►
From YouTube: [SIG-Network] Ingress NGINX Bi-Weekly Meeting 20221208
Description
[SIG-Network] Ingress NGINX Bi-Weekly Meeting 20221208
A
Hello:
everyone,
it's
James
strong
today
we're
going
to
be
talking
about
Ingress
nginx,
which
means
it
is
a
cncf
project
and
we
have
to
adhere
to
the
cncf
code
of
conduct,
which
means
be
kind
to
each
other.
If
you
have
any
issues,
please
report
those
to
me
or
Ricardo,
or
anyone
on
the
Sig
networking
leads.
A
So
today,
let's
go
ahead
and
get
started
as
always
as
fun
as
I
was
talking
before
we
started.
Recording
I
have
meetings
back
to
back
on
Thursdays,
so
I
wasn't
able
to
go
start
looking
at
any
of
the
triage
meetings,
but
I
saw
some
new
faces,
or
at
least
faces
I
haven't
seen
before.
So
if
anybody
would
like
to
introduce
themselves
their
connection
with
the
project
or
what
they'd
like
to
get
out
of
helping
with
the
project
or
being
on
the
meeting
feel
free
to
go
ahead
and
talk
about
yourself
now.
B
A
C
C
A
A
A
A
So
anyway,
let's
go
ahead
and
just
Dive
Right
In
I'll
try
to
keep
track
of
the
time
and
discuss
before
we
just
start
going
through.
Are
there
any
pertinent
issues
that
anyone
knows
that
we
need
to
look
at
anything?
That's
been
brought
up
in
the
slack
channel
before
we
just
dive
into
the
ordered
list
that
we
have.
C
A
A
E
E
A
A
A
A
C
D
C
A
D
D
A
D
A
A
A
I'm
going
to
group
these
up
because
I
I
there's
a
lot,
there's
been
a
lot
of
them
and
I,
don't
know
if
it's
disparate
ones
or
things
like
that.
Also
I
saw
some
documentation
because
I
was
reading
through
it
the
other
day
for
AWS
those
blog
posts,
don't
get
updated.
With
newer
versions.
I
saw
a
blog
post
with,
like
version
0.30.
D
D
Yeah
you
can,
you
can
assign
this
one
to
me.
I'm
I'm
gonna
need
to
touch
this.
This
TCP
part.
Probably
that's
the
next
thing
that
I'm
touching
for
the
split
control,
plane
and
data
playing
so
I
I
can
take
a
look
into
that
because,
usually
usually
so,
the
the
drift.
The
configuration
change
drift
detection,
what
it
does
it's
it
just
verify
if
some
end
point
like
it
gets
the
whole
structure
configuration
and
it
removes
endpoint
certificates
and
things
that
are
Dynamic
and
it
verifies
hey.
Is
this
structure
different
or
not?
D
So
if
it's
different,
it's
going
to
trigger
the
the
full
reload
right?
So
maybe
something
when
you,
when
you
do
some
change
on
the
TCP
endpoint,
maybe
something
like
a
comment
or
even
a
strange
object,
changes
on
in
Gin
X
on
the
config
on
the
structure
and
then
it
triggers
the
the
the
fully
low
right
so
I
finally
went
to
me:
James
I,
I,
I
I,
won't
promise
that
I
will
take
a
look
into
this.
D
D
D
But
I
I,
I,
yeah
I,
don't
know
I,
don't
know
if
this
this
TCP
proxy
part
I
remember
that
there
is
a
proxy
inside
of
the
controller
that
does
some
some
TCP
proxy
I
can't
remember
if
this
is
just
for
SSL
pass
through.
If
this
is
the
DCP
part
to
part
proxy
or
something
like
that
right,
so
I
need
to
take
a
look
into
that,
but
it
probably
reloads
because
something
in
this
part
changes
right.
D
A
A
A
D
D
D
A
D
Yeah
yeah
yeah
you
should.
The
thing
is
that
in
in
sec,
I
guess
in
what
security,
snippet
and
SEC
rule
engine,
maybe
you
need
to
add
some
specific
rules
saying
block
not
just
inspect
with
block
like
the
Defoe
action.
It's
a
block,
I
I'm,
trying
to
remember
if
you
want
to
go,
go,
go
for
it,
go
move
forward
with
the
issues
and
as
soon
as
I
find
something
I.
I
will
post.
