Good morning, good afternoon, good evening, wherever you're hailing from, welcome to GitOps Guide to the Galaxy. I am Chris Short, host of Red Hat Live Streaming. Eventually I'll say that correctly. And I'm joined by the one and only Christian, the GitOps Guy, Hernandez. How are things with you, Christian? It's been great, yeah. I also need to pivot from saying OpenShift.tv to Red Hat Streaming, right? Like we sold the startup, now we're official, we should fully embrace it, right? I have to go Google OpenShift.tv and find every instance of it, though, at this point. Because that's how it's spread very quickly, yeah. Yeah, so I also need to make that mental switch because it's a good thing, right? That's a good thing. So, yeah, doing great, as you all see me and Chris here, Chris and I, yeah, we coordinated shirts. Did we actually do it this time? We did coordinate it this time. Yeah, we did coordinate this time. It was not by happenstance. Yeah, yeah, it didn't happen this time. Yeah, yeah, it didn't happen by accident, how it usually happens. So, yeah, so today, packed show, right? Because we're kind of revisiting RBAC, as some of you, hopefully you've forgotten, but I'll remind you. We did a show about RBAC, right? And the demo kind of fell on itself. I mean, do you want to go into it or not? Well, I mean, you know, let's embrace it, right? We embrace failure. Go ahead, link to the old one. So, I figured we talk a little bit more about RBAC, kind of, you know, review some of that and kind of actually, hopefully, if the demo gods are with us, go through three different demos. So, it's kind of packed today. So, yeah, let's roll. So, before we get to it, I actually have some things to share. So, let's do my best impression. How's the universe? Yeah, how's the universe? Let's ask the galaxy, right? Let's take a quick, let me know when you can see my screen. Oh, let me move this little thing. Yeah, you see it, let me move this little thing. 
I'm gonna do my best Andrew Sullivan, right? That's like top, you know, topical things, right? But I like the way you put it, right? Let's take a spin around the galaxy, see what's going on. So, a couple of things I do want to mention is the, let me put this in chat, in the stream chat. So, you guys have it. So, we released, so by we, meaning the community released ApplicationSets, version 0.2. So, and that'll be alongside with Argo 2.1. So, here, this is a great article here from Jonathan West, who is not only a member of the Argo community, but is also a Red Hat engineer, kind of wrote up this little clip here about what's new in the release. We've talked about ApplicationSets before, right? So, when this comes GA in OpenShift, I'll revisit this and, you know, talk about like what's new and upcoming. But if you're like me, if you're like living on the edge, the edge of the galaxy, go ahead. Go ahead, read that article and take ApplicationSets for a spin, right? Especially if you're using them already, there's some really cool new generators and some bug fixes and whatnot. So, I'll let you guys take a look at that. We'll promise, I'll come back to this because there's a lot of cool stuff I wanna talk about. Let's go. Also. This is an office hour, folks. It's anything about GitOps. So, you know, feel free to ask your questions. We'll get everything queued up and we'll get you answered. Yeah, we'll help you out where we can. If we can't figure it out, we'll make it up. So, don't worry. Yeah, we'll make it up. We'll find somebody that can actually help you. Yes, okay. We're good people. We're good people. GitOpsCon North America. The schedule is out. So... Schedule is out. I just dropped the link. Schedule is out. You dropped the link, perfect. So, schedule is out. Lot of cool stuff going on, right? I'm actually working on a lot of cool speakers. I'm working on a blog, kind of highlighting everything that's coming up here. 
But just some of the key things is that I wanna highlight. First, Dan Garfield and Scott Rigby, who were actually on the show before. Separate occasions, right? They're gonna do kind of the state of GitOps and the GitOps working group. So, that's gonna be kind of exciting to hear. I have a keynote there. So, kind of a little, you know, little bump for me. Day, yeah. But we do have things like end user stories, right? There's, you know, we have architects from Chick-fil-A, Starbucks, CERN has a talk. So, that's gonna be really, really interesting. That's really cool. I'm gonna be excited about that. People from State Farm. And then, you know, the usual suspects, right? Red Hat, Weaveworks, Codefresh is there. So, you know, people from VMware. So, it's a really action packed. It's one day. We actually had enough to make multiple tracks, but since this is a co-located event, and we only had one day, we only have one room. So, we decided, so we have a single track, but there's a lot of things that's up and running. So, go ahead, check out the schedule, build out your schedule, and don't forget to register, right? So, you can register on the same page, or if you're registering for KubeCon, there is a, you can add it as well. So, remember, it's also a hybrid event. So, if you can't make it in person, they are gonna be streaming it on the CNCF platform, right, whichever platform, I forget which one they use. So. I forget the name of it, but yeah. So, if you can't make it out to LA, right? No big deal. No big deal. I'll be there in person because I live here, but. Right. But if you can't make it out. Christian, the only one with a valid reason. Yeah, exactly. To travel to the convention center, yeah. Yeah, yeah. Well, actually, yeah. Well, the drive's gonna be as if I'm traveling. That's true, LA traffic's bad. So, for those that know. So anyway, if you can't be there in person, you can be there virtually. So, it's gonna be a hybrid event. So, no worries there. 
