From YouTube: [SIG-Network] Ingress NGINX meeting for 20230706
A
Hello everyone, it's July 6, 2023, and this is the SIG Networking Ingress NGINX sub-project meeting, which means that it adheres to the CNCF code of conduct, which means be awesome to each other. If you have any issues, please report those to myself or Ricardo or to the SIG Networking lead. With that, we'll go ahead and get started. We always try to welcome new members. I do see a username on here that I don't recognize. I'm wondering if that is Michael. But if not, if you'd like to introduce yourself, please go ahead.
B
A
Okay, well, welcome, Brendan. Thanks for coming and hanging out with us. I don't see anybody else. I did introduce, I did ask someone to join. They were asking about the ModSecurity issue. You guys thought you remember seeing that one, the one with the performance issues? Once they flip it, it just shuts everything down in production.
A
I asked them to join, but I don't see them on, so we'll go ahead and roll through old action items, probably a bunch of things that I didn't look at. The annotation validations, that's the stuff you're working on. You said that that's ready to go. Ricardo to review.
A
Okay, I didn't put anything in the two hour release stuff here. I guess we could move this to your, to the permanent issue that you just put in, so we can start having a discussion there instead of being in docs and showing dots around. Okay, yeah, I.
A
A
A
We can continue to try to ask folks, but we just keep putting information out there and they're not reading it, they're not reading it. That's the unfortunate part, especially with this 2.0, all the deprecations in 2.0 coming out.
A
Okay, that's the review, the action items. Ricardo, we're gonna put a timer on the issue triage, because we've got to continue to make sure we do that. I know we're, I'm bad at it. I try to do it throughout the week, but let's give it the 15 minutes that it's due.
A
Are there any issues that folks know about, besides the ModSecurity timeout issue, that we should review before we go into just triaging what's there?
A
No? Okay, go right back, go right into it, starting at the top of the list. I haven't even reviewed this. I haven't even looked at this. This is, actually, we've got some new ones already.
B
C
Yeah, I think this one is, it's right, because right now the way that the client auth works, it will get your, I mean, it's gonna validate your certificate and then just say: okay, it doesn't match whatever I need, so block it.
C
A solution for that would be to have some, let's say, move the client validation to below, like, the location. I'm not sure if this works, I need to double check. I think it's optional, and then it takes the location.
C
I need to double check that, and maybe have some authentication leak nor field that says that all of the dash dot well-known, or anything that should be public, that you have RFCs or things that say that they are public locations by definition, like /.well-known, let's use it via, let's create OAuth and all of those things. Maybe we can just skip all of the validations for those locations, but I need to see if this is, like, expected.
C
That's the common name checking. So we have, we have this feature on the client certificate auth, right? When you send the certificate, you can check if the common name matches, or regex, or like a single string, saying like: hey, I accept certificate authentication, but just from James, even if Ricardo has a cert on that CA as well.
C
Yeah, yeah, let me, hold on, James. One second, keep your, keeping your, yeah. It gets, the cert only does the validation, yeah. So can you see also, there is like an ssl_verify_client on, on the snippet that he said? Yeah, yeah, just a bit above. Yeah, yeah, yeah, correct, there. Yeah, the other one, yeah, with the underline.
C
Yeah, the first one, the, yeah, the line just below this one. Yeah, that's ssl_verify_client. So the right way of doing that would be like having an option. Now, I think there is a flag on that, he can set the flag for optional, but still feel that line below, that line above, it doesn't really failure, because there is no match, right? So that validation should be inside probably the location or inside something else.
C
So you can have the optional, it will shed, and then you can say: okay, if something is wrong, I want to send it to another patient somewhere else, otherwise I can accept. But that's kind of tricky to do that.
C
Yeah, I'm not sure, because the ssl_verify_client on, we already block him, right, because it's not optional. But yeah, assign me to this one. I will try to take a look as soon as I have some time, if you want, or if someone wanna drill down into certificate requests. It's kind of tricky, what he's trying to do, but I think there is some room for improvement here.
