►
From YouTube: Contour Office Hours - August 6, 2020
Description
Agenda and notes: https://github.com/projectcontour/community/wiki/Office-Hours
A
I'll
just
share
and
you
can
see
what
I'm
doing
desktop
one
go
yeah,
so
we
had
set
up
some
schedules
for
things
to
talk
about,
so
I
think
one
was
if
you
go
to
the
project
contour
site
and
go
to
community
down
here.
Is
this
contour
office
hours
link
so
probably
where
you
all
found
this
link
last
week
or
last
time
we
talked,
we
were
going
to
talk
about
some
of
these
things
and
we
didn't
quite
get
to
them.
A
We
did
a
little
bit
about
how
to
contribute,
and
this
week
we
had
blue
green
deployments
and
canary
deployments.
So
we
can
run
through
that.
If
that
sounds
interesting,
so
I
have
some
old
school
demos
that
I've
done
sort
of
forever,
but
what
I
don't
have
was
seeing
how
my
clusters
looked
locally.
So
let's
go
ahead
and
take
a
look
at
that.
So
let's
just
destroy
everything
and
we'll
start
from
there.
So
I'm
using
kind
to
make
my
fonts
a
little
bigger
for
y'all
where's.
My
thing
there.
B
A
A
A
A
There
we
go
okay,
so
I
do
have
kind.
So
I
have
kind
cluster
which
is
I
use
for
local
development,
and
I
have
a
cap
v.
So
when
I
mess
around
with
cluster
api
for
vs
here,
which
is
kind
of
cool,
that's
why
I
have
two
of
them.
So
let
go.
A
A
And
then
what
I
do
is
when
I
dev
I
can
do
kind,
create
cluster
I'll,
run
this
and
then
I'll
show
you
what
it
looks
like.
So
in
the
repo
we
actually
have
the
sample
kind.
Config.
A
It's
under
examples
kind
move
this
out
of
the
way,
and
what
this
does
is
this
when
you
develop
in
kind
this
will
map
ports
from
basically
your
host
on
port
80
into
the
container,
which
is
port,
80.
and
our
examples
here
when
we
deploy
contour,
they
deploy
envoy
as
a
daemon
set,
and
we
map
port
80
on
the
daemon
set
to
host
sports
80.
80.
A
So
then,
therefore,
when
you
have
this
mapping
here
in
kind,
basically,
local
host
port
80
will
map
to
envoy
running
in
your
cluster.
So
now
we
can
do
fancy
things
with
curling
envoy
and
testing
out
ingress
without
having
to
port
forward
into
into
the
container
or
into
the
cluster
cool.
So
here's
our
cluster
coming
up
once
we
have
that
we'll
just
go
ahead
and
contour.
A
A
So
at
this
point
I
have
a
kind
cluster.
So
if
I
go
ahead
and
get
nodes,
I
should
have
two
nodes
and
again
I
have
the
control
plane
and
I
have
a
worker
and
just
to
demonstrate
this.
If
you
do
a
docker
ps,
what
you'll
see
is.
I
have
ports,
80
mapped
to
port
80
in
the
container
again
so
localhost
80
is
now
pointing
to
envoy
and
again
envoy's
our
datapath
component.
So
all
traffic
is
going
to
route
through
that,
so
we'll
go
ahead
and
apply
contour.
A
I
always
use
examples,
just
add
a
habit,
and
this
is
going
to
deploy
the
master
branch
so
for
good
or
bad.
That's
what
this
is
going
to
do.
So
again,
what
we
created
was
a
namespace
for
contour.
Some
service
accounts
to
run
under
all
the
crds
that
we
need,
which
are
basically
the
http
proxy,
as
well
as
the
certificate
delegations
which
would
be
a
good
one.
Jonas,
to
talk
about
certificate
delegations,
that's
kind
of
cool
yep,
and
then
let
me
deploy
all
the
other
bits.
A
A
So
things
like
the
ingress
status,
information
or
status
information
on
any
http
proxy.
You
only
want
to
have
one
of
those
do
that.
So
that's
what
lead
election
does
otherwise
they're
all
active,
active
servers
for
envoy.
So
so
they
can.
You
know,
be
that
xcs
server
for
any
envoy
running
in
the
cluster
out
of
the
gate.
2
we
have
this
default
search,
end
which
generates
certificates
and
those
certs
are
used
for
communication
between
contour
and
envoy
since
they
aren't
running
in
the
same
pod.
A
We
want
to
secure
that
connection
so
that
xds
traffic
is
secured.
So
again
we
have
a
sample
here.
You
can
absolutely
swap
in
your
own
if
you'd
like,
and
only
have
one
envelope
running,
because
I
only
have
one
worker
node
again.
If
I
get
nodes
you'll
see,
I
have
just
one
and
that's
there
cool.
So
at
this
point
I
should
be
able
to
curl
at
localhost
80.
