►
From YouTube: [SIG-Network] Ingress NGINX meeting for 20230706
Description
[SIG-Network] Ingress NGINX meeting for 20230706
A
Hello:
everyone,
it's
July,
6
2023,
and
this
is
the
Sig
networking
Ingress
nginx
sub-project
meeting,
which
means
that
it
is
here's
to
the
cncf
code
of
conduct,
which
means
be
awesome
to
each
other.
If
you
have
any
issues,
please
report
those
to
myself
or
Ricardo
or
to
the
Sig
networking
lead
with
that
we'll
go
ahead
and
get
started.
We
always
try
to
welcome
new
members.
I
do
see
a
username
on
here
that
I
don't
recognize
I'm
wondering
if
that
is
Michael.
But
if
not,
if
you'd
like
to
introduce
yourself,
please
go
ahead.
A
Okay,
well
welcome.
Brendan.
Thanks
for
coming
and
hanging
out
with
us.
I
don't
see
anybody
else.
I
did
introduce.
I
did
ask
someone
to
join.
They
were
asking
about
the
mod
security
issue.
You
guys
thought
you
remember
seeing
that
one,
the
one
with
the
performance
issues
once
they
flip
it.
It
just
shuts
everything
down
in
production.
A
A
A
A
A
A
A
A
B
C
C
C
I
need
to
double
check
that
and
maybe
have
some
authentication
leak
nor
field
that
says
that
all
of
the
dash
dot
well
known
or
anything
that
should
be
public,
that
you
have
rfcs
or
things
that
say
that
they
are
public
locations
by
definition
like
Slash
dot,
well
known,
let's
use
it
via,
let's
create
oauth
and
all
of
those
things.
Maybe
we
can
just
skip
all
of
the
validations
for
those
locations,
but
I
need
to
see
if
this
is
like
expected.
C
That's
the
common
name
checking.
So
we
have.
We
have
this
feature
on
on
the
client
certificate
of
right.
When
you
send
the
certificate
you
can
check
if
the
common
name
matches
or
rejects
or
like
a
a
single
string,
saying
like
hey,
I
I
accept
certificate
authentication,
but
just
from
James,
even
if
Ricardo
have
a
certain
that
on
that
CA
as
well.
C
Yeah
yeah,
let
me
hold
on
James.
One
second,
keep
your
keeping
your
yeah.
It
gets.
The
sir
only
does
the
validation
yeah.
So
can
you
see
also?
There
is
like
an
SSL
verified
client
own
on
on
the
snippet
that
he
said:
yeah
yeah,
just
just
a
bit
above
yeah
yeah,
yeah,
correct
there
yeah,
the
other
one
yeah
with
the
underline.
C
Yeah,
the
first
one,
the
the
yeah,
the
line
just
just
below
this
one
yeah,
that's
a
selfie
verified
client.
So
the
right
way
of
doing
that
would
be
like
having
an
option
now.
I
think
there
is
a
flat
on
that
he
can
set
the
flag
for
optional,
but
still
feel
that
line
below
that
line
above
it
doesn't
really
failure,
because
there
is
no
no
match
right
so
that
validation
should
be
inside
probably
the
location
or
inside
something
else.
C
C
Yeah
I'm
not
sure
because
the
SSR
verified
client
own.
We
already
block
him
right
because
it's
not
optional,
but
yeah
assign
me
to
this.
One
I
will
try
to
take
a
look
as
soon
as
I
have
some
time
if
you
want,
or
if
someone
wanna
drill
down
into
a
certificate
requests,
it's
it's
it's
kind
of
tricky.
What
he's
trying
to
do,
but
I
think
there
is
some
some
room
for
our
Improvement
here.
A
C
C
C
B
A
A
C
B
C
C
C
C
B
B
B
B
A
I'm
gonna
go
back
and
comment
and
just
I
probably
should
go
back
through
and
look
at
all
the
SSL
pass-through
ones.
I,
don't
want
to
say
that
they're,
your
implementation
or
the
native
implementation
will
fix
those
issues,
but
we
want
to
put
them
on
the
backlog
and
let
them
know
that
where
you've
looked
at
it
and
we're
gonna
refactor
it
yeah
yeah
it's
down
on
the
laundry
list
of
things.
C
B
A
B
B
B
B
A
Yeah,
this
just
looks
like
a
support
request.
They
didn't
put
in
the
the
other
one
I've,
never
well
I,
keep
saying
this
there's
a
lot
of
configuration
options,
I
just
never
set
for
years.
I
just
used
the
default,
like
I,
just
use
a
very
basic
Ingress
when
I'm
using
it
anyway
yeah
cool,
fun
times
all
right.
That
was
the
15
minutes
on
the
issue
triage.
A
C
Yep
I
just
wanted
to
raise
that
I
I've
seen
this
some
repo
that
I
use
I,
can't
remember
which
one
was
but
I
thought
that
the
idea
was
going
to
be
actually
great
right.
So
that's
a
locket
issue
that
you
meet
probably
Gentile.
