---
tags: notes
---
# Pinniped Community Meeting 🦭
_This doc is meant to serve as the "one doc to rule them all" for Pinniped community meetings and open discussions._
:::info
:information_source: **Community Meeting Details**
:::
- Community meetings are held every **first and third Thursday** of each month at 9AM PT ([Convert to your time zone](http://www.thetimezoneconverter.com/?t=09:00&tz=PT%20%28Pacific%20Time%29)): [Zoom Link](https://go.pinniped.dev/community/zoom)
- Join our [Google Group](https://go.pinniped.dev/community/group) to get updates on the project and invites to community meetings.
- Previous community meeting recordings: [Pinniped YouTube Playlist](https://go.pinniped.dev/community/youtube)
- **Need help or have an issue to discuss with the team?** Add your item to **Discussion Topics** for the next meeting's agenda. :point_down:
:::info
:information_source: **Join us on Slack and Twitter**
:::
The Pinniped team can be reached at:
* The Kubernetes Slack workspace within the [#Pinniped channel](https://kubernetes.slack.com/archives/C01BW364RJA)
* If you aren't already a member on the Kubernetes Slack workspace, please first [request an invitation](https://slack.k8s.io/) to gain access.
* Twitter: [@projectpinniped](https://twitter.com/projectpinniped)
:::warning
_Please read and abide by our [Code of Conduct](https://github.com/vmware-tanzu/pinniped/blob/main/CODE_OF_CONDUCT.md) when attending these meetings._
:::
# June 16, 2022 Agenda
If you are using Pinniped, please add details on your usage in this GitHub Discussion: [Are you using Pinniped?](https://github.com/vmware-tanzu/pinniped/discussions/152)
#### Attendees - Add Your Name + Company/Organization
1. Margo Crawford (VMware)
### Status Updates
* [Pinniped Release v0.18 is out](https://twitter.com/projectpinniped/status/1534933882231050243)
* [Project Roadmap](https://github.com/vmware-tanzu/pinniped/blob/main/ROADMAP.md)
* Open Source Summit NA in Austin next week!
### Discussion Topics
Open Technical Proposals need community feedback:
* [Proposal for Dynamic OIDC Client](https://github.com/vmware-tanzu/pinniped/pull/1126)
* [Proposal for Audit logging](https://github.com/vmware-tanzu/pinniped/pull/1142)
Have a question or need help with something?
Reach out to us:
- [#Pinniped channel](https://kubernetes.slack.com/archives/C01BW364RJA)
# May 5, 2022 Agenda
If you are using Pinniped, please add details on your usage in this GitHub Discussion: [Are you using Pinniped?](https://github.com/vmware-tanzu/pinniped/discussions/152)
#### Attendees - Add Your Name + Company/Organization
1. Anjali Telang (VMware)
### Status Updates
* [Upcoming!] Pinniped Release v0.17 Update
* [Project Roadmap](https://github.com/vmware-tanzu/pinniped/blob/main/ROADMAP.md)
* See you at Kubecon EU in May!
* Open Source Summit NA in Austin in June!
### Discussion Topics
Open Technical Proposals need community feedback:
* [Proposal for Web UI for LDAP/AD](https://github.com/vmware-tanzu/pinniped/pull/1116)
* [Proposal for Dynamic OIDC Client](https://github.com/vmware-tanzu/pinniped/pull/1126)
* [Proposal for Audit logging](https://github.com/vmware-tanzu/pinniped/pull/1142)
Have a question or need help with something?
Reach out to us:
- [#Pinniped channel](https://kubernetes.slack.com/archives/C01BW364RJA)
# April 21, 2022 Agenda
If you are using Pinniped, please add details on your usage in this GitHub Discussion: [Are you using Pinniped?](https://github.com/vmware-tanzu/pinniped/discussions/152)
#### Attendees - Add Your Name + Company/Organization
1. Nigel Brown (VMware)
2. Anjali Telang (VMware)
3. Margo Crawford
### Status Updates
* New Pinniped Release v0.16 Update
* [Project Roadmap](https://github.com/vmware-tanzu/pinniped/blob/main/ROADMAP.md)
* See you at Open Source Summit in Austin!
### Discussion Topics
Have a question or need help with something? Please input below:
- [#Pinniped channel](https://kubernetes.slack.com/archives/C01BW364RJA)
# April 7, 2022 Agenda
If you are using Pinniped, please add details on your usage in this GitHub Discussion: [Are you using Pinniped?](https://github.com/vmware-tanzu/pinniped/discussions/152)
#### Attendees - Add Your Name + Company/Organization
1. Nigel Brown (VMware)
2. Anjali Telang (VMware)
3. Mo Khan (VMware)
### Status Updates
* [Project Roadmap](https://github.com/vmware-tanzu/pinniped/blob/main/ROADMAP.md)
* [Supervisor HTTP listener disabled by default and may only bind to loopback interfaces](https://github.com/vmware-tanzu/pinniped/pull/1094) (Ryan)
### Discussion Topics
Have a question or need help with something? Please input below:
- [#Pinniped channel](https://kubernetes.slack.com/archives/C01BW364RJA)
# March 17, 2022 Agenda
If you are using Pinniped, please add details on your usage in this GitHub Discussion: [Are you using Pinniped?](https://github.com/vmware-tanzu/pinniped/discussions/152)
#### Attendees - Add Your Name + Company/Organization
1. Nigel Brown (VMware)
2. Margo Crawford (VMware)
3. Anjali Telang (VMware)
### Status Updates
* [Project Roadmap](https://github.com/vmware-tanzu/pinniped/blob/main/ROADMAP.md)
### Discussion Topics
Have a question or need help with something? Please input below:
---
# March 3, 2022 Agenda
If you are using Pinniped, please add details on your usage in this GitHub Discussion: [Are you using Pinniped?](https://github.com/vmware-tanzu/pinniped/discussions/152)
#### Attendees - Add Your Name + Company/Organization
1. Anjali Telang (VMware)
2. Ryan (VMware)
3. Mo Khan (VMware)
4. Scott Rosenberg (TeraSky)
### Announcements
* [Updated Governance](https://github.com/vmware-tanzu/pinniped/blob/main/GOVERNANCE.md)
* [NEW! Pinniped Proposal Process](https://github.com/vmware-tanzu/pinniped/blob/main/proposals/README.md)
* [Pinniped TGI Kubernetes](https://www.youtube.com/watch?v=g6WQvF0shZY)
* Community Manager Update
### Status Updates
* [Project Roadmap](https://github.com/vmware-tanzu/pinniped/blob/main/ROADMAP.md)
* Upcoming v0.15.0 soon™️ - group refresh functionality
* Great [how-to guide](https://pinniped.dev/docs/tutorials/) now on website
### Discussion Topics
Have a question or need help with something? Please input below:
* [Margo] - What to expect with v0.15.0
* Bringing LDAP refresh up to parity with OIDC by checking whether groups have changed upon refresh.
