From YouTube: Contour Community Meeting - April 28, 2020
Description
April 28, 2020
What have we been working on?
New release!
https://projectcontour.io/client-cert-auth-ingress-improvements/
https://github.com/projectcontour/contour/releases/tag/v1.4.0
External Auth
https://github.com/projectcontour/contour/issues/2459
A
Hi everyone, and welcome to this week's meeting, the Contour community meeting. So happy to have you all here. Today is April 28th, or April 29th depending on where you're joining from, and yeah. First of all, we get a few things that we want to talk about, things that we're working on here, and yeah. I'll share my screen and then I'll let the team talk.
A
So the first thing, of course, is the new release. I put up the blog post here. I'm gonna share that in chat too, so you all can see it. We just sent that out. Here's the candy first, and then here's the blog post, where the major new enhancements are. Steve, you want to talk about these enhancements? Yeah.
B
I can do that. So, cool, yeah, so Contour 1.4 is out. So the big things we have are: you have this client authentication now, so you can specify a client certificate. So when a new client goes to make a request, Contour, sorry, Envoy, will validate that that's a valid thing you can do to make requests back to that vhost. So this one was driven a lot by the community.
B
So thank you to Taro for a lot of your work and help on that and driving this forward. It was, you know, one of those things that seems easy on paper, but the implementation can get tricky. Yeah, so there in the virtual host of a proxy, you can see there's this client validation struct. Now you just pass it this cert that you want to reference, and then it'll set it all up from there, which is cool. So this is only doing cert authentication.
B
The next one is, I'm happy to see that James joined, for whatever time it is with him. So we're gonna talk about, I think next, adding different authentication mechanisms for Envoy. Yeah. But this is pretty cool, so this is neat if you need to have this client auth kind of functionality for Contour. That's that one. Moving on a little bit, there's some more things with ingress that we changed, so there's some things: the ingress class that we updated. So before,
B
if you annotate an object, excuse me, with an ingress class, what would happen was Contour would match that ingress class. So you look in the cluster, and if an object matched the class that you specified, Contour would process it like it should. But what, I think, other ingress controllers do the same thing? It was...
B
It also processed any record that did not have a class defined, and this is a problem if you had multiple controllers in your cluster, so each controller would then try to, like, process the same record. And this actually came up with a user in Slack, where they were trying to do an upgrade from one version of Contour to another. So we thought, hey, why don't we just set ingress classes on them, and then, you know, let the old version have a class and the new version
B
have a different class. But if you don't specify every object, then it would process every object, I guess. So now in 1.4, if you specify a class on Contour, Contour will only process that class, so we'll only look for things in that class. So if there's no annotation or it doesn't match, then Contour won't look for it. I mean that, again, there's no... it says it applies both to ingress as well as the proxy objects. So that's kind of cool, that's clear. So it's kind of different; I think nginx will still process the old way.
B
I looked at their docs and there was a big, like, red box saying it'll still process anything that doesn't have anything. So the other thing that we're doing with ingress is the status. So there's an update now: Contour has never set the status of an ingress object. So if you expose it, let's say, as a type LoadBalancer or something, we just... over the last two years of Contour's existence, we haven't ever set that status. So now Contour will actually set the status properly from the service type that Envoy uses.
B
So Contour will look at the Envoy service, it'll introspect the address on that resource, and then it'll set that status on the ingress object. You can also specify a flag to Contour, which is that ingress status flag, and what that will do is that you specify the address that should be placed onto that resource, right. So maybe you're in AWS and you have some sort of crazy ELB name that you don't want to put on your objects.
B
So that's helpful on that. That also opens up the idea of using, like, the external DNS work now. So if you wanted to have it do some things automatically, now that that status is getting set, that integration should work now for you. And I believe I only did that for ingress objects. I think we're looking at adding that to the proxy objects as well, having the same status block, so then you can also apply external DNS to proxy or something.
B
So that's the ingress stuff. I think there was one more thing... oh, the one, I guess, the one thing we talked about was this: in 1.3 we had a flag to say use the v1beta1 ingress flag. So Kubernetes had ingress in the, what's the name, the namespace, I'm blanking on it. It's now in networking.k8s.io; extensions, I think it was in the extensions group, and they removed that. So now the object lives in the networking.k8s.io group in Kubernetes.
