►
From YouTube: Service APIs Office Hours for 20200902
Description
Service APIs Office Hours for 20200902
A
All
right
we're
recording
this
is
office
hours.
We've
made
it
into
the
month
of
september.
Everyone
happy
september
office
hours
for
september
2..
A
There
has
been
a
ton
of
progress,
usually
I'd
try
and
have
a
more
meaningful
pr
and
issue
triage
section
filled
out,
even
though
it
may
appear
that
there's
not
much
on
the
agenda.
Trust
me
there
is.
We
have
had
by
my
account
around
15
prs,
updated
in
the
past
week
that
have
not
been
merged,
yet
I
know
a
number
have
already
been
merged,
so
I
wanted
to
spend
a
lot
of
time.
Well
really
all
the
time
on
that
today,
but
I
figured
just
as
a
reminder
we
should
run
through
here.
A
B
A
A
A
Okay
and
yeah
tls
route
and
tl-
oh
there
is
a
pr
for
tls
on
rail
and
we
will
for
sure
get
to
the
yet
okay.
Okay,
thank
you
harry
for
making
this
somehow
I
missed
reviewing
this
entirely.
I'm
not
sure
how
I
know
it
was
even
mentioned
here.
Okay,
I
will
yeah
we'll
get
to
that
today.
A
Thank
you
for
all
your
work
on
that
we
got
the
route
filtering
in
request
viewing.
I
know
I've
reviewed
this
one
I
think.
Oh
I
I
know
I've
looked
at
it.
Apparently
I
didn't
leave
any
comments
yet,
okay,
more
to
cover
today
udp
route.
This
is
lgtm,
but
I
think
it
got
stuck
in
the
endless
endless
path
of
rebasing
all
the
things
I
think
it
needs
another
rebase.
A
A
B
A
C
I'm
trying
to
unblock
john's
removed,
protobuf
generation,
so
hopefully
it
reduces
some
of
the
stuff.
A
I
have
updated
this
back
end
policy.
Pr,
I
actually
haven't
respond.
I
need
to
respond
to
the
comments
on
here.
I
I
actually
have
resolved.
All
of
these.
I
just
haven't
had
a
chance
to
like
literally
a
few
minutes
before
this
meeting
and
did
not
get
a
chance
to
respond
to
harry's
excellent
feedback
here.
A
Conflict
handling,
there's
a
a
couple
pr's
in
the
works
here.
I
should
probably
add
one
more
linked
to
this.
Hopefully
we'll
get
a
chance
to
cover
them
and
then
finally,
status
and
conditions.
I
know
james
has
made
some
great
progress
with
this
doc
and
I'm
excited
to
see
it
transition
to
a
pr
and-
or
I
guess
I
guess
it
could
also
expand
scope
a
bit
for
routes
and
gateway
gateway
classes,
but
yeah.
I
think
this
is.
A
This
is
a
great
start
with
this
doc,
so
that
that
is
everything
that
I
am
aware
of.
That
needs
to
get
in
for
a
v1
alpha
one
release.
I
we're
we're
getting
close.
I
think,
and
I'm
especially
happy
to
see
all
the
activity
and
all
the
pr's
coming
in
this
week
and
with
that
said,
I
think
we
should
probably
review
and
review
some
of
them
and
see
if
we
can
unblock
a
number
of
these
pr's.
I
know
there's
there
is
a
lot
to
get
through.
A
I
know
mine
is
the
most
recently
updated.
Let's
start
from
the
bottom,
I
think
james
work
is
going
to
update
or
replace
this
gateway
polarity
work.
I
don't
see
damian
on
this
call,
so
I'll
leave
closing
this
for
a
little
bit.
I
think
we've
already
asked
somebody
may
have
already
asked
if
we
can
close
this.
D
A
D
D
A
Yes,
yes,
okay,
yeah,
that
sounds
good
harry.
I
know
you
have
to
leave
in
20
or
so
minutes.
Maybe
we
should
cover
some
of
your
prs
first
here.
Are
there
ones
any
particular
prs
that
you'd
like
to
cover
here.
B
I
think
we
probably
are
pretty
much
aligned
on
this
one.
I
just
want
to
get
a
sense
of
you
know.
If
this
is
essentially,
you
know,
mirroring
a
filter.
Mirroring
is
implemented
as
a
filter
and.
