Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Istio / Environments Working Group / 15 Sep 2021
Istio / Environments Working Group / 15 Sep 2021
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Istio Environments Meeting 2021-09-15

Description

Istio Environments Meeting 2021-09-15

A

Only item on the agenda: if people want to add more stuff, let me know so I can we can they can go in front of me if you want.

A

Click on the link.

A

Okay,.

A

So I mentioned in the previous meetings.

A

I was planning to do to discuss this this subject. um The short version is that, um well, as you know, we right now, it still depends heavily on on on limitating web hook and injection and that works well. It has a lot of benefits, but it is specific to kubernetes and it is a pretty complicated template that that um you know it's it's hard to maintain and, and we have what kind of problems with uh with it. um The document I'm presenting is based on some work.

A

I I did to attempt to use um to support hto on docker container plain docker container, uh in particular in google server uh cloud run and, as you know, in vms and in other environments, since we don't have mutating webhook, we need to do something else. We need we and and the solution we have for vm, it's relatively complicated and and uh doesn't work very well in docker, because it relies on saving some files and uh obviously on docker.

A

You don't have any any storage typically, so uh we have to do something slightly different and and while doing this uh this those changes, it becomes obvious that that they benefit regular kubernetes as well. So uh the goal here is to support. Obviously, first goal is to support running histo in in non-kubernetes environment orientating web, which is not available.

A

uh The second case is uh running history in clusters, where you do not have mutating webhook permissions. So if you, if you, if you run on a your, you have a class that you have just the permission in your own name space and nothing else. You cannot install any web book.

A

You cannot use those crds, but you still want to participate in selection, and this is probably not very common, but it's identical with the docker environment, where you have a docker container environment, nothing else available, and if we can support docker, we can also support those use cases. I mean for overlappings, where you don't touch anything with cluster admin um and proxies grpc, which we also starting to support in history. Where again, there is nothing to inject because they are not using a proxy.

A

So so uh they don't even need, but they still need to discover uh istio d. um I have some brief discussion of use cases and trying to go for how people will would use this mode.

A

um Please read, leave comments again. There are other use cases that are possible, there's just an example for what I think it's, it's probably the most useful mode for this uh injection less, but um we can discuss for regular clusters where we have injection where we want to continue to use injection uh this proposal is, is, is basically reducing the injection template to basically five lines about around five lines.

A

I mean just the container with the image with the proxy one container in it container with the image no parameters, no volumes mounted no, absolutely nothing else, except those two boilerplate lines which are very similar to what we are doing for the gateway, except that in this mode we don't even need to inject anything else, because the the startup will be able to detect it um and the benefits really for us not only simplifying and reducing maintenance, but it also means that um the workloads are no longer tightly coupled with uh with a control plate, because the issue one line, has an injection template.

A

If you want a different injection template, when you upgrade from one night one, then you must do a rolling upgrade. You must change the control plane, because, obviously the parameters have changed in the injection and you don't know what's going to happen.

A

uh It's yes, as as as john uh cancer john question on the on the sideline bernard skis is a secondary case. For me I mean my primary goal was to support docker. It's just that accidentally.

A

If we support docker well and then those environments were injection into the table, kubernetes becomes very simple and- and uh I think we should have a strong interest in simplifying the injection temperature in kubernetes and and supporting kubernetes without uh taking webhook, because uh upgrades and a lot of other things become become trivial with, uh and our support partner will become much smaller, uh but I didn't start to solve the quantities just accidentally happened so, uh but the solution is the same basic and it's a solution that solves both cases um so how it works and why it works uh right now.

A

Mutating weapon does the three things it's adding the employee and pirate agent, because you need obviously the mesh. It adds a bunch of environment variables that change from version to version. It adds volume mounts including the token and it with any container. It makes sure that you know the ip tables are set up. I mean the ultimate result of this injection is that evitable setup and the sidecar is connected to the control plane.

