From YouTube: Contour Community Meeting - July 16, 2019
A
B
Okay, so if you need to spin up clusters locally on your machine, there are a couple different ways to do that. I used to run a Vagrant box and I would do a kubeadm init to build me like a cluster locally, and then minikube is another thing that you can use, which again spins up a VM on your machine, and it's been around sort of longer than this next we're going to talk about, so it works.
B
Well, the difficulty with, with minikube, I think, is you can only do a single-node cluster, so this other tool has come out which is called kind, and it stands for Kubernetes in Docker. That's what the kind comes from. So what it does cool is that it uses only Docker under the hood to then build out a cluster, so this now allows you to spin up.
B
B
So another cool thing about kind is it's fast, so you can basically spin up a cluster quickly, kill it and recreate, create a new one, which is nice. So being that I use kind a lot, I figured I would document some of this in a blog post, just to kind of walk through in a little more detail kind of how this works. So, if you want, you can watch a video. I did a whole YouTube video on this.
B
That again walks through this whole thing, which is what fun, sometimes, if the fill in the missing gaps that the blog post name is, but the, the big, the big steps to get this running are: first, you need to go to get kind on your machine somehow, and it's just a little binary. Once you have that, and we can go ahead and create a cluster.
B
So the normal way to do it is you just say kind create cluster, and that's going to create you a one-node cluster, but for what we're going to do with Contour here we want to pass in some configuration things, and you can do that with kind through one of these configuration files, and out here on kind there is a whole docs section on what that looks like. I think it's under, under here, down here at the bottom, yeah. So here you can talk about enabling different features and stuff and you're in your cluster.
B
So have a look at that. That's, it's, it's, it's a good thing to look at in terms of like how you want to create multi-node clusters. You can even do an HA control plane and kind of get really, really intricate with, with some of this testing. But we want to focus on today is this way that we can pass in basically port mappings. So the problem with kind in the past was that when we spun up Contour, there was no ports, or there weren't any ports exposed to
B
Let us send traffic to Contour and then subsequently Envoy. So now what we can do with this new config, and this is in the 0.4 release of kind, is we can pass in this configuration file, and what this does is, and this is my example, you could change it to your, to your own liking, but here I'm gonna map port 80 to your host as well as port 443. You may also map like a node port, you know, in the 30,000 range, something like that, but what I want to do is kind of mimic
B
What I would do out in my, you know, production environment or staging environment, and that would be sending request at 80 and 443. So basically, if you save this to a file and then pass it into the kind create command, you'll basically create, you'll get a mapping of port 80 to your host, which is, which is cool. Now, the only downside of this is because you only have one port 80 on your local machine, you can only do this. We only have a one-node cluster, one-node worker cluster.
B
So that's the only caveat you have to, to look at, which I think I note here. Yeah, cool. So once you have that up and running you can go ahead and deploy Contour, and I'm using the DaemonSet on the split model, which I think Dave's gonna talk about some of the work we've done with that recently. This is where you deploy Contour as a Deployment and then Envoy as a DaemonSet, so it runs one instance on every node, and then also in this model we use this thing called host networking.
B
So when the pod spins up it binds your port 80 or 443 directly to the host, which is great because now that we bind that to the host, because we've configured the port mapping back to your machine through this, you basically have a full path into your, into your cluster. Now, once you have that running, then you can deploy your applications and get things running and test it out by, I
B
Think, guys, use kuard.local, yeah, so a request sent, sent to kuard.local, and then that gets routed to your Docker node, which gets, hits Envoy, and, and the request gets, gets fulfilled by the, the backend service. So have a look at that. If it has any questions, I can go through that or we can look at it more if we have time.
A
B
Sure, so yeah, so once you have your, because you've got this path now into your, into your ingress controller. So, typically, if you deployed this to AWS, you would spin up some sort of load balancer, so like an ELB or an NLB or something like that, and you would direct all your traffic at that load balancer, and that load balancer would send traffic to, to Contour. We've sort of done that the same way now, so everything on localhost is now getting routed to Contour, or Envoy.
