Good morning, good afternoon, good evening, wherever you're hailing from, welcome to another edition of the future of OpenShift administration with PM and UXD. Today, we're talking about, you know, some fun things. And I'd like to just start our show with a round of introductions. I'm Chris Short, technical marketing manager here at Red Hat, also executive producer of this thing we call OpenShift TV. Ali, why don't you go next in the fun round of intros?

Yeah, hey, everybody. Thanks for that show, Chris. So the name's Ali Moverham. I'm the OpenShift PM, console PM. And today I brought a couple of great guests, right? So first off, we're going to have Megan Hall, one of our lead UXD folks, who's going to kind of cover anything and everything over-the-air upgrades. So some really cool stuff. And then after that, we're going to go into some live demos with one of our console architects. Sam Padgett is here today with us and he's going to be our demo king. So that being said, let me hand this off to Megan.

You share my screen. Let me know if you can see in here.

Yes, you're good.

Awesome. And keep me honest on time. Oh, just cut me off if I take too long. So as Ali said, I'm an interaction designer, mainly focused on the admin perspective of OpenShift, and sharing today some of the improvements and enhancements that we've made around the update experience in OCP and the console. So the first part of this, we just want to show, like, what's landed. Most of what has landed that I'm showing here today was in 4.6. Then jump to what's coming soon, 4.8, 4.9 releases. And then what we're exploring for the future.

Yeah, one thing, I want to kind of jump in real quick and, like, give a quick little vision of what we're doing. So, like Megan from the UXD team, they've been doing an amazing job of, like, bringing transparency into the upgrade process. And, like, in the future goal, again, this is the future show.
So we want to talk about in the future, we want to, like, build and establish so much trust with our users that we could set up auto updates on the clusters, and that users eventually don't even realize that the upgrade's happening. So in order to do that, we've got to take incremental steps, and showing, you know, kind of what's happening behind the scenes is, you know, part of that. So back to you, Megan.

Thanks, Ali. So we have a group of UXD researchers that have been conducting interviews around all things update related. And so we were able to take action in 4.6 on some of the feedback that we were hearing, which are things like: channels are confusing. Like, it would be great if we could understand better how they work. Things like candidate, fast and stable. Users want access to release notes in the console. And more transparency, sort of what Ali referenced, as to what's happening during the update. And then making things inside of cluster settings with regards to OCM more actionable. So the main areas of focus for 4.6, as a recap: to make it easier to find information on channels and versions, provide recommended update paths, and inform on operator and node progress during an actual update.

One thing: if people don't know what OCM is, OCM is our cluster manager. That's part of our SaaS offering. So if you go to cloud.redhat.com, you'll get OCM right up there. That's the multi-cluster manager piece.

So the first part of this new work that landed in 4.6 focused on guiding users to recommended update paths and available channels. So what you'll see here on the cluster details page, under the cluster settings tab, is this new visualization that we've added, that I'll talk a little bit more about in a minute. But I want to focus first on some of the, like, channel help text and linking to documentation that we provided here. So we are trying to surface a little bit more about what channels are and linking out to documentation.
So you'll see this new popover that we added here regarding channels. And in that update modal, we also link out to learn more as well. So there's sort of three visualizations that you may find when you navigate to that cluster settings tab. And the first one is where we hope that you find yourself most often, which is up to date. And so what you see is this blue line with a single dot denoting the current version that you're on, and the channel that you're in. So if you see this single line, there are no other available channels and you are up to date and doing great. This second state that you can find yourself in is that there are available updates for the channel that you're currently in. What we do if there's more than one choice there, we just surface the farthest leap that you can take all the way to the right. And then if there's more in between that you'd want to choose from, we surface that in a popover. And then the second, or sorry, the last status that you can find yourself in is that there are updates for the current channel that you're in. And then this gray line denotes that there's a next available channel. There are limitations to this visualization. So, you know, if you're on 4.3, we're not showing you the channels for 4.5 and 4.6, because you have to get yourself to that 4.4 channel to continue to make progression through that update.

