►
From YouTube: SIG Network Gateway API Bi-Weekly Meeting for 20221010
Description
SIG Network Gateway API Bi-Weekly Meeting for 20221010
A
Foreign,
hey
welcome
to
the
Gateway
API
community
meeting
for
October
10
2022..
We
are
getting
awfully
close
to
kubecon
thanks
to
everyone
who
made
it
here,
just
a
few
things
on
the
agenda
today,
but
before
we
get
to
it,
just
a
quick
reminder
that
this
is
just
like
any
other
kubernetes
community
meeting
Guided
by
the
same
code
of
conduct,
which
is
generally
just
to
be
nice
to
each
other.
A
There's
a
lot
more
details.
If
you
look
up
the
kubernetes
community
code
of
conduct,
but
I
think
we've
all
been
very
friendly.
So
another
reminder
that
please,
if
you
have
anything
to
discuss,
don't
hesitate
to
bring
it
up,
you
can
anyone
should
be
able
to
edit
this
agenda
or
you
can
drop
some
Link
in
chat
as
well
or
just
speak
up
whatever
works
best
for
you
with
that,
let's
get
started
on
the
agenda.
A
First
up,
we've
got
kubecon
we're
wow
a
couple
weeks
away
so
hopefully
see
some
of
you.
There
we
put
a.
We
had
a
couple
cfps
for
contrib
Summit.
Both
of
them
got
in
one
of
them
is
an
actual
talk
of
sorts
that
we
need
to
give
for.
Anyone
who
hasn't
been
to
contrib
Summit
before
it's
a
pretty
informal
thing
but
I
am
very
much
looking
for
for
different
contributors.
A
So
you
know,
if
you're,
if
you're
able
to
make
it
reach
out
to
myself
or
Shane
and
we'd
love
to
fit
you
in
and-
and
you
know,
have
you
help
out
with
this
talk
again,
it's
a
pretty
informal
thing,
but
I
would
love
to
get
some
other
people
speaking
about
Gateway
API
and
just
not
put
anyone
on
the
spot.
But
does
anyone
want
to
volunteer
now
any
chance.
C
A
Yes,
well,
this
is
a
good
intro
anyways
welcome
Philip,
maybe
just
give
a
brief,
intro
yeah.
That
was
a
bit
yeah.
C
So
so
I'm
Phil
cloudy
and
I
I'm
a
product
manager
at
F5,
and
there
are
a
couple
of
different
groups
at
F5s
that
are
interested
in
the
Gateway
API.
C
C
You
know
all
of
the
service
providers
are
launching
5G
on
kubernetes
and
it's
just
starting
to
happen,
and
so
you
know
I've
been
working
for
the
last
couple
of
years
on
a
product
we
call
SDK
or
service
proxy
for
kubernetes,
which
is
about
the
sort
of
Ingress
and
egress
like
tying
together,
North
and
South
bound
traffic
for
launching
5G
and
I
only
became
aware
of
the
Gateway
API
a
few
months
ago,
but
it
strikes
me
that's
what's
going
on
here
is
actually
kind
of
vitally
important
to
the
work
I'm
doing-
and
you
know,
we've
already
done
some
like
demos
and
things
to
get
our
product.
C
You
know
where
we
can
use
the
Gateway,
API
and
stuff
to
show
it
off
and
we're
getting
questions
from
some
large
carriers
about
whether
they
should
be
pushing
their
vendors
to
comply
with
Gateway,
API
et
cetera,
et
cetera,
and
so
you
know,
I
think
I-
think
it's
a
direction.
We're
very
interested
in
I
I
have
also
on
the
phone
Quang
who's
on.
C
My
team
and
you'll
probably
see
some
other
folks
too,
but
this
is
something
we're
really
interested
in
and
I'm
actually
going
to
be
at
kubecon
at
the
cloud
native
Telco
day
on
Monday
and
I'll
be
presenting
actually
about
my
product
and
the
sort
of
networking
in
kubernetes,
45g
and
I'm
hoping
I
can
you
know
meet
some
of
you
guys
there
at
kubecon,
I,
don't
know
what
time
of
day
the
the
stuff
you're
talking
talking
about
is
on
Monday
but
I'll
be
presenting
just
afternoon
like
one.
A
Hey
that
that
is
awesome,
that's
a
great
intro.
Welcome
everyone
from
the
team
excited
to
see
where
that
goes.
I've
I've
just
had
a
few
other
people
reach
out
about
Telco
and
how
what
that
means
for
Gateway
API,
so
I
would
be
good
to
make
those
connections
and
see
where
we
can
go
with
that
and
I
I.
Imagine
I'm,
not
the
only
person
who's
had
those
discussions,
so
yeah,
that's
awesome,
I
I
know
for
contribute,
Summit,
it's
it's
basically
an
all-day
thing.
I.
A
The
schedule
is
supposed
to
really
be
released
sometime
today,
but
at
last
I
checked
it
hadn't
been,
but
we
should
know
soon
when
these
things
are
going
to
be.
If
not
I
know,
I've
I've
been
trying
to
set
aside
time
on
Tuesday
and
I.
Think
some
other
maintainers
have
some
time
on
Tuesday
as
well
to
just
have
some
informal
meetings
and
discussions.
A
So
if
you
happen
to
have
some
time
on
Tuesday
free
I
know
we'd
love
to
meet
then
too,
all
right,
so
yeah
just
awesome,
don't
don't
hesitate
to
reach
out
in
Gateway
API
slack
and
yeah
we'd
love
to
love
to
follow
up
yeah
welcome.
A
You
awesome
and
so
yeah
just
yeah
one
last
reminder
if
you
are
interested
in
either
being
part
of
the
working
session.
Hopefully
that's
many
of
you
and
also,
if
you're
interested
in
helping
to
present
our
crd
talk.
