Hello everybody, and welcome to another Red Hat OpenShift Commons briefing. This time we're going to talk about bringing Red Hat OpenShift to the IBM Cloud with Chris Rosen. I'm going to let Chris introduce himself and take us on a tour and talk about his journey with OpenShift on IBM Cloud and give us a bit of a demo, and there'll be live Q&A at the end. So Chris, take it away.

All right, thank you, Diane, appreciate it. Thanks, everyone, for joining. My name is Chris Rosen. I am the program director of offering management, responsible for all things containers and microservices related running in IBM Cloud. So really excited today to kind of go through a few slides on what is the actual offering, and then, I think more exciting, we'll get into the actual demo. And if you're watching this after the fact, feel free to reach out with any questions or comments; you can see my email and my Twitter handle are both listed on this page.

So before I get into the actual technology, I want to quickly touch on the use cases, because when we're developing offerings, you know, it's cool when we build new things and new widgets and new capabilities, but the reality is if they're not solving some of our customers' problems, then, you know, really what's the premise of doing that? So when we're building things like Red Hat OpenShift on IBM Cloud (from here on I'll basically just call it Managed OpenShift for short, because it is quite a long name), what are the use cases that we're really trying to identify? And the first one is really about innovation, and it's enabling our users, who are generally developers, and they're building new applications, and they need to be able to do so and move quickly and automate everything in their CI/CD pipeline, so that way it's all source code controlled and they've got the right teams that have the right access to be able to make those pushes and changes and do so in a very secure manner.
So some of the offerings that we build around this use case are of course using the Managed OpenShift. We see some things like IBM Cloud Functions for our event-driven serverless, and obviously that's a very dynamic space as we get into Knative starting to become more prevalent in those use cases, and really enabling developers with CI/CD tooling. Things like the IBM Garage: if that's a new term to you, it's basically a way that, think of it as IBM's consultant branch, where they'll go out and they'll work with our customers through a garage session. And what that means is the customer brings their real problem, "I'm trying to solve X," and you'll go through a design thinking session where at the end of it you'll have a thousand Post-it notes all over the walls, and you think about how to solve your problem, what's the ultimate lighthouse kind of solution for it. Then you sit down and pair program with IBMers, and by the end of that session you have a real prototype. So what's great is it's not just a, you know, workshop where you're getting hands on with the technology, although that's very valuable as well; this is actually solving your problems, and at the end you've got a prototype. You're thinking about how do I solve these not only technically, but then generally the biggest hurdle is culturally: how do I adopt in this more cloud native DevOps, DevSecOps type world? And the Garage helps our customers through that transformation.

And then the second one that I want to mention is really about app modernization, and there are different flavors in that spectrum: do I simply want to repackage my existing app as a container and get some benefits around packaging and deployment and monitoring and logging, or is it worth the investment to completely refactor to microservices and run that in a truly cloud native application? And you'll see a lot of consistency, obviously, with the solutions running in IBM Cloud to help solve that, and Red Hat OpenShift on IBM Cloud being our lead offering, the
lead landing spot for those containerized workloads, whether they are brand new cloud native apps or if they're coming in from a modernization sales play effort.

So let's get into the actual offering. You know, we've been running managed Kubernetes and containerized workloads for nearly five years in IBM Cloud through several iterations, and so we're excited when we launched this offering on August 1st, 2019, after, you know, the acquisition with Red Hat and bringing them on board. So we're excited to bring all of the value of OpenShift. So IBM's not done anything to OpenShift, Red Hat, and we provide all of the same capabilities as the managed service. OpenShift obviously could run on any infrastructure in any cloud, so how do we make it optimized in the best landing spot to be able to run those workloads in public cloud? So that's really our focus, bringing the value to this managed service. So we leverage our existing SRE management capabilities for the 20,000 plus production clusters that we're running, and we bring that to Managed OpenShift. And so you'll see some things around not only the day one deployment of your compute, your networks, your storage, but then day two lifecycle management: whether it's a RHEL patch, anything in that stack, whether it's OpenShift itself, which obviously Red Hat vets and makes sure that those things, that updates, are validated and ready, or anything in that entire stack, IBM's going to manage that lifecycle for you. And you'll think about kind of the line of roles and responsibilities, whereas a customer you want to focus on those use cases, whether it is delivering innovation or app modernization, so let IBM manage the infrastructure and the lifecycle, so that way you can focus on solving your line of business objectives.