So like Megan said, we can't show you everything, it's kind of overwhelming, right? But we do try to show you, like, the best possible path forward. That's the goal, to, like, help move people along. Again, there's tons of advantages of having the latest stuff, right? You've got all the latest security fixes, you've got all the latest bells and whistles, you have the most stable build. And it's easiest for us to come in and to resolve issues when you're at the latest, right?
So we really are motivated to help you get motivated to get the latest.

And just a couple of other small notes here: we're linking now to the release notes for the current version that you're on, so that you can compare your current version and then what's available. And then you can also interact with the versions on that line to link you out to release notes as well. And then in this popover middle, we're linking out so all of the versions that are available for you to choose in between that farthest leap are also denoted in that class more with release notes.

So, go back a sec. Sorry. Like, previously, we didn't have all these convenience links to the release notes; you kind of had to go and search for them yourselves. So we thought it was really important to just, you know, bring this information right to people's fingertips, reduce the headache of them having to go search for all the different release notes. And then also, you know, create this visualization of, like, the best path forward again, right? So it's all about really increasing that transparency and making it as easy as possible for users to make smart decisions when upgrading to the cluster.

All right, folks, we're back. Apologies for the issues there. Just making sure that we're live everywhere and we can get started again. So we are having just a bang-up day here on the channel. I do apologize for all the technical errors and difficulties. It's amazing what happens when you try to just make things more reliable. They break. So yeah, having fun with our own high availability today. So please, Megan, go ahead.

I'm sorry. I'm still sharing my screen?

Yes, you are.

All right, awesome. So I think where we left off was just describing what our intentions were behind this channel visualization. So in order to provide even more transparency into the upgrade process, what we wanted to do was sort of show an in-progress checklist of what's happening during the update.
So I'm just going to go through this flow really quickly. Say I am on my current version, 4.3.18. I click that update button because I'm ready to make an update. The version that's selected is the farthest jump in the channel that I'm currently in. So fast 4.3. So I've got 4.3.2.2 preselected. I hit update. And this is when we now have this new in-progress checklist that starts to surface the progress of cluster operators, master nodes and worker nodes. And I actually am going to switch to a prerecorded video from YouTube that shows this visualization a little bit better than my static screen. So we've just clicked update and now you can see this update to 4.5.4 in progress. And as soon as these cluster operators start to kick off, what you'll start to see is this progress bar start to load. So 2 of 30, et cetera. Now fast forward through this a little bit. But you'll see you're now going to get feedback every time you go back to this details tab during an upgrade. And I can fast forward to that a little bit too. It's not always the case that these cluster operators finish before master and worker nodes start to progress. But that may happen here in this example. We'll see.

This is one of my favorite screens. Like, previously there was not this level of transparency. There's no break, right, like cluster operators versus the master nodes versus the worker nodes. So this is really cool and really amazing that, like, you can visualize this and get enough information. And then if something goes wrong, like, it surfaces it for you.

And I think of note, the only thing that we've added since these wireframes were created was the ability to add custom machine pools. So if you have, like, infra nodes, that will start a new list underneath the workers and you'll see that progress here as well. Yeah. The only other nuance of this is that, at least for 4.6, these worker nodes can still progress once we mark an update as complete. So that's just one thing.
It's not surprising here that these worker nodes are still progressing. But we've marked your update status up to date. And as soon as those worker nodes have reached 8 of 8 in this particular example, that will disappear. And I believe in 4.7 or future that those worker nodes will actually be a part of what we validate as a cluster being up to date. So I think this is maybe only for 4.6. And there is a little popover that just tells you a little bit more information of what's happening, and not to be surprised to see that progress still occurring.

And then the very popular question: what if a failing condition occurs? This is definitely something that the over-the-air team is continuously trying to work on in terms of the messages that we're surfacing here and how often, playing around with the threshold of the cluster operator actually failing. So what we've added here is a quick link to view conditions. And we're working on improving the messages that we're surfacing there as well to make them more actionable. But the hope here is to provide as much transparency as possible as to what's happening with that failure, and if in actuality an action needs to be taken or that failure will actually resolve itself.

