From YouTube: Contour Community Meeting - April 21, 2020
Description
April 21, 2020
What have we been working on?
Fallback Certificate Design #2428
SNI for clusters #2442
Timeout settings #2225 #2247
Contour Donation to CNCF
A: Hi everyone, and welcome to this week's Contour community meeting. Today is April 21st or April 22nd, depending on where you live, and yeah. We've got a few things that we want to talk about today, so let's get to it. The link to the MV, of course, and the chat. So if you want to add something to it, please do, and I'm going to share my screen.

B: You know, an IP address tied to my specific vhosts statically, that way. So some users, so that, so that's what Contour does today. We use SNI to implement this capability. But again, some users just had some problems where they didn't, applications couldn't or wouldn't send the SNI header, and this one, this happens.

B: So the idea here is that we're going to have a new arg to Contour, as well as a configuration file. I guess I haven't decided on both or one or the other, so we scoped this a little bit, Jonas, up to the other way. I still have two parameters in the high-level design there, so there's a fallback certificate and then there's a configuration file that matches, so that will define, that will pass the secret name.

B: You've got it configured in your cluster, and then, if you scroll a little bit, then the idea is to enable a specific vhost to allow this fallback certificate, and that's done in a TLS struct, that fallback certificate enabled. So I'm still struggling a little bit. I thought I had this figured out, no, Envoy. So that there's that parameter that says fallback certificate enabled, and the idea is that we wanted to only allow specific vhosts to do this, right. So maybe he was an operator.

B: We have that point to a route, so we'd have to build a whole new set of route tables that have basically those that map to these and those that don't, because you can't have multiple filter chains that match the same thing, right. Because in this example we're going to say we're not going to match on a server SNI host, we're going to match on any request that's TLS, basically.

B: No, I mean the Contour side that drives the Envoy configuration, so when we build out the filter chain match. So we'll have to look at that, and I just wanted to solve it today in this community call, yeah, to me. It looks like we build a whole new set of routing tables, but maybe I'm overlooking, I've been looking in some place. I thought I had it today and I thought about it.

B: I was eating dinner, I was thinking about it some more, and then it didn't make sense after I thought about it earlier. So I'll look at that and see. Cool, so yeah, I've done this, James. So if you want to take a look again, anyone who has any ideas or thoughts on this, you know, please poke through it.

E: Really quickly, how do you plan to test this? So I know that some of the customers and some feedback we had, basically what they do is they put a load balancer in front of Contour and they basically use it to run two centers and health checks. It's not a scenario that we plan to support, but maybe you can see, so as a front-end load balancer, and I just don't know if Caesar supports SNI health checks, but maybe that's something you might know to test this.

E: And I wonder if it makes sense for us to also test this a little bit at scale, not huge scale, but like something reasonable on what the expectations will be for the environment, right, if people are using it for a variety of reasons, like if they're using it for health checks, you know, maybe those are semi-frequent. So that's why I'm bringing up the issue of scale.

B: Yeah, I mean, I do, I think we can. We can have this, you have integration tests and you test all those sorts of things. Have this lean on master here in 1.5, once we ship 1.4, and it will have enough time to have anyone who wants to play with it use the master tag, and then, as well as adding additional testing, if you like, before 1.5 would ship, I guess.

B: This one came up, so again it's an SNI, and I, kind of a couple days, so we used, I'm going to use SNI to do routing, and we had a user who was using an ExternalName service to send requests to a different place. So in Kubernetes you can have a Service, right, and then the request will hit a set of pods. You can also have a different Service type of ExternalName.

B: What that does is it lets you define a DNS name that tells you where the request should go, so the request isn't going to hit, or necessarily hit, a pod inside of the cluster. It's going to hit some external name, and this is kind of useful for a bunch of different reasons. But the problem is, when you did the request routing out to that external name, we were setting the wrong SNI on the requests, so when it went to go hit the second hop the request would fail.

B: So this is setting the correct hierarchy of SNI. So if you set a request header policy, which means you're going to rewrite the request header whenever you send that request out, it just lets you define what the SNI should be. So it's going to use the service first, then the route, and then the external name, if defined.

F: He was reluctant to just expose a whole bunch of knobs without talking about why each of the knobs needed to be exposed, and then so PIMs opened #2247, which was just about max connection duration. We had a bit of a back-and-forth discussion, and he has a, so PIMs, I don't think he's on the call, but the.

F: He does have a fair point that, yes, in his use case, being able to configure max connection duration is important, because you can't use an idle timeout, because there are keepalives at higher layers. This is a discussion that we've had a lot, especially for a lot of parameters in Envoy, but especially around timeouts. So what I am going to do is, I think what we're going to do here is, I wanted to have a conversation today about changing our, hey.

F: Contour defaults instead are configurable, probably by the config file, and also as HTTPProxy timeout policy fields, so that you can override the default, if that's what you want. The reason for this is just that there are a bunch of use cases that really do need it, and I think the reason that I've historically been reluctant is that the Envoy timeouts are really confusingly named. Like, the way they're named, they make a lot of sense when Envoy is running as a service mesh.