E
B
F
B
More
more
like
canarying,
and
that
can.
A
B
Yeah:
okay:
we
need
to
get
this
prn
to
to
finish
the
advanced
routing,
yeah,
epic
or
whatever.
We
call
it.
G
And
we
don't
necessarily
need
to
add
this
to
the
pr,
but
I
think
it's
important
that
we
have
some
kind
of
documentation
that
explains
it
with
a
mirror
or
the
mirror
filter
that
we
there's
there's
no
response
from
that
target.
G
A
A
Yes,
all
right!
Well,
this
I
mean
I
I
will
make
a
note
too,
to
actually
follow
up
after
the
meeting,
but
I
I'm
not
seeing
anything
I'll
have
to
check,
for
you
know
typos
or
something,
but
the
concept
seems
really
straightforward
to
me.
I
I
don't
really
have
any
hesitation
just
take
a
closer
look
afterwards.
A
Anyone
else
seeing
anything
that
is
unexpected
or
not
what
we
want
for
mirroring.
B
E
B
A
A
Yeah
this
remind
me
again,
I
think
I
think
you've
mentioned
it,
but
the
transition
from
plural
certificates
to
singular.
B
Yeah,
so
I
think
that's
the
same
comment
that
bowie
had
so
I
could
be
mistaken
here.
So
you
know
feel
free
to
correct
me,
but
I
think
the
previous
prs
was
more
about.
You
know:
here's
a
bunch
of
certificates,
sorry,
the
previous
api
was
here's,
a
bunch
of
certificates
and
the
proxy
or
the
gateway
has
to
ensure
that
the
right
certificate
is
served
for
the
right,
dls
handshake.
B
What
this
change
sort
of
goes
through
is
ensures
that
okay,
here's
my
host
name
and
please
use
this
sort
of
specific
certificate
drive
for
this
hostname.
Now
that
could
be
for
a
wildcard
domain
or
that
could
also
be
for
a
specific
domain.
I
mean
specific
host
name
right
and
this.
What
enables
you
to
do
is
you?
If
you
have
you
know,
certificates
that
are
even
incorrectly
or
badly
named,
you
could
still
use
them.
B
C
B
E
B
So,
let's
back
up
a
little,
so
can
you
scroll
up
a
little
bit?
Rob
I
think,
the
so
here
tls
config
is
inside.
B
I
think
this
is
hidden
in
here,
but
tls
config
is
inside
the
listener
element
inside
http
route.
The
listener
is
configured
either,
as
you
know,
a
wildcard
match
on
the
domain,
or
is
it
it's
configured
as
the
exact
match
on
the
domain
and
the
the
matching
of
certificate
follows
the
same
thing
right.
So
if
you
specify
a
wildcard
match
for
a
host
name
in
that
listener,
all
the
wildcard
you
know
subdomains
use
the
same
tls
config,
which
is
the
same
certificate.
D
The
thing
is,
you
don't
need
to
do
so
you
don't
need
to
do
matching
on
anything
in
the
certificate,
because
you
have
the
matching
kind
specified
as
part
of
the
listener,
and
you
have
now.
You
have
one
certificate
ref,
so
you
just
have
it
right.
You
don't
need
to
now
because
of
this
change.
You
don't
need
to
have
specify
any
sort
of
matching
process
through
the
slice
of
certificate,
refs,
correct.
C
D
B
B
C
G
What
about
this
use
case?
So
I
guess
the
use
case
generally
is
like
certificate
expiration
right.
So
if
we
get
a
route
and
we've
got
a
server
certificate
tied
to
that
route,
host
name
it's
going
to
expire
and
if
we
supported
multiple
certificates
as
that
certificate
was
getting
ready
to
expire,
we
could
add
the
the
upcoming
certificate
to
use
so
that
when,
when
it
does
expire,
the
the
new
certificate
can
be
used
from
that
list
of
certificates,
as
opposed
to
just
having
a
single
certificate
tied
to
the
hosting.
B
Yeah,
so,
okay,
that's
interesting,
so
the
way
usually
most
proxies
work
is
they
can
serve
only
one
specific
certificate
at
a
time
for
a
given
sni
right.
Even
if
you
configure
two
certificates-
and
you
know-
maybe
you
can
have
the
intelligence
baked
into
the
proxy
where
it
can
choose
the
right
certificate.
