Everybody, welcome to the DevNation Tech Talk. Today we've got some very, very cool stuff that we're going to talk about in terms of Keycloak, straight from the guys that do it. I'd like to introduce Shaaf, who is an architect or developer or something fantastic to do with Keycloak. Do you want to give a quick intro, Shaaf? Yeah, sure. So thank you. Thank you for inviting me to do this session. And yeah, my name is Shaaf. I've been a Java developer for many, many years. I've worn multiple hats as a solution architect, as a consultant. So yeah, here I am talking about something that I really like, which is Java and Keycloak together. Excellent. And we've also got Issa on the line, who is going to help with the questions. Do you want to introduce yourself quickly, Issa? Yes, sure. Hi Shaaf, I'm Issa. And currently I'm the head of Keycloak product management here at Red Hat. So I'm in charge of the product direction and looking forward to assisting our customers with what they ask for and what they need. Cool. So I'm really looking forward to this myself, because I've been playing with Keycloak for a while, and I'm a huge fan of Quarkus as well. So I hope there's some good stuff I'm going to hear about. But I'll pass it on to you now, Shaaf. So let me share my screen, and we'll get started. Cool. Thanks. So yeah, I guess my screen is on, right? So yeah, we wanted to talk about the Red Hat Build of Keycloak. What I'm going to do is quickly showcase some of those things. I'm going to talk about them as well. And then we jump into a demo. In the demo, we look at the developer experience and some of the other things that I'm really excited to show you and everybody else at the same time. So who am I? Quick introduction. I think I already gave that. I'm a Java developer. If you wrote code in AWT, then you know my age; that's pretty much what I did back in the day with Swing, with AWT, et cetera. So I've been a long-time Java developer. And I love to speak about technology.
I'm also an InfoQ technical editor for the Java Queue. What I love doing is working with Quarkus and Keycloak. So that's what this is going to be about. I'm going to go through a quick introduction, a little bit of technical overview for folks who might not know Keycloak. So if you don't know Keycloak, this is perfect. I'm going to give you a little bit of an overview as well. Obviously, I won't be able to go into the details of those overviews, to leave room for the demo. But we're going to do something simple, like create an app in Quarkus, use it, develop it locally, and then push it out onto something like OpenShift. I also have an Angular app that works with Keycloak as well. So we're going to see how these two applications work together, one being a backend service, one being a front-end. We're going to deploy to OpenShift. And I think that's going to take a lot of our time today. And then we're going to jump into questions and answers. So hopefully, just throw as many questions as you want. Issa and I are here, and Ruth as well, and we're going to try to answer as many as possible. So what is Keycloak? Keycloak is an open-source identity and access management solution. The Red Hat Build of Keycloak is based on the upstream Keycloak project. If you haven't been there, GitHub has the upstream Keycloak project, and there's the keycloak.org website as well. Lots of people use it, whether in containers, from zip files, et cetera. At the moment, the current version of the Red Hat Build of Keycloak is 22. And I believe the upstream community version 23 is pretty much around the corner. What do we mean by open-source identity and access management? Obviously, when securing your software, you might have users' identities that you want to protect. You might have access rights and resources, et cetera. You might even want to broker those identities when you have, as an example, Azure, ADFS, or an LDAP store.
And you might even store all your users over there. So connecting all of those different areas together and then managing them becomes very, very important. And obviously, federating across them also becomes important. So that's the kind of thing Keycloak really helps with. We're going to get into detail, so don't worry too much; I'll explain this even more. Keycloak is a CNCF project. It has a bunch of client libraries. If you use Java, if you use Quarkus, which we're going to showcase today, Spring, Node.js, et cetera, you should be able to use it. And in future, if you're using standard protocols, you'll also be able to use standard client connectors to work with Keycloak as well. So that's a quick introduction to what Keycloak is. Let's get into some more details about what the Red Hat Build of Keycloak is based on today. So Keycloak has been there for almost a decade. And it's been used a lot, like I said, across many sorts of scenarios. Obviously, the older Keycloak version was based on JBoss EAP. And JBoss EAP, if you know it, is an application server, a really long-lived application server. It serves a lot of applications, business-critical applications, across the globe. But it is based on a monolithic pattern. And obviously, as we move into the cloud, the monolithic pattern is not always the right fit. That doesn't mean it is never the fit, but it's not always the right fit either. So there are some things that, when you put things into the cloud, you want to be aware of. For example, you want your solution to spin up quickly. You want your solution to be scalable across multiple nodes. If things fail, then it should be able to come back up again quickly and recover from that. So all of that architecture sort of comes in with some sort of microservice mindset. And Quarkus, in that area, and going towards serverless as an example as well, helps you. So Quarkus helps a lot in that area. Quarkus minimizes the time it takes for an application to start up.