A

uh The solution for for for uh non-kubernetes environment is basically to like, like on vms. We just add pilot agent with on changes that are proposing this document uh as well as same way. We are going to set the docker image and the set has the same same same same same. It takes care of the first step which lightens the binaries.

A

um Once this happens at startup, we change a bit the startup, so we do not depend on the environment variables instead of having inject or add some environment variables to support spec, the pod will make a look up and get whatever that cluster needs in terms of environment variables and what is the configuration as an opaque uh current request, with http request, uh the the the whole implementation is not dependent on any version of issue.

A

I have it working with instio, 1, 9 and 110, because it really this yo d doesn't care that that some workloads happen to want to configure themselves in a different way and uh yeah. Let me let me go to to explain the actual implementation, because the real real trick here uh is to start with a config map that is using the system authenticated permissions. That's really the key of this document that that's uh you know what made this happen.

A

As you know, when, when the pod starts, it has kubernetes ip red cpi, server id, it has a kubernetes api server certificate and it has a jot token that allows connection to to document api server.

A

So what we are doing is we use those parameters, make a current request to api server and we get back all the environment variables that we need plus xds uh root certificate, plus everything else that that the injection typically does, and then we start pilot agent just as normal, and then we do it with the parameters um if you are running outside, for example, in in case of doppler in my particular example, I'm using the some google apis to locate the jk server and get the ip and certificate.

A

uh Obviously that can can you know we can extend it to other platforms or you can have other ways or you can specify a url that is, uh that provides the same mesh environment that screened.

A

And that's pretty much the the everything that is required here. There is some discussion about uh having this mesh environment file, which is again an opaque file. It's not, we are not. We don't want to repeat the mistakes of proxy configuring, other things where we we have a strict specification. It's just some blobs that that is guaranteed to be repeats on the url may change. When, when upgrade, when exhibitions are upgraded, may be refreshed, but in the end uh all it needs to do is to make sure the mesh is configured.

A

um The second interesting part here and and the second requirement for for the design, is how to get the istio-scoped tokens which are needed for cn for other purposes, and for that there are several options uh discussed all of them work. A combination of them can be used.

A

Pretty much uh it relies on on calling token request on api server, either from the board or from from from an sds server. That would be bundled with with history.

A

Let me take a break to answer. The comments on the market feel free to ask as well um so api server access from proxy is not great. That's actually true.

A

To some extent um in there is a project that is, it's actually using accessing api server directly with http request, because with with um yes, we have a there's, a big library and has dependencies and has all kind of uh of issues with with uh throttling other things. But all we need to do is make an http request to get a blob with a job token, so we don't really need the entire aps server and it's not necessary that api server is needed.

A

You can configure to point to a storage bucket wherever and the same mesh environment I mean we are just using the the the api server because it's most convenient and it's already there, so you can configure.

B

It to point to a bucket, then why.

A

Don't you just configure it to point to east ud because you don't have the the purpose of getting this file is to to get the certificate of study to currently study. You need issue the address you need certificate. We don't know that, so we cannot connect with the id.

B

Well, don't we need to know the certificate of the bucket like this? Is that the bootstrap? Somehow no.

A

No, the bucket, I mean I mean you, know, google cloud, storage or amazon storage.

A

It has a public set exactly uh same thing with api server. I mean we have the the the the it's not the public server it has. uh We have the key basically, and if you use external history or other things again, you you may not even know the address of the study in the first place, maybe not because you didn't it's your system, because if you are running in a cluster you don't have your system. Then then.

B

What are you going to do well yeah, but you still need the url of the bucket, so you still need like you need the url of something. So why not just give it e2d? I don't know I'm a bit. I am very, very hesitant to doing this on kubernetes itself, um I mean I get like in a docker environment, it's useful and even in a vm environment. It may be like there's cases where some people may want to do things today, where they run.

B

You still cuddle and copy files over and some where they may want to effectively do that just from the vm on startup. But to do it in kubernetes. I think is highly suspicious understand.

