►
From YouTube: Pinniped Community Meeting - June 17, 2021
Description
Pinniped Community Meeting - June 17, 2021
We meet every 1st and 3rd Thursday at 9am PT. We'd love for you to join us live!
This week the team discussed the design doc for remote OIDC login support, AD support, and design for non-interactive LDAP logins. Full notes and details here: https://hackmd.io/rd_kVJhjQfOvfAWzK8A3tQ?view#June-17-2021
A
A
You
can
find
these
recordings
of
these
meetings
on
our
youtube.
Playlist,
we
record
everyone,
and
so,
if
you
aren't
able
to
attend
these
in
person,
you
could
catch
up
on
youtube,
but
we
would
love
for
you
to
join
us
at
our.
Our
community
meetings
are
offered
every
first
and
third
thursday
of
the
month
at
9
a.m.
A
B
B
If
there's
things
that
we
don't
understand,
so
the
way
that
the
impersonation
proxy
works
is
it
authenticates,
the
user
it
connects
to
it,
and
then
it
passes
the
request
upstream
to
the
kubernetes
api
and
it
sets
some
headers
and
so
that
any
kind
of
bug
again
we
don't
know
about
these
kind
of
bugs,
but
any
kind
of
bug
that
you
know
would
cause
those
headers
to
be
missing
from
their
requests.
You
know,
basically,
we
want
to
mitigate
the
scenarios.
So
a
couple
things
we
did.
B
B
We
also
now,
when
we
do
the
upstream
impersonation,
we
do
it
as
a
privilege,
a
service
account
that
doesn't
have
any
other
privileges,
so
it
can
only
it
can
only
do
impersonation
can't
directly
do
anything
else
on
the
cluster
and
then
we
also
added
code
to
detect
when
the
underlying
cluster
has
anonymous,
auth
disabled,
so
the
common
one.
That's
that
we
found
is
aks,
but
any
cluster
that
has
a
kubernetes
api
flag
turned
to
disable
anonymous
auth.
B
We
also
now
reflect
that
behavior
at
the
proxy,
so
we
refuse
any
request.
That's
not
authenticated,
so
those
are
hardening
stuff.
Think
some
mo
for
helping
put
all
this
together.
We
we
had
a
we
have.
We
have
some
more
items
that
we
we
may
tackle
later,
but
these
were
sort
of
the
highest
highest
value.
Quickest
wins.
We
could
find.
A
B
B
Okay,
the
the
basic
the
basic
trick
is
we're
going
to
use
this
standard
standard
part
of
oidc
called
response
mode,
and
so
this
is
a
parameter
that
the
client
sets
when
it's
starting
an
authorization
request,
and
normally
you
would
specify,
like
response
type
equals
code,
which
means
at
the
end
of
the
flow.
I
want
to
get
an
authorization
code
back.
B
B
This
is
the
only
thing
that
we're
kind
of
doing
that's
a
little
extra
beyond
the
spec
is
to
take
that
html
form
that's
rendered
at
the
end
and
have
it
have.
It
have
two
two
cases,
one
case
where
the
form
post
succeeds
automatically,
which
gets
you
basically
the
current
behavior
in
in
most
cases.
So
if
you're
running
the
cli
on
the
same
machine
as
your
web
browser
it'll,
just
post,
the
results
and
you'll
see
the
success
message
and
you're
done
logging
in.
B
But
if
that
post
fails,
you
can
fall
back
to
showing
a
screen
that
contains
the
auth
code
to
copy
paste,
and
then
the
cli
can
wait
for
that
code
to
be
copy
pasted
and
you
can
sort
of
finish
the
login
out
of
band
anyway.
This
is
what
I'm
working
on.
If
anybody
has
comments,
it's
not
too
late
to
change,
of
course,
but
I
think
this
is
still
looking
good.
So
far,.
A
D
The
intention
here
is
to
create
specific,
active
directory
support
by
validating
that
it
works
against
active
directory
kind
of
having
an
active
directory
test
environment
set
up
and
creating
a
different
identity
provider
object
with
defaults
and
configuration.
That
makes
sense
specifically
for
active
directory.
D
B
I
don't
think
so.
We
decided
to
bring
this
into
the
backlog.
