►
From YouTube: Pinniped Community Meeting - April 1, 2021
Description
Pinniped Community Meeting - April 1, 2021
We meet every 1st and 3rd Thursday of the month at 9am PT / 12pm ET.
This week's topics included the release of v0.7.0 and the next project roadmap items for April 2021. Full details here: https://hackmd.io/rd_kVJhjQfOvfAWzK8A3tQ
A
All
right
welcome
everyone
to
the
pinniped
community
meeting,
the
first
one
of
april
2021,
just
a
reminder
to
please
adhere
to
the
code
of
conduct
when
attending
these
meetings,
which
is
listed
right
out
here
in
the
agenda.
A
These
are
being
recorded
and
will
be
added
to
our
youtube.
Playlist
later
today,
we
do
have
some
pretty
exciting
announcements.
Today
we
are
cutting
a
release
0.7,
and
that
leads
us
to
the
update,
in
particular
for
impersonation
proxy,
since
the
release
covers
that-
and
I
will
kick
it
on
over
to
whoever
wants
to
lead
the
discussion
on
that
and
what
to
expect
with
this
release.
B
I
can
give
an
update,
so
this
has
been
something
that
we've
been
working
on
since
february.
The
last
release
was
february
11th.
I
think
so.
We
it's
a
solid
chunk
of
work.
Essentially,
what
we've
done
is
add
support
for
the
vast
majority
of
real
world
kubernetes
deployments
with
the
concierge.
So
before
this
release,
the
pinniped
concierge
worked
on
a
set
of
kubernetes
clusters,
basically
where
they
were
sort
of
self-hosted,
where
the
control
plane
runs
in
the
cluster.
B
That
includes
a
lot
of
clusters,
but
it
doesn't
include
any
of
the
managed
cloud
provider
services
and
so
in
o70,
we've
added
a
whole
second
backend
strategy
to
the
concierge
supports
those
environments.
So
now
we
cover
really
a
huge
huge
majority
of
clusters
that
people
care
about,
and
this
should
all
be
mostly
seamless,
like
the
installation
process
is
the
same.
B
It's
still
one
command
one
command
to
install
penfed
on
any
cluster,
one
command
to
get
a
coupe
config
and
that's
it,
and
so
we
made
sure
that
the
user
experience
continues
to
be
very
low,
touch
very
automatic
in
every
case
yeah.
So
hopefully
I
mean
in
some
ways.
This
is
a
very
small
change
to
like
the
user
experience,
but
we've
we've
brought
in
support
from
some
clusters
to
almost
every
cluster,
so
this
will
be
going
out
today,
along
with
a
blog
post.
A
Hopefully,
awesome
thanks
matt
super
exciting
to
see
that
happening
on
to
the
next
item
on
here,
which
would
be
the
road
map
for
april
2021.
I
take
it
well,
I'm
assuming
not
too
much
has
been
worked
on
that,
but
I
don't
want
to
say
anything
further.
A
C
D
We're
we're
still
in
the
technical
design
phase.
I
guess
you
would
call
it
and
so
actor
and
I
have
updated
the
kind
of
proposed
technical
design,
and
I
put
that
as
a
possible
discussion
topic.
If
we
want
to
go
over
that
more
detail
today,.
D
D
D
It's
part
of
a
bigger
technical
design
document
for
ldap,
so
the
andrew
and
I
have
been
working
on
yesterday-
is
specifically:
how
does
the
cli
talk
to
the
supervisor
to
enable
cli
based
login
through
ldap,
where
the
cli
prompts
for
your
username
and
password
and
never
needs
to
open
a
web
browser,
which
is
what
it
would
do
for
an
oidc
login
open
a
web
browser
in
the
web
browser
your
otc
provider
would
prompt
you
for
your
username
and
password.
D
This
is,
I
think,
bat
and
pablo
you've
never
seen
this,
so
this
is
going
to
be
a
real
live
discussion,
so
your
feedback
is,
of
course,
welcome.
Everyone's
feedback
is
welcome,
andrew
and
I
thought
one
possible
way
to
do
this.
That
might
be.
Nice
would
be
to
lean
on
the
oidc
issuer
to
use
the
all
ready,
publish,
discovery,
endpoint
and
add
some
custom
information
into
that.