A

Your concern, the community, is the last one that I'm planning to so the plan is to to support all others, support kubernetes, where you don't have stod, because that's. I think we agree that it's a valid use case, or hopefully it's it's about use case. But if you have a sturdy, just use injection and- and uh you don't have to use this still it- we can get it from history if we find a way to to connect with you and what you're describing, but we still want to simplify the template.

A

So it's still beneficial for us, even if your head is still here. Even if you get this file from mrd, it's still useful to not have to inject all those. You know, 50 parameters.

B

Yeah, I think something like the bootstrap discovery stuff that we we worked on like.

C

Yeah.

B

Like you have minimal config to connect to east od and then easter egg gives you the rest of the giving, instead of injecting it that's reasonable. But.

A

Again, this is minimal config, it's it's uh the address and and the certificate that would certificate and instead of having injecting those things, we just get them from kubernetes because that's already taken care by the cubelet. So that's that's really simpler and same with same effect, and if we find out the api server doesn't work then, and latency is not not impacted by this. Because again we make the same.

A

The same calls are made by by the cubelet on our behalf to mount the token amount, the volume us and and mount the configmap that the the agent will not change the number of requests to api server.

B

I don't know about that. I think it has more efficient watches it can cache across like it's not like. If you have 100 proxies it's opening up, 100 watches on the config map right, it's opening one and we're using it. I hope I assume there's no work involved. There is no much importance in this answer. It's just the pure gets on. They can.

A

Set up or sometimes.

D

um Yeah, so so I think the the other use case of this apart from sort of having common path for starting everything is yes, it is forcing us to simplify the injection template, or at least hiding it right. It's not it's not simplifying it, and it's also useful, I think, in sort of in place upgrades, because one of the reasons why we just can't start a new version of proxy is because the template can change.

D

So if we have this way of bootstrapping, which is um get the end file, uh what are you calling it mesh and or something like that? Okay, it's yes.

A

It is environment because it's not actually specific to issue. It can be used with any other mesh that we may support.

D

Right so so, as long as you have the new bits available, the new bits of the proxy available, wherever it wants to start, everything else is obtained from this sort of the known, endpoint and yeah, and so so I think, um I'm still not very clear on, though how does this interact with the indirection that we get through revisions and web books? So I thought.

C

As long.

A

As.

D

As long as we do that uniformly, I I think.

A

Yes, I didn't include this this part in the document. uh Actually, I did include something at the end, so um remember that what divisions do effectively is provide multiple studies. Those are multiple.

A

For docker again you don't have revisions in cluster, you don't have rotating web hook, you don't select them to tag or anything. You have just this file and the idea is that this file will list not one address but multiple addresses of history, including for each revision and each so so. Basically, there is a controller that is, you know, looking at the cluster file finding. What is your data installed and creates these opaque file?

A

That is understood by the pilot agent and is created by the controller, and it has a list of in cluster out of cluster ic addresses.

A

My recommended configuration is to have typically external, I mean, have a number of water regions here, zone uh istio, external study clusters restore the configurations, and then you can have as many workload clusters where you just have workloads and you get a list of revisions and idea addresses of different studies, and you pick one based on whatever you choose. I mean that you know you have access to your configuration. You can choose to to to select the camera. You are better if it doesn't work, you fall back with the other.

A

You are no longer tied to you know strictly coupled to a particular history by the you know, injection template. You can pick anything you choose.

A

Okay, let me uh get a bit into small. uh You know fancier uh iptable, again, there's a discussion about ap table uh in this mode. Actually, let me go first with the golden image, because that's that's where it starts so uh normally in history, we in in kubernetes we have a report running for your book info and we add the second container that is running this joint is your pilot, agent and and and envoy uh for docker and and vms. Really.

A

What you have is is a single container that includes pilot agent and void the application.

