►
From YouTube: Contour Community Meeting - Sept 8, 2020
Description
September 8, 2020
News
Contour 1.8.1 was released with a performance fix for status updates
What have we been working on?
[stevesloka] go-control-plane xDS Server
InFlight PR
Config File
[stevekriss] internal/dag refactoring
Discussion
[Chad Cravens] External Auth Providers, how do they work?
https://github.com/projectcontour/contour/blob/main/design/external-authorization-design.md
https://www.envoyproxy.io/docs/envoy/v1.15.0/intro/arch_overview/security/ext_authz_filter#arch-overview-ext-authz
https://github.com/projectcontour/contour-authserver
A
B
Yeah,
so
we
released
contour
1.8.1
last
week.
I
think
we
talked
about
at
the
last
office
hours
real
quick,
but
this
is
the
just
for
future.
Folks
might
be
watching
this,
so
matt
moore
works
on
k,
native
and
as
part
of
the
k
native
deployment.
You
can
use
contour
as
the
ingress
controller
to
route
traffic
around
in
all
the
candidate
of
inner
workings.
B
So
contour
is
in
charge
of
writing
status
out
to
different
objects,
so
things
like
http
proxy
objects
as
well
as
ingress
objects,
so
it
writes
status
for
those
updating
you
know,
is
it
valid?
Is
it
invalid
all
that
sort
of
stuff?
There
was
a
an
issue,
how
we
were
doing
that
as
updates.
Basically,
the
api
server
was
rate
limiting
us,
the
updates
would
stack
and
it
caused
envoy
to
get
slow.
So
that's
in
that
was
the
reason
of
the
1.8.1
real
quick.
B
So
so,
if
you're
up,
if
you're
running
contour,
this
is
a
great
recommendation.
Now
this
only
really
affected
large
large
clusters.
I
think
the
smaller
ones
didn't
really
notice
it
as
much
just
because
the
problem
wasn't
as
apparent
but
yeah,
so
it's
cool.
So
thanks
shout
out
to
matt
for
his
work
and
nick
for
doing
the
change
really
quickly.
Last
week,.
B
Jonas,
what
we
have
now
in
the
config
file
there
there's
this
xds
server
type
option,
and
the
idea
here
is
that
contour
ships
with
its
own
built-in
xds
server
and
the
idea
was
that
we
wanted
to
have
a
way
that
you
could
switch.
This
go
control
plane
type,
but
not
actually
have
to
do
it
all
at
once
right,
so
maybe
you
weren't
ready
to
switch,
and
we
want
to
you
know
test
it
some
more!
So
now
you
can
toggle
between
the
two.
So
contour
is
the
default
one.
B
B
D
So
I'm
continuing
with
that
a
little
bit
to
continue
to
to
sort
of
improve
the
internal
interfaces
around
this
and
really
the
goal
here
is
to
make
it
easier
for
contoured
developers
in
the
future
to
add
new
code
that
that
adds
objects
to
the
dag.
So
as
we're
looking
at
implementing,
you
know
additional
apis,
so
things
like
service
apis
or
ingress
v2.
D
B
Yeah
folks
are
interested
in
that.
I
know
that
the
last
office
hours
we
went
through
a
big
walkthrough
of
how
contour
takes
data
from
kubernetes
and
then
processes
through
to
get
to
envoy.
So
that's
a
good
once
that
gets
posted
up
on
youtube.
That'll,
be
a
good
thing
to
watch
anyone's
interested
in
understanding
a
little
bit
more
about
what
steve's
working
on
so
yeah,
and
that
would
be
nice
that'd
be
nice
to
break
those
things
apart.
A
Speaking
of
the
the
office
hours,
there
were
a
lot
of
people
that
joined
in
on
thursday
last
week.
So
thank
you.
Everyone
for
for
joining
in
it
was
fun
to
see
a
full
house
and
you,
you
talked
about
a
bunch
of
different
things
in
there
and
you
covered
a
lot
of
ground
in
in
two
hours.
