From YouTube: Contour Community Meeting - Jan 21, 2020
D
So in also in 1.1, we brought back a prefix rewrite support, so this was the feature of IngressRoute that we had. We did a couple rethought some redesigns around how we wanted to implement it in the spec, so that left support in the 1.0 release of Contour, but this is now back and this, along with the tool that Nick helped write, the, yeah, ir2proxy, that that gives us enough now to fully migrate away from IngressRoute.
D
So if you haven't looked at HTTPProxy yet or lifted that new spec, it's a good way to dig in now and migrate from one to the other, so super clear now, I think we're a feature, we're a feature complete of IngressRoute to proxy and this new tool now that Jonas is bringing up, will help you actually migrate. Nick, don't you want to talk a little bit about this? How this works or functions or anything yeah.
B
So it's pretty simple tool: it's just intended to run, takes one YAML at a time and one that has an IngressRoute in it and then outputs one HTTPProxy, the it can handle 80 to 90% of the standard stuff. If it can't understand what you needed to do, it'll warn you both on standard out and in a comment in the file.
B
So if you are generating all the files with some sort of batch script or something like that, then you can just output them to a directory, and you can be confident that you won't lose all those comments. One of the big ones is that for delegation, the delegation you can't that was James's idea. That's one jokes for delegation: you if you are doing converting an IngressRoute, that is not the root IngressRoute and there's only one route in there.
B
Then there's no way to determine what the prefix should be, because the previous behavior is done. I mean you scroll down a bit further joining us. Some there's a caveats thing section at the bottom yeah. So this three caveats mainly but yeah and those are all the error conditions. You might get a warning conditions you might get in your file yeah and if you come up, you can find anything else that doesn't work. Then please log an issue there and if I, don't it's a ping me twisting it's like yeah an issue.
B
Easily and have that release about only seen yeah, it's available on Homebrew for install you can just at the top of you, can see under installation there's a brew tap available, and then you can just brew, install ir2proxy an upgrade real quick. Thank you very much to go release it yeah. That is.
F
Yeah, absolutely so so what very likely we will completely deprecate IngressRoute at the next release of Contour after June 2020, so in about close to six months from now, whatever the next release of Contour will be after that that one will completely deprecated. So if folks are having IngressRoute today, start looking into HTTPProxy to convert them and know that the the window of them being supported in Contour is closing in very soon negative.
C
I just want to call that out because I in the past I'd give me some quite cavalier statements of generally first gonna get rid of it. Let's just put that down to naivety, and so the the window is the next six months, like whatever, whatever the recent release plans around the June time frame, that's that'll be the last one that supports IngressRoute, but maybe the not very subtle subtext here is really. We will move on to HTTPProxy. That's where all the action is.
F
And I guess the one holiday the one more thing to add to that is: you know we're not deprecating just because we can right, there's a very high cost of both maintenance, as well as testing and validation, to keep the older APIs around, and we think that it's a much better use of our time and effort to move forward, making forward progress into the new HTTPProxy API, which is why or giving a timeline of complete deprecation. Thank you.
C
Absolutely right and we'll be talking a little bit more about like where we're gonna be taking that bandwidth, but, like you think of things that are being deprecated is investment. Where we're going to reinvest that later, a little bit lower down the agenda. I will spend a second talking about the work that I did fall under one, which was a bunch of edge cases around TCP, proxy validation and around its interaction. There are some subtle edge cases.
C
TCP proxy mode, effectively means that HTTP port, 80 and port 443 aren't linked in the way that we might think of them when they're, both in HTTP mode and there are bunch there are a bunch of edge cases which, if you've not seen them, you don't need to worry about them, especially cuz they're, all things so that there was a bunch of things at work that I recall doing in 1.1 and he's James back on the line. He could talk about or Steve talked about. The header rewrites well.
G
Matt yeah I'm back so Steve Sloka actually implemented header rewrite for the host header. So.
G
The reason for host header rewrite specifically is for proxying to external name resources. So if you want to expose an external name, so a non a HTTP destination which is outside the cluster, you might need to rewrite the host header so that that service will accept your requests. So that was one of the initial use cases for header header, rewriting at the other use case for header rewriting was Knative support, which that we'll talk about a little later.
G
So at the moment there you can rewrite you can set headers on the incoming HTTP request. So it's probably a lot of other use cases for manipulating headers, so I think we have specific plans to implement all those yet, but you know issues we should raise issues and kind of schedule. The completion of the different kinds of header rewrite cases.