B
So in this example, we're matching the slash. So this domain name kuard.local and then slash is getting all of the requests. So we could create basically new names if you wanted to, so I could create, like, you know, steve.local or whatever domain name I wanted to, and I could create new paths as well. So, you know, slash blog goes to a different service, and then when I hit that path locally, you know, Contour and, and Envoy are gonna then redirect the traffic to the right backend service. Cool.
B
B
We talked a little bit about, you know, a Deployment or a DaemonSet, why would use one or the other, and then also how to do things like minikube as well as in kind, so there's again some more documentation here outside of the, the blog post and how to test and stuff. So that's a good place to check out as well.
C
C
C
Is it change direction landed in 0.13. Prior to that, because of a long-running limitation in Envoy I way, basically needed you to tell it the port that the request was going to come in on. So for, so in kind of like in production settings you've got, your ports are gonna be 80 and 443, but in setups like kind and especially minikube, which kind of just choose a random port when they start up, you need to cut you there.
C
There is a requirement to thread that kind of ephemeral port all the way through all the different, to Envoy and then to any mappings and things like that. This was just so that, because when you actually type in like localhost, you know, :55555, some browsers will actually include that suffix, that, that port number in the Host header, and then it wouldn't match what I'm boasting, nothing, nothing works. So prior to 0.13
C
We, we had to ask you to tell us the numbers, the port numbers that we're using, with these two flags, Envoy external HTTP and HTTPS port. That was super annoying. Fortunately, in 0.13 we figured a way around this, and so that's how we can make user experience for not just kind deployments on laptops, but just in any situation where you don't necessarily know the port that's going to be forwarded through to Envoy. So this is, this kind of way of saying it used to be really annoying and we fixed it.
C
C
So, since the earliest days we've had this directory of different deployment examples. Kubernetes is very flexible. You may want to deploy Contour and Envoy in a bunch of different ways. The obvious one is DaemonSet or Deployment, like it, and that, the next extension of that is to maybe split them between, split the life cycles of Contour and Envoy into separate pods, and that's what this ds-hostnet-split is.
C
This, this very, this differs from the other examples that you have in the, rather than deploying a pod with two containers in it, it deploys to a part two different sets of pods, one right into a DaemonSet, which are the Envoys, which are on the host network, and the other writing to the Contours, which are the control plane, which are just a standard Deployment kind of, kind of thing. This means that the life cycles, these two different processes, are different.
C
So that's why, when you'd go down a model like this, this is something we've been doing for over, it for over a year now. But one of the drawbacks in this model is the authentication of the probe. The communication between Contour and Envoy is not based on kind of like my keys and passwords or things like that.
C
A
C
C
C
C
So let's apply the, the hostnet split. Let's have a quick look. It's, so now we have separate pods for Contour and Envoy. We can see now they have one of one. It's just quickly, so they are, now have separate pods. One, if one is driven by a Deployment, which is the Contour, so that has just a set, a small set of replicas, we just have two in this example, and the Envoy DaemonSet, sorry.
C
Is Envoy, is a DaemonSet. We have one per node, so as the number of nodes in this cluster goes up and down, it can follow that. We also have a Job, which I'll come back to in a second. So it's to see if they're all up and running, so I just need to pause for effect. Because, because we've split them, they now have separate services.
C
C
So this is, this is the Envoy DaemonSet. This is the spec for, the spec for it, and if we go down, we see that the only real difference between how you may be used to the Contour deployment looking is that there is now a configuration, configuration volume and also ones related to certificates. We're using what people call mutual TLS. It is a, we have created CA, that CA then signs two certificates, one that Contour holds, one Envoy holds, and because they're both signed by the same CA, they trust each other.