So, one last thing. So, you can, talking about conferences. Remember? Oh yeah. I've already registered for this one. Yeah, ArgoCon, it's gonna be December 8th. CFP still open, right? So, we'll be there. Red Hat, Codefresh, Intuit, kind of the core maintainers of Argo. Specific to Argo, right? So, this is not just Argo CD and GitOps. This is like Workflows. This is Image Updater, ApplicationSets, like everything under the umbrella of the Argo project. So, I'll drop this also. I got it. I already got it. Oh, you got it. Look at you, you're on top of this. I'm fast, man. You are quick, man. I've been doing this for a while. So, yeah. So, it'll probably be virtual. We talked about it maybe being in person, but it'll most likely just be virtual. Stay tuned, but it'll, it's 90% be virtual. So, yeah, cool. So now, topic at hand. Let's get to it. So, it's RBAC, right? So, this is a topic that always comes up, especially with people, especially with people first adopting GitOps and Argo CD in their CI/CD workflows or in their environment, right? Because it's like, it's the first thing that's top of mind, especially for like me on the admin side, release management side, that's like a really, really important. So, just the recap, right? If you didn't watch it, I don't know if you, oh yeah, you did put, you posted it. So, in the link, we talked about RBAC, kind of in depth before, so I'm just gonna go over really quick about how RBAC works in Argo CD before we kind of dive into multiple ways of doing it. So, let me make this a little bigger here. Just in case. Yeah, please, I was just about to ask you that. Yeah, make this a little bigger so you can see. So, let me put this, did you put that in the chat? I'm grabbing it right now, but you can do it if you want. I beat you to it, first time. Okay. But I'm bookmarking it. Yeah, you're bookmarking it. So that way, you're quicker next time. So, Argo CD actually has two built-in roles. So there's two. 
So, there is read-only and full admin, right? So that's kind of like the two extremes. Wow, lots of options, yeah. You can either only, you're only looking through the window or you're inside causing a ruckus, right? There's no, so there's no, and the default is read-only, by the way. So. That's encouraging. Yeah, so the default policy is read-only, like if you don't define it, right? So the way RBAC works, you know, after like the built-in one, it's like, well, if you need something more granular, you have to like, essentially build it yourself in Argo CD. So it actually gets, so essentially it's the idea of like Legos, right? Like we'll give you the Lego pieces, but you have to build it yourself. And so there are, when you're setting up your RBAC scheme, right? It's essentially, it's a configuration file in comma-separated values. And you essentially start with like p, meaning you're gonna build a policy. And then you're gonna target a role, a user, a group, whatever, right? Whatever you scope it down to. So for most people, it's gonna be a user group. And then the resource, right? And the resources can be, like this explains down here, it could be clusters, it could be projects, it could be applications, it could be repositories, right? Resource meaning like a resource within the Argo CD world, right? So you can see- Not a Kubernetes resource. No, not a Kubernetes resource. Argo CD resources, things like, you know, the things that are listed down here. So, and then an action you can perform against that resource. So things like get, create, update, delete. So you think of the CRUD, right? So kind of just basic things that you can do to a resource, right? You can update it, you can list it, you can, you know, delete it, have some things called sync, right? Sync specifically to Argo CD, you can sync the resource. And that's the object, the action. And then the object within the resource, they can perform that action on, right? 
So let's, if that sounds, all sounds confusing, it is. Because it was confusing to me when I first, when I was first diving into it, right? So it's fair. I would be kind of dumbfounded too at first, yeah. So I'm like, wait, what? Like, so then how do I build these? So tying it all together. So even the examples are a little bit, I think, upside down because they give you the policy. So open up everything. First, yeah. Well, they give you the policy first and then to me, it makes sense, like building. On top of. Yeah, you're like, I guess you're building on top of your roles, right? But for me, I like to build my role first and then assign the policy to the role. But in my mind, that's how it works. This example, this is why I'm starting at the bottom. I guess this is a long way of me saying, I'm starting at the bottom and going up. So this g in your policy, oh, by the way here, it'll say default policy. You can set default policy to, you know, specifically to read-only or admin. But if you don't, yeah. Please don't put admin, right? Don't put the default policy. Right, it should be denied by default. So here, what you're saying is, all right, I'm gonna, a group, right? And it says here, your GitHub organization, your team, so right away, you're gonna be like, okay, little hot, you know, and I'm gonna say role org-admin. So a few questions pop up. Right, right. So first, you know, you said there's only two built-in roles. So why, why is this, there's different roles now? Like how? Yeah, where did this come from? So where did this role come from? First question, right? A second question, how does it know my GitHub org and your team, sort of thing? So yeah, structure or anything like that. So stepping back just a little bit, and then I'm gonna jump right back into the Argo way of looking at things. So like, technically speaking in Kubernetes, there's not really such a thing as a user or a group, right? It's just a label that comes along with an API call. 
