►
From YouTube: Pinniped Community Meeting - April 1, 2021
Description
Pinniped Community Meeting - April 1, 2021
We meet every 1st and 3rd Thursday of the month at 9am PT / 12pm ET.
This week's topics included the release of v0.7.0 and the next project roadmap items for April 2021. Full details here: https://hackmd.io/rd_kVJhjQfOvfAWzK8A3tQ
A
These
are
being
recorded
and
will
be
added
to
our
youtube.
Playlist
later
today,
we
do
have
some
pretty
exciting
announcements.
Today
we
are
cutting
a
release
0.7,
and
that
leads
us
to
the
update,
in
particular
for
impersonation
proxy,
since
the
release
covers
that-
and
I
will
kick
it
on
over
to
whoever
wants
to
lead
the
discussion
on
that
and
what
to
expect
with
this
release.
B
I
can
give
an
update,
so
this
has
been
something
that
we've
been
working
on
since
february.
The
last
release
was
february
11th.
I
think
so.
We
it's
a
solid
chunk
of
work.
Essentially,
what
we've
done
is
add
support
for
the
vast
majority
of
real
world
kubernetes
deployments
with
the
concierge.
So
before
this
release,
the
pinniped
concierge
worked
on
a
set
of
kubernetes
clusters,
basically
where
they
were
sort
of
self-hosted,
where
the
control
plane
runs
in
the
cluster.
B
That
includes
a
lot
of
clusters,
but
it
doesn't
include
any
of
the
managed
cloud
provider
services
and
so
in
o70,
we've
added
a
whole
second
backend
strategy
to
the
concierge
supports
those
environments.
So
now
we
cover
really
a
huge
huge
majority
of
clusters
that
people
care
about,
and
this
should
all
be
mostly
seamless,
like
the
installation
process
is
the
same.
B
It's
still
one
command
one
command
to
install
penfed
on
any
cluster,
one
command
to
get
a
coupe
config
and
that's
it,
and
so
we
made
sure
that
the
user
experience
continues
to
be
very
low,
touch
very
automatic
in
every
case
yeah.
So
hopefully
I
mean
in
some
ways.
This
is
a
very
small
change
to
like
the
user
experience,
but
we've
we've
brought
in
support
from
some
clusters
to
almost
every
cluster,
so
this
will
be
going
out
today,
along
with
a
blog
post.
A
A
C
D
D
D
D
This
is,
I
think,
bat
and
pablo
you've
never
seen
this,
so
this
is
going
to
be
a
real
live
discussion,
so
your
feedback
is,
of
course,
welcome.
Everyone's
feedback
is
welcome,
andrew
and
I
thought
one
possible
way
to
do
this.
That
might
be.
Nice
would
be
to
lean
on
the
oidc
issuer
to
use
the
all
ready,
publish,
discovery,
endpoint
and
add
some
custom
information
into
that.
D
So
issuers
and
the
supervisor
correspond
to
the
kubernetes
api
object
that
we
call
federation
domain.
Each
federation
domain
becomes
an
oidc
issuer
and
each
issuer
then
has
the
oidc
well-known
discovery
endpoint,
and
so
what
we're
proposing
is
that
each
issuer,
aka
federation
domain,
advertises
publicly
what
upstream
identity
providers
it
wants
to
advertise
publicly.
So
it
could
be,
for
example,
that
it
advertises
all
of
them
all
of
the
currently
configured
upstream
identity
providers
or
maybe
down
the
road.
We
have
some
features
where
an
administrator
can
say.
D
I
want
to
advertise
these
ones
publicly,
but
not
these
other
upstream
identity
providers
and
in
the
public
advertisement
it.
It
obviously
is
not
going
to
share
any
private
information.
So
it's
just
an
identifier,
a
type
to
tell
you
if
it's
oidc
or
ldap
and
if
it
is
ldap,
it's
very
common
to
allow
administrators
to
customize.
B
Question
about
that,
so
I
wonder
if
so
I
think
I
like
the
idea
of
advertising
the
idps
here.
I
wonder
if,
instead
of
actually
sort
of
keying
off
ldap
versus
oadc,
if
we
should
just
key
off
of
password-based
grant
flows
or
web
browser-based
grant
flows,
so
I'm
thinking
ahead
like
if
we
added
saml
support
as
a
browser-based
flow.
B
D
Yeah,
to
a
certain
extent,
our
login
cli
command
doesn't
really
care
right.