I
think
I
believe
it
is
on
youtube
already,
so
it
should
be
viewable
for
those
that
didn't
watch
it
if
it
isn't
it'll
be
up
later.
B
A
C
Yay,
okay,
yeah,
oh
thanks,
jonas,
and
also
real
quick
on
the
youtube.
I
do
remember
that
there
was
a
conversation
we
had,
probably
two
or
three
weeks
ago
regarding
setting
up
a
dev
environment.
So
I
I
haven't,
checked
the
youtube:
if
it's
there
or
not
yet,
but
I
just
wanted
to
also
throw
that
out
there
too,
that
I
think
that
would
probably
be
helpful.
Hopefully,
for
me.
E
C
C
That
translates
kubernetes
events
to
to
envoy
configurations
and
one
of
the
things
you
know,
obviously
like
the
purpose
of
contour
for
kubernetes
cluster
is
so
important,
right,
handling,
ingress
and
routing,
and
one
of
the
things
that
I'm
working
on
in
my
own
kind
of
cluster
is:
I
want
to
be
able
to
manage
authentication
and
authorization
for
pretty
much
everything
that
goes
into
my
cluster
right.
So
if
there's
a
route,
that's
being
directed
and
contours,
essentially
you
know
configured
that
route
yeah.
C
B
Yeah
sure
so
there's
a
couple
things
I
guess
so
a
lot
of
the
services
in
envoy
they
get
their
their
network
filters
that
you
add
onto
the
envoy
configuration
and
a
lot
of
times
they.
What
you
do
is
you
configure
some
external
service,
so
in
the
case
of
external
auth
you
would
have
stand
up
and
auth
service
and
that
service
would
talk
to
envoy
over
grpc.
B
So
one
thing
we
have
to
configure-
and
this
is
the
design
that
jonas
has
up
here-
that
james
worked
on
of
how
we're
actually
going
to
implement
this
external
auth
in
contour
but
anyway,
but
the
high
level
bit.
Is
that
what
you
first
do?
Is
you
define
this
thing
called
an
extension
service
and
what
this
is?
B
This
will
be
a
crd
which
will
define
what
that
service
looks
like
that
you're
going
to
connect
to
right
so
you're,
going
to
configure
envoy
to
say
hey
when
a
request
comes
in,
go
reach
out
to
this
external
service
over
grpc
and
ask
it
you
know
basically
thumbs
up
or
thumbs
down.
Should
this
request
be
authorized
or
not,
so
what
happens
is
envo
will
receive
the
request
once
this
is
all
configured
it'll
pass
it
off
to
that
external
service
and
that
external
service
will
do
whatever
magic
it
needs
to
do
you
know
it?
B
Could
it
could
reach
out
to
an
oidc
provider?
It
could
do
an
internal
check
of
a
database
whatever
it
needs
to
do.
It
can
do
and
then
it'll
return
a
result
back
to
envoy
and
then
we'll
respond
back
to
the
client
with
you
know,
like
you
know,
you
know:
200,
it's
okay,
keep
going
or,
or
you
know,
four
or
three
redirect
whatever
whatever
the
case
it
may
be
so
ideas
and
contours,
and
this
the
same
thing
works
for
like
the
rate
limiting
service.
B
So
I
think,
a
year
and
a
half
ago
I
wrote
a
bunch
of
rate
limiting
work
and
it
kind
of
fell
off
the
wagon,
but
we're
gonna
that
works
the
same
way
right.
So
you
stand
up
in
external
service
which
implements
how
rate
limiting
should
work,
and
then
a
request
comes
in
onward.
Asks
that
service
you
know.
Should
this
request
go
through
or
not,
and
then
that
happens
so
in
that
design
dock
that
that
we
had
there
in
the
notes
james
walks
through
a
couple
pieces.
B
B
One
is
we
have
to
bring
that
we
want
to
bring
that
service
into
the
envoy
cluster,
so
we
can
then
do
metrics
on
it
and
do
all
the
things
that
envoy
can
do
to
watch
that
service,
and
then
we
want
to
be
able
to
have
an
extension
point
to
implement
other
bits,
so
things
like
rate
limiting
and
there's
like
some
logging
things
that
we
could
do
as
well,
that
this
extension
service
can
be
reused
for
so
that's
the
high
level
bit.
