Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
VMware / Contour Community Meetings / 21 Jul 2020
VMware / Contour Community Meetings / 21 Jul 2020
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Contour Community Meeting - July 21, 2020

Description

July 21, 2020
What have we been working on?
[jonas] Contour now has a Passing CII Badge: https://bestpractices.coreinfrastructure.org/projects/4141
[stevek] consistent timeout syntax across HTTPProxy and config file, and internal refactoring
[slokas] go-control-plane: Tests pass!
[youngnick] Adding Conditions to HTTPProxy: https://github.com/projectcontour/contour/blob/master/design/httpproxy-status-conditions.md
[robinfoe] OIDC support for external authorization. Proof of Concept Demo!
[youngnick] Contour’s Landscape, July 2020: https://projectcontour.io/contours-landscape-jul-2020/

A

Hello and welcome everyone to another uh contour community meeting today is july, 21st, 2020 or july 22nd, depending on your time zone. I can't speak um today, yeah we're going to go through what we've been working on and if you have any questions or anything like that that you want to add to the meeting today, please do so in the hackmd and with that I'm going to share my screen, so you all can see and let's go through things, so I actually have an item today.

A

So the first item of today is that contour now has a passing cii badge. uh This is a badge that is kind of shows that a an open source project is following best practices when it comes to engineering processes and community engagement.

A

So if you click on this link, you will see exactly what we're doing within contours. You can get a lot of information on how we do things, how engineering is run, how a bunch of code, reviews and stuff like that, it's all detailed in here.

A

Of course we want to go above passing and look at future, uh future um silver, badges or maybe even gold badges, but that that comes later. But right now we're super super happy that we actually have a best practices badge here for contour, so yeah.

B

Thank you, jonas and steve for taking care of this is awesome to actually have that in the mix.

A

So yeah small small little thing that we now have in our uh in our repertoire and I think it's been added to the readme now as well um and yeah. Next up, we have steve chris.

C

Yeah, just a quick update following on the um I've, been working on adding some additional configurable timeouts to con tour that exposed some of the underlying envoy timeouts over the last couple of weeks and then going through that. I just noticed that there were a couple of inconsistencies in the the syntax that contour accepts between the config file and the http proxy crd.

C

So I've just been doing some work to kind of make the syntax across those two consistent. So it's one one kind of unified user experience for specifying timeouts um and there's a some kind of internal code cleanup to to help make that more clear throughout the code base.

C

As things are passed around uh yeah, that's pretty much it for me.

A

Awesome any questions, comments for steve.

D

um I just wanted to say nice work steve. It's really good to see that stuff, actually making a name.

C

Well, thanks yeah, it's uh it's once I got in there. I realized that there was a little bit more to it than just you know, adding a couple of toggles, but I feel good about where it's going.

A

Awesome um next up, we have steve sloka.

E

Yeah, so I've been working on swapping out our our custom, xds control plane with the envoys go control, plane, package or project. uh So it's been been an interesting struggle to get this sort up and working um the the control plane itself was easy to get running was getting all the tests behind the scenes to pass so uh this afternoon I got the model worked now.

E

Finally, so I had sort of a breakthrough as to what what was going wrong with with everything, so everything works, as is uh with some updates to how the tests are run.

E

The only thing I had to do um just you know refactoring, is how the how we assert that you know it's doing what it's supposed to do, but um this is cool because we can rip out all of our custom code now now we're going to run off the open source, the upstream control plane as well as gives us a good path to move to ads. If we want to do that, so it's good news all around that's all does that impact uh being able to go to v3 if the api.

F

As well, make it easier.

E

uh I don't know if it makes it easier or not, but um we we use the control plane anyway behind the scenes. uh But that's that's on our list here soon as well. I know some of the work that james is doing with auth, as well as the deprecation coming up here at the end of the year, um we're going to have to move the v3 here very soon.

F

Go control plane what they did was they copy. They copied the whole thing. So there's a go: control, plane, v2 package and go control, plane, v3 package for the v3 api, so um because it doesn't make it easier it I I don't know it probably doesn't make yeah, it's probably neutral or just more code code churn.

D

Yeah, I think we absolutely you know uh we absolutely will be doing the v3 thing soon. um I was hoping I was hopeful that the go control plane would help more than it than it seemed to. But the big thing that we've got to do for the v3 migration is to move um all of the stuff where we actually use the envoy protobufs. The onboard types are the v2 types to the v3 types and we use it quite extensively throughout contour. So that's the thing. That's uh that's a bit bigger! That's the bigger code.