C
Cool well now comes the much more exciting bit because we have. We have people from the community who very lovely reached out and said. We would like to talk that. Can we have some time on that on the on the green eco, to talk about these things, the answer is always yes, you can so Tara. Are you on the call.
H
So yeah I think that, probably probably- or at least most of you are familiar with the problem. So it is exactly this xDS interface between Contour and Envoy which does not support currently the rotation of certificates without having a traffic impact, and there is no automation for rotation of the certificates either. So there's two two problems and.
H
What when, when I, went through and studied a little bit about the problem here, you're there, because that I could find so far, so so the certificate and key distribution, meaning how to get this updated certificates to Contour and Envoy then hot reloading how to take them into use without any traffic impact and then periodic certificate and key generation. So how to automatically rotate before they expire for the third?
H
We get a key distribution are listed here proposal, which is actually something that we've used ourselves in our environment for different purpose, so rely on automatic updating of mounted secrets when, when somebody writes a secret or updates a secret, there will be a with the kubelet will write out the files to the volume mount and, of course, this is an existing functionality. There is no impact in years of certificates and keys.
H
There is a 1 point here that update of the contents of the secret is not immediate, delay kubelet sync period, which is one minute and time to live of cache, which is also one minute generally. This should not be a problem, because, typically the validity period of old and new certificates are overlapping, so much more that it's not the time critical thing to take new certificates into use immediately.
H
So what but I fountain and I would like to to ask your opinion that in go one that Aiden later, that there is a method for dynamically, generating or or creating the economic theorist korvac structure when, when the client hello is sent by the client, so you can lazily load the certificates and keys at the time when the client connects or establish the TLS connection towards the server this. This would be a really minimum minimal chance that there is not much impact other than just moving there.
H
There is no small impact and on the overhead of the performing the TLS handshake, because the loading of the certificate and key is happening at the time of connection establishment. But since this is not high performance use case, I would assume really. This would work well with the tango and was not not being that many that and the connection establishment in that treatment.
H
Another thing that I would imagine is that lady lazily loading loading, the the files, the configuration errors are, of course, then not that easy to know this, because it does not happen at very beginning of starting the server. But of course we can then move to serve the beginning key at the very beginning in order to catch the configuration errors and then and again later overriding that sort of became a key that was loaded at the very beginning.
C
What is the Contour is not part of the data handling path. What is the, what is the alternate cost of just changing a certificate and reloading Contour yeah.
H
It's of course, okay. There shouldn't be any any kind of problem in that either and actually we used as a temporary work around ourselves. We have this kind of restart, uruk's external, restarted process that gives Contour installation and starts again, and there is no no impact, of course, in any way forwarding in traffic I was during during that year, but not what I say that this would be.
G
Terry, it's James here on the on the Contour side. Do we even need to do a lazy loading because Contour is going to validate that it receives a client certificate, that's valid according to its custom, Contour CA and it's not expired, so it doesn't control. Isn't this isn't checking for a very a specific certificate by hash or anything like that, so it seems like unless we're, unless we're planning to also rotate the CA certificate, then we shouldn't need to do any additional runtime configuration reloading, yeah.
C
I'd like to step back a little bit and talk about step away from the implementation it up and talk about the requirements, the use cases. Obviously the main one is get loose for a year, and so a year later, we're all dead someone else to take in our jobs. They get surprised this certificate expires. So the goal is treatment, frequent rotation of certificate signed by what we're going to assume for the purpose of this argument to be affixed, see I think that that.
H
There is, of course, there is CA certificates, and then there is server certificate and client certificate when it comes to the CA certificate. That is quite often I. Also added some references here too, for example, in e state they are issuing party for the 10 year CA certificate. The same same is true. If you set up a component this cluster, it kubeadm and then that we are that that wouldn't be a problem that doesn't need to be rotated.
H
As a reference in our environment, we are using much much so their certificates for all our systems accommodating in hours and and anyway, one one year or one hour. It still is something that should be done. A mechanism in order to to generate these certificates before they expire and, of course, an reloading, and then this. This is.
C
Absolutely chopped and whenever his statements that have to way handing them my my my design brain wants to split those two parts apart. So there's the reloading part which I think we're talking about now and keep generation which, let's, let's be very, very clear, the certgen we include it with Contour gets people started yeah. So it's not and it to be a full feature thing like really. If you're your environment has cares that deeply especially sounds like you rotate your keys. Very often, you've probably got your own CI in your own exact generation system, yeah.
