►
From YouTube: SIG Network Gateway API meeting for 20230116
Description
SIG Network Gateway API meeting for 20230116
A
Hi
everyone
welcome
to
the
go
API
meeting
for
January
16th
2023..
This
is
a
small
light,
No
Agenda
meeting,
because
it's
a
holiday
in
the
US
today,
so
yeah
we're
just
gonna
talk
about
whatever
today
so
Dave
you
had
a
you
got
anything
yeah
there.
A
Last
thing,
I
forgot
to
say
was:
you
know,
as
always,
code
of
conduct
be
nice
to
each
other,
here's,
the
kubernetes
meeting
and
so
on
and
so
forth.
A
B
Joking,
there
is
a
discussion
in
the
Gateway
API
under
the
GitHub
discussions
section
about
what's
their
local
I'm,
just
going
to
try
to
move
that
forward
with
the
get
so
far
I
just
included
the
intro
some
goals,
non-goals
I,
think
the
known
goals
kind
of
like
kind
of
want
to
avoid
this
be
getting
lumped
into
gamma
stuff,
because
when
people
think
about
like
cluster
local
like
oh,
maybe
you
can
also
link
to
other
clusters.
Thinking
balloon
into
a
larger
discussion.
B
I
haven't
included
implementation,
yet
even
though
Evan
kind
of
just
said
like
a
really
lightweight
one
in
the
GitHub
discussion,
but
because
it
might
be
worth
just
thinking
about
some
Alternatives
prior
to
figuring
out
what
we
want
to
do
so
I'm.
Just
bringing
up
here
see
if
anyone
has
comments,
but
I
can
also
bring
it
up
next
week
for
a
wider
audience.
A
Yeah
I,
think
and
I
can
definitely
say,
I
understand
the
use
case
like
you're.
It's
mainly
kind
of
the
hairpinning
style
use
case
really
so
yeah
I
think
it's
very
easy
for
people
to
see
this
as
oh
yeah
yeah
service,
much
light
so
I
think
it's
fair,
but
I
think
I
would
probably
to
be
honest.
A
Like
yeah,
so
this
is
this
is
like
a
thing
that
you
would
do
in
sort
of
an
old
school
yeah
data
center
Network,
where
you
had
a
firewall.
That
was
like
the
border
of
your
the
border
of
your
security
domain,
so
hair
pinning
is,
when
you
sort
of
reach
out
to
the
outer
edge
of
the
firewall
from
inside
and
then
and
the
traffic
is
routed
back
in
so
it
passes
through
the
firewall.
So
it's
like
a
hairpin
turn,
so
that's
happening,
got
it
yeah,
so
yeah
yeah.
So
that's
that's!
A
That's
kind
of
what
that's
kind
of
what
this
does
right,
like
you're,
reaching
like
out
to
the
outer
edge
of
the
of
the
Gateway
listener,
even
though
the
outer
edge
is
kind
of
weird,
because
it's
using
an
internal
address,
and
but
you
want
to
do
that
because
you
want
to
be
able
to
use
the
Gateway
style
routing
as
though
you
were
coming
from
outside
the
cluster
and
that's
exactly
yeah
yeah,
and
so
that's
that's
why
hair
painting
is
a
good
one,
because
it's
like
you're
not
trying
to
do
this
like
a
yeah,
it's
it!
A
C
B
B
A
I'll
put
a
comment
on
there
to
something
like
something
to
that
effect
that
it's
like
this
is
not
like
a
full
service
mesh,
where
you
expect
every
service
to
have
like
all
a
majority
of
services
to
have
this
functionality
turned
on.
This
is
like
you
want
to
expose
the
a
service
on
like
an
internal
like
a
non-public
routed.
Ip
address
is
yeah
yeah,
so
this
is
where
internal
and
external
gets
a
little
bit
confusing,
because
you
know
it's
internal
to
your
Wan,
but
not
necessarily
internal
to
the
cluster
yeah.
A
You
could
do
it
with
cluster
IP
servers,
if
you,
if
you,
if
you
make
the
cluster
IP
subnet
range
routable,
that's
one
of
the
reasons
that
I
haven't
pushed
too
hard
on
this
is
that
you
end
up
getting
into
the
weeds
of
like
exactly
how
does
the
routing
work
and
how
do
you
you?