It minimizes the memory that the application uses. And it also has the possibility to run applications in native mode as well. So it becomes an extremely interesting choice when we're talking about resource consumption, when we're talking about workload density, and when we're talking about serverless applications as well. So Quarkus becomes a good choice, in this case, for Keycloak to base its stack on. I have some pictures here on the right, which pretty much say the same: traditional stacks take a lot more, Quarkus takes a lot less. And when it's native, it takes even less time, as well as less memory to operate. What requires security? So, like the title of my talk today, I mean, it's important that I also make you, or some of you, aware of why we actually care about security, or what applications require security. I've been in projects where we have developed our own solution for security, full confession here. I've been in the industry for more than 20 years developing, and solutions have not always been there that would actually centralize this. But then obviously, what starts as one application might be a backend application or a web application, could be a desktop application, mobile applications, APIs, clouds; all of these have increased a lot more in the last couple of years. And obviously, it's not the same desktop-application world that we used to live in, where you could get away with Kerberos or some sort of Active Directory behind it that you could secure your stuff with. Now you have multiple areas that you want to secure your applications with. So it kind of becomes trivial to start thinking about how this is going to work for us. Homegrown applications, or homegrown security mechanisms, have been something that we are all very familiar with, or me in this sense as well, playing that developer role.
When we do that, obviously we start thinking about putting our identities in a database. Whether, let's say, it's an MVC application, we create a user entity, we create a little bit of logic around putting all those credentials in a database, or backed by an LDAP maybe, or even these days actually use something external like an OAuth provider from one of the big cloud providers, like maybe Google or somebody else, and do that. And that's okay, in a way. But then what we mostly don't care about is the type of algorithm we might be using in the homegrown application. We might have problems tracking this, and then obviously if somebody did this and then they left or moved to another project, you have a problem tracking and trying to fix all of this non-standardized code and the recipes that have been created over a period of time. This becomes a serious challenge, even for auditing, and obviously when we're looking at putting things online, on the cloud, et cetera, hybrid cloud security becomes of paramount importance, and security has to be standardized across all these applications. And that's exactly what something like Keycloak does. You have a simple centralized server, which in this case is the Red Hat Build of Keycloak. You have different services that need to be authenticated; they need to be verified. And then you have users that need to use those applications and get themselves verified with the Red Hat Build of Keycloak in this case. So you come to a point where you start to say, okay, maybe we want to outsource that part that we have been cooking ourselves in our applications, whether we're writing our own tokens, et cetera, to something external. And why is that helpful? We'll get into that in a bit as well. So assuming, let's say, you decide that, okay, we want to secure our services: when you look at user stores, users, or applications, all over would be using different sorts of user stores.
Active Directory is one, LDAP is another, and there could be custom user stores as well. So what Keycloak is able to do is connect to those user stores and federate the users across them. Now, obviously, if I were to write an application for this myself, I can imagine how much complexity I would bring in just by connecting to different user stores and then managing them across one centralized application. So Keycloak takes that complexity away from you and does the user federation for you as well. It also does identity brokering. So let's say, on top of that, you wanted to use a different sort of protocol. Some of your applications might be using Kerberos, some of your applications might want to use OpenID Connect or OAuth or SAML v2, et cetera. You're able to work with that as well and bring all the identity brokering into Keycloak. So it has its arm in that area as well, where you're still focusing on configuring things in the Red Hat Build of Keycloak rather than actually building them yourself. And we have an example that I'm going to show you today as well. And then finally, social logins like GitHub or Google, et cetera; you're able to do that too. So you have that interface. So now think that you have an application that you just created. All you need to do is basically use the Red Hat Build of Keycloak and secure your application as a client, and put all the logic about security into the Red Hat Build of Keycloak and let it manage users and roles and identities, et cetera, from there. So it becomes a really, really interesting proposition, because now if you're multiplying your applications by, let's say, 10 or 20 or thousands, you're able to manage them with a centralized piece of software that handles this, rather than you actually managing multiple combinations of it across your application estate. Then let's look at maybe a wider scenario; you might have different things.
