From YouTube: Pinniped Community Meeting - August 19, 2021
Description
Pinniped Community Meeting - August 19, 2021
We meet every 1st and 3rd Thursday of the month at 9am PT. We'd love for you to join us live!
Full details on this week's meeting here: https://hackmd.io/rd_kVJhjQfOvfAWzK8A3tQ?view#August-19-2021-Agenda
A
If you are watching this from home, we encourage you to come and join us live. We do meet every first and third Thursday of the month at 9 a.m. Pacific time. If you would like to get updates and invites to these meetings, you can join our Google group. All these details are found within our agenda for this particular meeting.
A
If you have anything you want to discuss in these meetings, we ask that you put them within the agenda in the discussion topic section. This can be anything from you needing help with a particular piece of Pinniped, how to get started, or if you have any feedback for the team. Regarding this, we're all ears; we'd love to hear what you have to say.
A
If you are unable to join us, we also can be found on Slack and Twitter, and those details can be found right here. If you're not part of the Kubernetes Slack workspace, you'll just need to request an invitation first to gain access, which is a really simple process. You'll just submit your email and it's pretty, pretty quick to get that invitation sent back to you.
A
When you attend these meetings, we ask that you read and abide by our code of conduct, which is listed right here, and also we ask that you add your name and any organization that you are representing. This helps us to keep track of those that are attending our meetings, see who's using Pinniped or interested in Pinniped, and keep those lines of communication open. And for announcements: in this meeting we have a big announcement that we're really excited about. We had a talk accepted at KubeCon + CloudNativeCon North America.
A
The speakers will be Mo and Margo, two of the maintainers of Pinniped. The title is "Everything Wrong with Kubernetes Authentication and How We Worked Around It." It'll be Friday, October 15th, 2:30 to 3:05 p.m. Pacific time, and you can either register to attend virtually or in person. So we would love for you to attend and hear what we have to say there.
A
Additionally, for another talk that we have on the horizon, we have a Pinniped CNCF webinar, and all the details can be found here. That'll be next week on August 24th.
B
I guess we can take those off of our roadmap now, because they are shipped, they are released. We did release remote OIDC login support in 0.10. This lets you log in from things like SSH jump hosts. We also released a way to use the LDAP login functionality with no prompting, so that now lets you use that functionality in things like CI tasks. We're working right now, we have an open merge request for the non-interactive password-based OIDC logins.
B
You can now use that through the Pinniped Supervisor, and it has a similar client flow as the LDAP login, where you type in your password. We're also working, we have unmerged changes, open PRs for Active Directory support that adds like a great, deep Active Directory integration.
B
That's sort of a special version of our existing LDAP support. Some of the next things up on the roadmap: multiple IDP support, which is about being able to have one Supervisor, one federation domain or multiple federation domains, but multiple different IDPs behind that. So letting you say things like, I've got a, maybe like a local.
B
And then also my main IDP, I'm going to build a login through either of them. Ryan has a design document that we discussed, I think, in the last call, if you have any ideas or comments about that. We're also going to be working on adding more cluster type support to the Concierge, so specifically, that'll probably mean OpenShift support, which we don't support today.
B
It may also mean adding a back end that uses the new Kubernetes 1.22 CSR API improvements, which is great because that's actually portable and standard and built into Kubernetes. And then some of the next items get a little fuzzier on the roadmap. This identity transforms feature, which again, Ryan has a prototype up and working. There's a draft PR for that. This is about basically making Pinniped programmable and pluggable internally.
A
Is that something that you want to discuss later on in this meeting, or do you think that it's something that warrants even a longer period of time for discussion?
B
I mean, I guess I'll throw kind of a straw person argument out there that we could start with just supporting Starlark transformation in the OIDC identity provider. That would be like the first place I would put it, I guess, and that would let you do the things that I think Ryan has as a proof of concept already, which is just take some claims and then output some claims.
