set
up
new
IP
addresses.
You
know,
set
up
all
of
the
configuration
again,
so
you
know
I
I
streamlined
the
deployment
of
the
karifi
cluster
down
into
you
know
a
simple
set
of
steps.
C
C
C
If
the
jot
ID
says
it's
user,
X
I
will
then
do
that
token
switch
for
you,
as
part
of
also
when
I
bring
up
an
application
on
carifi
I
I
have
a
cluster
update
service
which
is
looking
for
your
CF
routes
which
get
propagated
and
that
will
go
and
update
the
actual
kubernetes
cluster
sdo
deployment,
as
well
as
update
Route
53,
and
the
reason
I
need
to
do.
That
is
because
of
the
Sni
routing
right.
C
So
if
I
have
a
particular
route
that
gets
created,
I
need
to
create
a
DNS
entry
which
points
to
a
cname
entry
which
glue
has
been
added
as
well
as
a
route
and
that
gets
sent
through
Contour
because
of
once
again
your
CNO,
your
Sno
routing
Contour,
won't
take
it
if
it
doesn't
present.
You
know
during
that
TLS
handshake,
the
the
actual
router
wants
to
go
to.
So
it's
a
little
bit
of
a
pain,
but
once
again
it
does
work
the
cloud
Foundry
one
is
it's
just
a
wild
card
domain?
C
So
unless
it's
like
login
dot,
you
know
Stephen,
taylor.net
or
UAA,
or
anything
else
or
API.
It
will
just
default
everything
to
that
Bosch
cluster
right.
So
the
way
I
set
it
up
inside
the
routing
tables
within
the
Gateway
is
everything
by
default
will
go
to
Bosch
and
to
Cloud
Foundry
and
unless
I've
said
specific
rules
or
I'm
doing
Dynamic
routing
it
will
it
will
route
to
either
one
of
the
Clusters?
Does
that
make
some
sense
yeah?
C
You
know
we
are.
You
know
during
this
you
know
a
standard
login
event.
It
will
go
to
the
the
Gateway.
The
Gateway
C
is
okay.
There's
no
authentication
header
present,
we'll
forward
that
you
know
to
Cloud
Foundry
Cloud
Foundry
will
do
a
standard
login
and
return
that
back
to
the
CLI
the
CLI
will,
then
you
know,
you
know,
follow
the
login
sequence
which
works,
and
then
it
will
go
down
and
say
all
right
give
me
the
organizations,
but
at
this
point
in
time
you
know
there
is
a
an
authorization
header.
C
The
Gateway
was
in
picks
that
up
and
says
call
out
to
this
token
exchange
service.
The
token
exchange
service
is
the
user.
Id
sends
back
a
new
token,
which
then
I
will
replace
that
in
the
outbound,
the
outgoing
header
and
then
call
out
to
the
karifi
cluster
right
carifi
responds
as
though
it's
you're
talking
directly
to
it
and
the
CF.
You
know
this,
the
the
the
CLI
doesn't
know
any
different.
C
All
it's
seeing
is
a
bunch
of
API
endpoints
coming
back
to
it,
you
know,
and
it's
able
to
to
follow
the
standard
process
right,
so
it
doesn't
see
anything
different,
there's,
nothing.
That
seems
to
be
broken
now.
This
also
works
with
the
CF
push
and
any
other
subsequent
calls,
even
on
a
token
exchange.
If,
if
the
CLA
is
the
token
has
expired,
you
know
it
once
again
calls
into
the
login
service
and
gets
a
new
token.
So
you
get
a
refresh
token.
A
C
So
I
mean
what
do
we?
You
know
what
came
out
of
it.
I
mean
once
again,
you
can
log
in
in
a
standard,
CF
cluster.
There's
nothing
that
says
it's
special
or
has
to
do
anything.
Tokens
are
exchanged,
you
know
transparently,
so
the
Verizon
filter
was
a
bit
of
work,
but
you
know
it
does
its
thing.
It's
not
performant,
but
of
course
it
does
what
it
needs
to
do.
C
You
know
it
routes
correctly
to
the
correction
cluster
and
you
know
every
subsequent
command
that
the
CLI
sends
over
the
wire
will
be
routed
based
on
you
know
that
particular
header
apps.
Well,
they
shouldn't
technically
know
the
difference.
If
you
know
karifi's
Janet's
job
correctly,
so
I
mean
as
long
as
I've
got
the
information
within
the
apps.
It
should
work
the
developers
shouldn't
see
any
of
the
routing
and
it
should
be
very
seamless
to
the
developer
to
continue
their
current
workflows
in
the
current.
C
You
know
processes
without
having
to
do
a
whole
bunch
of
extra
work
so
far,
apps
deploy
and
act
as
normal
I'm
still
yet
to
get
some
of
the
Cross
routing
working
I
have
to
create
an
application
that
will
cross
some
of
these
routes
and
once
again,
Cloud,
Foundry
and
CLI
is
you
know,
oblivious
to
any
of
the
routing
it's
done
on.
You
know
before
they
even
know.
What's
going
on
so
I
mean
I
can
just
show
you
a
quick
demo
of.
