From YouTube: Secrets Store CSI Community Meeting - 2023-01-05
A
A
If you already haven't added yourself to the attendee list, please go ahead and do it. I can help moderate the meeting today and then we can write down notes as we progress. The agenda is pretty small. I think the first item was added by Nelly, but he's not on the call yet, so we can probably go to the second one and then see if Miller joins by then. Okay, so for the second one.
A
Basically me and Tommy, me, Tommy and Rita are the maintainers for the repo today, so, which means we can cut tags, and only we have been the ones to cut releases, and then we've been trying to get more folks to help out with the release if me and Tommy are not available. So for that, I think I opened this PR to adminate and Xander to the maintainers list.
A
So once this is done, they will basically have access to create tags on the GitHub repo and then also be able to milestone some of the issues that we have.
A
I'm, I opened it for lazy consensus. Once, if all the maintainers think it's LGTM, then we can merge it. But if there are any concerns that you have, please feel free to post on the issue and then we can go from there, but I just wanted to bring it up for attention.
A
Okay, I think the lake is it, I mean, like, do you want to talk about the issue that you added?
B
B
About the last topic, so this is broad and kind of general. You know, as part of SIG Auth, you know, I've been thinking about how we, you know, have, like, long-term health of our community and maintainers. You know, we're a small set of people, so I totally understand, you know, trying to build up maintainers and others that can do things like releases and just help in general.
B
That's a bit more formal for how someone, if they were interested, they would do the work needed to become a maintainer, and then I say this while having no idea, because I've kind of just let you all do your thing and it seems to be working fine, so I don't feel the need to meddle in something that's working fine.
C
C
Worth exploring. I can say, as a member of the Kubernetes code of conduct committee, this has been one of the things that we've been encountering in the last six months more than anything else, is folks feeling frustrated by SIGs in particular lacking, like, actual official ladders for people to move up, and so I think going forward that actually maybe it is a good idea to, like, have a solid, oh, looks like we do have that here. Yeah.
B
Right, and you know, like, for example, Xander, you and, like, you know, all currently work at Microsoft, so you know it.
B
So it's just something that's on my mind in general, like, both for, like, SIG Auth and our, like, sub-projects, but just sort of in general too, because maybe it's a little bit more difficult with the SIG Auth stuff, because we tend to have, like, all sorts of security considerations. So it's not just, like, code quality and testing. It's like, did you break something in some horribly subtle way that we didn't notice? So, but yeah, I...
A
Yeah, but I mean, I think because we started this doc, so I had added this initially, taking some of the stuff that was there for Kubernetes reviewers and approvers, but we also toned it down, because that's not the level of PR reviews and code that we required for you to be on board as maintainers. But that is one thing, and then for the maintainers of the project.
A
I think we've been doing lazy consensus, and then we've tried to get not just the maintainers of the project, but also, like, other supported providers that we call out today.
A
We usually have at least one folk from one of them, from every provider, show up on the call, so we basically show all these to them and make sure that they are all on board with us doing this. So, like, once after this call, I will still post this issue on GitHub, on Slack, and then tag one from each provider and then make sure that they are also okay with us adding this. But other than that, if you want to formalize this a little bit more, we can definitely do that too.
B
Yeah, I think I'm gonna, like, so I've been having conversations with Jordan and others on the SIG Auth leadership around this topic. So I think what my hope is to, like, if we get something a little bit more specific nailed down for the overall SIG, then we can use that as guidance, and I'm totally fine if you guys are like, the global guidance is, like, strict, but, and you all want to be more relaxed because maybe the bar is a little less higher or whatever you.
B
However you want to define it, so we'll see how that goes. I just started these conversations, like, end of last year with some folks, so, like, it's still just sort of noodling around right now.
D
So I think this is sort of doubling up against, I think a few folks are, we've started, asking me a second, so this is basically, I mean, a little bit scroll down, right. He has given an example. No, no, just a little bit, of where you have that JSON right here. So basically what they're, what people want is, like,
D
If we have, like, a JSON object in the Key Vault as a secret, then they want to extract it and then mount it as an individual secret, and we already have a PR for it, I believe. So I just wanted to sort of bubble it again so that we can sort of revisit that PR, which I keep forgetting the name. Sorry, then. So yeah, so I think we should revisit and make it to the, take it to the completion, basically.
A
Yeah, Dane's not on the call. We can follow up with him, but I think, apart from that, Mo also added a couple of comments to it. I think maybe doing it with CEL.
A
We can check if Dane is still interested in working on the PR that he has opened, but if not, then I think we can prioritize this in one of the upcoming releases and investigate what Mo mentioned here, if that's a feasible option, and see what we can do.