B
But
you
know,
as
far
as
you
know,
the
envoy
and
engine
x
I'm
familiar
with,
and
even
cloud
load
balancers
they
serve
like
a
single
certificate
and
expiration
and
rotation
is
a
little
easier
in
this
case,
because
you
can,
you
know,
sort
of
atomically
replace
the
certificate
that
you
want
to
solve
right
in
instead,
in
case
of
you
know
like,
if
you
have
a
cs
certificate
bundle
and
certificate
is
expiring.
B
B
C
C
Yeah
it's
an
interesting
thing.
It's
like
is
certificate
rotation,
something
that
is
the
future
of
the
distribution
of
certificates,
because,
as
harry
said
at
any
one
time,
there
can
only
be
one
so
people
just
make
a
time
period
of
validity
overlap
and
at
some
point
you're
gonna
have
to
switch.
But
it's
not
the
switching
doesn't
happen
at
the
proxy
layer.
It
actually
happens
when
you're
trying
to
distribute
it.
G
C
A
B
I
think
other
prs,
you
require
more
feedback,
and
this
like
asynchronous
feedback.
The
one
thing
that
we
can
discuss
rob
is
273,
which
is
probably
pretty
involved
where
we
are
talking
about
it's
a
little
down.
Thank
you,
yeah
yeah.
So,
where
we
are
discussing,
you
know
what
is
the
route?
Sorry,
what
is
an
action
versus
what
is
a
filter
and
this
pr
is
actually
pretty
small
it.
It.
F
B
And
I
think
that
is
all
it
does.
What
conversations
we
are
having
is
like
can
it
makes
that
can?
Does
it
make
sense
for
action
to
not
be
required
right,
and
there
are
definitely
some
cases
where
it
does
not
like
if
there
is
a
filter
which
you
know
performs
a
redirect
or
you
know
which
is
a
permanent
redirect,
maybe
it
does
not
make
sense,
but
then
should
that
like
redirect
be
part
of
the
action,
or
should
it
be
filter
right?
B
So
that's
that's
what
the
confusion
is
rob
has
proposed
something,
and
then
james
also
has
what
james
has
proposed
makes
a
lot
of
sense.
I
think
it
was
discussed
while
I
was
not
present,
but
if
we
sort
of
have
sort
of
a
general
agreement,
I
can
close
this
pr
out
and
you
know,
simplify
our
ghost
structs
to
update
what
james
has
proposed.
A
Yeah
for
context,
what
I'd
originally
proposed
was
that
an
action
was
kind
of
the
terminating
thing
it
was
forward
redirect
or
some
kind
of
extension,
but
I
later
on,
I
think
that
I
think
we
did
discuss.
This
is
a
james
proposal
here,
which
just
simplifies
everything:
it's
either
a
filter
or
a
forward,
and
that's
it
and-
and
I
think
this
is
really
straightforward.
D
D
B
C
A
The
way
I
saw
it
when
I
was
proposing
this
there
there
are
some.
You
know.
Filters
generally,
in
my
mind,
were
things
that
modify
an
action
and
actions
or
things
that
were
terminating
terminal,
in
the
sense
that
if,
if
you
had
a
filter
that
was
redirect
to
or
when
a
redirect
happens,
there's
generally
nothing
happening
after
that.
That
is
the
end.
Okay,
that's
an
oversimplification,
but
we'll
just
say
that's
the
end
and
that
you
know
this
forward
needs
to
be
optional.
A
A
I
think
I
think
I'm
in
favor
of
this
approach
as
long
as
we
suggest
that
forward
itself
is
an
optional
and
then
I
think
what
you're
saying
here
is
this
would
actually
be
http
forwarding
target.
Am
I
understanding.
E
A
And
at
that
point,
do
we
even
need
an
extension
ref
in
here,
or
can
we
just
have
forward,
go
directly
to
forward
to
target
and
extensions
happen
inside
filters.
D
I
think
we
do
need
an
extension
ref
there,
because
this
is
the.
This
is
basically
how
you
specify
the
hop
from
the
proxy
to
the
back
end,
and
that
seems
like
something
where
the
implementations
are
going
to.
It
seems
like
really
something
implementations
are
going
to
extend
like
quality
of
service
or
transport
security,
or
some
some
additional
some
additional
load
balancing
parameters.