Right, so your API call just comes with a label saying user equals, you know, Chris Short or a group equals admins, right? But there's no like a real thing in it, right? As it grows, obviously there's, you know, the created objects and stuff like that. But if you just really think about the API calls that are happening back there, that's all it is, right? So now jumping back to Argo CD, similar thing, right? Argo CD doesn't house users or doesn't house groups in the traditional sense. It basically relies on the platform to pass that information onto it. So, when you say your things like your GitHub org, your team, that's just the label that comes through Kubernetes, right? So in the OpenShift world, when you connect to your OAuth, your OAuth is gonna have certain fields in it like group membership, right? And that's gonna come through into Argo CD, so. But it only comes through in the labels that were given to it, or you gave it. Correct, yes, yeah. It's only coming through in the labels that were given to it, right? So then, so it's very important how you tie those things together. And then when you're saying role org-admin, you're saying, okay, policy, role org-admin, applications, it can do anything to any sub-resource, I'm gonna allow that stuff here. So like down here, I'm gonna create a policy. So for role org-admin, for the repositories, I'm gonna allow for it to delete everything in that. So you're setting up policies, all right? So then you have, you set up your policies in this weird, weird way, right, granular way. And then you set up who it applies to and how do you tie those together, right? And that is in this next thing here, so let me put that. In the project, right? So then when you're talking about projects, you're talking about the Argo CD project, not the OpenShift project, they're independent of each other. And they have their own view of how these things go, right? So, yeah, don't conflate the two. Don't confuse the two, yeah. 
They have the same name, but they're different, so. Yes, they are different things in different places. So the biggest difference is that an Argo CD project can span multiple namespaces on OpenShift and Kubernetes. Whereas it's a one-to-one relationship on OpenShift. So that's why it's kind of hard to think about it. So I'll let you guys read some of the boring stuff here, but what I want you to take away from this document here is that, so here. So when you're specifying your AppProjects, you're gonna say, hey, in my AppProject, here are the policies I want to target these groups, right? So you're saying policy for this, this role can get all the applications under projects and then apply that to that group. So this is kind of like the high level and it's really, really hard to like grasp all the little pieces. So this is why I ended up just like having three demos because I think it's just easier just to see it in action versus trying to piece all these together. So let's go through, let's go through the three demos, right? So I'm gonna go through three demos. The first one, this is using OpenShift GitOps and Red Hat SSO. And so I have to say this first demo is the one that is 100% supported. So this is, so what I'm showing you is 100% supported. This is the way where, if you're gonna do it, do it this way and you can call Red Hat and Red Hat will help you throughout this whole process. So happily help you through all this process. So I, because the reason I call that out is because I'm gonna go through other ways that are not supported. So I decided on the first one to go full support here. So let's go here. I should have here, let's do oc get pods. OpenShift GitOps, right? So I installed the operator already because that's just easy, right? You just click a button, you saw the operator. And I linked to the docs for folks. Yep, and then, and so what is easy here is what you want to do is, so in order to set up for SSO, you have to do two things. 
One, you need to have some place to call. Yeah, well, oc, so the operator takes care of this for you. So you have to do oc edit argocd openshift-gitops in the openshift-gitops namespace. All right, so here it's pretty easy. You go down to the spec and then you add sso. And then you do a pro, I think provider, provider. Provider makes sense, yeah. Yeah, keycloak. I spell it keycloak. There's a spelling that I'm ready to see. Yeah, both are in. All right, so essentially you just add, you just tell it in the specification and then you add sso and then you add sso. Specification keycloak. And then this will kick off a deployment. So if I do a get pods here, as you see here. So that's adding, so this is. Just adds a pod. So essentially, oh, and it adds all the connections for you. So, Okay. So like, right, yeah, so. So normally in your SSO, like if you're using Keycloak, so for those of you who use Keycloak, you have to go in, create a provider and then add the OpenShift as the provider and then add the OIDC connectors and then tell Argo CD to, this is your OIDC, O-I, OpenID Connect, O-I-D-C bridge, to, you know, whatever, right? So all that stuff. The operator does all that for you. So me as a dumb admin, I like to pull back up. oc rollout, oops. oc get deploy. I think it's deployment. Let me clear this, but it's not a deployment. It's not. What is it? It's a pod. Yeah, it's a pod now. Is it a StatefulSet? But yeah, what was it? Oh yeah, it might be a StatefulSet. No. Or it, no, that's not it. DaemonSet. DaemonSet? We don't know what it is. How do we not know what it is? That's a good question. We'll see. Is it a DeploymentConfig? Oh, it's a DeploymentConfig. Look at that. There you go. All right. Let's go pods. I think it should be fine now. You get your gold star of the day, Christian. There you go. Yeah, it takes a while. So yeah, so then that is getting set up. So for, I think, should we wait for the rollout? Should we try? I mean, yeah. 