It
just
needs
to
know
if
it's
web-based
or
not
web-based,
I
think
maybe,
when
we
get
into
the
get
coop
config
command,
that's
where
it
might
be
helpful
to
know
the
specific
idp
type,
let's
maybe
jump
into
that
next
and
yeah.
Of
course,
we
could.
We
could
change
that
or
we
could
add
an
additional
field
to
say
if
it's
web
or
password-based,
so
piniped
get
coup
config.
So
a
reminder
for
people
who
might
be
watching
the
video.
D
This
is
the
command
that
you
use
after
you
install
you
use
it
as
the
administrator,
and
it
gives
you
back
a
cube
config
that
you
can
then
hand
out
to
your
users,
so
you
get
one
coupe
config,
there's
no
identity,
encoded
in
it.
It
has
no
passwords
encoded
in
it.
It's
safe
to
give
it
to
all
of
your
users.
You
know
all
of
your
users
can
use
it
to
log
in
so
today.
D
The
way
that
that
works
is
it
typically,
you
would
use
it
against
a
workload
cluster
that
workload
cluster
has
the
concierge
software
installed
on
it,
and
the
key
thing
is
that
piniped
get
coop.
Config
doesn't
even
know
that
there
is
a
supervisor
cluster
or
a
put
a
pen
supervisor
app
running
elsewhere
in
the
world.
It's
unaware
of
it
blissfully
agreement.
D
It
can
know
that
there
is
an
issuer
which
would
be
specified
in
there
and
it
can
do
discovery
against
that
issuer
without
knowing
whether
it's
a
supervisor
or
just
some
generic
idc
provider,
which
means
it
can
look
for
this
custom
fields.
In
that
response,
and
based
on
that
custom
field,
it
can
choose
to
act
differently.
D
D
So
you
can
say
my
upstream
idp
is
this
name
and
or
my
upstream
idp
is
this
type,
so
you
can
say.
Basically
I
want
a
coupe
config
and
I
want
it
for
my
ldap
idp
or
I
want
to
keep
config
and
I
want
it
for
my
idp
called
corporate
idp
and
it
would
give
you
back
that
good
config
through
a
kind
of
best
effort
discovery
and
comparing
what
you
asked
for
versus
what's
available
and
if
you
ask
for
nothing,
the
idea
is.
D
B
When
we're,
when
we're
running
this
gatekoop
config
command,
we
sort
of
assume
that
we
have
access
to
the
workload
cluster
where
the
concierge
is
running,
we
don't
necessarily
have
any
access
to
where
the
supervisor
is
running
so,
like
the
discovery,
docket
seems
like
a
really
natural
place
to
put
that,
and
it
it's
a
existing
api.
That's
meant
to
be
extensible
for
this
kind
of
thing.
C
D
Yeah,
that's
that's
a
great
point
pueblo,
so
usually
the
pinniped.
Yet
config
would
be
done
by
the
administrator
who
created
the
cluster,
and
so
hopefully
they
because
they
created
the
cluster.
They
would
have
configured
the
multiple
idps
or
maybe
they
would
be
closely
related
to
the
team
that
runs
the
supervisor
and
configured
the
multiple
idps.
D
B
D
Yeah,
we
should
think
about
that.
I
don't
think
we
wrote
that
down.
Maybe
you
can
add
a
comment
to
the
doc
here,
while
we're
talking
about
it
think
about
how
that
would
work,
because
that
would
be
nice
as
a
feature,
I
think
potentially,
but
thanks
pablo
for
mentioning
multiple
idps
today,
pinniped
doesn't
support
having
multiple
idps
configured
in
your
supervisor
at
the
same
time,
but
it's
something
that
we've
been
planning
to
do
and
we've
always
kind
of
danced
around
it.
D
So.
If
you
specify
both
flags,
then
the
cli,
the
cli,
is
going
to
do
discovery
anyway,
because
it's
an
oidc
login.
So
it's
always
going
to
do
discovery
anyway.
So
since
it's
going
to
do
it
anyway,
it
might
as
well
take
the
idp
name
and
the
idp
type
that
you
asked
for
and
make
sure
that
they
appear
in
the
discovery
document
and
to
matt's
point
earlier.
Maybe
it's
okay!
If
they
don't
appear
so
we
have
to
think
about
that
and
then,
when
the
those
new
flags
are
not
specified.