Like we mentioned, some of them are social login providers, LDAP, also SAML v2. So SAML is a protocol for applications, older applications, that have used it, and then obviously you're able to integrate them and bring them into your application, and that's the story. Whether you have applications that were written many years ago or applications today using these protocols, you're able to connect them together, you're able to do all the auditing, monitoring and logging, et cetera, and make sure that the user experience is seamless with the Red Hat Build of Keycloak. And in the demo, we're going to see how that user experience works as well. So that was a quick overview of what Keycloak is, right? I hope for users that haven't used it this is useful, and then we can move on to, for example, what does the Red Hat Build of Keycloak version 22 bring us? So this is the release overview. Like I said, Keycloak has been there for quite a long time, almost a decade. The previous product, Red Hat Single Sign-On, was based on Keycloak 19, which was based on JBoss EAP. Keycloak 22 is based on a Quarkus build. It's a new distribution; it's friendlier for cloud environments, with faster startup times, lower memory, a smaller distribution size altogether, and obviously reduced and constrained container images. So it's really, really looking at how efficiently we can bring it up. And when I show you in the demo, when we bring it up, you'll see that it's actually quite fast, and it works really nicely with OpenShift, or Kubernetes if you will. So what are the things that we bring in with the Red Hat Build of Keycloak apart from, yes, it's performant, yes, it's re-architected? That might not be so visible to end users, but what's most visible to end users is the user experience. Quarkus is known for its developer experience.
Quarkus has a really good set of services when it comes to Dev Services, continuous testing. There are tons of things that are really, really good with Quarkus, and I'll show you that in the demo, how we actually work together with Keycloak when we do that as well. So the developer experience is much, much different. How you create your container images, how you add your functionality into Keycloak, all of that we're going to take a look at today as well. For the users, obviously, from a user perspective, looking at their accounts, looking at their managed access, et cetera, all of that with a new user portal that's out there, plus the administration experience, whether it's the CLI, et cetera, being able to define that as well. For example, when it comes to security, and I'm going to talk about this in a second, you're also able to have a production profile and a developer profile. So you do start-dev, and you're able to use Keycloak on your local machine in developer mode, with HTTP enabled and HTTPS not required as an example, making it easier for you. If you start it in production mode, obviously the full secure mode comes on and you get functionality for production in there as well. So there are features that we have looked into when it comes to making sure that the user experience for all the different roles that use Keycloak is there, whether it's on your physical machine or whether it's inside OpenShift with the operator experience as well. So from a usability perspective, like I said, it's simple: you're using kc.sh start, and then you give it a database, which is Postgres in this case. And that's pretty much it. You can start it with the CLI, you can start it with environment variables, you can start it with the keycloak.conf that you can pass to it as well. There's no longer a standalone.xml like there was before. So that's gone.
So that kind of helps you to put your configuration in place when you are starting the server, and that's much, much simpler than the previous experience. The configuration is quite self-descriptive, and there are a lot of environment variables that you can use there as well. Here again, if you look at it, kc.sh start, you put the Postgres database there, you put in the URL and the hostname, and this is obviously on a local machine that we're trying to showcase here. In the container image it's totally different, which I'll showcase to you in a bit as well. But you don't need to think about installing drivers. Everything is built in. Every time there are changes, there's re-augmentation as well. So all of this is support coming from Quarkus directly, and Keycloak itself is an extension of Quarkus. So it makes it much, much simpler to work with as well. And these are all built-in optimizations. So when you put them in, then you have the entire stack taking the benefit of Quarkus and its ahead-of-time compilation as well. From a security perspective, one of the big items is having FIPS support, the Federal Information Processing Standard, which ensures that you have the right security guardrails in it, whether it's encryption, et cetera. So it supports the FIPS 140-2 standard with the Bouncy Castle libraries, and also SunPKCS11 plus NSS as well, right? So you're able to create a more secure environment with Keycloak than what it already is. And what it already is, is that it's secure by default. You have a production mode, like I mentioned before, and you also have a developer mode. In developer mode, HTTP is enabled, strict hostname resolution is disabled, and the whole setup is more developer-friendly. Whereas in production mode, obviously, there's a TLS requirement, there are hostname requirements, and HTTP is disabled.
This wasn't the case in previous releases, but from this release on, obviously, this is the case, and you have the profiles that you can work with, which makes it much, much easier when you're developing or when you are using it in production. So it's secure by default for production in that case as well. When we look at observability, again, there's the ability to get metrics out. So let's say you're using OpenShift and you want to take the metrics out of the system, or you have the zip file on your physical machine, or containers; you have the /metrics endpoint that gives you the metrics from the system, and you can get the metrics from your database too. So all the different details around the caching mechanism that's being used under the hood within Keycloak, to ensure that all the sessions and all the caches are maintained within a node, for example if you are clustering it, and also the system-level details. So /metrics gives you the possibility, as an example, to work with Prometheus. So now you're able to have metrics scraped by Prometheus, and you can also have a Grafana dashboard that you might use in your operations, or any other system at home that you actually use. It also integrates with something like Cryostat, and Cryostat, if you have heard about JFR, the Java Flight Recorder, takes all the different JVM-related details, like garbage collection, if there are any bottlenecks within the JVM, et cetera; it's able to get them out as well. So you are able to use Cryostat together with OpenShift to actually get those details out of the system. So there are some comprehensive things around observability. The health endpoint is something similar, with the Quarkus Health extension. You're able to look at the health of the system, whether it's up and running.