What
internal
address
range?
A
Are
you
exposing
and
all
that
sort
of
stuff
that
you
can
kind
of
hand
wave
away
a
lot
when
you're
doing
external
IP
addresses
that
I
serve
as
a
public
load,
balancer
yeah,
exactly
essentially
yeah
yeah,
so.
A
Yeah
cool
I
think
that's
good,
but
yeah
I
mean
I.
Think
it's
worth.
You
know,
sort
of
calling
out
that
this
is
this
is
the
same
as
can
we
use
a
cluster
IP
for
a
you
know
for
a
list
for
a
gateway's
address,
12
or
something
you
have
something
similar
like
yeah.
A
It's
worth
saying
it's
similar
to
that
use
case,
yeah,
yeah
and
like
yeah,
because
because
I
I
spent
a
bit
of
time
like
playing
around
with
Kaden
and
K
native,
so
I
understand
what
you're,
what
you're
doing
you
want
to
be
able
to
have
it
so
that
you
know
you
can
have
do
k-native
stuff,
but
that's
not
on
a
public
iPad,
but
that's
exactly
yeah.
It's
about
avoiding
the
use
of
public
IP
addresses
and
using
obviously
1918
address
space,
not
about
you
having
the
pods
be
directly
reachable
for
one
another.
Yeah.
A
A
Got
to
say
four
or
five
different
ways
to
to
people
to
really
rock
what
you're
talking
about,
because
yeah
everyone's
brain
works
differently
and
yeah
cool,
okay,
no
worries,
yeah,
I,
think
yeah
I'll
definitely
have
a
look
at
that
and
then
yeah
I
think
that
it's
a
good
time
to
reopen
the
discussion
there
as
well.
A
That
sounds
good.
Well,
I
guess:
do
you
guys
have
any
other
things
that
you
want
to
talk
about.
A
Okay,
I'm
gonna
do
I'm
gonna
use
my
super
cow
powers
and
derail
into
talking
about
the
Taylor's
use
cases
thing
I
am
trying
to
sort
of
resurrect
that
a
little
bit
here
is
that.
A
So
yeah
I
updated
this
a
little
bit.
I
added
I
changed
a
couple
of
things
where
people
had
some
comments,
but
then
I
also
added
one
other
thing
on
the
end,
which
is
client
certificate
settings
we
currently
don't
have
anywhere
in
the
API
to
represent
I
want
things
that
are
connecting
to
the
outside
of
my
listener
to
require
a
client
certificate
and
I
want
to
do
some
sort
of
validation
on
my
client's
ticket.
A
That's
why
I
left
this
as
italicized
and
bolded
to
be
clear
that
this
is
not
about
from
the
connections
from
the
gateway
to
the
back
end
using
client
certificates
there
yeah,
so
just
for
anybody
watching
the
recording
yeah.
That's
what
I've
started
poking
on
this
again.
I
would
like
us
to
go
back
to
this,
because
this
is
going
to
be
required
for
us
to
do
something
about
what
ended
up
as
back-end
properties
and
didn't
end
up
going
very
well,
because
it
was
too
much
Crossover
with
gamma.
A
What
TLS
use
case
are
we
talking
about
because
it
can
be
very
confusing
if
someone
is
talking
about
https
pass
through
and
the
other
people
think
think
about
they're
talking
about
yeah
termination
and
re-encryption,
because
they've
been
kind
of
similar.
You
know
that
though,
but
they
have
subtle
and
extremely
important
differences.
A
So
yeah
does
anyone
have
anything
they
want
to
say
there.
Micaiah
I
know
that
you
all
are
interested
in
the
back-end
encryption
stuff.
Is
there
anything
you
have
that.
C
Sorry,
I
haven't
looked
at
the
most
recent
changes.
We
are
very
interested
in
both
TLS
pass
through
and
the
decrypt
pre-encrypt
use
cases.
We
don't
have
particularly
fancy
requirements
around
that
and
we
really
at
this
point.
We
just
want
the
basic
functionality
to
be
defined.
