►
From YouTube: Secrets Store CSI Community Meeting - 2021-01-07
Description
Kubernetes bi-weekly Secrets Store CSI project meeting.
A
All
right
welcome
everyone.
It
is
thursday
july
7th
welcome
to
the
csi
secrets,
community
call
and
just
as
a
reminder,
this
call
is
governed
by
the
cncf
code,
the
conduct
so
just
be
nice
and
kind
to
each
other.
You'll
be
okay.
A
We
got
a
pretty
decent
agenda
and
again
happy
new
year,
everyone.
Hopefully
everyone
had
enjoyed
the
holidays
and
or
time
off
and
recharge
the
batteries.
A
Okay,
thank
you
finish
and
if
there's
anyone
new
to
the
call,
if
they
want
to
introduce
themselves,
I'm
not
sure.
A
C
I'm
a
contributor
for
set
manager
and
I
might
work
there
at
jet
stack
next
week,
probably
and
I'm
interested
in
knowing
the
sick
oath.
Like
things
you
do
yeah,
that's
pretty
much.
Why
I'm
here
awesome.
A
And
I
want
to
make
sure
I
pronounce
it
is
it?
Is
it
mal
or
male
yeah
either
way?
I
would
say
mile,
okay,
now,
okay,
all
right!
Well,
thanks
for
joining
us,
you
know
we
look
forward
to
working
with
you
on
this
project.
Thank
you
all
right.
Let's
go
ahead
and
dive
in
and
let's
see
first
topic
here
is
credentials
used
for
driver,
proud
jobs.
B
Yeah,
I
actually
added
that,
after
some
discussion
with
rita
and
tommy,
so
last
week
we
saw
the
gcp
jobs
were
failing,
so
I
had
created
the
github
issue,
418
to
basically
list
out
the
pr's
where
it
was
failing
and
then
tommy
was
able
to
take
a
look
at
it
and
found
out
that
the
credentials
are
expired.
So
now
we
have
rotated
the
credentials
for
the
gcp
provider,
but
again
one
the
other.
One
thing
is
it'll
expire
again
in
three
months,
so
I
think
I
just
added
it
to
the
agenda.
B
So
we
can
see
what
is
a
more
sustainable
manner,
how
we
can
rotate
these
credentials
because
even
for
azure,
we
use
service
principles
which
could
potentially.
D
Expire,
yeah
I'll
I'll
speak
to
the
google
thing,
but
the
credentials
that
are
used
in
the
integration
testing
are
governed
by
a
google
policy.
That
right
now
is
exported
service
account
credentials.
The
max
lifetime
is
90
days.
I
think
so.
D
I'm
looking
internally
to
see
if
I
can
get
exemptions
for
credentials
like
this,
because
90
days
is
kind
of
a
weird
spot
between
not
frequent
enough
to
automate
and
but
like
yeah
it.
It
is
we're
like
difficult
to
automate,
especially
since
we
have
to
put
it
into
the
kubernetes
infra
infrastructure
which,
like
I
don't
have
you
know
any
permissions
to
that.
D
So
right
now
I
think
it's
toil
for
gcp
and
I
just
need
to
make
bugs
for
us
every
90
days
to
do
it,
but
yeah,
I'm
not
sure.
B
D
So
on
gcp
there's
things
that
are
like
exported
credentials
that
you
can,
you
know,
take
and
put
on
your
laptop
or
you
know,
put
anywhere
and
then
there's,
like
instance,
metadata
or
you
know,
like
the
gce
instance-
will
have
an
identity,
I'm
not
too
familiar
with
how
the
proud
clusters
are
configured.
But
if
we
have
access
to
the
base
jobs
identity,
I
could
just
grant
that
the
necessary
permissions
over
the
secrets
for
the
integration
test.
D
There
may
also
be
a
way
I
think
asher
has
a
way
to
translate
like
gcp
or
other
like
arbitrary
oauth
identities,
into
gcp
or
into
azure
identities.
Maybe
if
we
can
access
just
the
base
pro
identity,
that
might
be
a
way
there
to
avoid
exported
kind
of
credentials
or
requiring
secrets
for
these
tests.
E
The
were
you
thinking,
like
maybe
just
reuse
like
some
of
the
other
jobs
that
that
are
running
like
say,
testing,
kubernetes
kubernetes,
on
gcp
yeah.
I
think
ben
alder
and
and
the
sig
test
team
probably
would
know
way
more
about
that
than
any
one
of
us,
so
you
may
want
to
reach
out
to
them.
Tommy
do
you
know
an
elder.
D
I
do
not,
I
can
okay.
E
E
Cool,
so
if
you
do
have,
if
like
gcp,
has
something
like
that,
then
potentially
someone's
already
rotating
that
every
90
days,
maybe
then
you
don't
have
to
worry
about
it
right,
so
you
just
have
to
like
consume
it.
Cool
yeah.
E
Or
stick
testing
you,
you
can
send
a
message
there,
they're
they're,
pretty
active
there.
Okay.
A
So
I
think
we're
done
with
that
topic
yeah
this
next
one.
This
is.
This
is
simple
this
you
know.