H
And when it comes to that, from from my perspective from my interest is mostly in in these two first goals that I stood here, so it is, it is purely about the mechanism that how we deliver the updated certificate, some case that is server and client on the run anyway, and then how they take them into use without having any kind of traffic interruption. And then there is a completely separate issue: what to say how these certificates get generated. Is it? Is it the certgen or is it something completely different?
H
Honor- and that is not only the problem- that's a that is not only the the reason for this proposal for reloading and not not restarting the the like, like I, mentioned that the how how it works with this feature introduced in in the DNS taco, wonder, Dalen and forward. It seems so elegant that they can do this more easily than setting up a monitoring for five senses and then kicking off very start from that. So that is why why I proposed this for Portland OR? It is easier. It is like.
C
Yeah, so this looks like a good solution to put into words the concerns I think some people in this around this call are having is that? How do we test this? The current behavior, which is it reads the certificate on startup and never reads it again, he's very easy to know that that works. This will have a testing cost. It's unknown could be small could be big. That's why they're all sitting on the.
H
Here we then point out the certificate, files and response, and what is modest and imagined to the happen is that we will have the certificate a key files mounted in in a secret volume mount somebody comes and updates. The secret kubelet will have this sinking and details cash from occasioned delay after one or two minutes to write.
H
The new contents of the files into the file system anyway has because of these SDS file system subscription, and we has set up, inotify watches and it should get notified, and it already has the logic, as you know when, when you update, while at the xDS interface certificates in keys for for the data plane. If the authority has the capability of reloading and taking the new certificate and key into using an existing TLS context, yep that.
C
It's kind of intermediary yamo, but we need to need to admit we can change bootstrap to do that, check out all the files that will mean that bootstrap will block on secret generation. That's that'll be new, but that's probably not the worst thing in the world, and so this implementation is similar to the one that I was thinking of which again is to use SES.
B
Said so the said the flow he would be. You update the secret. The same secret is used for there's two separate secrets: one for Contour one for Envoy when you update the secrets, you're, probably going to update them about the same time. So there is a slight risk of a race condition there between Contour having its updated, and this is also why you need to order a reloading, a Contour, because if Envoy.
B
A you know: if you're, if you push that in men anytime, you push that in then like, we will happily make the bit yeah. Thank him. If you want like it, I was accepted, you know it's, then all we need to do is change. The all we being Contour need to do is change the boost. Your configuration to generate the two extra secret files to reference, those suits and and Robert issue father's brother as they say, but.
H
Yes, and of course, there is also when one thing that I I was experimenting that, if I put that there is a DFS in in the ticket how it works today that I can get this to work, for example by sharing the directory so that the TLS seek at the r-mo and validations you get. Llamo are in the same directory as the certificates and keys and inotify watch mechanism. In this response terms of richness, very, very expensive, yeah.
H
And when one one thing is like likes it today, this already birds for the English downloading and the watch mechanism will be something that currently doesn't doesn't work. So so the the bootstrap configuration could as well be changed today into this, and it would have exactly the same functionality as actually after day, but it wouldn't be able to reload.
H
Then then I had one last slide, so this is now the item number three, the periodic certificate and key generation- and here I just list some some ideas. As I mentioned in my environment, we we are not using certgen because we have we have worked and we generate our own own certificate. So so this is not my like primary interest, but but I listed here some some items that could be discussed. So, firstly, of course, there is this problem that we need to design the time to regenerate the certificates.
B
Actually think I think that's that's awesome. Work man I actually think that building that ourselves is is silly. When there's a cert-manager is a thing, cert-manager can issue self-signed certs. You know, if, if Contour and Envoy support automated rotation of the certs that are stored in secrets without us needing to do anything.
C
Yeah I think because we wanted to, we wanted to move to split deployment so Envoy and Contour's running a separate pods, so we needed to have that traffic secure as the default rather than something you opting to previous deployment models we had, and so we needed, we needed a solution that would generate generate the keys with a reasonable length so that people get going with that. I agree would think that Contour should not be getting into the certificate generation game. We should not be reimplemented involved or cert-manager, and just this this is great work.
