Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Kong / Kuma Community / 12 Jan 2022
Kong / Kuma Community / 12 Jan 2022
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Kuma Community Call - January 12, 2022

Description

Kuma hosts official monthly community calls where users and contributors can discuss about any topic and demonstrate use-cases. Interested? You can register for the next Community Call: https://bit.ly/3A46EdD

This month’s topics include:
Upcoming Kuma release, Mid Feb 2022
- Tools for visibility (WIP)
- Mesh membership
- Zone Egress (WIP)
Release policies
Q&A

A

Yeah, I think we can start so hello. Everyone welcome to the kumo community. Call it's monthly, uh so feel free to put any items into agenda list. We have two items prepared.

A

First of all, we will speak about upcoming, common release that we planned for with february, and then we will speak about new release. Policies. Probably charlie will speak about details, okay, so we plan newcomer release for mid february and it will include tools for visibility.

A

This work right now in progress. We want to add additional endpoints in api that will allow people to debug service mesh easier. What policies were matched for more data planes and vice versa, and also we will provide functionality to easier, get config dumps from the data planes without uh going to without execution to real code and fetching config dump. We want to have this in control plane. Api next thing I think jacob can cover mesh membership.

B

Yes, we are adding mesh membership functionality and I wanted to show like a bit of dogs, but for some reason I cannot find this yet and it's not um it's not released yet so anyways the functionality is about building extra rules, whether data plane can or cannot join the mesh.

B

What this allows you to do is, for example, to restrict that only data planes from namespace demo can join the mesh demo because before you could join uh any mesh, you want by changing the annotation.

B

This also enables you to put some requirements if you define your own data planes and well also labels and kubernetes. So, for example, you can require that every data plane that joins a mesh needs to define uh tag, for example, version right, and this way you can enforce some extra extra rules on your on your mesh.

B

That's it.

A

Yeah that sounds cool and sounds like a really necessary feature.

A

And the last thing, probably or yes, the last thing that we going to ship in the next coma release is zone ingress, egress last community call. I think we discussed the proposal now. It's final and now work in progress yeah by the way mesh membership is already merged right. I wasn't sure it is yes, okay, cool, so yeah uh to work in progress, and one already done.

A

Okay and next item, I think, is to charlie release policies.

C

Yeah right, um there's two parts to that: um one that is already like done, um which is uh switching from um back forwarding by default to back porting as an exception. um The goal of that is to have patch releases that only contain critical fixes, um so you can check in contributing dot md, and this will.

C

This is more or less detailed. What patches can be candidate um to be back ported?

C

The idea is, whenever you feel like you need to back port something um you should socialize it, probably through slack and then like well, have a bigger discussion on whether or not like a patch should be backported.

C

um It's more or less security, security fixes and and big bugs big critical bugs that potentially would make cumin usable already. um So that's for the first part, um the the second part is, we are working on well. Jacobs is working on um a change in our ci and cd pipeline to actually publish docker containers and binaries for every single comet on any branch.

C

So you would get a cent there that is, for example, um one 1.4.0 um dash and then the the get hash um the goal for that is to be able to put actual usable releases in the ends of people as soon as they want.

C

um That can be useful for figuring out um trying out new features uh before they release, for example, and and provide feedback to to us.

C

That's and the second goal to that is also like, simplify on our side to release process, because it will be just an extra different tagging, but that's all that's about it. For release policies.

A

Then, if there is no more items in our agenda, we can start q a session. So if anyone has any questions, we can discuss.

D

I have two questions.

A

Three phones, okay,.

D

uh The first question is: should we look at using cosine to sign our kumar images?

D

um It looks like it's getting pretty popular just be run as a github action, um so we probably just need to generate a key and then sign it.

D

um I think it's just opt-in right, so if you don't have it, then just everything works, and if you want to use cosign to verify that we publish the images, then that would be great.

D

I'm happy to look at doing the integration. Like be honest, do any work, it's fine! Just are we open to it? Yeah.

C

I mean it's the same as build signing right. We have a signature that is a secret and like it's somewhere in the container. I guess right.

D

Yeah all right yeah, this one just signs it with cosine and then I think you can run a. I think, like it's a controller, you can run your cluster, which would just like verify the image signatures or whatever so yeah.

C

Yeah, I I don't think like uh do.

B

You know.

C

Yeah, I make sense, I don't know if anyone has strong feelings against signing containers.

A

Yeah.

D

I'll I'll write an issue and put some links in there, so folks can just like validate him yeah. So, let's see what folks wouldn't say, less security.

C

The the the one thing, though, is you mentioned github actions and you might not be able to with github actions and you might need to script it in our circle. Ci jobs.

D

Okay, cool, I mean yeah, I think there's probably a way of doing it there as well. There's examples we have actions but I'll look into it and figure it out yeah. I think that's if you need that cool and the second question was around. I don't know if you folks have heard of pollumi, it's like a um think, like terraform, but actual coding languages, instead of uh like actually called acl right, um it's getting pretty popular and you can um as well as defining infrastructure.

D

They have a pretty robust, like kubernetes ecosystem, where they support all of the built-in types. So you can like create a new deployment in code right type, script, python, I think, go and some code.

E

On our repositories, which breaks written in column, we are using.

B

Awesome, it's only, but it's something for spinning infrastructure for universal right, because the rest is in unsymbol.

E

No, what is natural.

B

Tools, or is it something else.