* Might need to use a flag to tweak your LDAP search params
* [Mo] We started doing investigative work in regards to Pinniped auth against dashboards
---
# February 17, 2022 Agenda
If you are using Pinniped, please add details on your usage in this GitHub Discussion: [Are you using Pinniped?](https://github.com/vmware-tanzu/pinniped/discussions/152)
#### Attendees - Add Your Name + Company/Organization
1. Anjali Telang (VMware)
2. Mo Khan (VMware)
### Announcements
* We released [v0.14.0](https://github.com/vmware-tanzu/pinniped/releases/tag/v0.14.0). Pinniped now responds to CORS pre-flight calls against the CLI's localhost listener. This fix was released because browser logins were failing with Google Chrome v98+, which was released on Feb 1, 2022.
* [Community Feedback Survey](https://forms.gle/L5jZKhwJu5CTR4x28)
* Pinniped is hiring! Check out this open [Staff Engineer Kubernetes Security and Authentication role](https://careers.vmware.com/main/jobs/R2120931) for more details. Reach out to us in #pinniped in the Kubernetes Slack workspace or on Twitter @projectpinniped if you have any questions!
* Check out this comprehensive [Pinniped tutorial](https://pinniped.dev/docs/tutorials/concierge-and-supervisor-demo/)
### Status Updates
* [Project Roadmap](https://github.com/vmware-tanzu/pinniped/blob/main/ROADMAP.md)
### Discussion Topics
Have a question or need help with something? Please input below:
*
___
# February 3, 2022 Agenda
If you are using Pinniped, please add details on your usage in this GitHub Discussion: [Are you using Pinniped?](https://github.com/vmware-tanzu/pinniped/discussions/152)
#### Attendees - Add Your Name + Company/Organization
1. Nanci Lancaster, VMware
2. Margo Crawford, VMware
3. Mo Khan, VMware
### Announcements
* [Community Feedback Survey](https://forms.gle/L5jZKhwJu5CTR4x28)
* Pinniped is hiring! Check out this open [Staff Engineer Kubernetes Security and Authentication role](https://careers.vmware.com/main/jobs/R2120931) for more details. Reach out to us in #pinniped in the Kubernetes Slack workspace or on Twitter @projectpinniped if you have any questions!
* Released [v0.13.0](https://pinniped.dev/posts/secure-tls-idp-refresh/)!
* Quick Demo - OIDC Upstream Group Refresh by Margo
* Thank you, [@siddhant94](https://github.com/siddhant940), for submitting a PR ([#875](https://github.com/vmware-tanzu/pinniped/pull/875)) to add the `--install-hint` flag to the `pinniped get kubeconfig` command!
### Status Updates
* [Project Roadmap](https://github.com/vmware-tanzu/pinniped/blob/main/ROADMAP.md)
* LDAP/AD Group information support
* Documentation changes
* Multiple IDPs - currently trying to plan out
* In the future we'd like to support dashboards that plug into Kubernetes and make that experience easier
### Discussion Topics
Have a question or need help with something? Please input below:
*
___
# December 2, 2021 Agenda
If you are using Pinniped, please add details on your usage in this GitHub Discussion: [Are you using Pinniped?](https://github.com/vmware-tanzu/pinniped/discussions/152)
#### Attendees - Add Your Name + Company/Organization
1. Anjali Telang (VMware)
2. Margo Crawford (VMware)
3. Scott Rosenberg (TeraSky)
4. Mo Khan (VMware)
5. Nanci Lancaster (VMware)
### Announcements
* Pinniped is hiring! Check out this open [Staff Engineer Kubernetes Security and Authentication role](https://careers.vmware.com/main/jobs/R2120931) for more details. Reach out to us in #pinniped in the Kubernetes Slack workspace or on Twitter @projectpinniped if you have any questions!
### Status Updates
* [Project Roadmap](https://github.com/vmware-tanzu/pinniped/blob/main/ROADMAP.md)
* Lots of items still being actively worked on. Once some errors are figured out, the next release will happen with a detailed blog post to accompany it. Stay tuned!
### Discussion Topics
Have a question or need help with something? Please input below:
* none.
---
# November 18, 2021 Agenda
If you are using Pinniped, please add details on your usage in this GitHub Discussion: [Are you using Pinniped?](https://github.com/vmware-tanzu/pinniped/discussions/152)
#### Attendees - Add Your Name + Company/Organization
1. Anjali Telang (VMware)
2. Margo Crawford (VMware)
3. Ryan (VMware)
### Announcements
*
### Status Updates
* [Project Roadmap](https://github.com/vmware-tanzu/pinniped/blob/main/ROADMAP.md)
### Discussion Topics
Have a question or need help with something? Please input below:
*
___
# November 4, 2021 Agenda
If you are using Pinniped, please add details on your usage in this GitHub Discussion: [Are you using Pinniped?](https://github.com/vmware-tanzu/pinniped/discussions/152)
#### Attendees - Add Your Name + Company/Organization
1. Nanci Lancaster [VMware]
2. Mo Khan [VMware]
3. Margo Crawford [VMware]
4. Scott Rosenberg [TeraSky]
### Announcements
* Pinniped talk recordings from KubeCon + CloudNativeCon North America 2021 now on YouTube!
