►
Description
[SIG-Network] Bi-weekly Ingress NGINX meeting for 20211012
A
Okay,
folks,
good
morning
for
those
that
are
in
the
morning
or
still
waking
up
in
kubecon
good
afternoon
and
good
evening
or
whatever
time
zone
you
are,
this
is
network
ingressing
exo
project
meeting
today
is
october
12th
2021.
This
is
a
kubernetes
community
meeting.
So
we
ask
we
kindly
ask
you
to
comply
with
the
code
of
conduct,
which
is
basically
be
excellent
with
with
each
other.
A
My
name
is
ricardo.
I'm
gonna
be
your
host
today.
If
you
see,
if
you
wanna,
see
some
some
violation,
just
report
that
violation
to
me
or
to
any
of
the
sick
chairs
or
to
the
code
to
the
code
of
conduct
committee
of
kubernetes
of
kubernetes
community
and
let's
get
started
so
I'm
gonna
watch
james
scream
because
he's
sharing.
So
it's
better.
B
A
C
Anyone
else
yeah,
I
can
go
so
my
name
is
ashley
started
two
weeks
ago
when
this
meeting
was
cancelled,
but
I
at
least
got
in
touch
with
long.
I've
contributed
a
little
bit
over
the
last
weeks
and
I'm
sticking
around.
D
F
A
Amazing
cool
welcome
you
all,
and
I
hope
we
can
also
help
you,
while
wanting
to
start
contributing
to
make
your
your
first
contribution
and
maybe
keep
doing
that
with
us
as
well
anyone
else
or
should
we
move
forward
to
the
topics.
A
A
Yay
add
flag
to
set
custom
buckets
for
prometheus
instagram.
This
one
is
a
bit
old
right,
yeah,
mate,
27,
anyone
that
is
aware
of
pro
videos
and
when
I
think
I
look
into
that
and
maybe
some
first
review.
What
does
this
mean
for
us
if
this
is
gonna
break.
G
I
don't
know
if
we've
gotten
anyone
familiar
with
the
prometheus
setup,
do
we
have
do
we
have
anyone
recording.
B
A
Yeah,
so
I
guess
the
context
that
they
want
is
actually
to,
instead
of
having
a
prometheus
histogram
bucket,
a
hard-coded
promito's
histogram
bucket,
allowing
the
user
to
customize
that
that
that
histogram,
like
instead
of
having
like
0.05
0.,
0.1,
etc.
They
want
to
have
these
packets
customizable
via
via
flex.
G
D
A
D
Yeah,
do
we
have
any
more
flag
or
any
other
flags
that
use
lists
like
this?
I'm
curious
if
the
syntax
is
of
the
the
flag
is
a
consistent
one.
A
Review
it
thoroughly.
Okay
sounds
good
next,
one.
A
That
one
to
me,
I
can
take
a
look,
but
alex
is
also
looking
into
that.
I
I'm
not
sure
about
that,
because
one
thing
is
calling
with
the
own
update
right.
So
when
you
have
when
you,
you
need
to
update
the
nginx
configuration
the
other
one
is
when
you
are,
when
you
are
doing
the
validation
web
hook
and
you
wanna
and
you
wanna
see
if
that
thing
is
gonna
change.
So
I
agree
that
maybe
this
is
like.
We
have
two
two
boundaries.
A
A
Yeah
this
yeah,
so
I've
seen
this
problem
as
well.
When
I
was
trying
to
debug
that
cordon
stuff,
when
you
put
a
lot
of
when
you
put
a
lot
of
load,
you
put
a
lot
of
ingress
objects,
you
have
a
race
condition
happening
right,
so
you
have
a
lot
of
you
have
a
lot
of.
How
can
I
say
process
run
in
parallel
and
all
of
them
they
try
to
replace
the
template
of
inginx
and,
and
sometimes
it
breaks.
A
A
We
are
just
starting
to
to
in
kiwi
a
lot
of
stuff
right
and
and
another
thing
that
could
be
a
solution
for
this
would
be
that
idea
that
someone
gave
about
splitting
the
configuration
files
per
maybe
their
front-end
or
perfect.