So if you have other automation systems that have to react based on whether the health of the system is degraded or not working, then polling these endpoints helps as well. So you're able to scrape that too. And by just providing the --health-enabled=true parameter on the command line, this comes up as well. The new operator, and this is something that I will showcase in the demo as well, is rewritten from scratch. If you're a Java developer and you want to write operators; I know Ruth loves operators these days, he's working a lot on them. So Ruth, I hope you use the Java Operator SDK. The Java Operator SDK helps you as a Java developer to create operators with Java, and that's what the Keycloak operator is also using. It makes it easy for us to create production-grade installations of Keycloak, the Red Hat Build of Keycloak, in close alignment with the user experience, et cetera. And we'll see in the demo some of the things we do, like the realm import CR, which is new this time, where you can take the entire realm and import it once the server is up. And I'll also show that with some re-augmentation when we go into the demo. So one of the big things, obviously, with the operator experience is supporting all the databases that we use. In our demo, we're going to use the Postgres database, but with the CRs, you're able to connect to the databases through the operator experience as well. So some good nuggets that we use there as well. On the client adapters part, we get into, like I mentioned earlier, Keycloak having the possibility to use OpenID Connect or SAML. So you have the possibility, obviously, to use them. You have the Node.js adapter and the client-side JavaScript adapter itself. In my app, in Angular today, I'm going to use the Node.js adapter from the Angular Keycloak project.
And obviously, if you're using MicroProfile, if you're using Quarkus, you'd use the OpenID Connect extension, and you're able to do that. One thing we're definitely focusing on going forward is thinking that applications and frameworks, frameworks mostly, should be able to use the default, standard connectors when it comes to OpenID Connect and be able to work with Keycloak as well. So that's definitely on the cards as we mature this particular distribution. An important point I think I missed is that there's no more OIDC adapter for EAP 8, but there's native OIDC support that comes from the WildFly community as well, since JBoss EAP 8 is based on WildFly. So you'll be able to use that going forward. So some good stuff there. Awesome. So now let's just move on to the two words: the demo. Unless there are any questions; I could take a pause and take those questions, if that makes sense. I'm not sure; up to you. No questions so far. I was just enjoying your comments on the Java operator stuff. Well, I just had to put that in for you, but okay. Over here, what I've done is I have a Quarkus application. What I've simply done is go to something like code.quarkus.io, and obviously this is not a Quarkus demo, so I'm not going to go into those details, but I basically just generated an application after selecting a bunch of extensions and got my application up, right? When I did that, I'm using something called a book service. And a book service has a title, a genre, an ISBN and a summary. Simple; that's my entity over here. So if you're familiar with Java code, it's a simple entity, a POJO, that is a Panache entity, which is a simple way of creating entities in Quarkus and working with some helper methods, like here, getAll, et cetera, where I don't need to give all the details.
And there are positives and negatives to it, but I think from a usability perspective it's very easy to work with and to start with. The other thing I have is the book resource, which has functions like getAll, getOne, create, update, delete. And obviously what I want to do first is just show you how this is working. Next, I want to secure them as I go forward. So I'll do this: I'm going to use my Java 17, and I'm just going to start up what is called Quarkus dev mode. And obviously, as a developer, depending on which framework you're using, this basically helps me to put Quarkus into what we call dev mode. Once we put it into dev mode, it will come up, as you see. Quarkus knows what kind of things I am using underneath in my pom file, which extensions I'm using. It knows that I'm using Postgres, it knows I'm using OpenAPI, I'm using the OpenShift extension. So all of these extensions that I'm already using, Quarkus is well aware of. What does that mean? That means that Quarkus has something called the Quarkus Developer Console, so I'm going to go there, and it's on /q/dev. When I go to /q/dev, I can see, for example, there's a bunch of extensions, and I hope this is clear. Let me just make it white. Yeah. So all the extensions; for example, it knows that I'm using Hibernate, it knows that I asked for the OpenShift extension, so I can actually go and deploy this on an OpenShift server if I wanted to, but I'm not doing that right now. It has all the different extensions that I've put in my project at this time. But what's interesting is, because it knows that I'm actually using Hibernate and Postgres, if I go into my Dev Services, it has actually started up an instance of Postgres for me already, which has loaded my entire schema, my import.sql file, into it as well, and I'm ready to develop.