And then the last part of all of this that we ended in 4.6 was these new recommendations. So there's three new recommendations that we've added here: one, when a new patch becomes available; when a new minor release becomes available; and when a new channel becomes available. These recommendations will surface in that notification drawer and you'll be able to take actions on them there.

So I can move now to what's coming soon and sort of what's in the pipeline. We'll try to cover this really quickly, but we're sort of continuing to try to address this long list of feedback that we are continuing to hear.
One is to improve the way that we handle the failing true during an update, and the OTA team, like I mentioned, is working on that. The next big part of this is providing general update information in OCM for users to better understand how OCP releases and updates work. And then there's some small fixes that we made to improve, like, some channel UX when no channel is available, no channel is selected, and when the current version cannot be found, as well as providing the ability in the UI to configure air-gapped environments in the cluster settings.

So Ali, I don't know if you want to provide a little bit more background on the goal behind this release page and the value that this will add into OCM, but basically what we're trying to do here is surface the latest, the four most recent versions of OpenShift, their corresponding maintenance support, whether that's full support, maintenance or end of life, and the latest version for each of the channels as well for the corresponding OpenShift minor releases, as well as some other information like the date it was released, etc. And this is just the beginning of this particular unit of work. I think right now we're trying to surface as much information as told, like, why it's important to keep your clusters up to date and better understand how releases and updates work with OCP, and this will become more valuable if we can start to think about how this matters across your current fleet and the state that your current fleet is in.

One thing I want to point out or highlight on this screen right here: if you all look at OpenShift 4.6 and you go to the bottom part, you see EUS 4.6. I can't remember what the exact acronym stands for, but that's essentially our extended support lifecycle. Anyone remember what EUS stands for?

Extended users or extended update support?

There you go.
So that means you get support until the next EUS version that comes out, which is going to be 4.10, so you could stay on 4.6 longer if you wanted to, and that's to help and enable our customers that aren't able to upgrade as fast as possible, aren't as nimbly-bimbly as some others, so we have that built in there. Before we go any further, I just kind of want to ask anyone in the screen, like, do you guys have any feedback for us? Any information that we're not sharing with you all that you think is important you'd like to see? Are we sharing too much? We don't want to overwhelm people either. Let us know if you have any feedback on how or what we can improve in this process for all.

Yeah, the folks are a few seconds behind us as far as liveness and chat, so feel free to comment and I can fish those questions back up to the team. All right, back to you guys, let's keep going.

I don't know if it's worth saying, but I guess we're focusing on putting this into OCM now because that's a place where you sort of have a list of all your current clusters, and the hope there is to be able to apply, so these are the latest OpenShift releases, and in the future understand, like, where are all of my clusters, where are they right now, and what available updates do they have, and how can I get there.

These are just some really small improvements that we tried to make in OCP. So again, we're on the cluster settings details tab. Today we don't do a really great job when a channel isn't selected, and so the hope here is to add an alert to surface, like, in order to request update recommendations, configure a channel, and change, like, the empty state under channel to say not configured. That way we encourage users to sort of set that configuration and receive the recommendations.
The second part of this is something that I think we often see, which is this version not found, and this happens if you are on nightly versions. So we would like to change this status underneath the channel, like, to remove that channel selector and say that no channels are available and that update recommendations aren't available for nightly builds.

So just in case people don't know what nightly builds are: if you go to openshift.com/try and you select one of our options, right, that will take you to assume yeah this is this is different people so openshift.com/try.

I've dropped it in chat for everybody, yeah.

Yeah, so here you could come in and see all your different options. So let's just, for example, take try it in the cloud, let's click that one. This will actually take you to OCM, right, or cloud.redhat.com, OpenShift Cluster Manager. Now you have all these different options, right? So if we scroll down a little bit, let's say we want to install to AWS ourselves, we would select that AWS on the left, and then I always recommend people do IPI unless you have some crazy requirements that you can't do IPI. But if you look right here, and it's subtle, right, but it's there, so right under the macOS dropdown we actually have developer preview, download pre-release build, too. That link is our nightly build. So, you know, every night we put the latest and greatest there for anyone to come and give it a try. So if you scroll down a little bit, this will allow you to download and install the nightly build. So if you want the bleeding, cutting edge, this is it. You guys can set it up, try it out, play with it, do whatever you want. But one of the caveats of the nightly is I don't believe you could do over-the-air upgrades, right? Hence our warning message of there's no channels available: because it's so cutting, bleeding edge, we can't guarantee upgrades will work, so that's why we just disable it for that. Make sense?