A
C
A
Okay, avoid external, external Hub, with rcrl, I.
C
Yeah, I will, you don't need to assign this one to me, but that's on my radar. I will take a look, and I think that we need a better way of doing that, because accepting things to localhost may be dangerous for us right now, on our current situation.
C
C
B
A
A
C
Yeah, let's just keep it simple. Let's explain the use case on the authentication one. That's all, let's see how this goes. Yeah.
B
C
This is a duplicate. There is something else, if you find the issues. Can I go to the issues?
C
C
C
So this is something that I'm gonna take a look. I'm gonna refactor the whole SSL passthrough. Today, the way that we do, it's a proxy that runs inside the controller and not inside NGINX, because by the timing of the implementation, NGINX didn't support it, right? And I.
C
I think there is an issue that I have open to refactor that. If you, if you search for that, you can just say, hey, associate what we with the other, and I will take a look at that.
B
B
B
B
A
I'm gonna go back and comment, and just, I probably should go back through and look at all the SSL passthrough ones. I don't want to say that they're, your implementation or the native implementation will fix those issues, but we want to put them on the backlog and let them know that, where you've looked at it, and we're gonna refactor it. Yeah, yeah, it's down on the laundry list of things.
C
B
A
B
B
No, no, no, I'm just saying I would need to check this, because I've been playing around with default annotations and, yeah, it only needs that, I mean default backends, and it only needs that annotation. But it's been working fine, from what I can see.
B
Yeah, can you paste the link to this? Yeah, custom errors, yeah.
B
Because the default backend will only catch when you set custom errors. So if your server responds with an error, it will route to a default backend on a specific URL.
B
A
Yeah, this just looks like a support request. They didn't put in the, the other one. I've never, well, I keep saying this: there's a lot of configuration options I just never set for years. I just used the default, like, I just use a very basic Ingress when I'm using it anyway. Yeah, cool, fun times. All right, that was the 15 minutes on the issue triage.
A
C
Yep, I just wanted to raise that I've seen this in some repo that I use, I can't remember which one was, but I thought that the idea was going to be actually great, right? So that's a locked issue that you meet probably Gentile. We can edit that and start adding the breaking change that we figured out or before the release.
C
We just need to make sure that the approvers, they know about that, right? And then we can keep a track on things that are going to be removed or deprecated. Like on version 1.9, we are removing AJP. I want to make the change to disallow snippet annotations as a secure measure and tell people that this is a breaking change, and we have renamed a whitelist to allow this.
C
It still works, but may stop working, right? And this is, actually I forgot to add, but this is the one that supports validation, but validation, it's not enabled by default, so shouldn't be a breaking change as well, right? And then on version 1.10, we have all of those plans to change, remove open, Jaeger, Zipkin, OpenTracing, zip, India gear, Datadog and so on.
A
I like it. We can also put it out on the dev mailing list as well, just so folks can track that.
A
List here too, and also this is just for potentials, right? This isn't what we're actually, like, what we've actually put out. It will be.
C
I think that we should keep on the release notes, but also keep adding. So just, so just a second.
B
C
No, my cell phone is ringing, yeah, but that's okay. So I wanted actually to keep this open, so we can keep a track on things that broke and people can just scroll down, even not go into each of the changelogs as well. But this is going to be like a really manual step by, I don't want to do that automated. I think it's a good way of just keeping the track and allowing people to see: hey, something is not working.
C
So did you take a look into, but this big child issue, right, as you've said, on the version 2.0? If you take a look into the bottom, I have them planned release with, like, removing all the SSL protocols, removing ModSecurity and the whitelist source range annotation. So when we decide to do a release of that, let's say on version 1.11, we just move to the top.