I
think
everyone
knows
this
has
been
kind
of
an
uptick
in
meeting
zoom
bombs.
I
was
actually
on
one
it's
pretty
crazy
to
experience
that.
So
what
we're
gonna
do
I
mean
from
the
community
side,
simple,
we're
just
going
to
add
a
password
to
this
meeting
and
that
will
kind
of
stop
some
of
the
bots.
A
But
the
big
key
here
is
we're
going
to
disable
the
ability
for
anyone
to
just
be
able
to
share.
So
if
you
do
need
to
share
just
ask
the
host
and
then
they
will
promote
you
to
be
able
to
share,
and
then
by
default
we
are
going
to
disable
the
whiteboard
feature.
We,
I
don't
think
we
draw
anything
here
anyway.
So
not
a
big
deal
there
so
just
know.
Next
meeting
there
will
be
a
pass
pasco
to
the
meeting,
we'll
update
the
doc.
A
Obviously
and
it'll
be
something
like
all
sevens,
it's
something
very
similar,
it's
simple,
but
that
that
helps
a
little.
That's
any
questions
about
that.
It's
pretty
standard
stuff.
E
A
Yeah
yeah
so
we'll
add
the
the
passcode
here.
All
this,
this
stuff
will
be
perfect,
updated.
I
don't
think
you
can
do
like
an
inline
uri
with
the
passcode.
I
think
you'll
still
have
to
copy
and
paste
that
when
you
when
it
asks
when
you
enter
the
meeting.
A
All
right,
so
next
up
anish
talking
about
v.o.19
latest
release,
that'll
support
some
backwards
compatibility.
B
Yeah
so
before
the
holidays
I
released
0.18,
so
it
had
quite
a
few
improvements
and
stability,
so
I've
created
a
small
milestone,
0
0.19,
which
is
for
the
next
two
weeks.
But
this
particular
item
is
for
the
grpc
supported
providers
right.
So
we
added
support
for
grpc
in
0.0.14
and
right
now
we
have
four
releases
from
that.
B
So
the
plan
is
a
v0.19
will
be
the
last
release
that
supports
backward
compatibility
with
the
all
provider
in
working
format
and
also
having
the
grpc
format
and
starting
from
0.0.20
we're
going
to
deprecate
the
old
way
of
doing
it,
which
means
all
providers
should
have
a
release
that
works
with
grpc
changes
so
implementing
the
grpc
server.
B
So
I
wanted
to
bring
this
up
because
I
think
right
now
our
two
out
of
the
three
providers
already
have
the
support
for
grpc.
So
I
think
we
just
have
to
make
sure
that
the
other
provider
also
gets
the
support
and
there's
already
a
work
in
progress
pr.
So
hopefully
we
can
get
that
merged
and
having
it
till
the
0.020
release
gives
the
provider
the
time
to
get
it
merged
and
also
have
all
the
tests
updated
to
use
the
new
format.
A
B
Yeah,
so
I
think,
last
year
we
went
through
the
stability
dot,
so
it's
also
a
little
bit
work
in
progress,
because
I'm
looking
at
another
link
that
the
rita
had
shared
and
I'm
going
reviewing
that
to
add
more
criteria
that
we
can
add
for
the
list,
but
probably
for
the
next
few
months.
B
I
think
what
we
want
to
do
is
we
have
a
stable
milestone,
so
we
want
to
go
through
the
items,
pick
issues
from
the
stable
milestone
and
start
working
on
those
so
that
we
can
get
the
driver
to
the
stable
release
and
the
same
applies
to
the
providers
as
well,
and
I
think
one
thing
that
is
probably
missing
is
security
review.
We
probably
also
want
to
add
that
to
the
milestone,
because
I've
had
some
users
ask
about
security
review
so.
E
I
think
for
that
maybe
we
should
maybe
let
me
ping
one
of
the
save
off
people
to
see
what
what
we
should
do
there.
I
like
it
to
see
if
they
have
a
process
for
sub
projects,
let's
start
there
and
if
it,
depending
on
what
kind
of
answer
we
get,
we
may
have
to
also
work
with,
like
just
c
and
cf
to
fund
it.
But
let's,
let's
start
with
sega,
since
it's
a
sig
off
sub
project.
E
Yeah
makes
sense,
yeah,
okay,
because
I
I
think
it
does
take
some
time
to
get
funding
and
and
and
get
like
vendors.
So
we
may
as
well
kick
off
sooner
rather
than
later,.
D
E
Is
there
something
a
bit
more?
Maybe
can
we
break
up
these
into
maybe
more
attainable
milestones
like
like
smaller
chunks?
Are
there
one
some
of
these
that
that
are
lower
hanging
fruits
that
we
can
do
sooner
rather
than
later?
I'm
just
trying
to
organize
this
so
that
we
can
sort
of
have
like
tiny
milestones
before
we
hit
the
big,
stable,
milestone.
B
It
is
so
the
way
I
have
it
right
now
is
all
the
issues
in
general
are
in
stable,
milestone,
pool
and
then,
as
we
create
the
next
smaller
milestones
like
when
I
created
zero
19,
I
moved
some
of
them
from
stable
to
the
next
milestone.