So if you want, you can rollout status keycloak, right? So for those, there we go. There we go. See, I told you, but. It's out. All right, cool. So that's it. We'll see, oc get routes openshift-gitops. And then we have, It should be. Right there. There we go. That's it here. So let's go here, accept the self-signed certificate. So here you'll get, come on. Oh boy, here we go. Let's go. Come on. There we go. So here it'll, it'll, it'll give you, if for those of you who use Keycloak, it'll have this password, man. Yeah, you're saying password there here. So before I click. So let me just click here. Right. What happens? Right. And so here's a caveat. So one caveat. So one here. First time you do it. Well, see the thing is usually here, you'll do kubeadmin, right? And then you'll want to do kubeadmin. You're not supposed to, but yes. I do. Well, well, and, well, most people do, right? When they're testing and, and even some of them keep kubeadmin around as like an emergency fail. Yeah. Like as a fail safe sort of thing. Here's the caveat. You can't use kubeadmin with Red Hat, so with Keycloak. No, not with Argo. It works with Argo. Just not with Keycloak. All right. So here, so that's, that's one issue. So you need to actually have a user. So, so for this, I have OAuth. So oauth.yaml. So here, what I'm going to do is I'm going to just create a simple htpasswd provider. Okay. And the htpasswd is just going to be ocpadmin, openshift, right? Like it's just, I'm just going to add, add that password file so that we can use that user. It doesn't have to be htpasswd. Remember, it could be whatever you want on OpenShift. OpenShift could connect to whatever you want. GitHub, GitHub, yeah. Yeah. Whatever you want. I'm going to apply that and try to get, there we go. So, okay. But then that, that'll cause the API server to, to reload. So while we're waiting for that, let's give that user, which is that user ocpadmin. 
Let's give that user permission, cluster-admin, right? Cause that's what we want. oc adm policy, policy, policy, add-cluster-role-to-user cluster-admin, but to the user ocpadmin. Cool. Wait, oh. There we go. Yeah. Yeah, it's not found. That was weird. Yeah. Yeah, I always, yeah. And I always do it twice too. Just technically the first time it works, but I just do it the second time. So that way it doesn't, I hate seeing errors. Like, come on, why, why throw the warning? Yeah. So this, I have to close it here. Let's do an oc get pods openshift-apiserver. There it is. So that should have, although, or maybe- Would it? Something else. Well, it should have, it says age two days. So I don't think it rolled it over. It should have, I think. Oh, let's try it. Let's get the route again. Yeah. All right. Again, Keycloak, log in with OpenShift. So now here, this is what, all right, so provider. So now you do it, htpasswd provider. So let's do ocpadmin, whatever the password was, openshift. You had it. We're very secure here. Yeah. All right, so here, obviously with the OAuth, it's asking you what information you need. I want the user's full information, cool. So here, it brings you up this little information here that you have to provide. Who art thou, right? Your email, right? So I'll put Chris Short at redhat.com, right? Chris Short, right here. I need to provide the information so it saves it in Keycloak. So you do that. And there you are, right? You're logged in. And if you take a look here, where is user info? So here it has the username here and the groups here. So here's another caveat. Wait, so it creates a username and a group of the same name? Of your email, right? So here's another caveat with using SSO. So let's create a group. Let's go oc adm groups, let me clear this so you guys can see it, oc adm groups. And I always have to get the help, new. Who doesn't? Who doesn't need the help? Let's create groups, group groups. 
Well, okay, give me a cool name, a fun name. Banana. B-A-N-A-N-A. Oh, I should have given you one that you could spell easily. Yeah, exactly. That's Mississippi. Yeah, that's right. And add that OpenShift admin to it, right? Okay. And so then if you do oc get groups. It'll be a banana and a cshort. A group, and then ocpadmin here. If I reload this, that group doesn't come through. So there's an issue with SSO where it doesn't pass through the group to Argo CD. So there's an SSO. So then that's why I had to enter in the information first is that I have to- Because it didn't get it from SSO. Correct, yeah, nothing came through. It's just your username just came through. So we're doing those fun things here. So then also I need to give the controller admin access one second. Okay, cool. So next step is actually setting up the policy for this user slash group, right? And that is done in the config map, I believe. Checking out my notes here. Where is a config map? Ah, here it is, okay. So it is a config map. So it's clear. Here's oc get cm openshift-gitops. argocd-rbac-cm, there we go. There it is, nice. So let's edit. So here, cool. So then policy default read-only, right? So that's the read-only. Good job. Good stuff here. And then, so the policy.csv, so let's create one, let's call it a g. So the group, c, what do we call you? Go back to the docs. There we go. No, we called you cshort, yeah. Should have just done short, that would have been easier. Yeah, it would have been easier. Oh, wow. Okay. Do you have that email address, short? I do. Short, short, I read that. That's great. All right. Chris, I'll take short. I'll do a role here and then admin, right? So remember, the admin role here is a built-in role, so I don't need to define anything else. Right. Built-in. So I don't define anything else, I just say, for the group, whoever's part of the cshort group, cshort@redhat.com, I'll give it the admin role. And then so, and there. 
