►
From YouTube: Pinniped Community Meeting - February 4, 2021
Description
Pinniped Community Meeting - February 4, 2021
This meeting dove deep into api design and the upcoming release of v0.5.0, featuring multiple pinnipeds.
Notes and meeting information can be found here: https://hackmd.io/rd_kVJhjQfOvfAWzK8A3tQ?view
B
And
so
I
think
matt's
also
probably
gonna
talk
about
some
of
the
other
stuff,
but
one
one
of
those
pieces
was
detecting
cloud-hosted
environments
so
like.
If
we
can
tell
that
you're
running
on
gke
or
eks,
then
we
can
use
that
information
to
spin
up
an
impersonation
proxy
for
you
and
if
you're
running
on
kind,
then
we
don't
need
to.
D
C
E
C
F
E
C
C
C
C
C
Okay,
so
so
this
blog
post,
I
think,
is
not
quite
it
doesn't
quite
fit
the
pattern
that
we
might
have
in
other
releases,
where
we
we
write
a
blog
post,
announcing
the
release
and
talking
about
all
the
cool
new
features
that
we
shipped
in
the
release,
because
the
feature
that
we're
shipping
in
this
release
is
pretty
small,
and
it's
only
interesting
to
some
niche
cases
like
most
pen.
Pet
users
won't
care
about
this
feature
at
all.
C
D
C
D
A
C
E
C
D
Yep
thanks
I'm
glad
to
be
back
like
it's
day-
three,
I
guess
so
mostly
catch
up
with
the
team
and
trying
to
get
a
sense
of
what's
going
on
with
like
in-flight
work,
as
well
as
how
the
team
has
been
thinking
about
upcoming
initiatives.
I
got
some
of
that
information.
I
think
we
have
some.
I
scheduled
some
meetings
with
the
team
over
the
next.
D
I
guess
two
weeks
that
will
help
us
make
some
decisions
that
will
inform,
when
I
say
a
short-term
roadmap,
I'm
thinking
like
roughly
six
iterations
and
then
those
will
also
be
foundational
for
a
longer
term
roadmap.
Also,
as
I
work
a
little
bit
more
closely
with
dan
to
understand
some
of
the
specific
outcomes,
we
believe
that
we're
trying
to
drive
specifically
with
pinniped
as
it
exists,
kind
of
in
a
broader
umbrella
of
stuff.
I
know
that's
rather
ambiguous.
A
C
Yeah,
okay,
so
I
posted
this
earlier
in
the
week,
so
maybe
folks
had
a
chance
to
read
it.
This
is
this
is
a
proposal
about
the
api
changes
that
go
along
with
the
new
impersonation
proxy
feature.
I
don't
think
it
necessarily
changes
that
much
about
actually
how
the
the
code
works
to
implement
the
impersonation
proxy.
It's
mostly
about
how
do
you
configure
and
describe
the
status
of
of
the
impersonation
proxy?
C
So
this
is
a
departure
from
what
we
have
filed
as
sort
of
stories
right
now,
in
github
goals
were
to
make
the
concierge
work,
with
no
configuration
in
as
many
cases
as
possible.
I
think
that's
like
been
our
goal.
Since
we
started
was
like
most
cases
should
work
with
no
config,
you
just
install
penpad
and
it
works
correctly.
C
I
also
wanted
to
leave
room
in
the
leave
room
in
the
api
so
that
we
can
eventually
configure
everything
that
might
ever
need
to
be
configured
about
how
it
behaves
even
if
right
now,
we
don't
have
all
those
knobs
yet
and
then
I
also
really
wanted
to
get
rid
of
the
credential
issue
or
resource,
and
I
don't
know
if
I
justified
very
well
why
I
want
to
get
rid
of
it.
But
it's
mostly
because
it's
I
don't
like
having
a
singleton
api
like
it's,
it's
kind
of
a
weird
api
pattern.
C
C
So
the
changes
I
broke
down
here,
the
first
one
you
can
scroll
down
a
little
the
first
one
here
is
basically
the
change
that
marco
talked
about,
which
is
start
adding
some
auto
detection
of
when
the
impersonation
proxy
is
needed,
and
we
can
make
this
fancier
later
on,
but,
like
the
simplest
place
to
start
is
just.
Are
we
running
on
one
of
the
three
major
hosted
cloud
provider,
cluster
types
and
they're?
All
marker?
I
hope
I'm
not.
C
I
hope
I'm
not
wrong,
but
they're
all
relatively
easy
to
detect
because
they
all
use
like
labels
on
on
the
node
object,
since
you
can
just
make
a
little
api
call
and
tell
if
you're
on
one
of
those,
so
in
the
next
version
of
pinniped
after
the
one
we
shipped
today,
we
would
detect
that
we
were
in
one
of
those
environments.
