From YouTube: Istio Environments Meeting 2021-09-15
A: I was planning to discuss this subject. The short version is that, well, as you know, right now it still depends heavily on the mutating webhook and injection, and that works well. It has a lot of benefits, but it is specific to Kubernetes and it is a pretty complicated template that, you know, is hard to maintain, and we have all kinds of problems with it. The document I'm presenting is based on some work I did to attempt to support Istio on Docker containers, plain Docker containers, in particular in Google serverless Cloud Run and, as you know, on VMs and in other environments. Since we don't have a mutating webhook, we need to do something else. The solution we have for VMs is relatively complicated and doesn't work very well in Docker, because it relies on saving some files, and obviously on Docker you don't have any storage typically, so we have to do something slightly different. And while doing those changes, it becomes obvious that they benefit regular Kubernetes as well. So the goal here is to support... Obviously, the first goal is to support running Istio in a non-Kubernetes environment, where the mutating webhook is not available.
A: The second case is running Istio in clusters where you do not have mutating webhook permissions. So if you run on a... you have a cluster where you have just the permissions in your own namespace and nothing else. You cannot install any webhook, you cannot use those CRDs, but you still want to participate in the mesh. This is probably not very common, but it's identical with the Docker environment, where you have a Docker container environment and nothing else available, and if we can support Docker, we can also support those use cases. I mean, for applications where you don't touch anything with cluster admin, and proxyless gRPC, which we are also starting to support in Istio, where again there is nothing to inject because they are not using a proxy.
A: So they don't even need it, but they still need to discover istiod. I have some brief discussion of use cases, trying to go through how people would use this mode. Please read, leave comments. Again, there are other use cases that are possible; this is just an example of what I think is probably the most useful mode for this injection-less approach, but we can discuss. For regular clusters where we have injection, where we want to continue to use injection, this proposal is basically reducing the injection template to around five lines. I mean just the container with the image, one container with the proxy image, no parameters, no volumes mounted, absolutely nothing else, except those two boilerplate lines, which are very similar to what we are doing for the gateway, except that in this mode we don't even need to inject anything else, because the startup will be able to detect it. And the benefits really for us: not only simplifying and reducing maintenance, but it also means that the workloads are no longer tightly coupled with a control plane, because each Istio version has an injection template.
A: Yes, as John answered John's question on the sideline, Kubernetes is a secondary case. For me, I mean, my primary goal was to support Docker. It's just that, accidentally, if we support Docker well, and then those environments where injection is not available, Kubernetes becomes very simple, and I think we should have a strong interest in simplifying the injection template in Kubernetes and supporting Kubernetes without the mutating webhook, because upgrades and a lot of other things become trivial with it, and our support surface will become much smaller. But I didn't start to solve the Kubernetes case; it just accidentally happened. But the solution is basically the same, and it's a solution that solves both cases. So, how it works and why it works: right now
A: The mutating webhook does three things. It's adding Envoy and pilot-agent, because you obviously need the mesh. It adds a bunch of environment variables that change from version to version. It adds volume mounts, including the token, and with an init container it makes sure that, you know, the iptables are set up. I mean, the ultimate result of this injection is that iptables are set up and the sidecar is connected to the control plane. The solution for a non-Kubernetes environment is basically, like on VMs, we just add pilot-agent, with the changes that are proposed in this document, the same way. We are going to set the Docker image, and the setup is the same. It takes care of the first step, which is having the binaries.
A: Once this happens, at startup we change the startup a bit so we do not depend on the environment variables. Instead of having the injector add some environment variables to the pod spec, the pod will make a lookup and get whatever that cluster needs in terms of environment variables, and what the configuration is, as an opaque blob, with a curl request, with an HTTP request. The whole implementation is not dependent on any version of Istio. I have it working with Istio 1.9 and 1.10, because istiod really doesn't care that some workloads happen to want to configure themselves in a different way. And yeah, let me go on to explain the actual implementation, because the real trick here is to start with a ConfigMap that is using the system:authenticated permissions. That's really the key of this document; that's, you know, what made this happen.