C
A
A
And
so
that's
what
I
was
trying
to
be
really
clear
on
there,
because
you,
when
you
start
talking
about
TLS
to
back
ends,
people
like
oh,
isn't
that
mtls
and
it's
like
whoa,
sometimes
yeah,
and
sometimes
it
means
the
same
thing
as
what
people
mean
in
service
mesh
when
they
say
mcls
in
sometimes
it
doesn't,
and
in
your
case
the
thing
you
really
need,
I,
don't
think
it
does
kind
of
mean
exactly
the
same
thing,
but
yeah
I
want
and
that's
another
case
where
we
need
to
be
really
careful
about
the
exact
language
you
use,
because
it's
otherwise
this
very
strong
crossover
into
sort
of
gamma
territory
and
and
there's
a
you
know,
then
they
become
a
lot
of
other
concerns.
A
I
think
Mark's.
Suggestion
here
about
saying
you
know:
maybe
should
we
consider
modeling
the
re-encryption
as
a
filter
is
like
that's
a
kind
of
interesting
idea.
It
would
at
least
give
us
a
place
to
hang
the
config
off,
but
yeah
I
think
that's.
The
problem
is
like
new.
As
always,
where
do
you
hang
the
config?
And
what
do
you
put
in
there
in
the
config?
A
The
yeah
I
think
the
problem
with
TLS
back-end
properties
with
back-end
properties
was
that
it
was
too
broad
and
there
was
too
many
applications
and
I
think
that
we're
going
to
have
much
better
success
at
designing
something.
That's
a
bit
more
tightly
focused.
B
B
We
just
want
to
say,
like
let
Opera
say
turn
on
internal
encryption,
we'll
just
manage
the
shirts
for
you
stuff,
like
that
I,
don't
know
if
that
use
case
makes
sense.
The
temperature
here.
A
It
would
be
in
this
case,
so
I
mean
that
that
come
starts
coming
more
into
like
what
we're
talking
about
for
gamma,
where,
where
we're
talking
about
you
know,
hey
mtls
in
the
service
mesh
use
case
is
kind
of
an
implementation
detail.
You
know
you
you're
only
talking
about
the
service,
you
use
the
naming
when
you
talk
about
the
services
and
the
fact
that
it's
encrypted
in
mtls
does
not
like
important
in
terms
of
the
routing.
A
You
know
it's
like
an
implementation
detail,
whereas
the
use
case
that
Mikaya
is
talking
about
is.
It
is
important
because
the
person,
the
workload
owner
the
person
who
actually
owns
the
pods
has
handle,
has
sort
of
configured
their
service
to
do
TLS
and
require
TLS
and
thus
yeah.
If
you
want
to
be
able
to
afford
traffic
to
it,
your
thing
needs
to
be
needs
to
do
a
TLS
thing
itself
or
to
deal.
B
A
Yeah
and
so
I
mean
I,
think
I
think
there's
nothing
wrong
with
doing
that,
but,
like
in
that
case
like
it's
quite
again,
it
becomes
kind
of
an
implementation
detail
where
you
kind
of
don't
want
the
person
who
configures
the
gateway
to
have
to
configure
the
TLs
that
they're
going
to
have
to
use
to
connect
to
all
the
backends
right
like
you
want
that
to
not
be
configured
it's
so
in
that
case,
that
means
it's
kind
of
like
this
is
a
thing
that
you
do
in
your
implementation
and
it's
not
it's
not
relevant
in
terms
of
configuration
and.
B
A
Yeah
exactly
yeah
yeah,
so
so
you're
going
to
be
doing
it
but
like
but
the,
but
this
and
I
guess
maybe
that's
another
thing
that
I'll
go
back
and
add
in
here
that
this
is
not
about
the
you
you're
doing.
You
know
magic
TLS
to
the
back
end
where
everything
is
sort
of
Auto
tier
list.
This
is
about
the
service.
The
person
who
owns
the
service
wants
the
TLs.
A
B
A
Cool
okay,
well
yeah,
with
that
I'll
stop
sharing!
That's
everything
I
had
to
talk
about
today.
Do
either
of
you
guys
have
anything
that
you
would
like
to
talk
about
today.
Otherwise
we
can
call
it
done
and
give
you
give
everyone
some
more
time
back.