A

I'm calling it golden image because have everything inside that's typically maintained by the mesh admins and someone who provides uh provides space in each, including the reference operating system that is using the enterprise or whatever. So uh this golden image is deployed in any docker environment can also be deployed in in kubernetes environment as an image.

A

So it will be your application for your with mesh included and you can deploy it anywhere if you deploy it in as a regular user in a regular cluster with no injection, it will know how to find the the mesh environment- and you know, connect the mission to everything that you are doing. uh The only thing that is a bit special is that you need to have id table permissions or you need to have the cli.

A

So one of the two must exist or we fall back to whitebox uh history which still works so so it will basically works. It works everywhere. Basically, uh and the other point I included in this document, which is a bit more, you know kind of far future. Unless someone is volunteering to use a writer code, uh we can also inject docker images directly. So uh there is a program called code that is basically building a go binary and then it's patching uh it's adding a layer to the manifest without actually using docker itself.

A

It's just uploading a target z as a layer, and then it's doing a small patch as a docker file manager. We can actually do the same thing. I mean take any docker container image, we run a command and it automatically becomes a mesh enabled uh docker image. Assuming it has. You know it's based on libc, whatever employee needs, um yeah, that's kind of the the gist of of uh of this proposal that what kind of details and possible extensions.

E

uh The the concept of the golden image does it help with, like the whole, the application container into your proxies ready. It doesn't help with like life cycle management. Oh.

A

Yeah it does, it does a lot. I mean it's it's. It's uh simplifies everything because the whole, the golden image contains a starter which you know starts and boy waits for employee to be ready, starts for application, application to be ready, and then the clerics are ready.

A

So.

E

What about the shutdown time does it also help.

A

I haven't looked at shutdown, yet I mean, but it's pretty cool yeah the prototype is again. I started with the requirement for docker, where you cannot have a sidecar, and it's just that accidentally. This. This image will also work, let's perfectly without any any problem.

A

Assuming you are willing to you are willing to maintain an image or to patch an image to have, but but again, if you are, if you are you're a developer and you run both, that is a non-compared lattice environment, you probably will patch the image for for the nonpartisan environment and then why not use it for competitors as well, because you are testing it. uh One thing I forgot to mention cicd uh everything that I described here.

A

uh You know works in any kubernetes, any docker environment, including github actions, for example, or any other google cloud builder. uh It's you know it's a. They know how to build a docker image. You can run the docker image. The docker image can download the mesh environment can connect to xbs can have mtls certificate. It can do pretty much everything, so you can test your image in the cicd system with full. You know access control, whatever you know measure you are using and then you can deploy it.

A

So it's a bit more convenient for people who are who are want to test end to end um robert is asking: when do we write on the bootstrap config for envoy, I'm not making any changes to the bootstrap config for employees.

A

So it's it's still, it's not the same pilot. I mean it's executing pilot agent and generating the same bootstrap based on the same process.

D

And, and for that particular thing, we already have bootstrap discovery service.

A

That's that already exists. I don't think it's enabled by default. It's not.

D

Enabled by default, but if the bootstrap template changes during an upgrade, we can just call bootstrap discovery service and get the with the right version injected or yeah. Technically.

D

No go ahead.

A

No, I've got to say uh technically one of the things that I I did part of this prototyping is to try to minimize the number of round trips to api server, because, as john said, uh you know, api server is a delicate, delicate server, so uh and, and it impacts the startup time. So it is possible. You know the bootstrap discovery. It's you know going to xds server gets bootstrap, save bootstrap, starts and void, connects again to api server to go to xds server.

A

We can put the bootstrap in this uh mesh environment, which is completely opaque file, and then you save around it. That's the only thought I gave to this problem in this implementation and and and again since it's a single round tripod startup. That needs to happen anyway. You save a bit to 100 milliseconds in the startup time.

D

Right, I think I think that supports the use case, where only bootstrap template has changed in structure but you're, not introducing any new variables.