So then actually that should be it. So let's create an app. Then project, default, I thought that was do manual. Let's go to my. Dandy. GitOps examples. Well, what's funny is that there was someone posting an issue on the CNCF Argo CD Slack channel and they were having trouble testing something and it turns out they were just using my repo and I was like, well, like, this is like my, this is my scratch. Personal space. It's like my notepad. Yeah, exactly. Like, don't read instructions from my notes, please. Yeah, yeah, exactly. Don't, this is, this is ugly. So I mean, it's fine to get ideas and stuff, but don't actually use it directly. I'm not calling your baby ugly. Yeah, but it's ugly. No, I'm 100% there for you with you. So BGD, so let's do that. That one's always easy. That's BGD. And then again, so then I'll create this. This should create it here. Let's synchronize, synchronize swatches. Yes. Come on. Sync. I can realize how high I had to hold up my hand to show my watch. There you go. Cool. So, Chris Short is able to do all the fun things. So admin, right? So this kind of shows that you can offload authentication to something else with Red Hat SSO. So this doesn't necessarily have to use OpenShift's OAuth, but I think it's just easier, right? Because you're using, OpenShift can connect to GitHub or LDAP or Active Directory, Google, I mean, all kinds of stuff, right? And you can use the users coming through that way, right? And this is 100% supported. Why do I, oh yeah, this is another thing. I'll show this something else. But so yeah, so that's the idea of using Red Hat SSO. So the caveat is that groups don't come through, right? So if you are, if you are those people that just does everything with groups and not individuals or users, this may not work, right? You may have to tweak your workflow. Yeah, you might have to better out your groupings a little bit, you know, in advance, yeah. And then a second one is you can't use kubeadmin, right? 
So you have to actually have to use a real user, right? Real user. So you have to actually have to use a real user, right? Real user on the platform, right? So, but other than that, this is 100% supported, right? All right, with the GitOps operator, Red Hat SSO, it all works, it does it for you. As you can see, I only had to do a few tweaks here and there, but other than that, it works out just fine and you can call Red Hat for it. So that's number one, right? Right, so this is supported. Now we're moving into uncharted waters. So now we're gonna talk about unsupported territories. Let's go to the next cluster, I'm here. Cluster I have here, I built three clusters, so just to kind of keep it separate. Your cloud privilege is showing. Yeah, exactly, you're 100% right on that, right? And so, so I didn't install the, I did not install the operator here for a very specific reason is because the unsupported way starts all the way from install, right? So on install, I actually need to tell it that I'm running unsupported. So let me take out my notes here so you can kind of see. So here, by the way, this is how you install an operator from the CLI, right? You just provide a Subscription and it just, magic happens in the background. But then here I have to add this configuration, right? So config, env, DISABLE_DEX equals false, meaning I actually want Dex. I want to be able to use Dex. And so are the pods up and running? oc get pods openshift-gitops. Not yet, I have a little handy dandy script here. All right, so we'll start waiting on that. So by default, the GitOps operator disables Dex because it's not officially supported by Red Hat. So again, this method here is not supported by Red Hat, but it works. It's one of those things, it's kind of hard to explain to people. Being an open source company, right? 
Because usually when a company, this is especially true like with Oracle or Microsoft, like when they say something's not supported, it means two things, meaning like one, we won't support you and two, it doesn't even work, right? Whereas like in the open source world it's like, well, it's not supported in that you can't call us, but it actually technically works and it works fine. So, and this is one of those situations, right? Although it technically works and I'm showing you how to do it, it's not technically supported. You can't call Red Hat for it. So, so we're- I just dropped a little chat. So in case you were curious, please read it. It's recorded, yeah. That's right. And then to find myself is essentially what I'm doing. So, stuff's coming up now, cool. Stuff's coming up, cool. So here, similar to the SSO, is actually you just kind of modify the operator and the operator does everything for you. Okay. So I have actually a specific patch. I'll just run the patch and then we'll take a look at it after, right? Because that's like, what are you doing there? It's quite the patch, yeah. Yeah, it's an ARLEE patch, right? Well, I'm all about automation. So it's like a script. Well, I get it. Well, your copy is awesome. Yeah, exactly. It's hard to read, right? So let's do this, export argocd openshift-gitops. And then let's write that to temp, osu.go, yeah, yaml. And then code. Oh, what could you do? Hopefully you're sharing your whole screen. And you are, wow. So is that, whoa. Yeah, no, whoa. Put that thing away. Put the search thing again. Yeah, there we go. Yeah, so yeah, so there we go. By the way, for those that you saw, I saw I ran an oc export. That's not an actual command. That's a plug-in I have. That's for those of you who are curious. There's a plug-in here, so in case. Okay. So, yeah, let's minimize this. We don't need that. Here we go. Here's the section I want. Hold on. Where is it? There we go. I think it's missing something. Hold on. 