Also
at
least
you
may
have
like,
if
you
have
a
lot
of
ingress
with
a
lot
of
different
v-hosts,
you
at
least
would
and
with
different
files
and
a
chance
of
getting
some
race
condition
would
be
lower.
A
But
I
remember
that
that
gentile
say
that
maybe
splitting
the
files
wouldn't
be
a
good
approach.
Yeah.
G
G
Adjust
the
the
priority
to
it,
we
can
increase
it
and
then
just
be
one
of
the
next
things
we
look
at
for
yeah.
C
Question
yeah
yeah:
do
you
have
some
context
on
why
the
splitting
of
the
files
was
bad
or
does
the
main
conflict
that
inputs
all
of
them
still
become
the
bottom
neck,
which
is
probably
why
the
splitting
is
not
the
right
solution
for
the
tissue.
C
A
I
can
yeah,
I
remember
that
someone
yeah,
I
remember
that
someone
told
that
wasn't
like
a
good
idea,
maybe-
or
I
can't
remember-
if
the
it
wasn't
like
a
good
idea
or
if
this
was
something
that
could
that
wouldn't
solve
like
memory
usage
or
something
like
that.
Gentile
gentile
told
about
that
about
that.
So
maybe
we
should
bring
that
discussion
again
in
in
slack
and
and
discuss
at
least
like,
if
not
for
like
performance,
at
least
for
organization.
If
this
makes
sense
or
not.
C
Oh
yeah,
I
I
can
say
that
at
least
in
my
job,
where
we
use
engine
x-
let's
say
maybe
forty
fifty
thousand
viewers-
we
do
have
them
as
the
files
and
we
haven't
clearly
seen
the
issues
so
that
like
technically
doesn't
seem
to
be
the
issue.
But
maybe
something
about
how
english
essentially
is
set
up,
makes
it
difficult
or
different.
H
Yeah
using
using
includes
is
a
is
a
common
pattern,
but
usually
it
focuses
on
the
problem
of
I'm
trying
to
manage
the
configuration
in
a
scalable
way
right,
so
you're,
so
you
have
an
upstream
include
you've
got
a
server
block,
include
you've
got
a
location,
include,
you've
got
a
general
include
that!
That's
that's!
H
A
Yeah,
actually,
we
don't
use
the
include
here.
We
have
like
a
whole
file
with
like
40
000
lines
of
of
configuration,
so
my
my
questioning
was,
if
maybe
splitting
using
the
include
on
the
main
one
and
splitting,
for
example,
each
virtual
host
into
a
file
would
at
least
help
us
later.
Solving
some
some
race
condition
like
putting
some
some
lock
into
that
specific
file
and
don't
allow
it
to
reload,
while
some
of
those
files
were
locked.
H
Nginx
is
still
going
to
rectify.
Nginx
is
still
going
to
rectify
them
all
when
you,
when
you
try
to
do
the
reload,
so
it's
it's
still
going
to
it's
still
going
to
search
search
the
path
for
the
include
files.
You,
you
just
have
to
add
an
include
directive
and
have
everything
in
individual
individual
directives.
You
just
have
to
be
careful
in
the
code
that
you
don't
accidentally
create
conflicts.
H
A
A
Each
url
would
get
their
their
own
file
and
from
there
you
are
gonna
like
that,
make
some
derivation
of
like
the
back
end
and
etc,
and
just
change
that
specific
file.
So
if
you
have
someone,
for
example,
some
specific
ingress,
that's
that's
messing
up
like
some
infinite
loop
or
someone
with
some
ci
cd
broken
into
a
specific
ingress
object.
A
So
I
guess
that's,
maybe
an
approach
that
we
can
take
for
the
next
future
release,
not
not
for
the
bit
not
for
the
bug
fix
release,
but
we
can
start
thinking
about
that
and
we
can.
I
I
I
miss.
So
this
is
something
that
I
miss.
Actually,
we
don't
have
like
some
some
metrics
about
how
the
things
they
were
before
we
apply.
Some
vr
some
conformance
tests
right,
so
I
don't
know
how
we
can
do
that,
even
if,
if
we
have
a
cpu
for
doing
that,
but
I
I
kind
of
missed
that,
like
tracking.