A: So what we are doing is we use those parameters, make a curl request to the API server, and we get back all the environment variables that we need, plus the XDS root certificate, plus everything else that the injection typically does, and then we start pilot-agent just as normal. And then we do it with the parameters if you are running outside; for example, in the case of Docker, in my particular example, I'm using some Google APIs to locate the GKE server and get the IP and certificate. And that's pretty much everything that is required here. There is some discussion about having this mesh environment file, which is again an opaque file. We don't want to repeat the mistakes of ProxyConfig and other things where we have a strict specification. It's just some blob that is guaranteed to be... the URL may change when upgraded, when Istio versions are upgraded it may be refreshed, but in the end all it needs to do is to make sure the mesh is configured.
A: The second interesting part here, and the second requirement for the design, is how to get the Istio-scoped tokens, which are needed for the CA and for other purposes, and for that there are several options discussed; all of them work. A combination of them can be used. Pretty much it relies on calling TokenRequest on the API server, either from the pod or from an SDS server that would be bundled with Istio. Let me take a break to answer the comments on the Meet; feel free to ask as well. So, "API server access from proxy is not great." That's actually true.
A: To some extent. There is a project that is actually accessing the API server directly with HTTP requests, because with... yes, we have a big library that has dependencies and has all kinds of issues with throttling and other things. But all we need to do is make an HTTP request to get a blob with a JWT token, so we don't really need the entire API server client, and it's not necessary that the API server is needed. It has a public set, exactly the same thing with the API server. I mean, we have the... it's not the public server it has; we have the key, basically. And if you use external istiod or other things, again, you may not even know the address of istiod in the first place. Maybe not because you didn't... it's your system, because if you are running in a cluster you don't have istiod. Then, then...
B: What are you going to do? Well, yeah, but you still need the URL of the bucket, so you still need, like, you need the URL of something. So why not just give it istiod? I don't know, I'm a bit... I am very, very hesitant to doing this on Kubernetes itself. I mean, I get, like, in a Docker environment it's useful, and even in a VM environment it may be, like, there's cases where some people may want to do things today where they run...
A: Your concern, Kubernetes, is the last one that I'm planning to support. So the plan is to support all the others, support Kubernetes where you don't have istiod, because that's, I think we agree, a valid use case, or hopefully it's a valid use case. But if you have istiod, just use injection and you don't have to use this. Still, we can get it from istiod if we find a way to connect with what you're describing, but we still want to simplify the template.
A: Again, this is minimal config: it's the address and the root certificate, and instead of having to inject those things, we just get them from Kubernetes, because that's already taken care of by the kubelet. So that's really simpler and with the same effect, and if we find out the API server doesn't work, then... And latency is not impacted by this, because again we make the same calls.
B: I don't know about that. I think it has more efficient watches, it can cache across, like, it's not like if you have 100 proxies it's opening up 100 watches on the ConfigMap, right, it's opening one and we're using it. I hope, I assume, there's no watch involved. There is not much importance in this answer; it's just pure GETs.
D: Yeah, so I think the other use case of this, apart from sort of having a common path for starting everything, is, yes, it is forcing us to simplify the injection template, or at least hiding it, right. It's not simplifying it, and it's also useful, I think, in sort of in-place upgrades, because one of the reasons why we just can't start a new version of proxy is because the template can change. So if we have this way of bootstrapping, which is: get the env file, what are you calling it, mesh env or something like that? Okay, it's... yes. Right, so as long as you have the new bits available, the new bits of the proxy available wherever it wants to start, everything else is obtained from this sort of known endpoint, and yeah. And so I think I'm still not very clear on, though, how does this interact with the indirection that we get through revisions and webhooks? So I thought...
A: Yes, I didn't include this part in the document. Actually, I did include something at the end. So remember that what revisions do effectively is provide multiple istiods; those are multiple. For Docker, again, you don't have revisions in the cluster, you don't have the mutating webhook, you don't select them by tag or anything. You have just this file, and the idea is that this file will list not one address but multiple addresses of istiod, including for each revision and each... So basically there is a controller that is, you know, looking at the cluster, finding what istiod is installed, and creates this opaque file.