I
would
would
love
to
hear
from
you
again
just
reach
out
in
slack
or
in
chat
or
whatever
works
best
Nick.
It
is
great
to
see
you
alive
again.
Welcome
back
yeah
thanks.
D
Cool
I
haven't
I,
I
talked
to
Rob
about
it,
but
yeah
for
those
of
you
who
don't
know.
Yeah
I
went
to
I,
went
on
skiing
trip
a
little
while
ago
and
have
blown
my
snapped.
My
ACL
and
torn
my
MCL
on
my
left
leg
and
tore
my
MCL
on
my
right
leg.
So
I
am
on
crutches
and
T-Mobile
and
will
not
be
able
to
make
it
to
kukon,
which
I
am
extremely
upset
about.
So.
B
D
D
Yeah
yeah,
it's
pretty
painful,
but
yeah
Lewin
just
asked.
If
we
can
attend
the
working
session
remotely
through
Zoom
I
personally
would
love
it.
If
I
could
at
least
be
a
fly
on
the
wall,
you
know
so
that
I
can.
Even
if
I
have
to
get
up
at
some
stupid
hour,
it
would
be
nice
to
try
and
or
at
least
if
it's,
if
it's
on
zoom
and
recorded
at
least
I
can
catch
up
yeah,
so
yeah
I
definitely
would
have
loved
to
have
been
there.
D
D
Also
for
getting
started,
I
can
see
you
getting
started
on
implementing
the
one
three
six
four
stuff
as
well.
Thanks.
A
Cool
yeah,
so
yes,
big,
big,
plus
one
to
feel
better
soon.
Nick
that
sounds
awful,
but
also
I
should
follow
up.
I've
been
talking
with
I.
Think
Jason
and
Bob
are
the
two
people
that
I've
been
talking
with
about
contrib
Summit
I'll
check
in
with
them
to
see.
If
there's
any
like
good
way
to
do
that,
but
yeah
I'd
love
to
have
some
kind
of
hybrid,
so
much
of
the
conference
is
hybrid
I
would
love
to
see
if
we
could
make
that
happen.
For
this
particular
part
of
it.
E
A
Cool
and
maybe
maybe
just
reach
out
on
slack
or
post
a
message
or
something
if
you're
one
of
the
people
that
would
be
interested
in
you
know
doing
something
but
aren't
able
to
make
it
do
contrib,
Summit
or
kubecon
in
person,
and
we
can
try
and
set
something
up
that
way
too.
A
Yeah
yeah
cool
all
right.
Next
on
the
agenda,
the
Ingress
to
Gateway
repo
is
live
and
I
like
you.
You
are
not
wrong.
There's
nothing
here!
This
is
just
from
the
template.
I
still
need
to
make
a
PR
with
actual
code
in
here,
but
the
maintainers
here
are
the
same.
Maintainers
of
Gateway
API,
so
I
think
we'll
cover
any
one.
I
think
this
is
going
to
be
a
pretty
small
project,
but
I
think
we
can
cover
it
under
the
same
meetings.
A
A
You
know
it
works,
but
barely
that
we'll
take
Ingress
resources
from
your
cluster
and
output,
equivalent
emo
for
Gateway
API
resources,
and
it
understands
some
subset
of
implementation,
specific
annotations,
so
yeah,
that's
the
thing
that
I'll
try
and
get
a
pierra
out
for
soon
on
this
repo,
but
again
for
anyone,
who's,
a
Gateway,
API
maintainer,
already
you've
kind
of
been
volunteered
to
also
maintain
this.
Thank
you,
but
also
anyone
else
is
welcome
to
just
pay
attention
and
review.
A
Any
changes,
contribute
I,
know,
I,
know
the
last
time
I
presented
this.
There
were
a
few
people
that
that
seemed
interested
in
in
helping
out.
So
by
all
means
we
can
always
use
more
contributors,
and
this
is
a
great
opportunity
if
you're
new
and
just
want
to
help
out
so
yeah,
that's
Ingress
to
Gateway.
It
is
ready
for
contribution.
Well,
I
need
to
make
a
PR,
but
then
I'll
be
ready
for
contributions
yeah
and
then,
with
that
I
think,
let's
get
into
the
060,
Milestone
and
I
think
Mike.
A
Let's
just
start
with
your
thing
on
get
1364
and
what
what
we've
got
coming
up
next.
B
Sure
so
yeah
I
just
broke
out
two
PRS
and
one
issue
that
was
not
addressed
explicitly
in
the
Gap,
but
it
is
kind
of
a
corollary
from
things
that
got
I
think
the
suggest
should
be
necessary.
B
So
I
think
that
those
so
I
closed.
Two
of
my
older
issues.
They
were
kind
of
like
sprawling
meta
issues,
so
so
these
three
should
be
relatively
direct
and
actionable
to
get
into
the
060
milestone.
B
This
is
fantastic
gateways,
the
other
one
is
adding
accepted
to
listeners
and
the
third
one
is
adding
a
pending
status
for
appending
reason
for
all
the
different
conditions
for
each
resource,
because
setting
a
reason
is
required
for
a
condition,
even
when
the
status
is
unknown.
D
B
D
The
default
value
we
have
when
it's
condition
state
is
unknown.
You
need
to
have
a
reason,
and
so
the
reason
is
on
status,
unknown
reason
pending.
B
B
You
think
I
think
so
there
is
some
current
usage
or
it's
currently
there's
a
listener
condition
reason
pending
that
I'm
not
entirely
clear
on
if
it
should
be
used
in
some
other
way,
I
think
it's
associated
with
false,
but
I
think
that's
just
more
of
a
documentation
issue
than
like
an
actual
different
use
case.