Maybe my export didn't work. Oh, here we go. So there's Dex, right? Okay. So here I say dex, openShiftOAuth equals true. So essentially I'm saying, hey, Dex, I want you to set yourself up for OpenShift OAuth. So it's already built into the Dex image, even upstream, right? So it's already built in. So you can use this with OKD or OpenShift. So that's just step one, you're just enabling Dex. All right, step two is kind of like where the gnarly configuration is. So here we go. So here I'm setting up RBAC. All right. In line 63, you see default policy, I set to blank. And when you don't specify default policy, the default policy is read-only. And then I'm saying, anyone who's cluster-admin, I want you to assign the role admin. So anyone who's part of group admins is part of the role admin. So that makes sense. That's the built-in role. The group developer, so anyone who's part of the developer group on OpenShift will have the role developer. And same thing for the marketing group. Anyone who's defined as a marketing group on OpenShift will be defined role marketing. So here's where it gets kind of weird. You're like, okay, well, there's a built-in role admin, but there's no built-in role developer. So where are you defining that? And that is actually in the deployment of the, where is it here? Cluster configuration, let me make this a little bigger. So when I'm creating an application project, I'm gonna create an Argo CD project called priceless. And then here I'm gonna set up the developer role, right? The policy is, it's okay here. Anyone who's, I'm defining a policy called developer and they can get everything under this application, under this, all applications under this project. And then I'm setting get, you can sync all applications under this project and I can get, I have like basically view of everything under this project. So that's where I'm setting these policies. And so essentially you can think of this column here as the group as it comes in to OpenShift. 
And then the role marketing is how I'm defining that role inside of Argo CD. And that's like where the connection happens. And again, I'm gonna scope out the group. So that is, and then the other copy pasta stuff is just resource customization specific for this application. We don't have to go through all this. Maybe I'll do a stream about resource customizations and what you can do for Argo CD. That's actually a good idea. Maybe, maybe I'll do that. Yeah, that is a good idea. It's like, how do you customize how Argo CD checks the health status of things, right? So especially if you have, if you're creating like CRDs and stuff yourself, you wanna control how Argo CD handles those. So I just saw in chat that you have the referee. Go, go. Yes. That's great. I love that. So let me, let's exit out of here. So, cool. So that should be, so while that's going, let's see, oc get pods openshift-gitops. And then Dex, there it is. So the Dex server is there. So now that that's there, it's apply this actual application project sort of thing. So where is, talking about another copypasta here. Copypasta, copypasta, copypasta. That's right. Well, I forgot to do this. I have to give it, give the controller admin so I can actually do stuff. There we go. Now we'll just deploy this repo. All right, and this is the repo that has all the stuff I wanna configure it. So this will take, cool. Bloop, bloop, bloop, bloop. I probably should have ran that and then explained it. Now it's like, now we just sit around for it to apply. Where is that here? Also I have other, well, that's in the other one. One second. Oh wait, no it's, which one am I deploying? Good question. Okay, so this is- You're on cluster two. Yeah, yeah, I'm on cluster two. And then- That means you're deploying Dex and... So let's close that guy. I don't need that config here. I appreciate the tab cleanup though, right? Like, I fully appreciate that. Gotta get rid of that stuff or else you get confused. 
Oh man, you get into, well then you end up like, like you and I, you end up with a tab manager, which is supposed to make your life easier, but it just compounds the problem. Now I have tabs of multiple tabs. So it's an enabler more than anything else. Okay, so let's go to, let's go to the routes. oc get routes, openshift-gitops. Cool, so then this guy here. So much like the advanced except search, go baby, go baby. So then now you have this login via OpenShift. Cool, and so let's see if the users have been added. So let's go see get groups. Yeah, so there I have an admin group, developer group and a marketing group, right? So, because we know marketer people from marketing, they love- Always need to log in. Did you give them kubeadmin just cause- The kubeadmin just, yeah, exactly. So remember like this group admins was defined in the, let's go back to code. So shout out to the marketing team using our there. That's right, shout out. Yeah, shout out to the admins. The admins are connected to role admin, developer to role developer, marketing to role marketing, you know, I mean easy. So that's, you know, that's that group and that's the user. So, let's log in with OCP admin. Okay. Oh, see, see it's not there yet. Oh, why not? Let's go to oc get pods, openshift-apiserver. Maybe it's the operator, maybe that's it. Three restarts, okay. Okay, all right, that sounds about right. Sounds all right. Yeah, sometimes it just takes a while for it to come up. Refresh. See now, I think now it's coming up, all right. Now it's coming up. Yeah, when it craps, it's funny. When it craps out, I know it's working. It's a work in progress. It's a work in progress, yeah. Sometimes people ask me like, how did you figure, you know, like troubleshooting is like, how did you figure that out? I'm like, quite honestly, a lot of it is tribal knowledge. I mess up things so much that I'm like, hey, that error looks familiar. I ran into that.
Yeah, so it's like, like IT, like whether you're a developer, anyone in IT, it's not that you get smarter. It's just, you mess up things so many times that you start seeing certain patterns. So here, let's go to htpasswd and then I think, right, so let's go full access, right? Here, me as an admin, I have access to everything. So I have, so with Dex, so let's go back over here. So with Dex, my username comes through and you notice right here it says admins. My groups come through as well. So if I want to do oc adm groups new, b-a-n-a-n-a, OCP admin, I created banana and then I think I have to log out, log back in. Yeah. That should come through now. I actually never tested this. So let's see if it comes through. I may have to restart the controller. No, banana's there now. Nope, there's banana. So if you're using, for using Dex, the groups come through. So now you can start assigning roles based on groups now, not just usernames. So here as an OCP admin, I'm able to sync things, right? Like I can sync this if I want to, that'll work. I can see different projects, right? There's cluster config, there's price list. I can see that project as well. Let's log out and log in as developer. It's a different password, I think, as it is. So here, again, developer, right? He's not a banana. So this particular developer is not a banana. That's only the admin. But they have access only to, if I go to projects, only to the price list project. I don't have access to any other project. So as you see, I only have access to this one Argo CD project. If we go back to, let's go back, where is, no, that's the cluster config is the one config. This is the danger of closing your tabs. You have to find things that you wanted to show. There we go. Price list project, right? So here I'm allowed to get every application. I'm allowed to sync every application. Okay. But does that mean, so I can sync here? Right. That syncs just fine. It allows me to do that.