A

Change.

A

Sorry uh any other questions comments.

A

All right.

D

Nick did you talk about this already? No, no! um So uh yeah this that's a link to uh design a design document that I um that uh I mentioned a while ago. Oh, I should oops. I should update the status um but yeah um this one has been accepted. uh So basically, this is a design doc about how I am currently adding uh conditions to http proxy and to the other uh project. Contour types, the conditions are the communities api standard way to communicate extra status information um in an extensible way.

D

So the reason we're doing this is that there's a bunch of tooling that lets you wait. um The cube, client go and cue control both have um both have a weight for condition um loop built into them. So uh with uh cube kettle, you can just be like cube kettle weight uh condition uh true, and it will wait until a condition has been true right.

F

Now.

D

um So this is to add extensibility for later. Eventually, what I would like to see us do is have some way for a particular http proxy to uh reflect the st the fact that envoy has been correctly programmed with the config from the http proxy. That's a ways away, because there's a bunch of other wiring we've got to do.

D

The first condition that we're going to put in is one called valid that just that mimics the behavior of the current current status field, um but uh has additional spaces places for information so that you can, if you've got multiple errors in your http proxy you'll, find them all at once, rather than having to do multiple passes.

D

um So this has been a bit of a journey just to figure out what everyone else is doing, what the what the state of the art is and figure out what we were going to do um so, but yeah I'm in the process of putting and pulling in some uh the actual uh cid changes now uh and then, once we've done that then I'll then I'll uh bring in the code changes to actually populate the fields correctly um yeah. So it's sort of this is all sort of very low down uh uh like design work.

D

That's gonna open up our problem space for us to be able to use more later.

D

So yeah how to have a read of that link? um That's that's design that I'm uh that I started implementing uh and uh yeah. That's that's where that's at thanks awesome.

A

Thank you nick uh any questions. Comments on this.

A

All right uh we got uh robin uh robin you're new to the community call here: do you wanna, introduce yourself.

G

uh Yeah hi, I'm I'm robin I'm part of the global design, enablement team. So basically I was actually uh asked to help on one of the project: contour, the the authentication and the authorization to the to oidc collectors.

G

So basically, I think today uh james invited me to join the meeting to actually do some showcase of or maybe a poc of what we have been doing so far.

A

Awesome, absolutely uh I've stopped sharing. So if you want to do, if you want to share your screen, go.

G

Ahead, yup sure, okay, let me start sharing.

G

Yep, I mean just a brief overview. Basically, this is what we have been doing. Basically user will call the envoy, then we actually created a new so-called external authenticator for the envoy, which is what called as a ydc. It will talk through the grpc in and instance, the the oidc connector will actually talk to the dex. uh You can install this again individually and the reason why we are using a tax is uh because we want to.

G

uh We don't want to create a multiple type of the conductors to talk to the different kind of provider, so we're thinking of using a tax as using it as a form of the identity provider, identity, federation to actually filter it all those kind of requests to a different car provider, and you return it into a single in the and you return as a jwt and pass back to the envoy services.

G

I mean: do you guys have any questions around here so far,.

G

Okay, so I there's no question I'll just go ahead and show you so basically, this is my. uh This is a call to my back-end services. It will actually pass through the android route. If you hit this you can.

G

You will see that I have already configured this actually to do the call uh to do the call back to my desk in my kubernetes cluster, so inside here inside the desk, I did configure whether you can log in as a static okay with the example. If not, you can do a git locking with the github.

G

Otherwise you can do a login with the with the ldap connectors. So let's try the ldap connectors. First.

G

If I get the password through here, you can see that you go back to my local services and you can have a look into the cookies here. You will see that inside the contour we do have a injection of the cookies and injection of the gwd in the form of the cookies.

G

So if let's say you want to log into the let's say.

G

Github.

G

You redirect you to the github login page, so if it is basically my own personal github, login I'll set up the, I did set up the oadc for this.

G

Give me a moment, I can't remember the.

G

Password.

G

Yep so basically, after the github after the github, successfully verify your user and basically route back to the desk and the dex will actually relock your request back to the android services to enter my backend services and it's the same thing. What you can see here, basically once you've got the token ready, you'll be stored as a part of the cookies in the client request.