B
B
C
B
Like
you're,
not
imagining
it
as
a
replacement,
yeah
yeah,
I
I
imagined
it
as
a
replacement,
and
it
was
like
thinking
more
like
service
level
config
and
the
problems
we're
solving
there.
That's
the
place
where
people
or
users
rather
can
modify
the
behavior
of
communication
between
the
gateway
and
the
next
hop.
A
Great
well
yeah.
I
I
appreciate
the
suggestion
here.
I
think
it
I
think
it's
a
great
one.
It
any
any
any
other
comments
on
this
pr
before
we
move
on
okay
harry.
I
know
you
have
only
a
couple
minutes.
Is
there
anything
else
you
wanted
to
cover
here.
B
No,
I
think
rest
of
the
pr
haven't
had
much
feedback
at
all.
So
just
you
know
asking
folks
to
take
a
look
at
it
and
then
you
know,
then
we
can
probably
have
some
discussion
in
office
arts
next
week.
A
A
Thanks
to
john
for
for
adding
this
back,
we
accidentally
removed
customized
support
so
yeah.
I
think
that's
good.
We
already
covered
this
just
go
ahead.
G
Rob
really
quick
if
you
click
on
that
add
customized
support.
There
should
be
a
link
to
a
pr
that
I
created
today.
That
goes
with.
That.
Did
I
reference
it
somewhere
keep
going
down,
maybe
fixes
install
make
target.
That's
thank.
A
A
Yeah
I
yeah
that's
my
this
is
my
only
comment.
I
think
I
think
it's
great.
I
noticed
actually,
as
I
was
doing
a
review
somewhere
else,
that
we
had
something
that
would
have
violated,
I
think,
go
format
or
at
least
go
lint
and
I
thought
well.
We
should
have
verified
catching
that
and
I
and
then
I
saw
this
pr
like
right
after
that.
Oh
okay,
thank
you.
G
It
because
we
ran
one
of
the
coup
builder,
make
targets
that
yeah
so
yeah,
I
I
haven't
looked
at
it
since
I
submitted
it.
So
we'll
take
a
look
at
your
feedback.
A
Okay,
cool
yeah:
it
was
just
a
simple
little
thing
of
we
had
format
and
vet
and
both
make
files
and
yeah
anyway,
cool
okay
covered
this
one
downstream
tls
certificate.
I
think
harry
had
mentioned
that
this
hasn't
gotten
much
feedback,
so
this
is
more
of
a
reminder
that
we
should
provide
feedback,
and
this
I
I
didn't
even
notice
this
pr
come
in.
A
So
that's
my
fault
for
not
already
giving
some
feedback
yeah,
I'm
glad
it
exists,
but
I
this
is
my
very
first
time
looking
at
it,
so
I
don't
have
much
to
to
add
at
this
point
other
than
that
we
should.
We
should
all
take
a
closer
look
whenever
there's
time.
A
Okay,
the
tls
route,
I
think,
falls
under
the
same
category,
except
it
has
gotten
some
feedback.
A
A
This
is
just
a
pure
cleanup
pr.
This
was
based
on
this
was
to
avoid
blocking
a
previous
pr.
I
think
it's
really
straightforward.
It
just
cleans
up
some
some
names
and
I
think
it
also
may
have
fixed
yet
it
does
fix.
This
would
have
been
a
go
format,
yeah
or
maybe
go
lint.
I
don't
you
go
lint
yeah.
We
don't
run
glint,
that's
why,
but
this
is
a
little
typo
and
a
couple
other
things
as
far
as
naming.
So
I
think
this
is
already
lgtm
and
straightforward
yeah.
A
Okay,
let's
keep
on
moving
our
way
up
here.
Okay,
this
one's
gonna
take
a
while
sure
we'll
get
into
this
one.
All
right.
I
was
really
lucky
to
get
some
great
feedback
from
tim
on
this
api.
A
I
spent
a
couple
hours
on
friday
going
through
the
api
and
reviewing
it
with
him,
and
he
had
some
great
feedback
and
I'm
going
to
try
and
clean
up
my
notes
and
make
it
a
little
bit
more
digestible
and
share
it
a
bit
more
broadly,
but
I
thought
it
was
good
kind
of
intermediate
intermittent
feedback
and
one
of
his
confusions
or
things
that
didn't
make
sense,
lined
up
with
something
I'd
done
but
never
loved,
and
that
was
the
allowed
route
name
spaces
on
gateway
class.