So over here, when I go back into my book resource, I'm able to, even if I make a simple change over here, Quarkus is able to pick that up very quickly; look at it. So if I go back here and try to hit my URL again, it's going to change, and I didn't have to restart the server, restart the application, et cetera. So from a usability perspective, Quarkus is quite smart. It understands what's going on. It's able to give me all the details that I need for working with Quarkus as well. And obviously it has the underlying database, in this case. So I don't need to worry about spinning it up. It's a container. If I go to my console here and just do a docker ps, it's the Testcontainers integration, which spun up a Postgres instance just two minutes ago for me. So that's pretty nice. I can do that. I have my API. If I go and call this on localhost, with my endpoint being /api/books, I'm able to see that my API is loading. So that's pretty much it. It's a simple thing. It has a bunch of books: title, genre, ISBN, summary, like we had over there. And it loads that in as well. So if I go back into my application and now I say, okay, Quarkus, well, I already have it, so let's just do that: quarkus extension add quarkus-oidc. You'll see that the extension is added. And what Quarkus is doing is that it's already started to re-augment my server, and it starts to do something, which is to pull the Keycloak extension into my development environment. So what this is going to do is basically start a Keycloak server through the Testcontainers integration. And it says that Quarkus has started my Keycloak instance. So if I go back to my Dev Services console and go back into this, I can see that, hey, Keycloak is already up and running. And that's awesome. Now I have my Keycloak running, and what does that mean for me? So if I go back to my extensions, I have the OpenID Connect extension.
And let's say I go into my admin; I can actually log in and start to work with my application and Keycloak at the same time. Now it already has a default realm for playing around with, and it has this quarkus-app. But what if I don't want to use that? I don't want this particular one to be used. I want my realm, my own realm that I might be working with, to be used here. So what I'll do in this case is, I already have a quarkus-realm.json file. And obviously I don't want to bore you with this 2,073-line file. I'm just going to say, okay, uncomment. And also what I want to do is, I don't want a random port to be used here, because I might have other applications I'm working with. So I want a standard port for this as well. So when I do this, obviously it's going to change. And when I go back, let's go back. And now I'm really being bullish playing with ports here. Let's see. And it's loading. And if I go back here, I can see that it's starting the Keycloak server again. And this time when it starts, it's going to use the configuration that I have provided in this particular case. So obviously I go here, I go to the Keycloak admin, and obviously it didn't work: 8180, administration, admin/admin, I put that in and go back to the Quarkus realm. And I'll see that now I don't have that quarkus-app, but I have my backend service. And my backend service is my book service that I'm working with. So now I can just start to develop with my book service on my local machine as well. So this is pretty cool. I mean, Keycloak is up and running. And all I need to do is, I have my extension in; all I need to do is make sure that I have all my configuration set and start to put in some code around this. Now, if I go back to my realm here, I have users. I have Alice; Alice is part of the role user. And then there's John Doe, who is from a different one. We'll see that one as well in a minute.
So now if I go back to my code and I have those users, and I say, okay, since Alice has the role user; actually what I'll do is I'm just going to paste this out here on the other links as well. And all these method functions, like for example on create, I want it to be user. Obviously I can change that. On my function update, I want it to be authenticated as well. And so these are the roles that I want to allow. And for now, I'm just going to use this one over here, but we can change this later as well. So what I'm saying is that, hey, make sure that only the role user is allowed to work with my service. So when I go back here and I go back to my API endpoint, /api/books, obviously it's not going to do anything, because at this moment everything has to be authenticated. So yeah. So everything needs to be authenticated, and it has to be done by Keycloak. Now obviously this is a backend service. So we are creating a backend service at this time, a new nice book service. Nothing happens; it fails because it needs authentication, it needs a specific token. So let's just go and get a token and see how that works for us. So if I do a curl against localhost, a curl against the quarkus realm, I'm going to get an access token; echo the access token, and I have my access token. So let's take a look at what that is. Yep. So that breaks the token apart. We can see that I have a user with the role user, which in this case is Alice, because if I look at my command again, I am using Alice as the username and password to get this token. So that's perfect. I have the user roles and I have some additional things in it, but that's the token I need. So if I go back now and say, okay, I want to curl my GET request with this access token, I should be able to get my API details as well. So that's how simple it is to do this. Now remember that I haven't really restarted anything here again; it just happens by itself.