A
I'll,
get
nothing
because
there's
nothing
in
envoy,
yet
we
haven't
put
any
configuration
into
there.
Contour
doesn't
ship
with
any
listeners
by
default
until
you
deploy
a
some
resource
which
has
some
debate
on
the
past.
Should
we
do
that
or
not?
We
almost
should
have
something
there.
It's
just
to
fail
health
checks.
A
I
guess
it's
gonna
fail
as
it
is
now,
but
so,
if
I
look
at
not
that
I
was
just
going
to
port
forward
and
show
you
the
config
record
project,
contour
envoy
9001.,
so
the
admin
port
for
envoy
is
by
default
is
9001
and
that's
what
contour
will
configure
again
by
default
and
you
can
override
that
in
the
config
it's
only
running
on
localhost,
so
it's
not
exposed
to
the
to
anything
else,
other
than
port
forwarding
in
that
pod.
A
A
On
the
controversy
it's
8r
vpj,
that's
the
name
of
the
pod.
We
match
that
with
the
service
name.
Excuse
me
for
the
the
pod,
so
in
here
there
should
be
yeah
a
surface
cluster
which
we
call
project
contour,
and
then
we
have
the
service
node
and
there's
that
eight
rv
pj.
So
that's
how
you
can
map
understand
what
instance
you're
connected
to.
If
you
didn't
know
what
local
sport
porting
was
going
on
again,
so
so
the
reason
why
we
got
the
failure
there.
A
So
if
we
go
out
to
our
listeners
you'll
see,
all
we
have
is
the
stats
listener.
So
there
are
no
listeners
on
port
80
or
443
until
we
deploy
something.
So
let's
go
ahead
and
deploy
something.
So
what
I
have
is
I
have
this
demo
app
that
I
use
for
lots
of
things
and
what
this
does
is.
This
will
deploy
basically
a
sample
app
here,
which
is
this
deployment
and
then
we'll
deploy
a
proxy
to
do
some
things.
So
let's
go
ahead
and
take
out
some
of
this
stuff.
A
A
A
A
So
what
we
have
is
we
have
this
domain
name
set
up
and
it
points
back
to
localhost.
So
if
you
ever
want
to
like
demo
in
kind
or
anything
locally,
you
can
use
that
domain
name
because
envoy
wants
to
forward
l7
traffic,
which
is
using
using
domain
names
for
all
that
for
for
for
the
routing
bits.
So
you
can
use
that
if
you
like
so
we'll
demo
that
so
let's
go
ahead
and
apply
this
one
too.
So
we
will
apply
the
o2.
A
A
Think,
okay,
now
we're
valid,
and
you
can
see
here
we
have
this
local
project
contour
to
io.
So
if
I
curl
that
one
now,
what
I
should
get
is
that
app
respond,
and
this
is
a
sample
a
little
like
echo,
app,
it's
helpful
for
these
kind
of
demos
for
knowing
what
requests
you
passed
and
then
excuse
me,
the
headers.
I
guess
that
on
there.
So
if
I
pass
something
like
you
know,
steve
chris
is
wearing
a
hats.
A
You'll
see
that
it
replies
back
with
the
request.
You
sent
it
so
again,
it's
helpful
in
in
defining
or
figuring
out
where
you
are
in
the
requests,
because
you
can
define
this
message
that
gets
set
here
and
it
tells
you
the
pod
or
the
deployment
name
that
that
did
it
and
then
the
headers.
So
again,
it's
just
helpful
for
playing
on.
A
And
that
worked
too,
because
this
is
a
path
prefix
just
to
make
things
clear
so
right
now,
contour
only
handles
path
prefixes,
so
because
we
gave
this
this
service,
basically
slash
so
conditions
define
the
the
path
right.
So
I
can
have
conditions
here
and
when
you
define
the
the
prefix
you
get
this
by
default.
If
you
don't
define
it
and
because
it's
slash
it
matches
everything
right.
So
I'm
gonna
have
that
big
long,
url
it
matched
because
steve
is
that
pat
prefix
cool.
So
we
have
that
it's
not
not
terribly
exciting.
A
Let's
go
ahead
and
pass
off
some
more
things.
So
contour
has
this
idea
of
inclusion,
and
the
way
to
do
this
is
this
is
a
way
that
you
can
have
multiple
namespaces
manage
their
own
ingress
resources
without
having
to
redefine
things
over
and
over,
like
you
would
with
ingress
today
so
with
ingress.
A
Today,
you'd
have
to
define
you
know
the
domain
name
and
everything
over
and
over
in
each
namespace,
where
someone
wanted
to
handle
that
there's
also
some
some
issues
where
folks
can
kind
of
collaborate
each
other
in
terms
of
paths
and
domains
and
stuff.
So
this
theory
that
we
wrote
is
kind
of
one
way
around
getting
around
that
those
issues
with
this,
the
team
management.
