From YouTube: Istio Networking WG meeting - 2018-05-24
Description
Agenda:
- Release 0.8 Status
- “FilterAugment” API design discussion
- HTTP/2 requires termination of TLS at the service
- SNI behaviour + things to be aware of for Gateway
- How to configure Gateway to allow both H1 and H2 on the same port
- Proxy-config command
- Meeting info
A: So in this case, I've listed the hosts as the reviews prod service, so any listener, that is, my inbound listener for that service, should get this filter. In this example, then, there's an order clause which tells Pilot where, with respect to other filters, this one should be inserted. So this one should be inserted just before the router filter, and then this is an HTTP filter and it just has a name and a config.
A: So that was one of the questions that I wanted to get feedback on. Right now all of the match criteria are based on name, so it's host name and Gateway name. A more Kubernetes-style thing would be to do this with a label selector, and I don't know how people feel about names versus label selectors. Do we want both, do kind...
A: Well, so the use case that I'm particularly interested in is being able to insert the Envoy external authorization filter so that it can call out to an authorization service like Calico, but it's certainly not restricted to that use case. I know there's some interest from many users for inserting arbitrary Lua filters. So that's the example that I've provided, I mean.
A: I don't think so, right, no, so yeah, so you... I don't think there's a mechanism in Envoy that allows you to alter the filter chain based on the route selection, right, or to apply filters post-routing, correct, yeah. The routing filter in the HTTP manager is the one that actually sends the traffic to a cluster and sort of sends it out of Envoy, yeah.
C: That actually, it could be. So I created an issue in Envoy, I think it was merged, or here are those merged around. So you can attach metadata to your routes, I believe, and that gets fed into filters that you can reference, like metadata. I have to find it again, though. Okay, I don't think we exposed the metadata through. It's the... oh yeah, yeah.
A: Well, that is definitely included in the use cases, because that's our use case, but it is not intended to be useful only on those use cases. At least by "global" I'm interpreting that to mean this is a filter that I want to be inserted more or less globally across the mesh, but you can target it down. You can say just for this specific service I want you to insert the filter, or just this specific gateway where...
E: You're conflating two different kinds of services here. What they're saying is that you can scope these things to listeners on particular sidecars. You can say that this is going to go in this sidecar, not that sidecar, or on this gateway, not that gateway, but they're saying that you cannot do this based on what upstream it's going to connect to. Well...
A: No, because we create multiple listeners, one per upstream service, so, like, in a typical sidecar, if there's, you know, ten other services in the mesh, there'll be ten listeners, one for each of those services in the mesh, and so you can scope it down to say: I want this to apply just to listeners that go to service foo. Is that true? It's...
A: So in principle you can, yeah, you can have shared data structures that are accessed by filters and things like that. In the specific example of a Lua filter, which is something that you can insert sort of inline code with this API, I don't know whether or not that's true, but if you wanted to, you know, go to the trouble of writing a new Envoy filter in C++, then you have a ton of flexibility about what kinds of things you can access. Okay, that makes sense. Thank you. Well...
J: It's a picture we had for quite a bit. I don't think we have a lot of documentation because it's very rarely used. My point is: it will probably need a bit of, I don't... documentation to specify forward, or better targeting, to specify, if it's for HTTP filter, where it applies. I mean, you should probably apply to all HTTP filters, so we can cut, I don't know, I mean that's a tricky problem. You don't forget to...
J: I want it clear, an outbound. It's much important, and the other comment I had is in the API. So far we have a pretty clear distinction between inbound and outbound: for outbound you use destination rules, for inbound you use virtual service and sends a notification policy. It may be less confusing if we also had two top-level augmentations, if you want to use that word, to keep kind of the separation. It's also cleaner for further... for outbound it's much easier, since host is clearly the main singers.
B: Criteria is: if it's not part of our kind of stable feature set that we call production ready, which this won't be, then, you know, how is it turned on? Does that code affect the stability of other parts of the stack? As long as it meets a reasonable bar there, then I think it's fine. Like, we can't stop people developing features, right, but we are trying to make sure that features are put in in a safe way. Yeah.