If
that
makes
sense,
I
know
there's
another
link.
B
C
C
In
our
manifest
right,
like
in
in
in
some
sort
of
manifest,
we
tell
contour,
hey,
register
this
external
service
and
I
guess
we
give
it
a
service
name
and
then
contour
is
going
to
tell
envoy
hey
connect
to
this
grpc
service
as
an
external
provider
and
then
once
contour's
configured
envoy.
To
do
that,
then
contour
is
no
longer
kind
of
in
the
picture
right.
The
request
comes
into
envoy.
The
grpc
goes
to
that
external
service.
C
B
It's
definitely
in
flight
right
now,
so
so
there's
some
bits
here
so
yeah
out
here
in
contour.
There's
a
couple
pr's
that
james
has
so
the
first
one
is
implementing
the
support
for
this
external
service
through
some
of
the
internal
bits,
this
one's
just
about
ready
to
go.
So
this
one
will
allow
the
the
thing
that
steve
was
talking
about
that
that
dag
processor
bit.
B
We
need
a
way
to
include
that
those
external
services
now
into
contour
to
let
them
like
contour,
know
about
how
you
know
what
they
are,
because
right
now,
contra
just
watches
for
kubernetes
services,
and
this
new
type
is
going
to.
Let
us
watch
for
this
new
crd
type
once
that's
in.
I
believe
james
has
another
one
here,
which
adds
this
implements
the
bits
into
hdb
proxy.
C
C
B
Yeah
you're
gonna
have
to
yeah
you're
gonna
have
to
deploy
some
sort
of
service.
That's
gonna
be
that
external
bit,
so
here
out
in
project
contour.
I
think
james
has
this
auth
server
here.
So
this
is
a
generic
auth
server
that
james
wrote
that
you
could
stand
up
to
be
that
grpc
endpoint,
and
I
believe
this
was
just
for
testing.
This
is
going
to
use.
You
know
passwords.
B
B
You
stand
up
some
service
to
to
do
that
part.
So
I
guess
this
is
the
part
that
was
confusing
for
me
as
well,
but
this
design
here
this
external
opposition
support,
is
just
designing
the
plumbing
to
hook
up
contour
to
some
sort
of
authorization
server
right.
That's
all
the
plumbing
bits
to
get
everything
wired
up
to
talk
to
something
the
actual
implementation
is
still.
You
know
at
this
point
you
know
we
have
to.
You
know,
make
this
a
little
more
mature,
but
up
to
you
to
get
that
integrated
properly.
B
So
I
guess
we
got
to
figure
that
out
and
understand
from
the
community
and
you
folks
that
hey
you
know,
what
are
you
looking
to
talk
to?
Do
you
need
you
know
some
sort
of
generic
service
that
we
can
all
contribute
to,
or
is
it
specific
to
your
environment?
Or
you
know,
however,
however,
that
might
might
look
and
feel.
C
Absolutely
and
I
think,
from
our
perspective
right
we're
going
to
have
probably
several
authentication
mechanisms.
I
think
we're
going
to
have
some
kerberos
like
in
internally
we're
going
to
have
an
external
auth
provider.
Now,
from
my
understanding,
our
external
auth
provider
is
not
actually
like
oidc
like
fully
compliant.
I
think
I've
got
andrew
andrew.
Are
you
on
here,
because
andrew
did
a
lot
of
that
integration?
He
knows
kind
of.
A
C
C
So
I
so
so
I
think
the
fact
that
it's
generic
enough
steve,
like
you,
said
that
there's
like
so
many
kind
of
like
yeah,
we
don't
want
to
have
something
where
it's
like.
We've
got
to
try
to
fit
something.
That's
so
kind
of
pre-baked.
For
us,
I
think,
having
the
flexibility
is,
like
you
know,
just
point:
hey,
here's,
the
auth
provider.
