From YouTube: Contour Community Meeting - May 12, 2020
Description
May 12, 2020
What have we been working on?
Status Updates
Status Design
ExternalDNS
ExternalDNS w/HTTPProxy
Fallback Cert Updates
Design Update
PR #1 Impl
Repository Updates
API
Examples
Envoy bootstrap for xDS cert rotation update
PR updated after round of reviews, added test case
Issue discussion
Contour YAML Wrangling
Kustomize Draft PR
[Venki] SNI not being passed through: https://github.com/projectcontour/contour/issues/2517
A: Hi everyone, and welcome to this episode of the Contour community meeting. Today is a twelve, twenty twenty. I'll be your host today. My name is Jonas Rossmann, and we got a bunch of people here, and we're gonna go through some status updates and then some issue discussions, mainly, as I said earlier. If you have anything to add, please do so. I'll share my screen as well, so we can go through everything.
B: So, so thanks Evan for coming. Yeah, please, please bring your ideas. Some of the stuff I just threw in there to have some updates as to kind of what we're looking at working on. You know, by no, but by no means is this like a priority or anything; I said some of this stuff was interesting. So the first thing we talked about was sort of like, I know, this can have been the last community meeting if, unless you missed it, and they've talked about some of the status design things we're updating.
B: So we added status to Ingress resources. So whenever you spin up the Envoy service type LoadBalancer, it gets an external IP address if you're in some sort of cloud environment. So we added that now to the Ingress resource. So now, when you, you know, get status of your Ingress resource, you'll see that external DNS name or entry or whatever, depending how you spin up load balancers. We're looking at adding this as well to our HTTPProxy resources, right, and then this way you can get the same information from, if using proxies.
B: Now, the, one of the big things that opens up when you have the status is now you can use the ExternalDNS project, which is a way to tie together that, that information from the server-side load balancer with your DNS provider of choice. So if you're running in AWS and using, say, Route 53, you can have it automatically tie together DNS records from, you know, public DNS records to that information now that we have from, from the service load balancer. So, and the interesting thing someone pinged me about:
B: There was an update here for, OK, so this is, yeah. This is the issue here for adding DNS support for proxy, but I didn't know it. But I should, last Friday someone pinged me and said there was actually support for IngressRoute in this ExternalDNS project, which is interesting, so it still uses the old Heptio repository and stuff, so I have a PR and it gets linked in there. Jonas, though, maybe that one, yeah, to just update deps, right.
B: This is, this doesn't add the proxy support yet, but this was just a, just a push forward of all the dep changes that we, we applied, so this just kind of brings it back to current status, and I think once we get the proxy information, we'll leave this, this implementation alone for IngressRoute, and then we'll add more for, for proxy, and then we'll have a proper, you know, ExternalDNS implementation. So just forward-looking things, if that's helpful for folks. That's all, yeah.
B: Sure, yeah, we had a little discussion last night about that, and that's just kind of how we want to do that in Contour. Just to follow up, make it a little bit, so we're trying to figure out the best spot in the Contour codebase to do that, because now we have two places where status gets updated, so yeah. So again, this was just stuff, again, I was doing stuff on here just because I thought it was interesting, just to chat about and see if that's interesting for folks, but I.
C: I'm, in the status, once that's visible, then h-2b, then ExternalDNS can be updated so that ExternalDNS can key off that value and create DNS records for you upstream, in some object, in a variety about trendiness places. Oh okay, yeah, yeah, so ExternalDNS, it just manages DNS for you, you know, in a sort of semi-magical way. So if you're already.
B: Yeah, so we've been talking about this for a few weeks now, so I have one round of changes, I think, to get the meat of the PR done, but we did some chatting about kind of how this should get implemented. There were two things that came up in terms of, not permissions, but just design-y things, right. So one of the things that we use is, when we create a TLS listener, you're able to define the minimum TLS protocol to use, right. So you can define that in two ways.
B: One is on the vhost for the, the HTTPProxy resource, and it's also a config file. You can configure it to be like a kind of a global setting to say, you know, across the whole deployment, this is the minimum TLS version you'll support. But when you're adding the fallback certificate, we're essentially creating another sort of listener, in a sense, because we have another way to accept TLS connections.
B: So there was a field there for this minimum protocol, and we were discussing where should that come from. I guess it should be specified for the fallback, a minimum, but we're gonna do it for now, for the initial release, is just have it use that global value. So if you configure a global minimum, the fallback will utilize that, that minimum protocol there, so that.
B: Yeah, and you won't be able to be a, so. This is the setting that's on, in the config file for Contour, when you'd actually deploy Contour, so it's defined once, and, and in the actual vhost you can't configure the, the value, right. That is what we're proposing right now. So you just say, I want the fallback, and then, then it'll use that configurable default as the minimum.