And then the last one is, I think this does
happen, I'm not sure how often, but perhaps you've, like, forced an upgrade in the CLI and that version that you've upgraded to is not in the channel that you previously selected. So what we have today is just version not found, and we wanted to provide a little bit more information as to, like, what's happening: so an alert that says the version six out one isn't found in stable 4.5, and then making more explicit messaging in that update modal for the channel that we have actually found your current version and what we're providing in that dropdown. So those are just some small things.

And then the last piece of this that we're working on currently is configuring your upstream and being able to edit that in the UI. So there's a default configuration from Red Hat, or we want to allow the ability to provide a custom update service URL. So we're on the cluster settings page; a little bit further down underneath that visualization you'll see this upstream configuration field, and so we want to make that editable and just provide a modal where you can switch that upstream configuration. And it's probably good to know here, we should think about adding this to the cluster version details as well, because that field is also there, so being able to edit that in both places would probably be helpful.

Yeah, so for air gap we give you that ability to set up the Cincinnati, is a Cincinnati service, so it's called, yeah, locally behind your firewall, so you can set up upgrades that way just in case your environment requires that, which a lot of companies and governments and whatever do, right? So we want to enable that they get the same high-level experience that everybody else does, and everything else should perform the same, right? You'll get the same UX experience, same for the rollout, for all of it. So this allows you to configure that endpoint to get you to the floor.

And then the last part of this are just improvements that we're exploring for the
future, and some of them are follow-ons to the OCP console versus OCM, so I can try to run through these really quickly. For OCM, things that we're trying to explore is just surfacing more information. So with the addition of that new releases page, we really want to make that valuable to the clusters that you currently have, so your fleet of clusters. So surfacing things like, on this overview dashboard, the update status: what clusters are up to date versus what clusters have updates available. And then also surfacing the visualization that we added in the OCP console for channels under the cluster details as well in OCM. Something that's even more impactful probably is: okay, yes, you're telling me that I have the ability to update, but I may be really far behind, so show me how to get there. And that's something that I think we're really trying to look at, both show me how to get there in the UI or also in the CLI, and so that's something that we're definitely looking at as well. And these are all very conceptual wireframes, so it may not end up looking like this at all. I'm going really quickly, so stop me, Ali, if you want to add anything.

So go back to the other one real quick. This is: I need to work backwards. I've been told I need some security fix or something that's in this certain version, right, and I'm at this version. Let me know the fastest, least amount of hops to get me to this version, because I have requirements or needs of a certain thing, right? So this is the work backwards mode, which is, you know, super helpful, right?

Like being able to say I want to be on this channel and I want this particular version, and this is where I am, so show me how to get there without having to leave the context of OCM. And then OCP: these are really small things that we're just sort of surfacing as continuous thoughts. One is, show me, when I go to update my cluster, I want to know why I don't see a particular path to a particular version, so being able to surface the missing
patches, and surfacing also the reasons why they were pulled. We've heard a lot of times from customers that four out of their five clusters have migrated, and they go in to update to a next and they don't understand why that version may no longer be there. So this is just some thought of surfacing the numbers and explanations in the context of the console. Very early mock-ups. And then this is alerting when a channel is reaching end of life, so adding a recommendation notification letting you know that the channel that you're currently in is reaching end of life and that you should change that channel and upgrade as soon as possible, and then thinking of ways to denote that as a visual UI element as well on the cluster settings page, next to that visualization.

Thank you. Go back a screen, sir.

This guy?

Yeah, so I just want to, like, reiterate this one. We've had scenarios where we'll discover something, right, and so at that point we do pull that edge, because we're like, okay, we've got to resolve some issue where we're noticing some kind of pattern or something's happening, so let's pull that. And again, like, it's all about increasing trust and transparency with our customers so they know what's going on. So we want to surface to y'all any information that we have with you of why and when, and then again try to resolve issues as soon as possible. So this, I think, is a really important piece of the work we're doing. So, all right, back to me. Oops.