A
A
It
meant
it
made
for
a
relatively
messy
implementation
and
understanding,
and
so
we
talked
about
potential
alternatives,
and
this
is
my
interpretation
of
and-
and
you
know
that
he
did
not
say
do
exactly
this
to
be
clear,
but
I
I
think
this
is
a
good
step
in
in
the
direction
that
that
we
had
been
discussing
so
instead
of
having
a
loud
route
namespaces
on
gateway
class.
A
I
I
thought
why
don't
we
switch
this
around
and
make
the
authorization
happen
on
routes
so
for
a
gateway
to
reference,
a
route
in
a
different
name
space?
The
route
has
to
agree
to
it.
That's
maybe
the
easiest
way
to
describe
this
within
the
same
namespace.
Everything
just
works
by
default,
everyone's
happy
hurrah,
but
across
namespaces,
both
the
gateway
and
route
have
to
agree.
So
there's
some
kind
of
bi-directional
agreement.
I
know
we'd
already
discussed
this
kind
of
bi-directional
route.
A
So
with
that
said,
my
proposal
would
add
a
route
gateways
field
or
just
a
gateways
field
on
route
at
the
same
level,
at
the
very
top
level
right
alongside
posts
and
by
default
you're
not
going
to
have
to
touch
this.
A
The
default
implementation
here
is
going
to
be
allow
same
name
space,
so
it
says
gateways
in
the
same
name.
Space
can
use
this
route
and
that's
it.
That's
default
on
same
behavior
as
we
already
have,
but
we
also
have
two
other
ways
that
we
could
do
matching
allow
list
would
say
only
gateways
that
I've
specified
in
this
separate
list
will
be
able
to
use
this
route
or
secondary,
allow
all
which
means-
and
I
I'm
really
hesitant
to
even
add
this
option,
but
it
would
mean
that
any
gateway
anywhere
can
use
this
route.
A
And
it's
fine
that
I
I
don't
know
how
I
feel
about
that.
But
I
imagine
that
there
are
some
use
cases
where
it
could
be
helpful,
so
the
actual
struct
is
really
straightforward.
You
have
allow
and
a
list
of
gateway
references,
so
the
allow
by
default
is
just
going
to
be
same,
the
same
name
space
and
that's
it
every
everything
works
as
it
does.
A
Yeah
that
that
was
the
idea
here.
I
dramatically
decreases
the
blast
radius,
one
of
the
big
problems
with
having
this
kind
of
attribute
on
the
gateway
class
level.
Is
it
dramatically
what
just
had
a
massive
glass
radius,
a
change?
There
could
invalidate
tons
of
routes
for
tons
of
gateways
it
yeah.
It
was
not
great.
A
A
G
I
like
it,
I
think
it's
interesting,
because
I
know
we
were
going
back
and
forth
with
this
a
while
back
and
it
was
always
okay
does
the
gateway
bind
to
the
route
or
the
route
by
the
gateway?
And
this
is
essentially
saying
it's
like
a
two-way,
binding
yeah.
I
like
it.
D
Isn't
I
thought
so
the
the
original
notion
behind
the
allowed
routes
wasn't
that
too
basic?
My
understanding
was
it's
basically
to
prevent
bad
actors
in
the
cluster
from
injecting
things
into
the
gateway?
A
It's
so
because
it's
bi-directional
the
way,
the
way
I
imagine
implementations
are
going
to
do
this
is
first
they
will
select
every
route
that
matches
whatever
the
gateway
route.
Selector
says
it
should
select.
So
that
includes
the
list
of
namespaces.
It
should
look
in
and
well
yeah
and
whatever
labels,
whatever
labels,
it
should
look
for
on
those
routes
and
then
from
there
when
it
gets
that
list
of
routes.
It's
going
to
look
at
this
gateways
attribute
on
each
one
and
say
no.
I
can't
use
this
one.
A
A
If
a
route
existed,
it
could
be
selected.
That
was
the
problem,
and
so
this
adds
some
basic.
You
know
security,
I
guess
you
could
say
your
authorization
that
one
ensures
that
by
default.
A
C
D
A
Yeah
yeah,
so
that
that's
true,
I
I
think
it's
a
it's
a
it's
a
reasonably
safe
compromise,
in
the
sense
that
if
you
have
a
route
owner
and
a
gateway
owner
agreeing
to
something,
it's
probably
a
fairly
safe
thing
to
do
what
the
the
issue
we
had
with
the
gateway.
