Pinniped Community Meeting 🦭

This doc is meant to serve as the "one doc to rule them all" for Pinniped community meetings and open discussions.

Community Meeting Details

  • Community meetings are held every first and third Thursday of each month at 9AM PT (Convert to your time zone): Zoom Link
  • Join our Google Group to get updates on the project and invites to community meetings.
  • Previous community meeting recordings: Pinniped YouTube Playlist
  • Need help or have an issue to discuss with the team? Add your item to Discussion Topics for the next meeting's agenda.

Join us on Slack and Twitter

The Pinniped team can be reached at:

Please read and abide by our Code of Conduct when attending these meetings.

June 16, 2022 Agenda

If you are using Pinniped, please add details on your usage in this GitHub Discussion: Are you using Pinniped?

Attendees - Add Your Name + Company/Organization

  1. Margo Crawford (VMware)

Status Updates

Discussion Topics

Open Technical Proposals need community feedback:

Have a question or need help with something?
Reach out to us:

May 5, 2022 Agenda

If you are using Pinniped, please add details on your usage in this GitHub Discussion: Are you using Pinniped?

Attendees - Add Your Name + Company/Organization

  1. Anjali Telang (VMware)

Status Updates

  • [Upcoming!] Pinniped Release v0.17 Update
  • Project Roadmap
  • See you at Kubecon EU in May!
  • Open Source Summit NA in Austin in June!

Discussion Topics

Open Technical Proposals need community feedback:

Have a question or need help with something?
Reach out to us:

April 21, 2022 Agenda

If you are using Pinniped, please add details on your usage in this GitHub Discussion: Are you using Pinniped?

Attendees - Add Your Name + Company/Organization

  1. Nigel Brown (VMware)
  2. Anjali Telang (VMware)
  3. Margo Crawford

Status Updates

  • New Pinniped Release v0.16 Update
  • Project Roadmap
  • See you at Open Source Summit in Austin!

Discussion Topics

Have a question or need help with something? Please input below:

April 7, 2022 Agenda

If you are using Pinniped, please add details on your usage in this GitHub Discussion: Are you using Pinniped?

Attendees - Add Your Name + Company/Organization

  1. Nigel Brown (VMware)
  2. Anjali Telang (VMware)
  3. Mo Khan (VMware)

Status Updates

Discussion Topics

Have a question or need help with something? Please input below:

March 17, 2022 Agenda

If you are using Pinniped, please add details on your usage in this GitHub Discussion: Are you using Pinniped?

Attendees - Add Your Name + Company/Organization

  1. Nigel Brown (VMware)
  2. Margo Crawford (VMware)
  3. Anjali Telang (VMware)

Status Updates

Discussion Topics

Have a question or need help with something? Please input below:


March 3, 2022 Agenda

If you are using Pinniped, please add details on your usage in this GitHub Discussion: Are you using Pinniped?

Attendees - Add Your Name + Company/Organization

  1. Anjali Telang (VMware)
  2. Ryan (VMware)
  3. Mo Khan (VMware)
  4. Scott Rosenberg (TeraSky)

Announcements

Status Updates

Discussion Topics

Have a question or need help with something? Please input below:

  • [Margo] - What to expect with v0.15.0
    • Bringing LDAP refresh up to parity with OIDC by checking whether groups have changed upon refresh.
    • Might need to use a flag to tweak your LDAP search params
  • [Mo] We started doing investigative work in regards to Pinniped auth against dashboards

February 17, 2022 Agenda

If you are using Pinniped, please add details on your usage in this GitHub Discussion: Are you using Pinniped?

Attendees - Add Your Name + Company/Organization

  1. Anjali Telang (VMware)
  2. Mo Khan (VMware)

Announcements

Status Updates

Discussion Topics

Have a question or need help with something? Please input below:


February 3, 2022 Agenda

If you are using Pinniped, please add details on your usage in this GitHub Discussion: Are you using Pinniped?

