Nic Cope

> My biggest concern would be making the OAM spec tightly coupled with Kubernetes spec (either consciously or inferred by the community). It would have long term consequences in support,...

> OAM still don't have some kubernetes concepts like Secret/Configmap, I'm not sure if it's possible to have a clean separation for OAM subset. I imagine we'd omit any fields...

Some related issues: https://github.com/crossplane/addon-oam-kubernetes-remote/issues/5 https://github.com/oam-dev/spec/issues/313 https://github.com/oam-dev/spec/issues/308

This overloaded term has certainly hindered discussions around OAM and Crossplane; it's been unclear whether "a Kubernetes OAM runtime" means "an OAM runtime built using Kubernetes" or "an OAM runtime...

> The second case seems to violate the spec in the sense that if it requires its user to fill in a field not in the OAM spec. I'm not...

I don't think a `TokenReview` object is involved when doing OIDC authentication (but I could be wrong - I don't actually use OIDC from day to day anymore). That said,...

Just checking in. I haven't had time to look at this, but my current plan when I do is to decode the JWT per your suggestion and log it.

I'd like to implement this, but didn't have time this weekend. I need to Prometheus-ify something during my day job this week so hopefully that will inspire me to find...

I agree, but don't have time to work on this project. I'm happy to review PRs to lock this down.

This sounds like a bit of a tricky one. As you say, there's two ways to load CA data at the moment: either by reading them from the kubeconfig template...