One
of
the
issues
we
have
of
the
gateway
class
level
authorization
field,
the
allow
route
namespaces
is,
if
you
wanted
different
variations
of
that,
you
actually
had
to
create
an
entirely
new
gateway
class
which
felt,
like
you
know,
maybe
not
ideal.
A
You
know
this
external
load,
balancer
gateway
class.
Can
you
know
I
don't
know
reference
routes
in
these
three
namespaces
and
this
other
class
can
reference
routes
in
these
other
three
namespaces
that
that
felt.
A
You
know
not
ideal
that
that's
just
my
perspective
on
this,
but
is.
Is
there
any?
Are
there
any
particular
controls
that
you
think
we're
losing
here
that
are
significant
or
that
that
we
can't
communicate
well?
This.
D
Yeah
yeah,
I
think
it's
just
changing
the.
D
So
obviously
you
had
previously,
you
know
you
from
the
gateway
class.
You
trusted.
You
specify
that
you
trust
some
namespaces
to
create
gateways,
but
you
scoped,
you
also
scoped
the
routes
so
now
you're
just
you're
delegated
now
the
gateway
class
is
delegating
more
trust
down
to
the
gateways
to
say,
okay,
we
trust
you
to
do
the
right
thing
with
with
routes
in
in
general,.
A
D
Yeah,
that's
true
which
doesn't
seem.
I
mean
it
seems
pretty
it's
much
more.
It's
consi!
It's
more!
It's
consistent
with
the
with
ingress.
D
A
Is
it
I,
I
think
it's
going
to
address
the
critical
ones
you're
right,
that
it
won't
address
all
of
them,
but
I
think
at
least
from
my
perspective,
as
I
was
initially
working
on
the
security
model.
I
one
of
the
big
concerns
was
that
a
gateway
could
reference
any
route
if
it
could
reference
routes
across
namespaces,
it
could
reference
anything
and
there
was
really
almost
no
control
of
that
that
we
had
no
meaningful
authorization.
So
if
you
let
someone
create
a
gateway,
regardless
of
what
namespace
that
gateway
was
in,
it
could
reference.
A
I
I
admit
that
there
there
still
is
you
know
with
this
model
we
we
are
delegating
more
trust
to
admins
of
both
gateways
and
routes,
because
somebody,
you
know
the
you
know,
bowie
mentioned
fat
fingering,
the
the
new
version
of
fat
fingering
or
you
know
whatever
would
be
creating
a
route
and
letting
anything
target
it.
You
know
the
the
allow
all
kind
of
thing
that
that
is
the
new
risk
model
of
somebody
created
a
route
somewhere
and
let
any
gateway
target.
A
You
probably
shouldn't
do
that,
but
if
you
did,
that
is
that
is
a
real
risk
here,
but
the
beyond
that.
The
only
other
way
to
allow
a
gateway
to
reference
a
route
is
act
outside
outside
of
the
same
name.
Space
is
to
actually
list
that
gateway
as
a
reference,
and
that
feels
pretty
safe
and
very
clearly
intentional.
A
I
didn't
want
to
require
that
for
everything,
because
that
that
felt,
like
a
you,
know,
a
lot
of
overhead
to
always
have
to
reference
the
gateway,
especially
in
the
same
name
space,
but
I
think
for
multi-name
space
references.
We
want
it
to
be
very
clear
that
this
route
is
being
referenced
by
this
gateway
way
over
here.
A
So
maybe
maybe
an
argument.
Maybe
this
is
all
an
argument
to
remove
the
option
of
all.
Maybe
we
shouldn't
even
consider
that
maybe
we
should
only
allow
same
name,
space
or
list.
I
don't
know.
D
D
A
Yeah
yeah
yeah.
I
appreciate
that
and
I
did
try
to
update
that
like
I
did
update
the
security
model
dock
here.
So
I'd
appreciate
some
review
on
on
this
section
as
well.
If
anyone
has
time
to
take
a
look
but
yeah
it
is,
it
is
a
change.
It
is
definitely
a
change
to
how
this
is
implemented.
A
Okay,
well
thanks
thanks
for
the
feedback
on
this
one
I'll
move
on
to
the
next
one,
because
I
know
there
is
still
lots
less
to
get
through
here.