B
So we had a flag to let us process the old version as well as the new version, and 1.3, that got removed, because now we're far enough ahead where that flag shouldn't matter as much. So I guess we call this out because if you had that flag still referenced on a new version of Contour, Contour wouldn't start up, it would fail, because that flag doesn't exist. So just another big call-out to make sure that folks are aware of that change.
B
Absolutely, yeah. I know Peter added a few things. There's a status, or a version, in Contour that gets written, and that's on the command line as well as exposed through Prometheus metrics. You can get to the version that Contour is running through that, which is good. So you don't have to, you know, grep for the image name in your deployments anymore. That's helpful, yeah.
D
Thanks for the update, Steve. This was indeed a pretty big release for us and had significant contributions from a lot of folks, so that was awesome. It looks like this time is working fairly well; we're seeing more and more folks joining our Contour community meeting. So, you know, very glad to see more folks involved in Contour. That's awesome.
D
If you don't mind, let me put a little preface to that. So we want to make a few big bets for Contour moving forward, and these are items that basically are gonna improve Contour at large-scale enterprise deployments, as well as allow Contour to better interoperate with some of the needs of our users and customers.
D
Some of those big bets are basically gonna be things that both have been requested by the community and things that we also think are strategic moving forward. Authentication, and that's the one that James is gonna talk about, is one of those large bets. Other items in that same pocket of prioritization include rate limiting and our ability to basically provide a key piece of functionality that others have asked for, as well as things like supporting the access log service and items like that.
D
Also, another big-ticket item that we're looking forward to is this ability to almost operate Contour in a self-service capability, and we're gonna deep dive on that in a future community meeting, so stay tuned for that. So the reason why I'm saying that is, every release is going to include a whole lot of small fixes that kind of address pressing issues, but we also want to start making some big bets on items that are really important to us in making Contour better and better suited for your scenarios. James, the floor is yours.
E
First, we have some goals and non-goals. So these are things that I've extracted from talking to people and from the issues, and by comparing the feature sets of other ingress controllers and API gateways, which, you know, people could use instead of or in conjunction with Contour. So I think we need to support multiple... this is primarily, sorry, oriented around external authentication service, which is one of our goals later on. So I think we need to support multiple external authentication services. So Contour sort of has a model of...
E
You can say we assume that there's multiple teams in the same cluster, with, you know, different applications, and if we make that assumption, it follows that a different application might have a different authentication type or mechanism. So we probably need some way for different virtual hosts or different applications in a cluster to specify that they have a different kind of authentication.
E
This one, I would say, number three: external authentication servers is kind of a stretch goal that might be something that we don't deliver in the initial release. We might add it later. My thinking there is that when you're running an auth server, you don't necessarily always want to run an instance of it in the same cluster that you're providing ingress through Contour. So you might have a separate cluster where you have the authentication service, because it has, you know, particular operational needs or something.
E
We want to interoperate with existing authentication servers. You know, external authentication is a thing in the ingress world and the API gateway world today. We want to provide access to those services from Contour. We don't want to invent our own protocols. We don't want to, and we don't think we should, expect people to write authentication servers specifically for Contour. You should rather use the ones that you already have.
E
Because we're in the Envoy world, Envoy has an external auth protocol for gRPC authentication and HTTP. So if we say we're not going to attach a protocol, then clearly it probably follows that we'll use the Envoy one, in which case existing services out there support both gRPC and HTTP. So, I'd say, we should expose the ability to have both or either of those in the Contour API.
E
Number six: we always want to talk to authentication servers over TLS. Number seven, it's sort of a general principle: if we have additional configuration, and I suspect we will, then that API surface needs to look and feel similar to HTTPProxy. So we don't want to add some completely new way of referencing services, for example. Maybe we should try and reuse the service concept and API surface from HTTPProxy in this new context.
E
The final, I think, goal requirement is that applications do need to disable auth on specific paths. So if you have an application which is authenticated, then there's almost certainly some specific paths which are not going to be authenticated. You might need to serve some specific assets or a login page or some other specific pages for which you need to turn auth off. So I don't think it's sufficient for us to say you can just say "this application is authenticated"; you need to be able to say this...
D
Interesting. How do other competitors do that? For example, have you looked into, you know, how other folks do this disabling of auth for specific paths? Because one way to achieve it is to have a microservices infrastructure where there's a specific microservice serving the non-auth paths, right. That's one, yeah.