C: There's a quick note there, just about configurable things in general, Michael, that one of the things that I'm going to be making sure we do going forward is that, if, when we, because we're going to be adding more configurability in general, when we add more configurability, really the first place we'll do it will be in the config file, so that cluster operators can, can have the configurability.
C: If we add configurability in the downstream, in HTTPProxy, then the other thing that would, that I want to make sure we add, is a way to limit the configurability. So the example was a request timeout. When we had other request timeout, there was no way to limit the request time that you can do, and some people had problems that, you know, people who work equation, developed as immediately change.
C: They request timeouts to infinity, yeah, yeah, so yeah, so, and so the idea is that, as we're gonna clean up, I'm gonna clean up some timeout stuff in future. One of the things that we will do is put, like, probably, I mean, in a max. Anytime we add a configurable dial, there'll also be a way that the operator can set a min and a max that will be developed. Sorry, sorry to derail that conversation. We just want to make sure I've mentioned that.
B: This is actually a good point that James brought up, was some folks, so when you enable, there's an option in the vhosts to enable this fallback cert, right, so it's like fallback cert enabled, it's a true or false boolean value, but there's no way to define, like, should a user be able to enable the fallback, right. So it's, so if your users are self-managing their own route proxies, then should there be a way that they should be allowed to do this or not. So the one way we come up, came up with doing this.
B: Was, you have a feature called certificate delegation, right, and this lets you have a secret live in one namespace and you can delegate it to another namespace through Contour. So this way a user can consume that secret from a different namespace, but the secret doesn't have to actually exist there in that, in that other user's namespace, right, so you can still keep them apart. So the idea is that if you want to allow it, so this is the PR number two we're gonna do.
C: And I think the key part there, the other cape are there states or to say, is that part, as part of the documentation around installing it will say, if you just want this to be available everywhere, then you can delegate that secret to everywhere using a wildcard secret delegation, yeah, and you can lock it down. But, but you know, the idea here is that, that, that, that binding of that secret must be explicit. So if you want to allow it everywhere, then you need to specifically say you want to allow it everywhere.
B: We had a similar setting with the permitInsecure, right. So if you have a, a HTTPProxy which serves TLS and you want a route to serve a non-TLS endpoint, just plain HTTP, you can add a permitInsecure to that route and that'll let it, you know, serve on the non-TLS listener. But there's a security issue there with someone, you know, an operator may not want their users to be able to do that, so that we had a global flag.
B: That says, you know, disable permitInsecure, which I know is a great, great word for that, but essentially that just lets an operator disable that key from being used within the proxy. So this is a way to get, to implement the same kind of idea without having to have less, like, crazy global flags to enable or disable.
B: Cool, next one's not really a big one. Again, I was just looking for more content to chat about; there's lots of folks to talk, but we did some, some API updates. One was adding a dummy file to the example code, or the example file, or example directory, and this is so you could vendor out the examples YAML file, and this was for the Kustomize folks, but this might be beneficial to others as well. We saw some chatting about, to do about what to do with 1.5 and future, I know.
B: James has a PR open about Kustomize and how we can leverage that, and if folks have asked about Helm charts and that sort of thing. So I know we're not gonna have a solution to fit everyone's specific needs fully, but I guess we don't want to come up with a good way to do that, so I'm, again, this is just calling us out in case you were vendoring these. In this, this was a solution that we dumped into, that wound up in the release.
B: So you can mod that, and the other link was the link to James's Kustomize PR. So, if folks have deployment ideas or can share in that issue, the Kustomize issue, how they're doing things, or what would be helpful? That would be great for us, to have that feedback as to what people are doing out in the community.
E: I was just curious, so Michael, in about two weeks is when we're gonna ship the next release of Contour. Let you know, I'm giving you a ballpark, right. It's not an exact date, but it'd be great if your new team give this a spin, because if there's anything else you need to fix or adjust, then we have enough time to actually do it. Otherwise, we're gonna have to wait another month, right, so sure, okay, yeah, yeah, we, we tend to ship monthly. So if it doesn't.
F: About this cert rotation for xDS, so this is the change in the contour bootstrap command that makes it possible to generate the configuration for, for Envoy in order to watch the updates of the certificates, and those interviews, and I got very good comments from, from James and I fixed, after a short delay, I fixed those, those today and I pushed a new version of this PR here and unbroke the tests that I had pending, the year two to fix.
F: When, when changing the bootstrap command, so now it passes the tests. One, one thing that I was wondering, that, testing this. Of course, the unit tests will validate that the configuration files look like they are expected to look, but actually testing this would be very nice, not ideally, having it in the integration, integration test framework, so that we could really, really see that Envoy is reloading these certificates.
H: Thank you guys. So what we are trying to do is, use case, man. We have a east-west cluster, east-west traffic in two clusters. We are, we are doing a project for PCI compliance, for, in order to have, meet the compliance, some of these microservices needs to reside in its own cluster, while others are in a different cluster for isolation purposes.