Does that mean I can delete? No, you shouldn't be able to. It's not. You shouldn't be able to, just test this, right? So I get it. I can't delete this application. So I can view it, right? I can interact with it. I can sync it. Can I pause syncing? I can terminate this, great. Oh yeah. So it allows me to terminate the sync. So you can stop a bad rollout. Yeah, stop a bad rollout, yeah. Panic button. Yeah, panic button, yeah. Your schema change is going upside down. You're like, oh, that sounds really bad. All of a sudden our error rate just increased. Did anybody do something? Oh, that was me, sorry. Yeah, that was me. So yeah. Give me a banana. Give me a banana. This is a banana group. Just for fun, the banana group. I love the banana. I'm going to start using that now. OCP marketing. OK, working marketing, see. Working marketing, see. Let's see here. We can see nothing, right? Because we're marketing. Who really wants? Who really wants them to? They don't have their own little app? No. There's got to be some Argo thing we can do that helps marketing. Oh, yeah, some marketing. That's right. So if any of you out there have an app that can help marketing, we'll throw it up on here. Absolutely. Marketing, right? Marketing has that. So this here, the RBAC here on Argo CD, you have to think about how it's independent of the OpenShift one. So you can actually have. And because it's independent, it's not supported. Correct. So this is part two, right? So this method using Dex, groups come through. Yeah, yeah. So which is actually a good wrap up because the last way of doing it is my favorite way. This is the easiest way. So here with Dex, you've got the username. You get the groups, right? So the groups come through and you're able to use OpenShift OAuth, which OpenShift OAuth can use then LDAP, Active Directory, whatever. So the only caveat is it's just not supported by Red Hat. So there's that, right? So you can use Dex, but kind of use it as in your own. Yeah.
Use it in your own demise, but it's not like Dex doesn't work. Dex is fine. No, right? Like use it at your own discretion, right? Yeah, I guess you have discretion. Yeah, I mean, if you don't like Keycloak, you can use Dex. That's fine. You can use Dex, right? And if you talk to a lot of Red Hatters, they like using Dex. But as you're about to say, it's just not like you can't. If something's wrong with Dex, you're going to have to just go on the forums or open an issue. Yeah, hit up the Slack or whatever. Hit up Slack, hit up the issues, and just go that route. So there's that. Cool, all right. What's your favorite easy way? My favorite way. So far, we're talking about Argo specific, right? My favorite way is actually using GitOps workflows specifically. What do I mean by that? So I have cluster three. All right, three clusters. OpenShift GitOps. I installed the operator. Operator's installed. Cool. oc get secrets, openshift-gitops. How many times a day do you type openshift-gitops? A lot. I should have a shorthand, right? Like oso, right? Or ogo. It should be oc -n openshift-gitops. And then just, I think I'm going to do that here. Giving you a new idea now. Here we go. If you guys want to know how to write a function inline, I think I'm missing something. openshift-gitops. Yeah, I guess I am. No, this thing. Oh, yeah, that thing. Yeah, you got to turn around. So ogo get secrets. Oops. Get, does that work? Let's see. It didn't work. No, don't troubleshoot this. Just don't troubleshoot this. Just keep going. I should get out. Oh, I did. Now I'm going to go down a rabbit hole. No, don't go down a rabbit hole at the same time. No rabbit hole. That's right. No rabbit holes. All right, so I get that secret. I'm going to do, not the Argo CD secret, GitOps cluster. That's it. Or is it? It's one of these. It's one of the server tokens maybe. Oh, here. I actually have it. I could copy-paste it, all right. openshift-gitops-cluster is what it is. Got it.