This
one
is
also
mine.
A
It
updates
parameters
ref
there
for,
for
the
longest
time
we
had
a
problem
in
the
spec
that
said
that
inferred
that
the
local
object,
reference
that
is
parameters
ref
on
gateway
class
should
reference
anything
in
any
namespace,
but
we
didn't
actually
have
a
way
to
specify
namespace,
and
so
the
godoc
did
not
match
up
with
what
was
actually
possible,
and
so
my
initial,
my
initial
pr,
was
actually
the
complete
opposite
of
this
and
I'll
bring
that
up.
Just
for
a
bit
of
context.
A
Back
in
the
day,
I
made
this
pr,
which
was
hey.
We
should
add
a
namespace
to
parameters
ref
inside
gateway
class,
so
that
we
can
optionally
reference,
namespace,
scope,
resources,
and
so
you
know
I
thought
okay,
this
makes
sense.
A
But
before
I
went
any
further
with
this,
I
took
this
to
sig
network,
the
broader
community,
because,
as
you're
aware
gateway
class
is
entirely
parallel
to
the
ingress
class
resource
that
exists
in
the
ingress
api
and
we
also
intentionally
opted
not
to
add
a
namespace
reference
there
and
the
rationale
at
that
point
had
been.
We
should
be
referencing
crds.
We
want
the
crd
validation,
we
want.
You
know,
there's
very
minimal
advantage
over
referencing,
say:
namespace
scope,
config
map
over
just
annotations.
A
So
that
was
and
and
then
the
the
last
part
bit
was
that
any
kind
of
parameters
should
at
least
in
theory,
exist
at
the
same
level
of
as
the
gateway
class
as
the
thing
it's
being
referenced
by.
A
A
The
overwhelming
response
that
I
got
was
that
we
don't
want
to
do
this
for
ingress
class
and
given
that
we
didn't
want
to
do
this
for
ingress
class,
it's
very
hard
to
argue
that
we
should
do
it
here.
It
seems
like
if
we
want
to
do
it
here.
We
need
to
convince
the
broader
sig
network
community
that
it
should
be
done
elsewhere.
A
A
Right
now
is
inconsistent
and
we
should
make
it
clear
that
this
is
meant
to
reference
a
custom
resource
at
the
cluster
scope,
one
other
bit
that
if,
if
anyone's
still
on
the
fence
here,
I
it's
a
lot
easier
to
add
a
namespace
field
in
the
future
to
allow
names,
namespace,
scope,
references
then
to
remove
it
so
not
having
it
does
not
mean
we
can't
have
it
in
the
future
it
just
we
don't
have
it
right
now.
A
This
is
consistent
with
ingress
class,
etc,
and
really
all
this
pr
is
doing
is
cleaning
up
the
docs
to
match
what
is
actually
possible
right
now,
yeah.
That
is
a
really
high
level,
actually
not
that
high
level.
A
background
of
this
pr.
A
With
all
that
background,
does
anyone
have
any
any
thoughts
about
this
whole
conversation?
I
know
we've
had
some
strong
opinions,
one
way
or
the
other.
As
far
as
this
does
anyone
feel
strongly.
That's
in
this
group
here.
A
Okay,
definitely
leave
some
comments
on
this
pr
it.
It
does
seem
like
a
relatively
straightforward
pr.
It
just
happens
to
have
a
lot
of
history
behind
it
that
this
pr
on
its
own
may
not
show.
So
I
wanted
to
provide
a
little
bit
more
background.
I
have
linked
to
it
further
down
here,
but
yeah
I
I
will
leave.
I
will
leave
this
this
pr,
as
is,
if
anyone
has
more
thoughts,
feel
free
to
to
add
a
comment.
There.
A
Okay,
I
see
our
pull
request.
Number
is
going
down.
We
must
be
getting
some
prs
in
oh
yeah,
the
ones
that
okay
cool,
the
other
ones,
I
think,
are
all
actually
fairly
straightforward.
I
think
this
is
worth
discussing
as
a
broader
group.
It
feels
weird
to
me,
but
I
was
generally
fine
with
it
at
the
end.
A
I
tcp
route
match
is
one
that
we
have
it's
just
an
extension
wrap
like
we
don't
know
how
to
match
tcp
routes,
so
it's
just
an
extension
to
do
whatever
you
want.