D
So
issuers
and
the
supervisor
correspond
to
the
kubernetes
api
object
that
we
call
federation
domain.
Each
federation
domain
becomes
an
oidc
issuer
and
each
issuer
then
has
the
oidc
well-known
discovery
endpoint,
and
so
what
we're
proposing
is
that
each
issuer,
aka
federation
domain,
advertises
publicly
what
upstream
identity
providers
it
wants
to
advertise
publicly.
So
it
could
be,
for
example,
that
it
advertises
all
of
them
all
of
the
currently
configured
upstream
identity
providers
or
maybe
down
the
road.
We
have
some
features
where
an
administrator
can
say.
D
I
want
to
advertise
these
ones
publicly,
but
not
these
other
upstream
identity
providers
and
in
the
public
advertisement
it.
It
obviously
is
not
going
to
share
any
private
information.
So
it's
just
an
identifier,
a
type
to
tell
you
if
it's
oidc
or
ldap
and
if
it
is
ldap,
it's
very
common
to
allow
administrators
to
customize.
B
Question
about
that,
so
I
wonder
if
so
I
think
I
like
the
idea
of
advertising
the
idps
here.
I
wonder
if,
instead
of
actually
sort
of
keying
off
ldap
versus
oadc,
if
we
should
just
key
off
of
password-based
grant
flows
or
web
browser-based
grant
flows,
so
I'm
thinking
ahead
like
if
we
added
saml
support
as
a
browser-based
flow.
B
D
Yeah,
to
a
certain
extent,
our
login
cli
command
doesn't
really
care
right.
It
just
needs
to
know
if
it's
web-based
or
not
web-based,
I
think
maybe,
when
we
get
into
the
get
coop
config
command,
that's
where
it
might
be
helpful
to
know
the
specific
idp
type,
let's
maybe
jump
into
that
next
and
yeah.
Of
course,
we
could.
We
could
change
that
or
we
could
add
an
additional
field
to
say
if
it's
web
or
password-based,
so
piniped
get
coup
config.
So
a
reminder
for
people
who
might
be
watching
the
video.
D
This
is
the
command
that
you
use
after
you
install
you
use
it
as
the
administrator,
and
it
gives
you
back
a
cube
config
that
you
can
then
hand
out
to
your
users,
so
you
get
one
coupe
config,
there's
no
identity,
encoded
in
it.
It
has
no
passwords
encoded
in
it.
It's
safe
to
give
it
to
all
of
your
users.
You
know
all
of
your
users
can
use
it
to
log
in
so
today.
D
The
way
that
that
works
is
it
typically,
you
would
use
it
against
a
workload
cluster
that
workload
cluster
has
the
concierge
software
installed
on
it,
and
the
key
thing
is
that
piniped
get
coop.
Config
doesn't
even
know
that
there
is
a
supervisor
cluster
or
a
put
a
pen
supervisor
app
running
elsewhere
in
the
world.
It's
unaware
of
it
blissfully
agreement.
D
D
It
can
know
that
there
is
an
issuer
which
would
be
specified
in
there
and
it
can
do
discovery
against
that
issuer
without
knowing
whether
it's
a
supervisor
or
just
some
generic
idc
provider,
which
means
it
can
look
for
this
custom
fields.
In
that
response,
and
based
on
that
custom
field,
it
can
choose
to
act
differently.
D
So
what
we
were
proposing
is
two
new
fields.
When
you
do
excuse
me
new
flags,
when
you
do
pitifully
get
a
cube
config,
you
can
specify
either
none
of
these
new
flags
or
both
of
these
new
flags
or
just
one
of
these
new
flags.
D
So
you
can
say
my
upstream
idp
is
this
name
and
or
my
upstream
idp
is
this
type,
so
you
can
say.
Basically
I
want
a
coupe
config
and
I
want
it
for
my
ldap
idp
or
I
want
to
keep
config
and
I
want
it
for
my
idp
called
corporate
idp
and
it
would
give
you
back
that
good
config
through
a
kind
of
best
effort
discovery
and
comparing
what
you
asked
for
versus
what's
available
and
if
you
ask
for
nothing,
the
idea
is.
