►
From YouTube: SIG Network Gateway API Bi-Weekly Meeting for 20221010
Description
SIG Network Gateway API Bi-Weekly Meeting for 20221010
A
Foreign,
hey
welcome
to
the
Gateway
API
community
meeting
for
October
10
2022..
We
are
getting
awfully
close
to
kubecon
thanks
to
everyone
who
made
it
here,
just
a
few
things
on
the
agenda
today,
but
before
we
get
to
it,
just
a
quick
reminder
that
this
is
just
like
any
other
kubernetes
community
meeting
Guided
by
the
same
code
of
conduct,
which
is
generally
just
to
be
nice
to
each
other.
A
There's
a
lot
more
details.
If
you
look
up
the
kubernetes
community
code
of
conduct,
but
I
think
we've
all
been
very
friendly.
So
another
reminder
that
please,
if
you
have
anything
to
discuss,
don't
hesitate
to
bring
it
up,
you
can
anyone
should
be
able
to
edit
this
agenda
or
you
can
drop
some
Link
in
chat
as
well
or
just
speak
up
whatever
works
best
for
you
with
that,
let's
get
started
on
the
agenda.
A
First
up,
we've
got
kubecon
we're
wow
a
couple
weeks
away
so
hopefully
see
some
of
you.
There
we
put
a.
We
had
a
couple
cfps
for
contrib
Summit.
Both
of
them
got
in
one
of
them
is
an
actual
talk
of
sorts
that
we
need
to
give
for.
Anyone
who
hasn't
been
to
contrib
Summit
before
it's
a
pretty
informal
thing
but
I
am
very
much
looking
for
for
different
contributors.
A
So
you
know,
if
you're,
if
you're
able
to
make
it
reach
out
to
myself
or
Shane
and
we'd
love
to
fit
you
in
and-
and
you
know,
have
you
help
out
with
this
talk
again,
it's
a
pretty
informal
thing,
but
I
would
love
to
get
some
other
people
speaking
about
Gateway
API
and
just
not
put
anyone
on
the
spot.
But
does
anyone
want
to
volunteer
now
any
chance.
C
A
C
You
know
where
we
can
use
the
Gateway,
API
and
stuff
to
show
it
off
and
we're
getting
questions
from
some
large
carriers
about
whether
they
should
be
pushing
their
vendors
to
comply
with
Gateway,
API
et
cetera,
et
cetera,
and
so
you
know,
I
think
I-
think
it's
a
direction.
We're
very
interested
in
I
I
have
also
on
the
phone
Quang
who's
on.
A
Hey
that
that
is
awesome,
that's
a
great
intro.
Welcome
everyone
from
the
team
excited
to
see
where
that
goes.
I've
I've
just
had
a
few
other
people
reach
out
about
Telco
and
how
what
that
means
for
Gateway
API,
so
I
would
be
good
to
make
those
connections
and
see
where
we
can
go
with
that
and
I
I.
Imagine
I'm,
not
the
only
person
who's
had
those
discussions,
so
yeah,
that's
awesome,
I
I
know
for
contribute,
Summit,
it's
it's
basically
an
all-day
thing.
I.
A
The
schedule
is
supposed
to
really
be
released
sometime
today,
but
at
last
I
checked
it
hadn't
been,
but
we
should
know
soon
when
these
things
are
going
to
be.
If
not
I
know,
I've
I've
been
trying
to
set
aside
time
on
Tuesday
and
I.
Think
some
other
maintainers
have
some
time
on
Tuesday
as
well
to
just
have
some
informal
meetings
and
discussions.
A
You
awesome
and
so
yeah
just
yeah
one
last
reminder
if
you
are
interested
in
either
being
part
of
the
working
session.
Hopefully
that's
many
of
you
and
also,
if
you're
interested
in
helping
to
present
our
crd
talk.
I
would
would
love
to
hear
from
you
again
just
reach
out
in
slack
or
in
chat
or
whatever
works
best
Nick.
It
is
great
to
see
you
alive
again.
Welcome
back
yeah
thanks.
D
Cool
I
haven't
I,
I
talked
to
Rob
about
it,
but
yeah
for
those
of
you
who
don't
know.
Yeah
I
went
to
I,
went
on
skiing
trip
a
little
while
ago
and
have
blown
my
snapped.
My
ACL
and
torn
my
MCL
on
my
left
leg
and
tore
my
MCL
on
my
right
leg.