G

So any question on here.

F

It looks really good. I'm one question I had is: does this? Does the oidc proxy that you have here in the original diagram? Is that constrained to work with dex or could it work with other oidc providers directly.

G

It can work with the other oedc provider directly. There's no issue on that, because it's still back to those oedc protocol right but again, uh currently, the one that you are seeing here is basically it's a three-legged authentication. uh That's what is the actually that we uh I'm building against I'm bringing towards uh one thing. One of the limitations that I haven't do is basically on the two lake authentication.

G

Basically, when you use a, if you look into the most of the scenario, sometimes system to system call, you may don't want, you may not want to actually show those lock-in screen at all. You just want to pass in the credentials through the cookies header, so you'll be able to get the background.

F

Thanks robin all right.

G

Okay, now stop sharing then.

D

It's really neat robin thanks. Welcome.

A

Yeah, this is great, uh thank you so much for for the demo. Any uh questions, comments for robin.

F

Thank you for getting up early, appreciate you coming down.

D

Very much so I know how that feels.

H

Yes, good job, but we have robin. Do you have any uh put up any documentation for the steps how to set up this.

G

So currently I did host this in my own github repo. Currently I'm building the readme file for that I'll share it with in the group chat a bit later. Maybe.

F

Thanks, I think it'd be also really interesting um to get people who have real applications to um give some feedback on this. I think that you know I'd like to get feedback on what part where we need um different things to be configured, so your applications need to be able to specify cookie names.

F

Do they need to be able to fish fields out of the um fish fields out of the tokens to then you know to be able to specify scopes, and I think, there's a lot of potential parameters in this area, but I'd like to get some real world use case um to support which configuration people would find useful in practice.

A

Awesome um moving along here nick uh you want to talk about contours landscape. Do you want to share your screen without the blog post and can I talk through it or you want.

D

Yeah, so we've got a little while left. Maybe I should do that. uh Sorry, let me pull up.

D

Okay- uh okay, great uh so yeah this. uh This is a blog post that I wrote recently um just to sort of um be the uh sort of official I'm you know taking over from dave as the tech lead, um we hadn't done any real communication, since that happened um so yeah.

D

uh This is an official thank you to dave for getting the project off the ground and for everything he's done, uh but yeah as part of coming on board. What I wanted to do is to write down some thoughts about uh where conquest been and where it's going um so, um but yet before we get to that, we had the uh this was.

D

This was me celebrating that we got into the this ncf at the incubating level, um yeah, which, which is a quite a it's a substantially big deal, that we were able to skip the sandbox level um and come straight in and incubating. um So thanks to everybody who has contributed to making the community um work well enough that we were able to do that, and thanks to michael for all of the hard work that he's done to actually make it happen um so yeah.

D

So in terms of the things that that I think that uh condo has been uh doing well um is that you know we've done you everybody's here, we're all here, we're you know we got in. We got accepted into incubating, there's a there's, a definite piece of software that is regularly released. That people seem to find useful. um We created a crd, we you had some people use it. We found some when we went to add some features.

D

We found a problem, so we created a new one um and we fully deprecated it and removed that the old crd now so you we definitely had velocity along the project for for the entirety of its lifetime, um but yeah and you that's yeah. This is one of the things that I think is really good about control. We have done our best to be responsive to to the needs of our users and to to meet people where they're at um and one of the things that has come out.

F

Of that.

D

Is http proxy um and the http proxy cid and it you it is built to help people solve some of the problems that you have when you're trying to use the ingress object in a more multi-tenant style environment, where it's very easy to accidentally have ingress objects, clobber each other and cause problems um now.

D

So one of the one of the other things, though, that that we've done as part of that is, we've tried really hard to you know making sure that we're not exposing too much of the fact that we're using envoy so that this is so you don't need to know everything about envoy to be able to use contour. um You know, I think, we've done pretty well at that.

D

um I think that's one of the things that we'll talk more about in a minute about the stuff we haven't done as well, but uh we've also but yeah. I think that in general, we've done a pretty good job of being able to make it so that you can pick up and use contour pretty easily without needing to know everything about envoy um and we've we've done a lot to over the course.

D

Since I've been working on contour to fix, fix uh to make to make it easier to operate, contour which I know there are people on the call who you have are definitely operating control for reals uh and uh so yeah like this is. This is what we want to do. We want to make it so contra is a a real thing that is really straightforward and you make doesn't make it hard for you to actually operate it.

