Description
Azure Key Vault integration demo, new Azure services announcements, Microsoft joins the CNCF
A: All right, everybody, welcome to the July 26th public meeting of the Azure Special Interest Group. My name is Jaice Singer DuMars. I am one of the co-leads for this group and I work for Microsoft. Today we've got a really cool demo, a short demo from Khaled Henidak from Microsoft, and he will be showing us the prototype for the Azure Key Vault integration that we're going to be working on and targeting for full integration within the 1.10 release timeframe. So without further ado, I'm gonna turn it over to Khaled.
B: Okay, let me just get on screen.

B: How's that? Looks good to me. Alright, so what I have is code that was built actually a few months back to allow customers to use secrets beyond what Kubernetes offered back then and offers now. The idea is, Azure Key Vault is one of those services where people can save secrets of different types; that includes secrets, keys and certificates. It can auto-rotate them, and it also supports hardware HSMs and so forth.
B: When we talk to some of the customers, or partners, who are either using Kubernetes or planning to use it, one of the key issues has been secrets in Kubernetes and the fact that, up until 1.7.2 I guess, they were clear text saved in etcd, and that did not allow them to use them. Although they really, really loved how easy they are to use inside their apps, they cannot use them because of the fact that they are saved as clear text. Right now, there is... when we wrote this code,
B: the KMS integration in Kubernetes was not out. So I'm just going to walk you through what we have right now and walk you through how we're planning to move this forward. What I have is a kubectl alias; there's a cluster up, nine or ten thousand mega, remember. What I have done is a volume that's not doing anything other than bringing secrets from Key Vault to the pod.
B: So if I go here and show them: what we had in mind is users going through containers need to define a pod, and this is just a busybox doing a loop, all right, and then they can do regular volume mounts. The secret sauce is actually here, what they can say, right. I have three volumes; give them... let me give it a name, give it a type, which is in this case azurekeyvault, and then they can point to a vault.
B: This is an actual Azure Key Vault, and they can say the object they want to bring in. In this case it's of type secret, and it has s0 as a name inside Key Vault. The same can apply for keys, type key, and then you can also have a certificate. Okay, what users will do is they can just create it.
B: And it doesn't take much; as you can see, it's just three seconds to mount everything. And then, if I do kubectl exec, attach to this guy and just go into sh, now I'm inside this container. What you will see is, if you remember, everything was mounted under /mnt. So if I go to /mnt and I go ls, these are my two volumes... basically, these are three volumes. Then I can cd into secret and do ls: everything is a file named as the object, and this is my secret. The same applies to the key as well.
B: One of the things that this volume is doing, and one of the things that we're also planning to do, is once the pod is removed, everything is removed from the nodes, because you really don't want to keep secrets on the node while nobody's using them. Planning on going through 1.9 and 1.10, what we will do is we will also support the ability to proxy secrets outside etcd and into Key Vault, so the secrets that you're currently using and love in Kubernetes, you will be able to keep using them.
C: I have a question. This is Louise from Korres, hi, okay. My question is that I like the simplicity, I like the usability of this, and it seems to be very well implemented and integrated with Kubernetes. My question is around not really the technology around this, but the integration with the rest of the ecosystem of Kubernetes. So if, for example, we have an Azure-specific way of storing secrets, are we going to manage this across, like, AWS, OpenStack, on-premise and the other models that we have for deploying? So I...
C: I definitely like it. I just want to see a way to not expose this all the way up to the consumer. For example, in storage we have PVs and PVCs, right? Yeah, it's an abstraction of the internal storage classes and things like that. So I was wondering if there's a... I would like to see this, but I would like to see it in a way that it could, because the user doesn't see the exact... every dial, I think it is gone.
B: To answer this, it's twofold. The first fold is, I absolutely agree with you. There has to be a way where users don't need to get entangled with the cloud details, and right now it's secrets, and by 1.10 you will be able to do exactly what you're saying: you can use secrets and the cloud provider will be configured to store them outside etcd, okay, so that's part of it. That's gonna happen in 1.10. The second fold to that is, let's see... every cloud has its own thing, right.
B: There has to be a way, moving forward, to get these unique features from a cloud into Kubernetes in a way that only the users who are interested in Azure, for example, can use, or the users who are interested in AWS can use, and that's not something that can be, or that should not be, in upstream. If you know what I mean, it shouldn't be code in upstream containing that; that should be something, some tooling around it. Think of Azure as a part of the ecosystem.
B: Think of Azure as a CoreOS company; they ship stuff that allows it to work only on Azure. And that part, with regards to secrets in 1.10, will have to wait until 1.10 is out, which is, I'm thinking, six months out from now, until we see this happening. And then we can say, all right, the secrets the way they are, and the way they are going into 1.10 and beyond, will cover 60% of what Key Vault can do. Do we want people to use the 40% without having to code against them?
B: No, and that's not a decision I can make right now, to tell you the truth, and nobody can; we have to wait until 1.10. But for now, between 1.8 and 1.10, if somebody wants to use HSM, hardware HSM, for authoritative certificates on Azure that they are already paying for somehow, we should be able to allow them to use it, basically, without impacting everybody else. Okay, so.
A: Again, Khaled, thank you for the great demo. Moving along, if you follow along in the agenda, which you can get at bit.ly slash SIG Azure,
A: you can see what I will be referring to now, which is work in progress. There's a pull request out there for adding an option for VNet resource group in Azure configuration; it looks like it needs a rebase. And this work that Khaled's going to be doing on the Azure Key Vault integration, moving forward we're defining that work, and we're also, from an Azure implementation standpoint, working on getting the great work that was done with managed disks into Azure Container Service, and that work will be rolling out in the near future.