If
we
are
in
one
of
those
environments,
generate
and
persist,
a
ca
which
we
have
code
to
do.
C
C
C
I
think
the
if
you
could
go
back
up
for
just
a
second,
the
there's,
a
bunch
of
cloud
provider,
specific
annotations
that
could
be
useful
in
certain
scenarios,
but
I
don't
think
we
need
any
of
them
to
make
the
feature
work
in
this
version.
It
just
would
just
be
a
just
a
load,
balancer
service,
okay
and
then
the
next
thing.
C
Second
change
is:
take
the
status
information
that
currently,
we
kind
of
keep
in
the
credential
issuer
api
and
start
putting
it
in
these
in
a
new
status
field
of
the
authenticator
objects.
Instead,
so
we
already
have
like
some
common
types
between
the
jot
authenticator
and
the
token
web
hook
authenticator.
C
C
The
the
slightly
awkward
thing
about
this
is
that
it
is
basically
the
same
information
on
each
authenticator
object.
So
if
you
had
a
hundred
authenticator
objects,
that
would
be
pretty
wasteful,
but
in
most
scenarios
you
have
like
one
and
even
in
more
complex
scenarios,
you
probably
have
like
two
or
three
or
five,
so
it
doesn't
that
doesn't
feel
that
bad
to
me.
I
have
an
example
of
what
I
think
the
api
should
look
like
here.
E
If
I,
if
I
could
make
a
comment,
yeah
yeah,
please
copy
the
same
information.
A
thousand
times
is
a
kubernetes
pattern.
Note
the
root
ca
publisher.
There
is
no
global
config
map
that
has
this
singleton
object
is
copied
via
controller
into
a
known
location
in
every
single
namespace,
so
totally
totally
fine.
This
is
well
within
exactly
what
cube
would
tell
you
to
do.
C
Yeah
so
in
this
object
the
the
spec
and
the
metadata
and
everything-
that's
that's!
That's
what
our
api
looks
like
today.
Already
the
new
part
in
the
status
field.
Is
this
concierge
strategies
field
which
tells
you
for
each
type
of
of
strategy
that
we
support,
and
that's
that's
the
name
that
we
use
right
now,
I'm
open
to
changing
that
name.
I
think
strategy
is
a
little
bit
generic
word.
C
But
again,
that's
that's
the
information
that
you
need
to
connect
to
the
impersonation
proxy
in
a
coup
config
and
then
for
backwards
compatibility.
We
can
take
the
status
information
and
we
can.
We
can
continue
to
maintain
the
credential
issuer
for
another
release
or
two
just
in
case
anybody's,
depending
on
it.
We
can
mark
it
deprecated
in
o60.
C
And
then,
finally,
this
is
basically
the
space
that
I
want
to
add
the
space
that
I
want
to
reserve
for
future
configuration
is
then
in
the
config
map
configuration
of
the
of
the
concierge.
So
I
think,
almost
all
of
the
things
that
you
would
want
to
configure
about
how
the
concierge
works
are
things
that
you
would
know
when
you
installed
it.
So
I
like
that,
for
example,
on
the
supervisor
I
like
that
you
can
come
back
and
dynamically
reconfigure
it
with
a
new
idp.
I
think
that's
really
powerful
and
useful.
C
I
don't
think
it's
necessarily
useful
to
dynamically
reconfigure,
the
concierge
to
operate
in
some
different
mode,
because
it's
it's
a
component
that
you
would
probably
deploy
like
as
a
cluster
add-on,
and
you
would
kind
of
know
when
you
installed
it
kind
of
the
parameters
that
you
wanted
to
use.
So
the
the
initial
in
in
060
this
section
would
just
be
empty.
C
We
wouldn't
actually
have
any
new
config
some
point
after
o60,
we
would
add
some
config
and
some
things
we
could
configure
are
this
mode,
which
would
be
either
forcing
the
impersonation
proxy
to
be
on
or
forcing
it
to
be
off
or
the
default
could
be
the
o60
behavior,
which
is
detect
cloud
providers.
Basically,
I
think
it
detects
cloud
providers
or
something-
maybe
maybe
I
think,
maybe
a
fancier
heuristic
than
just
detecting
cloud
providers.
Maybe
we
can
find
another
another
heuristic
that
gets
us
to
like
be
correct.
In
more
percentage
of
cases,.
E
E
C
C
C
Future
future
api
work,
the
example
here
I
gave
oh
something
else
important
in
the
config.