So
what
you
do
is
from
the
root
you
can
delegate
or
include
different
different
proxies
into
this
this
this
proxy
here.
A
So
that's
what
I
had
commented
out
here,
so
what
this
is
going
to
do?
If
I
add
this
includes
here,
this
is
going
to
say:
hey
the
the
proxy
in
named
blog
site
and
the
name
space
marketing
is
going
to
get
slash
blog
right,
so
we're
going
to
give
them
permission
to
own
slash
blog
in
their
namespace.
Once
we've
done
this,
it's
kind
of
like
dns,
like
they
own
that
whole
path,
they
can
do
whatever
they
want
with
it.
A
Unless
something
else
comes
along
and
changes
these
set
of
conditions
and
again
this
this
is
a
set.
This
is
an
array
here,
so
you
can
have
other
things
like
headers
as
well.
You
can
pass
off
header
things
which
we
can
look
at,
and
this
us
opens
the
door
for
other
things
if
we
wanted
to
in
the
future.
A
A
Second,
it's
invalid
now
and
it's
invalid
because
we've
said
hey:
let's
go
include
this
other
http
proxy,
but
we
don't
even
have
the
market
namespace.
I
don't
believe,
let's
get
namespaces
yeah,
I
don't
have
a
marketing
namespace,
so
it
doesn't
exist.
So
it
gives
you
an
error,
so
we
go
ahead
and
create
that
so
in
here
I
have
this
marketing
thing
so
I'll
go
ahead
and
apply
that
marketing
and
we'll
go
to
o1
use
your
namespace
and
we
can
do
the
apps.
A
A
We
created
some
sample
apps
in
that
namespace,
and
we
created
this
proxy
in
here
called
blog
site,
and
what
we've
done
is
from
the
root
which
we
call
the
root
proxy,
which
is
the
one
that
has
the
domain
name
on
it
again.
We
have
that
inclusion
method
here.
So
in
here
we've
said
it's
in
here,
we've
said
again:
the
blog
site
proxy
gets
slash
blog.
A
What
you
get
is
the
blog
site
here
and
you'll
see
that
we
have
the
name
here.
It
says
the
blog
site
again,
because
we've
given
permission
to
that
now
again
in
in
our
proxy's
namespace
marketing
you'll
see
that
we
have
just
that
one
proxy
in
that
namespace.
So
the
idea
here
is
that
the
marketing
team
can
self-manage
their
own
resources
right,
because
now
we've
delegated
that
permission
off
to
them,
they
can
manage
it
themselves.
A
And
the
route
will
still
work
too,
so
let's
go
ahead
and
prove
that
so
blog
is
done
by
the
marketing
team.
If
we
hit
slash,
that's
owned
by
the
root
and
again
because
these
are
prefixes.
A
If
I
do
slash
blog
steve,
chris
you'll
see
that
the
the
blog
site
still
owns
it
because
they
have
we've
included
that
that
path
to
them,
so
they're
they're,
managing
that
whole
path,
prefix
blog
and
then,
if
we
hit
just
the
root,
we'll
get
the
root
app
here
the
default
site
or
if
we
do
stage
loca
any
other
kind
of
path
that
doesn't
match
blog,
then
the
root
is
going
to
get
it
right
cool.
So
let's
go
ahead
and
deploy
something
else.
So,
let's
see
what
we
have
in
the
marketing
space
for
pods.
A
Right
we
just
have
one:
let's
go
ahead
and
create
a
second
thing
in
there
looks
like
I
got
a
blue
green
thing
here:
let's
go
and
deploy
these
two
things,
so
I
have
a
blue
deployment
and
a
green.
A
A
A
I
guess
they're
all
valid,
which
is
great.
Let's
do
a
quick
curl
to
slash
blog.
We
should
get
blue
now,
yep
cool,
so
we
get
blue.
A
A
Cool
this
one's
using
a
little
hashicorp
pod,
which
is
kind
of
cool
works
similar
to
the
echo
server,
but
all
it
does
is
echo
out
text
you'll
see
why
it's
kind
of
nice
for
this
kind
of
demo,
so
we'll
set
this
over
here,
maybe
cool.
So
again,
that's
curling,
the
blue
site
or
the
slash
blog
every
half.
Second.
A
So
if
you
want
to
do
a
blue
green
deployment,
there's
a
couple
ways
you
can
do
this,
you
can
do
it
with
swapping
out
the
service
under
the
hood.
Let's
go
ahead
and
clean
this
up
a
little
bit
so
now
we're
pulling
to
blue
in
theory.
I
could
just
change
this
to
green
right
and
if
I
apply
this
again,
what
you'll
see
here
is,
as
this
is
curling
it's
out
of
the
way.
A
If
I
apply
this,
I
should
just
switch
over
and
then
we'll
get
the
green
site,
and
here
we
are,
it
says,
switch
to
green.