* [Pinniped: A Unified Framework for User Authentication to Kubernetes Cluster- Mo Khan & Anjali Telang](https://youtu.be/2fI_XOGEoIU)
* [Everything Wrong with K8s Authentication and How We Worked Around It - Mo Khan & Margo Crawford](https://youtu.be/OCkTnElNE9M)
### Status Updates
* [Project Roadmap](https://github.com/vmware-tanzu/pinniped/blob/main/ROADMAP.md)
* `Supervisor token refresh fails when the upstream refresh token no longer works for OIDC`
* [Margo] The basic work of checking through is done.
* `Supervisor token refresh fails when the upstream user is in an invalid state for LDAP/AD`
* [Margo]
* Done with the work that the LDAP user still exists when you refresh supervisor, still in code review.
* Still working on getting Active Directory upstream working. Figured out integration tests for password last set.
* [Mo] What are we doing about locked/disabled passwords?
* [Margo] Inactive directory works in 5-minutes of user logging out
* [Mo] I agree - let's tell Anjali so she is aware. Make folks aware of ways to revoke access to users.
* `Set stricter default TLS versions and Ciphers`
* [Mo] In the same line of hardening our upstream refresh, working on hardening our TLS configuration. Relatively going well. Kubernetes code we use has put up a fight, but I think I've forced it to behave. I'm at commit 60-something, so many revisions to get it to work... Going well, though. The default security posture of Pinniped will support ciphers that were considered state of the art 8 years ago - ie 11 on Windows 7. You can put Dex in between us and the OIDP and also have the same downgrade of TLS if you insist.
* Minimum TLS Pinniped would support: 1.2
### Discussion Topics
Have a question or need help with something? Please input below:
* [Slack discussion on removal of supervisor http port 8080](https://kubernetes.slack.com/archives/C01BW364RJA/p1635775073081100), will break:
* https://linuxblog.xyz/posts/pinniped-kubernetes-single-sign-on / https://github.com/Kerwood/pinniped-chart/blob/340f49e9a4bc91763c172b8c38bb7060c4ae7ec1/supervisor/templates/Service.yaml#L11
* https://github.com/getupio-undistro/undistro/blob/4af14c8fdc86a3344e4d5233c8c6abd95fd7d4e1/charts/pinniped-supervisor/templates/service.yaml#L16
* maybe https://github.com/jvanzyl/pinniped-charts/blob/64a1fd5578a85c0d58d9519eaf50c5440911869d/supervisor/values.yaml#L41
* [From meeting] Watch recording starting at 32:55 for in-depth discussion
___
# October 21, 2021 Agenda
#### Attendees - Add Your Name + Company/Organization
If you are using Pinniped, please add details on your usage in this GitHub Discussion: [Are you using Pinniped?](https://github.com/vmware-tanzu/pinniped/discussions/152)
1. Nanci Lancaster [VMware]
2. Anjali Telang [VMware]
3. Margo Crawford [VMware]
4. Mo Khan [VMware]
### Announcements
* Reminder: Pinniped is participating in [Hacktoberfest](https://hacktoberfest.digitalocean.com/)!
* Look for issues labeled `Hacktoberfest` to participate
* We currently have just one but may add more: https://github.com/vmware-tanzu/pinniped/issues/553
### Status Updates
* [Project Roadmap](https://github.com/vmware-tanzu/pinniped/blob/main/ROADMAP.md)
* `Improving Security Posture` - Supervisor token refresh fails when the upstream refresh token no longer works for OIDC
* Updated roadmap with recent focus for Security hardening features
* [Helm chart discussion on slack](https://kubernetes.slack.com/archives/C01BW364RJA/p1633551477164900)
* Any updates from Scott / Bitnami?
* Anjali has reached out to Bitnami and has started those discussions.
### Discussion Topics
Have a question or need help with something? Please input below:
* [Slack discussion on AD upstream refresh](https://kubernetes.slack.com/archives/C01BW364RJA/p1634818838005000)
___
# October 7, 2021 Agenda
#### Attendees - Add Your Name + Company/Organization
If you are using Pinniped, please add details on your usage in this GitHub Discussion: [Are you using Pinniped?](https://github.com/vmware-tanzu/pinniped/discussions/152)
1. Anjali Telang [VMware]
2. Ryan Richard [VMware]
3. Mo Khan [VMware]
4. Nanci Lancaster [VMware]
5. Margo Crawford [VMware]
6. Scott Rosenberg [Terasky]
### Announcements
* Pinniped at [KubeCon + CloudNativeCon North America](https://events.linuxfoundation.org/kubecon-cloudnativecon-north-america/)!
* [Everything Wrong with K8s Authentication and How We Worked Around It - Mo Khan & Margo Crawford](https://sched.co/lV5I)
* **When:** Friday, October 15, 2:30–3:05pm Pacific Time
* **How to Attend:** [Register to attend](https://events.linuxfoundation.org/kubecon-cloudnativecon-north-america/register/) KubeCon either virtually or in-person!