A

The the launcher, because this reliance on some binaries that is now is coordinating with this thing. The launcher. Could you know check the mesh environment? Has pilot uh version change, download pilot agent download? You know which knows the bootstrap template download the m4a and launch them again. So it's not really.

D

Right yeah, so so it can do the whole thing and then it would be repeatable and correct um yeah at the cost of startup speed.

A

Well, at the benefit of startup, because because again, once you get the mesh environment, you have everything you need. I mean you don't need to. I mean, assuming that the version doesn't change and you don't have to download, which is a different discussion.

A

uh To answer comment: yes, that's something that is highly desirable, but slightly orthogonal. To this proposal I mean it will mean that you can go to htod to get uh this measured discovery file.

A

Assuming you know that some of the other I mean somehow, you need to know that the ip address or or- and you can make it in the image, okay, golden image, could they discovery or a set of discover urls or you are going to look up for progresses as well.

A

So that's that's pretty much it. um Please take a look comments. um I've been working for on some prototype and and I'll try to publish it.

A

What else should I mention here? uh Let's, let's have uh you know after people have time to to put comments and and any strong objections to to this proposal.

A

um I do not plan to make any changes to east yo itself at this moment, because almost everything is in this binary that is uh completely agnostically to istio, and these two versions, uh I'm planning to put it in you- know, ecosystem initially get feedback, see how it works, uh and only after that we discuss, if we should add it to the main three. uh The benefit is that, since it's agnostic to version, people can try it and and start using it with your 1 10 11.

A

Whatever is the current version, um and uh you know we can get feedback and and see without having to worry about upgrading versions, and I mean, since one of the main goal is to decouple the golden image and the workload image from the control player.

F

And this is.

E

Maybe I missed something so the golden image. Don't you have to update it with every single cycle, proxy version.

A

uh In in recent history I mean we had a number of acquiring compatible changes, but yeast your master today works with control, plane. 1.9, assuming I mean, if you solve the problem of injection template, which is different. If you just take the energy and why it doesn't it's really agnostic to to to almost agnostic to the version of the control plane in the last few versions, and we can we can make it a bit more strict in testing.

A

uh I'm not saying that it's infinite, I mean any version with any version, but you know one nine one, ten one eleven one twelve are all uh more or less compatible uh and don't forget we are trying to add proximate grpc, which is completely different repository differently and proximate. Grpc works not only with any version of eto, but it's also working with other xds servers.

A

So we will need at some point to have a bit of broader compatibility at the protocol level xds protocol level, which will allow us to to to decouple further from from the current type coupling.

E

Okay, so you're talking about the compatibility perspective, I could potentially have older version of my psycho, but if user wants to move to newer version, maybe because we have a envoy crush fix or maybe it can gracefully shut down envoy, then they would have to kind of rebuild their golden image to pick up those okay, just.

C

Making sure, because today.

E

They don't have to do that with sai psychi injector right. They just need to restart their deployment.

A

I should I should mention for for any docker environment. um So if you're, if you're, not an exclusive kubernetes shop, uh you build a docker image. You have a ci cd that is building docker images and and the requirements for for such environments is that periodically weekly or whatever you are doing is a build. You pick up any fixes from the operating system from libraries from any other binaries. You are using it in in in your golden image, including envoy and pilot agent, so so so part of the ci cd system.

A

That is building the golden image and it's not specific to east europe or avoid that it's a bug enough where you need to pick it up. You can't believe c can believable business open ssl. It can be anything else in the image we are just not having a different process for security fixes in a void versus security, open ssr.

E

Yeah that makes sense.

A

I should make it more clear in the document that, with golden images, responsibility of the mesh administrator for every week to to build a new image and pick any security and critical bug fixes for anything, including operating system and and the same same as vms today, right so some of the vms. Today we have the same requirement. If you are operating on vm, you need to do update whatever to install the new range, but it's not very clear to users. That is a responsibility and they need to be sure to patch their.