And then this is a small thing too that we're working with some teams on, to try to understand how we can surface node versions or the status of a node during an update. So what you'll see here, it's probably hard to see, but under the status you have nodes that say that they're ready, and there's two conditions: they're either ready and waiting to update, or they're ready and up to date. And so we would like somehow to surface that level of information, either underneath that ready
status with waiting to update or up to date, or somehow surfacing the versions that the nodes are on, so you can really track and understand the progress of what's happening, and just providing again more transparency into that process. And I think that's all I had to share. But all that to say is that we continue to track and hear the feedback regarding upgrades, and so there's a lot on this list that we haven't even gotten to yet, and are just continuing to sort of listen and understand what will make the biggest impact and start to build that trust again.

Do you have a chance of the link to the new access thing, or the show, the crazy spider web graph?

Oh, I have that somewhere, I think. So I kind of want to share that.

Find it faster, go ahead and drop it in chat or on stream or whatever. We were just looking at it yesterday, actually.

Yeah, yeah, so there you go. So select some stuff here. This is new; we added this to our customer portal, which kind of does some of the stuff that we're talking about doing in OCP and walk in real quick. No update after that one, yeah. Like, you can get yourself really now with this tool. All right, so now click the web one. Is that the one that shows the, oh, there's the graph at the bottom. So behind the scenes this is what I call the spider web, right? Like, this crazy mess of every permutation of getting to, you know, point A to point B, and so there's a lot of complexity behind there, and we do try to simplify it and give you all the best path forward. We don't want you to have to think about the spider web, that's a bad experience, right? But that's what's behind the scenes, and it's super complex, as you all could tell. So I think, you know, Megan and team, guys, have done an excellent job of, like, really bringing out the essence of the UI and the experience and simplifying it, but also yet providing the transparency necessary for our users to get a feel of what's
happening behind the scenes. So this is really cool. And now let's share the URL with everybody as well, so this is live today.

I did, I put it in chat.

Oh yeah. And I think this is more of what we're trying to think about to surface in the context of the OCM as well, but the CLI and then the UI has to get where you need to be.

And I'd like to point out that all of this is transparent so long as you filter apps to take advantage of the resiliency of Kubernetes or OpenShift. If you have single-pod applications, you're going to notice downtime, because if it upgrades a node that that pod is running on, well, your application is down. So make sure you have multiple pods spread out across multiple nodes when you're doing updates.

Yeah, if you guys build your apps like that, then you should not even notice a hiccup, hopefully.

Yeah, which is awesome.

Yeah, that's the power of Kubernetes, a great orchestration scheduling tool. Super exciting. Megan, thank you so much, that was awesome. All right, now we're gonna hand it off to Sam, aka, I like to call him the maestro. He always fixes it, so thank you, Sam, for all that. So we got some cool demos for you now.

All right, thanks. I should be sharing?

Yes.

All right, yeah, so I just want to demo quickly one other feature in console that admins can do. So the OpenShift version 3 console was very developer focused, and in version 4 we still support all those various developer workflows, but we also support a number of admin tasks. You know, Megan shared some of those things around cluster settings, around upgrading and upgrade status. I just wanted to demo how you would set up identity providers in an OpenShift console. You may not be aware that you can do this through the UI. It's definitely possible to do through the CLI, and if you look at the various topics for the different identity providers, there are a number of steps you need to do if you're using the CLI: you have to create a secret in a
certain namespace, you need to go in and work with YAML and update the OAuth config, and there are a number of steps. And it's good you can do this through the CLI, because you can script it or you can commit your YAML manifest to source control, but if all you want to do is set up an IDP, it's pretty easy to do through the UI, so I wanted to share that. So this is a 4.7 nightly cluster. You do see the version not found because it's a nightly build; you can't upgrade from nightly builds, as Megan and Ali were talking about earlier. But under cluster settings there's a global configuration tab, and here you have all the various config resources for the different cluster components. So you can see here there's one for OAuth; that's where you configure the integrated OAuth server to set up authentication in the cluster. So by default when you install, all you have is the kubeadmin identity provider; you have one kubeadmin user, which is essentially root on the cluster. And then when you log in, you also get this message if you log in as kubeadmin saying, hey, you know, your login is this admin user, you should really go and set up identity providers. So there's a link here in the banner, but you can also get to this later through the cluster settings pages. So if I click OAuth here, it's a new cluster, I don't have any identity providers configured yet, and you can add them here through this dropdown.