So again, if I want to come here and say, I want to change the role now. And in this case again, if I go back here and try to get my API, I'm not going to be able to do that. It's 403 Forbidden. So basically it's not allowing me to do this anymore, because I've changed the role, and in this case it has to be a different user. So that kind of gives you an overview of how this could be done. Now, obviously I want to play a bit more, and we're going to do this a little bit differently. So now I move on to my Angular app. Sorry, I need some water. In the Angular app, obviously, for Keycloak I'm using keycloak-angular. I have the keycloak-angular extension. I have the KeycloakAngularModule in my Angular modules. And I also have a Keycloak service. I do a Keycloak init here, which is my localhost:8180. I have a couple of components, which are adding books, book details, listing of the books. I have the model, similar to what I had in the other application as well. And finally, I have a book service, which is basically just going to that API that we have and working with it. So the whole flow is going to be that I want this application to use my backend API that I have on this host right now. So before I do that, I'm going to go here to my administration console. I'm going to go into my clients. I do not have a books-frontend client. So I'm going to create a books-frontend client, call it books-frontend, for my Angular app. And I'm going to have simple authentication, no changes there. And the root URL is going to be localhost:4200. That's my app, ng serve, for example, at this time as well. So that's done. And we have that, clearly; perfect. So this looks good. Save it one more time. I'm just being paranoid, but okay, let's be prepared for it. And then I'm going to start my application with ng serve, making sure that I have the right URL for my Keycloak. Perfect.
And then I believe in my environments, I should have the right URL for the localhost. Yes, I do. So ng serve will build this up and we'll be able to use this locally. And let's just quickly take a quick look how this actually works. I'm gonna go up here, try on the browser localhost 4200 and automatically rather than going to my front end, my Angular front end, it redirects me to the Quarkus realm which has this particular front end client that I put in. So if I say Alice and Alice again, I should be able to see the books, right? So perfect. I'm able to do that. I'm able to edit this, I'm gonna make a mistake here. And Alice is making some mistakes just like a simple user and Quarkus has been renamed in sort of like a different way, SQuarkus. So we wanna fix that, right? And we don't want these mistakes to happen. So how are we gonna work with that? So let's say we don't want all the users in here to be able in our organization to do this. So what we're gonna do is that I'm gonna use my put method which is my update method. I'm gonna change this to confidential. Save this and obviously when I go back, refresh my app and try to edit which one is it? This one cannot access this book. So it's not letting me access this book anymore and that's because I don't have the right user. So let's log out and this time I wanna have a different user and that's John Doe. Perfect name for a user, a confidential one. And here obviously I can change details and the update is as well. So here you can see the update is done. Sorry, and I can just reload this. I can see that the verification is done. I can see my tokens are being assigned all of these details. Obviously also one of the things that you'll see is if you wanna know all your details about what endpoints you can use, et cetera, you also are able to do that locally using the .well-known OpenID configuration as well. So all those details, and encryptions, et cetera, everything is available to you.
So this is a nice way of developing applications. So it helps me to work with it. But then what about if I wanted to deploy this application, there comes the interesting piece which is in my case on this side of the window. I think I'm just gonna make it bigger is using the operators. Now this is my OpenShift workspace. My namespace is called RHBK. What I'm gonna do is I'm gonna install a new operator which is called the Red Hat Build of Keycloak operator which you will find on the operator hub. I use that operator. It says it is the build 2206. I'm gonna install it. And actually before I do that, let's take a look again. It has certain features. It's able to do basic installation. It's able to do upgrades, full life cycle, deep insights. So there's tons of things that you can do. Most importantly, it's able to install Keycloak in a namespace and it can also import realms. And that's exactly what we're gonna try to do right now. We're gonna install this in an RHBK namespace. So we can install it in multiple namespaces if we wanted to. But this particular operator only installs in one namespace at a time. So we're gonna do that, install it in our RHBK namespace. So while that's happening, obviously, the operator part is being provisioned. We're gonna see it here. So it's going to come up. I can see the logs, you know, it starts to create itself. And this is again, based on Quarkus, comes up pretty nicely and quickly. So we're able to do that. But for this to work, I also need some more details. So I'm just gonna cheat a bit here. And the cheating is because I do not remember all the YAML by heart. So I'm just gonna bring in my readme file which sort of has some YAML for me. What I need to do obviously is to create my database. I wanna create a database in the backend. And this is a Postgres database I use with Crunchy as an example and I'm able to do that. So let's do that, creating the database. And you can see that it's gonna come up.
