Good morning, good afternoon, good evening. Wherever you're hailing from, welcome to another episode of DevSecOps Is the Way. Today we're going to be talking about identity and access management, which is everybody's favorite thing, I'm sure, but a critical component in anyone's infrastructure. So Dave Meurer is here with us today, and Dave is going to introduce our guest and the show topic and all that fun stuff. So take it away, Dave.

Yeah, thank you, Chris, and I appreciate everyone joining today. I'm just going to present a couple of slides, and I promise these are the only slides you'll see in today's show. I think we have a really good one for you today. We've got Marc Boorshtein, who's the co-founder and CTO of Tremolo Security. We'll give Marc some time to introduce himself in a bit. I'm Dave Meurer. I'm at Red Hat as a global solutions architect focused on our partners, on our security independent software vendor partners, mostly around OpenShift.

If you didn't know already, DevSecOps Is the Way is a series, a monthly series that we're doing this year starting in March, and we've broken down the different months according to a framework we've developed around DevSecOps. You can see March was vulnerability, April was all about compliance, and this month is identity and access month. What we do is we bring several publications to the general public. One is this OpenShift TV show. We also have another OpenShift TV show that we produce on a monthly basis; the other one we did this month was actually yesterday, so you can go catch it on YouTube if you missed it. We also produce about three podcasts and as much other content as we can assemble. We've done blogs and case studies and white papers and things like that. Hopefully in the next couple of weeks we're actually going to be publishing a page on Red Hat that lists all this content by month so you can quickly reference it.
So excited about that. And just to talk a little bit about the framework, you can see what we've done here. We've actually worked with the industry and folks like our partners and other industry analysts to come up with a taxonomy around DevOps and DevSecOps and what security categories you can name and plot against a DevOps pipeline. You can see some of those categories here. We've got nine different categories that map in certain ways across a DevOps pipeline. Underneath these categories we've actually identified 34 different security methods or functions. So for example, under identity and access you've got things like authorization and authentication, we'll talk about that, RBAC. We've also got things like secret vaults under identity and access. Then we're able to sort of plot those against where we typically see integrations in DevOps, and that really helps us have a conversation with our partners and with our customers about a comprehensive, layered approach to security when they're on their journey to DevOps. Some of the audience members may have seen some of these diagrams before, where we have views of one or more partners plotted with Red Hat against all those 34 different security methods to really give you that comprehensive view. So that's the framework. There's a lot of content out there; just Google "DevSecOps framework Red Hat" and you'll find a complete guide around this where you can get more details and more diagrams. So with that, I will stop sharing and I'll just let Marc go ahead. If you want to introduce yourself, you're the co-founder of Tremolo, want to talk about that a little bit?

Thanks, Dave. So hi, everybody out there on OpenShift TV live. My name is Marc Boorshtein. I'm the CTO of Tremolo Security. We founded Tremolo, I think technically we founded Tremolo in 2010. We didn't really come out to the world until Red Hat Summit in 2015 in Boston.
That was our first-ever conference. At the time, when we first started out, we were really pure-play identity management. I had spent almost a decade total with PricewaterhouseCoopers as an identity management consultant, as did my co-founder, and what we found was we were spending all our time working around a beautiful demo. Here's this beautiful demo for an identity system, and the executives would all sit there and clap and say, this is perfect, this is going to fix all our problems, and then they drop it in the laps of the folks in the field that actually implement it, and we found we were spending all of our time working around the assumptions of what the vendor put together, saying, well, no, this isn't how this business actually works. So okay, there's got to be a better way, and so we first founded the company and first had the idea. The buzzword at the time was virtual appliance, there were no containers yet, and we were like, yeah, we're going to have this virtual appliance that you could just drop in. Nobody really needed to know what a virtual appliance was, because it was marketing, but it made people feel that that's what we had. So we said, okay, we're going to take this toolkit approach. Instead of having this one monolithic thing that is your identity management system, we're going to give you something that's going to sound a lot like microservices for identity. We're going to give you your virtual directory, your user provisioning, your SSO, all these little components, and we're going to let you assemble them in a way that matches what you're doing. So implementation time was turned on its head. We used to have a rule that for every dollar of software you buy, you're going to spend $2 implementing that software in professional services.
We flipped it on its head and then some: for every dollar you spent on our software, you're spending like 50 cents on implementation time. It made for a great implementation; it made for a really hard demo, because, yeah, we can do all the things. I mentioned Red Hat Summit in 2015 because that's when I was kind of first introduced to OpenShift. I've always had a soft spot in my heart for infrastructure, I always loved infrastructure, and I started learning about OpenShift. This was pre-Kubernetes; this was OpenShift v2. We started to work with it, like okay, this is interesting, and we're already pretty small and lightweight, so we started looking into getting ourselves into gear, and then we discovered Kubernetes and OpenShift v3, and we've been in love with Kubernetes and OpenShift ever since. So we started our Kubernetes and OpenShift world with OpenShift v3, kind of understanding the differences between OpenShift and upstream Kubernetes and working with customers there. Then the last three or four years have really had a focus on making it easier to secure your Kubernetes infrastructure. We were at the first KubeCon in Seattle back in 2016; we actually had a booth, and we were sitting there doing namespace as a service before anybody was really even talking about that. There wasn't even a concept of that yet, and we're seeing that more and more. What we've found is that, especially in the last two years or so, there has just been this explosion of systems where identity becomes super important, because Kubernetes is designed not to do everything, right? It's the platform for building platforms. So if you're going to have a platform for building platforms, you need to have that platform know how to talk to all these different systems, and all these different systems have to know how to talk to each other, and that becomes a big identity game. So what went from initially just user provisioning has now morphed into user provisioning, access provisioning, and infrastructure provisioning, because once you know how to provision to one API you can kind of provision to all of them. Taking it from that perspective has really accelerated the way that our customers are able to move forward. I've been doing open source since I was 18, so it just made sense to me, so we're open source as well. We don't do open core. Everything's open source; if we make it, it's open source.