So
I
am
on
crutches
and
T-Mobile
and
will
not
be
able
to
make
it
to
kukon,
which
I
am
extremely
upset
about.
So.
B
D
D
Yeah
yeah,
it's
pretty
painful,
but
yeah
Lewin
just
asked.
If
we
can
attend
the
working
session
remotely
through
Zoom
I
personally
would
love
it.
If
I
could
at
least
be
a
fly
on
the
wall,
you
know
so
that
I
can.
Even
if
I
have
to
get
up
at
some
stupid
hour,
it
would
be
nice
to
try
and
or
at
least
if
it's,
if
it's
on
zoom
and
recorded
at
least
I
can
catch
up
yeah,
so
yeah
I
definitely
would
have
loved
to
have
been
there.
D
D
A
Cool
yeah,
so
yes,
big,
big,
plus
one
to
feel
better
soon.
Nick
that
sounds
awful,
but
also
I
should
follow
up.
I've
been
talking
with
I.
Think
Jason
and
Bob
are
the
two
people
that
I've
been
talking
with
about
contrib
Summit
I'll
check
in
with
them
to
see.
If
there's
any
like
good
way
to
do
that,
but
yeah
I'd
love
to
have
some
kind
of
hybrid,
so
much
of
the
conference
is
hybrid
I
would
love
to
see
if
we
could
make
that
happen.
For
this
particular
part
of
it.
E
A
Yeah
yeah
cool
all
right.
Next
on
the
agenda,
the
Ingress
to
Gateway
repo
is
live
and
I
like
you.
You
are
not
wrong.
There's
nothing
here!
This
is
just
from
the
template.
I
still
need
to
make
a
PR
with
actual
code
in
here,
but
the
maintainers
here
are
the
same.
Maintainers
of
Gateway
API,
so
I
think
we'll
cover
any
one.
I
think
this
is
going
to
be
a
pretty
small
project,
but
I
think
we
can
cover
it
under
the
same
meetings.
A
A
You
know
it
works,
but
barely
that
we'll
take
Ingress
resources
from
your
cluster
and
output,
equivalent
emo
for
Gateway
API
resources,
and
it
understands
some
subset
of
implementation,
specific
annotations,
so
yeah,
that's
the
thing
that
I'll
try
and
get
a
pierra
out
for
soon
on
this
repo,
but
again
for
anyone,
who's,
a
Gateway,
API
maintainer,
already
you've
kind
of
been
volunteered
to
also
maintain
this.
Thank
you,
but
also
anyone
else
is
welcome
to
just
pay
attention
and
review.
A
Any
changes,
contribute
I,
know,
I,
know
the
last
time
I
presented
this.
There
were
a
few
people
that
that
seemed
interested
in
in
helping
out.
So
by
all
means
we
can
always
use
more
contributors,
and
this
is
a
great
opportunity
if
you're
new
and
just
want
to
help
out
so
yeah,
that's
Ingress
to
Gateway.
It
is
ready
for
contribution.
Well,
I
need
to
make
a
PR,
but
then
I'll
be
ready
for
contributions
yeah
and
then,
with
that
I
think,
let's
get
into
the
060,
Milestone
and
I
think
Mike.
B
D
B
D
B
B
D
D
Sense,
just
one
more
place
where
we're
consolidating
the
different
reasons
that
we
had
across
different
conditions
to
to
be
the
same
reason
across
different
conditions
across
different
conditions
that
are
used
in
different
places
like
the
Gateway
class
conditions,
the
Gateway
condition
and
the
route
condition.
We
want
them
to
have
similar,
States
and
similar
reasons,
so
that
when
you're.
Looking
at
one
thing
you
can
you
know
you
can
transfer
your
knowledge
about
one
thing
to
another.
A
B
I
would
be
happy,
for
this
is
relatively
straightforward
if
any
new
contributor
is
interested
in
picking
this
up
and
the
other
two
I
I.
Obviously
I
have
a
question
that
Shane
started
answering
about
if
there's
any
specifics,
as
far
as
like
Cube
Builder
validation
or
anything
like
that
for
just
like
deprecating
things
properly,
but
those
two
I
could
probably
finish
up
and
check
myself.
B
Thank
you
and
there's
at
least
one
other
one
that
probably
needs
a
PR
around
the
like
HTTP
route
rules
and
the
changes
from
The
Gap
and
just
making
sure
those
are
all
clearly
documented
in
our
actual
docs.