C
That is, that is the, the authentication mechanism. That, so as well as mounting those secrets in volumes and then referring to them, refrains them later, nothing's really changed. There are, there are some small, small changes to the boot, but the bootstrap configuration just to say: you'll find, use certificates and you'll find them here.
C
C
That's okay, so all this curl line is saying, when curl expects to talk to HD Bindo tiptoe, Cheney, 443, I actually connect to this IP address. So it's an easy way of doing hosting hacking, but like localhost, /etc/hosts hacking, and I reckon we've been fast. Then, yep, that's, that's running, so we now have a split Contour and Envoy deployment running. You saw that there was no configuration that I needed to do, like it was just applying the straight
C
The example, the example, yeah, and we have, and the communication between Contour and Envoy is now secure. So if you don't trust the underlying network, we and interesting at network environments, your, your services deploy it into now. Now there is both authentication and authorization between those two, between those two. Nobody can connect to Envoy's gRPC service unless they have Contour certificate, and those, both those certificates live inside, live inside the Contour namespace. So if your RBAC is working as, as appropriate, then people can't access that.
A
C
Let me talk a little bit about that, because, if, even though in the, in these examples they, this is very pithy, kind of these certificates just come from somewhere, actually doing that, that mechanics, if you were to do it by hand with OpenSSL, is a little bit annoying. CA, you have to make a key pair. You have to then create a pair of social scientific codes. You have to push them all answer so difficult. We outline all of like this.
C
This document is how you could do it by hand. If you wanted to do it by hand, this is how you could do it. However, what we provide is a Job. Now the way that, so, when you first deploy the hostnet example, there's actually Job in there, which is a different contour command. It's called certgen. Just like you used to bootstrap, it will create these certificates.
C
There's no, there's no requirement for these certificates to be signed by like a public certificate authority. It's literally, the thing that secures all this trend is a random number. We make up, the certgen makes up a random number. It creates two other random numbers based on the first one and then throws the original random number away, so it cannot be used. So if we look at the, the, the secret.
C
We only have the, like, part of the secret. We've thrown away the private part, which means isn't this cart. This is not a general-purpose certificate generation mechanism, it, it, it just does enough to generate the, the parts that Contour and Envoy need and then throws away the rest. So can't you, even if this CA leaked out it couldn't be used to sign additional clients. But this is how we've automated this long and annoying OpenSSL process, which you may not even have OpenSSL on your machine, in Windows, or something like that.
C
C
Which runs once, so you don't need to brand every time, and the Job actually generates a certificate, right to that, there's secrets, and then I, we say it's an idempotent, if you've run it again, won't do anything. So that, that's how we populate the secrets for you, if you don't have another mechanism of doing it. This is just so we can keep a nice kind of first user experience. To come back to what I think your question was, Jonas, if you don't want to use this, that's totally
C
C
We expect, if you are in an environment that cares a lot about TLS between all the different services, then you probably have some internal key service, like maybe using something from AWS and the service no means. Maybe you've got Vault running internally, something like that. If your environment already has the process for creating and signing certificates, not as part of like, part like public-facing change, but just a secure transmission between different parties, then all you need to do is provide, again, we
C
We lay out the three things you must do. You must have a certificate in this, in this secret, with the key of that name. Same for Contour, same for Envoy. If you, if you don't want to use the thing that we wrote and you want to use Vault or something like that, or maybe you have made, maybe your, your admins are totally fine with doing it by hand, by necessarily have some kind of deployment mechanism, some Ansible or something like that, will do that for you, go right ahead.
C
A
C
That's really, that's really up to the position of your admins in your security team. One of the, so what, one of the, because the communication between Envoy and Contour is not based on kind of like username and password or something like that, in, if you don't use TLS in this connection, or you don't use client-side certificates, anybody who can make a connection to the Contour's xDS, by Contour's endpoint, can ask questions as if it was Envoy, which means they can ask for any of the configuration, including secrets, including endpoints, things like that.