A
Okay, there was those changes that was, yeah, that was in the 2.0 breaking change doc that I made. Let me go ahead and add those, because we had strict validations that the true, that's definitely a breaking change; control plane, data plane; removing Jaeger, etc. for OTel; and ModSecurity removal and/or replacement. And then Gentile has removing AJP support, that would probably not have to go into, oh, I could probably go in 1.9, 1.10. You've already got the PR out there, right?
A
That was the reason why we moved the release to release branches, right? Yeah, yeah, that's.
C
A
C
I think it's a good, I think it would be good for us if we do that, at least for the major breaking changes. So yeah, people can comment on the PRs, right, as an example, but not on this issue. This issue would be just for watching and not spamming people with a bunch of comments, random comments.
A
C
That's okay, we can take care of that later. I mean, just, like, add some placeholder for the things that we don't know the category yet and we can just keep moving.
A
A
Okay, I like it, definitely.
A
B
A
C
Yeah, I think it's actually passing all of the tests. It's ready to be merged. Yeah, cool, great, right. And take a look into the, just 5,000 lines. I think it's okay, right? We can imagine how to check in so.
B
B
C
So this thing is ready to be merged. I know that there are going to be some needs for improvements on the regex. We are relying a lot on regex to validate some annotations, even having some common validators as well.
C
I know that Gentile, it's gonna probably take a look into this until next week, but as this thing is kind of dragging for some time, and we have some priority to manage this, if you understand me, I would just ask people to really take a look into that, see if they missed something, if they figure out there is something weird, and otherwise just getting that merged.
B
C
I mean, this is the one that we block. This is the one that will block based on the webhooks, right? And there are some, all of the validations, they have unit tests, at least on the annotation unit, as they have passed it, yeah. And there is some STAR test as well, and on the starter that we were, or work based on the parts are being enabled or not, right.
C
The flag that enables the validation is the flag that allows that changes, the risks and the cross namespaces are config map.
B
C
A
C
A good idea. I can, I mean, I will keep my, my problem would be on the test that actually we enable or disable the flag, right? But other than that I can, yeah. Yeah, I will create just for one release, because I think we are not messing the way that we deal with Kubernetes, but just with the annotations, right, and see how this goes and what's going to break. Yeah, sounds good. I can do that.
C
A
I'm just trying to prevent us from heartache from the next time. So the question is, in 2.0, we'll flip it to false, so it's always validating, because that.
A
C
A
B
A
C
I think we can, we can actually do that in 1.10, because we usually do breaking changes between minor releases, not patches, and this is the idea of the branch as well, right? Like I've been released, Online, release 1.10 and then on release 2.0.
C
Probably because it's going to be a major architectural change with control plane and data plane, then we should do on the 2.0. But the validation, I would just keep on the next, not on one line when I'm going to keep disabled, as they do on Kubernetes with, like, feature flags and the APIs, right? So we can keep it disabled for one eye, 1.10.
C
C
We have, we had this flag for some time, and now, as 1.9, it's gonna have some breaking changes as well, as we are removing AJP, I wanted to flip this flag to true, and now, if you want to allow your users to use an epider notation, you need to flip that back to false, and announce that, because then it's going to be like an assumed risk, right? So we gave people a lot of time to take a look into that.
C
We know that some folks, they are gonna have, like, complaints about, like: hey, you don't support headers, you don't support something else. And we have that on the backlog, right? But I think that it's going to be good that people know that they should now assume the risk of enabling these snippets.
B
A
What's the ramification if we disable snippets and someone has snippets that they're using? So in an upgrade it's going to cause, that would be a breaking change. Yeah, I don't think we can change, I don't think we can flip it for 1.9. Okay, okay, from a user's perspective, if they go to upgrade to 1.9 and this stuff, snippets are disabled, they don't read the release notes, we're going to get a bunch of issues open up.
A
Deprecations, I think, are fine for minor releases, so I'm moving on to the next one. I don't, besides Datadog, no one else has yelled about the other ones, right? OpenTracing, Zipkin, Jaeger.