* Pinniped at KubeCon *Co-Located Event:* [Cloud Native Security Conference North America](https://events.linuxfoundation.org/cloud-native-security-conference-north-america/program/schedule/)
* **Session:** [Pinniped: A Unified Framework for User Authentication to Kubernetes Clusters- Mo Khan & Anjali Telang](https://sched.co/mBmz)
* **When:** Tuesday, October 12, 2:25pm–2:35pm Pacific Time
* **How to Attend:** You must be [registered](https://events.linuxfoundation.org/kubecon-cloudnativecon-north-america/register/) for KubeCon + CloudNativeCon North America AND the Cloud Native Security Conference North America
### Status Updates
* [Project Roadmap](https://github.com/vmware-tanzu/pinniped/blob/main/ROADMAP.md)
* `Supervisor token refresh fails when the upstream refresh token no longer works for OIDC` - Expect closer to end of October
### Discussion Topics
Have a question or need help with something? Please input below:
* [Helm chart discussion on slack](https://kubernetes.slack.com/archives/C01BW364RJA/p1633551477164900)
* Scott - Will reach out to Bitnami - https://github.com/bitnami/charts
* Possibly ask someone from community to work on it
* Possibly maintainers will take it on
---
# September 16, 2021 Agenda - Margo: Guest Emcee
#### Attendees - Add Your Name + Company/Organization
If you are using Pinniped, please add details on your usage in this GitHub Discussion: [Are you using Pinniped?](https://github.com/vmware-tanzu/pinniped/discussions/152)
1. Anjali Telang (VMware)
### Announcements
* Pinniped at [KubeCon + CloudNativeCon North America](https://events.linuxfoundation.org/kubecon-cloudnativecon-north-america/)!
* [Everything Wrong with K8s Authentication and How We Worked Around It - Mo Khan & Margo Crawford](https://sched.co/lV5I)
* **When:** Friday, October 15, 2:30–3:05pm Pacific Time
* **How to Attend:** [Register to attend](https://events.linuxfoundation.org/kubecon-cloudnativecon-north-america/register/) KubeCon either virtually or in-person!
* Pinniped at KubeCon *Co-Located Event:* [Cloud Native Security Conference North America](https://events.linuxfoundation.org/cloud-native-security-conference-north-america/program/schedule/)
* **Session:** [Pinniped: A Unified Framework for User Authentication to Kubernetes Clusters- Mo Khan & Anjali Telang](https://sched.co/mBmz)
* **When:** Tuesday, October 12, 2:25pm–2:35pm Pacific Time
* **How to Attend:** You must be [registered](https://events.linuxfoundation.org/kubecon-cloudnativecon-north-america/register/) for KubeCon + CloudNativeCon North America AND the Cloud Native Security Conference North America
* Pinniped is participating in [Hacktoberfest](https://hacktoberfest.digitalocean.com/)!
* Look for issues labeled `Hacktoberfest` to participate
* We currently have just one but may add more: https://github.com/vmware-tanzu/pinniped/issues/553
### Status Updates
* [Project Roadmap](https://github.com/vmware-tanzu/pinniped/blob/main/ROADMAP.md)
* Multiple IDP Support moved to backlog for now
### Discussion Topics
Have a question or need help with something? You can ask in [the Discussion Q&A](https://github.com/vmware-tanzu/pinniped/discussions/categories/q-a) or input below:
*
___
# September 2, 2021 Agenda
#### Attendees - Add Your Name + Company/Organization
If you are using Pinniped, please add details on your usage in this GitHub Discussion: [Are you using Pinniped?](https://github.com/vmware-tanzu/pinniped/discussions/152)
- Anjali Telang (VMware)
- Matt Moyer (VMware)
- Margo Crawford (VMware)
- Nanci Lancaster (VMware)
- Mo Khan (VMware)
- Andrew Keesler (VMware)
- Ben Petersen (VMware)
### Announcements
- Farewell to Matt Moyer
- [v0.11.0](https://github.com/vmware-tanzu/pinniped/releases/tag/v0.11.0) released!
- Thanks to Anjali and reviewers for the [blog post](https://pinniped.dev/posts/supporting-ad-oidc-workflows/)
### Status Updates
* [Project Roadmap](https://github.com/vmware-tanzu/pinniped/blob/main/ROADMAP.md)
### Discussion Topics
Have a question or need help with something? You can ask in [the Discussion Q&A](https://github.com/vmware-tanzu/pinniped/discussions/categories/q-a) or input below:
- .
---
# August 19, 2021 Agenda
#### Attendees - Add Your Name + Company/Organization
1. Anjali Telang (VMware)
2. Margo Crawford (VMware)
3. Ryan Richard (VMware)
4. Nanci Lancaster (VMware)
5. Matt Moyer (VMware)
6. Mo Khan (VMware)
### Announcements
- Pinniped accepted talk at KubeCon + CloudNativeCon North America!
- [Everything Wrong with K8s Authentication and How We Worked Around It - Mo Khan & Margo Crawford, VMware](https://sched.co/lV5I)
- Friday, October 15, 2021, 2:30–3:05pm Pacific Time
- [Register to attend](https://events.linuxfoundation.org/kubecon-cloudnativecon-north-america/register/) KubeCon either virtually or in-person!
- Reminder: Register to attend the [Pinniped CNCF Webinar](https://community.cncf.io/events/details/cncf-cncf-online-programs-presents-cncf-live-webinar-easy-secure-kubernetes-authentication-with-pinniped/)
### Status Updates
* [Project Roadmap](https://github.com/vmware-tanzu/pinniped/blob/main/ROADMAP.md)
* Remote OIDC login support: SHIPPED
* Non-Interactive Password based LDAP logins: SHIPPED
* Non-Interactive Password based OIDC logins: In Progress
* Active Directory Support: In Progress
* Multiple IDP Support: ([design doc](https://hackmd.io/bPcs_c2ZR8WnpcuQ73FC-w?view))
* Discuss doc in next community meeting
* Identity transforms: Discussion needed
* Starlark everywhere?!
* Start with OIDC Identity Provider
### Discussion Topics
Have a question or need help with something? You can ask in [the Discussion Q&A](https://github.com/vmware-tanzu/pinniped/discussions/categories/q-a) or input below:
* [Are you using Pinniped?](https://github.com/vmware-tanzu/pinniped/discussions/152) - Add your details to this discussion :) (nanci)
* Feedback on CNCF Webinar demo flow (matt)
___
# August 5, 2021 Agenda
:::warning
### Meeting Canceled - Company Holiday
:::
---
# July 29, 2021
Occurred on the 5th Thursday of the month vs the usual schedule of 1st and 3rd Thursday due to team being out next week.