C
So when Contour and Envoy are co-located in the same pod, that communications they below co-host, that's not a concern. When they're separated into different, into different pods and they communicate over the network, there is a potential that, if you don't trust all the parties in your cluster networking, then a rogue process can connect to Contour's endpoint and say, tell me all the secrets. So, you know, so that's the, that's the threat model that we're protecting. It's perfect.
C
Thank you. To give a little bit more of, a little bit more background of where this, this is going. This is more than just the particular security, in terms of that, we want to, the design that probably most of it, I used to with Contour and with being co-located, has a number of limitations. It was great for getting started, as pretty good getting-started user experience, but it has both scaling limitations and kind of operational limitations.
C
The scaling ones are obviously every Envoy you deploy kind of has a Contour that goes with it. That's necessary one Contour can serve all the Envoys. That's like the reason for a data plane, control plane split. The second one is that Envoy, er, Contour watches a lot of things in the Kubernetes API: watch all the endpoints, all services, all IngressRoutes. I don't have a good kind of like cost estimate for what that kind of watching costs, but you can imagine watching all the endpoints in a busy cluster is a lot of traffic.
C
Splitting the Contour and Envoy apart allows, allows administrators to size Contour, the data, the control plane, to a different sizing shape to Envoy, the, the serving data plane. But you may want one, two, three Contours, just to give you kind of some, some redundancy, and I'll come back to that in a second, and you may want as many Envoys as you have hosts in your fleet. So that's, that's, that's a, one of the reasons for making, for investing in this split model.
C
The second one is that the data plane and the control plane have different life cycles. Envoy's roughly on about a three-month cadence; Contour is on a much, much shorter cadence.
C
Some of, most of the configuration that is not kind of read through the Kubernetes API is provided to Contour in the form of CLI flags. If you want to change those flags, you need to bump the deployment. At the moment, because Contour and Envoy are in the same pod, changing Contour means you roll both of them. It would be nice not to, it would be nice not to have to have a roll of Envoy, on voice of the Envoy process, and losing, eating in-process connections
C
Just because you wanted to change something about your control plane. So that's, whether that's one of the more kind of fundamental reasons for going down that, the process of this split. We want them, we want to have them to have different life cycles because they do have different life cycles. They, I
C
Ideally, if there is no requirement for the operators to change the version, change their version of Envoy, they should be able to change the version Contour frequently, because the Envoy doesn't need the control plane. It's not involved in ending the transmission. It's only involved in changing configuration. It's totally okay if Contour goes away for a little bit while it's being restarted. We want to enable that.
C
And I, I alluded to, I alluded to, like, some kind of, you know, one, two or three Contours. One of the things that is coming up is that we're going to implement leader election in Contour, just so it's more like some of the rest of the Kubernetes controllers, which will mean you have a small set. Most of them sit idle until they win the leader election. Then they become the must, then they become the, the leader of the, the process group. That, the pod goes away, comes back, sits, might still, it becomes a nice.
C
That's the common pattern of the way that leader election works. It's like Kubernetes, and again what, what that will mean is, if you have, say, three Contours deployed, only one of them is actually going to be active, it's only actually offering the listening port, and so as leader election changes between them, the cluster IP changes, and so the Envoys that are communicating with their cluster IP will move to the, move to the leader of that group. I'm trying to say master, it's another, not am a good term anymore.