D

um So, let's get on to stuff that uh I wasn't that I haven't been so happy about um when looking back. um One of the things was deprecating ingress throughout and replacing it with http proxy was made a lot of work for people. um You know, I think, we've done everything we can to make that easier by providing a tool to convert from ingress out to http proxy.

D

But ideally we wouldn't do that again, and I don't think there's any good reason now for us to do that again to deprecate http proxy um http proxy is built with um the standard api guarantees around ga. It's now a ga crd, and so we won't be removing or deprecating it. We will carry we'll carry hp proxy um for for good. um The only thing that we will do is add things to it.

D

um If we're going to make substantial changes to it, we'll start with a v2 alpha and and move towards having a v2 of the cid, but v1 will always be around um so yeah.

D

I really wanted to make that statement to make to give people confidence that we're not going to pull the fuller rug out from under you again um and yeah. So, uh although we've um you know, we've made some strides in increasing the operability of contour.

D

Historically, we've had a lot of organic growth in how contour works, uh and so you, one of the things that um I wanted to do, is I want to move from away from having a million command line flags to having a config file that where all of those options live um I over time I would like to deprecate and remove as many command line flags as possible, so that we end up with basically only the stuff that you really need for local development and that's it and everything else is configured by the config file.

D

The reason for that is that is a purely practical operability, one. If we deprecate and remove a command line flag, then people's deployments will break when you, when you upgrade your version, um you, if you have the command line flag there and contour doesn't support it anymore. Then your deployments will go down and not come up when you change the when you pull change the image version, um it's as simple as that, whereas if we have a config file and we've, you know deprecated a setting in there and then removed it.

D

Your config file will be fine. Your program will start up and but and you'll get warning and logs and stuff, but you may have a partial, a partially working solution rather than a zero working solution. So that's that's sort of the reasoning why I really want to move away from command line flags and emphasize emphasize the config file.

D

um I think, lastly, the thing that the thing that I think we haven't done so well is that um you know: we've had a we've had a pretty strong stance on simplicity. We've had a pretty strong stance that we didn't want to add features without really understanding what they were being used for and if the thing that we were adding was the best way to to use that now.

D

I think that that has has been ease and has been an advantage, but one of the things that one of the things that affected everybody adversely there was that.

D

um I think a lot of us me and certainly dave, and I um on the team, really didn't twig to the fact that um one of the things that people use a proxy like envoy, 4 and a solution and english solution like contour for, is to fix up problems with apps that you can't change.

D

You know a a proxy is a great middleware place for if something, if an app is broken in some way, and it can't be changed because it's a legacy thing or that someone's relying on the you know and that you know people can't make the change for whatever reason. Then, then, the proxy is the place where that stuff gets fixed up um in the past. I think we were like well, you know, if you're, if your app can't do the right thing, then you should fix your app.

D

um But you know that's a bit naive uh and it's a bit. You know it doesn't really uh make allowances for the real world. Where sometimes you can't do that, and so um one of the things there was the the sort of the net effect there is that you we've really wanted to make it so that um to to be more open there to talking to people about what you know, what what are you needing?

D

What are you trying to get out of adding this feature, um and you know to say to to make people feel like we're, not saying no, but we're saying like yes, but we just. We want to make sure that we build this everybody who uses contour, not just for the person who's asking for it um so and yeah.

D

You know I framed this in the good, the bad and the ugly. I think the ugliest part about what's happened. The history of contour is that you, although we've made a great product uh yeah and a great software project, the a bunch of people have felt the need that they needed to fork it and and main, and carry a fork of contour to be able to use it.

D

That to me, says that you know the people have significant use cases that we have just not met, um and you know, carrying a fork is a significant engineering effort and, if more than you know more than a few people are doing that. Then that means that we have missed something, and that's uh and this the thing that I have realized there is part of part of that is about um the fact that the proxy can be used as a fix-up point.

D

But it also means that you know we need to be more more accepting of changes that people want to make and have a better framework for people being able to make changes without us needing to ask a million questions about why they're doing it and how that and how the change should be added. And so that's one of the reasons. Another reason for why I really want to push towards a config file, because that makes it easier to add tweakable, knobs and stuff like that, without us having to have a million command line options.