G: So for people who don't have the invite, like the Ritter is a place. I can add it to the meeting notes as well, but if you want to have like a direct invitation, please send me an email. All right, so I think we can move to the next item in the agenda, which is, okay, so HTTP/2 requires termination of TLS at the service. So this is a use case from Cloud Foundry and Shannon would like to cover it and discuss a bit about it. Shannon, or again?
B: Gonna follow the gRPC team and the Golang team here at Google. This is a bit silly, so I'm going to put some pressure on them to support h2c, because there are real use cases for TLS offload and, yeah, they should just come around on this. I know what the h2 spec says; there are lots of people who disagree with what the h2 spec says. So I think we'll make some progress here and I'm happy to pick up the baton and corral people here at Google to make progress. I was...
B: Go chose not to implement it for reasons that I don't fully understand, but I'm gonna go and find out about it. I think it's because of some internal wrangling; the gRPC team doesn't have a principled stance on this, because the other gRPC implementations implement h2c support and so don't require eggs and TLS in the libraries. My...
F: Maybe they want to use the gRPC protocol and we're running into issues where frameworks like Golang, as an example, only support h2 if the workload itself terminates TLS, and this is a problem for us, because both Cloud Foundry and the Istio service mesh, we believe, provide tremendous value in removing the burden of management of certificates from the app developer.
F: We don't want the app developer to have to include certificates in their application code. We don't want the application developer to have to worry about terminating TLS. We want the sidecar and the edge gateway to do all of this for them, and the sidecar to do clear text all the time with the local workload.
F: If we were to attempt to support h2 for these workloads, given current limitations, it seems like all of the intermediating routing components would have to pass through TCP and we would lose all these benefits, and that doesn't seem viable for us. So we're interested in supporting h2 while maintaining all the benefits that the Cloud Foundry platform and the service mesh proxy model enable.
J: You... so I can once more comment here. Besides gRPC, there is another nice feature of h2, which is push support, which unfortunately, right now, is not supported, as far as I know, in any way, and we don't have any kind of way to do it, if I'm not missing anything. But that's something we can point out, because push is important. So...
K: This is definitely one of the talking points of h2, but I actually spent a lot of previous years in the web performance world and I found that, with a lot of experiments, it was hard to get h2 push to actually help. It's not that it doesn't work, I mean, it works, but I'm not sure it actually makes web pages faster generally, except in various specialty cases. But that's kind of both sides. The point is, it's part of h2, or maybe it should be part of... yeah, part.
J: I would say that I'm more interested in the millions of web push, for what we use push for: web push, which is a protocol used by browsers and, you know, maybe IoT devices, so notifications, you know, asynchronous notification, I don't know how they call notifications, web push. The idea under this web push...
G: Okay, because basically I would like to have like a statement of how gateway works, especially with regards to SNIs, so that people are aware, and also about all the like things to be aware of, so, for instance, not to use wildcard, the complete wildcard, in the Gateway, because that will not work with SNI, and all those things. So, if you could, please talk a bit about this.
M: ...of these usability bugs have been resolved, that you can definitely use wildcards and the SNI will automatically be disabled and so on. The biggest issue that is left right now is organizing the secrets, essentially figuring out a way to load the multiple certificates. Okay, the way they are launching these gateways, I mean at least the Istio version of gateways, my template, where we have hard-coded two secret volumes, and that effectively means to only know two certificates. One of them is actually taken up...
M: ...by Istio, that's the Istio ingress certificate, so they essentially provide the user with only one specific secret, like the istio-ingress and so on, and that's the only key banner the user can actually load into the gateway, and that's one of the things a bunch of people can do. Somebody is actually, like, you know, savvy enough to go look at the Helm chart and tweak it and add more secret volumes and multiple certificates, and once you do that, then it's very easy to set up the SNI stuff.
M: I mean, based on the gateway specification. So yes, in my opinion, that's the biggest, what is it called, adoptability issue so far, and other than that, I mean, the other painful part is this whole namespace business with the gateways. If you have gateways in different namespaces, then there is ambiguity as to how to address these gateways across different namespaces, and so I'm working with Zack to clarify that, or, like, you know, simplify that piece, and then...