D
Yeah, makes sense. Yeah, that's it. I just wanted to sort of surface this back so that we can, this will be in our back of mind.
E
Yeah, I think we also, on the Google provider, got more comments on us lately too, about having this functionality, and I think it's possible to go into the driver instead of the, just all the individual providers, but I'm not against individual providers, like, implementing it, right, like, themselves, but I think it would help kind of all of the providers if we had this kind of, like, mutation layer between fetching the secret and presenting it in the file system, wow.
D
Yeah, totally, yeah, and I think Mo also suggested the same thing, like, it would be better if we have at the driver level, and I think the, what Dane started with is exactly the sense, like, I think this is, I'm not, I think this is, I'm sorry, driver level.
A
A
Yeah, but let me ping Dane and see if he still has time to work on this. If not, then we can see what it does, sure.
A
D
A
Think he needed some initial reviews. I think Tommy has looked at it, and then I also ran through the code with Dane once on a call, so I think just waiting for Dane to respond to the comments and see.
D
D
A
A
The image scan was failing at the time of the release because of vulnerability in the kubectl binary that we use in driver CRDs, but we are not scanning the binary, so I think that is also green now.
A
So I think this one was, is specifically for the Azure Arc provider, and I think they, like you said with this, you are working with this user already for RKE.
D
Yes, so yeah, that's true, so I think for RKE, I mean, we hadn't have, I mean, we haven't tested it before. So my first step is to sort of set up an environment and test it. So I got the sort of instruction, so how to set it up, from our internal folks. So we'll do it, but it should be in the provider, like, Azure, right.
A
A
I think there is, so this one I opened at the time of the release, because the kubectl binary we updated to 0.26, but tacon still has this new CVE, and once you have a patched version, we can update that and then re-enable the image scan on the binaries as well.
A
This one was, I think, specific to the Vault provider. I have been working with this person on Slack, where they said the mount is working. Mount is not working fine, it's an empty file, but secret sync is working, but that is not possible because we use the value from the mount for secret sync, so it's not possible for the second one to work without the first one, and I think it might just be some issue with their cluster.
A
So I'm already working with this person on Slack, and if there are any updates I'll post here, so we can close out later. But this one is with the snap, the cluster, so.
A
Yeah, this one, I think that this issue comes up in different ways, not just for CSI but for other add-ons as well. Like, I think I had a summary issue before where, if a workload needs to use the CSI driver and it gets created before CSI driver is installed, then it keeps getting volume mount failed, but that code path self-healed, because kubelet keeps retrying the volume mount, and then with the unmount.
A
E
E
A
Yeah, so he says the new CSI driver pod wanted to come up, but couldn't because the node is full, so I think they basically residued all the pods in the node, and then they also say, because the CSI driver pod has a higher priority.
A
It tries to evict other pods and try to put itself, so, like, other pods is lower priority to get evicted, but those pods with lower priority were using the CSI driver, so for them to terminate, basically the volume unmount request has to succeed.
E
A
And this was something that I had also, I mean, I think me and Xander had gone to a SIG Node call to talk about it, because there was a KEP which mentioned having priorities in terms of saying, like, hey, B is a critical add-on pod, so you mark a node ready.
A
Only members add-on pods are running, just so that you can ensure workloads are not scheduled because, before these pods are running, and then I think SIG Node was receptive to that. Like, that KEP got closed because there was not a lot of folks to work on it, but they were receptive to it. They said, if we add our use case and have more conversations with them, they would be open to trying to implement that KEP.
D
A
Oh yeah, this was the issue, I think, came out of the Slack thread, so this particular user, so we're using klog today, and then this particular user wanted to see the log level also as part of the logs, and if they're using JSON format, they wanted the log level also to show up there so that they can filter specific logs, and then they also wanted to know if it's an error log, information log and stuff like that line, and I think Mo had engaged with them.
A
On the Slack thread, then mentioned pinniped uses, like, a version, no, it's called plog, and then maybe we can use that, and that we recommend the user to create an issue. So I think this is one thing we can evaluate and then see if we want to do this, use plog, something similar for the CSI driver, just so that we can get around the limitations that klog has.
B
Yeah, so for some context, plog is just a layer on top of klog that uses Zap for the structured logging, but, so it does a bunch of, like, terrible hacks, basically, to make klog behave, usually just around startup of the process. So, like, nothing, like, continuous, it's just getting a bunch of global state to behave in a specific way, and then it presents you with this interface and it gives you a global implementation of it.
B
So if you just want to do logging and you don't care, you just use that, but it also gives you a fully mockable implementation. So if you do want to have, like, test assertions or anything about your logs, like, because the logs are, in some set, in some, for some definition, critical to your feature, you can also do that.