B
About starting something smaller without designing the rest of it is, I would like it to be coherent. As we get this feature wired into all of our APIs, it should be coherent, it should kind of work the same way everywhere. And we had these sort of ideas about how we might even take some of the existing features that we've built and re-contextualize them into this new.
B
This new feature, basically. So things like picking the username claim, picking the groups claim, those API fields might actually kind of go away, or they might become a more simplistic layer that's just like syntactic sugar for the Starlark functionality. But I'm talking too much. I don't know if this is. We didn't come prepared to talk about this.
B
Maybe it's not a good topic for today, but I'm excited to start this work as soon as we can. It seems like we have a lot of other things to finish first, but if anybody has thoughts about how we might, I would love to find a way to basically merge Ryan's proof of concept in this release if we could, even if there's only a really limited place where we actually can start to support it.
C
The Starlark transformations are part of the multiple IDP gundog proposal. Maybe we could go over that together sometime soon, maybe not now, because we didn't prepare for it, but maybe later this week or next week. Good call out. I forgot about that.
A
Okay, on to discussion topics. I put this in here just wanting to start a discussion with the community, anyone outside of the maintainers. I'm just wanting to extend this out to everybody who is using Pinniped. We want to know and want to hear from you: are you using Pinniped? How are you using it?
A
Your organization or company, link to your website, your country, contact information. So how can we reach you? What is your scenario for using Pinniped? Are you running your application in testing or production? And then attach an SVG version of your logo to that comment, so that we can add that to the adopters page.
B
I would actually love feedback on my proposed demo flow for the webinar. If anybody would like to see what I'm planning to do there, I can just talk through it. So I was trying to break this into stages, stages of demo that kind of go up in complexity and start to tell the story about why you need the different pieces of Pinniped.
B
So I was going to start with a kind cluster, install the Concierge, show, talk about what an admin kubeconfig means, like what do we mean by admin kubeconfig, and show how the credential issuer status shows you that Pinniped is running. That's like layer one. Layer two then is wiring your Concierge and configuring a JWT authenticator against an OIDC provider. So I was gonna use GitLab as an example: show how you go to GitLab when you register a client, show how you create the JWT
B
Authenticator, show how you get a kubeconfig, show how the login flow works, and show how the session caching works. So that's kind of like using the Concierge with GitLab. It's kind of layer two. Layer three, then, is doing the same thing, but against a second cluster. So I was going to probably pick a GKE cluster, install the Concierge, go to GitLab and configure another client, set up another JWT authenticator, and have two clusters running the Concierge but separate, and basically show the downsides of that.
B
So show that you have to go register a second client, show that you have to log in in your browser twice, and then move on. So that's kind of like the third stage. Then move on to what if you bring in the Supervisor: so install the Supervisor, set up ingress, which I'm going to probably gloss over a little bit.
B
But I'll set up like a real ingress, go back to GitLab and register another client for the Supervisor, and then reconfigure those kind and GKE clusters to now point at the Supervisor, and show basically how the login flow changes with the Supervisor, and show that you only need to log in once and that we only needed one client, and so on. Then take that same flow and also show that it works from the jump host.
B
But this, reminder, this demo is roughly an hour long, so we have a lot of time. Show the jump host case and how that flow works, and then go through the whole setup again and set up an LDAP provider and show how the LDAP login works and how you can do the non-interactive LDAP login and do this for mica. Anyway, that's kind of the demo that I've got planned. I don't know if anybody has thoughts about what I'm missing, or too much, not enough.
C
That sounds awesome to me. Sounds like you're hitting the main features and the main benefits. It'd be super cool if we had, when is this? This is like a month from now? Tuesday. Oh, okay, never mind. I'm gonna say it'd be cool if we had multiple IDPs, so you could demo that too, but we're not going to have that on Tuesday.
B
Yeah, like when I switch from like the OIDC one to the LDAP bottle, I'll have to make sure I delete the OIDC identity provider. But yeah, it's Tuesday. I'm planning to basically do this all live. I think, I assume the webinar will be recorded, so we can post that afterwards and share it.