If
we
make
this
blue
again,
you
can
go
back
to
blue.
That's
one
way
to
do
it
right.
One
way
is
just
to
swap
out
the
services.
Some
teams,
like
this
some
teams,
don't
another
cool
feature
of
of
http
proxy-
is
that
you
can
actually
have
multiple
services
here.
A
This
is
something
that,
if
you
did
this
with
ingress,
say,
you'd
have
to
do
like
label
selectors
and
certain
things
label
selectors
against
services
to
kind
of
make.
This
work,
which
can
totally
can
totally
be
a
thing.
The
problem,
then
is,
is
the
weights
are
difficult
to
manage
because
you'd
have
to
manage
replicas
of
the
service.
A
So
here
what
we
can
do
is
we
can
pass
multiple
services
here
and
this
is
kind
of
getting
into
a
canary
deployment.
But
again,
if
we
want
to
look
at
a
blue
blue
green
deployment,
we
will
add
weight
here
and
I
could
say:
hey
blue
gets
100
or
100
weight
of
the
traffic
and
green
gets
zero
right.
So
if
we
apply
this
one
nothing's
going
to
change
right
because
we
essentially
have
the
same
thing-
these
weights
are
defined
based
on
your
own
arbitrary
numbers.
A
A
A
So
if
we
apply
that
one
that
will
swap
us
over
to
blue
green
again
there's
another
way,
and
the
last
thing
you
get
into
doing
is
things
like
canary
deployments,
which
you
can
kind
of
see
here.
So
again,
let's
swap
back
to
our
food
deployment.
A
A
A
A
A
Cool,
so
that's
canary.
The
last
way
I
actually
didn't
describe
actually
was,
if
you
wanted
to
swap
out
blue
green
another
way
to
do
it
would
be
to
swap
the
inclusion.
A
You
can
swap
it
here
so
say
you
have
your
marketing
marketing
name
space
as
your
production,
and
maybe
you
have
like
a
marketing
dev
or
something
as
your
dev
site.
If
you
wanted
to
swap
that
you
could
swap
out,
you
know
the
where
the
inclusion
points
to
in
your
cluster
and
that's
how
you
switch
name
spaces.
A
I've
heard
a
folks
want
to
manage
new
versions
and
whole
new
name
spaces,
so
you
could
swap
that
with
the
inclusion
model
there,
it
doesn't
have
to
be
in
the
root,
because
you
could
actually
include
the
root
here
and
you
can
include
it
yourself.
I
guess
so.
What
I
mean
by
that
is.
I
can
leave
this
inclusion
here,
but
then
in
the
marketing
spot.
A
Here
yeah,
I
could
have
an
inclusion
to
myself,
so
I
could
take
off
the
marketing
namespace.
You
know
and
call
this.
You
know
the
site
and
then
create
my
own
inclusion
within
myself
and
pass
off
things
once
I
have.
You
know
what
I've
included
in
this
case.
This
would
be
slash.
A
A
Yeah,
so
you
can
do
things
you
can
add
more
to
this
too
as
well.
So
if
you
want
to
add
more
things
like
you
know,
the
more
fancy
things
come
or
conditions,
so
you
can
add,
you
know
things
like
header
conditions
and
such
to
make
these
more
interesting,
depending
on
what
you'd
like
to
do
again,
so
you
saw
it
on
here.
I
pulled
off
some
of
these
things.
D
A
On
I
forget
this:
spacing
it's
in
okay,
so
here
we
can
do.
Is
we
could?
We
could
update
the
marketing
one
in
slash
blog
and
say
that
it
has
the
match,
so
the
conditions
of
slash
blog
as
well
as
the
user
agent
has
to
be
firefox.
A
A
A
What
I
get
is
not
what
I
thought
again
did
I
apply
that
oh
not
contains
there,
you
go
so
I
thank
myself
out
so
yeah,
so
this
one,
you
can
do
different
options
with
the
headers
right,
so
you
can
say
contains
or
do
reverse
if
it
not
contains.
So
this
is
actually
saying
the
user
agent
is
not
firefox,
so
my
user
agent
here
is
curl,
but
if
we
pop
to
open
firefox.
A
Firefox
is
right
here
and
the
user
agent
header
we
hit
the
root
one
because
that's
the
default
one
that
matched
right
because
we
didn't,
we
were
too
specific,
but
curl
works
and
chrome
should
work
as
well
I'll
do
a
new
window.
A
A
So
yeah
depends
on
again
what
you
all
need
to
do
in
your
environments
to
make
this
work.
Yeah,
that's
how
you
can
do
conditions.
This
is
kind
of
gets
kind
of
powerful.
Let
me
get
it
all
set
up.
The
only
downside
we've
seen
folks
come
up
with
is
that
you
can
only
have
one
of
these
roots,
and
something
we've
kind
of
been
talking
about
is
how
we
can
maybe
allow
this
kind
of
model,
but
allow
multiple
routes
or
allow
people
to
self-manage
their
own
resources.