I'm
gonna
work
on
it,
for
I
think
the
next
release
and
yeah
we'll
have
you
know
this
would
be
a
small
change.
I
think
we'll
probably
support
this
in
parallel
with
also
offering
plain
ammo
to
download.
If
that's
what
you
still
want,
so
you
could
still
use
kubectl
to
install
as
we've
as
we've
made
the
project
more
complex,
it's
getting
harder
and
harder
to
install
it
with
like
a
single
coupe
ctl
command.
B
So
we
have
a
bug,
that's
open
right
now
as
well.
That's
has
to
do
with
the
fact
that
we
have
a
single
yaml,
manifest
where
we
define
a
crd,
so
we
define
the
credential
issuer
crd
and
then,
at
the
end
of
that
yaml
we
have
an
instance
of
that
crd
custom
resource.
That's
the
initial
credential
issuer
and
cap
handles
that
just
fine,
I
believe,
helm
handles
that
just
fine
coup
ctl
doesn't,
and
so
you
can
make
it
work,
but
you
sort
of
have
to
hack
around.
B
You
have
to
run
the
command
twice
or
you
have
to
split
the
yaml
up
anyway.
It's
kind
of
annoying
what
it
points
to
is
like
it
would
be
nice
if
you
had
a
nice
suite
of
tools
for
managing
all
these
configurations,
like
the
carvel
suite,
so
we'll
probably
start
to
switch
to
referencing
the
carvel
tools
as
our
default
installation
method
on
the
website,
but
probably
still
offer
the
ammo
with
some
caveats.
As
a
fallback.
C
B
B
And
it's
you
know
useful
to
people
who
are
invested
in
the
rest
of
the
carvel
suite.
So
you
could.
You
could
install
pendant
head
with
cap
controller,
for
example,
really
easily
things
like
that,
and
even
though,
even
though
your
package
might
be
different
from
our
package
upstream,
if
we're
building
them
with
the
same
tools,
it
should
be,
we
should
be
able
to
catch
things
right
away.
If
there's,
if
there's
any
issues.
B
B
Yeah
sorry,
I
always
end
up
talking
too
much.
We've
had
this
issue
open
for
a
little
while
and
it
has
a
proposal
for
kind
of
the.
What
the
future
should
look
like
here
in
the
in
the
issue-
and
we
talked
about
this
last
week
as
a
team
and
we
weren't
confident
that
this
is
exactly
what
we
wanted
to
build.
So
I
thought
we
could
take
a
few
minutes
to
discuss
what
we
want
to
build.
B
So
the
goal,
the
goal.
Actual
goal
of
this
feature,
stepping
back
a
little
bit
from
what's
in
the
dock
right
now,
is
that
if
I
have
a
active
ldap
based
identity
provider
and
I've
got
it
peniped
all
configured
against
it,
and
then
I
have
a
client.
That's
like
a
ci
cd
job
like
a
jenkins
job,
for
example,
that
wants
to
run
a
coupe
ctl
command
to
do
a
deploy.
This
would
be
a
pretty
common
scenario.
B
We
want
to
have
a
way
to
give
that
job.
An
ldap
service
account
it's
like
username
and
password
in
the
ldap,
and
let
that
be
wired
into
the
pinup
head
command,
with
no
interaction,
no
user
interaction.
So
right
now
what
would
happen
is
you
your
job
would
try
to
run
the
coop
cdl
command.
It
would
exec
our
cli
and
then
we
would
show
username
password,
prompt
and
jenkins
can't
type
a
username
and
password
prompt.
So
you
would
just
block
and
it
wouldn't
work.
B
I
think
some
other
alternatives,
maybe
just
to
open
up
the
discussion
and
then
I'm
gonna
mute
is.
We
could
just
pick
specific
variables,
so
we
could
say
like
pinpoint
username
pendiped,
password
or
pen,
pet
ldap,
username
penpadl.password,
or
we
could
not
use
environment
variables
at
all
and
specify
a
file
with
credentials
which
is
a
little
less
convenient,
but
maybe
has
some
security
benefits,
because
environment
variables
are
well
passing
environment
variables
through
command
lines,
and
then
shells
can
be
can
be
tricky
in
some
cases
anyway.