B
In this case, having self-signed certs is actually desirable, because the if you use a publicly signed cert then because there's no, we don't verify, we only have one side verify anything about the certificate other than that it's a valid certificate. If you have user public CA, then anybody could get an a that. Anybody with a valid client certificate from any trusted root would be able to connect Envoy and pull anything out of it and say anything signed by Verisign. Can.
H
Is no author I like to look Rios a practical problem that normally TLS client and I believe anyway, will do also validation of the subject alternative name in the server certificate? It should be the DNS name, the host name of the server, so you couldn't get the publicly trusted certificate with the DNS name of Contour. Yes.
B
Do you want to scroll back to the control one, and we can talk about that again given given the context of the whole boy, 1 yeah, I, see what you're saying I like I agree that it is. It does look like a really nice solution, where you don't have to touch anything, but I think that the for this to be viable, as Dave says like there needs to be a good test plan that sort of checks that you checks. What happens in there in the happy path where everything works and also what does happen.
B
You know in the configuration error case. What happens like? How does you know just Contour just died. You know just what what's the best, what's the best way to handle that case, my opinion would probably be that if there is a configure, this Contour should die yeah, because then you'll notice that something is wrong, whereas if you don't, what will happen?
B
Is that Envoy won't be able to reach Contour if it fails reaching Contour Envoy, you can get itself into a state where it's like, hey I, can't talk to my xDS server and you it's possible, but I'm going to get itself into a stay words like I can't talk to my server to get updates. I, therefore, I can't get updates. Therefore, I need to be restarted before before I can will accept new changes.
B
That's happened to us before with half open TCP connections that have closed their connections and it's something that we really need to be really careful. Careful about is making sure that Envoy can't get itself into a state where it's given up on talking to Contour because that means that you will lose changes as they as they roll out and you'll have to kick Envoy to fix it. So that's that's. Why that's? Why I do that's?
H
Yeah I agree and, of course, I mean the same kind of errors could also happen in the case of just loading the certificate again. The initial start, of course, that the first can can can be not there or misformatted and, in that case I believe it restart. Also, it's calling that yeah various research I.
B
Guess it's more! It's more that right now we haven't said that even if I can't, if I can't get the TLS config, it'll restart so you'll notice, because Contour will crash loop. But in the case of it's just that we need to have tests to assert that you can pass. You know that the behavior will work the way we think it does it if it can't read those files for some reason, yeah.
B
That's fine, it's just work right, like you know it's just if you that means whoever works on this just need to ensure that there's good test coverage of these features, specifically because it's it's a little not risky really but risky is not the word, but like it's a little tricky to make a hundred percent sure that you've got to write a look without tests. The.
C
Okay, so wrapping up on the third on the third side, which is rotation, are the actual rotation if Achatz I'm interpreting the discussion, as that might just be wishful thinking, but to be more be more concrete, I, don't think that the goal of Contour should be to continue to invest in certgen, like it. It's done. It does as.
C
It needs to do for the use case. We imagined for more complicated use cases. The answer is not to extend it. It is to use a better tool. Well, and perhaps perhaps that means we actually just remove certgen entirely and just say we use we use cert-manager. So my experience from the past in cert-manager is not the easiest thing to install like when, when, when I wanted to do a demo, I wanted to write demo script of Contour and cert-manager. Installing Contour was line.
H
But I I mean that, from from the perspective of those users who are are using certgen, I think that it wouldn't be that big problem for those and I'm not really any kind of immediate security issue for them to not have rotation at all. It is then, of course, they're more like a production-grade environments, where you really don't think about these problems more and then you probably want to have something other than certgen in any event. Anyways.
B
No I, just when I was reading the cert-manager docs a little while ago I saw that it is possible to do self-signed cert. We would need to write them, but you know that's doable, say yeah. Basically, it would just be figuring out how to issue that, how to generate the certificate of the correct certificate object and do all the issuers and stuff that cert-manager would need to do to end up with those secrets being managed, as certificates by the manager.
F
Everybody so, as you guys are aware, we've kind of talked in the past about VMware being willing to open up Contour to to governance, so governance body, that's basically more inclusive of everyone and make it available under CNCF, in a similar way that Envoy is being governed well. That process has already taken has started.
F
We are in the middle of technical investigations by the different CNCF special interest groups that are chartered to both investigate Contour for compatibility with CNCF, its bylaws, its code of conduct, its version history, the way that you produce quality software and and all of those things that come in a in an engineering project that work is underway. Right now we had our first review last Thursday with the signal working group and the technical oversight committees already aware of Contour going for graduation.