A
D
A
A
A
D
C
D
B
A
D
D
So
it's
going
to
be
hard
if
we
keep
needing
to
change
everything
to
support
each
of
them
right
if
they
can
say
hey.
This
is
the
this
is
what
is
missing.
We
can
just
take
a
look
and
see.
Okay,
this
makes
sense
or
not.
We
don't
have
liveness
probe
and
the
redness
probe
for
nothing
other
than
the
controller,
probably
what's
failing
for
them.
It's
the
web
hooks.
C
D
Take
a
look
into
ours,
you're
gonna
see
the
deliveness
and
the
redness
probe.
They
exist
for
the
controller
right,
so
yeah
I,
don't
think
it
does
make
sense
to
have
this
on
a
job,
but
because
the
job
is,
it's
actually
going
to
be
a
shortly
with
the
thing.
So
it's
gonna
run
and
then
it's
gonna
die
right.
A
C
A
D
D
A
A
A
A
A
D
Yeah
yeah
it's
getting
harder
to
pass
the
tests
so
so
last
time
from
the
four
almost
400
tests
that
we
have
only
20
were
problematic,
but
those
are
been
like
some
blocking
tests.
So
one
example
I
figured
out
that
when
you
use
The
annotation
for
authentication
for
basic
of
the
controller
writes
in
that
moment
the-
and
actually
this
may
be
a
vulnerability
as
well
in
the
future
that
we
need
to
take
care,
but
the
the
the
the
file
with
the
authentication
got
written
in
in
in
in
a
file.
D
At
that
moment
it
never
gets
sent
to
the
template
config
or
something
like
that.
So
I
never
get
this
thing
on
on
the
data
plane.
This
thing
that
never
had
a
chance
to
get
into
the
data
plane,
so
I
will
start
looking
into
that
this
weekend
to
make
sure
that
I
can
I
can
put
those
Secrets
as
part
of
the
reconciliation,
and
maybe
one
thing
that
I
would
do,
and
it's
probably
going
to
be
a
breaking
change.
It's
that
the
secret
should
contain
a
specific
label.
D
D
So
so,
if
you
take
a
look
into
that
like
all
of
the
ones
that
are
marked
as
off
or
no
off,
they
are
problems
with
this
test,
so
they
are
probably
five
or
six
of
those
and
two
or
three
of
them
are
proxy.
Ssl,
slash,
TCP
services
that
it's
the
other
part
of
the
code
that
I
told
that
I
I
would
touch
and
see
how
it
works.
Now,
right
some
things
they
are
disabled
on
on
the
data
plane
like
open,
open,
trace
and
other
things
that
generate
templates.
D
So
as
soon
as
I
can
get
rid
of
at
least
like
the
the
authentication
part
of
the
TCP
Services
proxy
part,
I
would
say:
okay,
we
can
do
an
offer
release
on
that.
Ask
people
to
test
on
that.
Let
them
know
that
this
is
not
production
already,
because
we
don't
have
authentication
between
control,
plane
and
data
plane
yet
and
then
start
working
on
this
wire
layer.
Working
specifically
on
the
grpc
layer,
so
adding
compression,
adding
load,
balancing,
adding
turning
the
keep
alive
and
turning
the
Keeper
Live
configurable.
D
Turning
all
of
those
things
configurable
from
the
helm
chart,
because
today
they
are
kind
of
hard
coded.
A
good
thing
is
that
during
one
of
those
tests,
I
figured
out
that
I
was
testing
the
when,
when
I
connect,
when
a
control
plane
dies,
I
was
testing
it
wrong,
so
it
never
gets
updated
again.
The
data
plane
should
be
restarted
when
it
works,
and
this
is
fixed
now
so
at
least
this
High
availability
stuff
and
keep
fasting
to
see
if
the
control
plane
is
is
available
or
not.
It's
working.
So
the
next.
D
The
next
steps
they
are
going
to
be
a
more
like,
adding
all
of
the
authentication
layers
and
and
maybe
having
some
more
complicated
tests
like
killing
the
control
plane
and
seeing
if
the
data
plane
is
still
working
then
and
enabling
the
control
plane
again
and
seeing
if,
if
everything
is
the
way
that
it
should
be
everything,
it's
working.
The
way
that
it
that
it
should
be
nothing
gets,
gets
that
during
this
this
moment,
I
am
a
bit
worried
about
performance.