E
The
end
user
is
going
to
want
probably
automate
this
if
they
can
right
or
or
something
right
like
you
can
imagine
some
float
where
they're
like
yeah.
I
just
don't
feel
like
typing
my
username
and
password.
I'm
like
this
is
my
little
box.
I
just
want
to
work,
so
it
would
be
weird
for
the
I.t
admin
to
pick
the
environment
variables
for
them,
but
they
could,
I
suppose,
that's
I
guess
a
valid,
very
valid
thing
to
do.
E
But
let's
say
the
ik
admin
didn't
do
that
and
so
now
their
cube
config
is
set
up
to
prompt
them
right.
I
don't
really
expect
users
to
like
know
how
to
change
these
flags,
because,
like
the
the
the
pin
pet
cli
is
effectively
opaque
to
them,
they
should
hopefully
not
even
know
it
exists
other
than
the
fact
that
at
some
point
they
were
told
to
install
it
or,
in
the
really
nice
case,
the
it
admin
just
pushed
it
to
their
box,
using
the
agents
that
are
probably
installed
on
their
laptop
right.
E
E
B
Once
you
have
your
initial
good
config,
even
if
it's
a
piniped,
coupe
config,
I
forget
what
default
our
back
we
set
up,
but
I
think
most
users
do
have
permission
to
run,
get
coop
config
again.
So
you
could,
you
could
say,
like.
Oh,
I
gave
you
a
user
coupe
config,
but
if
I'm
trying
to
set
up
a
jenkins
job,
I
could
say:
okay,
re-run,
the
git
config
command
to
generate
jenkins
coupe
config.
B
E
F
F
So
that
way
like
maybe
the
defaults
are
piniped
username,
something
something
so
that
way.
If
the
administrator
wants
to
override
them,
when
they're
running
get
good
config
they
can,
but
if
they
don't,
then
the
end
user
still
has
some
environment
variable
names
that
they
can
set
without
having
to
edit
their
config.
E
It's
not
a
bad
idea.
I
think
I
think
moyer
had
pointed
out
a
concern
in
that
flow
which
was
or
sort
of
relate
to
that
flow
is
by
making
you
opt
in
to
the
value
of
the
environment
variables
like
if
you
don't
set
like,
if
you
don't
have
the
and
like,
if
you
don't
specify
which
nmrs
to
use
there's
no
way
for
like,
like
the
I
guess,
eli
to
try
to
consume
something.
It's
not
supposed
to
like,
like
you
effectively
have
to
like
very
hard
opt-in
to
this
functionality.
E
So
like
we're
not
trying
to
force
you
into
a
particular
path,
I
don't
know
necessarily
if
that
matters
like
it's
really
hard
to
do
like
post-level
security,
stuff
right,
like
all
the
stuff
that
you're
normally
executing,
is
running
as
your
user
can
like
read
your
entire
home
directory.
So
it's
like
go
to
read
your
credentials
off
the
disk
if
it
really
wanted
to
like
it
doesn't
have
to
like
wait
for
you
to
type
your
password
in
there's.
Also.
E
B
F
F
B
Yeah
the
trick
so
environment
variables,
like
the
actual
environment
for
each
process,
is
pretty
well
protected.
On,
like
every
modern
machine,
you
have
to
be
root.
To
read
that
the
thing
that's
not
protected
is
the
process
list
like
if
I
take
you
know,
ps,
aux
or
whatever,
and
I
list
out
running
processes
and
see
the
command
lines.
Those
are
not
always
protected
across
user
boundaries.
B
B
We
can't
we
can't.
So
we
can't
like
stop
anybody
from
ever
doing
any
insecure
thing.
I
just
want
to
make
sure
that,
like
we're
setting
people
up
to
succeed,
one
other
one
other
thought
I
had
about
this
is
I
wonder
if
it's
a
mistake
for
us
to
use
the
word
ldap
in
this
cli
flag,
because
right
now
the
only
kind
of
username
password
logins
we
support
are
ldap
logins,
but
we're
about
to
add
ad
support.
I
don't
know
if
we'll
we'll
use
the
word
ade.