That
one
is
much
more
involved.
The
the
Gap
spells
out
well,
but
but
the
documentation
updates
are
going
to
be
much
more
involved
and
comprehensive.
I
think
so.
I
haven't
done
that
and
I'll
probably
not
have
time
for
that.
One
I.
A
A
Crpc
route
is
almost
done,
there's
just
one
more
docs
PR
to
get
in
and
then
almost
everything
is
related
to
status
now,
so
anything
we
can
do
to
help,
and
this
is
that
you
know
I'm
not
trying
to
rush
anyone
either.
I
know
that
things
take
time
and
we
don't
want
to
rush
to
release
out
the
door
so
just
but
yeah.
Let
us
know
how
we
can
help,
and
it
sounds
like
that.
So
it
sounds
like
everyone.
It
sounds
like
all
the
pieces
of
this
Gap
are
accounted
for
in
some
way
right.
A
D
D
B
D
Yeah,
so
we
could.
We
could
certainly
phase
this
and
have
it
be
that
you
know
for
o60,
we
put
you,
we
put
it
that
you
must
set
accepted
and
we'll
check
for
accepted
in
the
conformance
tests
and
then
but
we'll
leave
ready
as
it
stands
and
then
make
it
that
070
is
when
we
break
ready
and
we
put
and
we
Skip,
and
we
flip
that
to
programmed
and
have
and
move
ready
to
Extended
or
we
can
do
it
yeah.
Just
like
that,
it's
more
the
only
reason
I
would
suggest
not
doing
it.
D
So
it's
just
so
maybe
we
hold
that
in
our
back
pocket
and
if,
if
Mike
and
I
managed
to
smash
the
the
other
stuff
pretty
quickly
and
we're
and
I'm
sitting
around,
you
know
the
week
before
kubecon
with
nothing
to
do.
Then
then,
maybe
maybe
I'll
try
and
get
it
in
then,
because
since
I'm
not
traveling
I
can
you
know.
D
A
D
D
So,
let's
so
to
just
wrap
this
wrap
that
statement
up
in
so
ready
will
will
be
changed
to
programmed
as
a
part
of
the
o60
release.
It
may
not
happen
before
kubecon
because
timing,
but
but
we
will,
but
we
will
make
sure
that
that
ready
gets
changed
to
programmed
with
conformance
tests
updates
before
we
actually
cut
the
final
o60
yeah.
D
D
Us
know
yeah,
yes,
I
remember,
for
everyone
who's
an
implementer.
This
change
is
going
to
be
a
big
one.
You
will
have
to
stop
programming
ready
or
you
can
keep
programming
ready
if
you
want,
but
you
will
need
to
program.
The
programmed
condition
as
well
like
the
programmed
condition,
will
be
what
the
conformance
tests
used
to
to
sort
of
be
to,
as
the
signal
that
hey
now
I
can
actually
start
checking
that
your
thing
is
conformant
rather
than
ready.
B
A
Cool
thanks
thanks
Nick
and
Mike
for
taking
that
on
that's
a
ton
of
work
but
excited
to
to
get
it
through
yeah.
Let
me
run
through
the
rest
of
the
Milestone
items
here.
Sorry
Mike
were
you
about
to
say
something:
I
may
have
missed
all
right
cool
all
right,
so
this
is
status.
This
is
grpc,
Route
I
think
we're
good
on
that
front.
Thank
you.
Richard
I
saw
one
more
PR
update
from
you
that
I
need
to
review,
or
anyone
can
review.
A
A
A
D
B
A
A
A
Yes,
actually
pretty
good
coverage
on
reference
Grant.
The
weird
thing
I
didn't
really
know
how
to
explain
this,
but
John
went
through
a
couple
weeks
ago
and
did
this
kind
of
clever
thing
where
we're
using
type
aliases
for
everything
in
Alpha
two.
This
makes
it
a
bit
easier
to
implement
if
you're
trying
to
support
both
Alpha
2
and
beta
1.,
but
it
means
that
the
types
files
are
not
an
exact
copy
anymore.
It's
instead,
you've
got
to
do
some
type
aliasing.
A
D
B
E
Last
week,
I
I
am
made
a
pull
request
to
include
the
implementation
for
what
we
had
been
discussing
in
the
meeting
for
backend
properties.