#### Attendees - Add Your Name + Company/Organization
1. Anjali Telang (VMware)
2. Margo Crawford (VMware)
3. Ryan Richard (VMware)
4. Andrew Keesler (VMware)
5. Nanci Lancaster (VMware)
6. Matt Moyer (VMware)
7. Mo Khan (VMware)
### Announcements
* Reminder: Register to attend the [Pinniped CNCF Webinar](https://community.cncf.io/events/details/cncf-cncf-online-programs-presents-cncf-live-webinar-easy-secure-kubernetes-authentication-with-pinniped/)
* August 24, 2021, 10am PT
* Releasing v0.10.0 today!
* Remote OIDC login support (jump host support)
* Non-interactive LDAP login flowz
### Status Updates
* [Project Roadmap](https://github.com/vmware-tanzu/pinniped/blob/main/ROADMAP.md)
* **July 2021**:
* Remote OIDC login support ([design doc](https://hackmd.io/Hx17ATt_QpGOdLH_7AH1jA?view))
* **August 2021**:
* AD Support
* **September 2021**:
* Multiple IDP support
* **From Previous Meeting:**
* Considering using the functionality provided by [CSR Duration KEP](http://kep.k8s.io/2784) in v1.22+ to broaden support of clusters without the need for the impersonation proxy
* **Future/exploring:**
* [Prototype/exploration of identity transforms using Starlark (open PR)](https://github.com/vmware-tanzu/pinniped/pull/694)
### Discussion Topics
Have a question or need help with something? You can ask in [the Discussion Q&A](https://github.com/vmware-tanzu/pinniped/discussions/categories/q-a) or input below:
* Multiple IDP support ([design doc](https://hackmd.io/bPcs_c2ZR8WnpcuQ73FC-w?view))
___
# July 15, 2021
#### Attendees - Add Your Name + Company/Organization
1. Mo Khan (VMware)
2. Anjali Telang (VMware)
3. Margo Crawford (VMware)
4. Ryan Richard (VMware)
5. Andrew Keesler (VMware)
6. Nanci Lancaster (VMware)
### Announcements
* [Pinniped CNCF Webinar](https://community.cncf.io/events/details/cncf-cncf-online-programs-presents-cncf-live-webinar-easy-secure-kubernetes-authentication-with-pinniped/)
* August 24, 2021, 10am PT
### Status Updates
* [Project Roadmap](https://github.com/vmware-tanzu/pinniped/blob/main/ROADMAP.md)
* **July 2021**:
* Remote OIDC login support ([design doc](https://hackmd.io/Hx17ATt_QpGOdLH_7AH1jA?view))
* AD Support
* **From Previous Meeting:**
* [#686 non-interactive logins to OIDC providers via password grant](https://github.com/vmware-tanzu/pinniped/issues/686)
* [#577 support for web app clients](https://github.com/vmware-tanzu/pinniped/issues/577)
* Considering using the functionality provided by [CSR Duration KEP](http://kep.k8s.io/2784) in v1.22+ to broaden support of clusters without the need for the impersonation proxy
### Discussion Topics
Have a question or need help with something? You can ask in [the Discussion Q&A](https://github.com/vmware-tanzu/pinniped/discussions/categories/q-a) or input below:
* We are still learning the semantics of AD to better understand what configuration we can default for end-users. Hopefully we can provide updates in regards to this on the next meeting.
___
# July 1, 2021
#### Attendees - Add Your Name + Company/Organization
1. Anjali Telang (VMware)
2. Matt Moyer (VMware)
3. Margo Crawford (VMware)
4. Andrew Keesler (VMware)
5. Nanci Lancaster (VMware)
6. Scott Rosenberg (Terasky)
### Announcements
*
### Status Updates
* [Project Roadmap](https://github.com/vmware-tanzu/pinniped/blob/main/ROADMAP.md)
* ~~June 2021~~ **July 2021:**
* Remote OIDC login support ([design doc](https://hackmd.io/Hx17ATt_QpGOdLH_7AH1jA?view))
* AD Support
* Wider Concierge cluster support
* [From Previous Meeting](https://hackmd.io/rd_kVJhjQfOvfAWzK8A3tQ#Discussion-Topics1)
* [Design for non-interactive LDAP logins](https://github.com/vmware-tanzu/pinniped/issues/636)
* Logout command support
* Demo of jump host login flow
### Discussion Topics
Have a question or need help with something? You can ask in [the Discussion Q&A](https://github.com/vmware-tanzu/pinniped/discussions/categories/q-a) or input below:
* https://github.com/vmware-tanzu/pinniped/issues/686 (non-interactive logins to OIDC providers via password grant)
* https://github.com/vmware-tanzu/pinniped/issues/577 (support for web app clients)
___
# June 17, 2021
#### Attendees - Add Your Name + Company/Organization
1. Mo Khan (VMware)
2. Matt Moyer (VMware)
3. Anjali Telang (VMware)
4. Margo Crawford (VMware)
5. Andrew Keesler (VMware)
6. Ryan Richard (VMware)
7. Ben Petersen (VMware)
8. Nanci Lancaster (VMware)
### Announcements
* Pinniped v0.9.2: [Release Notes](https://github.com/vmware-tanzu/pinniped/releases/tag/v0.9.2)
### Status Updates
* [Project Roadmap](https://github.com/vmware-tanzu/pinniped/blob/main/ROADMAP.md)
* **June 2021:**
* Remote OIDC login support ([design doc](https://hackmd.io/Hx17ATt_QpGOdLH_7AH1jA?view))
* AD Support
* [From Previous Meeting:](https://hackmd.io/rd_kVJhjQfOvfAWzK8A3tQ?both#Discussion-Topics1)
* Imgpkg package https://github.com/vmware-tanzu/pinniped/issues/661
### Discussion Topics
Have a question or need help with something? You can ask in [the Discussion Q&A](https://github.com/vmware-tanzu/pinniped/discussions/categories/q-a) or input below:
* [Design for non-interactive LDAP logins](https://github.com/vmware-tanzu/pinniped/issues/636)
* Could keep this, but choose defaults for the env var names
* Using "LDAP" in the name might be limiting?
