Where am I? That's a fair question. So my name is Romuald Vandepoel, I'm actually a French speaker. You can call me Rom, I think it's going to be easier for everyone. I'm currently working at a company called Ondat that specializes in persistent storage on Kubernetes. I'm working as a principal architect, and I have the chance to meet a lot of good customers that are starting, or are really in the middle of, their journey with Kubernetes.

Prior to this, I've been working at Red Hat and at NetApp, getting good experience around open source, automation, OpenShift and obviously storage. You can reach me at rom@ondat.io if you wish to. So you would ask, actually, why secrets with Kubernetes? And that's actually another fair question.
One of the main topics that we always have when we discuss with customers, whether currently at Ondat or before at Red Hat, was around security, and some topics like this are really, really difficult to discuss and reach a consensus on. One of them is quite interesting because it's part of security, but it's one of these specific topics: it's all about secrets, and for some reason secrets are often forgotten.

So what I mean by that is that you will have a lot of work around security for storage and networking to make sure that your solution, your Kubernetes platform and the solutions running on Kubernetes, is definitely in a good place in terms of security, and you are not exposing an environment in a very dangerous way.

But actually the part about secrets is something that comes later on, most likely when you start deploying in production, or maybe actually in acceptance, when you start needing to look into credentials for databases in a secure way, or any other type of tokens, whereas when you're in development or testing you might just use some environment variables and not really care about it.
So obviously a secret needs to stay secret. You should not tell your secret to anyone; otherwise it's news, it's not a secret anymore. By nature Kubernetes gives you a way to deal with secrets, but the reality is that it's not really secure. It's just all the, I would say, primitives and the framework to help you deal with secrets, but your secret will be encoded in base64 and then, well.

You will encode your secret in base64 and then you will store it in the Kubernetes etcd, and that's the moment where it's not a secret anymore. It's ready to be news, actually, because it's accessible by anyone who has access to your cluster. So just to give a bit of an example of what is actually stored there: you could have credentials for a database or an S3.

It could be API tokens, it could also be configuration files and certificates, well, SSL/TLS certificates, and a whole set of other things that can come along. So there are a lot of different things that can be there and that are really carrying sensitive information.
So we assume that, for this webinar, you have a bit of an understanding of how Kubernetes works and the different types of objects. So let's not lose too much time on defining those elements, but I will try to do my best to have a common language for this. So let's say that you want to store your DB credentials. The way you don't want to do it is basically, as I was mentioning before, to use the standard etcd, with or without at-rest encryption.

It doesn't change anything. And then there's also, I've seen some images that are flying around on Docker Hub, and I can tell you there's a good amount of them where the image was built with some credentials in it to have access to services, and it could be a DB, it could be mail servers or network configuration for switches and stuff, and it's kind of scary.

Another way would also be to use a ConfigMap, or any kind of different configuration file that you would mount from a storage perspective into your pod, which is still the same. It's really bad practice. And yeah, so coming back to etcd itself, there's a couple of solutions that allow you to try to fix this, and we will look into this. But it's not really helpful. So let's not do any of these solutions here.
So after this you have a couple of things that you can imagine doing, and those are the good things, and all those elements here have an open source offering; most likely they might also have a commercial offering.

If you want to go enterprise and make sure that you have support, like with HashiCorp Vault, you definitely have an enterprise version that helps you make sure that when you have any issues with your Vault, you have someone that can help you. But let's have a look at it. So if you want to use one of those solutions called KMS, key management service, you have a good amount of different options.

You have HashiCorp Vault, you have CyberArk Conjur, [inaudible], and then you have some more exotic solutions, like Sealed Secrets and External Secrets, and we'll look into this. So just to wrap up everything, we will discuss here and kind of give a good understanding of where we are with this.
If you don't have any solution to protect your etcd, because by default it is not protected, you will basically have the ability to read what is available in the key-value store, or in the data store of etcd, and it's there. So I will show you afterwards, in a demo, that it's quite easy to get all the info there.

So if you don't have any of the solutions we discussed before, the red zone, there is definitely etcd; that's not the way or the place you want to store your secrets. After that, you have some kind of interesting installations where you would have at-rest encryption of your etcd, so basically what it means is that you will have a solution that encrypts the actual data store, so that you're making sure that everything there is safe and secure.

Well, it's a partial solution, because actually you can still have access with some trickery, and it's proven that it's a good first step, but it's not the best way to do it.

Then we have interesting projects, and that's what I was mentioning before, like Sealed Secrets.
Although there's some usage of the API manager, it's still a bit different in the way it's working. What it does is that you will need to have Git somehow, somewhere in your environment, and you will have to deploy a controller on your Kubernetes, and the controller basically will act as a solution to encrypt, to seal, your secrets.

The way it works is that it is a key pair approach, where you have a public key and a private key, and using those two elements you will be able to encrypt your secrets, seal your secrets, and store your secrets in Git. And when you need to have access to your secrets, via the creation of the SealedSecret CRD, you will be able to actually decrypt your secret and have access to that secret for your application.

It's quite complicated, right? It is, and one other thing that is quite complicated is to make sure that, from a usage perspective, you have a good understanding of what you're doing and you don't introduce human error into it. And the reason why I'm saying this is because, during the implementation of the solution, we have seen many, many, many situations where, when people were committing their secrets into Git, they were committing both the Secret YAML and the SealedSecret, the whole lot.

So in this case you've just recorded your secret in Git, and Git is a revision solution, so it means that it's going to be there forever.

You will need to get rid of the branch, or maybe even master if you have already committed to master, to make sure that you don't have access to that file anymore, so that's quite a dangerous thing, although it's an interesting one. It only works if you are using a pipeline, so make sure that you don't have that error-prone situation. So: good, but kind of complex.
Then you have the, I would say, the kind of solution based on KMS, the key management service, which is perfect when it comes to applications. The reason why I'm saying this is because it's a bit like a new installation too: it doesn't look into leveraging the Kubernetes API, it doesn't look into etcd.

It has its own engine where you can store different secrets and different types of secrets. You can have key-value stores, you can have tokens, you can have typical credentials; yeah, in that case it would be more like a key-value store, but you have multiple different engines.

[Inaudible], for example, would be one also, so you can create, based on this, different types of authentication. The way it works is that when your application wants to have access to the secrets in the vault, you would have something like a sidecar. So it's like a tiny container that will live with your application, that is trusted by the actual KMS, and that's the only entity, with your application, that will be able to fetch the secret and feed that secret to the application.

That's the only way to do it from that standpoint; obviously there are other approaches, but that's the best way to do it. A good example for this is the Vault Agent for HashiCorp Vault, and it works like this. So the engine is going to be the sidecar.

It will live in the sidecar, connect to the HashiCorp Vault, retrieve the secret for the application and feed the secret to the application, to access maybe a database or an endpoint or whatever the application requires.
I just want to do a shout-out to HashiCorp, by the way. We had the pleasure to have a good discussion around Trousseau and the project, and they gave us good feedback around how to use the sidecar for our Trousseau project too. So we'll have that in the next implementation. That's going to be fantastic.

So, speaking of the devil, Trousseau is a pretty good approach if you want to keep using your Kubernetes API, the native way, and you don't want to have an extra set of CLIs, and you don't want to come up with the need of learning a new thing, or creating new workflows, or having multiple solutions, because the KMS will be perfect for applications.

So it's a situation, and that's why I put both on this diagram: I put the usage from a low level, Kubernetes resources, and also you can still leverage your KMS for your applications that support the sidecar approach. So this is a pretty versatile, agile way of doing things, and it really reduces the amount of, I would say, constraints from a technical standpoint that you might have when you deal with secrets.
Well, it's really easy; think about it like a simple usage of kubectl to apply a configuration file, like a Secret here, that will go through the API. And when you hit the API, what happens is that the API has a specific configuration that says you need to talk first with Trousseau before registering your secret in etcd, the values of the secret itself.

So what happens at that stage is that Trousseau will communicate with the KMS, in this example and the demo it's actually Vault, and we will look for a transit key. The reason why we do this is because we don't want the secret to go back and forth through the network, over the wire. We don't know where the vault is.

It could be one of the Vaults running in AWS from the HashiCorp Cloud Platform, and in that case you don't want to have too much information transiting back and forth over there, especially if you didn't put any VPC in place. So we fetch the transit key, we verify that we are allowed to do all the transactions, and at that stage we do what we call encryption using an envelope scheme.

So basically, we will take the actual secret, the values that we have there, we'll envelop that into a capsule and protect it with that token, that transit key, actually, that we got from Vault, and when we have everything together, we will store that in etcd and make sure that it's available for every application that needs to have access to it.

So this is the high-level overview; it's actually just how it works and nothing tricky around this framework. Actually it's a well-known framework from Kubernetes: Kubernetes implemented the Kubernetes KMS provider framework to allow that usage and to leverage the Kubernetes API.
While you can still have access to a KMS to have that encryption of your secrets and make sure that everything is secure and available in etcd. The good thing also is that you will make sure that you can always use the very same tooling, and you don't need anything extra. It's just perfect for that solution, and still, if you want to continue using your sidecar for your application and retrieving secrets in HashiCorp Vault or any other KMS, you can still do it.

That's the beauty of the solution. Also, for the moment we're looking into securing only the Secret as a resource in Kubernetes that is stored in etcd. In theory, we can basically secure everything, every type of resource in etcd, with this approach. All right, let's plan for a demo, let's see. First of all, I just want to show you the web page, very simple.

We are all about simplicity; it's trousseau.io. Trousseau is the French word for keyring, actually, and we have a nice Git repo here with everything in there, and there's a wiki to explain to you how to deploy the solution. It's quite straightforward.
I will invite you to go through this and have a look. It's not really trivial to do that. So then, what you need is a Vault; in this case we're using a development environment from the HashiCorp cloud offering deployed on AWS, and we have actually this vault available here, and we're using the namespace, yeah, we're supporting namespaces too for enterprise solutions, the enterprise offering of Vault, and we have a transit key here, and if we look into this, we have a couple of them that we created. All right.

So now, let's have a look here. First of all, if we want to look at how it looks, it's quite easy, I just need to do this and we have actually, as you can see, three pods, and the three pods are from a DaemonSet. So if I do all and I grep for vault, you would see that it's deployed as a DaemonSet, so a DaemonSet allows you a good thing here.

So the way it's working, as I was mentioning earlier, we need to have a configuration file that talks to the API manager, and here we're running Rancher. So if I look at the configuration file from /var/lib/rancher/rke2/server/cred, then I have a configuration file here which is basically telling the API server:

when you see this kind of resource, the Secret resource, go through a KMS, and here is the information on how to access this. This is basically linked to the pods here, those pods, and it's a socket, a network socket, and the transaction occurs there. From a usage, a configuration perspective, what we have is also a configuration file here that says: here's my demo token, the key name, the address of my vault and the token, for those who want to try.
One thing, though, and that's where the sidecar is interesting: in this case we would remove that concept of having a configuration file and have just a sidecar attached to all the different pods that would feed that information, without the need to expose the configuration file. So thank you HashiCorp for this. We'll definitely look into this. All right, so then, obviously, I'm just going to mention: first of all, this cluster currently doesn't have any encryption set.

It's using the basic one, and if we look at the actual file, bear with me right here, because.

Here we go, you can see that there's the identity provider; it's totally different than what we have here. We don't have the KMS part inside. So in this situation, if I just do, and I have some scripts here, I have two secrets that I can create here.

If I do echo -n of my secret, yeah, it's the secret that we're using for Ondat, for our StorageOS offering. Oh, I did not have, oh yeah, bear with me with this. So.

That's the pleasure of doing a demo; it's -d. As you can see, the actual secret is storageos. That's the default API secret for our Ondat offering, so anyway, it's not the most important part here.
So what I'm going to do here is, again, I'm going to just execute this, and what it does is that it's creating a secret. As you can see, we're creating a namespace called secret1 and we're creating a secret called secrets, and then I'm fetching from etcd the information in the registry, so I'm just targeting the registry for that part. And as we can see, this is the basic information when it's not encrypted, and I have information about everything; I can see also that I have my value here.

This is the value that we used, right? So if I recall this, as you can see, it's exactly the same, and just to make sure that it's the same, I'm just going to copy-paste it and see that it's indeed storageos. So this is bad. So the way we can change this is to say I'm going to do this here.

The API just stopped at some point, the API manager, and it restarted, the API server. It restarted with our configuration file. In this case, if I execute my second use case and I do this, I'm going to create now a secret named secret2 in namespace secret2. So that's what I created, and I want to fetch the information about it.

So that's how you can easily secure your secrets without too much difficulty, without too much of a hassle, and using the standard API.

All right, so the demo is done. It's straightforward! It's not shiny! It's just working. And what I'm going to look forward to is a call to action. So keep your secrets secret; join us on the Trousseau project to contribute; the repo is over there. Well, not the repo, but the organization is over there. Just come, have fun; we're looking into implementing many, many other KMS, because we want to have it universal and available for as many solutions.
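Two points in the talk lend themselves to a worked example: that a Secret's `.data` in etcd is only base64 (the `echo | base64 -d` step of the demo), and that a KMS provider such as Trousseau instead stores an envelope-encrypted blob, where only a small data key travels to the KMS transit key and the secret itself never crosses the wire. The following Go program is an added example written for this page; it is not code from the talk or from the Trousseau project. `kmsWrap`/`kmsUnwrap` are a constructed stand-in for the Vault transit key (a local AES-256-GCM key that plays the role of the KEK), `sampleSecretData` is a constructed value, and the `Envelope` layout is an assumption for illustration, not Trousseau's or the KMS provider API's wire format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// Constructed sample: a Secret's .data value as kubectl stores it, base64("storageos").
const sampleSecretData = "c3RvcmFnZW9z"

// DecodeSecretValue: anyone who can read the object (or etcd) gets the plaintext back.
func DecodeSecretValue(encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	return string(raw), err
}

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := io.ReadFull(rand.Reader, b)
	return b, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal is AES-256-GCM with the random nonce prepended to the ciphertext.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce, err := randomBytes(gcm.NonceSize())
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func open(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if ns := gcm.NonceSize(); len(sealed) >= ns {
		return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
	}
	return nil, errors.New("ciphertext too short")
}

// Hypothetical stand-in for the KMS transit key (Vault transit encrypt/decrypt in the
// talk): the KEK stays inside the KMS, only the small DEK crosses the wire, never the secret.
func kmsWrap(kek, dek []byte) ([]byte, error)       { return seal(kek, dek) }
func kmsUnwrap(kek, wrapped []byte) ([]byte, error) { return open(kek, wrapped) }

// Envelope is what lands in etcd instead of the raw Secret: ciphertext plus wrapped DEK.
type Envelope struct{ WrappedDEK, Ciphertext []byte }

// EnvelopeEncrypt: fresh DEK per object, encrypt locally, then have the KMS wrap the DEK.
func EnvelopeEncrypt(kek, plaintext []byte) (*Envelope, error) {
	dek, err := randomBytes(32)
	if err != nil {
		return nil, err
	}
	ct, err := seal(dek, plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := kmsWrap(kek, dek)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// EnvelopeDecrypt: the KMS unwraps the DEK, then the ciphertext is opened locally.
func EnvelopeDecrypt(kek []byte, env *Envelope) ([]byte, error) {
	dek, err := kmsUnwrap(kek, env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, env.Ciphertext)
}

func main() {
	plain, _ := DecodeSecretValue(sampleSecretData)
	kek, _ := randomBytes(32) // in practice this key lives in the KMS, never on the node
	env, _ := EnvelopeEncrypt(kek, []byte(plain))
	back, _ := EnvelopeDecrypt(kek, env)
	fmt.Printf("base64 only: %q; in etcd: %x...; after unwrap: %q\n", plain, env.Ciphertext[:8], back)
}
```

The defender's point is visible in the two storage shapes: `DecodeSecretValue` needs no key at all, while an `Envelope` read out of etcd is useless without a successful unwrap at the KMS, which is where access control and audit logging can be enforced.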