Sam, can you go back a page real quick?

Sure.

Just want to show another thing. If you click the three dots on the right, it's like a little hidden shortcut as well. You get all your options right there also.

And you can also see the API as well, but if you're using the web forms, you don't need to know the API, which is nice. So I was going to show configuring two different identity providers today. So I was going to start with htpasswd, which is a pretty simple one. With htpasswd, you create an htpasswd file using a
command line tool, and then you can, for your OpenShift, use that htpasswd file, which has all the users and the encrypted passwords in it. So you say add identity provider, htpasswd. It's really easy, there are only two fields: there's a name and there's a default preview. And if you have more than one identity provider, this name will actually show up on login, when you have to pick which one you want to use to log in. So I think I can pick a name like twitch, and then the other thing you need is the htpasswd file. So I was going to create one today from scratch. So most Linux systems will have the htpasswd command. It's also available on Windows if you have Apache httpd server, for instance. So you say htpasswd -c to create a new file, twitch htpasswd, and then you tell it what user you want to add. So I'll add user twitch and font c for a password. So type this right.

Yeah, silly question, but does the file name have to end in htpasswd?

It does not. It can, it's a convention, but it doesn't; it can be any file. And then you can go through and add additional users here, but I'll just add the one for now. So now I've got the htpasswd file here, and then I just go here and I simply select the file folder, twitch htpasswd, and click add, and I'm done. So that's pretty easy, right? So it does take a moment for this to roll out. So I go back to the cluster settings page here and I go to cluster operators; I can see the progress of the authentication operator rolling out the new config to its various replicas. So this might take a minute or so, but as soon as this completes, the change will be live.

Can we actually go to the logs?

You can add and I'm already done. Yeah, so if you were to go over, yeah, one nice thing is, like, all the various cluster operators run as pods on the cluster, so you can actually go in and see all of their logs. So there's an openshift-authentication-operator project,
and pretty much all the operators use the same convention, so they're always openshift dash operator name. So you can go in and see you have one pod here, and you should be able to, okay, there's a lot of data here, but if something goes wrong you can often troubleshoot by looking at these log files. But now that I've set up this identity provider,

Hang on, so, request from the audience. Authentication is something I would, this is from, I'm gonna say, tony tv: "Authentication is something I would like to learn more about. Creating admins doesn't have a lot, doesn't seem to be a lot of walkthroughs on creating admins, but it looks easy enough though." So as we go through this IDP process, think of the cluster admin versus the cluster user, if we can.

Gosh, so Sam, I was gonna say, maybe we go, so you created a new user, right? The new user isn't visible in the cluster yet, right? Like, so if you go to the user management section, you won't see the user yet because they haven't logged in, correct?

Right, that's right. Yeah, so that happens once a user has logged in.

And then, which I think is a little weird, because then you could go add roles in RBAC so that they can get cluster admin, right?