C
C
26, I think, which was next Friday. Given that two-thirds the team are going to be on, traveling around leave in a week, we've moved it forward to, to this Friday, just because, for this no reason why Steve should sit around by himself just waiting for a week to, to do the release. I figure we do it this week and then get started on 0.15. In terms of the user-facing features, the big one is securing communication between Contour and Envoy. That's the big thing we've been working towards. This has been a lot of plumbing
C
In the background that's had to change, but in terms of user-visible, using visible features, nothing. No, there are, there aren't that thrown a lot, it's not like zero update and we had a whole laundry list of other physical changes. Most of the, the work has been behind the hood. Steve, do you have any, anything to add today? I was
B
Trying to think, because I got that, I got to work on some of those release notes for the release. No, I mean, that was a lot of it. There's a bunch of little things, I think, that add up to be, it's kind of that, you know, the, what's that term, the death by a thousand cuts, you know, like where there's a bunch of little things we fixed. I know there's a PR
B
We have now in process to not trigger a DAG rebuild if an unrelated secret or service changes. That would be kind of a cool effect on larger clusters. So, you know, your ingress resources use secrets and services, and most of, not most of them, but a large percentage of them, I think, are not ever referenced from ingress, but what's happening today is if random service or secret changes in the cluster, Contour sees that and triggers rebuild, which is just expensive, and it's wasting time for, for Contour, so that mean can help for certain things.
B
C
Yeah, yeah, think they're, that they'll be, there'll be a bunch of things we're gonna call out in release notes. For example, there are, so there were some flags, Milan flags, which were deprecated in 0.13. We print a warning, saying yeah, please remove these. We've, we stopped listening to them in 0.14, they're going to, they've been removed. So actually, if you have a deployment that still references them, Contour is not going to start the, this.
A
C
Sorry, go ahead. Say that there's, there's, there's something that I, I, I want to call, that Envoy 1.11 was released, of a guy, he was within the last seven days. We have not, we're not going to, we're still holding the line that Envoy 0.14, its competitor, Contour 0.14, its companion is Envoy 1.10. There is three zijn for this.
C
Is it arrived late in the cycle, but the more, the more important thing is that any of the things that we would like to take advantage of that are in Envoy 1.11 would require code changes on our side. So there is no point in upgrading Envoy and until we, until we have changed Contour to emit the right configuration to activate those features.
C
So it's a mixture, in a bun, of an abundance of caution as well as there is no driving need, but Envoy 1.11 will be, like, that'll be one of the first things that goes into 0.15. So if you're, if you're wondering, hey, there's no way really slash like, why are we still running the old one? That's the answer that.
A
A
D
Sorry David, so that's what support for adding and removing headers. I had a crack at it, wow, for about a year or so ago and didn't get time to, I say, do it properly, and it was one of these things where I kind of needed it so I just coded it and threw it out there, and, well, rightly, it didn't get merged. So I was wondering, like, I kind of want to get support added into Contour, and do it correctly this time, so I'm wondering here's what the next steps are like.
C
So the usual way that we, we approach this is say: what's, what, what, what, why do you need to add, remove, remove headers? Is there, like, what would that ability let you do? Well, is that, what is there, kind of, underlying driver? So.
D
There's a couple of use cases. One, I want to be able to set like HTTP Strict Transport across everything going through our game boy, everything basically going out of our, like, site, and we also want to be able to sanitize headers coming in. There was also a request, as we ought to be able to add a specific header for, he was linking the, there's a couple different use cases I have that first currently, so.
C
The, one of the ways that we can, we can kind of pull this apart is to separate each of those use cases. The, so to explain the, the problem that my team has is that every feature we add to Contour is not just, obviously it's things that people want, but Contour is a commercial product, like we, we sell commercial support on, so everything that we add, it can't just be our, like, someone, Tom was using this.
C
It was useful for them, like, I don't know if it works, like it seemed to work for them. Like every feature that we add, we have to stand behind a tucum at a commercial level. So when, when we're looking down the barrel of very large features like the ability to add, remove and rewrite headers arbitrarily, that carries with it a very big support cost. So the way that, the way that I've tried to approach this is to pull it apart into the, the underlying requirement, so, for example, Strict Transport Security, I
C
B
C
We don't need to add a, we don't need to add the ability to set that header, and that people have to get the spacing and casing and hyphenation exactly right. We just took, we just turn it on by default, yeah, but with, with an option, just like we have the permit insecure, he said: I want to opt out of. This would have also an option says, you know, disabled HT, HSTS, something like that. Okay.