D
Yeah
I
think
in
general
the
pending
reason
seems
to
fit
the
best
with
the
unknown
one
I,
don't
think
you
would
have
it
pending
as
like
a
we're
waiting
for
something
to
happen
that
fits
best
with
the
unknown
State,
not
the
true
or
the
false
State,
true
or
false
kind
of
implied
strongly
imply,
like
the
any
operations
associated
with
the
condition
of
terminated,
and
so
action
needs
to
be
taken
to
change
the
state,
whereas
pending
implies
a
way
to
know
yet
yet,
which
is
the
same
as
unknown.
B
D
D
Sense,
just
one
more
place
where
we're
consolidating
the
different
reasons
that
we
had
across
different
conditions
to
to
be
the
same
reason
across
different
conditions
across
different
conditions
that
are
used
in
different
places
like
the
Gateway
class
conditions,
the
Gateway
condition
and
the
route
condition.
We
want
them
to
have
similar,
States
and
similar
reasons,
so
that
when
you're.
Looking
at
one
thing
you
can
you
know
you
can
transfer
your
knowledge
about
one
thing
to
another.
A
B
I
would
be
happy,
for
this
is
relatively
straightforward
if
any
new
contributor
is
interested
in
picking
this
up
and
the
other
two
I
I.
Obviously
I
have
a
question
that
Shane
started
answering
about
if
there's
any
specifics,
as
far
as
like
Cube
Builder
validation
or
anything
like
that
for
just
like
deprecating
things
properly,
but
those
two
I
could
probably
finish
up
and
check
myself.
B
Thank
you
and
there's
at
least
one
other
one
that
probably
needs
a
PR
around
the
like
HTTP
route
rules
and
the
changes
from
The
Gap
and
just
making
sure
those
are
all
clearly
documented
in
our
actual
docs.
That
one
is
much
more
involved.
The
the
Gap
spells
out
well,
but
but
the
documentation
updates
are
going
to
be
much
more
involved
and
comprehensive.
I
think
so.
I
haven't
done
that
and
I'll
probably
not
have
time
for
that.
One
I.
A
A
Crpc
route
is
almost
done,
there's
just
one
more
docs
PR
to
get
in
and
then
almost
everything
is
related
to
status
now,
so
anything
we
can
do
to
help,
and
this
is
that
you
know
I'm
not
trying
to
rush
anyone
either.
I
know
that
things
take
time
and
we
don't
want
to
rush
to
release
out
the
door
so
just
but
yeah.
Let
us
know
how
we
can
help,
and
it
sounds
like
that.
So
it
sounds
like
everyone.
It
sounds
like
all
the
pieces
of
this
Gap
are
accounted
for
in
some
way
right.
A
D
Think
the
last
the
last
thing
from
The
Gap
is
is
that
at
some
point
we
have
to
flip
the
conformance
tests
to
check
for
programmed
rather
than
ready,
that's
the
big
sort
of
broken
change.
We.
D
B
D
Yeah,
so
we
could.
We
could
certainly
phase
this
and
have
it
be
that
you
know
for
o60,
we
put
you,
we
put
it
that
you
must
set
accepted
and
we'll
check
for
accepted
in
the
conformance
tests
and
then
but
we'll
leave
ready
as
it
stands
and
then
make
it
that
070
is
when
we
break
ready
and
we
put
and
we
Skip,
and
we
flip
that
to
programmed
and
have
and
move
ready
to
Extended
or
we
can
do
it
yeah.
Just
like
that,
it's
more
the
only
reason
I
would
suggest
not
doing
it.
D
This
time
is
because
just
the
amount
of
work
that's
required
to
flip
all
the
performance
tests
and
get
it
and
review
it
and
do
all
that
sort
of
stuff-
and
then
you
know,
is,
is
a
lot
I
I
kind
of
would
prefer
to
do
it
all
at
once,
so
that
so
everyone
has
to
do
like
one
big
update
to
the
status
calculations,
but
it's
just
going
to
depend
on
how
if
we
can
get
that
in
in
time.
D
So
it's
just
so
maybe
we
hold
that
in
our
back
pocket
and
if,
if
Mike
and
I
managed
to
smash
the
the
other
stuff
pretty
quickly
and
we're
and
I'm
sitting
around,
you
know
the
week
before
kubecon
with
nothing
to
do.
Then
then,
maybe
maybe
I'll
try
and
get
it
in
then,
because
since
I'm
not
traveling
I
can
you
know.
D
I
I
have
a
little
bit
more
bandwidth
that
I'm
not
going
to
be
like
preparing
to
travel
and
traveling
and
stuff
so
yeah
I
I
can
probably
push
the
release
buttons
just
before
qcon
as
well,
if
required.
So
it
could
be
that
we
will
have
enough
time.
It
just
depends
on
bandwidth,
but
I.
D
Think
the
back
backup
plan
in
my
mind
is
that
we
go
with
I
think
we
definitely
want
the
accepted
changes
in
for
this
for
06
over
definitely
and
and
we
should
have
conformance
tests
for
accepted,
you
know
60
and
then
we
hold
the
you
know
we
wait
and
see
how
much
time
we
have
for
to
flip
the
ready
Behavior
over.
A
Yeah
I
think
my
bias
is
to
my
preference
here
is
just
to
go
ahead
and
wait
until
everything
is
ready.
You
know,
I
I
think
this
is
a
very
large
change,
I
like
to
make
sure
it's
it's
well
thought
out
and
that
we
have
conformance
test
coverage
of
everything
that
we're
trying
to
change.
A
D
So,
let's
so
to
just
wrap
this
wrap
that
statement
up
in
so
ready
will
will
be
changed
to
programmed
as
a
part
of
the
o60
release.
It
may
not
happen
before
kubecon
because
timing,
but
but
we
will,
but
we
will
make
sure
that
that
ready
gets
changed
to
programmed
with
conformance
tests
updates
before
we
actually
cut
the
final
o60
yeah.