I
guess,
and
the
weird
thing
here
is
the
idea
that
we
should
pluralize
it
to
be
consistent
with
what
we
have
elsewhere.
A
A
D
Guess
my
rationale,
for
that
was
that
an
implementation
could
have
three
or
four
different
extension
refs,
that
expressed
different
kinds
of
matches,
and
it
would
be
awkward
to
then
have
to
have
another
extension
ref
which
just
basically
pluralizes
the
field.
A
That's
fair,
that's
fair,
yeah,
I'm
really
interested
in
what
what
these
extensions
are.
What
what
these
match
extensions
might
end
up
looking
like,
but
it
seems
like
a
pretty
low
risk
change
and
it
is
consistent
with
the
other
route
types
so
cool.
E
I
guess
just
depend.
A
We
we
are
quickly
running
into
this.
I
I
don't
want
to
call
it
a
problem,
but
it
is
a
an
issue
that
will
become
more
common
as
we
introduce
more
route
types.
It
means
you
know,
for
the
sake
of
consistency,
we'll
be
changing
the
same
field
multiple
times
across
multiple
routes,
not
the
end
of
the
world,
but
it
is
just
something
we'll
be
doing
more
of
all
right.
I
think.
Let
me
double
check
here,
damian's
pr.
A
We
briefly
discussed
to
install
the
make
target
yeah,
let's
yeah,
let's,
let's
cover
my
my
back
in
policy
thing
here,
real
quick,
so
I
got
some
great
feedback
from
harry
on
this
one.
We've
already
talked
about
back-end
policy
and
I've
dramatically
simplified
it.
It
is
just
tls,
config
harry
pointed
out
that
it
made
no
sense
to
use
the
same
tls
config
type
here,
because
we're
talking
about
basically
client.
A
You
know
config
at
this
point,
so
I
have
added
a
backend
tls
config
that
includes
client
certificate,
ref
and
certificate
authority,
refs
and
options
options
being
the
same
thing
that
exists
in
tls,
config.
A
This
seems
relatively
straightforward
at
this
point,
but
I
I
don't
pretend
to
be
a
tls
expert
either.
So
I
appreciate
any
kind
of
feedback
here.
A
A
Well,
okay,
so
the
argument
is
like
say,
nginx
or
or
something
like
that
it
provides.
I
think
they
call
it
a
trusted
certificate
or
something
like
that.
But
an
envoy
has
a
similar
concept
and
the
idea
is
that,
if
you're
using
a
self-signed
cert
or
something
like
that,
you
can
provide
your
kind
of
custom
ca
here
for
validation.
D
D
So
I
guess
I
missed
the
context
on
this
a
little
bit
my
attention
wandered,
so
I
apologize
is
the
idea
that
in
the
client
certificate
ref,
you
have
your
just
your
certificate,
but
then
you
have
the
ca
bundle
in
the
certificate
authority.
Refs.
C
D
D
I
I
know
bowie
looked
at
my
my
pr
to
kind
of
I'm.
I'm
doing
air
quotes
now,
but
you
can't
see
I'm
doing
air
quotes
standardize
this
upstream,
but
there's,
I
think,
but
the
usage
of
that
key
is
different
in
ingress
nginx.
D
So
I
think
there's
kind
of
consensus
across
the
ingress
community
that,
in
a
secret
ca.crt,
can
be
used
to
store
a
a
ca
bundle,
but
there's
not
consensus
around
which
certificate
that
ca
bundle
corresponds
to
whether
it's
the
ca
bundle
of
the
peer
you're
validating
or
this
or
the
ca
bundle
of
the
certificate.
That's
in
the
same
secret.
A
D
Yeah,
I
guess
this
ties
into.
I
know
micah
described
how
openshift
deals
with
tla
secrets,
specifically
too,
so
you
can
kind
of
have
least
privileged
ingressors
that
don't
need
to
be
able
to
have
access
to
all
secrets.
But
I
think
that
feels
like
that.
Specifying
that
feels
like
a
larger
post,
be
one
alpha.
One
task.
E
A
Okay,
well,
I
know
I
know
we
we
have
gone
over.
Thank
thank
you
to
everyone
for
the
feedback
here.
It's
very
helpful
I'll
update
the
pr's,
I'm
involved
in
and
yeah
we'll
talk
to
y'all
soon
have
a
good
rest
of
your
day.