B
So this makes it nice to have basically whatever approach that you want, and it supports all of, like, the sort of nesting and stuff, like, with values, with names, all those things that you would want with, like, a nice logging library, and, like, the tests assert, like, the exact bytes that are going to get logged. So you, like, you can assert that at runtime the logs will look in the way that you expect them to look.
B
So it, yeah, so, like, that one there, that I think tests the non-global one. So you can, it purposely has some of the sort of the lines kind of stubbed out, whereas there's a separate test that tests the global logger, and, like, it's global. So it, like, it's.
B
Actually, you know, hitting the, like, the real sink and everything, but I had problems in pinniped, where we, like, would want our logs to look like a certain way, because it's a security product, and then the production implementation just happened to look off, and you'd be like, oh, there's, like, no way to notice, but yeah. So this includes, like, level, timestamps, the caller, all the way down to the specific method that they were calling, whatever message you.
B
Like, I basically, like, spent, like, two weeks building this dumb thing, like, I was really, really frustrated by it, but, like, I did it, it's done. Like, if you do this, like, you would probably never have a need from a log thing and go, so, but it is just, like, an internal package to the repos. You just probably have to copy it out. It's not really a, I mean, we could put it somewhere shared, but at the end of the day, you're still kind of copying it out.
A
Yeah, I think, if you have consensus on this one, then we can definitely do that, like, it could make the experience a lot more better, and we can prioritize into this one in the next milestone.
A
I think the other issues saw the green triaged, and then I think we've been responding to the customer around that, to the user on it, and then in terms of pull requests, I think Tommy, you opened this one. Is this one just to remove the token generation code?
E
Yeah, I was just playing around with, like, because I think we still have a little bit of work to do to fully get off of our token generation and onto using the kubelet-provided tokens, because everything now supports the requires republish, and so I was trying to see what was needed there, but I haven't picked it up in a while. Okay, do you already have an implementation of it that works? Yeah.
A
But, I mean, I think on the very high level side and, but with the token generation part, but at least what I had done was simplify the controller so that we can do node publish even though we are called for the same pod over and over again. So if it's already mounted, we just say it's mounted, not errored out, and then the second thing was also, once we moved to requires republish.
A
We can stop using that standalone controller to, like, watch for changes, so I think I had included that change too, and then I think I'd done a demo of this, maybe like six, seven months back, but I haven't cleaned this up to open a PR, but I can see what is in your PR and then, if it's part, one with the token generation code, then I can open this as a part. Here.
E
Yeah, I just wanted to see, like, when we ripped out all of that stuff, what all, like, there's a lot that can be deleted, like, I think the entire controller, if, like, if we are in a world where everything is using requires republish, right, we can rip out, I think, a full controller, and we can remove a bunch of permissions that, right, like, that the CSI driver can act as any service account in the cluster.
E
We can remove that, so, like, I was just trying to see what was needed to do the full delete, but I'm, yeah, I'm not quite sure if we're ready to do the full delete or if there needs to be, like, an intermediate step. But I was, yeah, just investigating that, because I think all supported versions of Kubernetes have all of the features in, like, okay, that we need now.
A
E
I'm not sure if a user has to do something specific to use the requires republish, though, so we may have it working, but there may be, like, little to no users actually using that code path on the syncing, is my guess, yeah.
A
E
But someone would need to know to add, like, the extra field to the CSI driver to enable requires republish, right, like.
A
Yeah, it's been started with Helm. We would automatically do it, but if they don't do that odd, if they installed, yeah, with our YAMLs, then we would do it, but if they don't do that, yeah, okay.
A
Yeah, and then this also makes one of that behavior more consistent, that I had opened an issue for, where, if they upgrade updates, you could provide a class. They want to update the Kubernetes secret with the newer value. I think with requires republish, we can handle that better, because every time we get called, we basically go and update it with the latest contents, which is nice. Like, I think it makes the behavior more consistent, but I think we can prioritize this for the next milestone, the 1.4.
E
Yeah, and some movement in the next level is about that, but I.
A
Haven't looked at all yours yet, so yeah. Okay, sounds good, and then this one, I am working with the cloud provider, so with value of a cloud and slacks, and they reached out to me because they wanted to set up credentials. So they have opened a PR and testing plan and I'm working on this with them. I think once we enable this test, it's what we have done before.
A
Basically, once the tests are green for the provider, we'll go do a code review of their provider code, and if everything looks good, I think we can add them as a supported provider for the driver.
A
Okay, yeah, I think we tried to show the spears. I think, as anyone wants to talk about before we drop off?
D
A
Okay, so that was it for the community call. Thanks stadium for joining. The next call will be in two weeks on Jan 19th, so see you all then.