D
D
Starting
that
whole
idc
flow,
it
can
hit
the
authorized
endpoint,
which
is
the
first
endpoint
in
the
normal
oidc
flow,
and
it
can
post
some
custom
query
parameters
to
say.
I
would
like
to
log
in
to
an
idp
of
this
name
of
type
ldap,
and
I
could
also
post
some
custom,
http
headers.
To
say
this
is
my
username.
D
This
is
my
password
that
authorized
endpoint
would
then
be
able
to
verify
all
those
inputs
make
sure
that
that
username
and
password
match
the
ldap
system,
and
then
it
can
complete
your
login
by
just
immediately
redirecting
with
the
auth
code
to
your
requested.
Redirect
uri
cli
can
get
that
re
that
302
response.
That
is
the
immediate
response
to
its
first
request,
and
then
it
can
just
do
what
it
normally
does
to
complete
the
odc
auth
code
flow.
Get
all
your
tokens
get
you
logged
in
the
rest
of
that
sort
of
change.
B
D
But
but
actually
we
can
it's
an
implementation
choice,
yeah.
We
can
either
client
report
and
let
the
code
do
what
it
does
today
or
the
client
could
not
open
the
port,
get
the
callback
response,
the
302
response,
look
at
the
location,
url
parse,
the
auth
code
out
of
the
location,
url
and
just
use
it
immediately
without
ever
opening
the
listening
port.
That's
obviously,
when
you
think
about
the
code
that
would
branch
the
code
so
that
the
ldap
code
shares
less
code
with
the
oidc
in
the
cli.
B
D
B
D
This
would,
for
example,
this
would
be
like
third-party
dashboard
web
uis
that
are
running
in
your
kubernetes
cluster
log
into
these
dashboard
web
uis,
using
their
own
identity
with
their
own
rpec
permissions
and
then
perform
whatever
actions
they
want
in
their
cluster
through
web
ui.
That
web
ui
would
presumably
become
an
oauth
client
to
pinniped
and
would
want
to
do
the
traditional
web-based
oauth
author
or
the
auth
code
flow.
D
So
that
would
be
first
of
all,
a
browser
wouldn't
send
custom
headers
in
the
first
place,
so
it's
very
unlikely
that
they
would
do
that.
But
just
in
case
somebody
tried
to
write
a
client
to
do
that.
We,
the
putting
the
idp
name
and
idp
type
as
query
parameters,
means
that
a
third
party
client
could
specify
them
if
it
wants
to.
So
it
could
be.
D
That
and
then
we
could
redirect
to
a
custom
login
page
posted
by
the
supervisor,
so
the
supervisor
has
a
web
form
that
way,
only
the
supervisor
is
handling
your
password
and
the
third
party
app
is
not
so
the
third
you
submit
your
using
your
password
through
the
web
form
for
the
supervisor,
and
then
it
can
complete
the
lidc
flow.
It's
kind
of
standard
way
to
hand
the
tokens
back
to
the
client
and
sketch
down
here
all
the
technical
detail
of
what
that
might
look
like.
B
B
D
That
was,
I
put
a
little
bit
more
burden
on
the
client
to
make
a
couple
of
extra
redirects
and
follow
those
redirects
that
earlier
version
meant
that
there
was
only
going
to
be
a
single
way
to
log
into
ldap
whether
it
was
web-based
or
cli,
based
and
based
on
whether
you
asked
for
a
json
flow
or
html
flow.
It
would
act
differently,
but
still
the
same
underlying
code
would
implement
both
the
webflow
and
the
client
flow.
D
So
I
think
this
proposal
that
we
just
went
over
together
simplifies
the
work
that
we're
gonna
do
now
simplifies
the
client
side
a
little
bit
a
couple
of
less
redirects
to
follow,
which
is
what
we're
going
to
do
now.
So
that's
simpler,
so
it
feels
like
it
shouldn't
be.
Very
hard-
and
it
defers
the
slightly
harder
version
for
later,
which
is
probably
a
good
thing.
F
I
feel
like
the
most
difficult
part
and
ryan-
and
I
were
talking
about
this
yesterday-
I
feel,
like
the
most
difficult
part,
is
just
to
be
fighting
with
ldap
dependencies
so
like
getting
an
active
directory
up
to
test
with
and
trying
to
hook
into
that
and,
like
those
complexities,
still
exist
in
this
design.
So.
B
B
D
D
B
B
F
I
was
pretty
pleased
with
the
breakdown
that
y'all
did.