* Just use "username" and "password" without "ldap"
* Consider this story to include documentation
* Be careful with caching
* If we need to hash over the password, we might need a different type of hash
* We might only hash over the username
* Logout command support
* Might also include "switch user" or other session-related commands
* Logout might trigger server-side logout as well
___
# June 3, 2021
#### Attendees - Add Your Name + Company/Organization
1. Matt Moyer (VMware)
2. Mo Khan (VMware)
3. Anjali Telang (VMware)
4. Ryan Richard (VMware)
5. Ben Petersen (VMware)
6. Nanci Lancaster (VMware)
7. Andrew Keesler (VMware)
8. Scott Rosenberg (Terasky)
### Announcements
* **Pinniped v0.9.0**
Big Release! This release has so much stuff we've been working on for a long time.
* [Release Notes](https://github.com/vmware-tanzu/pinniped/releases/tag/v0.9.0)
* Blog Post: [Pinniped v0.9.0: Bring Your LDAP Identities to Your Kubernetes Clusters](https://pinniped.dev/posts/bringing-ldap-identities-to-clusters/)
* Somewhat complex to configure because LDAP is
* Pinniped v0.9.1
* To be released soon with a small but important bug fix ([#659](https://github.com/vmware-tanzu/pinniped/issues/659))
### Status Updates
* [Project Roadmap](https://github.com/vmware-tanzu/pinniped/blob/main/ROADMAP.md)
* **June 2021:**
* [Device code flow](https://github.com/vmware-tanzu/pinniped/issues/458)
* AD Support
* Ongoing: Improved Documentation
* [From Previous Meeting:](https://hackmd.io/rd_kVJhjQfOvfAWzK8A3tQ?both#Discussion-Topics1)
* [Device code flow](https://github.com/vmware-tanzu/pinniped/issues/458) vs. alternatives (Matt)
### Discussion Topics
Have a question or need help with something? You can ask in [the Discussion Q&A](https://github.com/vmware-tanzu/pinniped/discussions/categories/q-a) or input below:
* Imgpkg package https://github.com/vmware-tanzu/pinniped/issues/661
___
# May 20, 2021
#### Attendees - Add Your Name + Company/Organization
1. Nanci Lancaster, VMware
2. Matt Moyer, VMware
3. Andrew Keesler, VMware
4. Anjali Telang, VMware
5. Margo Crawford, VMware
6. Ben Petersen, VMware
7. Mo Khan, VMware
8. Ryan Richard, VMware
### Announcements
* [Pinniped v0.8.0](https://github.com/vmware-tanzu/pinniped/releases/tag/v0.8.0)
### Status Updates
* [Project Roadmap](https://github.com/vmware-tanzu/pinniped/blob/main/ROADMAP.md)
* **May 2021:**
* [LDAP Support](https://github.com/vmware-tanzu/pinniped/issues?q=is%3Aopen+is%3Aissue+milestone%3Av0.8.0) (v0.9.0)
* Improved Documentation
* [From Previous Meeting:](https://hackmd.io/rd_kVJhjQfOvfAWzK8A3tQ?both#May-6-2021)
* Refresh flow issues in v0.4.x? (Margo)
* Impersonation proxy deployments on private EKS/AKS/GKE clusters (Matt)
### Discussion Topics
Have a question or need help with something? You can ask in [the Discussion Q&A](https://github.com/vmware-tanzu/pinniped/discussions/categories/q-a) or input below:
* [Device code flow](https://github.com/vmware-tanzu/pinniped/issues/458) vs. alternatives (Matt)
*
---
# May 6, 2021
#### Attendees - Add Your Name + Company/Organization
1. Nanci Lancaster, VMware
2. Matt Moyer, VMware
3. Mo Khan, VMware
4. Margo Crawford, VMware
5. Scott Rosenberg, Terasky
### Announcements
* [Pinniped KubeCon Europe 2021 Demo](https://youtu.be/5sVdEVWuHCo)
*
### Status Updates on [Project Roadmap](https://github.com/vmware-tanzu/pinniped/blob/main/ROADMAP.md)
* **April 2021**
* [Device Code Flow](https://github.com/vmware-tanzu/pinniped/issues?q=is%3Aopen+is%3Aissue+milestone%3Av0.9.0) (v0.9.0)
* Pushed to "exploring/ongoing" pending more user feedback
* **May 2021:**
* [LDAP Support](https://github.com/vmware-tanzu/pinniped/issues?q=is%3Aopen+is%3Aissue+milestone%3Av0.8.0) (v0.8.0)
* Main PR is nearly ready to merge
* Improved Documentation
### Discussion Topics
Have a question or need help with something? You can ask in [the Discussion Q&A](https://github.com/vmware-tanzu/pinniped/discussions/categories/q-a) or input below:
* Refresh flow issues in v0.4.x? (Margo)
* File this as a bug
* PR to reduce supervisor token lengths
* PR to lengthen the lifetime of the GC for access tokens
* Consider whether we can stop caching access/ID tokens in the CLI
* Breaks some non-Supervisor OIDC use cases
* Impersonation proxy deployments on private EKS/AKS/GKE clusters (Matt)
* File an issue tracking this
* Could add a list of annotations to add on the created LoadBalancer
* Default for main install YAML can probably remain the same
---
# April 15, 2021
### Announcements
*
### Status Updates on [Project Roadmap](https://github.com/vmware-tanzu/pinniped/blob/main/ROADMAP.md)
* **April 2021:**
  * [LDAP Support](https://github.com/vmware-tanzu/pinniped/issues?q=is%3Aopen+is%3Aissue+milestone%3Av0.8.0) (v0.8.0)
  * [Device Code Flow](https://github.com/vmware-tanzu/pinniped/issues?q=is%3Aopen+is%3Aissue+milestone%3Av0.9.0) (v0.9.0)
### Discussion Topics
Have a question or need help with something? You can ask in [the Discussion Q&A](https://github.com/vmware-tanzu/pinniped/discussions/categories/q-a) or input below:
* [LDAP connection options](https://hackmd.io/SHPgH-1GQD6SAP4qWSTOLQ) for [#441](https://github.com/vmware-tanzu/pinniped/issues/441)
  * StartTLS support (not exactly one-liner, but should be easy)
  * Custom CA support (already built, needed for testing)
  * Automatic detection of StartTLS?