So yeah, cool. Yeah, so, man, pre-version 3 OpenShift. I don't know what that means. I used that to do a phishing campaign at one of my previous employers. Wow. We were a quasi Red Hat customer, right? We bought RHEL and had some support for that, and I was like, well, let's use this redhat.com subdomain here and run my phishing campaign and see how well it goes. Yeah, it just works, right? It was amazing.

Well, hey, Marc, I gotta ask. I'm not a musician. My kids, I think, got the musical genes; it passed my generation. But what is Tremolo? I think it's a musical reference, right?

Yeah, so I'll be the first to say I am an absolute poser when it comes to anything music. I can't get past Guitar Hero on easy. I tried to teach myself the guitar once and failed miserably. I was the kid in recorder in third grade who had to sit there and just play with my fingers because I couldn't. So, yeah, what a tremolo is, is it's the fluctuation of the sound wave. So when you hit the whammy bar on a guitar, or you hit the, I forget the name of the thing on an organ or something, to get that wave, that's called the tremolo. What happened was, I'm terrible at marketing. I'll be the first one to say it; naming things, no, not my forte. So one of my co-founders, who actually is quite good at marketing, we're trying to sit there.
What's the name? We had thought up this idea, and the very first iteration of the product was, and this will sound really close to the heart to all of us in the cloud native community, a universal reverse proxy that'll do authentication and authorization integration. The original idea was it was going to do any kind of authentication you want on the front side, and the back side was going to use Kerberos, S4U2Self, for any Kerberos geeks out there. Never worked, but that was the original idea. It was to replace what's commonly known in the industry as a web access management solution. So if you're through a SiteMinder, or Oblix, which is now Oracle Access Manager, kind of really old-school tools like that, Sun Access Manager, those are web access management tools. They have agents. They're painful. They're expensive. So we wanted to build this reverse proxy where everything was just built in, and so my original idea for the company name was Auto Idea, and my co-founder's like, well, yeah, it describes it, but it's kind of clunky, doesn't really roll off the tongue, isn't super memorable. So he came back to me and said, okay, Tremolo Security. Explain to me what tremolo is. He goes, whammy bar, tremolo. I'm like, oh, that's stupid. Nobody's going to understand what that means. No, no, just come back with something else. So that night I spent two, two and a half hours trying to find a domain name that had the word identity in it. I tried different languages. I couldn't find anything. Whois tremolosecurity.com? Nobody. Cool, that's the name of the company then. And so since then we've had the musical theme, so all of our different products, projects, sub-projects all have kind of a musical take on it.
But like I said, I'm a complete poser. I can't figure out the recorder, let alone the guitar.

Yeah, same. I also know the discouragement when you've got a great idea and you have a domain name, and then you go and see if it's open and it's not, and you're like, wait a minute, it doesn't even work, but somebody had to pay them three grand.

Well, cool. And you mentioned you did a lot of stuff with Red Hat and OpenShift and a lot of community involvement. Can you talk a little bit more about what you've done in the community?