It's
going
to
give
you
the
you
know.
The
results
you
need,
I
think
is,
is
great.
So
that
sounds
awesome.
Yeah.
B
Yeah
and
we've
got
a
lot
of
work
in
everyone
heard
of
gangway
this
thing
this
was
from
heptio.
This
is
the
happy
labs
thing,
but
this
was
the
idea
of
this
was
to
let
you
get
some
credentials
to
talk
to
a
kubernetes
cluster
through
oidc
or
something
so
you
would
configure
gangway
to
then
talk
to
whatever
provider
that
was,
and
then
you,
this
you'd
log
into
this
website,
and
it
would,
it
would
generate
you.
B
A
config
file
then
talk
to
a
cluster,
but
this
is
sort
of
the
same
thing
we
just
talked
about
where
there's
a
whole
bunch
of
config
files
to
do
all
the
configuration
I'm
trying
to
see
where
the
I
forget
where
it
is,
but
yeah
each
one
has
a
different
like
setup,
setup
and
stuff,
because
gaming
is
a
little
different
than
google,
which
is
a
little
different
than
azure,
which
is
a
little
different
than
even
though
there's
standards
and
air
quotes.
There's
always
these
little
itty-bitty
things
that
are
different.
B
B
I
know
james
got
blocked
up
a
little
bit
on
some
of
the
other
plumbing
bits
internally,
like
we
had
to
switch
to
some
to
do
a
single
envoy
set
of
cluster
load
assignments
for
endpoints
and
stuff,
but
now
we're
over
the
hump
for
all
those
a
lot
of
those
bits
that
we
can
now.
You
know,
move
forward
quickly
with
this
stuff.
E
Fantastic,
hey,
steve.
I
had
a
quick
question
about
about
this
as
well.
So
I
know
this
has
been
in
development
for
quite
a
while
and
about
two
weeks
ago.
I
guess
a
new
iwolf
filter
landed
in
in
the
main
branch.
So
it's
not
yet
in
a
release,
but
it's
something
that
the
folks
that
pinterest
one
of
the
guys
at
pinterest
who
left
pinterest,
but
it
was
finished
off
by
the
pinterest
folks
and
it's
a
it's.
E
A
built-in
oauth
2,
filter,
okay,
and
I
was
wondering
what
impact
that
has
and
whether
that
would
be
an
additional
functionality
to
sort
of
turn
on
that
filter
and
whether
that
would
make
sense.
So
obviously
this
can
call
out
to
an
auth
server,
but
there
may
be
an
opportunity
to
just
leverage
your
filter
directly
inside
envoy
versus
externalizing.
As
a
as
an
additive
approach.
B
Yeah,
we'll
have
to
look.
I
know
during
some
of
the
design
stuff
that
james
did.
We
looked
at
that.
I
like
the
idea
of
not
having
these
extra
bits
running
around
right,
not
having
to
deploy
this
off
bit
and
configure
it
and
have
another
thing
to
manage
and
upgrade
and
run.
You
know,
I
think,
is
great,
so
yeah.
I
personally
think
that'd
be
a
great
move
to
allow
that
so
say
you
are
just
wanting
to
do
oitc.
B
E
E
Is
brand
new,
but
you
know
we've
got
teams
that
are
currently
doing
a
bunch
of
you
know:
custom
lure,
coding
and
stuff,
and
we've
been
following
this,
our
filter
for
a
long
time
and
it
finally
landed,
and
so
the
our
internal
teams
are
pretty
excited
because
they
think
they
can
actually
just
get
rid
of
a
whole
bunch
of
additional
scaffolding
and
custom
lure
code
and
just
completely
get
rid
of
that
yeah.
It
should
be
nice.
Oh.
B
B
E
B
C
C
You
know
it's
gonna
be
a
few
months
right
before
we,
I
think,
kind
of
already
that
we've
got
you
know
something
we
can
say:
hey
guys,
we
you
know,
we
got
it
and
it's
it's
working
or
it's
not,
but
definitely
we're
going
to
be
doing
a
lot
of
you
know,
custom,
I
wouldn't
say
customization,
but
you
know
external
authentication
and
authorization.