Attendees - Add Your Name + Company/Organization

  1. Nanci Lancaster, VMware
  2. Margo Crawford, VMware
  3. Mo Khan, VMware

Announcements

Status Updates

  • Project Roadmap
    • LDAP/AD Group information support
    • Documentation changes
    • Multiple IDPs - currently trying to plan out
    • In the future we'd like to support dashboards that plug into Kubernetes and make that experience easier

Discussion Topics

Have a question or need help with something? Please input below:


December 2, 2021 Agenda

If you are using Pinniped, please add details on your usage in this GitHub Discussion: Are you using Pinniped?

Attendees - Add Your Name + Company/Organization

  1. Anjali Telang (VMware)
  2. Margo Crawford (VMware)
  3. Scott Rosenberg (TeraSky)
  4. Mo Khan (VMware)
  5. Nanci Lancaster (VMware)

Announcements

Status Updates

  • Project Roadmap
    • Lots of items still being actively worked on. Once some errors are figured out, the next release will happen with a detailed blog post to accompany it. Stay tuned!

Discussion Topics

Have a question or need help with something? Please input below:

  • none.

November 18, 2021 Agenda

If you are using Pinniped, please add details on your usage in this GitHub Discussion: Are you using Pinniped?

Attendees - Add Your Name + Company/Organization

  1. Anjali Telang (VMware)
  2. Margo Crawford (VMware)
  3. Ryan (VMware)

Announcements

Status Updates

Discussion Topics

Have a question or need help with something? Please input below:


November 4, 2021 Agenda

If you are using Pinniped, please add details on your usage in this GitHub Discussion: Are you using Pinniped?

Attendees - Add Your Name + Company/Organization

  1. Nanci Lancaster [VMware]
  2. Mo Khan [VMware]
  3. Margo Crawford [VMware]
  4. Scott Rosenberg [TeraSky]

Announcements

Status Updates

  • Project Roadmap
    • Supervisor token refresh fails when the upstream refresh token no longer works for OIDC
      • [Margo] The basic work of checking through is done.
    • Supervisor token refresh fails when the upstream user is in an invalid state for LDAP/AD
      • [Margo]
        • Done with the work that the LDAP user still exists when you refresh supervisor, still in code review.
        • Still working on getting Active Directory upstream working. Figured out integration tests for password last set.
      • [Mo] What are we doing about locked/disabled passwords?
        • [Margo] Inactive directory works in 5-minutes of user logging out
        • [Mo] I agree - let's tell Anjali so she is aware. Make folks aware of ways to revoke access to users.
    • Set stricter default TLS versions and Ciphers
      • [Mo] In the same line of hardening our upstream refresh, working on hardening our TLS configuration. Relatively going well. Kubernetes code we use has put up a fight, but I think I've forced it to behave. I'm at commit 60-something, so many revisions to get it to work. Going well, though. The default security posture of Pinniped will support ciphers that were considered state of the art 8 years ago - IE 11 on Windows 7. You can put Dex in between us and the OIDP and also have the same downgrade of TLS if you insist.
        • Minimum TLS Pinniped would support: 1.2

Discussion Topics

Have a question or need help with something? Please input below:


October 21, 2021 Agenda

Attendees - Add Your Name + Company/Organization

If you are using Pinniped, please add details on your usage in this GitHub Discussion: Are you using Pinniped?

  1. Nanci Lancaster [VMware]
  2. Anjali Telang [VMware]
  3. Margo Crawford [VMware]
  4. Mo Khan [VMware]

Announcements

Status Updates

  • Project Roadmap
    • Improving Security Posture - Supervisor token refresh fails when the upstream refresh token no longer works for OIDC
    • Updated roadmap with recent focus for Security hardening features
  • Helm chart discussion on slack
    • Any updates from Scott / Bitnami?
      • Anjali has reached out to Bitnami and has started those discussions.

Discussion Topics

Have a question or need help with something? Please input below:


October 7, 2021 Agenda

Attendees - Add Your Name + Company/Organization

If you are using Pinniped, please add details on your usage in this GitHub Discussion: Are you using Pinniped?