A Crunchy database will come up as well. What I can then do is, which I've already done, I create an OpenSSL certificate. So basically saying in my subject, I'm gonna put in, for example, my CN which is pretty much, if I look here is the Keycloak RHBK app. So if you look at it, it's the RHBK project I have. And then it's the route which actually it serves on. So what I wanna do is obviously I wanna make sure that my system is secured. And like I said, in production, it's default secured. And I don't wanna disable HTTPS. So I need to generate these files. They are generated again. And what I'm gonna do next is, I'm gonna load this into OpenShift as well to create a TLS certificate into it as well. So here's, for example, my secret, which will have my certificate and my key file as well. So let's just create that. Actually, I hope I'm in the right project. I should check that first, oc project. Yes, I'm in the right project. So always make sure to be in the right project. I've made that mistake many times. TLS, we do that, load that in. So if I go into, for example, secrets here with my RHBK project, I will see that my example TLS secret has been loaded. What I also wanna do is create a secret for my database that it needs to connect to, and we're gonna do that too. So a generic database secret that I also push in here. So now I have two secrets that I wanna do. And next, what I want to do after that is basically create my instance for Keycloak using the operator. To do that, I have a hostname. Obviously the hostname binding has to be correct. In this case, it has to be the correct place that I'm pointing to. So I'm gonna copy this one just like I did for my certificate. Put it here. Example TLS secret is there. I have my DB secret to connect to my database. I think this looks good. Let's hope so. So Keycloak will start. If I look at my operator, it has already started beginning the provisioning of this Keycloak instance. It comes up pretty fast.
If I look at it, logs wise, there you go. It's up already. That's quite amazing. What I do wanna do is get my, when this is created, obviously, it's gonna get, I need to get the secret, which is the example KC initial admin secret, which is my admin username and password, because that is what my operator would create by default. So if I go here onto the operator, obviously this is a self-signed certificate. Proceed anyway, go to the administration console. And here I am able to log in as the admin. So now you have the same thing. You don't have the quarkus realm here, right? That was something that we had in our local environment. So obviously we wanna make sure that we are able to load that. And with this new operator, we can do that as well. So let's do that and then let's get into some more details. And obviously for that I would, I have obviously created that file that I would use. Let me just get it one second. Because I have to, in this case, this was a JSON file that I used with my Single Sign-On and I converted my Keycloak JSON realm file into a YAML file, which you should be able to do with simple converters as well. So what's it doing? It's the same 2000 plus lines of code, but it's also saying, hey, this is my realm, import this, the ID and the name of the realm is quarkus. So I create this and then it's gonna start to create it. But if I go back here and I look quickly that there is something happening is that the realm quarkus is being created and it's going to be loaded within this specific instance as well, which has reinitialized itself as the realm is loading. So this is pretty interesting. It sort of re-augments itself, the server, and starts to reinitialize the server with the new realm and all the settings. This means that if I wanted to add extensions or custom code, et cetera in the future, I would be able to do something similar to that as well. So let's go back. I think I will need re-authentication.
If I do anything here, we'd probably do that. Yes, administration console. And then I need to get my password again. And I'm able to do that. And now if I look at it, I have the quarkus realm as well. I have the clients. It's the same realm I used on the local. I just converted it to use over here. I have my backend service. I will need a new service that I need to put in, which is my Angular service. I have the same users that I needed. So let's quickly go and deploy this application into OpenShift as well. To do that, I have already done some pre-configuration. I have the quarkus OIDC auth-server URL. So this is my auth-server URL that I just created. The backend service is my client ID in this case that I work with. And then obviously I have a secret, which is super secret called secret. I'd say it's a service, but also because I have a self-signed certificate, I don't wanna do the verification, otherwise the server is gonna fail. So all of that is in place. What obviously I wanna do before I put my app up is I wanna install my Postgres database because that's where my data is gonna live. And I do that quickly as well. And my Postgres database should start coming up. If I go back here, yes, it's coming up as a books database. Perfect. Now all I wanna do is I wanna deploy this quarkus app into my machine as well, into OpenShift as well. And with Quarkus, I can do that through my command line by providing the deploy functionality with the OpenShift extension that I'm already using. There's different strategies you could use. I'm in this case using the OpenShift S2I. You could also use a Docker build strategy, et cetera. But what it's gonna do is it's gonna just go in there into my OpenShift environment and it's gonna start a build. And here you see the book service build is going on. It will start and then it's gonna push my book service into an image that it's gonna be used by OpenShift as well.