A
Yeah
tracking,
which
pr
inserted
some
some
change
into
the
behavior
like
not
not
on
the
canary
stuff
but
at
least
on
performance
systems.
So,
for
example,
we
we've
got
that
we've
got
that
cordon
stuff.
I
know
that's
not
related
to
something,
but
we
could
at
least
say
hey.
This
was
inserted
in
this
pr
or
not
right,
so
we
can
get
some
metrics
some
peso
metrics
from
each
pr
that
gets
merged.
A
Then
I
kind
of
miss
that
so
if
someone
gets
some
idea
of
how
we
can
apply
that,
even
if,
if
we
do
something
like
daily
instead
of
for
each
pr,
we
run
some
conformance
tests,
and
we
know
that
this
day
the
metrics
were
this
way,
and
this
day
the
methods
were
this
way.
So
maybe
it
would
be
helpful
to
check
if
we
apply
a
change
like
this
one.
If
this
is
going
to
be
a
problematic
or
not
by
the
side
of
cpu
and
memory
usage,
for
example,.
G
A
I
I
Oh
go
ahead.
Sorry,
I
will
just
say
we
are
working
on
some
projects
internally
that
are
going
to
be
released
as
open
source.
That
might
actually
be
a
good
solution
for
this
problem.
So
as
as
that
testing
tool
that
we're
working
on
progresses,
we'll
definitely
keep
you
guys
in
the
loop
and
let
everyone
know
when,
when
it
looks
like
it's
going
to
be
publicly
available
cool
amazing.
A
Yeah
one
thing
that
I
was
discussing
with
folks
was
like
if
we
should
try
to
replace,
for
example,
open
rusty,
some
places
or
some
some
parts
of
open
residue
to
the
njs
right,
the
the
javascript
thing
inside,
and
I
have
no
way
to
test
that
right
now
to
say
like
if
this
was
something
if
we
got
some
difference
into
that
or
not
so
I
was
like
yeah.
I
can
do
that.
But
is
this
going
to
be?
I
I
I
know:
we've
had
some
we've
done
some
benchmarking
internally
between
njs
and
lua,
but
not
in
specifically
for
the
ingress
controller
use
case,
but
we
do
have
some
metrics
around
that
for
more
generic
nginx.
I
G
Cool
thanks
thanks
on
that
all
right,
I'll,
open
an
issue,
so
we
can
track
that
this
is
the
next
one.
This
is
a
pr
I
guess
that
needs
to
review.
Let
me
go
back
to
what
noah
are
saying:
yeah
needs.
A
A
review
yeah
all
right,
so
this
one,
this
one
is
something
that
got
I've
seen
that
before
we
accepted
the
pr
and
then
we
got
to
revert
that
one
because
of
we
were
breaking
something
right,
multiple
origins
with
cores,
and
this
is
a
new
one.
I
guess
so.
I
remember.
A
C
A
C
A
I
muted
sorry,
so
maybe
we
can
we
can
put
that
one
in.
I
don't
want
to
put
that
one
on
the
release
that
I
want
to
make
today
as
we
need
to
fix
that
open,
ssl
bug,
and
I
I
want
to
fix
the
the
the
affinity
stuff,
but
maybe
we
can.
We
can
put
this
one
into
version.
1.1.
A
But
thank
you
thank
you
for
reviewing
this
one
folks,
seven
two
and
and
if
you,
if
do
you
do
you
have
so,
do
you
have
something
that
you
are
missing
on
this
pr
or
do
you
think
that's
just
fine
to
to
to
make
that
one.
C
So
I
think
I
approved
it
just
before
his
last
commit,
and
maybe
this
that
was
good
from
the
testing
perspective.
His
last
comment
seems
to
have
broken
it,
so
I
haven't
seen
that
last
comment,
but
as
up
till
that,
like
the
last
part,
one
comment
it
looked
good,
it
was
backwards
compatible.
It
didn't
break
anything.
J
Himself
is
saying
that
his
tests
are
not
confirming
what
we
were
talking
about:
the
danger
of
multiple
multiple
origins,
getting
accepted.
J
C
The
code
goes
to
add
a
star,
for
course,
which
allows
all
origins,
and
this
is
the
way
it
behaves
today,
and
this
pr
continues
to
do
that,
which
I
feel
is
fine
from
a
backwards
compatibility
perspective.