Some of the things: we're very focused on building in operational characteristics to the offering, so things like with every cluster having highly available masters, and with a multi-zone cluster now I'm distributing masters and worker
nodes across three different data centers in a given IBM Cloud region. So for example, if there were some catastrophic network outage in one of those data centers, well, my API endpoint is still accessible, I still have workloads running in those other two data centers, and then I could auto scale out to get to the right capacity required to run those workloads, so my end users don't know that there was an outage or that there was an upgrade happening. So as I update from one version to the next, we seamlessly roll through that upgrade, so that way again it's seamless for the end user experience.

Compliance is something that we take very seriously in IBM Cloud as well. Our Managed OpenShift offering went GA back on August 1st, had all the things around SOC 1, SOC 2 Type 1 and Type 2, HIPAA readiness, PCI compliance. And compliance is a two-way street, so obviously, you know, we've got responsibility to control the compute side of this, and you as a user have responsibility as well, and how do you maintain access and encryption and all of those capabilities within the workloads running inside your clusters. Isolation choices including bare metal: so if you need that amount of resource or GPU or 10 gig bonded Ethernet, you can get that as a part of the managed service. And then the last point here is an industry leading 99.99 SLA for that multi-zone cluster. So because all of our control plane and most of the services running in IBM Cloud have standardized to run on top of Kubernetes, that built-in resiliency and availability has allowed the platform to increase its SLA to the 99.99.

And the far right, bringing the fact that OpenShift, as I said earlier, is OpenShift consistently wherever you run it; that's the real value prop of hybrid cloud and multi-cloud and using OpenShift as that platform. Now I can consistently run workloads wherever I want to run and wherever I have IaaS. The far right column is really talking about taking that platform and integrating it to the IBM
Cloud capabilities, so things like bring your own key with IBM Key Protect or keep your own key with IBM Hyper Protect services. And the difference there being, with keep your own key it's FIPS 140-2 Level 4 encryption; we're the only public cloud to be able to get that level of encryption, and customers own the keys. So even though it's a managed service from IBM, we don't have access to your data. If you lose the keys, we have to replace the physical HSM that stores those keys. So depending on the level of encryption and isolation of those workloads, our users can determine which level works best for their use cases and requirements, and they may mix and match depending on different projects or different life cycles of an application.

This chart, uh, you know, obviously there's a lot of words here, but we start to, when we think about the word managed, and at least in IBM the word managed means something different to everyone, for a cloud managed service essentially what it means is that we're taking off a lot of the operational burden for our user: that instantiation of the cluster originally, or that ongoing updates and lifecycle management, tying out with the rest of the platform, so that way as you start to focus and build or add cognitive capabilities to your apps, and you want to bind a Watson service or create a chatbot or use weather data or IoT or analytics, you can securely consume those within your Red Hat OpenShift on IBM Cloud cluster and just extend those apps, make them work smarter, work better with the existing code base that you have, and now you're leveraging these higher value services from IBM Cloud.