Let's do this as well quickly that while I do that, I'm also gonna deploy the Angular app. And to do that, again, I can use OpenShift as well. Just gonna change my server URL here for Keycloak. I need to do an ng build to build this so that it has the right things in it. And I think my Quarkus service is taking time. Okay, it's there. So it should come up there. It comes up right now. The book service, it won't get directly working right now because I will need a token but we can check that quite quickly. The Quarkus service is up. I have a specific URL. So if I go back to doing my curl command here and in my curl command, I am going to simply change my URL. In this case, oops, not that one. Too many copy pastes can happen. So let's take it here. Control C and control three. We have that now. And I should be able to get my token, echo, access token. We have our new token, perfect. Now, obviously I wanna curl this and check that I am able to do that as well. Yeah, that should work. And there you go. So we have our token working. We have our application working. All we need to do now is deploy this front end. So I'm just gonna create a new app, sorry, new build, which uses httpd in OpenShift. So it's basically using the S2I image again for Angular. And then oc start-build is gonna start this build. It's gonna take all this code from my local machine and it's gonna push it into the OpenShift environment as well. Next I will do is I'll take this container image and I'm going to create the application, which I should be able to do quite quickly and expose it. And then we will have our fully functioning app with the front end and back end as we do. So new app, do this. That should create the new app and then oc expose. Should expose my URL. So if I go back here, I should see my bookshelf UI. I click on it and it should redirect me to Keycloak and it doesn't. And guess why? Why it doesn't? It is because I have not set up my client yet. So let's do that quickly.
Create the client, client ID, books. Front end, next, next. And root URL, same thing, save. And if I am doing it right, this should be the moment. Yes, so now I have Alice in Alice as a password and I can log in. So I see the books, I can edit them. I probably cannot edit them. Yep, and because I'm not the right user, oops. So I'll log out. Some problems there, obviously there are demos and I'm gonna log in and be able to do that as well. So now I can edit my books, not the best way to edit, able to do that, et cetera, able to add all of those through the different roles that we saw. Obviously with the new front end, the administrative console as well, there's some nice features. If you're looking at client ID, you wanna know what that is. It gives you some details around that too. It has the options, more options with run settings as an example. It's more divided, plus more importantly, it has these nice tweaks where you can actually go into, okay, I need to know how these groups work and what I need to do, it's able to go into those guides as well. And I can see I'm only left at four minutes. So I'm gonna pause here and I did not see your screen. I did not see any questions coming up. So Ruth and Issa, you can keep me honest here. So there aren't any questions in the chat as yet. I've got a question if you don't mind. In terms of the databases that we support as the backend for Keycloak, do we support any databases on the cloud vendors as first class databases? You mean databases like Aurora, et cetera? Like the Azure Database for PostgreSQL and the Amazon RDS for PostgreSQL. Are those supported as part of the build currently or is it limited to things like Crunchy Postgres? Yeah, I think the standard databases that we supported with Single Sign-On are pretty similar to that. So even if it's Oracle, you'll be able to do that. So there's a list of them. I guess Issa, maybe you might know exactly if there are any cloud vendor databases that we support.
Yeah, I can take that one. Basically, we do not support these cloud-managed databases because there are a lot of them and we struggle to have the team capacity to be able to test those because we can officially support them as long as we have conducted some tests and make sure we are happy with the test results and they work perfectly fine with the product. So far as of today, we support these five databases. They are on-prem databases, but let me share a knowledge base article that may help. We are going to support Aurora PostgreSQL-compatible and RDS PostgreSQL. So for commentary, reasonable support and we plan to officially support those in the upcoming release update of the Red Hat build of Keycloak. So to simply put, they are not officially supported, but a customer, they can raise support exceptions if they don't have any other options than using these and we will see what can be done. But officially, we can't plan support of this until we have tested, so. Okay, cool. I'm not seeing any other questions in the chat. Do you guys want to say something to finish before we close it down? Have you got sort of any URLs we can share in terms of landing pages or product pages? Yeah. Sorry, go ahead, Yusuf. Yeah, landing pages I can share. It's, let me put it on the chat. So it's this one for the product page. It has links to the download page. It has links to all the documentation and yeah, the knowledge base articles that we published and links to how to get engaged with support so how we can open a support case, call out Red Hat support, so. Okay, sounds good. I say we've hit the hour. Thanks for that, guys. That was a really cool demo. I do like watching Keycloak in action. And the demo goals were pretty nice to you. Yeah, were, yeah. Yeah, yeah, yeah. Thank you, thank you. It's all I can say, yeah. So thank you. Running a remote cluster is never an easy thing, you know? So. Oh, absolutely, absolutely. I've had too many clusters go down in the middle of my demos.
But that was brilliant, thanks for that. Thanks for everyone for tuning in. Thanks for putting up with the problems we have at the stream. We'll sort that out for next time. And if that's the case, I'll say goodbye. Cheers all. Thank you.