  1. Anjali Telang [VMware]
  2. Ryan Richard [VMware]
  3. Mo Khan [VMware]
  4. Nanci Lancaster [VMware]
  5. Margo Crawford [VMware]
  6. Scott Rosenberg [TeraSky]

Announcements

Status Updates

  • Project Roadmap
    • Supervisor token refresh fails when the upstream refresh token no longer works for OIDC - Expect closer to end of October

Discussion Topics

Have a question or need help with something? Please input below:


September 16, 2021 Agenda - Margo: Guest Emcee

Attendees - Add Your Name + Company/Organization

If you are using Pinniped, please add details on your usage in this GitHub Discussion: Are you using Pinniped?

  1. Anjali Telang (VMware)

Announcements

Status Updates

Discussion Topics

Have a question or need help with something? You can ask in the Discussion Q&A or input below:


September 2, 2021 Agenda

Attendees - Add Your Name + Company/Organization

If you are using Pinniped, please add details on your usage in this GitHub Discussion: Are you using Pinniped?

  • Anjali Telang (VMware)
  • Matt Moyer (VMware)
  • Margo Crawford (VMware)
  • Nanci Lancaster (VMware)
  • Mo Khan (VMware)
  • Andrew Keesler (VMware)
  • Ben Petersen (VMware)

Announcements

  • Farewell to Matt Moyer
  • v0.11.0 released!
    • Thanks to Anjali and reviewers for the blog post

Status Updates

Discussion Topics

Have a question or need help with something? You can ask in the Discussion Q&A or input below:


August 19, 2021 Agenda

Attendees - Add Your Name + Company/Organization

  1. Anjali Telang (VMware)
  2. Margo Crawford (VMware)
  3. Ryan Richard (VMware)
  4. Nanci Lancaster (VMware)
  5. Matt Moyer (VMware)
  6. Mo Khan (VMware)

Announcements

Status Updates

  • Project Roadmap
    • Remote OIDC login support: SHIPPED
    • Non-Interactive Password based LDAP logins: SHIPPED
    • Non-Interactive Password based OIDC logins: In Progress
    • Active Directory Support: In Progress
    • Multiple IDP Support: (design doc)
      • Discuss doc in next community meeting
    • Identity transforms: Discussion needed
      • Starlark everywhere?!
        • Start with OIDC Identity Provider

Discussion Topics

Have a question or need help with something? You can ask in the Discussion Q&A or input below:

  • Are you using Pinniped? - Add your details to this discussion :) (nanci)
  • Feedback on CNCF Webinar demo flow (matt)

August 5, 2021 Agenda

Meeting Canceled - Company Holiday


July 29, 2021

Occurred on the 5th Thursday of the month vs the usual schedule of 1st and 3rd Thursday due to team being out next week.

Attendees - Add Your Name + Company/Organization

  1. Anjali Telang (VMware)
  2. Margo Crawford (VMware)
  3. Ryan Richard (VMware)
  4. Andrew Keesler (VMware)
  5. Nanci Lancaster (VMware)
  6. Matt Moyer (VMware)
  7. Mo Khan (VMware)

Announcements

  • Reminder: Register to attend the Pinniped CNCF Webinar
    • August 24, 2021, 10am PT
  • Releasing v0.10.0 today!
    • Remote OIDC login support (jump host support)
    • Non-interactive LDAP login flows

Status Updates

Discussion Topics

Have a question or need help with something? You can ask in the Discussion Q&A or input below:


July 15, 2021

Attendees - Add Your Name + Company/Organization

  1. Mo Khan (VMware)
  2. Anjali Telang (VMware)
  3. Margo Crawford (VMware)
  4. Ryan Richard (VMware)
  5. Andrew Keesler (VMware)
  6. Nanci Lancaster (VMware)

Announcements

Status Updates

Discussion Topics

Have a question or need help with something? You can ask in the Discussion Q&A or input below:

  • We are still learning the semantics of AD to better understand what configuration we can default for end-users. Hopefully we can provide updates in regards to this on the next meeting.