Without
this,
like
you
know,
inclusion
model,
but.
D
A
This
is
just
cool,
so
this
one
is
one
that
I
wrote
I
can
share
with
you.
It's
just
a
silly
app
that
I
wrote
the
other
one
I'm
using
for
the
blue
green
deployment
is
one
from
hashicorp.
D
D
I
want
to
try
and
encourage
people
to
start
trying
to
use,
because
people
in
in
our
company
are
still
in
the
mindset
that
they
need
to
introduce
a
separate
api
gateway
to
do
things
like
you
know,
load
balancing
like
50,
50
or
60
40
type
stuff,
which
they
don't
need
to
do,
and
you
know
being
able
to
put
this
sort
of
blue
green
into
the
ingress.
Also,
it
makes
sense
yeah
so
yeah
it'd
be
interesting
to
write
this
up
internally
and
do
a
demo.
D
A
D
A
A
D
Yeah,
that's
cool,
I
mean
the
the
the
rust
one
that
I
wrote
pulls
a
little
bit
more
metadata
about
actually,
where
it's
running
as
well,
which
can
be
you
can
sort
of
show.
You
know.
What's
the
pod
name
type
thing.
A
Yeah
that'd
be
actually
cool
to
use
yeah
to
add
yeah.
We
used
to
use
the
chordy
one
for
a
lot
to
do
that,
but
it
sort
of
has
some
windows
and
iframes
and
things
that
make
it
hard
to
demo.
D
Yeah
and
then
some
some
of
the
other
ones
like
is
it
I
can't
remember
the
name
of
it
now:
q,
q,
uat
or
something
or
q
app.
I
can't
remember
it's
like
a
hello
world,
but
but
it's
enormous,
like
it
pulls
in
this
massive
dependency
tree
and
it's
like.
A
A
A
Cool,
so
I
don't
know
what
else
the
chat
about
we
can
keep
going
or
we
can.
What
did
I
have
blue,
green
and
canary,
which
I
just
did
all
that
I
guess.
B
I've
got
none.
I
just
got
off
another
call
with
a
peer
who
is
doing
spring
cloud
gateway.
That
has
some
of
those
same.
You
know
the
predicate
prefix
path,
one
of
the
other
interesting
parts.
There
is
a
rate
limiting
and,
as
I
was
watching,
I
was
like
well.
There
is
a
lot
of
overlap
here,
but
it
depends
right.
It
depends
on
how
you're
deploying
where
you
want
the
developer
to
have
control
yeah
and
all
the
other
compliance
things.
A
Yeah,
no
for
sure
yeah,
yeah
spring
cloud
gateway
is
pretty
cool.
I
have
some
friends
that
are
big
spring
spring
nerds
and
they
use
that
for
all
their
stuff,
just
because
it
fits
in
their
tool
chains
and
things.
You
know
I
used
to
be
a
net
engineer
a
while
ago
and
when
you're
on,
like
you
know,
windows
and
windows,
server
and
sql
server
and
all
those
sort
of
things
it
all
just
works
together
with
visual
studio,
and
you
know
that
whole
ecosystem
fits
which
is
nice,
so
yeah.
Now
there's
lots
of
cool
things
there.
A
We
do
have
rate
limiting
out
on
our
roadmap.
So
if
you
come
out
here
to
community,
we
probably
should
update
this
roadmap
a
little
bit,
but
some
things
that
we're
looking
at
looking
ahead
is
so
we're
gonna,
add
to
contour
but
rate
limiting
was
on
this
list
somewhere.
I
can't
find
it
now
there.
It
is
all
right
lending
support.
A
So
I
know
I'm
the
the
big
thing
we're
looking
at
doing
was
securities
adding
an
off
service
to
this,
which
is
sounds
simple
in
practice,
but
in
reality
it's
much
more
involved
with
that.
So
james
peach
has
done
a
lot
of
good
work
with
defining
some
of
the
design
around
how
off
should
work
and
the
cool
part
about
that
is
that
it
matches
a
lot
of
the
auth
design
will
map
how
we
can
do
rate
limiting
right,
so
you've
got
to
define
and
envoy
this
external
server.
A
A
So
this
there's
some
design
in
here
this
one
here,
it's
worth
a
good
read
to
figure
out
how
how
we're
looking
at
doing
and
deploying
deploying
or
implementing
these
different
services,
but
with
this
work
this
is
the
hardest
part,
is
getting
the
design
down.
Once
we
have
that
design
down,
then
we
can
kind
of
just
implement
it,
which
is
sort
of
the
easier
part.