D
B
When
we're,
when
we're
running
this
gatekoop
config
command,
we
sort
of
assume
that
we
have
access
to
the
workload
cluster
where
the
concierge
is
running,
we
don't
necessarily
have
any
access
to
where
the
supervisor
is
running
so,
like
the
discovery,
docket
seems
like
a
really
natural
place
to
put
that,
and
it
it's
a
existing
api.
That's
meant
to
be
extensible
for
this
kind
of
thing.
B
C
D
Yeah,
that's
that's
a
great
point
pueblo,
so
usually
the
pinniped.
Yet
config
would
be
done
by
the
administrator
who
created
the
cluster,
and
so
hopefully
they
because
they
created
the
cluster.
They
would
have
configured
the
multiple
idps
or
maybe
they
would
be
closely
related
to
the
team
that
runs
the
supervisor
and
configured
the
multiple
idps.
D
B
D
Yeah,
we
should
think
about
that.
I
don't
think
we
wrote
that
down.
Maybe
you
can
add
a
comment
to
the
doc
here,
while
we're
talking
about
it
think
about
how
that
would
work,
because
that
would
be
nice
as
a
feature,
I
think
potentially,
but
thanks
pablo
for
mentioning
multiple
idps
today,
pinniped
doesn't
support
having
multiple
idps
configured
in
your
supervisor
at
the
same
time,
but
it's
something
that
we've
been
planning
to
do
and
we've
always
kind
of
danced
around
it.
D
All
right
so
assuming
that,
then
you
have
a
coupe
config
generated
by
what
we
talked
about
pinpoint
get
coop
config,
then
that
coupe
config
is
going
to
have
in
it
embedded
a
piniped
login
oitc
command
with
all
the
flags
already
specified.
D
D
One
of
those
two
choices
you
can't
just
this
command
meant
to
be
a
little
less
automatic,
self-discovering
and
more
just
told
exactly
what
to
do.
D
So.
If
you
specify
both
flags,
then
the
cli,
the
cli,
is
going
to
do
discovery
anyway,
because
it's
an
oidc
login.
So
it's
always
going
to
do
discovery
anyway.
So
since
it's
going
to
do
it
anyway,
it
might
as
well
take
the
idp
name
and
the
idp
type
that
you
asked
for
and
make
sure
that
they
appear
in
the
discovery
document
and
to
matt's
point
earlier.
Maybe
it's
okay!
If
they
don't
appear
so
we
have
to
think
about
that
and
then,
when
the
those
new
flags
are
not
specified.
D
You
could
hit
the
discovery
endpoint
and
not
get
any
of
this
custom
field
back,
which
means
you're,
probably
not
talking
to
a
supervisor
you're
talking
to
like
google
or
somebody
else,
in
which
case
we
can
just
do
what
we
used
to
do
otherwise
for
backwards
compatibility
if
it
sees
that
there
is
exactly
one
idp
listed
and
that
idp
is
of
type
oidc.
D
Okay,
now
once
it's
decided
that
the
input
is
correct
and
it
knows
what
idp
it
wants
to
log
into,
how
does
that
work
andrew
and
I
did
a
spike
or
actually
implement
3d
version
of
this,
my
prototype,
and
so
what
we're
suggesting
is
that
we
now
that
the
cli
knows
that
it's
a
an
idp
of
type
ldap.
D
D
Starting
that
whole
idc
flow,
it
can
hit
the
authorized
endpoint,
which
is
the
first
endpoint
in
the
normal
oidc
flow,
and
it
can
post
some
custom
query
parameters
to
say.
I
would
like
to
log
in
to
an
idp
of
this
name
of
type
ldap,
and
I
could
also
post
some
custom,
http
headers.
To
say
this
is
my
username.
D
This
is
my
password
that
authorized
endpoint
would
then
be
able
to
verify
all
those
inputs
make
sure
that
that
username
and
password
match
the
ldap
system,
and
then
it
can
complete
your
login
by
just
immediately
redirecting
with
the
auth
code
to
your
requested.
Redirect
uri
cli
can
get
that
re
that
302
response.
That
is
the
immediate
response
to
its
first
request,
and
then
it
can
just
do
what
it
normally
does
to
complete
the
odc
auth
code
flow.
Get
all
your
tokens
get
you
logged
in
the
rest
of
that
sort
of
change.
B
Was
there
because
there's
one
more
topic
after
this,
so
this
means
that
even
even
this
local
password-based
flow
still
requires
opening
of
the
the
listening
port.