F
It looks like, or already approved, for the sandbox stage in CNCF and right now we're basically targeting incubation. It looks like probably have more news in about a month's time. The process doesn't really have a timeline to it. I'm just giving that estimate based on my experience, working with CNCF and then we'll know we're Contour stunts, but if any of you guys are interested in learning more about the process, seeing work on Taurus or voice, your your +14 Contour graduating sorry, no graduate for Contour being done at incubation stage.
F
We will send you guys the link when Contour is up for a vote, so you can provide non-binding vote so we'll really encourage the community and the users of Contour to come and and tell their story why Contour is important to them, how you're using it and why you think it should incubate and be governed by CNCF. Now have one more request for you all and that we actually have an open issue today in Contour that asks users to tell us their use case of you know.
E
So internally, we basically have an ingress like abstraction, and we use an annotation similar to the ingress class in Kubernetes to basically distinguish which, which implementation of our network a networking, abstraction handles that, and so there's a little controller that basically bridges from that to HTTPProxies and with a couple of the features in 1.1. We now have enough to basically implement all of the semantics of the that we need in order to pass effectively all of the end-to-end tests in Knative and so yeah.
E
Your help so right now there's some preliminary docs that at some time it usually takes a day or two and to publish the actual release docs. But there are some docs pages that should be landing on Canadian shortly. They sort of take you through it. Now it uses a sort of customized install of Contour, because we actually are running two Contours, one that's exposed externally and one that's exposed internally, so that we can do plus your internal L7 stuff but I'm hoping to put together some more docs.
E
Now that it's out there to talk about how you can use it with an existing Contour install or how you might mint your existing Contour install to just use the bits that layer on top of that installation, as opposed to using what we're testing at once and I'm, going to shut up, because we're short on time also I invited that Nia can join and he did a lot of the refactoring on the Knative serving side. These are networking working group lead and so got to introduce yourself, Hey.
E
You know, keep certain integration sort of at arm's length and we run different controllers as different deployments to make it easier to exclude functionality that you don't want, and so, if you want to exclude, for instance, yes do integration, you just drop the deployment and a few other things that are labeled and you can install the you know the Contour integration, but you end up with sort of a sprawl of components that are running on your cluster and and so meet with sort of a proof of concept. We we're eight controllers in a.
E
Week, yeah, like a whole bunch of different reconciles together in two different processes. If you want a package altogether so make is basically a glorified bash script that writes the configs vendoring in the other repos and a single Go file that basically links together. All of the controllers that you know it makes them sort of curated okay- choices for you like, for instance, it uses Contour, you can't swap out Contour will always be installed.
E
You can configure it to use issue of it, that's not sort of included in the box, and so basically what it does is. It removes some of the optionality and you know it provides basically a YAML that self-contained. So you can go from just a straight Kubernetes cluster. You install the Gamal Gamal wool in Spokane native, a Contour that runs in the same namespace and and it runs a little job that basically sets up a default domain for you using x8 King.
E
Do so that it once it's done once that jobs run, you have a installation of Knative Serving that you know is you DNS that works when you deploy it? A new service and whatnot and it runs on pretty small footprints right now and I was able to get. It was stretching the limits of a single node single core GKE cluster, but it was able to basically fit you so like GKE uses, 66 percent to that core by default, and so it fits sort of on top of that.
E
And then you have a tiny bit left to run a trivial app, but so yeah. Overall, it's a pretty small footprint on small node and then it's running the Envoys and our activator component, which sits on the data path to buffer requests when we scale to zero as in humans as well as your cluster grows. You know that'll scale out nicely and hopefully keep up with traffic, but again proof of concept that wouldn't use it in production. Yet.
B
So, for my thing, I put some notes in the inner HackMD. Please read those. There is a branch proof of concept in some of the stuff. It's just about using that you can see, having control continually ingress be to things it requires some reasonably substantial changes to some of the internal Contour, which is what I wanted to talk to people about. Please comment on there's a there's, a PR with the covers.
A
Awesome, thank you, Nick and yeah again. Thank you everyone for joining today. This was a really really awesome call. Congrats again to the the Knative team for the the new release Congrats to the Contour team, for the one to one release: lots her release is happening and with that have an awesome rest every week, everyone and see you next month. Okay, thank you. I.