D
Is
that
yeah
are
there?
Are
there
any
objections
from
anybody
about
that
plan?.
D
A
Okay,
I'll
yeah
I'll
take
silence
as
a
good
sign,
but
please
anyone
on
the
call
don't
hesitate
to
to
speak
up
if,
if
anything
sounds
even
a
little
bit
off,
do
you
let.
D
Us
know
yeah,
yes,
I
remember,
for
everyone
who's
an
implementer.
This
change
is
going
to
be
a
big
one.
You
will
have
to
stop
programming
ready
or
you
can
keep
programming
ready
if
you
want,
but
you
will
need
to
program.
The
programmed
condition
as
well
like
the
programmed
condition,
will
be
what
the
conformance
tests
used
to
to
sort
of
be
to,
as
the
signal
that
hey
now
I
can
actually
start
checking
that
your
thing
is
conformant
rather
than
ready.
B
A
Cool
thanks
thanks
Nick
and
Mike
for
taking
that
on
that's
a
ton
of
work
but
excited
to
to
get
it
through
yeah.
Let
me
run
through
the
rest
of
the
Milestone
items
here.
Sorry
Mike
were
you
about
to
say
something:
I
may
have
missed
all
right
cool
all
right,
so
this
is
status.
This
is
grpc,
Route
I
think
we're
good
on
that
front.
Thank
you.
Richard
I
saw
one
more
PR
update
from
you
that
I
need
to
review,
or
anyone
can
review.
A
Richard
has
done
some
great
work
on
docs
I.
Think
grpc
route
is
going
to
be
one
of
our
best
documented
resources
as
it
graduates
to
Beta.
So,
thank
you.
Then.
This
one
is
a
nice
to
have.
We
had
a
volunteer,
but
I
don't
know
if
that
volunteer
has
made
any
progress.
A
Yeah
I
can
follow
up.
But
again
this
is
something
like
we've
considered,
non-blocking
more
status
status.
A
Oh
there's
a
PR
for
this
and
I
missed
it.
Sorry
Shane
you've
reviewed
this
PR.
Do
you
remember
the
state.
D
B
A
A
Yeah
I.
Anyone
that
wants
to
volunteer
just
add
a
comment
and
again
love
any
contributions
on
this
one.
D
Yeah,
so
the
so
this
one
is
I'll
update
the
types
and
then
and
then
just
check
that
the
reference
that
we
have,
that
the
conformance
test
cover
everything
right
again,
I
think
we
have
pretty
good
Converse
coverage
already,
but
yes,.
A
Yes,
actually
pretty
good
coverage
on
reference
Grant.
The
weird
thing
I
didn't
really
know
how
to
explain
this,
but
John
went
through
a
couple
weeks
ago
and
did
this
kind
of
clever
thing
where
we're
using
type
aliases
for
everything
in
Alpha
two.
This
makes
it
a
bit
easier
to
implement
if
you're
trying
to
support
both
Alpha
2
and
beta
1.,
but
it
means
that
the
types
files
are
not
an
exact
copy
anymore.
It's
instead,
you've
got
to
do
some
type
aliasing.
A
Cool
and
then
the
next
item
up
here,
more
status
status
and
this
one
from
Mike
I
think
Mike.
You
said
this
one
yeah.
This
is
just
waiting
for
someone
to
volunteer.
D
Okay,
I'll
I'll
make
an
issue
for
the
for
the
other
route
updates.
The
route
rule
updates
so
that
it
can
be
in
here
as
well.
B
A
All
right
so
with
that
I
think
if
there's
nothing
else,
that
oh
no
there's
one
more
thing
thanks
Candace
and
then
we'll
jump
into
triage,
all
right,
so
1282
background
properties,
maybe
Candace!
E
Last
week,
I
I
am
made
a
pull
request
to
include
the
implementation
for
what
we
had
been
discussing
in
the
meeting
for
backend
properties.
The
back
end
properties
are
the
way
that
we
decided
to
go
forward
for
TLS
re-encrypt,
also
known
as
Upstream
encrypt
and
I
got
some
feedback
from
it
from
a
lot
of
people.
E
Thank
you
very
much
for
that
and
I
made
some
changes,
but
the
one
that
I'd
like
to
spend
just
you
know
five
ten
minutes
on
in
a
face-to-face
meeting
is
what
do
we
call
this
field
because
I
mean
I
I
just
want
to
make
sure
that
it's
something
that
everybody
can
you
know
can
can
understand
when
they
see
it
for
me
that
that
word
was
re-encrypt,
but
I
unders
completely
understand
that
that's
not
a
a
common
way
of
looking
at
the
encryption
that
happens
from
from
the
back
end,
sorry
from
the
gateway
to
the
back
end,
as
opposed
to
the
encryption
that
happens
and
terminate,
which
is
from
from
the
from
the
route
to
the
Gateway
or
pass
through,
which
is
doesn't
stop,
doesn't
stop
in
the
middle
encryption,
so
I
noticed
in
our
docs
I.
E
Think
there's
a
link
here
to
our
Docs,
so
we
use
the
terms
pass
through
and
terminate,
and
what
I
was
going
to
suggest
was
something
like
forward
or
extended.
E
D
Yeah,
that's
definitely
some
Envoy
terminology
creeping
in
there
because
that's
how
all
the
way
it
talks
about
it,
yeah
I
think
it's
it's
a
really
interesting
naming
problem,
I'm!
Actually,
I
I!
You
I'd
actually
be
a
little
bit
more
kind,
because
this
thing
is
I'm
already
a
back-end
properties
thing.
It
makes
sense.