Oh, yeah. I mean, we've been pretty active inside both the K8s and the OpenShift community almost since day one. Shout out to Diane Mueller, I mean the OpenShift Commons, getting us involved in that, whether it's just answering questions on Slack, doing briefings, stuff like that. And then in the Kubernetes world, where we really got our start was 1.3, when OIDC first debuted. I had to learn how OpenID Connect actually worked. I'd been doing a lot of SAML at that point, and in order to figure out how to integrate Unison (at the time it was Unison, it wasn't even open source yet) with K8s using OpenID Connect, I had to figure out how OpenID Connect worked, and the documentation was not awesome. So I ended up writing a big wiki page for our website on how it all kind of connected and worked and all the different pieces, and folks were sending people to that wiki instead of the actual Kubernetes documentation because it just got into much deeper detail. So I was like, okay, well, that's an easy contribution, right? Let's go ahead and document. Documentation's hard. Anybody who tells you, oh, let's hand off documentation to a junior person, or somebody who downplays anything to do with documentation.
I don't know what they're talking about. I'm sorry, you talk down documentation? No. Documentation is so important. So that was really cool to me, to be able to say, hey, let's write some documentation, because people actually get a lot out of it. So that was our first contribution, and since then I've actually made some code contributions, which was fun. I added impersonation to the web UI so that it would work real well in hosted solutions. Recently I added impersonation and reverse proxy OpenID Connect support to Kiali, so that's the dashboard for Istio. That was a lot of fun; that was really interesting. And if you're in Slack and you ask anything about authentication or RBAC, chances are I'll be the first or second person to respond to you. So we've been pretty active in the community. And then in the Red Hat world, we've been working with OpenShift. We were in the first class of the original certification process. When it switched over to the newer certification process, we were in the first class when operators were going to be the first thing. We were sitting there, when was the last time Summit was in Boston? 2019, thank you. I was sitting there during an OpenShift Commons fixing our scripts. We do everything the hard way, so our operator is actually not built on the Operator SDK; we wrote it in JavaScript, and so we were finding all these different edge cases with the certification script, working with them, figuring out what's going on. So we've always had fun, and Red Hat's just always been amazing to us, so we always have a blast working with y'all.

Yeah, likewise. And then you were just presenting at KubeCon last week, right? Or was it two weeks ago, in Europe?
Yeah. It all blurs. You didn't get to go to Europe. So I did a session on kind of RBAC and authorization. It's just one of those things that baffles people. People find it really, really hard to do, because it is in fact really, really hard to do. What I'm seeing now, as K8s is moving more and more into the enterprise, is a need to look more deeply at the authorization systems inside the cluster, especially as you start looking at your developer workflow, because your developer workflow isn't just K8s, right? It's K8s, it's a pipeline now. Maybe that pipeline, we're going to talk about Tekton, runs inside your cluster, so that'll piggyback off RBAC, but you might be using Jenkins, you might be using CircleCI or Azure DevOps or any of the 25 million other pipeline systems out there, right? They'll have their own identity systems. They all have to securely talk to your clusters and your infrastructure. If you're using GitOps, whether it's Argo or Flux, we're going to talk about Argo today, that has its own built-in identity system. You look at your Git system, like, okay, we're going to make Git the center of our compliance world and our source of truth for what's happening. Now GitHub and GitLab or whatever you're using, they all have their own identity systems. They have all their own processes, all their own setups. Where do you store your containers? Are you using the built-in registry in OpenShift, or using Harbor, or using one of the 25 other container registry systems out there?
They all have their identity systems. And so where we started was kind of this namespace as a service, but what we're finding more and more is that all these different things need to talk to each other, and identity is a huge part of that. That's really what we've been spending most of our time on lately.

Yeah, so it's a good segue. We'll get into the meat of it. Before we do that, I just want to give you an opportunity to talk about your book. Sounds like you're going to do a second version of it?