E
Yeah, so what you could do, so one way to do it, I mean, is if you're in a microservice architecture, I guess there's two ways you could do that, or at least two ways. One way is to say you have different host names, so Contour would view that as different applications, different proxy objects, and you could say, maybe, one proxy object is authed and one isn't. Another way to do it is to say that...
F
This is Venki from UDP. I have worked on Kong before and we have done similar to this. So the way they implement it is, in Kong you can have multiple paths, and then each path is attached to a plugin, so you can create an authentication plugin and then attach it to each path. So if you do not have an authentication plugin for a specific path, you're not... authentication won't kick in; it'll be, like, unprotected.
F
This is, you... I mean, there's no opt-in or opt-out or exception-based model in there, in that model. That model is, if you want to include everything, you just put a slash and then add regular expressions in the path itself. We can do that that way too, so, you know, whatever the regular expression catches, the authentication will kick in for those paths.
B
Maybe, like, maybe mixed auth models, if that's a use case for folks. Like maybe these paths use OIDC, but these use basic auth, and that's getting... I was waiting for someone to ask for that. No, I guess that's in my head, that I was thinking. We just maybe, saying: hey, there's, like, these different kind of, like, configurations. You attach this auth to these paths and this type of auth to these paths.
E
That's really tricky. I think, I think logically that makes sense. I think the implementation of that is tricky. Oh, there's a section further down where I discuss how Envoy represents external auth, and we'll see why implementing that particular semantics is gonna be tricky.
E
Sorry, James, let's go back up for a second to the non-goals; I covered that quickly. Two non-goals I don't want to do; I set a couple of lines in the sand. We shouldn't do auth in Contour itself. We want to focus on the external auth service, that's more general, I think, and let's just focus on the general case rather than devoting resources into specialized cases. We're not going to do insecure auth server attachments. Also, we will always want to configure the external servers over HTTPS, at least for v1.
E
We don't want to support this in Ingress and IngressRoute. I think we would never do it in IngressRoute; it's deprecated, no one should be using it. Ingress is kind of less clear, just for scoping. I don't want to do it in the first version, but it is a supported API and it will continue to be supported.
E
Basically, all these are HTTP filters specified as a field on the connection manager, and behind the connection manager object you can have, you know, one virtual host or many virtual hosts. It depends on how you configure Envoy. What Contour does since 1.4 is, for HTTP on port 80, Contour configures a single connection manager where all the cleartext virtual hosts are attached. So the corollary of that is that everything on that one HTTP connection manager gets the same auth server, right.
E
But since 1.4, on TLS, Contour constructs a configuration tree with an extra filter chain match on the TLS SNI name, because we started to strongly bind SNI names to virtual hosts, to virtual host routes. So we actually have an HTTP connection manager per route proxy, so per FQDN in the TLS world. So that lets each Contour application, each HTTPProxy, have its own auth server in the TLS world. So that's great, so that kind of gets better in the TLS world.
E
...information from our API that kind of removes these limitations. So the approach here would be, you have, like, a two-hop external service. So the first hop is everything goes to that one; that has some out-of-band configuration which knows how to apply auth at a finer granularity than the default Envoy external auth filter. So, makes sense?
E
Yeah, and so that filter would then... you'd have some out-of-band policy. Okay, so you can configure Envoy more at the path granularity, for example, and so that's a mechanism. So Steve talked earlier about, you know, a use case where you'd have different auth servers or different mechanisms for paths within an application, and this is a mechanism by which you could implement that.
B
Yeah, I think focusing on the use cases of what you want to do with it, versus how we can make Envoy do what we want it to do, are two different things. You know, the technical side of it we can help figure out, but more of, like, your use case to actually consume these things, and then we'll work out the details, yep, of how to make that happen. You get caught in the weeds of how Envoy works and stuff, you know, like.
E
What I would like to do is take advantage of any existing external auth or SAML service. I'm not sure if there is one out of the box that I know of that speaks SAML. I don't have one listed that speaks SAML natively, but yes, SAML, I think, should be supported. SAML should be supported, yes.
D
Folks, we're out of time. James, thank you for the discussion and the insight into the external auth. Like James mentioned, everyone, if you're interested in this, please go and add your scenarios, add your comments and feedback there. Once we design and start executing, it's always harder or a lot more costly to go change things, so putting in feedback early is exactly what we're looking for. Alright, well, everybody have a great rest of your day or week, and we'll see you in a couple of weeks.