The
back
end
properties
are
the
way
that
we
decided
to
go
forward
for
TLS
re-encrypt,
also
known
as
Upstream
encrypt
and
I
got
some
feedback
from
it
from
a
lot
of
people.
E
D
Yeah,
that's
definitely
some
Envoy
terminology
creeping
in
there
because
that's
how
all
the
way
it
talks
about
it,
yeah
I
think
it's
it's
a
really
interesting
naming
problem,
I'm!
Actually,
I
I!
You
I'd
actually
be
a
little
bit
more
kind,
because
this
thing
is
I'm
already
a
back-end
properties
thing.
It
makes
sense.
D
It
makes
it
actually
makes
sense
to
me
what
Tara
was
saying
about
just
calling
it
TLS,
because
this
is
then
the
TLs
properties
of
the
back
end,
because
you're
describing
the
back
end,
you're,
describing
the
service
and,
and
so
this
and
so
having
a
btls
I.
Don't
I
think
because
it's
a
separate
object.
It's
okay
to
use
the
word.
That's
sort
of
my
initial
feel,
but
I
think
I.
E
E
D
D
It
makes
sense
to
do
that,
and
it
also
means
that
you
you're
sort
of
reusing
a
word
means
that
your
people
can
kind
of
expect
that
the
behavior
will
be
similar
when
you
put
the
TLs
properties
on
The
Listener
and
the
TLs
properties
on
the
back
end.
It's
like
this
is
the
TLs
details
you
use
to
connect
to
this
thing.
D
I
think
you
would
need
explanation
in
the
docs,
obviously,
but
but
because
I
think
the
all
of
the
things
that
that
you're
saying
like
I
agree
that
recrypt
is
not
it's
also,
not
that
great.
But
you
know
and
and
say
and
you
other
options
are
then
sort
of
you're
sort
of
saying,
like
you're,
describing
the
behavior
that
you're
getting
rather
than
a
property
of
the
the
object.
D
A
B
E
B
E
E
Name
it
what
it's
named,
but
if
you
want
feedback
on
what
seems
to
be
understandable,
then
I,
just
I
just
made
those
suggestions
of
you
know
a
for
something
that
that
you
could
put
in
this
document
that
we're
that
you're,
showing
on
the
screen.
Now
that
would
describe
to
people
I
mean
you
couldn't
put
well
I,
don't
know
if
you
would
even
describe
it
in
here.
A
Now
remember
we
had
this
discussion
back
in
the
day
when
we
were
talking
about
different
options
for
TLS
mode
and
re-encrypt
was
one
of
the
options
we
considered
but
again,
I
think
at
that
point
in
time.
The
the
idea
was
that
we
really
just
want
to
describe
what
happens
at
the
listener,
and
you
know
on
on
the
way
in
from
client
to
Gateway
and
then
leave
gateway
to
service
for
some
other
configuration
such
as
now
backend
properties,
so
I
think
in.
If
we
continued
with
that
line
of
thought,
then
nothing
here
would
change.
D
Yeah
I
mean
I.
Think
importantly,
back-end
properties
doesn't
make
one
of
the
good
things
about
having
it
be
separate
is
that
it
makes
no
representations
about
what
the
protocol
on
the
business
side
is,
but,
like
it's
completely
valid,
it
seems
to
me
that
it
should
be
completely
valid
to
you.
Have
you
come
in
on
clear
text
and
then
encrypt
to
the
back
end
right,
like
it's
they're
completely
orthogonal
concerns.
D
You
know
whether
or
not
the
listener
is
encrypted
and
whether
or
not
the
back
of
the
connection
to
the
back
end
from
the
Gateway
is
encrypted.
Would
you
do
that
like
have
clear
text,
HTTP
and
then
https
to
the
back
end
that'd
be
super
weird,
but
hey
like
by
that,
but
having
them.
Orthogonal
concerns
means
that
it
means
that
you
don't
need
to
like
intertwine
the
two
things
sorry
I
spoke
over
you.
What
were
you
gonna
say.
E
D
E
D
D
So,
in
my
mind,
the
the
person
who
owns
the
service
owns
the
back-end
properties
for
the
service.
A
person
who
owns
the
Gateway
owns
the
TLs
properties
for
the
listener,
so
the
cluster
admin
owns
The
Listener
owns
like
owns.
If
their
cluster
admin
owns
the
Gateway
in
The
Listener
then,
is
their
responsibility.