D
I
didn't
test
that
yet,
but
that's
something
that
I
would
need
some
help
to
see
if
you
create
a
bunch
of
ingresses
at
owns
or
if
we
create
a
bunch
of
or
if
some
back
end
like
some
ink
point
is
in
Crash
loopback
or
keeps
changing.
How
will
this
impact
into
this
communication
between
control,
plane
and
data
plane,
because
today
we
don't
do
adelpha
configuration?
D
It's
always
a
huge
package
with
everything
running
I
didn't
have
time
to
make
this
Logic
on
like
getting
just
the
end
points
or
getting
something
getting
other
things.
I
I
want
to
I,
have
on
my
mind
how
to
do
that
and
split
like
when
it's
something
from
just
endpoints
and
something
that's
the
full
configuration,
but,
to
be
honest,
I,
don't
think
it's
going
to
be
part
of
this
release.
D
A
D
Yeah
well,
I
would
like
to
do
that
yeah
sure,
because
I
know
that
there
is
some
some
expectation
on
these
and
and
to
be
honest,
I
think
that
the
main
problem
about
security
is
going
to
be
solve
it.
But
we
are
going
to
figure
out
that
some
other
things
they
may
be
not
working
even
I'm,
even
willing
to.
If
there
is
some
blocking
stuff
that
we
cannot
solve
in
a
short
term
to
leave
it
out
of
the
release,
say:
hey
we
don't
support
as
an
example.
D
I
didn't
test
it
yet,
but
I've
seen
that
it's
failing
or
like
TCP
Services
TCP
proxy.
It's
not
working
right
now
when
we
are
going
to
work
on
a
future
release
and
even
ask
people,
hey
people,
you
prefer
Gateway
API
or
you
prefer
TCP
services
to
be
supported
on
this
split
control,
plane
and
data
plane,
because
it's
going
to
be
hard
to
work
on
both
yeah.
A
D
A
C
D
A
D
A
C
D
A
A
So
just
thinking
through
all
the
logical
steps
and
programming
them
out.
I'm
thinking,
one
of
the
things
I
might
want
to
do
is
move
our
build
process
into
GitHub
actions.
So
we
can
track
that
a
little
easier
and
or
work
with
Sig
release
so
that
our
GitHub
action
has
permissions
to
pull
from,
because
we
need
to
know
the
gets,
the
the
digest
of
the
image
we
create.
A
So
I
think
it's
still
going
to
be
three
pull
requests,
because
we
have
to
have
a
pull
request
to
change
the
tag
to
kick
off
the
the
container
build,
and
then
we
have
to
do
the
pull
request
for
kubernetes
iOS
k8.io
to
put
from
staging
to
production
and
then
the
final
really,
the
final
pull
request
is
all
of
the
release
updates.
So
I
think
it's
still
all
going
to
be
three
separate:
pull,
requests
and
I.
A
Don't
think
we
can
fully
automate
that
yet
without
getting
some
changes
on
how
we
actually
do
the
build,
but
we're
almost
there
the
release,
notes
and
curating.
The
release
notes
is
the
last
piece
so
I
can
generate
all
of
those
I
can
get
all
of
the
merge
requests
and
log
messages
between
a
current
tag
and
a
new
tag,
and
then
it's
now
the
last
piece
is
just
curating.
A
Those
so
I
would
say
60
of
the
way
there
and
like
Ricardo
I've
got
I've
got
time
off
between
Christmas
and
the
new
year
and
I
really
want
to
hammer
it
out
so
that
we
can
in
one
command,
do
a
do
a
full
release
and
that
four
releases
that
last
that
last
one
where
it's
got
all
of
the
release,
notes,
changes
and
everything.
But
eventually
it
is
just
one
commit.
A
If
we
could
do
that,
not
one
commit,
we
can
consolidate
the
build
process
in
GitHub
actions
and
then
it's
just
automating
the
pull
request
from
staging
to
production
once
that
gets
accepted
and
then
running
through
it.
So
still
a
three-stage
process,
but
almost
there
in
that
final
stage
of
having
that
fully
automated,
so
that
when
we
get
cve
requests,
we
get
all
of
this
other
stuff
done.
A
A
A
D
Hey
why
you
try
to
find
that
so
just
a
comment
on
this
release?
I
wasn't
seeking
for
yesterday
and
I
have
added
this
to
the
to
the
agenda.