  * TLS min version? Should we require an "insecure" annotation to set this lower than TLSv1.2?
  * Server name to validate on the cert (separately from the hostname/endpoint)?
  * Timeouts? (can probably pick good universal defaults)
  * Connection pool sizes? (likely no connection pooling due to stateful nature of LDAP)
  * Keepalives? (can probably pick good universal defaults)
  * TLS client certificates (not yet)
  * Other non-password bind types (not yet)
* Open questions for LDAP
  * Special custom resource for AD to make configuration easier with good defaults
  * Nested group support is desired, especially for AD, and limiting the depth of search for performance reasons
  * "Forest of domains" support for AD
  * Global Catalog in AD, used where there is a forest of domains to search across the forest (maybe best to use when you have more than ~3 domains in your forest). Responses from Global Catalog can be a bit different.
---
# April 1, 2021
### Announcements
* v0.7.0!
### Status Updates on [Project Roadmap](https://github.com/vmware-tanzu/pinniped/blob/main/ROADMAP.md)
* **March 2021:** Impersonation Proxy
* **April 2021:** LDAP Support and Device Code Flow
### Discussion Topics
Have a question or need help with something? You can ask in [the Discussion Q&A](https://github.com/vmware-tanzu/pinniped/discussions/categories/q-a) or input below:
* [CLI Login and Supervisor Endpoints for LDAP Login](https://hackmd.io/SHPgH-1GQD6SAP4qWSTOLQ?view#CLI-Login-and-Supervisor-Endpoints-for-LDAP-Login)
---
# March 18, 2021
### Announcements
* [Project Roadmap](https://github.com/vmware-tanzu/pinniped/blob/main/ROADMAP.md) and [Opportunity Areas for Pinniped Contributors](https://github.com/vmware-tanzu/pinniped/discussions/483)
### Status Updates
**March 2021 Roadmap Issue: Impersonation Proxy**
* [@margocrawf]
  * Worked with @ankeesler on impersonation proxy integration tests
  * Wrote some documentation for the new impersonation proxy behavior
* [@ankeesler]
  * Worked with @margocrawf on impersonation proxy integration tests
  * Research weird behavior with proxy HTTP handler
  * Attempting to do manual testing on GKE
* [@cfryanr]
  * Worked with @enj and others on impersonation proxy implementation
* [@enj]
  * Finished re-implementing the front end of the proxy to a better design with @cfryanr
  * Attempting to do manual testing on GKE
* [@mattmoyer]
  * GKE env on PRs?
* [@pabloschuhmacher]
  * internal strategy bits
  * customer interviews
### Discussion Topics
Have a question or need help with something? You can ask in [the Discussion Q&A](https://github.com/vmware-tanzu/pinniped/discussions/categories/q-a) or input below:
* Impersonation proxy design change: the proxy now accepts the credentials issued by the usual Pinniped `TokenCredentialRequest` API, which allows a client (e.g. the `pinniped` CLI) to treat it like the "real" API server.
* What is there left to do on impersonation proxy? Fix test flakes? Manual testing?
---
# March 4, 2021
### Status Updates on what you've been working on - any blockers?
- [@ankeesler]
  - Mostly been working with Mo on Pinniped-related Kubernetes 1.21 stuff this week
- [@cfryanr]
  - Implementing the Impersonation Proxy feature with @margocrawf
- [@enj]
  - WhoAmIRequest API
  - Kube 1.21 code freeze activities (mostly code review, issue triage)
  - Upstream CSR improvements
    - 1.21 (backdating fixes, signer performance)
    - 1.22 (short lived certs)
- [@margocrawf]
  - Impersonation proxy with @cfryanr and @mattmoyer
- [@mattmoyer]
  - Update on [v0.7.0](https://github.com/vmware-tanzu/pinniped/issues?q=is%3Aopen+is%3Aissue+milestone%3Av0.7.0) release plans
  - Hacked on CLI caching a bit (more thoughts below)
- [@pabloschuhmacher]
  - How's roadmap coming along?
### Discussion Topics
Have a question? You can ask in [the Discussion Q&A](https://github.com/vmware-tanzu/pinniped/discussions/categories/q-a)
- CFP submissions?
  - Real user stories would be a good submission
- Working on "enablement" for Pinniped
  - Documentation is part of it, but there is more to do ([@pabloschuhmacher])
- How should caching work?
  - Action item: write this up as an issue ([@mattmoyer])
  - Action item: file an issue about encrypting session data using keychain APIs ([@mattmoyer])
### Community Shoutouts
---
# February 18, 2021
### Status Updates
- [@ankeesler]
  - Working with @margocrawf and @cfryanr on Concierge impersonation proxy implementation
    - Specifically working through some feedback that @enj gave
- [@cfryanr]
  - Working with @margocrawf and @ankeesler on Concierge impersonation proxy implementation
  - Working with @enj and team on planning support for Supervisor upstream LDAP IDP support
- [@enj]
  - All concierge APIs are cluster scoped now :bomb: :shocked_face_with_exploding_head:
- [@margocrawf]
  - Working with @ankeesler and @cfryanr on Concierge impersonation proxy implementation
- [@mattmoyer]
  - Dependabot is working again, mostly
  - Working on the website and docs this week
  - We hit [100 GitHub stars](https://starchart.cc/vmware-tanzu/pinniped) on Wednesday! :chart_with_upwards_trend: :tada:
- [@pabloschuhmacher]
  - Working with team + stakeholders on scoping/planning upcoming work
  - Catching up on architecture updates while I was out
  - Thinking through longer term, but iterative roadmap to share
### Discussion Topics
Have a question? You can ask in [the Discussion Q&A](https://github.com/vmware-tanzu/pinniped/discussions/categories/q-a)
- LDAP identity provider design ([@cfryanr] + [@enj])
  - [design/discussion doc](https://hackmd.io/SHPgH-1GQD6SAP4qWSTOLQ)
- What should we do to handle multiple IDPs? ([@mattmoyer])
  - Rough proposal:
    - Some way to wire together multiple IDPs and FederationDomains
    - A parameter to select an IDP during login
    - A way to advertise which IDPs exist on a FederationDomain
  - What is the relation between FederationDomain and IDPs?