D

So um the, and so before, like one of the things that we that I want to do without doing. All of this is to allow to make it so that people want to don't want to carry forks anymore for one thing, but also to make it so that it's easier to add features to contour without having to back and forth with us a lot. So some of the ways we can do, that is um the you know.

D

I need to update it but to have a philosophy document that explains what contra is about and how and how we do things and to have more standard ways to add extra configurability for people who want to add it, but the converse of that is, we don't want to add features into contour that make it harder to use one of the things that I think is great about contour. Is that the initial hey? I want to kick the tires on this thing.

D

Experience is pretty straightforward like there's not you don't need to do a lot of config just to get started and you what I want is to have to have contour be in a place where there's you know that contour is useful in all as defaults, and then there is a large, uh a large swath of connect of extra configurability that you can touch if you need to, but you shouldn't need to touch it um unless you need that extra feature or that extra you know bit of configurability or you've got some reason to um so, and so yeah one of the things one of the big things themes that when I talk to people who have been doing forks, is this issue of configurability and making it so that you can tweak more things.

D

um That's what the us, the timeouts that steve chris is working on is the sort of the first instantiation of this um putting you know having better configurability about timeouts thinking carefully about when people set timeouts.

D

um You know if sometimes sometimes, because if the cluster admin may want to limit the time out, that you can apply one of the people who made a fork said that one of the problems that they had was that we added in a request, timeout and allowed you to set an infinite request, timeout and then that immediately messed up their centralized proxy. Because all of a sudden, all these application developers were like well.

D

If I can have a infinite request, timeout I'm going to do that, and so then their connection pools for their proxies filled up and their proxies fell over because because there were too many connections, because the requests were not never timing out, and so some people need to be able to put limits on the timeouts in if they're running it as a if they're running contour as a centralized proxy. And so that's one of the things that makes this whole thing a little bit more complicated. Is that we've got two personas.

D

We've got the application developers who want to be able to create http proxies and have those things exposed in a reasonably straightforward fashion. But we've also got people who are running a centralized proxy and need to be able to put limits around what people can do and so part of what we're trying to do here is to make it so that we've got patterns for for adding these features so that we know how to do it and we're not sort of needing to spend ages going backwards and forwards on design documents.

D

Every time someone wants to add a feature.

D

Another thing we want to do is to expose. We do want to expose more on voice specific configuration, um the the uh or stuff that james is working on is a great example of that. There's. This really amazing feature being able to delegate your external auth that lots of other proxies support that envoy has native support for that. We don't support, because we don't have a way to configure it, um and so again this is a.

D

This is a case where we want to make sure that we're exposing this feature in a way that that makes it so that it's very usable for somebody who only knows contour and doesn't know everything about envoy, and we have ways for you to use the feature in simple ways. Like you know, hey, I just want to have a basic auth, username and password on my on the services behind my thing.

D

That should be easy, but we need to have the on-ramp to be able to bring that up into things like uh things like rob and demonstrator, today, being able to use oedc and dex to uh to be able to you know to plug into whatever earth we've got available.

D

Yeah yeah we're running out of time. um The you know, the other two big things here are um being able to configure third-party services, of which auth is one, but we've also got requests for logging and rate limiting and some other ones. So we definitely really want to get all that stuff in as soon as we can and we want to.

D

We want to make sure that we're heavily involved, which we are with the service apis project for kubernetes and the future of ingress, so that we can be driving that and then we want to be one of the first people to implement it, if not the first, so sorry to have talked for a long time. um If anybody wants to ask questions, um I can stay around for a bit afterwards, but yeah.

D

I just wanted to quickly run through that, so that, for those of you who haven't read it, if you want to read the exact words I've written, please do, um please feel free to hit me up on um on twitter or um or the kubernetes slack. I'm young nick there. If you have any comments.

B

And- and I know that uh some of you are wondering when our next release is coming- 1.7- uh that's uh you know in a few days, so I know if we can provide a little more clarity, maybe early next week, but uh we're working on that and uh we should be able. I know, michael you asked for that in the past, so we'll give you a little bit more clarity when we're a few days away.

A

Thank you so much for for running through that uh nick really appreciate it. uh It's a it's an important piece here and yeah, as nick said. Please reach out on slack. If you have any questions um with that, I'm gonna uh end the uh the meeting. Now uh I hope you all have a fantastic rest of the week and uh we'll see you soon have a good.

H

One everybody.