Yeah, we're looking to do a rev two, but that's going to take a little while. So I'll do a shameless self-promotion here: Kubernetes and Docker: An Enterprise Guide. The key to this book is that if you're working in enterprise, this book is going to speak to you. There's a little more Docker, I'll be honest, and I'm going to throw my publisher under the bus on this one. There's more Docker than I wanted, or either of us really wanted, to be in there. The publisher told us we had to do more Docker, and my co-author bit the bullet on that one. He's a good man, better than me. But the stuff that enterprises care about, because enterprises are just different, right? I mean, B2C, everybody is narrowly focused on that one thing: I'm getting you a ride, or I'm getting you a pizza, I'm getting you something else, and everything is so super focused on that. Whereas in an enterprise, you have a handful of truly enterprise-wide apps, right? You've got collaboration, your email, your SharePoint, whatever you're using for collaboration. You've got HR systems. You've got ERP, you've got CRM. Those are truly enterprise-wide systems. But then you have hundreds, maybe even thousands, of applications that are very domain specific and can have anywhere between a few hundred users or a few thousand users, depending on the size of the organization, and to the people who use it, that is like the most mission-critical thing in the world.
But to everybody else, they're worried about their thing. And so enterprises just have different things that they care about. They've got to worry about things like silos. They have to worry about things like centralized authentication with a system that they don't own, right? If I'm working at a service provider, maybe they're using Okta or something like that, but it's more tightly integrated into the system, whereas in an enterprise the people who own Active Directory are not the same people who own your cloud infrastructure, and not the same people who own applications, right? So the people who own Active Directory, man, Active Directory goes down, you're having a really bad day. Slack goes down, yay, we're going to go throw a party. Active Directory goes down, the dinosaurs start eating the tourists. So a read-only account, that's easy, right? A write account, that's a little bit harder. So you have to deal with those silos, and then some of the less sexy things about Kubernetes, but things we all need to know, like backups, policy management, things like that. And then it all kind of culminates into the demo that we're going to do today. I had wished it was going to be live and it could break and I could show it breaking. Unfortunately, I managed to nuke my entire environment ahead of time, so we're going to have to go through a video demo. But it all kind of culminates into this: building a platform, right? How do you map your business logic into an actual implementation around GitOps and whatnot? So you'll always be able to see the output of that last chapter.

Cool. Yeah. So let's dive into the challenges of identity during the workflow. I guess, do we want to step back and define what identity means?
Yeah, I mean, a lot of folks talk identity and think SSO. That's the first thing that pops into people's brains, SSO, and as painful as SSO is, that's the easiest part. That's simple compared to the rest of the identity landscape, because it's very transactional. It's one of those things where you're authenticated or you're not, and whether you're in legal or you're in DevOps or you're an executive, you're authenticated or you're not. There's not a lot of there there from a business standpoint. Authorization is where things get really dicey, because that's where you have to start to map your business processes into code, into infrastructure, and that's a really hard thing to do. That really requires understanding not just the technology involved, because you have to be a good technologist, because we're going to throw up the whiteboard here in a minute and there's all these intricacies that you have to understand from a technology standpoint, but you also have to be able to go back and say, okay, what are the processes I need to implement this? Why do I have to do it this way? So, going back to the book, in that last chapter we don't even start talking about tech until we're about two-thirds of the way through. We're talking about: what's a pipeline? Why do you design a pipeline a certain way? How do you design your developer workflow? Because that graphic that you showed at the beginning, of all the different categories of security and whatnot, if you don't have a way to map that onto your business process, you can't match your compliance requirements because you don't know what they are. You can't make your users happy because you can't tell your users how to work. Your users are your customers, right?
They have to tell you how they want to work. So all the way up to and including even from an organizational standpoint, where we start talking about ownership of identity, right? Who owns it? If I'm a cloud team and I own an OpenShift deployment, do I really want to be responsible for adding users into projects? I might, if that's what the business lines up with. It's been my experience that I don't. Usually what ends up happening is the cloud team says, we've got enough to worry about just keeping everything up and running. Here's your sandbox, here's your field, y'all are responsible for this. Just leave us to it. We're going to make it so that it's as hard for you as possible to break things. So that becomes a really important process: who's going to own what, who's going to own that responsibility, and ultimately who's going to sign on the dotted line so that as it goes up the chain, and the CFO has to sign on the dotted line or they go to jail, does everything map so the auditor is going to be happy? Are we going to keep our CEO out of the Wall Street Journal for a breach, versus the great numbers that they want to be in the Journal for? So it really becomes important to be able to piece those things together.

Yeah. Well, let's take a look at that developer workflow. One of the things I actually failed to mention when I showed that diagram is that out of all the categories that we came up with, identity is the only category that's integrated at every spot. You can't get away from not addressing identity.

Oh, yeah.

At every point in the pipeline. It's the only category, so it's obviously very important. And so it looks like you've got your whiteboard up here.

Yeah. So I figured, have some fun with a whiteboard instead of slides, because we all hate slides. So let's think about a developer workflow, right? How do you want your developer to work? So you've got a prod environment. You've got an application, right? Hello World, right, because that's the most complicated application everybody goes to. Well, that runs inside of a container, right, and we'll say it's running inside of OpenShift. That container comes from a container registry. Now, this conversation here, you want to be authenticated, right? There's an identity, chicken scratch, right? So how does that container get into said registry? Right, you've got a pipeline, if I can draw a pipeline.