For
now,.
D
But
but
actually
we
can
it's
an
implementation
choice,
yeah.
We
can
either
client
report
and
let
the
code
do
what
it
does
today
or
the
client
could
not
open
the
port,
get
the
callback
response,
the
302
response,
look
at
the
location,
url
parse,
the
auth
code
out
of
the
location,
url
and
just
use
it
immediately
without
ever
opening
the
listening
port.
That's
obviously,
when
you
think
about
the
code
that
would
branch
the
code
so
that
the
ldap
code
shares
less
code
with
the
oidc
in
the
cli.
B
D
B
D
Yeah,
so
we
wanted
to
make
sure
that
in
the
future,
it
should
be
possible
to
also
perform
this
style
of
ldap
login
from
other
clients
other
than
our
first
party
cli
based
flow.
D
This
would,
for
example,
this
would
be
like
third-party
dashboard
web
uis
that
are
running
in
your
kubernetes
cluster
log
into
these
dashboard
web
uis,
using
their
own
identity
with
their
own
rpec
permissions
and
then
perform
whatever
actions
they
want
in
their
cluster
through
web
ui.
That
web
ui
would
presumably
become
an
oauth
client
to
pinniped
and
would
want
to
do
the
traditional
web-based
oauth
author
or
the
auth
code
flow.
D
In
fact,
if
a
third-party
client,
if
they're
when
I
say
client,
immediate
oauth
client,
if
an
oauth
client
other
than
the
pinpoint
cli
client
tries
to
send
those
custom
headers,
we
should
probably
error
because
we
don't
want
to
encourage
third-party
clients
to
ever
handle
a
user's
password
themselves.
D
So
that
would
be
first
of
all,
a
browser
wouldn't
send
custom
headers
in
the
first
place,
so
it's
very
unlikely
that
they
would
do
that.
But
just
in
case
somebody
tried
to
write
a
client
to
do
that.
We,
the
putting
the
idp
name
and
idp
type
as
query
parameters,
means
that
a
third
party
client
could
specify
them
if
it
wants
to.
So
it
could
be.
D
That
and
then
we
could
redirect
to
a
custom
login
page
posted
by
the
supervisor,
so
the
supervisor
has
a
web
form
that
way,
only
the
supervisor
is
handling
your
password
and
the
third
party
app
is
not
so
the
third
you
submit
your
using
your
password
through
the
web
form
for
the
supervisor,
and
then
it
can
complete
the
lidc
flow.
It's
kind
of
standard
way
to
hand
the
tokens
back
to
the
client
and
sketch
down
here
all
the
technical
detail
of
what
that
might
look
like.
B
B
My
question
is
so
this
I
like,
I
like
the
design
like
says.
After
after
doing
this
spike
on
design
and
a
little
bit
of
the
prototyping,
did
it
make
your
estimate
of
the
level
of
effort
here
for
ldap
go
up
or
down.
D
D
That
was,
I
put
a
little
bit
more
burden
on
the
client
to
make
a
couple
of
extra
redirects
and
follow
those
redirects
that
earlier
version
meant
that
there
was
only
going
to
be
a
single
way
to
log
into
ldap
whether
it
was
web-based
or
cli,
based
and
based
on
whether
you
asked
for
a
json
flow
or
html
flow.
It
would
act
differently,
but
still
the
same
underlying
code
would
implement
both
the
webflow
and
the
client
flow.
D
D
So
I
think
this
proposal
that
we
just
went
over
together
simplifies
the
work
that
we're
gonna
do
now
simplifies
the
client
side
a
little
bit
a
couple
of
less
redirects
to
follow,
which
is
what
we're
going
to
do
now.
So
that's
simpler,
so
it
feels
like
it
shouldn't
be.
Very
hard-
and
it
defers
the
slightly
harder
version
for
later,
which
is
probably
a
good
thing.
F
I
feel
like
the
most
difficult
part
and
ryan-
and
I
were
talking
about
this
yesterday-
I
feel,
like
the
most
difficult
part,
is
just
to
be
fighting
with
ldap
dependencies
so
like
getting
an
active
directory
up
to
test
with
and
trying
to
hook
into
that
and,
like
those
complexities,
still
exist
in
this
design.
So.