D
It
makes
it
actually
makes
sense
to
me
what
Tara
was
saying
about
just
calling
it
TLS,
because
this
is
then
the
TLs
properties
of
the
back
end,
because
you're
describing
the
back
end,
you're,
describing
the
service
and,
and
so
this
and
so
having
a
btls
I.
Don't
I
think
because
it's
a
separate
object.
It's
okay
to
use
the
word.
That's
sort
of
my
initial
feel,
but
I
think
I.
E
We
use
yeah,
we
use
the
word
TLS
as
a
listener
property
and
it's
for
everything
except
re-encrypt.
E
D
D
It
makes
sense
to
do
that,
and
it
also
means
that
you
you're
sort
of
reusing
a
word
means
that
your
people
can
kind
of
expect
that
the
behavior
will
be
similar
when
you
put
the
TLs
properties
on
The
Listener
and
the
TLs
properties
on
the
back
end.
It's
like
this
is
the
TLs
details
you
use
to
connect
to
this
thing.
D
I
think
you
would
need
explanation
in
the
docs,
obviously,
but
but
because
I
think
the
all
of
the
things
that
that
you're
saying
like
I
agree
that
recrypt
is
not
it's
also,
not
that
great.
But
you
know
and
and
say
and
you
other
options
are
then
sort
of
you're
sort
of
saying,
like
you're,
describing
the
behavior
that
you're
getting
rather
than
a
property
of
the
the
object.
D
A
I'll
figure
out
how
to
unmute
myself
at
some
point
sorry,
so
yeah
I
I
was
actually
of
the
same
mind
as
Nick
here
at
least
initially,
and
now
I'm
at
least
a
lot
a
little
unsure.
A
B
E
B
E
E
Name
it
what
it's
named,
but
if
you
want
feedback
on
what
seems
to
be
understandable,
then
I,
just
I
just
made
those
suggestions
of
you
know
a
for
something
that
that
you
could
put
in
this
document
that
we're
that
you're,
showing
on
the
screen.
Now
that
would
describe
to
people
I
mean
you
couldn't
put
well
I,
don't
know
if
you
would
even
describe
it
in
here.
E
You'd
have
to
rework
this
this
document
for
sure,
because
TLS
mode
applies
only
to
The
Listener
that
doesn't
apply
at
all
to
the
big,
the
back
end
capabilities,
which
only
have
one
TLS
mode.
A
Now
remember
we
had
this
discussion
back
in
the
day
when
we
were
talking
about
different
options
for
TLS
mode
and
re-encrypt
was
one
of
the
options
we
considered
but
again,
I
think
at
that
point
in
time.
The
the
idea
was
that
we
really
just
want
to
describe
what
happens
at
the
listener,
and
you
know
on
on
the
way
in
from
client
to
Gateway
and
then
leave
gateway
to
service
for
some
other
configuration
such
as
now
backend
properties,
so
I
think
in.
If
we
continued
with
that
line
of
thought,
then
nothing
here
would
change.
D
Yeah
I
mean
I.
Think
importantly,
back-end
properties
doesn't
make
one
of
the
good
things
about
having
it
be
separate
is
that
it
makes
no
representations
about
what
the
protocol
on
the
business
side
is,
but,
like
it's
completely
valid,
it
seems
to
me
that
it
should
be
completely
valid
to
you.
Have
you
come
in
on
clear
text
and
then
encrypt
to
the
back
end
right,
like
it's
they're
completely
orthogonal
concerns.
D
You
know
whether
or
not
the
listener
is
encrypted
and
whether
or
not
the
back
of
the
connection
to
the
back
end
from
the
Gateway
is
encrypted.
Would
you
do
that
like
have
clear
text,
HTTP
and
then
https
to
the
back
end
that'd
be
super
weird,
but
hey
like
by
that,
but
having
them.
Orthogonal
concerns
means
that
it
means
that
you
don't
need
to
like
intertwine
the
two
things
sorry
I
spoke
over
you.
What
were
you
gonna
say.
E
D
Yeah
but
the
but
in
my,
but
it
really
makes
sense
to
me
that
the
the
the
concerns
are
orthogonal
right
like
it,
that
the
whether
or
not
the
back
end
encryption
happens
or
not
is
is
a
completely
separate
decision
to
whether
or
not
you're
having
Christian
at
the
the
listener.
D
E
D
E
You
can
configure
The
Listener
and
it
would
be
the
the
cluster
admin
who
would
configure
the
or
vice
versa,
who
would
configure
the
second
hop
yeah.
D
So,
in
my
mind,
the
the
person
who
owns
the
service
owns
the
back-end
properties
for
the
service.
A
person
who
owns
the
Gateway
owns
the
TLs
properties
for
the
listener,
so
the
cluster
admin
owns
The
Listener
owns
like
owns.
If
their
cluster
admin
owns
the
Gateway
in
The
Listener
then,
is
their
responsibility.
What
certs
are
used
and
how
that
TLS
connection
happens
and
then,
as
a
as
an
application
developer,
I
can
say
well,
I
want
the
connection.
D
I
want
the
connection
from
your
gateway
from
the
gateway
to
my
back
end,
to
be
also
to
be
TLS
and
that's
within
my
control
and
this.
Thus
the
back
end
properties
is
mine
and
that's
another
good
reason
to
have
the
the
two
things
be
orthogonal
is,
that
is
that
it
lets
you
split
the
decisions
about
which
things
are
TLS
to
the
to
between
the
personas.
E
Okay,
can
can
you
show
the
the
pull
request
or
I
can
yeah.
A
Oh
either
way,
let
me
let
you
be
co-host
and
then
you
should
be
able
to
share
away
as
well,
and
that
might
be
easier
to
highlight
in
the
areas
you
want
to
I
think
you've
got
to
stop
sharing
yeah
thanks.
E
E
A
There
have
been
some
good
comments
in
chat
here.
I
can
try
and
go
through
those
soon
too.