What
certs
are
used
and
how
that
TLS
connection
happens
and
then,
as
a
as
an
application
developer,
I
can
say
well,
I
want
the
connection.
D
I
want
the
connection
from
your
gateway
from
the
gateway
to
my
back
end,
to
be
also
to
be
TLS
and
that's
within
my
control
and
this.
Thus
the
back
end
properties
is
mine
and
that's
another
good
reason
to
have
the
the
two
things
be
orthogonal
is,
that
is
that
it
lets
you
split
the
decisions
about
which
things
are
TLS
to
the
to
between
the
personas.
E
E
E
Yeah
I
did
I
did
make
some
changes
already.
There's
some
I
I
wasn't
so
sure
about,
but
we
don't
have
to
talk
about
it
in
the
meeting.
Necessarily
do
you
wanna
I
mean
what
I'm
talking
about
now
is
particularly
the
use
of
the
word.
I
use
the
word
re-encrypt
to
to
Signal
this,
but
let's
look
at
the
whole.
Look
at
the
whole
thing
actually.
A
E
E
E
If
we,
if
we
just
you,
know
substitute
TLS
there,
there
are,
as
I
mentioned,
there
are
other
places
where
there
is
a
TLS
object
and
putting
it
here.
If
that,
if
that
works-
and
everybody
is
okay
with
it,
then
I
can
I
have
no
no
problems
doing
that,
it's
just
going
to
be
me
who's
confused
afterwards.
If
everyone
else
agrees
with
it,.
D
D
A
D
I,
just
I
just
wanted
yeah
there
I
just
wanted
to
have
asked
the
question
because,
like
in
my
mind
the
one
of
the
best
things
that
you
can
do
with
an
API
like
this
is
to
any
time
you're
talking
about
two
or
less
settings
have
very
have
the
same
or
similar
keys.
Because
then
it's
it's
easier.
There's
less
of
a
conceptual
leap
for
you
to
understand
like
what
you're
talking
about
and
I.
Think
in
my
mind,
that's
the
reason
to
sort
of
have
it
be
like
the
this.
D
This
thing,
configures
your
TLS
and
you've,
got
like
the
thing
that
lets
you
specify
the
certificate.
Like
the
client,
you
know
a
client
certificate,
that's
used
and
and
a
service
certificate
that's
used.
We
do
have
outstanding
issues
to
allow
for
client
certificate
for
for
setting
like
a
CA
for
clients.
So
it's
on
the
listener.
D
You
know-
and
we
do
want
to
do
that
at
some
point
and
so
the
fact
that
we're
going
to
have
to
do
it
for
the
back
end
like
says
to
me:
well,
hey,
looking
ahead,
we're
going
to
need
to
do
this
for
the
listener
at
some
point.
If
we
name
this
thing,
similarly
to
The
Listener
one
and
give
it
some
new
fields
that
we
then
later
on
backboard
to
the
to
listen
to
one
and
sort
of
harmonize
the
things
later,
then
that
you
know
that
yeah.
E
D
My
mind
that
makes
sense
right
because
the
listener
has
like
this
is
the
the
TLs
stands
are
in
that
case,
for
both
of
these
things
configures
the
TLs
details.
You
need
to
use
to
connect
to
this
thing,
either
The
Listener
or
the
back
end
and
I
mean
if
we
just
like
you
know,
it
describes
the
TLs
properties
of
the
object,
and
that's
that's
what
I
like
about
it
like
Pro,
describing
the
properties
of
the
object
is
what
kubernetes
specs
are
supposed
to
do.
A
D
Please
use
this
specific
client
search
to
connect
to
this
specific
back
end,
whereas
in
The
Listener
case
you,
you
don't
generally
want
to
have
a
one-to-one
pairing
like
that
you're
always
having
a
many-to-one
pairing
where
you're
saying
you
know
we're
going
to
have
some
arbitrary
number
of
clients
connect
to
us,
and
they
all
need
to
be
validated
by
this
ca
for
the
for
the
listener
client
search
case,
you
want
to
see
a
Point,
not
not
a
back,
not
a
client-side
point
for
this
case.
You
do
want
you
having
a
client.
D
A
In
the
in
the
world
where
there
are,
you
know,
10
different
gateways
that
all
end
up
forwarding
to
the
same
service
extreme
case,
but
theoretically
could
happen.
It
seems
like
the
ideal
implementation
of
that
is
each
one
of
those
is
using
a
different
client
is,
and
that
that
would
not
be
something
representable
with
this
config.