You
know
at
essentially
every
request
level
right.
Every
request
level
on
in.
A
C
Case
essentially
needs
to
go
through
some
sort
of
authentication
authorization
and
I
think,
being
able
to
do
that
kind
of
at
the
ingress
level.
You
know
really
lets
people
know
that
yeah
we've
got
a
secure.
You
know,
we've
got
a
secure
environment
without
having
to
you
know,
try
to
manage
that
on
each
individual
deployment,
essentially
so
yeah
for
sure,
really
cool,
yeah,
okay,
yeah
and
yeah.
I
I
don't
think
once
I
start
getting
in
this
time.
I
have
more
questions,
but
thank
you.
This
is
this
is
awesome.
B
Yeah,
no
for
sure,
yeah
and
I
think
timing-wise
the
folks
are
looking
for
that.
I
know
that,
like
james
james
is
working
pretty
hard
in
this
and
it's
it's
middle
of
the
night
for
him.
So
he's
not
here
to
comment
before
he
is,
I
know
he's
got
a
couple
pr's
so
once
that
other
pr
runs
or
lands,
then
this
one
will
come
in
and
then
you
know
we
can.
We
can
probably
wire
it
all
together
being.
He
already
has
the
sample
off
server
out
here,
which
one
this
one.
B
C
Okay
cool,
then
I
might
actually
share
screen
real
quick,
if
that's
okay,
sure
and
what
so,
what
I
was
gonna
do
is.
Maybe
just
talk
really
quick,
so
I've
got
a
I've,
got
an
issue,
an
open
issue
and
there's
just
kind
of
some
interesting
updates
that
I
thought
I
might
want
to
share
and
just
kind
of
maybe
get
some
feedback
from
everybody
on
this.
So
let
me
see
so
this
kind
of
started
us
back
in
the
day.
C
C
What
you'll
see
is
you
know
over
the
browser
the
request
gets
sent
over
https.
You
know
it.
Does
the
search
manager
ssl
termination
here
then
it
goes
http
at
the
pod.
Then
the
application
is
what
sends
that
3021
redirect
with
that
location,
header
and
then
it
gets
fed
back
and
the
problem
is
we
sent
the
request
over
https,
but
the
response
came
back
to
http
right
and
then
that's
when
the
browser
goes
and
error.
C
Protocol
mismatch
right
and
what
we
would
need
for
to
happen
is
that
you
know
goes
https
http,
the
application
things
that's
running
over
http,
so
it
does
a
three
or
two
redirect
and
then
it's
actually
envoy.
That
would
be
essentially
you
know
changing
that
location.
You
know
header
from
an
http
to
an
https
right
and
then
I
kind
of
talked
about
you
know.
We've
got
these
add
these
set
and
these
remove
functions
right
in
envoy
and
then
also
in
contour
right,
where
we
can
essentially
specify.
C
But
then
I
put
here
you
know
the
problem
with
like
setting
right
so
like
if
I
were
to
try
to
do
a
set
on
like
a
per
app
basis
or
something
you
know,
then
we
have.
This
issue
happen
where
it
kind
of
like
does
a
circular
circular,
like
you
know,
redirect
redirect
every
time
and
then
you
know
so
anyways,
I
kind
of
brought.
You
know
that
up.
C
But
you
know
long
story
short,
so
I
was
doing
a
little
bit
of
research
and
then
I
noticed
that
there's
actually
an
envoy
issue
here
that
somebody
submitted
a
pr
for
right.
So
somebody
actually
just
about
the
same
time
that
I
submitted
my
issue
submitted
this
in
envoy,
and
this
is
before.
I
knew
that
really
there's
a
dependency
on
envoy
to
have
the
functionality
and
then
contour
just
does
the
configuration.