OK, so you weren't going down the right path there. Get routes, openshift-gitops. I know the mistake I made, and I'm trying to. Not go back to it. Yeah, I got to resist going to it, because I need to make a point here, right? So that's not it. So here I log in as actually Argo CD admin. So why am I doing that? Yeah, why are you doing that? Are you setting up something in Argo for us? And then I need to give the controller cluster admin, right? OK, cool. Why isn't the controller getting cluster admin by default? Is it like a day two for Argo step? Yeah, so we, as in engineering Red Hat, the idea is that it should be secure by default. So even me giving a cluster admin is technically a no-no. Although I have the belief is like, if you're doing GitOps, the controller needs to have full access to your cluster. So that's just, but Argo CD or OpenShift GitOps, the idea is you're using it for your CI/CD workflows. And so that's why they shut it down, meaning like you should probably just open it up per namespace. And it makes sense, right? So like from that aspect, it makes sense. So here, let's create a new app. I don't care which project. Pick your own project. Yeah, Argo, you should know what you're doing. Yeah, you do you. Yeah, it's AIML Ops, right? You put it out for me. YOLO Ops. YOLO Ops, yeah, exactly. Let's create here, right? So I logged in as, am I missing something? Oh, project. Oh, you do have to specify. I do have to specify. You can't tell it. No project. I can't tell it YOLO, right? Yeah, sorry. So here, and then I sync. So the point I'm trying to make here is that now if I want someone to make changes here or if I want someone to do something with a cluster, I actually don't want them to log into Argo CD. So from a GitOps standpoint, what you need to do is someone needs to make a pull request. Right. Right? I'm moving the RBAC, the point of change, into your Git workflows right now. So using something like GitHub, Bitbucket, GitLab, whatever, right?
There's a bunch of them, right? They have their own. Yes, yeah, exactly. I'm surprised Google doesn't have one. But anyway. I think they do. Yeah, I know Azure has one. It's really weird. Anyways, everyone has their own. Gitea, I like using Gitea. Gitea's awesome, yeah. Yeah, Gitea's awesome. The idea is that you're using that system, right? The RBAC built into your Git workflows. Yeah. And that way it's one management of users and groups and so forth and so on. And that management of it is done in the system of record. Correct. Which is GitHub or GitLab or whatever it is you might be. Whatever it is. In the source of truth, right? In your canonical source that you want to keep track of all those changes in that. So really you're just using Argo admin and you're done. Correct. And so there's a few things with that. So one, it's 100% supported by Red Hat. That's the most important. Good point, yeah. And two, it's actually this workflow, making pull requests, using that whole system, is tool agnostic. So it works whether I'm using Argo CD, it works whether I'm using ACM, it works whether I'm using Flux. It doesn't matter what tool I'm using. What matters is my Git workflows. Yes. You solve the problem in the Git repo. Correct, yes. So like if you're in the GitHub organization or Git organization of any type, yeah. If you don't want marketing to make changes, you don't accept their PRs, right? Or you don't even let them in your organization, right? Like in your GitHub organization, you don't even let them in, right? Unless they need to make a change to a certain file that would then kick off another sync, yeah. But I mean, that's the granularity, right? That's the... Right, like that's the, okay, you get access to this one project, right? Or one repo, yeah. So I am a fan of letting the tool do its thing, right? Not building so much into the tool itself, right?
Even though it's more than capable, and even though Gerald, who I talk about a lot, disagrees with me, which is cool. I mean, I actually, I understand... I understand both sides, right? Like me being the neutral party here, I understand why you would be like, nope, admin means cluster admin and cluster admin means this group, done. They have access to that. And then developers get to it through GitHub or GitLab or Gitea, whatever. I understand that model, but I also understand the potential need for a developer to stop a bad sync without having to pick up the phone, right? Or just like, do you like, how did my sync go? Or what's the status of... So I understand, I also understand both sides, right? And I'm not saying one's better than the other. What I'm saying is that... They're both possible. They're both possible. And whether you wanna do one or the other, you can, right? They get states, you can do it, right? So we got a question and we have 70 seconds. Let's do it. It could trigger same as simple CI/CD, right? Like trigger a build with a specific commit name, specific branch on request. Yeah, totally. That's what GitOps is about. Yes, correct, yeah. So yeah, so I've been using like main, right? And like, and, you know, going to the head of main. Right, like if it goes in main, kick off the sync, yeah. But like you don't have to, right? Like you can do a specific branch, right? Yeah, you could say if you merge things into this branch of this repo, it goes off, yeah. You could, and you could even, not only target a branch, but a specific tag of that, yeah. Or yeah, yeah, yeah, yeah. That's awesome. So yes. Such granularity, such power. Such power. And multiple ways to give people access or not give them access to it. Just depends on how you wanna manage change in your environment, yeah. Exactly. So just imagine where you want to manage change and there's something there for you. I went through three, right? Two of them are fully supported. There's more, right?
Two of them are fully supported. One of them is not supported, but totally possible. And it works. It's just, you know, buyer beware. Right. We can't support Dex right now. So yeah, we did this in an hour. Look at that. Good job, Christian. I thought I was gonna go over and I thought we're gonna have trouble, but it looks like we're gonna do it. No dude, you nailed it, man. Great work. Yeah. Oh, cool. Augustra says, nice, awesome. Awesome, thank you. Thank you, welcome by the way. Welcome. Yeah, welcome. We appreciate you tuning in live. If you're watching this after, we appreciate you tuning in as well. Noreen said he couldn't make it. One of our regular watchers. Yeah, Norenda could not make it because he has a flu. He has a flu. But if you're watching this on recording, I'm gonna say hi. Thank you for watching. Thank you very much. And Christian, I'll catch up with you later. I have another meeting to run off to. Yes, yes. Thank you everyone. Thank you and stay safe out there. Cheers.