C
Okay,
so,
as
you
can
see,
this
is
now
talking
to
Cloud
Foundry.
There
was
an
authorization
call,
but
it
didn't
do
anything
across
it.
As
you
can
see,
my
application
is
taking
a
call
from
a
wasn't
filter.
So
if
I
do
you
know
a
list
in
verbose
mode?
Sorry,
it's
a
bit
up
and
down
right
now.
You
will
see
that.
C
C
And
now
you
have
a
bunch
of
different
apps
which
are
sitting
in
a
different
class,
so
this
is
on
the
karifi
cluster.
Now,
if
I
turn
off
the
wasm
and
do
the
same
call
no
applications
are
found,
because
now
it's
talking
to
Cloud
Foundry
again
right,
it
doesn't
think
it
doesn't
know
any
different
if
I
turn
it
back
on
and
once
again,
I
could
completely
change
this
out.
C
C
You
know
they
should
technically,
because
they're
on
the
same
domain,
you
know
should
be
able
to
call
each
other.
But,
as
I
said,
it's
an
interesting
point
to
do
some
routing
later
on
and,
as
you
can
see
within
you
know,
glue
mesh.
You
know
within
the
Gateway
I
have
a
bunch
of
different
rules
based
on
imported.
You
know
applications
for
example,
and
they
are
being
you
know
there
is
I,
create
a
destination.
C
You
know
for
its
particular
particular
endpoint,
and
then
that
will
be
added
into
a
route
saying
under
certain
hosts.
Come
in,
you
know,
draw
a
route
to
a
particular
route
to
predict
a
particular
destination
which
happens
to
be
your
Contour
thing
and
through
that
they
do
the
sna
handshake
for
TLS
and
gives
me
once
again.
You
know
the
ability
to
to
Traverse
that
now
what
would
have
been
interesting
is
if
I
could
have
bypassed
the
whole
Sni
thing
and
just
pushed
it
to
a
back-end
TLS
or
directly
into
the
actual
routing
service.
C
C
C
Said
the
you
know,
I
get
the
tokens
in,
they
said
I
do
a
lookup
on
a
user
ID
set
back.
You
know
two
things,
one
is
the
header
and
one
is
just
saying
this
is
my
cluster
that
I'm
going
to
and
then
based
on
routes,
which
will
be
that
you
know,
there's
a
header
rule
that
says
reroute
to
a
particular
destination
based
on
that
header.
B
C
So
it's
purely
done
on
the
on
the
clients
on
the
set
on
the
user
ID
in
the
jar.
So
once
again,
if
I
I
will
I
will
just
take
the
user
ID
that
I
have
set,
you
know
from
the
decoded
jot.
I
will
then
add
this
header
I
will
replace
the
header
into
here
and
then
the
then
set
the
the
particular
cluster
I
mean.
The
actual
you
know
if
you
want
to
look
at
wasm,
I
mean.
B
I
guess
my
question
was
more
like
about
the
user.
I
guess
the
user
will
have
to
know
how
these
mappings
are
set
up
because
the
output
is
indistinguishable.
It's
like
seamless
right
and
what
happens
if
you
push
the
same
because
you're
sharing
the
same
domain
happens.
If
you
push
the
same
map,
virtual
tourism
result
in
the
same
route.
Do
you
get
like
some
different
subdomains?
C
C
C
Do
I
know
if
there
there's
probably
a
billion
different
use
cases
that
may
fail,
but
I
don't
think
that
it's
I,
don't
think
that
that's
just
a
probably
discovering
you
know,
as
we
sort
of
dig
through
some
of
this
stuff
I
mean
that's
also
not
handling
things
like
custom
domains
and
routes
and
so
forth.
So.
C
B
B
C
We
can
just
swap
that
yeah.
The
goal
was
in
the
original
picture
to
to
replace
proxy
with
istio,
and
that
would
let
me
route
directly
to
the
go
routers
and
then
I
could
almost
build
in
East-West
routing
directly
from
one
app
to
Cloud
Foundry,
not
to
an
application,
but
at
least
from
let's
say
a
kubernetes
deployed
karifi
application
to
a
cloud
Foundry.
C
You
know
from
let's
say
one
application:
could
I
deploy
half
an
application
on
cloud
Foundry
and
the
other
half
on
carifi
I,
don't
know
I
mean
it's
possible.
How
would
the
routing
look?
That's
a
very
good
question.
You
know,
service
Discovery
is
a
little
more
tricky.
You
know.
How
do
you
do
populate
services
within
you
know
within
istio
that
are
deployed
on
cloud
Foundry
and
vice
versa.
I
don't
know
yet.
B
C
Like
it
would
be
because
then
I
wouldn't
right
because
it
kind
of
works
within
the
same,
let's
say
because
we
always
say
it
speaks
the
same
language
right
then
I
don't
need
to
have
complexities
such
as
DNS,
DNS,
entries
I
can
just
do
a
pure
routing
and
based
on
on
that,
I
could
go
almost
directly
to
her
to
a
service
and
said
I
haven't
you
know,
I
I
hadn't
looked
into
how
how
deep
that
would
need
to
be.