E
Yeah
I
did
I
did
make
some
changes
already.
There's
some
I
I
wasn't
so
sure
about,
but
we
don't
have
to
talk
about
it
in
the
meeting.
Necessarily
do
you
wanna
I
mean
what
I'm
talking
about
now
is
particularly
the
use
of
the
word.
I
use
the
word
re-encrypt
to
to
Signal
this,
but
let's
look
at
the
whole.
Look
at
the
whole
thing
actually.
A
Yeah
somehow
we
lost
a
lot
of
comments
along
the
way,
but
that's
GitHub
but
yeah
just
I
think
yeah.
You
change
it
to
encrypt
I've.
E
Changed
it
to
forward
actually,
but
that
you
know
that's
what
we're
discussing
now.
E
So
this
is
I
mean
just
to
remind
everybody
who
hasn't
had
a
chance
to
to
look
we'd,
be
using
this
back-end
capabilities
that
has
just
basically
the
spec
and
the
status,
and
the
spec
itself
is
what
contains
the
configuration
for
for
the
re-encrypt
section,
plus
a
back-end,
Target
reference,
and
then
encrypt
type
is
what
has
you
know,
the
information
specific
information
that
we'd
be
using
for
that
second
hop
encryption.
E
So
what
we're
kind
of
talking
about
now
is
still
can't
get
that
that
tab
thing
to
work
there.
Let's
start
it
the
the
name
to
put
on
this.
E
E
If
we,
if
we
just
you,
know
substitute
TLS
there,
there
are,
as
I
mentioned,
there
are
other
places
where
there
is
a
TLS
object
and
putting
it
here.
If
that,
if
that
works-
and
everybody
is
okay
with
it,
then
I
can
I
have
no
no
problems
doing
that,
it's
just
going
to
be
me
who's
confused
afterwards.
If
everyone
else
agrees
with
it,.
D
D
E
I,
what
don't
think
so
go
ahead?
Rob.
A
So
currently
on
Gateway,
we
don't
have
any
kind
of
like
clients
or
we
don't
have
a
CA
bundle
that
I'm
aware
of
which
I
think
would
be
important
here,
but
I
I
think
that
could
be
a
cool
goal
because
it
does
seem
like
maybe.
A
It
would
be
very
confusing
yes,
but
if,
if
they
could
at
least
start
to
look
similar
in
their
structure,
I
guess
yeah
you're
right,
Mike
is
commenting
in
chat.
The
TLs
mode
would
not
be
applicable
that
that's
a
good
one.
E
D
I,
just
I
just
wanted
yeah
there
I
just
wanted
to
have
asked
the
question
because,
like
in
my
mind
the
one
of
the
best
things
that
you
can
do
with
an
API
like
this
is
to
any
time
you're
talking
about
two
or
less
settings
have
very
have
the
same
or
similar
keys.
Because
then
it's
it's
easier.
There's
less
of
a
conceptual
leap
for
you
to
understand
like
what
you're
talking
about
and
I.
Think
in
my
mind,
that's
the
reason
to
sort
of
have
it
be
like
the
this.
D
This
thing,
configures
your
TLS
and
you've,
got
like
the
thing
that
lets
you
specify
the
certificate.
Like
the
client,
you
know
a
client
certificate,
that's
used
and
and
a
service
certificate
that's
used.
We
do
have
outstanding
issues
to
allow
for
client
certificate
for
for
setting
like
a
CA
for
clients.
So
it's
on
the
listener.
D
You
know-
and
we
do
want
to
do
that
at
some
point
and
so
the
fact
that
we're
going
to
have
to
do
it
for
the
back
end
like
says
to
me:
well,
hey,
looking
ahead,
we're
going
to
need
to
do
this
for
the
listener
at
some
point.
If
we
name
this
thing,
similarly
to
The
Listener
one
and
give
it
some
new
fields
that
we
then
later
on
backboard
to
the
to
listen
to
one
and
sort
of
harmonize
the
things
later,
then
that
you
know
that
yeah.
E
D
My
mind
that
makes
sense
right
because
the
listener
has
like
this
is
the
the
TLs
stands
are
in
that
case,
for
both
of
these
things
configures
the
TLs
details.
You
need
to
use
to
connect
to
this
thing,
either
The
Listener
or
the
back
end
and
I
mean
if
we
just
like
you
know,
it
describes
the
TLs
properties
of
the
object,
and
that's
that's
what
I
like
about
it
like
Pro,
describing
the
properties
of
the
object
is
what
kubernetes
specs
are
supposed
to
do.
A
D
D
Please
use
this
specific
client
search
to
connect
to
this
specific
back
end,
whereas
in
The
Listener
case
you,
you
don't
generally
want
to
have
a
one-to-one
pairing
like
that
you're
always
having
a
many-to-one
pairing
where
you're
saying
you
know
we're
going
to
have
some
arbitrary
number
of
clients
connect
to
us,
and
they
all
need
to
be
validated
by
this
ca
for
the
for
the
listener
client
search
case,
you
want
to
see
a
Point,
not
not
a
back,
not
a
client-side
point
for
this
case.
You
do
want
you
having
a
client.
D
A
In
the
in
the
world
where
there
are,
you
know,
10
different
gateways
that
all
end
up
forwarding
to
the
same
service
extreme
case,
but
theoretically
could
happen.
It
seems
like
the
ideal
implementation
of
that
is
each
one
of
those
is
using
a
different
client
is,
and
that
that
would
not
be
something
representable
with
this
config.
It
feels
like
the
client
served
in
that
case
is
actually
in
the
wrong
place.
D
A
It's
like
the
Gateway
in
that
case
is
is
the
client
and
it
should
have
its
own
identity.
I,
don't
know,
there
have
been
some
great
comments
in
chat
too.