C
But
obviously
I
still
think
that
there's
something
that
we
could
talk
about
within
the
contour
in
terms
of
like
okay,
you
know
what
should
the
manifest
look
like
right
for
this
type
of
you
know
functionality
and
we're
kind
of
having
this
discussion.
I
think
now
on
the
envoy
issue
here,
where
somebody
kind
of
you
know
chimed
in
and
said
that
you
know
they
they
you
know,
look,
we've
already
got
a
set
and
remove
you
know.
Are
we
really
just
doing
the
same
thing,
but
I
don't
think
so
right.
C
I
think
that
there's
actually
a
need
for
like
a
replace
functionality,
and
this
isn't
actually
the
feature
that
I
was
looking
at.
It
would
be.
It
would
be
another
wait.
Actually
is
it
this
one
here
here
we
go
okay,
yeah
so
was
it
submitted
as
a
pr
looks
like
it
was
yeah,
so
so
this,
so
this
guy
actually
submitted
a
pr
regard
regarding
this
right
and
he
was
looking
for
the
exact
same
thing.
C
I
was
on
the
location
header,
which
is
the
exact
same
example
that
I
provided
in
my
contour
issue
here.
But
then
you
can
see
that
we
got
some
feedback
this
morning,
right
saying
that
you
know,
we've
already
got
api
fields
to
add
or
remove
response
headers.
You
know
there's
discouraging
from
introducing
a
redundant
mechanism,
but
I
feel
that
there's
actually
a
need
for
a
replace
mechanism
where
you
know
would
be.
C
C
C
B
What's
up
we
have
ad
removed
but
not
set,
I
don't
believe
yeah.
Sorry,
I
don't
think
I'm
making
any
sense.
I
need
to
check
to
see
if
how
this
replace
might
work.
Dude
I
mean
in
envoy
itself.
If
it
doesn't,
I
don't,
it
doesn't
seem
like
it
does
that
so
from
what
you
need,
we
have
to
think
about
how
else
we
might
be
able
to
do
this.
Maybe
external
auth
would
solve
you
because
you
wouldn't
have
to
have
your
back
end
app.
Do
the
auth
bit
then.
C
Yeah,
well,
this
isn't
actually
really
regarding
the
authentication
part,
but
more
just
like,
for
example,
you
know
he
has.
You
know
kind
of
some
examples
here
like
okay.
If
I
want
to
set,
you
know
like
service
name
and
then
there's
some
sort
of
like
remove
some
sort
of
internal
secret
header.
You
know
that
gets
passed
around
internally.
You'd
want
to
remove
that
before
it
kind
of
goes
outside
of
your.
C
So
that's
going
to
look
in
in
the
path
part
of
the
http
payload,
but
there's
nothing
for
like
headers
right,
and
so
I
think
this
would
actually
be
a
pretty
easy
thing
to
do
in
envoy.
I
think
it's
mainly
just
you
know
communicating
properly.
You
know
what
it
is
that
we're
doing
and
why
it's
necessary,
but
I
think
it
should
be-
and
you
know
we've
already
got
this.
You
know
this
pr
here
where
it
looks
like
they've,
they've,
already
kind
of
done.
C
Some
work
right
in
terms
of
like
you
know,
adding
the
different
parts
within
you
know
like
the
protobufs,
and
you
know
some
of
the
different
functions
and
stuff.
Now
they
call
it
location,
header
rewrite.
I
would
just
call
http
header
rewrite
right,
and
then
you
just
give
it
the
which
header
what
you're
looking
for
and
what
you
want
it
to
be
like
replaced
with
essentially-
and
so
you
know
just
my
overall
perspective,
I
think
this
should
be
actually
doable.
C
B
C
A
This
is
great,
thank
you,
so
much
chad
yeah
my
pleasure.
Thank
you.
We
are
at
time
so
with
that
we're
gonna
close
out
this
week's
meeting.
Thank
you
all
for
joining,
and
we
do
have
a
meeting
next
week
again
on
the
later
time
schedule
for
our
australia
folks,
and
we
also
have
a
a
contour
office
hours
next
week
as
well
on
thursday,
the
17th.