B
E
I
would
personally
lean
towards
username
and
password,
or
something
like
not
including
the
word
ldap,
for
the
simple
case
of
we're
about
to
add
active
directory
at
some
point
in
the
near
future,
and
I
wouldn't
want
to
add
two
more
flags
that
just
simply
exist
to
distinguish
between
ldap
and
80.
Even
though
there's
no
conceptual
difference.
E
Client
id
and
client
secret
are
a
little
bit
fuzzier
and
like
I'd,
also
thought
about
like
if
it
would
be
possible
for
like
if
we
had
like
github
support
in
the
future,
if
it
would
be
possible
for
us
to
like
use
like
some
kind
of
personal
access,
token
based
flow.
So
that
way
you
could
theoretically
do
github
login
without
a
browser
as
well.
E
B
B
All
right
well,
I
can
consider
that,
like
at
least
one
change
here,
I
I
am
also
maybe
leaning
now
towards
let's
just
pick
a
variable
name
and
use
that
we
can
always
add
files
like
file
path,
support.
Later
too,
we
don't
have
to
it
can
coexist
with
this.
But
let's
just
pick
a
name.
That's
like
peniped
underscore
username
pin
a
pet
underscore
password.
I
mean
we're
lucky
that
we
have
a
project
name,
that's
very
unique,
there's
not
that
many
other
things
called
pen
and
pad.
So
I
don't
think
that's
going
to
conflict.
B
Yeah,
in
fact,
we
we
have
another
story:
open,
that's
about
refactoring
our
client
to
be
a
more
usable
as
a
as
a
go
library,
and
that
that
basically,
the
hard,
the
the
actual
name
that
we're
hard
coding
here
might
be
on
the
cli
side
of
that
api
so
like
it
might
be
literally
part
of
just
what
the
pinniped
cli
does
and
if
you
repackage
the
client
into
another
binary,
you
choose
a
different
name.
If
you
want.
C
B
E
Yeah,
I
think
margaret
is
right.
I
think
what
this
boils
down
at
the
code
level
is,
I
think,
moyer
wrote
this
code
where
the
there's
like
a
concept
of
a
cache
key,
and
these
would
need
to
be
considered
in
that.
So
that
way,
when
you
do
the
lookup
in
the
cache,
if
these
are
different,
you
get
a
different
key
and
you
don't
hit
the
cache
threads.
B
So
the
way
that
cache
key
works
right
now
is
just
a
plain
shot:
256
hash,
that's
very
fast,
and
this
the
thing
that
it's
hashing
over
doesn't
have
a
lot
of
entropy
other
than
your
password,
so
it
may
not
be.
We
may
want
to
find
a
safer
way
to
compute
the
cache
key
like
with
the
with
a
password
hash.
B
F
F
So
wouldn't
you
think
of
the
environment
variable
in
a
similar
way,
like
I
present
the
environment
variable
once
my
resulting
tokens
get
cached
and
then
I'm
not
presenting
the
environment
variable
again
I
could,
or
I
could
not
it
doesn't
matter
like
you
can
have
environment
variables,
set
that
aren't
read
by
any
system
and
that's
okay
and
you
can
also
unset
them
and
if
no
system
tries
to
read
them,
that's!
Okay!
F
B
I
always
want
to
reuse
that
cache.
If
it's
available,
I
don't
want
to
like
ask
the
user
hey.
Do
you
still
want
to
log
in
as
that
user
again
like
that
username?
So
maybe
in
this
case
we
could
either
just
completely
ignore
it,
or
maybe
we
could
just
cache
cache
based
on
the
username
header,
so
the
username
environment
variable
not
the
password.
So
if
you
logged
in
once
with
one
username
and
then
you
logged
in
a
second
time
with
a
different
username
that
would
correctly
like
this.
B
So
the
bug
that
we'd
want
to
avoid
is
I
set
the
username
to
you
know
jenkins.
I
run
a
command,
then
I
set
the
user,
the
username
environment
variable
to
moyer
and
I
run
another
command
thinking
it's
going
to
happen
as
me,
but
actually
it
runs
as
jenkins
because
the
pet
cli
incorrectly
reuses
the
cash.
E
Whereas
previously,
I
think
we
just
mostly
lied
on
cli
flags
like
you
could
say
that
the
prompting
of
ldap
and
username
was
like
hidden
like
it
wasn't
stored
anywhere.