I
want
to
make
sure
you
know
Mike
Micaiah,
Lewin
John,
and
he
any
comments
you
want
to
raise
out
loud.
G
Yeah
I
I
just
have
in
my
mind
you
think
that
it's
more
like
the
transport
property
between
Gateway
and
the
back
end
I'm,
just
curious,
maybe
John
can
come,
and
how
does
the
ambient
solve
this
because
you
got
Waypoint
connecting
to
back
end
is
that
you
can
leverage
that,
like
a
transport,
you
got
this
Edge
phone
transport
people,
whether
there's
something
similar
to
that
way.
F
Yeah,
so
one
thing
we've
talked
about
in
the
gamma
group
is
that
things
like
mesh
mpls.
We
don't
want
that
to
be
a
part
of
any
API.
That's
not
what
this
is
mesh
mpls
or
maybe
they
don't
even
use
MPS.
Maybe
these
wire
guard
or
ipsec
or
whatever
right,
that's
not
what
back-end
properties
is.
The
back
end
is
like
what
the
application
actually
does
and
if
the
service
mesh
wants
to
Tunnel
over
heb2
or
use
bioguard
whatever
that's
that's
up
to
them.
It's
kind
of
orthogonal.
D
Sorry
go
ahead,
yeah,
so
what
so?
What
you're
saying
there
John
is
that
the
the
back
end
properties
that
we're
talking
about
here
in
the
back
end
capabilities,
we're
talking
about
are
these
are
the
certs
that
if
you
connect
to
the
port
that
you're
given
on
this
on
this
service,
it
will
expect
you
to
you
to
connect
using
TLS
using
their
sports.
D
That's
what
having
this
stanza
set-
and
this
thing
implies-
is
that
if
you
try
and
connect
to
a
port
directly
running
on
this
service,
then
the
service
like
running
inside
the
Pod
will
have
these
TLS
details
right
like
there's.
No,
this
is
not
like
the.
This
is
not
some
abstracted
thing
where
the
there's
like
some
implementation,
is
doing
some
magic
stuff
for
you.
This
is
like
this
service
running
inside.
The
Pod
is
actually
presenting
these
TLS
certs.
As
part
of
this
thing,
and
that's
why
this
is
a
back-end
capability.
D
I'm
kind
of
asking
generally
like
the
yeah,
so
I
think
that's
what
what
John
is
saying
is
like
yeah,
like
the
for
the
mesh
case.
D
The
containers
that
run
the
service
not
add
some
infrastructure
at
some
magic
infrastructure
layer,
and
so
the
point
of
these
back-end
capabilities
is
to
say:
hey.
If
you
connect
to
this
service,
you
need
to
have
these
TLS
details
set
or
you
know.
For
example,
we
put
the
websockets
thing
in
or
if
you
connect
to
this
service-
and
you
know
you
have
websockers
available
on
these
paths
or
you
know,
or
you
should
use
this
low
balancing
algorithm
or
like
that's.
D
F
Yes,
that
does,
if
you
don't
mind
that
kind
of
transitions
to
my
next
question,
so
it
feels
like
there's
almost
two
different
types
of
things
that
we
want
to
describe.
One
is
this:
is
these
are
properties
at
the
back
end
like
it
is
running
on
TLS
it
Sports
HTTP,
2
and
HTTP
one
or
you
know
all
these
different
things,
but
then
there's
another
property,
that's
what
should
I
actually
send
when
I'm
requesting
you
know
sending
requests
to
this
back
end
if
they
support
HTTP,
2
and
HTTP.
F
One
right
I
have
a
choice:
I
could
choose
one
or
the
other
if
it's
TLS,
it's
almost.
It
feels
almost
obvious
like
oh
well.
We
should
just
encrypt
it
right,
but
what?
If
the
request
is
already
encrypted?
If
it's
an
HTTP
route,
we
probably
know
if
it's
a
TCP
route,
we
may
not
know
right,
it
could
be.
You
know,
opaque
PCP
stream,
but
that's
actually
T
loss
fights
and
then
we
don't
want
to
pre-encrypt
it
so
I,
don't
know
what
that
looks
like
from
an
API
standpoint,
but
I.
F
D
I
think
your
point
is
fair,
that
all
of
the
things
that
we're
talking
about
are
really
only
useful
for
HTTP
route
right,
like
all
the
things
most
all
sorry,
not
all
of
our
things,
but
most
of
the
things
we're
talking
about
here
are
really
only
useful
as
for
HTTP
right,
where
you've
terminated
the
connection
and
now
you're
creating
a
new
HTTP
connection
from
your
gateway
implementation,
you're
not
passing
through
at
the
TCP
level,
the
the
stream
you're
not
doing
only
TLS
route
style,
routing
based
on
Sni,
you
know
you're
doing
this
is
your
only
your
your.
D
This
is
a
unencrypted
terminated,
HTTP
stream,
where
you're
you
know
where
now
you're,
trying
to
where
now
you're
trying
to
describe
the
properties
of
the
that
your
gateway
should
use
to
create
a
new
connection
to
this
HTTP.
So.
D
D
E
But
you
you've
compared
it
to
something
that
John
had
said,
which
was
completely
different
because
he
was
talking
about
you
know
I
think
I
mean
not
sure
I
understand
what
John
was
talking
about
either,
but
I
think
he
was
talking
about
you
know
to
to
whom
who
needs
to
know
about
this
and
that's
a
question
I.
That
I
had
too,
like
it's
an
implementer's
question
and
I'm
not
actually
coming
from
an
implementer's
Viewpoint,
so
I
mean
when
you
think
about
it.
E
You
have
to
you're
gonna,
have
to
pull
up
this
back-end
capabilities
at
at
the
point
where
you've
got
traffic.