M: ...I mean, we are shipping default gateways, like you can upgrade those gateways, but people might want to launch their own gateways, no? And so, if you just provide people with a generic template where they just simply replace the names, then that would make... they run an internal gateway, external gateway, in whatever it is, and we can continue using the Istio gateways for our purposes. So that is probably a documentation thing, or some template or scripting thing, such that somebody can quickly generate a gateway, a service.
M: ...pods, that the pod mode is... more, that's all, and so these were the two biggest caveats, an odd choice with the gateway stuff, and based on what I've seen people, like, struggle with in a meaningless. It seems to give us these two things, especially the HTTPS stuff. I mean, for people who tested this, thanks a lot, and we found those issues on the SNI, the wildcard stuff and all the VSMs of matched and of the fix-up logo, and that fixed some things, not... and I also fixed a bunch of things in this year.
M: So these problems should be gone by now, such that you can declare a gateway on, say, HTTPS. That would effectively mean it's TLS termination and forwarding to the backend, as you know... It should be HTTP in whichever way you want to, and you can do the same thing for other protocols, TCP as well, and think of the Gateway as a proxy which always terminates TLS, unless otherwise you tell the Gateway to not terminate TLS.
M: No, you can. You can still pick TLS, HTTPS, but there is a mode in the settings for the Gateway, and that mode has like multiple options; one is a pass-through mode, which is SNI pass-through. So if you specify the TLS mode as passthrough, then the Gateway will just simply route the traffic and it will not terminate TLS. But if it is, okay, simple TLS or mutual TLS, then it will do whatever that mode says.
M: Right, that is what Costin says: you just simply take one certificate and stick in a whole bunch of different TLS certificates and create one big uber certificate, and you load the certificate as a secret in Kubernetes. Okay, you're essentially loading... you are essentially, like, mounting multiple secret volumes. Each volume contains a specific TLS certificate, but...
G: But in the end, it's up to the user to decide, right? For instance, if they keep adding gateways, or no, if they keep adding, like, hosts and ports, and they don't want to change their original certificate, right. In that case, for them, it might be desirable just to mount a new ingress and modify the right gateway and the...
G: I'm saying if they add, let's say, they want to add a new certificate in the system, maybe for some service, right, maybe for them it is desirable to just simply modify via Helm, or just kubectl, to modify the ingress specific... the Gateway specification to mount the new secret, right, without altering their original certificate. The big one there...
J: For a hostname, you need to get a certificate for that hostname, put it in the secret and then create a gateway where you specify the file path where you put the certificate for that host, and from that, Envoy will be configured with the host that you just put in the Gateway and pointing to the file that you specified. So it does require some user intervention and user configuration. But, you know, it's easier if you put everything in place, right.
E: Okay, so this is functionality that we have in Cloud Foundry, and so we're just sort of surprised that it's not baked already into Envoy, but we can, I guess we can compensate for this by building a system that will, given a set of certificates, generate a gateway for each certificate, right. So...
M: ...you know, want to do when it makes an outbound connection, and that is the reason we asked users to explicitly state when the HTTP 1... not true, so the Gateway did not... just for interest. You can also use a gateway, an internal gateway, and that means all the other sidecars, and in this case this gateway is no different than a Kubernetes service, then, where you have to declare what type is being used. So this...
E: Okay, so if we are seeing a situation in which h2 clients are there, and the h2 upgrade request is not being passed through to our back-end, it's not because our gateway is misconfigured; it might be because our service protocol is h1 instead of h2. Is that right? Yes, okay, thank you, and make...
H: Yeah, so basically I just wanted to make everyone aware the proxy-config commands are now in. So, if you want to debug either... we want to debug your individual proxies, so Envoy running. You can basically, the Envoy one curls the admin interface, and the Pilot one talks to Pilot's debug things. It's a much easier way to debug Pilot issues, basically, and Envoy issues.