July 1, 2021

Attendees - Add Your Name + Company/Organization

  1. Anjali Telang (VMware)
  2. Matt Moyer (VMware)
  3. Margo Crawford (VMware)
  4. Andrew Keesler (VMware)
  5. Nanci Lancaster (VMware)
  6. Scott Rosenberg (TeraSky)

Announcements

Status Updates

Discussion Topics

Have a question or need help with something? You can ask in the Discussion Q&A or input below:


June 17, 2021

Attendees - Add Your Name + Company/Organization

  1. Mo Khan (VMware)
  2. Matt Moyer (VMware)
  3. Anjali Telang (VMware)
  4. Margo Crawford (VMware)
  5. Andrew Keesler (VMware)
  6. Ryan Richard (VMware)
  7. Ben Petersen (VMware)
  8. Nanci Lancaster (VMware)

Announcements

Status Updates

Discussion Topics

Have a question or need help with something? You can ask in the Discussion Q&A or input below:

  • Design for non-interactive LDAP logins

    • Could keep this, but choose defaults for the env var names
    • Using "LDAP" in the name might be limiting?
      • Just use "username" and "password" without "ldap"
    • Consider this story to include documentation
    • Be careful with caching
      • If we need to hash over the password, we might need a different type of hash
      • We might only hash over the username
  • Logout command support

    • Might also include "switch user" or other session-related commands
    • Logout might trigger server-side logout as well

June 3, 2021

Attendees - Add Your Name + Company/Organization

  1. Matt Moyer (VMware)
  2. Mo Khan (VMware)
  3. Anjali Telang (VMware)
  4. Ryan Richard (VMware)
  5. Ben Petersen (VMware)
  6. Nanci Lancaster (VMware)
  7. Andrew Keesler (VMware)
  8. Scott Rosenberg (TeraSky)

Announcements

Status Updates

Discussion Topics

Have a question or need help with something? You can ask in the Discussion Q&A or input below:


May 20, 2021

Attendees - Add Your Name + Company/Organization

  1. Nanci Lancaster, VMware
  2. Matt Moyer, VMware
  3. Andrew Keesler, VMware
  4. Anjali Telang, VMware
  5. Margo Crawford, VMware
  6. Ben Petersen, VMware
  7. Mo Khan, VMware
  8. Ryan Richard, VMware

Announcements

Status Updates

Discussion Topics

Have a question or need help with something? You can ask in the Discussion Q&A or input below:


May 6, 2021

Attendees - Add Your Name + Company/Organization

  1. Nanci Lancaster, VMware
  2. Matt Moyer, VMware
  3. Mo Khan, VMware
  4. Margo Crawford, VMware
  5. Scott Rosenberg, TeraSky

Announcements

Status Updates on Project Roadmap

  • April 2021
    • Device Code Flow (v0.9.0)
      • Pushed to "exploring/ongoing" pending more user feedback
  • May 2021:
    • LDAP Support (v0.8.0)
      • Main PR is nearly ready to merge
    • Improved Documentation

Discussion Topics

Have a question or need help with something? You can ask in the Discussion Q&A or input below:

  • Refresh flow issues in v0.4.x? (Margo)
    • File this as a bug
    • PR to reduce supervisor token lengths
    • PR to lengthen the lifetime of the GC for access tokens
    • Consider whether we can stop caching access/ID tokens in the CLI
      • Breaks some non-Supervisor OIDC use cases
  • Impersonation proxy deployments on private EKS/AKS/GKE clusters (Matt)
    • File an issue tracking this
    • Could add a list of annotations to add on the created LoadBalancer
    • Default for main install YAML can probably remain the same

April 15, 2021

Announcements

Status Updates on Project Roadmap

Discussion Topics

Have a question or need help with something? You can ask in the Discussion Q&A or input below:

  • LDAP connection options for #441
    • StartTLS support (not exactly one-liner, but should be easy)
    • Custom CA support (already built, needed for testing)
    • Automatic detection of StartTLS?
    • TLS min version? Should we require an "insecure" annotation to set this lower than TLSv1.2?
    • Server name to validate on the cert (separately from the hostname/endpoint)?
    • Timeouts? (can probably pick good universal defaults)
    • Connection pool sizes? (likely no connection pooling due to stateful nature of LDAP)
    • Keepalives? (can probably pick good universal defaults)
    • TLS client certificates (not yet)
    • Other non-password bind types (not yet)
  • Open questions for LDAP
    • Special custom resource for AD to make configuration easier with good defaults
    • Nested group support is desired, especially for AD, and limiting the depth of search for performance reasons
    • "Forest of domains" support for AD
      • Global Catalog in AD, used where there is a forest of domains to search across the forest (maybe best to use when you have more than ~3 domains in your forest). Responses from Global Catalog can be a bit different.

April 1, 2021

Announcements

  • v0.7.0!

Status Updates on Project Roadmap

  • March 2021: Impersonation Proxy
  • April 2021: LDAP Support and Device Code Flow

Discussion Topics

Have a question or need help with something? You can ask in the Discussion Q&A or input below


March 18, 2021

Announcements

Status Updates

March 2021 Roadmap Issue: Impersonation Proxy

  • @margocrawf
    • Worked with @ankeesler on impersonation proxy integration tests
    • Wrote some documentation for the new impersonation proxy behavior
  • @ankeesler
    • Worked with @margocrawf on impersonation proxy integration tests
    • Research weird behavior with proxy HTTP handler
    • Attempting to do manual testing on GKE
  • @cfryanr
    • Worked with @enj and others on impersonation proxy implementation
  • @enj
    • Finished re-implementing the front end of the proxy to a better design with @cfryanr
    • Attempting to do manual testing on GKE
  • @mattmoyer
    • GKE env on PRs?
  • @pabloschuhmacher
    • internal strategy bits
    • customer interviews

Discussion Topics

Have a question or need help with something? You can ask in the Discussion Q&A or input below

  • Impersonation proxy design change: the proxy now accepts the credentials issued by the usual Pinniped TokenCredentialRequest API, which allows a client (e.g. the pinniped CLI) to treat it like the "real" API server.
  • What is there left to do on impersonation proxy? Fix test flakes? Manual testing?

March 4, 2021

Status Updates on what you've been working on - any blockers?

  • @ankeesler
    • Mostly been working with Mo on Pinniped-related Kubernetes 1.21 stuff this week
  • @cfryanr
    • Implementing the Impersonation Proxy feature with @margocrawf
  • @enj
    • WhoAmIRequest API
    • Kube 1.21 code freeze activities (mostly code review, issue triage)
    • Upstream CSR improvements
      • 1.21 (backdating fixes, signer performance)
      • 1.22 (short lived certs)
  • @margocrawf
    • Impersonation proxy with @cfryanr and @mattmoyer
  • @mattmoyer
    • Update on v0.7.0 release plans
    • Hacked on CLI caching a bit (more thoughts below)
  • @pabloschuhmacher
    • How's roadmap coming along?

Discussion Topics

Have a question? You can ask in the Discussion Q&A

  • CFP submissions?
    • Real user stories would be a good submission
  • Working on "enablement" for Pinniped
  • How should caching work?
    • Action item: write this up as an issue (@mattmoyer)
    • Action item: file an issue about encrypting session data using keychain APIs (@mattmoyer)

Community Shoutouts


February 18, 2021

Status Updates

  • @ankeesler

    • Working with @margocrawf and @cfryanr on Concierge impersonation proxy implementation
    • Specifically working through some feedback that @enj gave
  • @cfryanr

    • Working with @margocrawf and @ankeesler on Concierge impersonation proxy implementation
    • Working with @enj and team on planning support for Supervisor upstream LDAP IDP support
  • @enj