B
B
D
D
That
makes
that's
actually
really
easy
to
implement
and
I
honestly
haven't
done
that
in
kubernetes,
but
I
think
it
should
be
easy
to
containerize
open
ldap,
because
it's
just
a
unix
statement.
There
probably
is
already
a
containerized
version
out
there
somewhere
that
we
can.
B
B
F
I
was
pretty
pleased
with
the
breakdown
that
y'all
did.
I
think
that
kind
of
still
makes
sense
just
kind
of
incrementally
adding
to
the
api,
which
is
the
ldap
identity
provider,
and
then
hopefully
the
integration
tests
will
just
mostly
stay
the
same.
I
do
agree
matt,
I
feel
like
I
envisioned
in
the
first
story
that
really
big
story.
F
You
have
like
10
tasks
that
fall
out
and
one
of
them
is
is
maybe
setting
up
some
test
infrastructure
and
the
other
tasks
are
like
writing
the
controller
and
writing
the
off
hand
and
point
and
writing
the
cli
necessary.
So
I
feel
like
y'all's
breakdown
is
still
good.
I
don't
know
if
ryan
you
have
other
opinions.
D
Yeah,
I
think
so
that
that
first
story
is
a
bit
of
a
beast,
because
it's
the
get
the
basic
version
of
everything
working
all
at
the
same
time,
but
as
we
discussed
before,
we
couldn't
think
of
a
better
way
to
break
it
down
and
have
that
first
story
still
deliver
user
value.
B
Yeah,
I
think
we-
and
maybe
this
is
a
little
bit
of
a
reaction
to
how
we
built
the
ldap,
the
impersonation
proxy,
where
we
did
break
it
down
more
and
then
it
turned
out.
We
just
kind
of
like
kind
of
keep
iterating
on
all
of
the
stories
at
once,
until
kind
of
they
were
all
acceptable.
At
the
same.
D
D
But
it
didn't
actually
help
us,
we
might
be
able
to
learn
from
that
and
we
could
make
the
first
story
of
feature
branch.
A
pr
branch
finish
the
first
story
and
then
merge
it
because
it
will
be
a
very
incomplete
implementation,
but
the
way
we
wrote
the
first
story.
I
think
it
will
be
a
a
secure
usable
implementation.
F
One
other
thing
I
was
going
to
add:
I
this
is
a
no-op.
I
think
for
us
on
the
call
right
now,
but
mo
is
out
right
now
and
he
gave
feedback
about
the
api
endpoint
that
is
used
for
discovery,
and
so
maybe
there
will
be
more
discussion
on
that,
but
I
wanted
to
give
him
space
to
like
give
his
feedback
once
he
gets.
Her
get
back,
gets
back
from
his
time
off.
B
Yeah,
I
think
that's
fine.
We
well
at
some
point
it's
just
too
late
and
we'll
just
build
the
thing
and
ship
it
that's
okay,
too,
but
that
I
did.
I
didn't
think
like
that.
That
is
a
that
is
another
new.
The
discovery
document
is
another
new
api,
like,
I
think,
a
relatively
low
stakes
api,
because
when
we
own
both
sides
of
the
connection-
and
we
can
tweak
it
in
the
future,
it
might
be
nice,
though,
to
put
a
version
in
there.
B
So
maybe
we
could
have
a
subfield
of
the
discovery
document
that
then
contains
something
that
looks
like
a
kubernetes
type
that
has
a
kind
and
an
api
group
and
version
that
way.
If
we
needed
to
change
it,
we
could
change
it
using
kubernetes
style,
api,
schema,
migration
and
advertise.
You
know
basically.
D
D
It's
a
standard.
We
can't
change
it
it
does
that
standard
does
not
allow
for
versioning
the
path
we
could.
If
we
wanted
to
add
query
parameters,
so
you
could
say,
like
question,
mark
v
equals
two.
If
you
wanted
to
get
version
two
of
the
custom
fields
of
our
discovery,
dock
or
we
could
build
it
in
into
the
json
response
into
the
custom
part
of
the
json
response,
like
you
were
suggesting
that
I
suppose.
D
Also
use
like
content
type
negotiation,
technically
yeah
yeah.
Absolutely.
I
think
what
andrew
suggested
yesterday
was.