A
But-
and
this
will
change
I'm
sure,
as
we
think
as
we
get
through
it,
it's
sort
of
like
how
you
you,
you
think
in
the
front
how
it
should
all
work,
then
you
start
doing
it
and
you
realize
reality
doesn't
match
what
you
thought
that
you
thought
it
was
so
but
right
now
this
is
what
it
is
and
it
centers
around
having
this
external
or
extension
service,
crd,
so
being
able
to
define
kind
of
what
that
grpc
service
will
look
like
and
kind
of
the
the
information
around
it,
and
you
can
use
that
to
inject
that
into
contour,
and
you
know
basically
envoy
and
then
that
sets
up
envoy
to
then
communicate
with
that
service.
A
So
we
should
have
that
soon.
I
would
think
rate
limiting
is
a
little
a
little
more
tricky
just
because
it
has
or
potentially
could
have
so
much
more
configuration
per
route
and
per
domain.
That
sort
of
thing
and
then
things
you
want
to
you-
know
rate
limit
on
so
we'll
get
there
and
that's
coming
soon.
Again,
that's
why
I
wanted
to
call
out
this
roadmap
here
that
was
off
here
and
then
we're
gonna
obviously
match
with
ingress
v1.
So
I
know
we
demo
a
lot
of
http
proxy.
A
That
sort
of
thing,
but
contour
still
supports
you,
know
v1
beta
1
ingress
today,
as
well
as
ingress
v1,
which
is
coming
and
that
just
changes
a
few
things
in
the
spec
one
is
adding
an
ingress
class
and
then
one
and
then
I
think,
a
path
type
into
there.
So
we're
going
to
do
that
stuff
as
well
yeah.
This
is
sort
of
our
finger
to
the
wind
kind
of
road
map.
What
we're
going
to
work
on,
and
also
obviously
to
the
services
api
work
is
going
to
come
into
this
play,
which
is
down
here.
A
I
think
yeah
this
one,
so
services,
api
or
service
apis.
I
keep
making
it
plural,
it's
sort
of
the
next
version
of
ingress
and
and
larger
schemes
as
services
in
general
and
kubernetes,
so
that
that
work.
I
know
that
contour
team
has
been
a
big
part
of
james
and
nick,
as
well
as
other
folks
in
the
community.
So
we'll
see
support
for
that.
As
well,
we
actually
have
support
we're
watching
the
objects
today.
If
they
exist,
we
just
haven't
done
the
implementation
bits
of
it.
Yet
so
that's
coming
out.
A
Cool
some
new
folks
enjoying
I'm
not
sure
if
you
have
any
questions
so
we're
just
talked
about
some
blue
green
deployments
and
some
carrier
deployments
and
such
they're
happy
to
take
questions.
You
know,
throw
it
in
chat
or
awesome.
F
No,
I
just
wanted
to
say
thank
you
guys
for
doing
these
things.
It's
awesome
to
you
know,
work
with
this
community.
It's
definitely
one
of
the
most
active,
vibrant
and
helpful.
So
it's
really
important
that
proxying,
you
know
works
and
that
we
can
do
what
we
need
to
do,
and
this
is
this
is
good.
So,
thanks
for
hosting
us
yeah
no
worries
hey
steve.
I
did
have
one
question
real
quick,
so
I
think
was
it.
I
was
actually
had
a
question
about.
F
I
think
I
was
asking
yesterday.
So
one
of
the
issues
we're
having
is
with,
like,
I
think
it's
x-board
http
like
https
right
so
like
if
we
have
services
on
the
back
end
that
are
running
http
and
we've
got
contour.
F
That's
managing
our
search
when,
when
they
do
like
a
redirect
right,
like
the
application,
will
tell
my
browser
to
redirect
to
http
and
then,
but
the
problem
is:
is
that
I'm
getting
some
security
errors
because
there's
like
a
protocol
mismatch
right
and
from
what
I
understand
the
proxy
protocol
there's
like
an
exported
proto
header
that
can
get
attached
to
the
request
that
the
internal
web
server
is
supposed
to
know
hey
everything
is
actually
over
https
instead
of
over
http.
F
So
I
I
don't
mean
to
be
confusing.
I
just
was
wondering
like
this
is
like
a
common
thing
that
people
face
if
that's
how
they
solve
that
or.
F
Yeah,
so
the
request
comes
in
through
we're
on
aws
the
request
comes
into
the
earliest
load
bouncer,
and
then
it
gets
routed
to
one
of
the
I'm
guessing
contour
or
envoy
deployments
in
the
damon
set,
and
then
that's
where
tls
stops
right
and
when
it
hits
that
daemon
set
the
app.
So
so
then
that
gets
forward
to
the
actual
application
itself
right
through
http
right.
So
tls
termination
is
at
the
contour
onward
level.
Right,
I'm
sorry
hold
on.
Let
me
shut
my
door
all.