A

You know images for everything not only for istio and in kubernetes. We benefit from this because again we don't have to have this alternate security, patching mechanism where you have the sidecar updated. You update your images periodically to catch other fixes and you get us for free.

E

Right, which is why I also agree what john mentioned earlier. It sounds like you know. The existing cycle injector model would be continue to be the best for kubernetes environment. When you know when the mutating web hooks are allowed- and this will be a nice alternative for other environments or when they can't use mutating weapons.

A

I I mean, if you are, I agree with you if it's exclusive kubernetes, if it's not exclusive kubernetes, if you have at least one docker or clcd system- and you need to maintain a tool and a golden image, then probably you are better off using the golden image and not using the injector at all, because you will, you know test this image control the rollout of this image. You are not. You know, you are using the same process for any security fix and you don't have a split.

A

You know if it is your security fix, do something. If it's something, if it's you know, please see security fix, you do something else. You you have. You know consistent across the board controllable process for rollouts.

E

Yeah, that makes sense and don't forget, we actually had an outstanding issue on vm right. You can't um you can't run your service in docker container with cyca if you're running on vms, sometimes the outbound traffic will conflict.

E

So this I assume custom what you're proposing would actually hopefully solve that problem.

A

I I I I tested extensively in in in in docker on my vm I tested on on cloud builder and and guitar action. So I think it's working fine in some some documentary environments, the problems you don't have official net capability, net admin capabilities and that's where the fallback to whitebox comes into picture and I submitted some patches to improve a bit the white box um and it works pretty nice. Now I mean if you, if you're in http or connect, you change your code to localhost it's it's! It's really! Nice.

A

That's great again, I'm just saying you know it's prototype and proposal. Don't just expect this to work tomorrow, but um if we agree on this direction, I think we can make pretty fast progress because there are not a lot of big changes. Really, this proposal is just you know: it's like small. You know taking the environment variables from from injection template and putting them in a config map, and then few adjustments.

A

uh John, yes, the main one is containers living container service, but it accidentally also works on on dms with docker. Also accidentally works on regular vms, where you just debug.

A

You know I'm I'm typically developing on my machine. I click on on run on the id and and it's doing kind of the same synthetic.

A

Yep.

A

Okay, so if the other working group leads are okay with this, and and after we get more feedback, uh it will be good to to have some covers and uh I'll. I think, linear. You are now the master of each ecosystem or.

E

Yeah I'm one of the admins.

A

Okay, so after after this approval, I'll I'll I'll be asking for for uh to create a repository to to start some, the prototype and some code.

E

Yeah sure, just uh let me know you know, like your repository name, um a basic description for your repository.

A

I think we'll discuss this again. I mean I just this. Is you know I just uh presented this? I don't think everyone had the time to absorb uh everything and, and uh probably we need to figure out, maybe and what else we want to do about it.

A

Other questions or concerns we can again take next week or in two weeks to give people time to comment uh to have another brief q, a and uh and figure out. If we can move forward with this.

E

So just trying to understand john's comment, um I think john you kind of indicate like if I have multiple different different levels, assuming um I think you can't really indicate. I don't really need this too. Wrong um run the services on docker. On top of my vm.

B

uh Yeah, I think the the only case where you, where you absolutely need this, I mean unless you want to do everything manually, of course, that this is doing is, if you have basically a service where you just throw a container at it, and it runs it there's a lot of these, like you know, cloud build as an example cloud run or if I know my non-google services, aws lambda, maybe they have a container one as well. I think every time you.

F

Have auctions.

B

Yeah, you have actions anything where you just throw one single container at it and it will run it for you. um This would help on a vm.

B

If you want to use docker, then that's fine, you could run estio proxy already in another docker container. Alongside it, you could run it on the host um either one of those works.

B

This could still be used to make it simpler like in some cases it may be simpler to do the current setup where you run easter cuddle and you pre-compute this and then stick it on the vm in some it's simpler to do it dynamically, probably most dynamically, to be honest, but it's not necessarily required in those cases like you can still do. Docker on vms today,.