F: The reason that I think we should do that is that a large part of the utility of Contour is that we want to make it so that you don't have to understand everything about Envoy. You know, you shouldn't need to read the Envoy documentation to use Contour, and so, basically, if we use the Envoy names, then almost certainly people will have to go and read the Envoy documentation to understand what the timeouts do.

F: We should do a bunch of the timeout settings and add them as configurable defaults with overrides in, hey, in per-setting overrides in an HTTPProxy, possibly with different names and a whole bunch of documentation on the timeouts. Now the other thing that's important to say is, I don't feel that this, this doesn't change my position on other Envoy config. I don't think that we should ever allow direct Envoy configuration, because of the stated goal that I said before, of you shouldn't need to understand Envoy to use Contour, and I don't, and I.

B: I agree, having more configuration is good. I have worked in places where, you know, minutes for an application to respond was acceptable, and then other places where seconds was acceptable. You know what I mean, so what may work for one person is not going to work for somebody else. So having those knobs, I think these specific things would be useful.

F: And that's the other thing, that's the other thing that's relevant here to just mention, is that in the case of some config that, we could talk about this in a similar way to, I'm thinking about the configuration of third-party services like external auth or rate limiting. In those cases, I think that the important burden on us is that Contour accepts the configuration. Contour needs to be able to surface information about whether or not that configuration is working.

F: So you shouldn't need to have to talk to Envoy to find out if the thing that you told Contour to configure is working. Yes, so in the event that you have rate limiting, you should be able to know what the rate limiting, what rate limiting is doing on the objects that rate limiting is operating on, and in the same context, and logs, and the same for any other third-party services.

F: We do, so yeah, I just think it's important just to call that out, but yeah, I think in this case, the timeout settings, there's no way for you to surface information really about them. The behavior will be obvious from the client, yeah. And the last concern that I originally had was that we do need to just keep an eye on the number of settings that we expose. You know, PIMs has a fork of Contour.

F: It currently has 43 extra flags than Contour currently does, and Contour already has on the order of 20 to 30 flags, so you're talking almost 80 different flags that you can pass to Contour to configure things. That feels like too many flags to me, yeah. And so the thing that I'm worried about is, you know, like it's easy to add flags and it's hard to take them away, because you have to do a full deprecation cycle.

F: You need to deprecate and then give people time to move away, because if you have configured flags and they're no longer present, you'll deploy and the whole thing won't start. So that's the reason why I'm reluctant to just add lots of things, because it adds to the product support burden for us.

E: I agree with you 100%, but at the end of the day, Envoy, you know, obviously, that's a lot more things than just ingress for our scenarios, but it has those configs for a reason, right. They didn't just hide them either, so we should be judicious about what we add and what we don't. I completely agree with you, but, you know, obviously we listen to our users and make those decisions on a one-off basis as needed. Yes.

F: In terms of the timeouts, I am going to go back to PIMs on #2225 and say, okay, we're going to do more broad work here to add a bunch of timeouts, probably those four that he's got, that you can see on the screen. Those would be where I'd start, and maybe with max connection timeout, max connection duration as well. So that's five, yeah. I think those five are probably a good place to start, being able to set and see the request.

E: By the way, if you remember, we had one of the issues someone had was their connect timeout, right, that was issue 2264. If you can open that really quickly, Jonas, there was a prime example of someone that wanted something to be changed, but it wasn't really the right thing, and it turned out they had much bigger environment problems than basically changing a timeout would have fixed. So, yes.

F: Is there, is that point, but I think, yeah, I do, that's one of the things that I worry about, is that people might be building themselves footguns. They don't know about, by tuning things when they don't, like when they're not, when they haven't carefully read the Envoy documentation, and that's why it's really important for us to make sure that we document these timeouts, how they work in the Contour case, and not just in the Envoy documentation.

F: Slightly different from Envoy's internal defaults. While they said there wasn't, there's an issue on the Envoy repo that sort of says, hey, when you're using Contour, when using Envoy in a reverse proxy kind of way rather than as a mesh proxy, then there are some settings that you should do differently. We based some of the things on that issue, and then I think there's a few of them we've messed with since then, so Contour's defaults are not a hundred percent the same as Envoy's defaults.

F: Some of the timeouts have no values by default in Envoy, and we do set a value, and, conversely, some of them we don't set a value and just use the default Envoy one, yeah. So it's different on a per-timeout axis, because they all have very specific mesh meanings that don't necessarily translate to the reverse proxy meaning. So yeah, that's why we need the documentation. Does that answer your question? Yeah.

A: It does, I mean, I think if, you know, if it aligns with upstream Envoy defaults, and as you mentioned, it's with the caveat of the upstream Envoy for reverse proxy or ingress. However, the Envoy documentation states that, if that's kind of like the standard, and then, you know, any deviation from that is minimized with a strong use case to change defaults from upstream. At least that's, yes, what I've always seen as kind of a successful long-term approach. If you could, you know, align with upstream as much as possible, limit, you know, deviation.