Yeah, we're all judging your artistic capabilities.

Oh, I hope so. Yeah, no, I deserve to be judged. So you've got a pipeline, right? That pipeline is going to generate a container that needs to get pushed into that registry. That's another identity, because obviously if somebody gets a hold of that pipeline, and when I say gets a hold, it's not just the hacker with the sunglasses and the hoodie sitting there trying to ruin the world. It's the developer who forgot to switch their dev context. I personally have never done that, but it happens, right? I haven't done that since, like, this morning. So you've got your pipeline, but now that pipeline doesn't just push to a registry. Let's talk about GitOps, right? Your pipeline is also going to push manifests into OpenShift, right? So you've got your GitOps. You've got your Argo over here. I hope we have a prize for anyone who can actually read what I'm writing. So Argo needs to be able to talk to OpenShift, right? That's another identity. Argo needs to be able to talk to Git. That's another identity. And so far we've only talked about things at a system level, right?
I mean, we haven't actually gotten into users, humans.

Yeah.

So we're still going, because your pipeline in the GitOps world isn't just going to generate a container, but it's also going to make an update to your manifests to point to that container, so that needs an identity here.

Sounds like we need a big notebook to write all these passwords down.

Jesus. No passwords. I'd say that's a reference to yesterday's show.

I was about to say, yeah.

Anyway, so we've got all that, but then Git needs to trigger a pipeline, right? You do a commit to Git, you want that to trigger a pipeline, so that's going to push to here, but you don't want just anybody who knows the URL to be able to trigger a pipeline. That's another identity. And then your Git repo: so you've got a pipeline that's got to be able to talk back and forth here, you've got a container registry, you've got your actual OpenShift that's running the code, all these different system-level identities. Okay. But now let's talk about the user identity for a second. I'm going to draw some swim lanes here; I'm going to bust out my management consulting glove. You've got your devs, you've got your ops, and you've got your owners. So your owner, that's your pointy-haired manager, right? And they're going to say, okay, we're deploying this new application, so I'm going to ask that somebody build the application infrastructure out. That's actually another lane, but we'll just say that all gets done, right? So: new app. And I want my ops team to be able to get into the various namespaces associated with this app, but I don't want my devs to be able to. I want my devs to have to work locally and then commit into repos. So a new app gets created, and then as a dev or an op I say, can I access? Now, that might be a ServiceNow ticket, if you have to go through that process; somebody has to ask; or it's the email shop. Right.
Can I access? That should really go to your owner, because that person is responsible for saying yes or no. Once you get a yes, you then need to get provisioned. But what do you actually get provisioned to? Well, if you're talking about GitLab, you should be a developer on the projects, but you shouldn't be able to commit to the projects, right? So you've got to go into GitLab as a dev. And then you're going to need to be able to access OpenShift, even if you're just using it to access Tekton to be able to see what's going on, so some read access. And then you want to get into Argo. I mean, Argo is a great interface; you want to be able to see what's getting synced. It has its own identity system, so Argo. And then finally your container registry, right? These all have their own identity systems. There's no rhyme or reason. GitLab will have something similar to GitHub; it ain't the same language, but at least somebody who's done GitLab will look at the way GitHub's permissions work and say, okay, that makes sense, and vice versa. But it's not the same thing. It's not the same API. It's