But
yes,
I
mean
my
experience.
C
So
far
with
karifi
I
mean
look
it
you
know
it's
starting
to
solve.
Some
of
the
problems
that
you
know
are
interesting
as
far
as
routing
goes
as
far
as
building
a
cloud
native
application
goes
as
far
as
once
again,
I
could
deploy
my
legacy.
Application
to
you
know
to
karifi
and
then
modernize
that
around
it
over
time.
C
You
know,
as
I
said,
I
I,
don't
know,
I
mean
I
like
the
cloud
fantasy
deployment
and
and
development
experience.
I
think
it's
much
easier
for
a
developer
to
understand
how
to
do
a
cloud.
Foundry
application
versus
you
know
a
pure
kubernetes
in
istio
I.
Think
that
a
lot
of
developers,
you
know
outside
of
guys
that
really
want
to
dig
you
know
into
the
details,
I
think
having
a
developer
experience
that
is
as
simple
as
a
CF
push
makes
a
whole
bunch
of
sense
for
them.
It
just
needs
to
be
modernized.
C
A
C
A
A
A
A
C
C
B
Yeah
yeah
I
guess
you
can
probably
use
the
slack
Channel
I,
don't
know
if
you
invited
you
there
yet,
because
you've
been
communicating
via
email,
go
for
it,
so
I
I
guess
you
can
drop
in
the
channel
and
ask
stuff
like
propose
open
issues.
What
kind
of
feedback
is
very
welcome?
We
already
created
the
story
to
look
into
these
two
stuff
which
I
don't
know
exactly.
Why
we're
going
to
pick
it
up,
but
it's
in
our
list.
C
Yeah
I
think
some
of
the
also
getting
up
and
running
as
a
you
know
to
you
know,
develop
some
of
the
code.
You
know
at
least
to
spin
up
a
developer
environment.
To
get
it
up
and
running.
Is
it's
probably
something
that
you
know
would
be
interesting
to
me
now
at
least
to
debug,
because
someone
said
I
can
usually
you
know,
function
offline
most
of
the
time
so
I
know
there's
the
hacking
guide,
but.
B
Yeah
we're
using
kind
deployments
for
local
development,
debugging
trying
out
stuff
so
I.
Guess,
if
you
I
guess
we
were
we're
constantly
improving
the
install
instructions
and
they're
constantly
breaking
down
I
I
think
we're
in
one
of
these
Loops
now
and
a
release
is
pending
soon,
I
guess
pretty
soon,
they'll
be
back
to
normal
and
you'll
be
able
to,
but
I
mean
you
can
try
them
out.
B
C
Yeah,
no,
as
I
said,
I
think
you
know
if
I
can
get
at
least
debugging.
You
know
put
together
and
say:
I'm,
not
you
know
going
to
delve
into
writing
a
bunch
of
code,
but
I'm
just
going
to
go
and
delve
into
it
and
I
can
debug
this
thing.
When
it
breaks,
I
mean
I've
had
to
go
and
Patch
the
cfcla.
You
know
to
give
me
you
know
some
of
the
things
I
needed
to
at
least
view
the
you
know:
redacted
variables
that
in
I
needed
to
see
so.
A
C
A
C
But
what
I
liked
about
istio
was
I
could
then
do
inspection
on
who's?
Doing
the
call
and
I
could
dynamically
change
those
rates
right,
I'm,
not
going
to
say
you've
got
3
000
calls
per
minute
allocated
where
I
could
say
right,
I'm,
seeing
that
you're
calling
me,
but
in
a
burst
right,
I
could
smooth
that
burst
out,
so
I
needed
the
more
Dynamic
capabilities
of
rate,
limiting
in
fact,
we've
seen
a
lot
of
applications,
especially
new
ones.
C
Coming
in
you
know
new
clusters
and-
and
you
know,
on
cloud
native
sort
of
like
kubernetes
deployments,
looking
at
the
more
Dynamic
rate
limiting
and
not
from
istio,
but
you
know
from
the
solar
distribution
that
we
have,
because
we
have
a
partnership
in
partnership
with
with
solo,
so
we're
using
their
rate.
Limiting
and
teams
are
looking
at
actively
rate
limiting.
C
C
A
A
Foreign
well,
if
there
are
no
other
thoughts
on
this
at
the
moment-
and
there
are
no
other
topics-
we
can
probably
wrap
it
up.
I'd
say
keep
this
line
of
thought
open
and
discuss
it.
We,
you
know,
have
the
slack
channels
and
the
repos,
you
can
drop
issues
on
and
all
sorts
of
stuff,
so
we'd
love
to
have
that
engagement
and
kind
of
see
what's
going
on
and
how
people
are
using
it.
A
A
Awesome
well,
it
looks
like
I
might
be
able
to
give
you
all
about
20
minutes
back,
which
would
be
great
for
everyone,
depending
on
where
you
are
doing
whatever
so
yeah,
unless
there
are
any
pressing
concerns
that
someone
wants
to
raise
their
hand
for
I'm
gonna
say.
Thank
you
all
so
much
for
coming
out
for
this.
This
is
cool.