We
can.
We
can
edit
that
and
start
adding
the
braking
change
that
we
figured
out
or
before
the
release.
C
We
just
need
to
make
sure
that
the
approvers
they
know
about
that
right
and
and
then
we
can,
we
can
keep
a
track
on
things
that
are
going
to
be
removed
or
or
deprecated
like
on
version
1.9.
We
are
removing
hap
I
want
to
make
the
change
to
disallow
snippet
annotations
as
a
secure
measure
and
tell
people
that
this
is
a
breaking
change
and
we
have
renamed
a
white
list
to
allow
this.
C
It
still
works,
but
may
stop
working
right
so
and-
and
this
is
this
is
actually
I
forgot
to
add.
But
this
is
the
one
that
supports
validation
but
validation.
It's
not
enabled
by
default,
so
shouldn't
be
a
breaking
and
change
as
well,
right
and
and
then
on
version
110.
We
have
all
of
those
plans
to
to
to
to
to
to
change,
remove
open,
Jaeger,
Zipkin,
open
tracing,
zip,
India
gear
data,
dog
and
so
on.
A
A
C
B
C
No,
my
cell
phone
is
ringing
yeah,
but
that
that's
okay,
so
I
I
wanted
actually
to
keep
this
open.
So
we
can
keep
a
track
on
things
that
that
broke
and
people
can
just
scroll
down
even
not
go
into
each
of
the
change
logs
as
well.
But
this
is
going
to
be
like
a
really
manual
step
by
I.
Don't
want
to
do
that
automated
I
think
it's
it's
a
good
way
of
just
keeping
the
track
and
allowing
people
to
see
hey.
Something
is
not
working.
C
So
did
you
take
a
look
into,
but
this
big
child
issue
right
as
you've
said
on
the
version
2.0.
If
you
take
a
look
into
the
bottom,
I
have
them
Planet
release
with
like
removing
all
the
SSL
protocols,
removing
mod
security
and
the
whitelisters
range
annotation.
So
when
we
decide
to
do
a
release
of
that,
let's
say
on
version
1.11,
we
just
move
to
the
top.
A
Okay,
there
was
those
changes
that
was
yeah,
that
was
in
the
2o
breaking
change
dock
that
I
made.
Let
me
go
ahead
and
add
those
because
we
had
strict
validations
that
the
true
that's
definitely
a
breaking
change,
control,
plane,
data
plane,
removing
Jaeger,
etc
for
otel
and
mod
security,
removal
and
or
replacement,
and
then
Gentile
has
removing
ajp
support
that
would
probably
not
have
to
go
into.
Oh
I
could
probably
go
in
190110.
You've
already
got
the
pr
out
there
right.
C
A
C
I
think
it's
a
good
I
think
it
would
be
good
for
us
if
we
do
that,
at
least
for
the
major
breaking
breaking
changes.
So
yeah
people
can
comment
on
the
PRS
right
as
an
example,
but
not
on
this
issue.
This
issue
would
be
just
for
watching
and
not
spamming
people
with
a
bunch
of
comments,
random
comments.
A
C
A
A
B
A
C
B
B
C
C
I
know
that
Gentile,
it's
gonna,
probably
take
a
look
into
this
until
next
week,
but
as
this
thing
is
kind
of
dragging
for
some
time-
and
we
have
some
priority
to
manage
this.
If,
if
you
understand
me,
I
would
just
ask
people
to
really
take
a
look
into
that
see
if
they
missed
something.
If
they
figure
out,
there
is
something
weird
and
otherwise
just
getting
that
merger.
B
C
C
I
mean
this
is
the
one
that
we
block.
This
is
the
one
that
will
block
based
on
on
the
web
hooks
right
and
there
there
are
some
all
of
the
validations.
They
have
unit
tests,
at
least
on
the
on
The
annotation
unit,
as
they
have
passed
it
yeah,
and
there
is
some
STAR
test
as
well
and
on
the
starter
that
we
were
or
or
work
based
on
on,
the
parts
are
being
enabled
or
not
right.
C
B
C
A
A
C
A
good
idea,
I
can
I
mean
I
will
I
will
keep
my.
My
problem
would
be
on
the
test
that
actually
we
we
enable
or
disable
the
flag
right,
but
other
than
that
I
can
yeah.
Yeah
I
will
create
just
for
one
release,
because
I
think
we
are
not
messing.
The
way
that
we
deal
with
kubernetes,
but
just
with
the
annotations
right
and
and
see
how
this
goes
and
what's
going
to
break
yeah
sounds
good.
I
can
do
that.
C
A
A
C
A
B
A
C
C
Probably
because
it's
going
to
be
a
major
architectural
change
with
control,
plane
and
data
plane,
then
we
should
do
on
the
2.0,
but
the
validation
I
would
just
keep
on
the
next,
not
on
one
line
when
I'm
going
to
keep
disabled
as
they
do
on
kubernetes
with,
like
future
flags
and
and
the
apis
right.