Yes, you can. So you could go and say role bindings, if you want to make the twitch user cluster admin. Yeah, go into roles and role bindings, which is how Kubernetes manages, so it's control, the different things, and there are a bunch of roles that are out of the box. There is, like, for instance, the cluster admin role that basically makes the user a superuser. You can say cluster admin, and you say user, and then the subject name is the username here. It could also be a service account or group. So let's use twitch. So when I do this, this creates the role binding that makes the twitch user a cluster admin. So I haven't logged in as twitch, there's no twitch user yet,
but you're still allowed to create the role binding. It's kind of a Kubernetes thing where you can create resources in any order, and eventually, when everything's there, things just work, right? So as an admin, even if the user hasn't logged in yet, I can grant different authorities to that user. So if I go log out now, this is going to kick me back over to this page, and it's because I have multiple identity providers. So if I only have a single identity provider, this gets skipped and you go directly to the login. I still have the Kubernetes identity provider, which is the default one when you create the cluster, and then also the Twitch one. So let me... And, so, sorry. No, go ahead. Previously, on one of our other shows, we brought on Andrew Block, and Andrew Block came in and he showed us how to customize his login page. And one of the things that he did was he actually parsed out the kubeadmin IDP, right? So you can still get to the kubeadmin IDP, but it wasn't displayed as one of the options there. So if you want to kind of have that kubeadmin backdoor, you can, but for your normal users that would come to this page, it would be hidden. And there's some cool stuff you could do with that login, because this is customizable. So go look at that previous stream. Yeah, I'm not going to wrap it all up. I'm going to log in as this user, twitch. I must have typed it... There we go. Okay, the warden is asking me to save the password. I'm going to dismiss that. There we go. Okay, so now I'm logged in, and since I created the role binding, you can see that... Let me see, I probably created the role binding on... Let me go back out. Oh, I created it in the namespace, so I'm only an admin in the authentication operator namespace. I didn't create it as a cluster-wide role binding. So before you log out, one quick thing is you'll notice that blue banner that was at the very top of, like, "Hey, go set up..." Oh, it's gone now, right? And that's the... everyone wondered
how to get rid of that blue banner. You create the IDP, you log in as a non-kubeadmin user, and voila, the blue banner is now gone. All right, Sam, sorry. Yeah, I don't have permission to be written in this namespace... Okay, role bindings. Yeah, so I created a namespace-scoped role binding right here instead of cluster-scoped. So let me log out. I'm going to log back in as kubeadmin so I can show you setting up an additional identity provider. So let me copy the kubeadmin password from when I installed. Now I have once again logged in as the kubeadmin user. So I'm going to go in and... let's go back to Global Configuration, OAuth, and then you can see the Twitch identity provider. I'm going to go ahead and add GitHub as well. All right, so in order to do this, you also need to do some configuration on the GitHub side. This is all detailed in the documentation. One thing you need to know is that you need to have a GitHub organization or team set up, because otherwise any GitHub user in the world can log in to your cluster, which is probably not what you want. So I'm going to go in my GitHub here. Let's go to Settings and, if I can find it, Organization. So I set up a demo organization here that just has me for now. But if you go to Settings from here, and then I believe it's the Developer settings, you can register a new application, which is what you need to do to set up OAuth with OpenShift using GitHub. So let me do that now. And you can give this application any name, "my OpenShift cluster". It asks for a URL, so you can make this your cluster URL or anything you want, really. We'll have the description blank for now. And then you need a callback URL. So what you put in here is documented in the OpenShift docs. I'm going to copy this so I don't typo anything. But essentially you need to have a specific callback URL so that when you're done approving OpenShift from the GitHub side, it will redirect to our OAuth server and continue along. And so
this URL is pretty much the same. So this part will be whatever your actual cluster is, and then this last segment here will be the name of the IDP you create. So we're using github as the name of the IDP, so that's what I would put in right here. And this is all documented right here in the OpenShift docs. So let me register this application. So now I have a client ID. I can copy that and then use that as the client ID here. The next thing I need is a client secret from GitHub. So I don't have any client secrets yet. You generate a new secret, and it's asking me for my password again. And there it is. So it generated a new secret. I'm going to go ahead and copy that and then put this back over here. And then if you're not using GitHub Enterprise, you don't need a hostname or a CA file. What you do need is an organization. So let me type in the organization here, which is s