A
F
Yeah,
so
ssl
termination
is
at
the
yep
at
the
envoy
flash
contour
and
I'm
not
sure
how
that
relationship
between
onboard
contour
works
exactly
okay,
it's
envoy,
that's
actually
handling,
you
know
the
the
proxy
and
then
that
gets
essentially
forwarded
via
ingress
right
into
our
kubernetes
pod.
F
F
And
the
problem
is
so:
that'll
be
https,
yep
yep,
the
other
one
will
be
http,
and
the
problem
is:
is
that
so
the
kate's
pod
thinks
it's
running
http,
so
when
it
tells
the
browser
to
do
like
a
like
a
login
like
redirect
to
a
login
page,
it's
actually
telling
the
browser
it's
sending
the
browser
like
a
302
with
the
location
of
an
http,
and
I
think
the
way
to
get
around
that
is,
there's
a
standard
exported
proto
header
for
it's
like
the
proxy
protocol
yeah
that
should
be
set
by
envoy
to
tell
our
application
the
web
server
and
the
pod
hey
we're
actually
running
https
as
an
upstream
protocol,
and
then
that
way
it
would
tell
it
would
tell
the
web
browser
to
redirect
to
an
https
site,
not
an
http,
because
right
now
we're
having
the
browser's
blocking
it
because
of
it's
saying:
oh
you've
loaded
this
from
https,
but
now
it's
requesting
http,
and
it's
essentially
blocking
that
request.
F
So
you
know
I
I
don't
know
if
this
is
like
a
common
thing,
I
would
assume
it
would
be
because
we're
using
iframes
to
embed
and
that's
where
that
security
issue.
You
know
comes
into
play
so
like
if
I
load
it
just
in
a
browser,
it's
fine,
but
if
in
the
iframe,
it's
being
blocked
because
of
this
mismatch
of
protocols,
essentially
so,
okay.
C
F
And
we
don't
have
to
answer
that
now.
I
just
yeah.
A
A
A
I
have
some
gke
cluster
here.
I
think,
which
I
think
is
stevesloco.dev.
A
A
I
should
get
that
yeah,
here's
the
exported
proto,
so
so
this
is
so.
This
is
the
same
echo
server.
We
were
looking
at
for
the
demos
before
okay,
so
so
this
is.
This
should
be
your
scenario,
so
this
this
pod
is
deployed
here
in
the
backend
and
it's
not
tls
and
we're
terming.
This
is
the
exact
same
setup
and
it
does
so
that
the
pod
will
get
the
header,
but
the
response
back
to
the
client
won't.
A
F
F
Going
to
know
to
oh
actually
set
the
redirect
to
https
sure,
and
so
one
of
my
thoughts
was
well.
You
know
how
we've
got
an
add
and
remove
as
part
of
like
the
functions
for
request
and
response.
Headers.
F
A
1.10
feature
or
something
like
that
or
1.10
or
I
don't
know
it
was
back
in
january.
I
think
it
was
so
my
thought
was
well
if
what
if
we
added
like
an
add,
remove
and
also
maybe
like
a
replace-
and
maybe
one
thing
we
could
do-
is
say,
okay
for
every
response
that
we're
you
know
forwarding
on
back
to
the
browser
for
a
location,
replace
http
with
https,
and
you
know
wondering
if,
like
maybe
there's
other
use,
cases
where,
like
a
replace
function,
may
be
useful.
F
You
know
in
the
proxy,
essentially
right
so
like
if
people
wanted
to,
like
you
know,
be
able
to
like
really.
You
know
edit
headers
that
were
forwarded
on
you
know
if,
like
if
they
yeah
and
we've
looked
at
the
code
a
little
bit.
You
know
to
kind
of
see,
and
I
didn't
see
any
sort
of
like
edit.
So
yes
yeah,
you
have
the
set
in
the
remove
yeah.
F
See
any
sort
of
edit
function
available,
so
I
it
may
not
exist,
but
I'm
not
sure
so.
A
Yeah
I
thought
set
would
would
do
that.
I
thought
set,
would
either
set
it
or
overwrite
it.
Let's
just
try
it
real
quick.
So
if
I
do
we'll
just
do
it
on
that,
the
one
I
have
here
so
if
I
edit.
A
Let's
go
in
here
and
make
this
hopefully.
A
No,
no,
this
is
total.
This
is
100.
What
this
is
for
just
to
come,
hang
out
yeah.
I
had
some
things.
We
were
talking
about
just
to
kill
time
in
case
folks.
You
know,
didn't
have
anything
to
talk
about
just
you
know,
so
we
don't
just
stare
at
each
other
blindly.
A
A
F
Yeah
I
mean
it
definitely
works.
I
mean
we're
we're
doing
some
setting
of
some
stuff.
The
reason
I
I'm
not
sure
if
a
set
would
work
is
because
we
actually
need
the
information,
because
we
don't
know
where
we
don't
know
the
full
value
right.
It
could
be
app.example.
It
could
be
app
one
dot
example
app.