It's
more
of
a
policy
question.
If
you
want
to
change
that,
behavior.
A
A
All
right,
okay,
I'm
gonna,
I'm
gonna,
take
a
look
into
that.
Probably
later
this
weekend.
I
will
bring
you
on
slack.
I
did
here
so
it's
good.
Thank.
C
You
so
yeah
one
idea
I
had
was
if
the
validation
webhook
does
exist,
I
haven't
quite
looked
at
it.
We
could
fail
the
ingress
object
at
the
validation
web
book
and
not
have
to
deal
with
this
problem.
For
example,.
A
Okay
sounds
like
an
idea:
we
just.
We
just
need
to
be
sure
that
everybody
understands
that
validation
web
hook
is
not
required,
so
you
as
a
user
you
can
deploy
in
english
in
genex,
without
the
validation
webhook
right.
So
we
just
need
to
be
careful
like
assuming
that
we
are
not
adding
any
any
vulnerability
or
something
like
that
saying
hey.
This
is
not
gonna
happen,
because
we
have
validation
webhook,
because
this
may
not
be
true
yeah.
We.
A
G
A
C
Sure
so,
basically
there's
an
annotation
for
ssl
redirect,
which
is.
If
someone
sends
a
plain
text
request,
then
you
have
to
send
a
301
back
with
https
as
the
scheme.
I
remembered
yes
so
that.
A
C
C
A
C
G
G
G
A
Yeah
this
one,
this
one-
I
am
I'm
working
on
this
one
long
long
raised
this
one
to
me-
I
am
just
I
would
just
use
my
my
afternoon
today
to
to
take
a
look
into
this
one
before
releasing
the
new
version.
A
I
can
take
a
look
into
this
one
as
well
and
if
so,
it's
funny,
because
I
I
have
sort
of
implemented
the
certificate
stuff
in
in
english,
in
gynex
the
certificate
authentication.
So
if
someone
want
to
take
a
look
into
that
one
feel
free
to,
and
I
can
help
you
otherwise,
I
can
take
a
look
into
that
certificate.
Key
check
phase
as
well.
G
J
Because
for
everything
on
the
internet,
for
all
searches,
he's
talking
about
the
order
of
the
certificates
and
all
examples
that
are
talking
about
the
common
order
where
the
leaf
comes
first
intermediate
comes
second
and
root,
is
last
and
he's
saying
he
wants
the
root
to
be
on
top,
because
only
the
root
will
have
the
key.
So
do
we
even
want
to
discuss
it
or
do
we
have
to
even
or
do
we
have
to
search
for
standards?
A
Well,
I
think
we
can
discuss,
but,
as
far
as
I
remember,
open,
ssl
doesn't
rely
on
the
order
of
the
certificates.
J
J
J
C
G
Yeah,
I
don't
want
to
say
accepted,
it's
not
duplicate,
just
needs
information.
Is
that
fair
to
say.
G
J
So
the
funny
part
is,
he
himself
is
accepting
that
upstream
engine
x
has
a
flag
for
default
certificate
and
there
the
order
works.
He
wants
it.
He
wants
this
reverse
order.
Only
in
the
annotation.
G
A
G
D
A
A
A
I'll
sign
this
one
to
me,
I
can
take
a
look
I
can.
I
can,
and
maybe
maybe
when
I,
when
I
am
debugging
this
one.
If
someone
is
interested,
we
can,
we
can
make
some
online
stuff
like
creating
a
decks
or
key
cloak
stuff
and
having
some
fun
with
that.
That
does
sound.
A
What's
your
handle.
G
Thanks
for
taking
that
yeah
and
when
you
guys,
you
guys
set
something
up,
I
would
just
like
to
be
a
fly
on
the
wall.
G
G
I've
been
closing
issues
that
have
older
versions
and
just
being
putting
in
the
politeness
saying
you
haven't,
looked
at
this
no
one's
interacted
with
this
issue
in
a
while
you're
running
older
versions,
please
upgrade,
and
if
you
still
continue
to
have
issues,
let
us
know,
because
you
know
if
we've
got
to
enforce
what
we
say,
we're
going
to
enforce,
to
be
able
to
do
what
we've
been
trying
to
do.