They
are
really
so
I,
don't
know
if
everybody
knows
but
kubernetes.
It's
like
on
shorts
of
money
for
infrastructure
AWS
give
some
sponsor
as
well,
but
we
need
to
be
really
careful
on
on
that
and
the
majority
of
the
costs.
D
They
are
image,
repository
and
image,
download
and
other
things,
and-
and
they
have
this
new
project
called
registry
ktio
that
distributes
between
does
this
this
distribution.
We
are
already
using
registry,
but
Arnold
asked
me
yesterday
that
even
the
promotion
of
staging
to
production
should
be
using
this
artifact
instead
of
using
Pro
and
and
and
and
some
other
changes
that
we
need
to
do.
I've
asked
him
what's
our
action
item
and
he
told
me
yeah:
let's
talk
next
year,
but
let's
try
to
make
this
in
our
radar.
D
D
Yeah
and-
and
probably
this
is
gonna
change
as
well.
The
other
thing
that
I
would
like
to
do
is
maybe
take
a
look
into
our
old
Helm
shards.
If
we
can
do
that
in
that
branch
and
replace
everything
to
register
three
kids
IO
and
make
an
announcement
like
hey,
even
the
helm
charts,
we
are
going
to
use
the
registry
K
tile
right
now,
even
the
old
one
so
make
some
commit
to
to
the
home
chart.
B
D
And
they
are
already
published
as
a
using,
not
not
using
registry.
So
maybe
we
need
to
do
that
and
make
an
announcement
saying:
hey
people
if
you
have
some
security
rule
in
place,
please
please
make
sure
that
you
are
a
pointing,
because
kubernetes
is
doing
that
as
well,
and
we
are
so
I
know
that
the
first
one
is
Cube
proxy
and
we
are
probably
the
second
one
or
the
third
one,
most
downloaded
image
right
and
probably
the
bigger
one
because
of
mod
security.
So
we
need
to
help
them
get
in
okay.
D
A
D
D
A
I
was
just
thinking
through
that
what
I
want
to
do
what
I
was
getting
at
is
I
want
to
start
describing
Ingress
in
one
yaml
and
really
we
can
start
generating
a
lot
of
stuff
so
that
we
can
change
things
from
here.
So
I
haven't
added
it
yet,
but
I
want
to
add,
like
the
Go
version
as
well,
that
we're
running
so
that
again,
all
it
is
is
a
change.
A
We
change
this
yaml
and
it
will
change
it
across
all
of
the
different
files
that
we
have,
because
in
order
to
do
the
119
3
or
is
it
119
4
update?
We
have
to
go
change
like
six
files
and
we
have
to
do
it
manually,
and
then
we
have
to
rebuild
everything
as
well.
All
of
our
images
need
to
be
rebuilt
with
the
new
controller.
So
it's
again
it's
another
large
process.
We
have
to
change
the
end
to
end
Runner
to
be
the
have
the
new
Go
version.
Then
we
have
to
update
that.
A
A
So
I'm
going
to
start
testing
this
out
once
I
get
the
chain
fog
stuff
completed
as
well,
so
that
all
of
our
builds
instead
of
reading
from
tag
and
reading
from
nginx
base
like
we
did
a
while
back
it
all
all
of
it's
going
to
be
described
here
and
then
we
can
run
through
and
do
that.
And
so
then
Mage
can
generate
all
of
the
pull
requests
and
everything
that
we
need
to
do
to
do.
The
one
a
119,
3
update
or
all
of
the
supported
Matrix
versions.
A
A
Okay
sounds
good:
all
of
that
stuff's
gonna
live
in
Mage
files
and
that's
all
can
be
documented.
It's
all
going
to
be
documented
here
and
then
we've
got
all
the
steps.
So
really
the
process
is
what's
the
step.
What's
the
manual
process
is
automate
that
and
then
put
it
in
a
list
right
so
update
the
controller
tag
update
the
nginx
version.
C
A
C
A
A
A
D
D
E
E
Yeah,
so
the
the
long
and
short
of
this
when
I,
when
I
put
this
there's
two
of
them
I,
don't
know
the
other
I
have
to.
Let
me
look
in
slack
real,
quick
I
think
he
gave
them
to
me.
It's
like
7268
is
the
other
one
and
apparently
we
went
through
and
we
did
did
triage
on
this.