    - Many to many?
      - We might need to decouple the OIDC callback from the FederationDomain issuer endpoint, so that the callback is always the same even when a new FederationDomain is introduced
    - Many to one?
      - Each IDP is attached to a single FederationDomain
      - Might have to duplicate IDP configurations
    - One to many?
  - Use cases for multiple IDPs
    - Multiple IDP layers over the same backing user store, but with different functionalities
    - Different IDPs for different pools of users
    - Different IDPs over time (migrating from one IDP to another)
  - What use cases are there for multiple FederationDomains?
    - Multiple tenants
    - Dev/prod isolation
    - Different token lifetimes or other downstream configuration parameters
    - Different sets of valid IDPs
- Should we enhance the FederationDomain to support validating allowed audiences?
  - Consensus: yes
  - Could be a static list of allowed audiences, this list could be managed by an addon controller
  - Current model is safe because you should only get kubeconfig from a trusted place
- Should we deprecate local-user-authenticator in favor of some "local user" IDP in the supervisor? in the concierge? ([@mattmoyer])
  - Notes: some discussion, but not consensus, need to discuss more another time
- Should we consider making the brainstorm document the team worked on in January available on git as opportunity areas for contributors? ([@pabloschuhmacher])
  - Consensus: yes
- Should we try merging the supervisor and concierge binaries into subcommands of one binary? ([@mattmoyer])
  - They have a lot of duplicated library code, we might be able to make our container images almost half the size.
  - Consensus: no objections
  - ~~Action item: file an issue about doing this ([@mattmoyer])~~
    - https://github.com/vmware-tanzu/pinniped/issues/449
  - Action item: file an issue about reorganizing our package structure for clarity ([@mattmoyer])
### Community Shoutouts
# February 4, 2021
### Status Updates
- [@ankeesler]
- [@cfryanr]
- [@enj]
- [@margocrawf]
  - Worked on implementing impersonation proxy features:
    - Detection of cloud hosted environments
- [@mattmoyer]
  - Hooked up test coverage tracking, what do we think?
  - Attempted to design impersonation proxy feature with Margo's help (see design doc below).
  - Wrote a blog post (with help): [vmware-tanzu/pinniped#387](https://github.com/vmware-tanzu/pinniped/pull/387)
  - Have been working on roadmap with Pablo (welcome back!)
- [@pabloschuhmacher]
  - first week back; mostly catch up with team
  - some review of short term roadmap and starting to plan for longer term initiatives over the coming weeks
### Discussion Topics
Have a question? You can ask in [the Discussion Q&A](https://github.com/vmware-tanzu/pinniped/discussions/categories/q-a)
- Review [API Design Proposal: Impersonation Proxy](https://hackmd.io/@pinniped/ryE5LfwlO) doc ([@mattmoyer])
  - Need to rewrite some existing issues in light of the new design
  - Need a new issue for the autodetection task
- Discuss how we want to handle v0.5.0 and [vmware-tanzu/pinniped#385](https://github.com/vmware-tanzu/pinniped/pull/385).
### Community Shoutouts
# January 21, 2021
### Status Updates
- [mattmoyer](https://github.com/mattmoyer)
- [enj](https://github.com/enj)
  - We are getting close to having support for running multiple Pinnipeds on the same cluster (without them interfering with each other)
- [cfryanr](https://github.com/cfryanr)
- [ankeesler](https://github.com/ankeesler)
  - This week I’ve been working with Mo and Ryan to get the multiple-Pinnipeds-one-cluster passing in CI (see Mo’s update)
  - Mo and I opened up an issue to improve debug-ability of our test environments: https://github.com/vmware-tanzu/pinniped/issues/348
- [margocrawf](https://github.com/margocrawf)
  - This week Matt and I have been working on writing an impersonation proxy. This way we can operate as a specific user without having to issue a cluster certificate. See https://github.com/vmware-tanzu/pinniped/issues/339 for more details.
### Discussion Topics
- What is in v0.5.0 besides multiple-Pinnipeds-one-cluster?
  - Schedule?
- Why multiple Pinnipeds (Mo)?
  - Matt - if we get this working, blog post worthy
- Rajat Goyal - Public Roadmap
  - Matt: Need to categorize milestones and documentation page needs attention
    - https://pinniped.dev/docs/scope/
  - Matt: We should all try to add the “good first issue” label where appropriate, along with writing clear issue descriptions
  - Point various documentation issues to Rajat
- Why build an impersonation proxy in the concierge (Moyer)?
- CI Transparency
  - Idea: split public CI task/job definitions into a public repo?
### Action Items
- ~~Moyer: file an issue about splitting and making more CI definitions public~~
  - https://github.com/vmware-tanzu/pinniped/issues/430
### Community Shoutouts
- Welcome [Rajat](https://github.com/rajat404)!
# January 6, 2021
### Action Items
- How we can combine this meeting with our iteration planning meetings, for more transparency
# November 5, 2020
### Announcements
- Our first community meeting!
### Demos
- Initial supervisor + CLI flow
[@mattmoyer]: https://github.com/mattmoyer
[@enj]: https://github.com/enj
[@cfryanr]: https://github.com/cfryanr
[@ankeesler]: https://github.com/ankeesler
[@margocrawf]: https://github.com/margocrawf
[@pabloschuhmacher]: https://github.com/pabloschuhmacher