not the same standard. So when you create your projects, your application, you have to connect all these things from a user perspective so that as a user, all these things are seamlessly integrated. So we talk a lot about SSO and authentication, getting in on the front side, but that's the easy part. Once you're in, what do you have access to? How are you restricted inside there to actually make your day easier, not harder? We'll see that as part of the demo. So as a dev I get provisioned into all these things, and then I'm going to go ahead and write some code, and then I want to push that into Git, and that's when we get to this stuff and all the magic happens. Right.
So all this stuff is happening behind the scenes, and when you want to provision this stuff, think about Git, Git workflow, Git Flow. You don't want to commit anything to that main project. You want to have forks. So you have prod, a dev fork, you have some news from Fox apparently, and then I'm going to have a local fork, right? I'm going to have my own application fork that I'm going to do my work in, and then you want to do everything through pull requests and merge requests. Well, are you making sure to get your authorizations built to work with that? As you get new developers on, how are you driving that access? Are you storing your groups in a database? Are you going to store your groups in Active Directory? Do you have the ability to do that? Are you going to store it in Okta? Where are you going to store that information? Who's going to own it? How do you keep it up to date? Do you have compliance issues, like, should somebody have to recertify this access every year, 60 days, 90 days, whatever it is? So, I actually don't think it's published anymore, but a few years ago Red Hat published this NIST 800-53 guide to OpenShift. For those who aren't aware, NIST 800-53 is the uber set of security controls that the government uses; that's like the baseline. Red Hat published a guide and said, this is how you run these controls with OpenShift, a big giant spreadsheet, and there's 20 or 30 controls specific to identity management, and they all said "not my problem, that's somebody else's problem," right, because it's a really hard problem to solve.
You can't just say "this is how I do it." Even though OpenShift, unlike upstream Kubernetes, has its own built-in identity system, a way of storing users and groups, there's still a lot of work that goes into making that happen from a control standpoint. So when you look at this, I say, okay, well, I can get SSO into Argo. I can get SSO into OpenShift. I can get SSO into GitHub. That's the easy part. Building out all these relationships, that's the hard part. Comparatively speaking; not to say SSO is easy, but when you look at the iceberg picture, SSO is the little bit up here, and the authorization framework is the bottom part down there. And that's really where the rubber hits the road. And what's great is, it's big, it's daunting, but when you do it right, oh man, your developers love it. I've got one customer that's a relatively small hedge fund, as these things go, in the UK. And we built out a system for them where the user goes in and they say, I want to create a new project. And it was all AWS infrastructure, so we would build out their CodeBuild, their CodeCommit, check in their initial stuff, a template, build out the namespaces, build out all the relationships between the identities, and they could go from that to production without interacting with anybody from ops. At one point it had gone about six months. It's like, hey, I haven't heard from you, how are things going? That's awesome. I don't talk to anybody. People leave me alone. It's great. I got enough shit to do. So it's daunting, but once you get it working, and we'll see that here in the demo in a second, it really... and I don't know how to use gestures on Mac, apparently. Can you get out of that? No, how do I... How do you do what? How do I... hey, there's your error. No, I don't want to leave. Stop. Shit.
There we go. It'll just be Chris and myself picking our noses.