So
we
can
keep
it
disabled
for
one
eye.
110.
C
C
We
have
we
had
this
this
flag
for
some
time
and
now
and
as
one
to
nine,
it's
gonna
have
some
breaking
changes
as
well
as
we
are
removing
a
JP
I
wanted
to
flip
this
flag
to
a
true
and
now.
If,
if
you
want
to
allow
your
users
to
use
an
epider
notation,
you
need
to
flip
that
back
to
false
and
announce
that,
because
then
it's
going
to
be
like
an
assumed
risk
right.
So
we
gave
people
a
lot
of
time
to
take
a
look
into
that.
B
A
What's
the
ramification
if
we
disable
Snippets
and
someone
has
Snippets
that
they're
using
so
in
an
upgrade
it's
going
to
cause
that
would
be
a
breaking
change.
Yeah
I!
Don't
think
we
can
change
I,
don't
think
we
can
flip
it
for
one,
nine,
okay,
okay,
from
a
user's
perspective.
If
they
go
to
upgrade
to
one
nine
and
this
stuff,
Snippets
are
disabled,
they
don't
read
the
release,
notes
we're
going
to
get
a
bunch
of
issues
open
up.
A
C
A
A
Okay,
I
just
want
to
add
that,
like
the
list,
I
just
want
to
put
a
list
of
like
deprecations
like
we'll
give
people
like
hey
here
is
here's
the
notification
about
plan
deprecations
and
our
changes
in
this
penned
permanent
issue
and
here's
the
individual
ones
that
you
should
be
aware
of
that
are
coming
and
the
moving
everything
open.
Telemetry
is
one
of
them.
A
A
A
A
I,
don't
know
if
there's
any
issues
with
the
because
we're
running
the
latest
version
of
The
Mod
security
Library,
which
is
one
of
three
and
I,
don't
I
have
not
looked
in
to
see
if
they
have
any
scaling
issues
but
again,
I,
don't
know
how
large
of
an
environment
that
they
say
that
this
is
any
other
thoughts
on
mod
security.
Just
deciding
to
give
up
when
it's
supposed
to
do
its
job.
B
C
A
C
C
C
C
C
This
is
so
those
efforts
they
are
probably
so
so
it
seems
that
someone
is
doing
some
scan
right
and
and
testing
some
random
servers
there
right,
but
not
passing
the
hostname
or
something
like
that
or
even
there
is
like
hostname
customer
one.
So
they
may
not
have
the
certificate
set
on
this
on
these
Ingress.
A
A
C
Yeah,
so
this
one
it's
because
they
don't
have
a
a
certificate
right,
another
one
of
on
what
security
yeah,
the
other
one
on
what
security,
and
they
would
probably
a
help
on
that.
It's
because
hold
on
server
post
configuration
unexpectedly
or
400.
It's
failing
to
reconfigure,
can
I
see
it
like
it's
failing
even
to
reconfigure
the
this
is.
This
is
actually
interesting.
C
It's
it's
trying
to
reconfigure
something
like
the
back
ends
and
it's
not
working
access
denied
that
called
400.
parameter.
Hey
hold
on
this
is
this
is
actually
nice.
Okay.
This
is
this
is
great
James,
okay,
here's
the
thing:
okay,
okay,
I
I
see
the
problem.
So
here
is
the
thing
we
have.
This
slash
configuration,
slash,
servers
internally
right
on
our
internal
part:
okay,
okay,
fine
and-
and
we
pass
a
Json
with
the
whole
configuration
that
should
be
set
on
nginx
right,
okay
and
when
they
enable
mod
security.
A
A
C
Yeah
short
term,
it
would
be,
but
I
can
take
a
look
and
do
and
ignore
that,
because
it
doesn't
make
sense
actually
to
have
much
security
running,
because
this
part
is
just
exposed
internally,
and
we
don't
really
don't
know
what
what
secret
is.
So
it's
it's.
Just
like
probably
adding
to
the
template,
saying
like
to
the
local
mod
to
the
local
configurations.
It
shouldn't
be
passing
too
much
security,
exact
rule
engine
should
be
off
for.
A
B
C
C
C
C
Yeah
yeah
I
think
you
can.
There
is
the
configuration
of
what
security
is
on
it's
it's
inside
the
server
definition
I
think,
but
we
can
set
mod
security
that
there
is
already
one
like
Insurance
Security
will
not
run
on
customer
or
pages,
and
we
should
probably
set
this
on
the
same
here.
This
is
the
line
we
should
set
this
to
the
internal
configuration
as
well.
This
one
I've
sent
that
to
you.
A
C
B
A
There's
no
snippet
to
change,
because
that's
all
internal
to
our
configurations
that
they
added
they
tried
to
do
something
on
localhost
it
wouldn't
work.
I
would
think
I
will
I'll.
Let
them
know
we've
identified
the
issue,
we'll
put
a
fix
in
for
182
and
let
them
know
what
the
actual
issue
was
and
if
they
want
to
change
it
on
their
side,
they
can.