So.
G
G
That's
interesting
that
they're
running
44
or
the
client
versions-
122.,
okay,
so
they're
running
it
on
119..
So,
okay,
this
is
the
the
part
where
we
you
know.
If
this
is
five
days
ago,
they're
running
it
on
119
but
they're
running
at
44..
So,
let's
see
if
anyone
has
asked
them
to
upgrade
and
try
again,
but
I
haven't
read
through
this
one
yet
either.
D
G
Gotcha,
that's
definitely
something
we
can
ask
them
to
look
at
a
lot
of
java
applications
with
the
annotation
ajp
looks
great
but
they're
having
some
issues
with
timeout.
A
D
So
yeah
I
actually
had
to
deal
with
this
just
a
couple
days
ago.
Now
that
I
think
about
it,
someone
was
asking
me
how
to
how
to
set
the
timeouts
for
grpc,
because
it's
it's
different
or
it
it
it.
These
these
annotations
depend
on
the
back-end
protocol.
It's
the
point
he's
making
and
I
so
yes,
it
could
be
documented,
better.
D
A
A
J
A
Yeah,
just
just
just
just
asking
yeah
but
anyway
I
I
would
say
that
at
least
for
me,
I
have
work
for
the
next
one
month
to
take
a
look.
So
if,
if
you
think
that
this
certificate,
one
is
more
like,
is
have
priority,
we
can,
we
can
just
shift
the
priorities
of
those
one.
Otherwise
I
would
say
that
we
can
maybe
live
for
the
offline
scene,
like
first
lag.
J
J
A
Yeah,
I
would,
I
would
try
to
fix
something:
that's
impacting
more
users
right
now
and
then
go
back
later
to
this
one.
Okay,
if
this
is.
A
If
this
is
something
like
the
affinity,
one
is
something
that
you
could
confirm.
So
it's
easy
to
reproduce.
We
know
that's
something
like
generic
right.
This
is
l1.
Maybe
it's
like
something
really
specific
that
we
would
need
more
time.
I
don't
think
we
need
to
just
get
get
rid
of
that,
but
maybe
that's
it
can
wait.
Otherwise
more
people
would
be
complaining
right.
A
I
I
was
talking
with
james
yesterday
about
that
that
maybe
I
really
want
to
have
some
time
to
stop
doing
some
firefighting,
at
least
for
the
next
month
and
think
about
the
features
for
a
bit.
So
I
would
say
that
maybe
we
should
just
try
to
not
insert
any
new
bug
and
say:
hey,
okay,
so
this
we
can
consider
stable,
stable
enough
to
start
thinking
about,
like
gateway
api
on
the
other
features
right.
J
A
A
All
right,
yeah,
so,
okay,
so
james,
you,
you
have
added
the
reload
issues
and
looking
into
the
js.
I
can't
remember
about
those
issues.
But
what
are
that.
G
A
A
A
G
So
you
want
to
go
ahead
and
close
7564
and
just
track
track.
All
of
the
updates
in
7268.
A
G
But
it's
good
to
know
that
that
even
on
49,
it's
still
an
issue,
so
that
was
going
to
be
the
other
thing
I
was
just
looking
at
okay.
Let
me
I
don't
think
we
have
a
priority
or
anything
on
this.
A
H
G
A
Let's
see,
would
you
like
changes
in
wrong
order
needing
to
security
issue.
G
G
A
G
C
J
Actually,
regardless,
you
have
to
make
a
very
important
comment
on
this.
The
guy
is
actually
using
explicit
redirect
with
the
with
the
url
okay
he's
specifying
a
url,
so
he's
sending
a
request
to
domain
a
and
is
very
clearly
using
the
redirect
annotation
that
is
and
specifying
the
domain
as
b.
But
then
then
he
goes
at
a
goes
ahead
and
claims
that
when
he
sends
a
request
to
domain
a
it
should
not
straight
off
redirect
to
domain
b,
it
should
first
upgrade
to
https
on
domain
a
and
then
a
second
step.
A
Okay,
okay,
I
got
it
and,
to
be
honest,
I
remember
that
we,
we
have
an
issue
on
that
on
past,
because
the
order
was
already
like
sent
into
https
and
then
sending
to
the
redirect
and
we
have
changed.