So
I
think
whenever
we
decide
that
this
is
something
that
we
can
get
it
done
in
the
next
release.
So
we
just
moved
from
stable
to
the
new
one
and
stable
is
basically
just
a
pool
for
everything
that
we
really
want
to
do
for
stable.
E
Right
and.
A
A
A
E
Understanding,
I
would
imagine
we
could
potentially
cut
a
v
1.0
release.
A
E
It's
a
it's
a
good
signal
to
the
community
that
hey
it's
gone
through
a
lot
of
vetting,
and
you
know
stability,
testing
and
and
all
of
that.
E
A
All
right
that
is
the
last
item
on
the
agenda:
I'll
open
the
floor.
If,
if
there's
any
anything
else,
anyone
wants
to
chat
about.
E
I
do
want
to
come
back
to
our
new
member
on
the
on
the
call
just
to
just
to
see
if
there's
any
questions
or
any
anything
that
that
maybe
we
can
help
clarify
or
or
is
there
anything
that
you
you
think
we
can
collaborate
on?
It
is
another
way
to
ask.
I
guess.
C
Yeah
so
yesterday
we
mentioned,
like
we
said
in
one
of
our
meetings,
that
we
we
had
to
go
to
the
sequel
oath
group,
but
I
can't
remember
exactly
why.
C
And
yeah,
I'm
sorry,
I'm
not
really
prepared.
Oh,
but.
C
I
promise
next
like
next
next
time,
so
in
two
weeks
I
will
probably
have
more
like
real
questions.
Okay,.
C
There
is
some
interesting
things
that
search
manager
would
be
interested
in
working
on.
I
guess
what.
E
E
Oh
no,
I
just
figured
we
come
back
to
this,
but
yeah.
Definitely,
you
know
feel
free
to
discuss
this
at
a
later
call.
By
the
way,
are
you
on
slack
on
the
kubernetes
slack?
Okay,
can
you
find
you.
C
E
No,
the
kubernetes
sock,
but
it's
okay.
I
guess
I
can.
C
A
A
All
right,
so
that
brings
us
to
the
end.
Oh
sorry
was
someone
chiming
in.
D
I
was
just
gonna
ask
one
other
thing
previously
at
during
the
the
few
like
vulnerabilities
that
we
found
like
I
threw
out
an
idea
about
like
what,
if
the
driver
was
the
one
that
wrote
to
the
file
system
rather
than
the
plugins
like
in
expanding
the
grpc
interface
to
to
allow
that
to
happen,
I'm
wondering
if
it's
worth
it
for
me
now
to
put
like
effort
into
writing
a
proposal
for
that.
D
Like
do,
that
sounds
like
a
direction
we
might
want
to
go
or
or
not,
yeah,
because
I
can
write
up
like
you
know
more
of
a
design
doc
on
it.
If
we
think
it
would
help
with
help
plug-ins,
but
if
not
then.
B
Yeah,
I
think
that
makes
sense
so
that
the
idea
that
you're
referring
to
is
basically
the
provider
fetching
the
contents
from
the
external
secret
store
and
then
sending
it
back
to
the
driver
and
then
the
driver
being
the
only
one.
That's
writing
to
the
file
system
right,
correct,
yes,
yeah!
I
think
that's
definitely.
D
Okay,
then
I'll
write
a
more
complete
duck
and
like
look
more
into
the
pros
and
cons
of
that.
E
Yeah
and
I
think
if
if
we
do
go
down
that
route,
it
could
minimize
privilege
on
the
provider
side
which,
which
is
always
a
good
thing,.
D
Yeah,
I
think
some
of
the
downsides
is,
I
don't
know
how
many
secrets-
people
usually
fetch
at
a
time
and
like
the
size
of
those
and
the
feasibility
of
kind
of
like
passing
those
over
the
grpc
thing.
But.
B
So
one
thing
is:
we've
been
seeing
github
requests
where
users
want
to
use
a
regular
expression,
so
they
basically
want
to
fetch
all
the
secrets
that
they
have
in
their
external
secret
store.
So
my
guess
is
they
have
quite
a
few.
I
mean
at
least
one
user
that
I
talked
to
on
slack
said
they
have
about
100
150
secrets
and
they
don't
want
to
add
each
individual
one
to
the
array.
So
they
just
want
to
have
a
regular
expression
and
every
secret
that
matches
on
the
drag
x
is
fetched
by
the
csi
driver.
D
Okay,
all
right
thanks
I'll
write
up
a
doc
on
that
and-
and
we
can
discuss
it
more
there
in
other
use
cases.
A
There
all
right
thanks
to
tommy.
I
think
that
brings
us
to
the.
I
guess
I
got
one
other
question:
are
we
okay
with
the
cadence
bi-weekly?
Is
that
good,
I'm
seeing
some
head
knots?
Okay,
just
want
to
throw
that
back
out
there
all
right.
So
if
that's
the
case,
then
we
will
see
everyone
in
a
couple
of
weeks
january
21st
for
our
next
call
thanks.
Everyone
have
a
good
day,
happy.