B
C
B
Yeah
and
user
question:
can
you
actually
just
gonna
check
this
back
quickly
hold
on.
A
Well,
you
do
that
Makaya
did
you?
Were
you
gonna
ask
something
as
well.
B
Is
there
this
back
and
ref
limited
to
any
kubernetes
services,
or
can
you
have
a
back
ref
as
a
different
HP
row.
A
No
so
having
backendrift
would
be
another
HTTP.
Router's
kind
was
one
of
the
mechanisms
we
talked
about
for
delegation
and
inclusion.
A
That
Gap
is
kind
of
held
up
at
the
moment,
because
it
was
a
huge
Rabbit,
Hole
of
shenanigans
and
so
yeah
see
you
can
use
different
kinds
that
are
not
service
like
that's.
Why
there's
a
there's,
a
4gbk
selector
in
there
I
would
not
recommend
doing
it
with
HTTP
route
unless
you
spend
a
lot
of
time,
have
a
read
over
The
Gap
and
the
pr
the
update
PR
for
The
Gap
that
was
sort
of
closed
for
Stillness
a
while
ago.
A
There's
a
lot
of
discussion
on
there
but
yeah
like
if
you
want
to
allow
HTTP
route
to
point
to
another
HTTP
route.
You've
got
to
start
thinking
about
how
many
layers
deep.
Do
you
want
that
to
be?
How
do
you
prevent
Loops?
How
do
you
like?
How
do
you
handle
like
people
overriding
stuff
that
you
need
them
not
to
override
and
a
bunch
of
other
problems
like
that.
B
I
guess
maybe
I
could
backtrack
and
talk
about
my
use
case.
We
have
something
called
domain
mapping,
essentially
just
like
creating
a
top
level
domain
for
like
a
but
it's
pointed
at,
for
example,
key
needed
service
which
would
be
funded
by
HP
route.
So
really,
what
I
would
think
would
be
the
implementation
of
it
would
be
like
hey
for
any
routing.
That's
hitting
this
host
rewrite
the
host
to
be
just
other
hostname
and
then
apply
the
routing
rules
of
that.
B
Is
interesting,
yeah
it
sort
of
like
brings
lets
people
bring
like
a
custom
domain
over
top
of
their
usually
Canadian
Services
have
like
name
space
in
their
name,
and
things
like
that,
and
this
is
how
people
kind
of
use
it
to
expose
things
to
a
top
level
right.
Okay,
could.
A
A
A
A
Sorry,
from
the
from
the
back
end
owner's
point
of
view,
like
the
service
that's
actually
running
inside
the
whatever
back
end,
you're
can
editing.
Does
that?
Does
that
need
to
see
the
you
know,
k-native
service
name
or
just
doesn't
matter
if
it
gets
the
the
domain
name.
B
A
To
be
honest,
is
just
to
create
a
Gateway
with
like
a
bunch
of
listeners
that
have
separate
domains
and
then
put
the
have
the
HTTP
routes,
because
you're
controlling
all
of
the
specs
for
all
of
these
things
that
are
automatically
created,
I,
would
have
HTTP
routes,
then
use
the
the
section
naming
thing
of
the
parent
ref
and
so
point
to
the
thing
to
pick
a
particular
listener
and
and
just
map
it
only
to
that
thing
or
just
have
a
great
way
per
one.
A
If
that's
yeah,
if
you
can
do
that,
architecturally
but
like
the
important
part
here,
is
that
you
just
have
one
listener
per
domain
name.
That
then
points
to
all
of
the
you
know
the
maps
that
that
does
exactly
what
your
domain
mapping
is
doing
and
maps
that
listener
to
the
to
a
route
that
describes
that
service
I,
see
okay,
because
the
only
reason
yeah
it
feels
like
the
only
reason
you
would
need.
That
is.
If
you
really
need
the.
A
If
the
backing
service
needs
to
see
a
specific
domain
name
right,
that's
why
you
need
to
do
the
domain
rewrite
in
there
I
mean
you
can
actually
and
even
then
you
could
actually
do
that
using
using
like
a
host
a
host
rewrite
using
the
header
rewrite
stuff,
so
you
could
do
a
header
rewriting
a
HTTP
route.