I
think
that
kind
of
still
makes
sense
just
kind
of
incrementally
adding
to
the
api,
which
is
the
ldap
identity
provider,
and
then
hopefully
the
integration
tests
will
just
mostly
stay
the
same.
I
do
agree
matt,
I
feel
like
I
envisioned
in
the
first
story
that
really
big
story.
F
You
have
like
10
tasks
that
fall
out
and
one
of
them
is
is
maybe
setting
up
some
test
infrastructure
and
the
other
tasks
are
like
writing
the
controller
and
writing
the
off
hand
and
point
and
writing
the
cli
necessary.
So
I
feel
like
y'all's
breakdown
is
still
good.
I
don't
know
if
ryan
you
have
other
opinions.
B
D
D
But
it
didn't
actually
help
us,
we
might
be
able
to
learn
from
that
and
we
could
make
the
first
story
of
feature
branch.
A
pr
branch
finish
the
first
story
and
then
merge
it
because
it
will
be
a
very
incomplete
implementation,
but
the
way
we
wrote
the
first
story.
I
think
it
will
be
a
a
secure
usable
implementation.
F
One
other
thing
I
was
going
to
add:
I
this
is
a
no-op.
I
think
for
us
on
the
call
right
now,
but
mo
is
out
right
now
and
he
gave
feedback
about
the
api
endpoint
that
is
used
for
discovery,
and
so
maybe
there
will
be
more
discussion
on
that,
but
I
wanted
to
give
him
space
to
like
give
his
feedback
once
he
gets.
Her
get
back,
gets
back
from
his
time
off.
B
Yeah,
I
think
that's
fine.
We
well
at
some
point
it's
just
too
late
and
we'll
just
build
the
thing
and
ship
it
that's
okay,
too,
but
that
I
did.
I
didn't
think
like
that.
That
is
a
that
is
another
new.
The
discovery
document
is
another
new
api,
like,
I
think,
a
relatively
low
stakes
api,
because
when
we
own
both
sides
of
the
connection-
and
we
can
tweak
it
in
the
future,
it
might
be
nice,
though,
to
put
a
version
in
there.
B
So
maybe
we
could
have
a
subfield
of
the
discovery
document
that
then
contains
something
that
looks
like
a
kubernetes
type
that
has
a
kind
and
an
api
group
and
version
that
way.
If
we
needed
to
change
it,
we
could
change
it
using
kubernetes
style,
api,
schema,
migration
and
advertise.
You
know
basically.
D
D
It's
a
standard.
We
can't
change
it
it
does
that
standard
does
not
allow
for
versioning
the
path
we
could.
If
we
wanted
to
add
query
parameters,
so
you
could
say,
like
question,
mark
v
equals
two.
If
you
wanted
to
get
version
two
of
the
custom
fields
of
our
discovery,
dock
or
we
could
build
it
in
into
the
json
response
into
the
custom
part
of
the
json
response,
like
you
were
suggesting
that
I
suppose.
D
D
Maybe
we
don't
need
to
worry
about
that
now,
because
by
not
mentioning
a
version
in
any
of
those
places,
any
of
those
possible
places.
It's
implicitly
saying
this
is
version
one,
and
then
you
still
have
room
to
add
on
a
query,
parameter
or
version
in
the
json
or
anything
you
want
later.
If,
if
you
ever
need
a
version
too,
as
long
as
the
json,
the
future
changes
that
you
want
to
make
to
the
json
are
backwards
compatible.
D
F
A
Before
we
part
ways
I
did
want
to
welcome
scott
to
the
community
meeting.
I
know
he
showed
up
just
a
little
bit
past
some
of
the
stuff
we
already
covered,
but
I
would
love
to
hear
more
about
about
you,
scott,
if
you
want
to
share
with
the
group
where
you're
based
so
what
you're
using
pinniped
for
and
anything
else,
you
want
to
share.
E
I
work
for
terra
sky,
which
is
a
professional
service
organization,
dealing
with
a
global
partner
of
vmware's
and
dealing
a
lot
with
also
public
cloud
and
very
strong
in
the
devops
and
kubernetes
world,
and
I'm
leading
the
cloud
techno,
I'm
the
practice
leader
for
cloud
technologies
and
automation
and
leading
the
whole
tanzu
portfolio
for
all
of
our
customers.
So
dealing
a
lot
with
pinniped
these
days,
looking
into
it,
was
using
decks
and
gangway
have
a
lot
of
tkg
projects
by
customers
so
very
happy.