E
Excuse
me
for
a
second
you've
got
traffic
coming
in
from
the
Gateway,
and
you
need
to
figure
out
whether
you
need
to
encrypt
it
or
not.
But
you
need
to
know
whether
it's
encrypted
already
so
yeah.
B
G
Well,
yeah
I,
you
know
here's
one
implementation,
I
can
Envision,
let's
say
for
example,
if
we're
running
this
in
the
cloud
infrastructure
like
say,
for
example,
AWS
we
may
we're
thinking
about
maybe
just
handle
this
under
by
the
cloud
infrastructure.
So
once
you
come
into
Gateway,
you
know
the
the
owner
of
a
service
decide
what
kind
of
certificate
you
use
to
authenticate
a
client,
but
once
you
go
down
through
the
Gateway
between
Gateway
and
back
end
is
basically
the
cloud
infrastructure
can
automatically
encrypt
everything
coming
going
from
Gateway
to
the
endpoint.
G
So
that's
like
one
flag
here,
the
encryption
note,
so
the
the
endpoint
doesn't
really
know
because
the
traffic
is
already
encrypt
all
the
way
to
to
the
back
end
path.
That's
that's
one
use
case.
I
can
think
of
so.
D
That
sounds
a
little
bit
more
like
what
John
was
talking
about
with
the
mesh
one,
where
you
know,
if
the
and
that's
what
I
was
trying
to
say
before,
where
it
seems
to
me
like
this
back-end
capabilities
thing
almost
really
should
have
like
what
the
business
they
were
talking
about
here
would
re-encrypt,
actually
really
almost
should
be
under
our
HTTP
stanza
right
like
so.
This
is
a
HTTP
properties.
D
This
is
only
if
you're
trying
to
make
a
HTTP
connection
to
this
thing
right
like
and
that's
when
you
then
say:
okay,
the
TLs
details
are
required
right,
yeah,
or
something
like
that
like
so,
and
but
that
and
again
it
comes
down
to
the
fact
that
the
backing
capabilities
here
are
describing
what's
running
inside
the
Pod.
What
does
the
process
that's
running
inside?
The
Pod
expect
you
to
do
and
the
process
is
running
inside.
The
Pod
expects
to
receive
TLS
details
right
and
then
we're
saying
that
the
Gateway
that's
connecting
it.
G
G
Yeah
one
assumption
that
is,
you
know
if
you're
talking
about
Mewtwo
mtos,
the
authentication
part,
the
assumption
is,
the
Gateway
is
already
has
done
the
job
authenticating,
who
the
client
are
and
also
do
the
authorization
to
to
look
at
the
payload
to
see
whether
you
can
do
this
action,
so
that's
already
done
by
the
Gateway.
There's
really
no
atom
benefit
for
the
back
end.
To
do
that
again,
so
the
assumption
is
you
the
the
really
the
benefit
of
you
know,
Mutual
TRS
between
the
Gateway
and
the
client
or
transport
layer.
G
Security
is
just
to
secure
the
data.
So
it's
not
in
the
you
know
clear
text,
because
I
think
assumption
is
the
back
end:
the
Pod
running
application.
They
just
received
application
data.
They
already
assume
the
Gateway
is
doing
the
authentication
authorization
for
on
behalf
of
them.
D
I
mean
I.
Think
part
of
the
part
of
the
point
of
this
is
that
we
can
make
it.
So
you
don't
have
to
do
that
right
like
so
that
so
that
you
can
you
can
you
can
do
the
authorization
at
the
Pod
level?
If
that's
what
you
want
to
do
like
the
again
like
and
that's
I,
think
that's
where
John's
distinction
is
important,
that
that
the
mtls
we're
talking
about
here
is
not
the
service
mesh
magic
mtls,
where
it's
injected
for
you
by
the
platform
right.
D
A
G
A
And
just
I
want
it
encrypt
it
and
in
that
case,
like
I
I,
don't
know
how
to
communicate
that.
But
that
is
a
different
bit
of
configuration
than
what
we
are
exploring
here
or
or
an
alternative
way
to
say:
hey
I
just
wanted
encrypted.
Can
you
do
it
for
me
and.
G
D
Yeah,
so,
in
my
mind
this
this
thing
this,
like
back-end
properties
thing,
is
for
people
who
aren't
running,
who
don't
have
the
infrastructure
capability
to
automatically
do
encryption
right?
This
is
this
is
for
people
who
are
running
in
a
cluster.
You
know
it's
only
it's
only,
for
you
know,
people
who
are
running
in
a
cluster
that
doesn't
have
any
of
the
magic
stuff
where
you
need
some
way
to
be
able
to
specify
hey
from
my
gateway
to
this
to
the
back
end.
I
want
it
to
be
encrypted.
Please.
G
F
D
A
Yeah
and
I
so
I
agree
with
that
idea
and
I
do
want
to
do
a
time
check
because
we
we
are
at
time
here
I,
just
maybe
for
a
follow-up
offline,
I
I
think
the
disconnect
here
is
that
what
happens
when
we
have
gateways
that
see
this
back-end
properties
and
want
to
honor
it,
but
can't
or
like
can
we
just
say
some
gateways
can
just
ignore
it
because
I
don't
know
how
to
support
it.
You
know
that
that
would
be
I
guess
maybe
what
we
need
as
a
follow-up.
A
Sorry,
I
can't
sorry,
Candace
I
know
that
we
probably
just
went
in
circle.
Well,
we
had
lots
of
good
discussion,
but
I
don't
know
if
it
helped
make
make
this
any
less
confusing,
but
I
think.
Hopefully
this
served
as
a
good
reminder
that
this
PR
exists.
Please
take
a
look
at
it.
Some
good
comments
in
chat
and
in
discussion
today.
So
please,
let's
continue
that
discussion
on
this
PR,
it's
14,
30.