project demo, the one I set up. So it could be an organization or a team, but one of these is required unless you're using GitHub Enterprise. Can you do both? Use... translate to group, you think? I'm not sure offhand if you can do both. You can specify more than one. You probably can. I think you can. So if you specify more than one, as long as the user is a member of any of those organizations or teams, this should be allowed. Yeah, cool. Actually, it says it cannot be used in combination with organizations. Okay, multiple, but it has to be one or the other. So let me add this, and we should be done. So GitHub shows up here. Let's go back to Cluster Settings and check the progress of the authentication operator as it rolls out these changes. Meanwhile, should we add some RBAC? Yeah, I'll try to do it right this time. Let me go back to Role Bindings. So here's what I did wrong. Let's see, can you not create a cluster role binding from here? Let's do that. So one of our regulars, James Dade, he's asking if OCP could pull users from AD in advance. He's already got groups set up and everything. Like, does he have to have
that user log in every time, or can he create all the things in advance of that user landing in the right place? That's a great question. I believe that there is actually a mapping method you can set up when you configure the identity provider, and it has different behavior depending on the mapping, right? So we can look at that. So by default we use claim mapping, which... let me find that configuration. So the console does have this Home Explorer where you can see all the various APIs, and we can drill in to the OAuth API here. So there's an identity provider map, and then... looks like it doesn't give you detailed information about these. That's mapping method. Yeah. Oh, mapping method. Yeah, mapping method, not a lot of detail here. So mapping method, okay. So this is what you want to set if you want different behavior, and you can go in and create users manually in the system. Let's see. So typically you use claim, and then you just log in as the user through the identity provider and OpenShift automatically creates the user. It looks like there are different ways of doing it. So you probably want lookup, where you can go in and create the users manually, and then it will map only to existing users. So I have an spadgett GitHub ID. I can use the lookup mapping method, and then it would only let me log in if there's an spadgett user on the cluster. So if you use the lookup mapping method, that's another way where you can set up GitHub as your identity provider without providing an organization, if you're not an admin for an organization, say, or you don't want to go through those steps. So this description is so much better than what we have in the UI. Yeah, let's open a bug for that and get all this into the UI, because that's, yeah, far better. Yeah. So let me go ahead and log out. I can show you the GitHub login. So if I've done this all right... Let me close some of these tabs here. I'll leave this one open. Okay, so now I have another option here. I have GitHub. So when I click on this,
it'll go through, and it's asking me to go ahead and authorize my OpenShift cluster to be able to read my identity on GitHub. So let me authorize, and then it redirects back, then I'm logged in. So you can see my full name here. This is pulled in through my GitHub profile. So, Sam Padgett, there I am. I can create projects and use OpenShift. That's awesome. This is when I wish I had an AD instance to test with. jpdade, let me know if you're still having issues. It sounds like you have a ball of issues you're dealing with right now. So yeah, I dropped the link to the docs in chat. Any other questions from the audience? I'm saying thank you. That was awesome. Thank you. I love to buy my salt on that one. The claim one is new to me. Yeah, I don't know how AD treats that, like, claim assignment, because AD isn't quite LDAP. It's kind of its own beast. I know I've had problems with that in the past. But yeah, if you have issues or the docs seem wrong, please let me know and we can get that corrected. Yeah, awesome. Difficult. Yeah, no. Yeah, exactly, right? Like, so we want to make sure that we have, A, all the use cases covered, and then, B, like, actual functionality working. So yeah, if something's not working, let us know. We can definitely get it fixed. So, awesome show. Let's see, jpdade says, "Yeah, I tried all the mappings. I have bigger and different fish to fry right now. It works. It might not be perfect. I will try that on my next cluster." Okay, cool, awesome. Yeah, jpdade's doing a lot of switching over infrastructure and all that fun stuff. So yeah. So cool. Great show, everybody. Thank you, Megan. Thank you, Sam. Thank you, Ali, as always. Great. Yeah, thank you, I appreciate that. It's always great to have y'all on because some folks get to learn how, kind of like, the sausage is made, and sausage is fun. AD is Active Directory, Tony. And then there's, you know, all kinds of things that you can use instead of Active Directory, like GitHub or Twitch or navy or other things. So cool, great
show, everybody. Thank you. Appreciate you joining us today. The next show isn't for a few hours. At 3 p.m. Eastern, 2000 UTC, we will be having the one and only GitOps Happy Hour. So stay tuned for that. I have not heard what we're talking about today, but I'm sure it will be fun. All right, everybody, stay safe out there and have a great day.