From YouTube: Secrets Store CSI Community Meeting - 2021-03-04
Description
No description was provided for this meeting.
A: Okay, hey everyone. Welcome to the CSI Secrets Store community meeting. Today is Thursday, March 4th, and this call falls under the CNCF code of conduct, and the video will be published.
B: I didn't notice that I was muted, so this is Jim from Uber. So the question I have when I try to look into this project is, right now it seems the CSI Secrets Store support for months. Qv values is 5..
A: Yeah, I mean today it's a generic implementation, right? So most of the providers, I think what they do is they parse through the array for secret objects, and then they get the key-value pairs, and then they just write the value into the file with the key as the file name. And then some providers, we also provide an object alias, so you can say, instead of the default object name, just change this to a custom file name that I require, at least for the Azure Key Vault provider.
A: So I think we should consider this option with that proposal as well and make it possible. So I think we should extend it in such a way that the provider can return all the contents for a file, so it's just the entire blob, and then the driver should just be able to write that with whatever the file name is and whatever data is provided in that.
B: So the question is, so I guess the answer here is, eventually it'll be the provider's responsibility to, you know, organize the content and return it to the driver, right?
A: Right, because the driver today is very, it's a generic implementation, right? It looks at the SecretProviderClass, but the only field that it really understands in that is the provider name, because it knows, okay, this is the particular provider, so this is who I need to call, and I'm just going to give this off to the provider, and the provider can decrypt it and see what they want to do with it. And the provider is the one that's also going to respond with what files to write and what the content for each file is.
B: Okay, I wonder, I wonder if you say I want, calculator plugin, say a small plugin, so I guess the answer, but it's clear, like I probably need to, you know, like in there some small parsing, or like put some gateway in front of the provider, I guess, if I want, like, you know, customize something like our own logic to convert the KV into some block, right?
C: Right, let me just make sure I'm summarizing this right. Initially, you were kind of saying that, like right now, it's the plugin's responsibility to organize secrets into, like, files and their contents, and then you're asking whether or not it should remain at just the plugin, or if there should be another, more common, like pluggable way of formatting the files, between kind of like each plugin implementing its own templating system versus the driver having kind of common functionality or pluggable functionality.
A: So it understands what the file name is, and each provider does the file name in a different way, right? Like, I mean, Azure uses the key name, whatever is stored in Azure Key Vault; it uses the same thing as the file name, but we also provide this optional alias, object alias, which other plugins might not have. So in this case, the provider is the only source of truth, which tells the driver that these are the contents and these are the file names, based on the SecretProviderClass.
A: I know these are valid, so you can just go ahead and write it. So what we're really doing is shifting the functionality from the provider to the driver only for the last bit, which is writing to the target path. Instead of the provider writing to the target path, we are sending the contents back to the driver so that the driver can be the only one that's writing to the target path.
C: Yeah, I'm thinking, like, right, like the mapping of secrets to files, right, is only known by the plugins, but the driver could have, like, a way to just modify files, like to just operate on the file contents, like ignoring what secrets are there, but like remap file contents into its own template. Like, it could be something that, yeah, I think it seems feasible, but I think, yeah, we probably need to consider a design there.
A: Yeah, and I think if we also assume that everything, every object that's there in the SecretProviderClass, so everything that's written back, if all of that falls into the single file. So if they have five secrets and all of them have to be in a JSON file or a Java property or something like that, then I think the driver can still do it, because it basically just passes through all the contents it gets back from the provider, and then it's a single file format.
A: But I think if we have to support, like, a heterogeneous case where some secrets in the SecretProviderClass need to be in a JSON and some can just be key-value pairs, that is not something that we can support. But if it's just a SecretProviderClass mapped to a single file, then yeah, I think that can be a driver implementation going forward.
E: And I also want to add the, like, the different types, like if users want to map to certain Kubernetes secrets, especially like the cert types, right? I wonder how this is. This is probably going to introduce bugs, so this is something I would think the provider would have to think about, like, here are the different secret types that I support.
E: Yeah, thank you, and I wonder, if this specific scenario you want, would it also be helpful to open a corresponding issue in the HashiCorp provider to get feedback from, like, Tom, who may have some thoughts around how that should be introduced in that provider?
B: Yeah, sure. I think the goal here is, like I guess the code here is something like the right way to move forward and understand the rumor of CSI. As you can see, thank you.
A: Okay, did you have anything else, Jim?
A: Also, the PR, and see if it looks valid.
A: So one way to get around that was to basically render in the cache package that's there in controller-runtime, and then add an option to use a field and the label selector while creating a cache informer. So that way we could do a filtered watch for all the resources, and when I say filtered watch, I think the part is, for the pods, we can use the pod name.
A: So that means each CSI driver pod only watches for pods within the same node as the CSI driver. And then for the SecretProviderClassPodStatus, when we introduced this custom resource, we also added a custom label with the node name, so we can do a filtered watch only for the pod statuses that belong to the same node as the CSI driver. And the last part is enabling filtered watch for the Kubernetes secret, right?
A: So, with v0.014 of the driver, we introduced a label called managed by secret store, so we put that label on every Kubernetes secret that's created by the CSI driver. And the only other reason we want to watch on secrets is probably if users provide their credentials, so for Azure, they provide service principal credentials, and I think for the GCP plugin also they can provide the credentials for the Secret Manager, so those secrets will also need to have the label so that we can include that as part of the filtered watch.
A: Need to explicitly enable it if they want to run it on load clusters, and then in all our documentation we will recommend using that label when they create the secret for the credentials, and after n plus 2 releases or v1.0, whichever comes first, we will make that default, so that by default we don't exert too much load on the API server. But yeah, I have detailed all of those changes and the reasons for it in the doc, and then the changes are in the.
A: Okay, I think that's all we have for the agenda. I was hoping to finish the other doc that I was working on, but I've been mostly focused on load testing, so I haven't had a chance to complete that, but hopefully I'll try to finish it. Because I started with the disconnected scenarios doc, but then I was also looking at the sync secrets without the mount options, and then I think I just wanted to write, like, a single doc for both of it. So I've just been doing that and then discussing with Tommy offline.
C: I'm also a little delayed on the I/O consolidation implementation, but making some progress on it. So hopefully, next time we'll have.
F: Sorry, about the security audit, is that the new Kubernetes security audit?
A: They actually didn't send the RFP. They had a question, but the question was more about the generic one. They just wanted to know who the members are and stuff, but I don't think they've really received any pictures from the vendors. They're actually going to contact windows directly.
A: Okay, I think that's it. Those are the items that we have in the agenda. If you don't have any other questions, then we.