Well, I would say, yeah, that it is a great thing for developers. Being a former developer, the most frustrating thing for me is that something that should know who I am doesn't. Like this thing, a smartphone: it takes me five tries sometimes just to unlock it. So when everything works and, by the way, I only have to single sign on once and not four times a day to the same browser, it's nice, right? It's frustrating when that doesn't work.

Yeah. And let's kind of show where the rubber hits the road here. All right, cool. So I'm sharing that. So this is the not-so-live demo, and we've got a lot going on here. So what you're seeing in the upper left hand corner, you've got OpenShift, GitLab, Argo, and then the bottom left hand corner is going to be OpenUnison. So OpenUnison, our open source project, that's what drives all of this. So the first thing I'm doing is I'm logging in as that app owner. I want to create a new application, so I'm going to go in and say, okay, create a new app for me. And because this was a live demo and I didn't want things to break, I pre-did as much as I could. So I'm going to say, okay, go ahead, please create a new namespace, create a new project for me. So the request goes in, and then the next thing I'm going to do is log in as an ops person, somebody who's going to approve the creation of this project. Now, this is kind of opinionated, the way we thought people would want to do it. But going back to that business discussion, people are going to do it the way that they need to do it. So I've had customers who have started with this and said, we don't want an approval; we're going to use our own portal to do that process, we just want to call your API. Right? And you want to be flexible enough to be able to handle all those different scenarios.
So what I'm doing right now is I'm logging in as that ops admin, and you can see I've got that open approval. So I'm going to review it and I'm going to approve it. Now keep your eye on what's going on up here, because you're going to see just the scrolling of objects being created across multiple different systems. Takes a second, or two, or ten. So there we go. So it's starting to churn. You see all these provisioning engine implementations; that's objects that are being created across the infrastructure, inside of Argo, inside of GitLab. We're creating private keys in order to link everything. We're creating tokens, secrets. Everything's being created for you to be able to have that dev environment, that prod environment, that Tekton environment. And so all that stuff that we were talking about in that whiteboard session is now being created behind the scenes on your behalf, instead of having to engineer that out, or script it out, or Terraform it out. You could use Terraform here or whatnot, but this is automating that entire process, and it's tied to identity. So not only is it automating that process, it's creating groups inside of a database that I have access to and I manage. So I can externalize my authentication while still managing the authorization, managing the business process around that. And it's also creating an audit of everything. So we're going to see here in a second, once I catch up, that I'm going to actually log in and take a look at the report. So I'm going to log out, log back in here, because I'm realizing, oh yeah, so quick. And so I'm going to go to a report here, and that report is driven off of a database schema. We don't make you use some special fancy reporting tool. We include some simple reports just to make life easier, but it's all open source, right?
So you go to the audit report. You can see that in this one single user change log (this is the one the security folks really love) we track every single object that gets created associated with this person. So it might be a permission that we grant the person; it might be an object tied to a workflow that that person executed. And then we're tracking all those different objects being created. And another report will show which workflows are associated, who approved, right? And it's all just SQL, so you can slice it and dice it whatever way is important to you. But now, when it comes to how do you actually do your audit, you have something to audit against. We've got one customer, a bank, that is writing an operator that is just constantly checking namespaces, and if a namespace doesn't exist in its OpenUnison database, it shoots up a red flag: why is this here? Because it's that constant auditing. So now I'm logging in to GitLab, and I'm logging in as my app owner slash developer. To make the demo a little easier, I cut down on the number of identities. So you see I've got four projects here. I've got a build project; that's where my Tekton pipelines go. I've got an operations project... I've got two operations projects, one for dev, one for prod; that's where my YAML goes. And I have my actual application source code. Now I go to Argo and I can see that I have projects and applications in Argo that line up to my projects in GitLab. So because I've got identity tying these things together, I only see in Argo what I can see in GitLab, what I can see in OpenShift. And now I'm securely able to use these systems as one, even though they're completely different applications, like completely different people. I don't have multiple credentials. I don't have multiple requests.
Everything is synchronized. So the first thing I'm going to do is... trying to remember what the first thing I'm going to do is. So I'm checking out right now the build process. So we also stubbed out our Tekton pipelines and event listeners. So there's an event listener there; it's set up, it's integrated into GitLab. There's a token in there to protect it, to make sure that anybody who knows the URL can't just call it. And that's been provisioned into the project inside of GitLab. So now I'm in the Argo production one. You'll see there's nothing there, because, well, there's nothing there. So now we're going to actually start loading things up. So the first thing I'm going to do is go into operations and fork it. I think I'm going to fork... am I going to fork this one? Maybe not. The really cool thing here is that there are two operations projects. The dev operations project is a fork of the production operations project. So when it comes time to actually deploy to production, I'm running a merge request. So I just actually fork the application code project, so I can actually just check in the application. That's the least amazing part of all this. So I'm going ahead, I'm cloning my project. I don't know, have there been any questions coming in, Chris?

Not that I haven't been able to answer.

Oh, okay, cool. Yeah. This demo was originally actually to show off how Tekton works, so there's a little more downtime than I would have liked. So I've pushed the code. Hello world, you know, I'm not really super amazing. There's the code, right? So the next question is, how do we get that code into a container and into production? So next I'm actually going to go to my operations.
So this is where I'm going to store my YAML; this is where my deployment file is going to go. So I'm going to go ahead now. In the real world, what you would want is, as a developer, I would fork this repository into my own space, do my work, deploy it into my little dev environment, my little slice of the world, make sure I'm happy with it, and then do a merge request. But to make this demo a little simpler, we went ahead and just did it as the app owner. So I'm going ahead, and at this point I'm checking in my YAML file.

I do have to say, all that identity was built quicker than anybody could whiteboard it.

Oh yeah, I mean, that's the beauty of API driven, right? It just... it's there.

It looks nicer.