It
was
just
like
we
typed
it
into
a
buffer
and,
like
nothing,
really
recorded
the
ins
that
occurring
now.
We
got
this
weird
state
where
we,
I
think
what
moyer
said,
is
a
scenario
we
want
to
be
careful
of,
because
I
think
we've
all
been
standing
beside
a
person
or
known
of
a
person.
E
F
B
So
if
you
change
the
token,
so
I
change
from
like
the
jenkins
token,
to
a
moyer
token,
like
I
can,
I
can
one
other
use
case
is
like
I've
got
two
terminal
windows
open
one
where
I'm
interacting
with
the
system
as
as
jenkins
and
another
we're
interacting
with
it.
As
me,
we
just
want
to
make
sure
that
those
correctly
share
the
cache
anyway.
I
think
we
get
around
this
by
just
hashing
the
username.
B
We
don't
have
any
of
the
problems
that
are
related
to
like
a
password,
because,
basically
with
the
property
that
we
know
is,
if
you
have
a
username,
let's
say
jenkins
and
I
changed
my
password.
I
changed
the
password
that
could
cause
my
login
to
fail
or
succeed,
but
it's
really
unlikely
to
log
me
in
as
a
different
user
based
on
which
password
I
choose
right.
B
F
B
B
Having
multiple
concurrent
sessions
and
like
it's
like,
maybe
a
different
different
terminal
windows
on
the
same
machine
should
also
work
correctly.
So
I
think
we
want
to
what
we
want
to
avoid
is
having
a
command
that
you
run
in
one
terminal
affect
an
environment
in
a
negative
way
that
you're
running
in
another
terminal
right
like
there
shouldn't
we
shouldn't,
be
commands
that
assume
a
single
shared
global
current
current
user
session
as
much
as
possible.
B
I
think
we
have
that
right
now
with
ldap
and
I'm
not
sure
we
want
it,
I'm
not
sure
how
to
get
around
that
or
if
we
need
to
support,
maybe
like
multiple
session
cache
profiles
or
something
like
that,
it's
a
logout
is
one
one
factor
of
that
one
one
element
of
that,
but
think
there
might
be
other
commands
in
that
same
category,
that
we
want
to
think
about
at
the
same
time
like
switching
switch
user
or
things
like
that.
I
don't
know
I
I
not
that
happy
with,
like
the
kubernetes
style.
B
E
E
Now
I
do
think
that
would
be
relatively
easy
to
implement,
because
I
think
there's
an
rfc
that
fossid
already
supports.
We
just
have
to
like
wire
it
some
in
some
way
and
give
ourselves
like
an
end
point.
I
do
think.
Well,
I
think,
last
time
I
checked,
it
is
actually
something
that
you
can
expose
in
the
oic
discovery,
so
it
wouldn't
even
have
to
be
like
hard
coding
like
the
supervisor
logout
or
something
that's
the
magical,
logout.
B
E
E
But
if
you
imagine
you
revoke
this
singleton
upstream
refresh
thing,
then
you
kind
of
get
in
this
weird
state
where
it
like
hoses
a
bunch
of
stuff
that
maybe
wasn't
supposed
to,
or
maybe
it
is.
I
don't
know
like
I
I
I
certainly
don't
mind
the
capability
of
saying
log
out,
like
all
like
just
nuke
all
my
sessions
everywhere.
E
E
E
A
A
A
Pacific
time,
that's
just
an
opportunity
for
you
to
listen
in
on
what
the
team
is
working
on
and
also
provide
your
own
feedback
on
what
they're
working
on
or,
if
you're
interested
in
helping
out
with
any
of
these
items
or
if
you
have
anything
that
you
wish
to
discuss
with
the
team
on
on
your
end
regarding
pinniped
this.
This
is
just
a
great
opportunity
for
for
all
of
that.
A
Additionally,
we
are
available
on
the
kubernetes
slack
workspace
in
the
pinniped
channel
and
we
are
on
twitter
at
project
pinniped,
so
there's
just
various
opportunities
for
you
to
engage
with
the
maintainers,
and
we
do
hope
that
you
do
reach
out
to
us.
We'd
love
to
hear
from
you
and
with
that.
Thank.