G
A
C
C
Yeah,
I
can
still
reproduce
this.
The
only
difference
is
the
extra
annotation
for
ssl
redirect
that
isn't
in
the
previous
issue.
A
Okay,
okay,
okay
yeah,
we
we
should
probably
discuss
about.
I
would
I
would
try
to
to
search
the
the
history
of
this.
Why
we
have
changed
it.
I
remember
changing
this.
I
just
can't
remember
why.
But
I
I
remember
that
we
have
changed
this
in
past
because
of
some
issue
with
something
else
like
cloudflare
or
site
manager,
or
something
like
that,
and
I
will
take
a
look
into
that
and
if,
if
you
folks
find,
I
guess
one
thing
that
we
could.
A
That
could
be
helpful
for
you,
while
debugging
that
is
maybe
doing
in
the
template.
I
get
blame
because
probably
we
have
on
the
inginax
template
the
commit
that
changes
that
thing
right,
so
we
can
at
least
have
some.
I
don't
know
if,
if
you
try
to
do
that,
but
probably
we
have
why
that
has
changed.
A
Yeah,
we
probably
was-
I
remember,
changing
that,
so
I
don't
know
if
it
was
me
or
not,
but
we
can
take
a
look
into
that
template
and
see
hey.
This
was
changed
on
dcpr
and
then
we
at
least
we
will
have
more
context
to
see
if
they
are
right
or
if
we
are
right
or
if
we
may
have
some
mid
solution
like
adding
a
new
annotation
saying.
What
is
the
priority
say:
hey,
do
you
wanna?
A
G
C
C
Yeah,
I
was
gonna
say
I've
been
mostly
helping
along
with
the
issues,
but
I
can
do
dev
work
as
well.
So
if
there's
something
that
needs
attention
or
need
hands-on
for,
please
let
me
know-
and
I
can
start
to
pitch
in
appreciate
it.
A
Walkthrough
on
the
code,
okay,
okay,
we
can
yeah
yeah
yeah.
We
can
do
that
sure.
I
I'm
just
like
a
bit
in
a
rush
those
days
and
that
will
be
off
this
weekend.
But
if
that's
okay
to
you,
we
can
make
on
maybe
on
a
weekend.
Otherwise
I
can
try
before
I
start
working
like
eight
a.m.
Here,
which
probably
is
afternoon
in
india
in
the
time
zone,
we
can
do
a
cold
walk
through.
A
J
J
G
And
we
should
record
it
so
that
we
can
reference
it
for
future.
Folks,
definitely.
A
Very
quick,
I
was
going
to
say
I
can
I
can
open.
I.
I
have
a
new
feature
on
this
outlook.
Vmware
agenda
that
works
like
calendly,
or
something
like
that.
I
can
try
to
open
like
a
slot
and
say
hey
folks,
vote
whenever
it's
better
for
you
and
we
can
try
to
make
this
cold
walk
through
on
a
time
that
works
for
everybody.
A
Just
remember
me
that
I
I
can
I
can.
I
will
also
try
that
thing.
A
Just
just
remember
about
that
and
maybe
maybe
later-
and
I
can
open
that
I
will
forgot
for
sure
right
now,
but
I
will
let
let's
let's
do
this
yeah,
that's
good,
okay,
anything
else,
folks,
so,
for
those
that
are
on
kubecon,
enjoy
hong
kong
for
those
that
are
not
in
kubecon,
we
have
virtual
kubecon.
So
take
a
look.
We
have
keynotes,
you
can
get
the
keynotes,
you
can
go
through
the
booths
and
and
see
the
solutions.
A
I
will
send
the
link
to
you.
We
get
hallway
ongoing
on
on
cncf
slack.
So
if
you
want
to
meet
other
contributors,
other
members,
other
users
just
drop
that
I'm
gonna,
send
everything
on
on
slack
as
well
and
enjoy
the
rest
of
the
week.
Folks
and
take
care
you
are
james,
is
gonna,
be
on
dirty
to
get
some
stickers
and
some
t-shirts
for
us
on
the
physical
boots
and
send
to
all
of
us
during
the
during
the
next
week.
Okay,.