    • All concierge APIs are cluster scoped now
  • @margocrawf

    • Working with @ankeesler and @cfryanr on Concierge impersonation proxy implementation
  • @mattmoyer

    • Dependabot is working again, mostly
    • Working on the website and docs this week
    • We hit 100 GitHub stars on Wednesday!
  • @pabloschuhmacher

    • Working with team + stakeholders on scoping/planning upcoming work
    • Catching up on architecture updates while I was out
    • Thinking through longer term, but iterative roadmap to share

Discussion Topics

Have a question? You can ask in the Discussion Q&A

  • LDAP identity provider design (@cfryanr + @enj)
  • What should we do to handle multiple IDPs? (@mattmoyer)
    • Rough proposal:
      • Some way to wire together multiple IDPs and FederationDomains
      • A parameter to select an IDP during login
      • A way to advertise which IDPs exist on a FederationDomain
    • What is the relation between FederationDomain and IDPs?
      • Many to many?
        • We might need to decouple the OIDC callback from the FederationDomain issuer endpoint, so that the callback is always the same even when a new FederationDomain is introduced
      • Many to one?
        • Each IDP is attached to a single FederationDomain
        • Might have to duplicate IDP configurations
      • One to many?
    • Use cases for multiple IDPs
      • Multiple IDP layers over the same backing user store, but with different functionalities
      • Different IDPs for different pools of users
      • Different IDPs over time (migrating from one IDP to another)
    • What use cases are there for multiple FederationDomains?
      • Multiple tenants
      • Dev/prod isolation
      • Different token lifetimes or other downstream configuration parameters
      • Different sets of valid IDPs
    • Should we enhance the FederationDomain to support validating allowed audiences?
      • Consensus: yes
      • Could be a static list of allowed audiences, this list could be managed by an addon controller
      • Current model is safe because you should only get kubeconfig from a trusted place
  • Should we deprecate local-user-authenticator in favor of some "local user" IDP in the supervisor? in the concierge? (@mattmoyer)
    • Notes: some discussion, but not consensus, need to discuss more another time
  • Should we consider making the brainstorm document the team worked on in January available on git as opportunity areas for contributors? (@pabloschuhmacher)
    • Consensus: yes
  • Should we try merging the supervisor and concierge binaries into subcommands of one binary? (@mattmoyer)

Community Shoutouts

February 4, 2021

Status Updates

  • @ankeesler
  • @cfryanr
  • @enj
  • @margocrawf
    • Worked on implementing impersonation proxy features:
      • Detection of cloud hosted environments
  • @mattmoyer
    • Hooked up test coverage tracking, what do we think?
    • Attempted to design impersonation proxy feature with Margo's help (see design doc below).
    • Wrote a blog post (with help): vmware-tanzu/pinniped#387
    • Have been working on roadmap with Pablo (welcome back!)
  • @pabloschuhmacher
    • first week back; mostly catch up with team
    • some review of short term roadmap and starting to plan for longer term initiatives over the coming weeks

Discussion Topics

Have a question? You can ask in the Discussion Q&A

Community Shoutouts

January 21, 2021

Status Updates

Discussion Topics

  • What is in v0.5.0 besides multiple-Pinnipeds-one-cluster?
    • Schedule?
    • Why multiple Pinnipeds (Mo)?
    • Matt - if we get this working, blog post worthy
  • Rajat Goyal - Public Roadmap
    • Matt: Need to categorize milestones and documentation page needs attention
    • https://pinniped.dev/docs/scope/
    • Matt: We should all try to add the “good first issue” label where appropriate, along with writing clear issue descriptions
    • Point various documentation issues to Rajat
  • Why build an impersonation proxy in the concierge (Moyer)?
  • CI Transparency
    • Idea: split public CI task/job definitions into a public repo?

Action Items

Community Shoutouts

January 6, 2021

Action Items

  • How we can combine this meeting with our iteration planning meetings, for more transparency

November 5, 2020

Announcements

  • Our first community meeting!

Demos

  • Initial supervisor + CLI flow