It
is
a
known
issue
for
us
and
what
what
Brian
told
me
was
that
they
determined
that
it
was
an
issue
with
Lua
and
then
they
just
they
just
stopped
looking
at
it.
A
E
B
C
C
D
D
They
are
open
in
opening
issues
or
PR,
saying
about
the
inclusive
name
for
like
a
block
list,
allow
lists
and
we
need
to
keep
some
consistence,
because
some
folks
they
open
some
PRS
asking
hey,
can
I
add
these
new
blocking
something
whatever,
but
they
put
it
as
a
blacklist,
because
we
have
the
white
list,
but
we
don't
have
the
alloli,
so
it
it
keeps
kind
of
out
of
consistency
and
and
the
third
one.
It's
one
about
something
discussion
that
that's
been
happening
on.
D
If
we
should
keep
the
rejects
path
in
in
in
Ingress,
just
as
part
of
of
implementation,
specific
and
and
like
the
path,
five
being
exact
or
prefix,
just
accepting
really
strict
strings
right
and
I
wanted
to
fix
these
things
even
before
making
the
release
of
control
plane
and
data
playing
first
of
all,
kubernetes
126
is
going
to
be
released
today,
so
pod
security
policies.
They
should
be
gone
and
in
in
in
previous
clusters,
and
we
need
to
get
rid
of
that.
The
second
one.
D
It's
mostly
something
that
may
be
a
breaking
change,
but
that's
an
improvement
that
we
need
to
do
about
the
validation,
stuff
and
and
and
and
the
consistency,
annotations,
I.
Think
it's
going
to
be
something
easier
to
fix,
at
least
like
having
both
annotations
but
converting
like
all
of
the
like
a
white
list
so
allow
lists
and
and
so
on.
So
I
would
like
someone
to
take
a
look
into
the
deprecation,
but
I
think
that
the
deprecation
one
needs
to
be
rebated
and
retested
again.
D
Remember:
Jin
Tao,
adding
some
reviews
on
that.
If
someone
wants
to
take
over
on
these,
please
take
over
on
this
deprecation
the
path
prefix,
it's
going
to
be
something
that
I
will
work
a
short
term
and
and
the
conversions
between
annotations.
If
someone
can
take
a
look
into
that,
it's
gonna,
be
it's
not
going
to
be
a
hard
a
hard
PR
to
make.
But
you
need
to
make
the
white
list
at
least
be
converted
to
allow
list
and
keep
this
this
we
can.
D
E
B
D
I
I
I
have
started
to
look
at
that.
I
was
expecting
that
the
agent
was
something
that
was
gonna
solve
the
hot
reloads,
but
right
now
by
the
architecture
that
I
saw
it's
mostly
something
that
keeps
watching
the
configurations
of
like
some
some
centralized
control
plane
and
keeps
configuring
in
Gen
X.
It's
kind
of
a
sidecar
right
so,
but
by
what
I
saw
so
I
think
for
the
split
control,
plane
and
data
plane
for
the
midterm.
D
It's
going
to
be
cool
like
if
we
can
Implement
all
of
the
Gateway
API
over
that
logic,
since
instead
of
implementing
everything,
I
think
it's
going
to
be
useful,
but
for
the
for
the
health,
reloads
I,
don't
think
this
I
don't
think
this
is.
This
is
the
problem
that
that
it's
solved
by
that
right,
even
if
it.
C
D
A
Thanks
everyone:
we
should
be
good
for
the
next
one.
Our
next
meeting
in
two
weeks,
I
think.
Are
you
a
team?
No,
actually
we
might
need
to
cancel
our
next
one
for
the
holiday
yeah,
so
I'll
get
that
one
canceled
and
then
our
next
one
will
be
in
the
new
year.
So
if
I
don't
talk
to
you
all
happy
New,
Year
and
I'll
see
you
all
in
January
thanks
yeah.
D
And
if
I'm
blocking
someone,
please
feel
free
me
feel
free
to
ping
me.
Thank
you.
So
Jin
Tao
is
going
to
take
one
yeah,
so
yeah
feel
free
to
ping
me.
If
I'm
blocking
someone
on
on
slack
I'll
do
my
best
to
unblock
you.
I
don't
want
to
be
the
blocker,
but
I
know
that
I'm
blocking
some
of
the
open
Telemetry.