A

Yeah, the the real real issue here is: if you have a hybrid environment, where you have you, you have both vms docker services, container services, vms and whatever you just build. One called an image with your application, which is this proposal, and then you stick it you throw it everywhere. You don't have to do things slightly different. For the end, I mean it is possible to do a lot of different things like this. You can have all the ejection or vms.

A

You can run proxy in a different container and so forth, but you can also just throw this image everywhere and, and it will stick mostly.

E

Okay, yeah, that makes sense so today I we don't necessarily we they are work around that. I guess I forgot. There is workaround, I guess you could run docker uh host network uh or you could potentially with the ip flag you mentioned, so you don't necessarily have to use this, but it's nice. If you run your services on different environments, which provides you the same image, whether you're running on docker, around vm, directly or running in cube.

A

Yep and another nice thing, if you're not using the workarounds, is that you can run as many as you want, because with the current workaround, it's a bit more difficult. If you have a if you're running a host, you can have only one, and uh so it's a bit more inflexible. If you, if you use the work around them than the golden image.

E

Yeah, that makes sense thanks for the clarification.

E

Okay, that's all I had.

C

uh I think so I'm not super clear um on how the upgrade ux would look from like a user standpoint like um how do they indicate what revision they want uh to like pull down the config for uh it's.

A

The the main idea is that the config- um I probably should have discussed a bit uh this, uh so the config is a configmap with a bunch of environment variables which are the correct environment variables that we all know and love, um and some extra with the ca certificate which we will currently use in the is a protein multiplication for uh distributing the root.

A

um The idea is that if you have multiple versions, if each version can add their own environment variables, if you use a different measure, you can add more stuff, you cannot remove and then we need some some compatibility, so the blob needs to be compatible with a range of versions.

A

The upgrade scenario is the controller, make sure that the blob contains everything necessary for the protections installed in the system, so you have pst 110, 111, 112 and some external stod. The controller will populate this blob with, with uh whatever is necessary for all of them by patching and and an important thing that we discussed is uh ability to if the configmap is flat, it's very easy to patch it from from multiple controllers, and each version can maintain its own variables with uh with patching without touching the other ones.

A

At least that's how we implemented it. So far, now the upgrade experiences, the user picks. Whatever version of this you're saying the current pressure issue in the weekly build of the golden image and that is deployed- and that will pick the blob which will have hopefully everything that is necessary inside.

A

And if you have a different image with a different version or holder, it still picks the same blob and has you know whatever the older version required.

C

Okay, so with within the single config map, um there are different, uh pretty much like environment variables and everything else per version right like or is it all pulling from like an aggregate.

A

uh To be honest, currently I'm just putting the default, but but uh you you and I didn't implement yet uh the fall back. I don't know check revision eight.

A

If it doesn't work, you didn't pay your check extra so, uh but the idea is that that it's a you, know list of config settings that will this has some the unification of all the active control places that's available in the system and the workload will pick whatever it, uh and I don't know exactly how we're going to pick, uh because this model doesn't rely on on any um annotations, templates or or or labels.

A

Basically, probably it will be just an environment variable us to to to your word your docker, imager or container, where you specify the or or we can continue to use the injection to to to take care of the label, take the label and inject something to to hint which revision you want to use.

A

But I think it's important to to have this fallback because it increases reliability, because if the canary is bad and if you try to deploy 112 1 15 and it has a problem- it's very useful for the board to be able to say hey. I cannot connect with dslr. I cannot get certificate. Okay, let's track the other, the previous environment, and and not fail.

A

Okay back to this regular meeting.

A

Any other topics for today.

A

Sorry I took a bit too long.

A

Okay, if there are other topics, 10 minutes back to everyone and see you next week,.

F

Thanks see you next week, thanks austin.

E

Thanks everyone.

E

You.

E

You.

E

You.

E

My.

E

You.