Yeah. So you could see Argo just picked it up, and we have a broken deployment because we're not pointing to any specific tag. So how do we do this, right? We want our deployment to point to a specific tag. So the next thing we need to do is: we've deployed our code, we've deployed our YAML, now we need a container, right? So I'm going to go into build, clone it, and again, just like before, I would want to fork this, get it working in my environment, and do a merge request, but that gets even messier than this demo already is. And so I'm going to go ahead and just check out this code and add my pipeline into it. This part of building... so we did this, this was all based out of the last chapter of the book. I'd say this was some of the most fun I'd had, figuring out how Tekton worked, and just trying to work through the different abstractions and kind of how they approach things.
It's so different from your typical kind of shell script based pipeline system. So I'm updating here some parameters, making sure that's pointing to the right Git repo. If I'd done this really correctly, you might say, well, you shouldn't have to do that at all, it should be generic, and you'd probably be right. So we pushed it in, and now, if you follow the bouncing ball, you'll get Argo here in the bottom right hand corner, and you're going to find that it's going to pop up here with all of our additional pipeline objects. So we now have a pipeline. And because we automatically provisioned all of the event listeners and integrated it with all the repos, we don't have to manually execute a pipeline; we don't have to create a pipeline run object. We can now go over to Git. Now let's do a merge request. So I'm going to go in, and this is kind of showing you there's nothing up my sleeve, because there are no pipelines built. And I'm going to go in and do a merge request. If this were GitHub world, we'd be doing a pull request, right? So I create my merge request, and I'm going from my local project into the dev project. Yeah, give the reasons, all that good stuff. So this is the community edition, so approvals are optional. Excuse me. But I merged it, and now you can see immediately stuff starting to happen in the Argo screen, because the webhooks were all automatically integrated. So we now have a pipeline that's running. So our pipeline is really straightforward. It generates a tag based on a timestamp.
It creates a build, pushes that build into my registry, and then updates my dev operations repo with a tag. So I'm actually going to kind of skip ahead here, because the build process isn't really all that interesting. And what we can see here is that in our dev operations, we have this commit. The commit includes the commit ID from our application repo. So now we have a chain of custody from our dev environment all the way back to our application development. So now when it comes time to move into production, all we have to do is synchronize, do a merge request. And I'm going to fast forward again, because the rest of this isn't... everybody who watches this knows what it's like to sit and watch pods load up. So now we come over to production, we run our merge request, and because we've set up the permissions in such a way that all these things are linked, the only reason we've had to go into OpenShift at all is just to show what's going on behind the scenes, right? We haven't actually had to do a single kubectl or oc command to make any of this work. So I merge it, and then Argo does its beautiful thing where it goes ahead, pulls it in, deploys everything. And yeah, so that's everything, and that's the whole demo. So you're seeing that beginning to end without actually having to do any of that manually, and at no part did the ops folks ever have to get involved.

See, all smiling. We have about five minutes left. One of the things I wanted to ask you was, this is all about enterprise identity. How does this relate, or doesn't it relate, to just sort of regular identity for B2C type consumers, like an Uber, or me ordering Domino's?

Yes. So I mean, there's application identity. But when you're talking about those B2C systems, there's super ways of... everybody's focused on that one thing, right?
It's the delivery of a service or some kind of good, right? A pizza, a ride, or something. Whereas when you get into enterprises, it's all siloed. It's organizationally siloed, right? Because you can't manage more than three people, four people; what's the rule of thumb? So you have to have silos. As much as we say no, let's go horizontal, everything's the same: no, you have to have silos. Everybody has different ways of managing things. Everybody has certain things that their paycheck is dependent on, right? Like, if your paycheck is dependent on your application being up and running, and your bonus is based on that, you'd be really, really careful not to hurt that. And so it becomes really important to be able to supply business process that works with that silo, and that's a big part of what makes enterprise identity so much harder in a lot of ways than B2C identity.

Yeah. Awesome. Right. Well, we have a couple minutes left. Anything else you wanted to mention, Mark, on this subject?

I guess some shameless self-promotion: follow me on Twitter at @mlbiam. And the recording from the KubeCon session, that one was a lot of fun. Actually, we did a demo of OpenUnison and Fairwinds' RBAC Manager to be able to do team-based authorization. So instead of that one project being everything, we did it so that you could have multiple namespaces all managed by a team without actually having to have an ops person creating namespaces for you. There's some other projects that are getting really interesting. Hierarchical namespaces; I'm really interested in seeing where that's going to go. That's going to go a long way towards making multi-tenancy a lot easier to manage. And the Loft virtual clusters I just saw, that's another project I'm going to be keeping an eye on. That one looks really interesting. But yeah, this is an interesting space.
This is a space where I think that there's still a long way to go, and there's going to be a lot of fun getting there.

Yeah. Did I hear right? Your initials are MLB? No wonder you're a baseball fan.

Exactly. Exactly.

In case anybody's wondering about the Boston accent, he's actually a Yankees fan.

Oh, die hard Yankees fan. Yep.

You know, it's just a rare combination.

It comes from good parenting.

Cool. Well, hey, I don't have anything else. I guess we can go ahead and wrap up. I want to thank you, Mark, for participating in this month's OpenShift security...

Thanks for having me.

...and identity. Our pleasure. And I guess I'll hand it back to Chris. Any last parting words from you, or we can just... no?

Please stay tuned for the upcoming GitOps Guide to the Galaxy with Christian Hernandez and myself. I think we have a guest today, I forget. But we're gonna be there in just a moment. So stay tuned, folks.

Awesome. And Ill Hackham says thanks for a wonderful show slash demo.

Cool. I'm glad you all liked it. Thank you very much, Mark, and thanks guys. Thanks y'all. Take care. Stay safe out there.