It
feels
like
the
client
served
in
that
case
is
actually
in
the
wrong
place.
D
A
F
Yeah,
so
one
thing
we've
talked
about
in
the
gamma
group
is
that
things
like
mesh
mpls.
We
don't
want
that
to
be
a
part
of
any
API.
That's
not
what
this
is
mesh
mpls
or
maybe
they
don't
even
use
MPS.
Maybe
these
wire
guard
or
ipsec
or
whatever
right,
that's
not
what
back-end
properties
is.
The
back
end
is
like
what
the
application
actually
does
and
if
the
service
mesh
wants
to
Tunnel
over
heb2
or
use
bioguard
whatever
that's
that's
up
to
them.
It's
kind
of
orthogonal.
D
Sorry
go
ahead,
yeah,
so
what
so?
What
you're
saying
there
John
is
that
the
the
back
end
properties
that
we're
talking
about
here
in
the
back
end
capabilities,
we're
talking
about
are
these
are
the
certs
that
if
you
connect
to
the
port
that
you're
given
on
this
on
this
service,
it
will
expect
you
to
you
to
connect
using
TLS
using
their
sports.
D
That's
what
having
this
stanza
set-
and
this
thing
implies-
is
that
if
you
try
and
connect
to
a
port
directly
running
on
this
service,
then
the
service
like
running
inside
the
Pod
will
have
these
TLS
details
right
like
there's.
No,
this
is
not
like
the.
This
is
not
some
abstracted
thing
where
the
there's
like
some
implementation,
is
doing
some
magic
stuff
for
you.
This
is
like
this
service
running
inside.
The
Pod
is
actually
presenting
these
TLS
certs.
As
part
of
this
thing,
and
that's
why
this
is
a
back-end
capability.
D
The
containers
that
run
the
service
not
add
some
infrastructure
at
some
magic
infrastructure
layer,
and
so
the
point
of
these
back-end
capabilities
is
to
say:
hey.
If
you
connect
to
this
service,
you
need
to
have
these
TLS
details
set
or
you
know.
For
example,
we
put
the
websockets
thing
in
or
if
you
connect
to
this
service-
and
you
know
you
have
websockers
available
on
these
paths
or
you
know,
or
you
should
use
this
low
balancing
algorithm
or
like
that's.
D
F
Yes,
that
does,
if
you
don't
mind
that
kind
of
transitions
to
my
next
question,
so
it
feels
like
there's
almost
two
different
types
of
things
that
we
want
to
describe.
One
is
this:
is
these
are
properties
at
the
back
end
like
it
is
running
on
TLS
it
Sports
HTTP,
2
and
HTTP
one
or
you
know
all
these
different
things,
but
then
there's
another
property,
that's
what
should
I
actually
send
when
I'm
requesting
you
know
sending
requests
to
this
back
end
if
they
support
HTTP,
2
and
HTTP.
F
One
right
I
have
a
choice:
I
could
choose
one
or
the
other
if
it's
TLS,
it's
almost.
It
feels
almost
obvious
like
oh
well.
We
should
just
encrypt
it
right,
but
what?
If
the
request
is
already
encrypted?
If
it's
an
HTTP
route,
we
probably
know
if
it's
a
TCP
route,
we
may
not
know
right,
it
could
be.
You
know,
opaque
PCP
stream,
but
that's
actually
T
loss
fights
and
then
we
don't
want
to
pre-encrypt
it
so
I,
don't
know
what
that
looks
like
from
an
API
standpoint,
but
I.
F
D
D
D
E
But
you
you've
compared
it
to
something
that
John
had
said,
which
was
completely
different
because
he
was
talking
about
you
know
I
think
I
mean
not
sure
I
understand
what
John
was
talking
about
either,
but
I
think
he
was
talking
about
you
know
to
to
whom
who
needs
to
know
about
this
and
that's
a
question
I.
That
I
had
too,
like
it's
an
implementer's
question
and
I'm
not
actually
coming
from
an
implementer's
Viewpoint,
so
I
mean
when
you
think
about
it.
E
B
G
Well,
yeah
I,
you
know
here's
one
implementation,
I
can
Envision,
let's
say
for
example,
if
we're
running
this
in
the
cloud
infrastructure
like
say,
for
example,
AWS
we
may
we're
thinking
about
maybe
just
handle
this
under
by
the
cloud
infrastructure.