If
we
scroll
back
up
for
a
second
something
that
I
think
we'll
want
to
be
able
to
do
in
the
future
is
disable
the
automatic
creation
of
that
load,
balancer
service
and
let
the
user
configure
that
out
of
band
so
say
like
maybe
load
balancing,
doesn't
work
in
my
cluster,
but
I
have
a
host
port.
I
forwarded
correctly,
and
I
know
the
external
name
of
that
host.
C
C
Okay,
so
the
first
example
this
would
be
on
a
cluster
where
the
like,
on
a
kind
cluster,
where
the
token
credential
request
api
works.
So
you
can
see
that
it
has
a
success
status
and
then
the
impersonation
proxy
would
be
disabled
because
it
would
be
in
this
auto
mode
where
it
detected
that
it
wasn't
on
a
cloud
provider
cluster,
and
so
it
just
turned
itself
off.
C
C
Would
start
up
and
it
would
have
this
connection
information
and
then
yeah.
One
alternative
api
idea
is
just
a
structural
thing
about
how
that
strategy
status
information
is
laid
out.
I
think
this
is
like
a
style
question.
I
don't
really
know
what
the
right
answer
is
in
the
in
the
first
exam.
In
the
the
main
examples,
each
of
the
strategies
has
its
own
status
type.
C
I
mean
this
example
like
they
share
a
common
strategy
status
object.
That
then
has
like
some
specific
information
under
it.
I
don't
know
what
the
right
answer
is.
Okay,
sorry,
that
was
a
long
read
through.
I
wanted
to
make
sure
there's
some
comments
that
I
wanted
to
get
to
that
are
further
up
in
the
dock
nancy.
If
you
want
I'm
happy
to
share
too,
if
you
want
to
either
way.
D
C
Oh,
I
think
I
think
I
kind
of
addressed
this
the
example
at
the
bottom.
We
can.
We
can
talk
more
about
that.
The
implementation,
I
think,
essentially
we
just
need,
like
some
in-memory
cache
of
like
what
the
status
of
each
of
the
strategies
is
and
then
in
our
authenticator
controller
we
can
have
a
controller
that
copies
that
into
the
status
of
each
authenticator.
C
I'm
not
I'm
not
sure
exactly
what
the
implementation
would
look
like,
but
I
try
to
mostly
focus
on
the
api
design
in
this
dock,
but
it
seems
feasible
to
me
that
you
would
have
some
piece
of
code
that
when
the
when
the
status
of
one
of
the
strategies
changes
it
broadcasts
that
out
and
applies
it
to
all
the
current
authenticators
and
then
maybe
in
the
authenticator
controller.
When
a
new
authenticator
is
created,
it
needs
to
go
pull
that
in
I,
it
might
be
a
little
bit
complicated
like.
C
E
C
We
could
start
with
just
a
really
basic
config
that
just
forces
it
to
be
on,
and
that
would
be
enough
for
testing.
I
think
we
could.
Even
I
think
I
mentioned
we
could
even
do
that
with
like
an
environment
variable
that
we
really
don't
expose
as
an
api
at
all.
Yet
because
we
even
even
though
load
balancer
services,
don't
work
in
kind.
The
service,
the
cluster
ap
part
of
the
load
balancer
service
does
work.
You
can
actually
talk
to
it
through
squid,
so
I
think
we
could.
C
F
C
C
C
C
F
F
A
E
F
C
Yeah,
this
is
an
array
where
each
entry
of
the
array
describes
the
status
of
a
particular
strategy,
and
all
of
these
fields
are
all
like
one
type
here
and
here
you're
looking
at
like
the
same
type
and
then
there's
because
each
strategy
has
some
strategy
specific,
like
configuration
status,
there
has
to
be
this
extra
little
sort
of
tagged
union
field
inside
there.
That
has
the
specific
data
for
if
the
impersonation
proxy
is
working,
here's
here's
how
to
connect
to
it
and
there
would
be
a
similar
little
tagged
union
field
for
the
cons.
C
G
I
mean:
isn't
the
isn't
the
client
just
gonna,
so
I'm
thinking
about
a
client
of
this
authentication
thing
and
isn't
the
client
just
gonna
wanna
know.
Where
do
I
make
my
http
connection
and
like
maybe
what
do
I
use
for
a
proxy?
What
do
I
use
for
a
ca
bundle?
What
do
I
use
for
a
api
path,
something
like
that.
C
So
you
and
when
you
run
piniped
get
coop
config,
you
would
say
which
authenticator
do
you
want
to
use?
It
would
go
read
that
authenticator
status
and
say:
oh.