H: So, while we are doing that, I was testing with the HTTP, HTTPS and WebSocket, and everything, and most of the things seems to work except for TCP, and what happens is when, when, when the app traffic moves from cluster A to cluster B, we have two gateways, one in cluster A and then it has to be, and the traffic hits, as soon as the traffic hits the first cluster's, the first gateway, it.
H: It hits the proper section in HTTPProxy. It goes, it follows the, you know, virtual host, if TCP, and no problem, but when the traffic gets forwarded to the next subsequent cluster, it loses the SNI. We had a similar issue when we tried to do that in HTTP protocol, but we had a workaround by statically adding the Host header in the request header policy. We are able to get that done, but for TCP we won't be able to do it because TCP doesn't look at the HTTP headers, so we won't look.
B: I guess host name: what's that, what's the, what's the, just the SNI, is that the same or is it different? It's the same right now! Oh my god. If you need it to be changed, we can make the changes right now. Same, okay, 'cause, so, in there, using external service, or ExternalName service from, from the edge cluster, okay, I'm sure, I think of, like.
C: The, the trick is that ExternalName services are kinda, are like a dummy record, essentially, that, that point, it's like a Kubernetes object that points to a thing that doesn't exist in the cluster, so there's not actually a service backing an ExternalName service inside the cluster. It's like a pointer out to something that's not running in the same cluster. Sure, but like, why.
C: Using that, to, using that here to say, in, in the edge cluster, so there's two clusters, doesn't it, and that one of the clusters is like an edge cluster, and then in the edge cluster, the ExternalName thing says this, this service, in the Kubernetes sense, is backed by something that exists in another cluster, and you know, you should go to this, you should go over here to get to it. It's like, it's like a sentence.
C: It's a little bit like a pointer or a redirector; that's the best way, I think, to explain it, and so because of that there's no, the, the, inside the edge cluster there is actually nothing running that, that, that you can talk to, to have it like munch, there's a knife, or, you like that, that the external service directive tells Envoy to connect to the outside of the client cluster, yeah.
C: So it sounds like it's just, it's just a redirect, isn't it, like, kind of, you know, that says, Envoy, please connect to the, this, the outside of this cluster, which may or may not be another Envoy. In this case it is, you know, to send the traffic, and the problem is that the, the, yeah, as I think you said, the SNI is not propagated when Envoy makes that extra request. The Envoy in the edge cluster makes the request, the SNI is not added.
D: What I'm worried, what I'm, what I'm thinking, though, is that in this scenario, why even use the ExternalName at all, because you're pointing at, on, another Contour ingress, which must have a URL? So why not just go from your pod using SNI directly to that point, without going through the ExternalName, but.
B: Think that the use case is that, have this external routing cluster, so all traffic hits that and decisions are made where should it go? Should I go to this cluster? There's many clusters behind it, so it's kind of like having a, a load balancer in front of the other clusters, I think, so they can switch. You know, go count gimble, if your motive Gimple, like, you know, all traffic hits a routing cluster and then traffic can then be routed to where it needs to go behind the scenes. But I see your point, yeah.
H: I don't think that is, that is a plan for us right now. Yeah, we need to have, I mean, because the edge is the controller for many things, not more, business decisions are happening. We don't, so the, the, the plan, plan, tenant clusters are not just a single entity. That'll be like a number of tenant clusters, but there's only one edge cluster, yeah.
C: Yeah, I think, I think that part is pretty clear, I think, assuming that there is a way to do the, please take that, please add this as an item, then that seems reasonable to just do it by default, and you know, if you, if you're, if you are like, if the TCP proxy, if it's being stripped by Envoy and it should not be stripped, yeah, and assuming that there is a way to do that in Envoy, then we should just do that.
B: Oh, maybe, maybe it won't do that, because, so you have, so in the edge cluster you're accepting a TCP connection, right, via SNI, alright, and then from that cluster, then it's a TCP connection to the second Contour, correct, but on the, can the outbound pass SNI again, because it's already TCP? That makes sense, right.
C: I think so. I think, could I ask you, Venki, please update the name of the issue to say, like, that it's about the SNI. Oh yeah, sure, the SNI is not, we, passed through, and sort of make, make that part sort of clear that that's the real, that's sort of the real thing, that that's the problem. I mean, okay, and because I think that's, that's the thing that you should be working on, isn't, and then after that, then, then we can try and figure out how we're gonna get, we'll get to the bottom of.
B: Was just, I added that, that was just my call to ask if folks have ideas of how they want to do their, our deployments. I'm just curious about feedback of, do you use Helm, do you use Kustomize? Do you use, you know, sed with bash, whatever, you know, that means whatever kind of tools you use, to help get feedback as to what we should have support. That's all, there's no real discussion yet, I don't think. Okay.