A
Yeah, I'm always for plan B in case things go awry with a live demo, and I also like the idea of having those as pieces of content that we could use on maybe potential blog posts. You could turn the demo into a blog post.
C
It sounds like that's already chock full of great stuff, but maybe if you have leftover time, you could throw in some Active Directory too. That is effectively finished.
D
I was going to ask, as you're going through this demo software, do you.
D
I was thinking about this earlier this week when I was reviewing Ryan's PR for the password grant stuff, and I was thinking to myself, I really don't like that this pinniped login oidc command has like 80 flags hanging off of it, and every time we change the thing, we just add more flags. I was like, okay, what would it take to have a command that only had two flags? And the two flags were: what is the URL for your Supervisor, and the second flag?
D
It should almost never be set, which is what is the CA bundle to verify that connection. So basically, it's got one parameter, which is: I would like to log into this Supervisor. And I realized that command is effectively impossible to make today, because once you log, like, you could theoretically make a command that lets you log into a Supervisor, but then you couldn't do anything, because you would be logged into a Supervisor but you would have no knowledge of what clusters to do anything with.
B
I've talked, I brought this up actually in that call we were on yesterday, right after you left, about having an API in Pinniped or adjacent to Pinniped that was like a list of clusters on the Supervisor and lets you say, like, oh, show me a list of clusters I can log into, give me a config for one of them.
D
But to me, the fact that three distinct different implementations exist and are effectively required for those products to be functional, to me would say that this would be functionality that should exist in our code base and not three different code bases in subtly different ways. But I know it's not on our roadmap, but I feel like it should be on our roadmap just because we wouldn't ship our commercial products without it. So I don't see why we ship the open source thing without something's going on.
D
Well, I was thinking they would probably have to hang off the Supervisor. Some Supervisor-specific API, like, yeah.
D
API. My response was like, if I type in a command that's called pinniped supervisor login, I don't have any idea where the Supervisor is running, like anything about the Kubernetes runtimes that the Supervisor is running against, right? And I shouldn't care. So yeah, I'm fine trying to write a design for this.
D
I just feel like we kind of cheated on this, because we had sort of foundational stuff from other bits and pieces, but I feel like also your demo would probably be simpler if you started off with: I would just like to log into the Supervisor. Cool, now it shows me that I have these four clusters: TKG, GKE, AKS, whatever, like, you know, this.
B
This is part of the value. It would also, I mean, we could also build the other UI sort of experiences around that. Like we could have a landing page, so I imagine that you host a Supervisor at like login.mycompany.com.
B
And when I visit that in my browser, maybe I get authenticated, maybe I don't even get authenticated. Maybe it just shows me an install page that says, hey, to use Kubernetes at this company, download the Pinniped CLI from here and then run this login command, and you'll get a list of clusters you can log into, and you can generate like map, you know, sort of a super kubeconfig that has all your clusters, or you.
B
Subset of clusters by tag or by which clusters go with which federation domain. And that would be an easy user onboarding story for, if I'm an admin, I set up an event. All I have to do to tell someone how to log in is send them a link to this, where the Supervisor is running, and it's like self-documenting.
D
Yeah, and I think, to a certain degree, we saw that experience from like the TKGS folks, right? Like they effectively built that into their product, as like a tightly coupled integration into their stuff, but nothing says that we couldn't have something sort of similar.
B
Did we take notes about? Did somebody, I didn't see the notes. Sounds like, Mo, you should write a design talk.
A
All right, anything else to be discussed before we leave?
A
Nope, okay! Well, thanks everyone for joining today. And again, if you're watching this from home, we encourage you to come and join us live. We meet every first and third Thursday of the month at 9:00 a.m. Pacific time. And again, if you're using Pinniped, we want to hear from you. Please add your comment into that discussion item, and feel free to reach out to us on Slack or Twitter with anything that you may need from us.