F: That's definitely what I want to do. I mean, that's why the position up till now has been how you can't configure these, to get the defaults that we've set, which are based on our best knowledge of, you know, what's available upstream and how you should tune that for, you know, a reverse proxy context, and so those will still be the defaults. I'm not suggesting changing the defaults, I'm just saying that, hey, in the case of timeouts, I'm willing to allow people to override the defaults.

F: Yeah, but if that's all I have intended to say on this one. I've got some comments to type up on those issues, but I wanted to have talked about it in the meeting first, yeah. And then once that's done, I'll generate some, I'll get some further issues to sort of cover the work, and then we'll get them prioritized, I would say. And they're not going to make it into 1.4, because 1.4 is due out at the end of this week, but yeah.

A: So as a newbie just trying to familiarize myself with kind of the workflow, so if the community says, yeah, this is something that we need to tackle, which sounds like that's the case, then is the next step typically, you know, to create an enhancement that documents any API changes and plans for implementation?

F: Because it's a reasonably straightforward thing to describe, I'll do it in an issue. But in the case of something a bit more complicated, the usual flow that we have is that you propose it. You make a design, there's a design, there's an MD template for sort of, you contour with it. Yes, thank you, Jonas, there's a big a.

E: Have a proposal, yeah, I mean, okay, either or. I mean, there's a proposal folder, so there's a template there. You can submit a proposal and then you can sit down and discuss it. You can bring it. The general guideline is, if someone has a proposal that's something that's meaty, file it in, give people a few days to kind of digest it and add some questions, and then show up at the community meeting and you can discuss it, yeah. Perfect, and then we can figure it out from there.

F: Thanks, yeah. So in the case of these timing changes, like, it is a policy change, but it's not a big, like, actual architectural change or anything, is what it is, yeah. So yeah, in this case I'll just document it in an issue, a checklist of things that need to be done. But yeah, in the case of, for example, Steve has been doing a design proposal for how the fallback certificate works that he mentioned earlier. That's what we sort of work around.

F: Sure, okay, well, I'll just quickly run through what we've got in there so far. So far we have the TLS client authentication, so you can configure HTTPProxy objects to request validation of client certificates. This is for between the browser client and Envoy, essentially, not upstream at this one. We will learn that later, but it's not over yet, and there's a bunch of associated documentation, and there's been a lot of talk from that, and that's all been done by Tara. So we really appreciate that work from Tara.

F: Now, there's been a couple of changes to the Ingress document behavior. One of them, which Steve has made, is that the ingress class annotation previously worked in a bit of a weird way. If you specified an ingress class to Contour and basically said, please only watch this ingress class, Contour would watch that ingress class plus Ingress objects with no ingress class, which, on reflection, yeah, we all thought it was a bug.

F: So we've changed that so that now, if you're specifying an ingress class, Contour will only watch that. There are a couple of backwards-compatibility behaviors that are a little bit weird. If you don't specify an ingress class, Contour watches Ingress objects with no annotation, but also Ingress objects with an ingress class set to the string "contour"; that's for backwards compatibility reasons. But yeah, so the important part there is that, you know, if you set an ingress class, only objects with that ingress class will take effect.

F: That applies across, it's mainly for the Ingress document, but it also actually applies to the HTTPProxy document as well.

F: The other change for Ingress is that we're going to write a status load balancer addresses block to Ingress objects, which gives you the address that the Ingress object should be reachable on. This is useful for external DNS and the conformance testing, the basic conformance testing that someone did a little while ago, and I'm sure there are other ways that it's useful. It's actually an important part of the Ingress contract that we've just never fulfilled. So this is sort of an old, outstanding request that is now done.

F: James has also done a PR to tie SNI more closely to the Host header, so that you can't use Contour for domain fronting, where you supply one SNI and then supply a different Host header at the higher protocol layers, which in most cases is going to be a security problem, especially if you're doing client certificate authentication, like in the first picture. And then there's a bunch of other changes that will be detailed more in the change notes, but those are sort of the headline features.

F: Right now we're still at where we were before: the objects are supported in their current state, in that Contour will watch them and knows how to watch them. But that's all; we haven't implemented any behavior. I think the behavior of, I've been waiting for us to sort of shake out the behavior of, especially if there's some pretty fundamental things being talked about with GatewayClass and Gateway, and still like that.

F: So with you, I've been waiting for that to shake out a little bit. As soon as I feel more confident that that's a little bit more stable, then I'm going to look at implementing, you know, sort of GatewayClass defines Gateway relations, and have, you know, the Gateway across and the Gateway sort of be some of that initial way. I got it, does that make sense? Yep.

A: With that closed out, thank you all for joining today, and yeah, next week we'll have this meeting at 1:00 p.m. Eastern U.S. time. So if you want to join during that time, you are more than welcome. Otherwise, we'll see you back here in two weeks during this time. Have a fantastic, fantastic day. Thank you.