A: My recommended configuration is to have, typically, external... I mean, have a number of, whatever, regions here, zones, Istio, external istiod clusters that store the configurations, and then you can have as many workload clusters as you want, where you just have workloads, and you get a list of revisions and addresses of different istiods, and you pick one based on whatever you choose. I mean, you know, you have access to your configuration. You can choose to select the canary, and if it doesn't work, you fall back to the other.
A: Okay, let me get a bit into smaller, you know, fancier iptables. Again, there's a discussion about iptables in this mode. Actually, let me go first with the golden image, because that's where it starts. So normally in Istio, in Kubernetes, we have a pod running, for example, your bookinfo, and we add the second container that is running the Istio pilot-agent and Envoy. For Docker and VMs, really, I'm calling it the golden image because it has everything inside that's typically maintained by the mesh admins and someone who provides the base image, including the reference operating system that is used in the enterprise or whatever. So this golden image is deployed in any Docker environment; it can also be deployed in a Kubernetes environment as an image.
A: So it will be your application with mesh included, and you can deploy it anywhere. If you deploy it as a regular user in a regular cluster with no injection, it will know how to find the mesh environment and, you know, connect the mesh to everything that you are doing. The only thing that is a bit special is that you need to have iptables permissions or you need to have the CNI. So one of the two must exist, or we fall back to whitebox Istio, which still works. So it will basically work; it works everywhere, basically. And the other point I included in this document, which is a bit more, you know, kind of far future, unless someone is volunteering to write the code: we can also inject Docker images directly. So there is a program called ko that is basically building a Go binary, and then it's patching, it's adding a layer to the manifest, without actually using Docker itself.
A: It's just uploading a tar.gz as a layer, and then it's doing a small patch to the Docker manifest. We can actually do the same thing. I mean, take any Docker container image, we run a command, and it automatically becomes a mesh-enabled Docker image, assuming it's, you know, based on libc, whatever Envoy needs. Yeah, that's kind of the gist of this proposal, with all kinds of details and possible extensions.
E: The concept of the golden image, does it help with, like, the whole application container until your proxy is ready thing? It doesn't help with, like, lifecycle management. Oh.
A: Yeah, it does, it does a lot. I mean, it simplifies everything, because the golden image contains a starter which, you know, starts Envoy, waits for Envoy to be ready, starts the application, waits for the application to be ready, and then the checks are ready. Assuming you are willing to maintain an image or to patch an image to have it... but again, if you're a developer and you run both, that is, a non-Kubernetes environment, you probably will patch the image for the non-Kubernetes environment, and then why not use it for Kubernetes as well, because you are testing it. One thing I forgot to mention: CI/CD. Everything that I described here
A: You know, works in any Kubernetes, any Docker environment, including GitHub Actions, for example, or any other, Google Cloud Build. They know how to build a Docker image. You can run the Docker image. The Docker image can download the mesh environment, can connect to XDS, can have an mTLS certificate. It can do pretty much everything, so you can test your image in the CI/CD system with full, you know, access control, whatever, you know, mesh you are using, and then you can deploy it. So it's a bit more convenient for people who want to test end to end. Robert is asking: when do we write out the bootstrap config for Envoy? I'm not making any changes to the bootstrap config for Envoy.
A: No. I've got to say, technically, one of the things that I did as part of this prototyping is to try to minimize the number of round trips to the API server, because, as John said, you know, the API server is a delicate server, and it impacts the startup time. So it is possible, you know, the bootstrap discovery: it's, you know, going to the XDS server, gets the bootstrap, saves the bootstrap, starts Envoy, connects again to the API server to go to the XDS server. We can put the bootstrap in this mesh environment, which is a completely opaque file, and then you save a round trip. That's the only thought I gave to this problem in this implementation, and again, since it's a single round trip at startup that needs to happen anyway, you save a bit, up to 100 milliseconds, in the startup time.
A: The launcher, because this relies on some binaries, that is now coordinating with this thing. The launcher could, you know, check the mesh environment: has the pilot version changed? Download pilot-agent, download, you know, which knows the bootstrap template, download Envoy, and launch them again. So it's not really...
D: Right, yeah, so it can do the whole thing, and then it would be repeatable and correct, yeah, at the cost of startup speed.