D
Maybe
we
don't
need
to
worry
about
that
now,
because
by
not
mentioning
a
version
in
any
of
those
places,
any
of
those
possible
places.
It's
implicitly
saying
this
is
version
one,
and
then
you
still
have
room
to
add
on
a
query,
parameter
or
version
in
the
json
or
anything
you
want
later.
If,
if
you
ever
need
a
version
too,
as
long
as
the
json,
the
future
changes
that
you
want
to
make
to
the
json
are
backwards
compatible.
D
F
A
Before
we
part
ways
I
did
want
to
welcome
scott
to
the
community
meeting.
I
know
he
showed
up
just
a
little
bit
past
some
of
the
stuff
we
already
covered,
but
I
would
love
to
hear
more
about
about
you,
scott,
if
you
want
to
share
with
the
group
where
you're
based
so
what
you're
using
pinniped
for
and
anything
else,
you
want
to
share.
E
Definitely
so
hi
everyone,
I'm
scott
rosenberg
based
in
israel.
E
I
work
for
terra
sky,
which
is
a
professional
service
organization,
dealing
with
a
global
partner
of
vmware's
and
dealing
a
lot
with
also
public
cloud
and
very
strong
in
the
devops
and
kubernetes
world,
and
I'm
leading
the
cloud
techno,
I'm
the
practice
leader
for
cloud
technologies
and
automation
and
leading
the
whole
tanzu
portfolio
for
all
of
our
customers.
So
dealing
a
lot
with
pinniped
these
days,
looking
into
it,
was
using
decks
and
gangway
have
a
lot
of
tkg
projects
by
customers
so
very
happy.
E
Now
that
piniped
is
integrated
there
and
been
testing
it
rigorously
and
definitely
seeing
the
use
cases
for
a
lot
of
our
customers
with
the
impersonation
proxy,
especially
with
their
gkn
eks
customers,
us
that
we
have
as
well
so
just
wanted
to
join
here
and
yeah
and
meet
the
guys
here
and
happy
to
join
in
future
community
meetings
as
well
and
learn
about
this
project
and
hopefully
contribute
in
the
future.
E
G
D
D
F
F
B
Yeah,
my
name
is
matt.
I've
also
been
working
on
the
project
since
around
june
yeah
I
mean
my
previous
kubernetes
identity
contribution.
Was
the
aws
im
authenticator
its
authentication
flow
on
eks?
B
I
came
in
from
peptio
anyway.
Super
excited.
E
Yeah
great
to
meet
you
guys
and
definitely
have
used
your
work
in
eks
before
so.
It's
always
nice.
Hopefully.
B
E
Exactly
pinniped
so
far
has
been
one
of
the
easiest.
So
definitely
looking
forward
to
the
ldap
integrations
as
well
and
to
see
what
happens
with
the
product.
G
Hey
scott,
I'm
anjali
telang
I
just
joined.
This
is
my
first
meeting
as
well,
and
I
am
a
security
pm
working
with
pablo
who,
who
is
a
member
of
the
project
so
x,
red
hatter.
You
know
been
with
openstack
openshift
working
on
security
for
a
while.
Now.
E
Great
well
great,
to
meet
you
all
and
look
forward
to
meeting
with
you
guys
in
the
future
as
well.
A
Great
thank
you
for
sharing
and
thanks
everyone
for
introducing
yourself
and
for
the
lovely
discussion
topics.
Scott
was
there
anything
in
particular
that
you
wanted
to
talk
to
the
team
about
today
or
you
just
wanted
to
kind
of
join
and
listen
in
for
the
first
one.
E
Just
lying
and
just
join
and
listen
in
today,
I've
actually
watched
all
of
the
community
meetings
that
have
happened
till
now
on
youtube
as
well.
I
just
haven't
been
able
to
join
and
hopefully
should
be
able
to
join
in
the
future.
A
A
Okay,
so
does
anyone
else
have
anything
they
wanted
to
discuss
before
we
say.
A
All
right,
so
the
next
meeting
will
be
april
15th.
We
do
meet
every
first
and
third
thursday
of
the
month
at
11
a.m:
pacific
time,
2,
p.m.
Eastern
time.
A
Oh,
my
god,
11
a.m.
Central
time,
all
right
with
that,
we
hope
to
see
you
at
the
next
meeting
and
thanks
for
joining
bye.