E

There is something else that I forgot to know. I wasn't working on this for a few months and I remember we wrote, uh I wrote at least the code for aws, I think, or in or not nevermind. I will find it down.

D

So, okay, I mean it sounds like we're familiar, but so what I'm proposing is that um so folks- and we actually have customers wanting to do this today, which is the driver, um um is another folks in the community I've seen folks mention. It is auto-generate a pollumi sdk um for the languages that it supports on every release of puma, um so that then they can programmatically just import um akuma library for either go.net, typescript or python, and then they can programmatically generate kuma resources in their clusters.

D

So you could do like a new kuma dot mesh or a new kuma dot traffic policy.

D

It's complicated slightly by the fact that they use ap open api to like generate the whole schema, which we don't publish right now for kuma, um because it means to your pc rate, but at least you would get the name and the kind and the metadata- and you just have to fill in the rest yourself, but it at least enables folks to not just have to um do arbitrary yaml. They can at least have an npm package that they could like import or go package.

D

They can import all this can be auto generated, but let me have tools to do that and it would just make it more user-friendly for folks to um install kuma stuff using pollumi so thoughts again. It's.

B

All open.

D

But.

B

Yeah so the first question: are you talking more about kubernetes or is it like for the universal.

D

Kubernetes because uh polumi includes all of the built-in types, but obviously all of ours are crds.

B

Wouldn't a better idea be to create a quarantine operator, and then just you know, have a one piano that you deploy using plumi to to deploy kuma.

D

Plumi does have an operator, but if you're writing pollumi code, you need to be able to tell it that you want a new like mesh object, for example right like or a new traffic privacy or a new traffic group like you need a way of defining that in polumi's like code. But I am.

B

But I'm assuming there is a functionality for me to apply a yummy variety right.

D

Yes from a file or from an arbitrary string, but I guess what I'm saying is like it rather than force folks to have to template arbitrary ammo, because the whole idea of doing it in code would be like hey. I create I'm programmatically dynamically, creating a namespace earlier on in my code, and then I want to inject it later on. Rather than make them like template some custom, yaml right or like build it in. We can provide a slightly nicer abstraction where they could just create a new mesh.

D

Typescript object right and then just like put the namespace in there.

B

I see, but the value then would be to have an actual strong type on top of this right, because otherwise, if you don't have types you're, just you can as well just template with piano or.

D

A million percent agree with that. Yes, please, um when can we get the strong types, but in the meantime um I think this is like 15 better than the current way and like when we get the types it'll be 100 better than the current way.

B

Okay, the.

D

Only.

B

Thing that I have in mind is that if we introduce such thing, we need to like maintain this right so uh like. If we want to do this, we probably need to have some end-to-end tests. On top of this.

D

Well so it will also generate like please have a library to auto generate sdks um built based on crd definitions, um so I can write some automation, I guess similar to signing right, which could run and see it which it could run in circle. But when we release a new version it will automate it and push it to.

D

um Maybe we could do we have I'm guessing. We don't have like an npm organization, or maybe we could use cons as a stop gap um and just push it there for the typescript one, and I guess I'll just push to github for the um the go one. You just pull it as a module. I don't know if a python probably push it to pip right so that you could grab the sdks. I know that pollumi are also maintaining a like global repository.

D

They started doing it for like cert manager and all the popular kind of like operators that have custom crds right. um I spoke to their devrel team and they're like happy. They just say like oh yeah. Just push up, you know, push a change to this and we'll accept that stuff into the. I think. They're calling it plumiverse, which is like a searchable repo, so that's obviously, would be like a priority as well to get it up there, so we don't have to maintain it.

D

We just have to generate it and push it as part of our release process.

D

Again, I'm happy to look into like what it takes to do the work and actually do the work it's more of a like. Do. We think this is a good idea.

E

I like the idea yeah.

C

Yeah I like the idea like it's just down to what jacob said it was like maintaining. It might be tricky but, like I think I think it doesn't have to live in kumaichi kumar right. He can. You can live in another repo. That might be slightly less.

C

You know less supported, maybe.

D

I think it's literally just one command, which just runs the generator over your crds, so just be able to. I mean it'd, be just be like a shell step in whatever the release process is, but.

C

Okay? Okay, I guess I just don't not familiar enough.

D

I already I also looked into putting it in separate, like I thought like well, I could create a repo and I could just have a github action. Maybe that watches kumar's releases but github actions can't do cross repo um triggers. So that's why I didn't do that. Not true, not true.

D

Really, when I looked at that they said they can't do it.

E

We already are the cross sector. We are sending the request whenever something goes to master from command to government, using github actions.

C

But you have to take the other way around right, kuma.

E

Has.

C

To tell you that something is happening. Yes,.

E

Yeah.

E

Because I I designed it in a way that you can provide the repository names via the secret of the organization, so you can dynamically change this.

D

I'll take a look and like again I'll, throw an issue in with like the proposed solution. If we don't like it, that's fine. I'm also doing the same thing for kong. I know it's not super related, but like the ingress controller, um so all right.

D

All right I'll throw issues for both of those they're. My questions thanks yep.

A

Thank you um anything else.

A

Yeah, actually, john I've seen your comments about uh upgrade like about versioning. I just didn't have a chance to read more and reply, but I'm on it. We can discuss it later. I think.

A

Yeah, if uh no more questions, then I think we can wrap this up.

A

Thank you. Everyone have a good month, see ya.