A: To answer the comment: yes, that's something that is highly desirable, but slightly orthogonal to this proposal. I mean, it will mean that you can go to istiod to get this mesh discovery file. So that's pretty much it. Please take a look, leave comments. I've been working on some prototype and I'll try to publish it. What else should I mention here? Let's have, you know, after people have time to put comments, and any strong objections to this proposal...
A: I do not plan to make any changes to Istio itself at this moment, because almost everything is in this binary that is completely agnostic to Istio and Istio versions. I'm planning to put it in, you know, ecosystem initially, get feedback, see how it works, and only after that we discuss if we should add it to the main tree. The benefit is that, since it's agnostic to version, people can try it and start using it with Istio 1.10, 1.11, whatever is the current version, and, you know, we can get feedback and see, without having to worry about upgrading versions. And, I mean, since one of the main goals is to decouple the golden image and the workload image from the control plane.
A: In recent Istio, I mean, we had a number of incompatible changes, but Istio master today works with the 1.9 control plane, assuming, I mean, if you solve the problem of the injection template, which is different. If you just take the agent and Envoy, it's really agnostic, almost agnostic, to the version of the control plane in the last few versions, and we can make it a bit more strict in testing.
A: I'm not saying that it's infinite, I mean any version with any version, but, you know, 1.9, 1.10, 1.11, 1.12 are all more or less compatible. And don't forget, we are trying to add proxyless gRPC, which is a completely different repository, different... and proxyless gRPC works not only with any version of Istio, but it's also working with other XDS servers.
A: I should mention, for any Docker environment: so if you're not an exclusive Kubernetes shop, you build a Docker image. You have a CI/CD that is building Docker images, and the requirement for such environments is that periodically, weekly or whatever you are doing, there is a build. You pick up any fixes from the operating system, from libraries, from any other binaries you are using in your golden image, including Envoy and pilot-agent. So, part of the CI/CD system
A: That is building the golden image, and it's not specific to Istio or Envoy that there's a bug bad enough where you need to pick it up. It can be libc, it can be BoringSSL, OpenSSL; it can be anything else in the image. We are just not having a different process for security fixes in Envoy versus security fixes in OpenSSL. I should make it more clear in the document that, with golden images, it's the responsibility of the mesh administrator every week to build a new image and pick up any security and critical bug fixes for anything, including the operating system. And the same as VMs today, right; so for the VMs today we have the same requirement. If you are operating on a VM, you need to do an update, whatever, to install the new release, but it's not very clear to users that it is a responsibility and they need to be sure to patch their...
E: Right, which is why I also agree with what John mentioned earlier. It sounds like, you know, the existing sidecar injector model would continue to be the best for Kubernetes environments when, you know, the mutating webhooks are allowed, and this will be a nice alternative for other environments or when they can't use mutating webhooks.
A: I mean, I agree with you if it's exclusive Kubernetes. If it's not exclusive Kubernetes, if you have at least one Docker or CI/CD system, and you need to maintain a tool and a golden image, then probably you are better off using the golden image and not using the injector at all, because you will, you know, test this image, control the rollout of this image. You know, you are using the same process for any security fix and you don't have a split.
E: Yeah, that makes sense. And don't forget, we actually had an outstanding issue on VM, right. You can't run your service in a Docker container with a sidecar if you're running on VMs; sometimes the outbound traffic will conflict.
A: I tested extensively in Docker on my VM; I tested on Cloud Build and GitHub Actions. So I think it's working fine. In some Docker environments, the problem is you don't have sufficient net capabilities, NET_ADMIN capabilities, and that's where the fallback to whitebox comes into the picture, and I submitted some patches to improve the whitebox a bit, and it works pretty nicely now. I mean, if you're in HTTP or CONNECT, you change your code to localhost; it's really nice.
A: That's great. Again, I'm just saying, you know, it's a prototype and a proposal. Don't just expect this to work tomorrow, but if we agree on this direction, I think we can make pretty fast progress, because there are not a lot of big changes. Really, this proposal is just, you know, small: you know, taking the environment variables from the injection template and putting them in a ConfigMap, and then a few adjustments. John, yes, the main one is containers, serverless container services, but it accidentally also works on VMs with Docker. It also accidentally works on regular VMs, where you just debug.