C
A
Yeah,
a
lot
of
this
is
is
static
things,
it's
not
dynamic.
That's
what
folks
have
asked
for
like
lua
filters
and
such
where
you
can
actually
write
dynamic
code
which
you've
kind
of
shied
away
from
just
because
you
can
get
in
a
lot
of
trouble
quickly
with
that.
F
Yeah,
so
we're
just
kind
of
you
know
throwing
around
you
know
on
our
side
like
I
said
this
isn't
something
we
have
to
solve
now,
but
I
just
wanted
to.
Maybe
you
know
throw
it
out
there.
You
know
see
guys.
Maybe
you'd
see
like
oh
yeah,
we've
actually
solved
this
or
somebody
else
or
you're
thinking
about
it
wrong
and
there's
actually
a
protocol
for
this,
because
we
were
looking
at
the
proxy
protocol.
F
You
know
hoping
that
you
know
it
would
be,
but
you
know
my
concern
is
not
all
web
servers
are
smart
enough
right,
like
we
may
deploy
apps
where
people
have
created
their
own
kind
of
mini
web
server.
You
know
that
doesn't
handle.
C
F
Like
a
lot
of
the
standard
protocols
for,
like
you,
know,
layer,
seven
proxies
and
stuff
like
that,
so
but
anyways
yeah,
we
and
you
know
we'll
we'll
carry
on
and
you
know
in
the
slack
channel
and
and
stuff
but
just
wanted
to.
You
know.
A
Yeah
for
sure
yeah.
It
would
be
great
if
you
wouldn't
mind
if
you
could
open
an
issue
out
in
contour
on
the
site,
and
that
helps
us,
because
slack
is
great
for
that
for
this
kind
of
chatting,
but
then
I
feel
like
we
lose
track
of
it.
Yes,.
A
F
I
think
we're
I
was
gonna
do
it.
I
just
wanted
us
to
do
a
little
bit
more
investigation
on
our
side
to
make
sure
that
we're
you
know
approaching
it
correctly
before
you
know
filing
an
issue,
but
we
have
some
ideas.
We've
been
looking
at
the
source
code
for
for
contour
and
you
know
trying
to
look
at
some
standard
protocols
and
stuff
like
that,
but
anyways
yeah.
So
that's
that's.
You
know
one
of
our
one
of
our
things.
We're
working
on
so.
A
Yeah,
no
very
cool
yeah,
that's
interesting
yeah
and
that's
a
place.
We've
seen,
you
know
contour
fulfilling
those
needs
for
folks.
You
know,
like
even
with
author,
looking
to
add
not
some
sort
of
stuff
where
you
know
folks,
operators
don't
have
control
over
that
back-end
app
or
can't
force
them
into
certain.
You
know
support
certain
things
so
yeah,
you
know
this
middle
proxy
layer
has
to
do
that.
Work
for
them
to
help
help
manage
that.
So.
F
Exactly
exactly
that's
why
it's
like
so
important,
but
it's
it's
super
great.
I
mean
we've
been
absolutely
just
loving
contour.
So
far,
so
it's
been,
it's
been
wonderful,
very
cool.
Thank.
A
I
did
not
see
that
yeah,
so
if
you
go
to
the
cncf
store,
there's
contour
and
you
can
get
your
hoodie
your
face
mask
some
stickers.
Although
I
have
stickers
here,
I
meant
to
give
out
at
some
sort
of
place.
I
have
a
whole
pack
of
them,
but
we
haven't
left
anywhere
in
a
while
and
then
t-shirts.
A
A
A
Sweet
well,
that
was
fun,
yeah,
here's,
the
listeners
we
talked
about
before
so
now.
We
have
that,
since
we
created
an
object,
we
have
that
http
listener
yeah.
So
we
started
this
whole
thing.
We
were
talking
about
how
there
were
no
listeners
created
and
there's
that
listener
there.
So
I
got
created.
A
A
C
C
A
Yeah
absolutely
yeah,
so
this
is
a
good
diagram
here
to
kind
of
walk
through
the
architecture
of
contour,
so
so
contour
is
actually
doesn't
handle
any
traffic
at
all.
We
let
envoy
do
all
that
work,
but
what
contour
does
in
this
in
this
world?
Is
it's
the
configuration
server
for
envoy,
so
it's
the
xds
server
yeah,
so
contour's
job
is
to
go.
Watch
the
cluster
for
endpoints
and
services
and
secrets,
and
all
this
information
that
it
needs,
and
then
it
kind.
A
A
A
A
E
A
So
I
missed
chat
totally
yeah,
so
I
I
struggle
with
it.
I
think
one
of
the
things
that
james
did
it
was
he
wanted
to
have
like
each
test
were
to
be
self-contained
so,
like
the
test
will
contain
the
deployment
manifest
and
all
those
sort
of
things
all
in
one,
but
I
still
can't
get
my
head
wrapped
around
it
either.