C
Yeah, and Datadog, they have a plan as well, right? So I wanted to state that we are not going to remove that on 1.9, as they asked us for some time to implement that. But we are going to remove that on 1.10.
C
It's on the main repo, if you click on Ingress in Chinese.
A
A
Okay, I just want to add that, like, the list, I just want to put a list of, like, deprecations, like we'll give people, like: hey, here's the notification about planned deprecations and our changes in this pinned permanent issue, and here's the individual ones that you should be aware of that are coming, and the moving everything OpenTelemetry is one of them.
A
A
Yeah, let's go ahead and look at this one, let's probably be the last thing we look at. So I was talking with this person, and it's very interesting, this one. So again, this is a scale problem.
A
A
I don't know if there's any issues with the, because we're running the latest version of the ModSecurity library, which is one of three, and I have not looked in to see if they have any scaling issues, but again, I don't know how large of an environment that they say that this is. Any other thoughts on ModSecurity just deciding to give up when it's supposed to do its job?
B
C
I think, last time, what I said, and I didn't check it, but I have this feeling that when you are on the set detection only, what happens, it's that, and it would be really helpful if they have some logs on somewhere of the engineers. Yeah, here we go.
A
Yeah, so I was looking at that and I see a lot of.
C
I would say that probably this is a timeout.
A
Stop sharing, I know, I don't know where all these buttons are. So I see a bunch of these errors from the certificate, from the Lua code, but I also see the ModSecurity. So the 400s, request body excluding files is bigger than the maximum expected, yeah.
C
C
So what happens there is, when you set in any, and you enable the body inspection, and let's say you enable the body inspection and you say, like, a PDF or 10 megabytes.
C
So ModSecurity won't validate that, because it's gonna say: okay, I have this maximum of, like, one megabyte or something to validate; on more than that, I can, I can right to protect it from memory problems.
C
So, so.
C
This is, so those efforts, they are probably, so it seems that someone is doing some scan, right, and testing some random servers there, right, but not passing the hostname or something like that, or even there is like hostname customer one. So they may not have the certificate set on these Ingress.
A
A
C
Yeah, so this one, it's because they don't have a certificate, right? Another one on ModSecurity, yeah, the other one on ModSecurity, and they would probably a help on that. It's because, hold on, server post configuration unexpectedly or 400. It's failing to reconfigure, can I see it, like, it's failing even to reconfigure the, this is, this is actually interesting.
C
It's trying to reconfigure something like the backends and it's not working, access denied, that called 400, parameter. Hey, hold on, this is actually nice. Okay, this is great, James. Okay, here's the thing: okay, okay, I see the problem. So here is the thing: we have this /configuration/servers internally, right, on our internal part. Okay, okay, fine. And we pass a JSON with the whole configuration that should be set on NGINX, right? Okay, and when they enable ModSecurity.
A
C
Yeah, short term, it would be, but I can take a look and do and ignore that, because it doesn't make sense actually to have ModSecurity running, because this part is just exposed internally, and we don't really, don't know what secret is. So it's just, like, probably adding to the template, saying, like, to the local mod, to the local configurations, it shouldn't be passing to ModSecurity, exact rule engine should be off for.
A
B
C
C
All right, yeah, I found it, hold on. There is this, I think this one. Yeah, I'm gonna send you the link of the line here, right, and what we should be doing is actually on this case.
C
C
Yeah, yeah, I think you can. There is the configuration of ModSecurity is on, it's inside the server definition, I think, but we can set ModSecurity, that there is already one, like, Insurance Security will not run on custom error pages, and we should probably set this on the same here. This is the line. We should set this to the internal configuration as well. This one, I've sent that to you.
A
C
B
C
Otherwise they would need to change their template for that.
A
There's no snippet to change, because that's all internal to our configurations that they added. They tried to do something on localhost, it wouldn't work, I would think. I'll let them know we've identified the issue, we'll put a fix in for 1.8.2, and let them know what the actual issue was, and if they want to change it on their side, they can.