A
You
do
to
rewrite
the
service
to
the
to
the
candida
theme,
so
rather
than
modeling
it
as
like
around
the
rest
or
another
route
is
just
a
listener
that
listens
to
the
domain
name
and
then
the
right
and
then
the
route,
the
routes,
all
the
traffic
for
that
domain,
name
out
to
the
correct
service.
Let's
see,
okay,.
B
Yeah
I'll
play
with
that
then
I
realize
I
need
to
do
a
giant
like
a
mirror,
Board
of
like
use
case
how
what
are
the
resources
they
need
to
make
yeah
yeah,
yeah,
yeah
yeah,
so.
A
Yeah
and
like
so
I
think
yeah,
like
I'd,
certainly
be
having
to
look
at
that
use
to
the
mirror
board
for
you,
man
like
because
I
think
it's
one
of
the
things
that
we
so
we
need
a
lot
more
of.
Is
that
sort
of
cookbook
style
thing
of
like
I
want
to
do
this,
and
so
we
say,
oh,
the
way
you
do
this
is
to
do.
A
Yo
is
to
have
a
have
a
listener
that
points
the
route,
and
you
know
blah
blah
blah
like
you
and
there's
a
couple
of
other
similar
use
cases
that,
where
people
I
think
there
was
one
where
people
had
were
like,
oh
I
want
to
Auto
generate
I
want
to
Auto,
generate
HTTP
routes
from
a
Swagger
description
and
they're
like
oh,
you
know,
I
wanted
to.
You
know
only
allow
the
get
post
and
stuff
that
the
Swagger
says,
and
then
they
put
it
all
into
one
HTTP
route
and
they
were
like.
A
Oh
there's,
two
I
have
too
many
part:
I
have
too
many
route
maps
to
to
fit
in
a
HTTP
route
and
I'm
like
well.
That's
because
you're
kind
of
doing
it
wrong,
like
you,
want
to
break
those
up
a
little
bit.
Maybe
have
each
endpoint
be
a
you
know.
Each
end
point
be
a
separate
HTTP
route
rather
than
putting
everything
into
one
big
HTTP
route,
and
that
that's
that's
the
exact
sort
of
thing
right.
A
I've
got
to
do
for
myself
to
to
do
to
to
sort
of,
say:
hey
if
you
want
to
use
when
you're
using
the
Gateway
API
like
here's,
some
other
here's,
some
use
cases
that
have
come
up
and
here's
how
we
think
you
should
he's
sort
of
the
recommended
way
to
do
this
and
the
more
that
we
can
have
build
a
sort
of
a
cookbooky
thing
like
that.
Then
I
think
that
will
help
people,
because
it's
a
reasonably
complex
API,
because
it's
got
a
lot.
It's
solving
a
large
problem
space.
A
A
B
Know
yeah,
and
maybe
my
last
question
has
there
ever
been
any
discussion
about
protocol
and
automatic
protocol
negotiation
with
back-ends,
so
the
user
might
not
even
have
to
declare
any
like
back-end
capabilities
like
what?
What
protocol
and
what
ports
Etc.
B
A
Yeah
with,
in
the
absence
of
something
like
alpn,
that's
designed
to
do
that
it
seems
like
it
would
be
hard
like
you
know,
if
we're,
if
we're
talking
a
HD
like
a
port
80
like
you
and
you
want
to
do
something
in
addition
to
http
or
I,
mean
HTTP
already
will
Auto
negotiate
versions
for
you
right
like
it
seems
like
it
needs
to
be
built
into
literally
the
layer,
7
protocol
that
we
that
whatever
layer
7
protocol
you're
using
for
the
port
in
like
when
I
was
working
on
Contour.
A
We
had
a
thing
where
yeah.
If
you
wanted
to
be
able
to
specify
which
port
to
use
for
which
type
of
traffic
there
was
like
it
should
be
proxy,
there
was
a.
There
was
a
thing
that
said.
You
know
this
is
a
TLS
yeah
I
want
you,
I
want
the
I
want
Contour
to
do
a
TLS
connection
to
the
backend
service,
and
you
should
use
this
port.