If
I
want
to
use
that
authenticator,
I
can
tell
that
it's
running
in
impersonation
proxy
mode,
so
the
kind
of
coupe
config
I
need
to
target.
That
is
one
where,
for
example,
the
server
and
the
ca
and
the
coop
config
point
at
the
proxy
and
then
the
command
that's
embedded
inside.
There
is
the
version
of
the
command
that
wraps
up
the
token
for
the
proxy.
F
C
That's
true,
I
would
almost
think
we
would
still
have
it
there
and
have
it
say,
disabled
by
config,
or
something
like
that.
So
it's
obvious
one
other
thought
I
had
is
that
with
the
with
this
shape
of
api.
This
is
this
is
a
really
trivial
thing,
but
in
this
shape
of
api
we
could
pull
out
the
status
fields
of
each
of
the
strategies
and
actually
pull
them
up
into
the
the
column
output
of
get
the
the
coupe
ctl
output.
C
C
C
I
don't
know.
Also
I
mean
something
else
to
note
about
the
api
here
is
that
it
doesn't
prevent
a
particular
authenticator
from
having
both
strategies
working,
which
I
think
is
something
we
want
in
case.
We
add
in
the
future
a
new
strategy.
We
want
to
keep
one
of
these
old
strategies
around
for
existing
clients,
but
have
something
new.
That's
that's
newer
and
better.
That
should
work.
Okay,
I
think.
B
C
C
C
A
strategy
maybe
a
future
strategy
that
did
some
transport
level
credential
binding,
so
meaning
like
a
client
certificate
that
wouldn't
work
over
this
api.
It
wouldn't
work
with
this
strategy,
but
it
would
work
on
the
impersonation
proxy,
and
so
we
could
actually
say
hey
that
this
future,
like
cert,
authenticator
client.
Third
authenticator,
is
publishing
a
different
set
of
strategies
than
the
token
authenticator.
On
the
same.
C
D
F
D
C
Both
of
the
the
current
strategies
working,
we
actually
don't
really
want
to
use
the
impersonation
proxy
unless
we
have
to
like.
So
if
the
token
credential
request
api
works,
it'd
be
better
to
not
even
run
the
impersonation
proxy
at
all
and
that's
awkward
because
of
how
kind
of
eventually
consistent
all
of
our
logic
for
creating
this
is.
F
C
B
C
C
D
C
Api
work,
the
work
so
far,
so
there's,
I
think,
there's
sort
of
two
pieces
of
work
so
far.
One
is
just
the
the
runtime
behavior,
the
one
runtime
implementation
of
running
the
proxy,
which
is
actually
independent
of
all
of
this.
This
is
all
just
like
how
we
tell
how
to
run
the
proxy
or
when
to
run
the
proxy
or
whether
to
run
the
proxy
in
the
case
where
we
do
run
the
proxy.
We
have
that
code
now.
Essentially,
maybe
it's
not
completely
done,
but
it's
there.
C
C
Another
thing
is
looking
at
the
node
objects
and
finding
the
nodes
that
are
labeled
as
control
plane
nodes,
and
if
you
don't
find
nodes,
labeled
control,
plane
nodes,
then
you
know
you're
you're,
probably
on
a
cluster,
that's
not
self-hosted
anyway,
I
yeah,
maybe
maybe
we
need
to.
We
do
need
to
so
what
I'm
looking
at
the
issues
here.
C
C
B
Yeah,
I
think,
that's
a
separate
issue.
Those
last
two
stories
are
there's
already
like
work
for
those
on
the
impersonation
proxy
branch.
I
anticipate
that
changing
with
the
implementation
of
the
new
authenticators
back,
but
there's
already
like
stuff
in
flight
there.
I
think
the
branch
is
like
kind
of.
B
D
C
Can
turn
it
back
over
to
you
if
you
want,
or
I'm
happy
to
just
finish
this
out?
The
last
agenda
item
is
about
this
story
or
that
this
pr,
which
might
we
may
we
may
or
may
not
want
to
ship
today
in
the
release
and
we
may
or
may
not
want
to
emerge.
I
haven't
I've,
read
this
issue
and
I
feel
like
I
didn't,
really
understand
it
and
I
don't
really
have
an
opinion.
C
C
A
No
all
right!
Well
thanks
everyone
for
joining
the
community
meeting
if
you're
watching
this
from
home
after
it's
been
recorded.
Please
join
us
live
for
the
next
pinniped
community
meeting.
That's
happening
happens
every
first
and
third
thursday
of
the
month.
So
today
is
the
first
thursday
and
we
will
meet
again
on
the
third
thursday
of
february.
So
we
will
see
you
then,
hopefully
than
that.
Thank
you.