D
So one, I'm not sure if that, it worked too well from my use case, because I've got basically one ingress but we're using it for gRPC, as well as like web applications, like website. So I don't, there's not much point setting, setting the header on the gRPC, like, requests or responses, but for like the other sites, there is.
C
Okay, so if, this would definitely be at the IngressRoute, that is going around the virtual host, and attempt, potentially, if it needs to be down at the sub-route level. So that, there are really three places that we can talk about configuration, which is at the Contour level, like that is effectively for the cluster, like those are flags which are on Contour the process, and so an administrator, basically, to give you an example, as one is permit route namespaces, which is, Contour will only look in these particular places for IngressRoute records.
C
That's a cluster-wide change. The next, you know, scope of that is the virtual host, just that the IngressRoute route, which is the details about the particular Host header, its TLS properties, and then the next one under that is the particular route prefix. Just we, and we, we, to give an example there, at a per at level, you can opt into WebSockets.
C
D
Okay, what about other headers that aren't, like, I say, common or like standard things? So there's like the Strict Transport Security, yeah, sure, you could, you could set up, like, have a specific point before that. The other use case I was mentioning, that it was like setting a specific header for Linkerd, yeah.
C
So I, I, I fully, fully admit that this is, like, by, by taking the general facility and trying to find specific use cases, that we still, we're not solving the general problem, but the general problem is large and requires our support people to be experts on every possible permutation. This could be, this is, this is somewhat of a decision it's out of my control, so.
C
The, what I can offer is that we can work towards solving, solving individual problems, but getting, adding the general support for editing and rewriting, that will definitely a design document, and it's going to need a lot of buy-in from a lot of people. OK, so my, my, my offer to you is that we can, we can do Strict Transport Security, and that probably means that your application itself might have to set the other headers
C
If that's possible. I know sometimes people back in onto static sites, and they don't have that up, that option, but I'm just going to be very open with what are the commercial pressures that I face developing this product that he had. Unfortunately, a single contribution that I solves the problem, we have to maintain them in forever. We can't remove these features after they're added. How
C
D
C
E
D
C
C
One of the routing problems that we, we're working on at the moment is the ability to route on a header. Like some people want to route a user agent. They want to route on, like, you know, kind of A/B testing type headers, and so I would defer, I would defer any discussion of adding and removing headers until we have some idea of how we're going to, how about if extracting, and how that affects delegation.
C
B
Yeah, I think these use cases are super helpful as well. I mean, I, you know, working with Dave for the last year or so, it's taught me a lot of, like, you know, like we get requests a lot like, hey, you know, this other controller does it this way, can we just add that thing? And I think this, it's, it's helpful to chat about, like, what do you want to do with that, you know, so
B
I think the design doc would be a great start to, to discuss, like, hey, I want to do X, Y & Z, and they come up with a way to solve that, just so we don't get stuck in that we've always done it this way, so let's just add the same thing again, and then, you know, see where it fits. I think that's, there's nod use cases to do that all over the place. Yeah, I think we just chatted. Yeah, write up a doc and maybe great start, and then we can, yeah.
E
Just repeating what Steve said, having a doc to look at with use cases, other use cases you can think of, excuse me, would be fantastic, but I think one of the reasons that people like Contour is that its surface area is small and much simpler than some, same functionality, but a smaller surface area. So we try to really keep to that. So that's why we're careful about how we accept new features. They really need to fit into the shape of the rest of the system. So it's, it's not an, oh, it's
B
C
A
Awesome, well, thank you, everyone, for, for joining today. We really appreciate all the feedback that we've gotten, and we really appreciate these, these calls with you all as well. As you all know, these are every third Tuesday, so this, the next Contour community call will be on August 20th. So we'll see you all then, and we hope you all have a fabulous rest of the week. Have a good morning. You, thank you so much, bye.