A
You
know,
rather
than
you
should
use
port
four
for
three
rather
than
put
Port
80
or
something
but
yeah,
and
so
like
I
understand
what
you're
saying
it'd
be
nice
to
be
able
to
have
it
be
some
sort
of
Auto
detection,
but
I
I,
don't
know
how
we
could
handle
all
the
conceivable
use
cases
easily.
There
I
think
it
seems
like
it
could.
You
could
do
an
interesting.
Like
extension,
like
a
you
know,
policy
attachment
or
a
you
know
some
other
sort
of
meta
resource.
A
A
You
I
mean
again,
you
could
actually
it
could
be
something
where
you
where
your
your
implementation
could
be
like.
You
know
you
do
a
HTTP
route
and
then
it
figures
out
like
what
port
your
implementation
figures
out.
What
what
the
HTTP
listener
is
listening
on
right
like
he
approves
it
out
or
something
like
that
right.
But
then
that's
an
implementation
detail
right
like
not
a
thing
that
we
need
to
configure.
A
I!
Guess,
that's
the
that's
one
of
the
key
things
is:
that's
really
important
to
remember
with
I.
Think
like
o
API
is
like
you,
we
need
to
put
only
the
things
that
we
really
need,
people
to
be
able
to
configure
and
know
and
no
more
and
then
leave
the
magic
to
be
magic
and
to
be
implementation.
Specific.
A
That
doesn't
mean
that
you
can't
like,
but
it
means
like
if
you
want
to
like,
we
need
to
talk
about
it
and
maybe
do
something
implementation
specific
like
by
that
I
mean
the
support
level
implementation,
not
just
the
generic
term
yeah
so
yeah,
it
is
an
interesting
use
case
and
I
do
think.
I
think
there
was
a
a
note
in
that
TLS
use
cases
thing
about
doing
something
with
alpn
instead
of
just
Sni,
which
would
make
sense
to
me.
But
we
hadn't
considered
that
earlier
so,
okay
yeah.
A
C
If
you
don't
mind,
if
I
weigh
in
yeah
I
really
agree
with
your
point
on,
we
don't
want
things
to
be
too
implementation
specific.
We
want
things
to
be
portable.
I'd
also
add
I'm
wary
of
too
much
magic
in
when
we
talked
you
mentioned
HTTP
HTTP
to
negotiation
using
alpn
that
that
kind
of
thing
scares
me
because
HTTP
2
has
surprises
like
clients,
doing
connection
coalescing,
so
I'm
always
wary
of
too
much
magic.
Auto
detection.
That
kind
of
thing
I
definitely
prefer
explicit,
apis
and
explicit
configuration.
C
If
anything
you
could
have
where
it
makes
sense,
an
option
to
say
Auto
detect
if
you
want
that
as
an
explicit
yes,
I
want
to
Auto
detect
what
protocol
to
use.
Otherwise,
though,
like
I
said,
I
would
prefer
explicit
apis
where
possible.
A
Don't
know
yeah
exactly,
but
so
I
think
the
the
thing
that
I
was
talking
about
there
with
alpm
was
you
seeing
if
it
was
possible
to
use
some
of
the
aop
and
handshake
stuff
to
for
TLS
routing
like
in
the
same
way
you
use
the
Sni
I,
can't
remember
the
exact
mechanisms
and
when
it
happens
in
the
handshake,
so
I
don't
know.
A
If
you
can
do
it
in
the
same
way
that
you
can
with
Sni
we
don't
you
don't
unwrap
the
packets
and
you
just
pull
them
on,
and
yeah
use
ala
alpn
as
a
routing
discriminator
to
be
able
to
say.
Oh
if
you
know,
if
you
negotiate
HTTP
to
send
it
to
this
service.
A
Otherwise,
if
you,
if
a
teacher,
should
be
one
send
it
to
their
service
or
something
like
that,
yeah
so
I
mean
that
that
that's
I
think
the
thing
that
we
were
talking
about
with
alpn,
not
not
anything
more
clever
and
I
I,
don't
even
know
if
it's
possible
I
need
to
go
and
read
the
aop
and
stuff
again.
A
Okay,
cool
I'll
make
we'll
put
a
couple
of
notes
in
there
about
some
of
the
stuff
we
talked
about,
but
I
think
with
that
we're
kind
of
done.