So
once
you
come
into
Gateway,
you
know
the
the
owner
of
a
service
decide
what
kind
of
certificate
you
use
to
authenticate
a
client,
but
once
you
go
down
through
the
Gateway
between
Gateway
and
back
end
is
basically
the
cloud
infrastructure
can
automatically
encrypt
everything
coming
going
from
Gateway
to
the
endpoint.
G
D
That
sounds
a
little
bit
more
like
what
John
was
talking
about
with
the
mesh
one,
where
you
know,
if
the
and
that's
what
I
was
trying
to
say
before,
where
it
seems
to
me
like
this
back-end
capabilities
thing
almost
really
should
have
like
what
the
business
they
were
talking
about
here
would
re-encrypt,
actually
really
almost
should
be
under
our
HTTP
stanza
right
like
so.
This
is
a
HTTP
properties.
D
This
is
only
if
you're
trying
to
make
a
HTTP
connection
to
this
thing
right
like
and
that's
when
you
then
say:
okay,
the
TLs
details
are
required
right,
yeah,
or
something
like
that
like
so,
and
but
that
and
again
it
comes
down
to
the
fact
that
the
backing
capabilities
here
are
describing
what's
running
inside
the
Pod.
What
does
the
process
that's
running
inside?
The
Pod
expect
you
to
do
and
the
process
is
running
inside.
The
Pod
expects
to
receive
TLS
details
right
and
then
we're
saying
that
the
Gateway
that's
connecting
it.
G
G
Yeah
one
assumption
that
is,
you
know
if
you're
talking
about
Mewtwo
mtos,
the
authentication
part,
the
assumption
is,
the
Gateway
is
already
has
done
the
job
authenticating,
who
the
client
are
and
also
do
the
authorization
to
to
look
at
the
payload
to
see
whether
you
can
do
this
action,
so
that's
already
done
by
the
Gateway.
There's
really
no
atom
benefit
for
the
back
end.
To
do
that
again,
so
the
assumption
is
you
the
the
really
the
benefit
of
you
know,
Mutual
TRS
between
the
Gateway
and
the
client
or
transport
layer.
G
D
I
mean
I.
Think
part
of
the
part
of
the
point
of
this
is
that
we
can
make
it.
So
you
don't
have
to
do
that
right
like
so
that
so
that
you
can
you
can
you
can
do
the
authorization
at
the
Pod
level?
If
that's
what
you
want
to
do
like
the
again
like
and
that's
I,
think
that's
where
John's
distinction
is
important,
that
that
the
mtls
we're
talking
about
here
is
not
the
service
mesh
magic
mtls,
where
it's
injected
for
you
by
the
platform
right.
D
A
G
A
A
G
D
Yeah,
so,
in
my
mind
this
this
thing
this,
like
back-end
properties
thing,
is
for
people
who
aren't
running,
who
don't
have
the
infrastructure
capability
to
automatically
do
encryption
right?
This
is
this
is
for
people
who
are
running
in
a
cluster.
You
know
it's
only
it's
only,
for
you
know,
people
who
are
running
in
a
cluster
that
doesn't
have
any
of
the
magic
stuff
where
you
need
some
way
to
be
able
to
specify
hey
from
my
gateway
to
this
to
the
back
end.
I
want
it
to
be
encrypted.
Please.
G
F
D
A
Yeah
and
I
so
I
agree
with
that
idea
and
I
do
want
to
do
a
time
check
because
we
we
are
at
time
here
I,
just
maybe
for
a
follow-up
offline,
I
I
think
the
disconnect
here
is
that
what
happens
when
we
have
gateways
that
see
this
back-end
properties
and
want
to
honor
it,
but
can't
or
like
can
we
just
say
some
gateways
can
just
ignore
it
because
I
don't
know
how
to
support
it.
You
know
that
that
would
be
I
guess
maybe
what
we
need
as
a
follow-up.
A
Sorry,
I
can't
sorry,
Candace
I
know
that
we
probably
just
went
in
circle.
Well,
we
had
lots
of
good
discussion,
but
I
don't
know
if
it
helped
make
make
this
any
less
confusing,
but
I
think.
Hopefully
this
served
as
a
good
reminder
that
this
PR
exists.
Please
take
a
look
at
it.
Some
good
comments
in
chat
and
in
discussion
today.
So
please,
let's
continue
that
discussion
on
this
PR,
it's
14,
30.