A: I'll probably update everybody once that's happening, but again, that has some really nice improvements in terms of Azure disks. PRs needing review: there are a couple of cherry picks for the work that was done for MSI, which is the managed service identity, and these should be pulled into 1.7.3 or maybe 1.7.4, depending on timing. We're probably going to get somebody to do that internally at Microsoft, but if somebody's feeling adventurous and wants to start those cherry picks, go for it.
C: This is actually Rob's pull request about nodes going away when they go into stop mode. So I just wanted to bring it up, because there is already a discussion, or a PR, for discussing this in AWS specifically, where we have a new stakeholder who wanted to bring it up to SIG Azure to see if we had the same issue, and what do you guys feel about a stop state for a node.
C: Talk, discussion, yeah. It says: what do you guys feel about this?
A: I'd have to review the PR to really understand the notion of what a stopped node means. I mean, obviously in Azure we can stop a node and it's still affiliated with a cluster. In fact, I believe it even still is counted as a billable instance at that point. So it's definitely... if you've stopped an instance and restart it, it comes back as it was in the prior role, versus, like, in AWS,
A: if you stop an instance, it basically comes back with all new information, which is kind of disruptive to clusters. So the Azure implementation of the stopped instance, or stopped VM, doesn't have the same disruptive quality in Kubernetes clusters. It doesn't affect us. So, like I said, we all have to assess this, but I don't know that this is really an issue in Azure, yeah.
B: If there is a can of worms, that stopped node stuff is a can of worms, and we really need to be careful with this. Absolutely, yeah! I doubt that we can do this in, you know, every ten minutes, especially when we have some folks who didn't read the PR. I know the PR you are referring to, yeah.
B: That's the one I'm referring to, so it's a can of worms, but I completely agree with you. It needs to be on our radar. Just to confirm Jaice's view: I think Jaice has a spot-on view of how this will work on Azure, but we need to, like, come to a conclusion, all of us, that, yes, it's not impacting us, right.
E: In Kubernetes, the interface Kubernetes has is filtering out, you know, what's not active. So in AWS a node could stop and it disappears from Kubernetes, right, and that's not happening in Azure. Now, whether or not that should happen in Azure is, you know, kind of, in some way, something that we keep talking about: needing the cloud provider type of SIG to decide how that kind of a situation should happen.
A: Yes, now this is a fantastic discussion, and as Khaled so very eloquently said, it's a can of worms, so I will keep my eye on this PR and I would encourage everyone else here to do that as well. So just stay on top of that. Cool, thank you. All right, moving on to release updates: the 1.8 release team is formed, mostly; there's an asterisk, and that's because we've not necessarily 100% finalized the release team.
A: Nice. The integration of these features, that is correct, and I will be personally working on that particular one, and I'll actually coordinate with you on that, Khaled, to make sure that we get the right descriptions in. All right, thank you. And there's no ETA that I'm aware of on 1.7.3; 1.7 went out with some great code in it.
A: Great. Announcements: etcd2 support deprecation is being proposed. It doesn't necessarily have a strong impact for us, but it is something that we want to keep an eye on, especially for legacy clusters and the upgrade path and all that stuff. So it's just one of those to-be-aware-of things; right now the proposal has not been ratified or approved, but that's something that I believe will get some attention. And the corollary discussion around this is simply what versions are officially supported by the project.
A: Obviously, there's version skew support for two versions, but what do the actual mechanics look like around supporting, say, an upgrade from 1.4 to 1.7, and is that even a supported upgrade path, even if it's possible? So this is something that probably will get escalated to the steering committee, because it is a fairly wide-impacting decision about how many versions we support when push comes to shove.
A: Ultimately, this decision comes down to who's supported in the release teams, because right now, if there's no patch manager for 1.5, then ostensibly cherry-picks back to 1.5 are not possible at the moment. It's complicated and just something for everybody to kind of stay aware of. The sig-azure Slack channel: I would love to see more involvement from everybody here, and, just generally speaking, there's an amazing amount of good questions and concerns coming up in that Slack channel, and it's definitely a lot of operational concerns and interest.
A: Some real exciting news coming out of MS central today: we have launched Azure Container Instances, which is a really revolutionary way to think about container workloads and running container workloads in a cloud environment. I would encourage everybody to look at that link and read the release on it, and there's two corollaries to that. One is that Microsoft is joining the CNCF, which is, I think, a fantastic step forward for our integration and support of all the great projects that are under the CNCF umbrella.
A: Kubernetes, of course, being the one we're talking about today, but there's a lot of other great things there too. And this repo that's linked in there, the Azure/aci-connector-k8s, I think, is so cool. The demo that's in the release on the ACI stuff is actually leveraging the ACI connector, and it is so amazingly cool, so check that out; it's going to blow your mind. And last,
A: there is a report in the Azure channel this morning regarding a change somewhere in an Azure SDK or something; I haven't fully investigated. But some API has been deprecated that is currently badly impacting Terraform installations, the CoreOS Tectonic installations, and whatnot. There's a link to the issue in the notes, and I would encourage everybody to take a look at that, and let's see if we can figure out how to get that taken care of.
D: I remember that sort of thing; I can find it and paste it in. I'm on my phone right now. Okay.
A: Okay, without any other objections, I think we'll go ahead and adjourn. Again, I appreciate everybody for showing up, and thanks for your valuable time. You're welcome. Thanks.