A: Okay, so if the other working group leads are okay with this, and after we get more feedback, it will be good to have some approvals, and I'll... I think, Lin, you are now the master of the Istio ecosystem, or... Okay, so after this approval, I'll be asking to create a repository to start some, the prototype and some code.
E: Yeah, sure, just let me know, you know, like, your repository name, a basic description for your repository.
A: I think we'll discuss this again. I mean, I just... this is, you know, I just presented this. I don't think everyone had the time to absorb everything, and probably we need to figure out, maybe, what else we want to do about it. Other questions or concerns we can again take next week, or in two weeks, to give people time to comment, to have another brief Q&A and figure out if we can move forward with this.
E: So, just trying to understand John's comment: I think, John, you kind of indicated, like, if I have multiple different levels... assuming, I think you kind of really indicated "I don't really need this to run the services on Docker on top of my VM."
B: Yeah, I think the only case where you absolutely need this, I mean unless you want to do everything manually, of course, that this is doing, is if you have basically a service where you just throw a container at it and it runs it. There's a lot of these, like, you know, Cloud Build as an example, Cloud Run, or, if I know my non-Google services, AWS Lambda, maybe they have a container one as well. I think every time you... This could still be used to make it simpler. Like, in some cases it may be simpler to do the current setup where you run istioctl and you pre-compute this and then stick it on the VM; in some it's simpler to do it dynamically, probably most dynamically, to be honest, but it's not necessarily required in those cases. Like, you can still do Docker on VMs today.
A: Yeah, the real issue here is if you have a hybrid environment, where you have both VMs, Docker services, container services, VMs and whatever. You just build one golden image with your application, which is this proposal, and then you stick it, you throw it everywhere. You don't have to do things slightly differently for the... I mean, it is possible to do a lot of different things like this. You can have all the injection, or VMs.
E: Okay, yeah, that makes sense. So today we don't necessarily... there are workarounds. I guess I forgot: there is a workaround. I guess you could run Docker host network, or you could potentially, with the IP flag you mentioned, so you don't necessarily have to use this, but it's nice if you run your services on different environments, which provides you the same image whether you're running on Docker, on a VM directly, or running in Kube.
A: Yep, and another nice thing, if you're not using the workarounds, is that you can run as many as you want, because with the current workaround it's a bit more difficult. If you're running on the host, you can have only one, and so it's a bit more inflexible if you use the workarounds than the golden image.
A: The main idea is that the config... I probably should have discussed this a bit. So the config is a ConfigMap with a bunch of environment variables, which are the correct environment variables that we all know and love, and some extra with the CA certificate, which we currently use in the... there is a proper mechanism for distributing the root.
A: The upgrade scenario is: the controller makes sure that the blob contains everything necessary for the revisions installed in the system. So you have istiod 1.10, 1.11, 1.12 and some external istiod; the controller will populate this blob with whatever is necessary for all of them, by patching. And an important thing that we discussed is the ability to... if the ConfigMap is flat, it's very easy to patch it from multiple controllers, and each version can maintain its own variables with patching, without touching the other ones. At least that's how we implemented it so far. Now, the upgrade experience: the user picks whatever version of Istio, you're saying the current version of Istio, in the weekly build of the golden image, and that is deployed, and that will pick the blob, which will have, hopefully, everything that is necessary inside.
C: Okay, so within the single ConfigMap there are different, pretty much like, environment variables and everything else per version, right? Like, or is it all pulling from, like, an aggregate?
A: To be honest, currently I'm just putting the default, and I didn't implement the fallback yet. I don't know, check revision A; if it doesn't work, you check the next. So, but the idea is that it's a, you know, list of config settings that will... this has the unification of all the active control planes that are available in the system, and the workload will pick whatever it wants, and I don't know exactly how we're going to pick, because this model doesn't rely on any annotations, templates or labels. But I think it's important to have this fallback, because it increases reliability: if the canary is bad, and if you try to deploy 1.12 or 1.15 and it has a problem, it's very useful for the pod to be able to say, hey, I cannot connect with istiod, I cannot get a certificate. Okay, let's try the other, the previous environment, and not fail.