We'll show a lot of these things in the demo, but quickly, just kind of, you know, talk through a few of these points. The first one is around simplified cluster management. You know, you'll see there's a lovely UI where you can point and click through things, but the reality is most of my users will do that once and then they're going to automate that either through the CLI or
the API. We also have IBM Cloud Schematics, which is our infrastructure as code based on Terraform, and soon Ansible, to do that deployment in a consistent manner of your clusters, of your lifecycle management. We talked about highly available masters. User controlled worker node management: that's a mouthful, but essentially what that means is that IBM is providing all of the tooling but our users determine when is the best time to upgrade. So if they're running on, for example, OpenShift 4.3 and we say, hey, 4.4 is available, they determine when is the right time for them, and even though we'll roll through like I mentioned earlier, they still control and determine when that upgrade will take place. All they need to do is click the button and then we take care of the rest of the magic for them. Essentially the way it works is we take the first node, we drain all the deployed pods from it, once it's quarantined then we reload it top to bottom, when it's online and healthy we move on to the second node, third node, so on and so forth, until we've completely rolled through your cluster's capacity.

We also support worker node auto recovery. You know, the reality is we're just dealing with hardware and software, so things can and will go wrong, so it's really about again simplifying the operations, building in that Chaos Monkey mentality when we're building our apps and ensuring that they are architected to be able to handle those types of failures and outages. And then the last thing is worker node auto scaling, so as you need to add additional capacity you can do so and control when to scale up or down.

Designing your own cluster: you know, it's really about, one is about compute isolation choice. In IBM Cloud you could have shared compute, which is a single tenant virtual machine, multi-tenant hypervisor, hardware; just think of any public cloud VM. We also have what's called dedicated compute, where it's single tenant VM, hypervisor, hardware, so I'm the only tenant running on a physical piece of
hardware in IBM Cloud. And then the last option is bare metal; like I said earlier, if you need that amount of compute and resources in one node, you can get that as a part of the managed service. The other thing that we provide are something called edge nodes, and think about this as really just minimizing the attack surface of your cluster. So instead of one worker pool where everything is running, now I've got an edge pool, and all of my inbound and outbound traffic route through this; there, my IPS and my IDS are all running. My actual containerized workloads are in a fully separate pool that only have private IBM backbone networking, so again, just adds a layer of protection.

From your workload security and isolation, you know, obviously we could spend an hour on this one. A few other things that we enable here for our users: we use LUKS encryption by default on all of the secondary drives where your containers are running. If you are running some high performance workload you could opt out of that, or, you know, whether it's at the worker pool or cluster level, so you can determine the amount of encryption and the isolation that we talked about before. We also integrate with image signing with Red Hat Notary, so that way you can ensure that images have not been tampered with from container registry to deployment.

The fourth thing is around extending your apps with IBM Cloud services, and I briefly touched this earlier, where IBM is really focused on these higher value services. We acquired The Weather Company a handful of years now, because weather impacts all of us, or other industries; having that weather data can make our apps smarter and they can make our engagement models more engaging with our end users, so really focused on that. The other thing that I'll mention here, and we'll see this in the demo, are things like integrating with IBM Cloud Identity and Access Management, so now I can be very fine-grained and prescriptive over the amount of control that I give users, because some
of my customers will create different clusters for different teams or different stages of that application's life cycle, but other customers will create a larger, internally multi-tenant cluster, such that within that I've got different projects, and I've got team A in this project and then I've got team B in this one, and I can give access down to that project level, so it allows me to control and leverage my underlying resources much more efficiently.

The fifth thing: you know, open source, obviously very important to IBM and Red Hat. Both have not only been core contributors to these technologies but also consume and build our commercial offerings on top of open source. So that was, you know, really, obviously Red Hat and IBM have been partners for over 20 years, and bringing the acquisition last year just brings that to a closer relationship where we both continue to contribute and run these open source projects, so I think that's great. When I talk to customers, obviously they want this whole eliminating vendor lock-in, and that's what container technology has given them, so now they've got that ability to package up their apps and all their dependencies and have that movement. But the reality is these open source projects are hard. When you look at all the components that go into OpenShift and into our Managed OpenShift offering, there are a lot of open source projects, so let IBM and Red Hat handle the complexity: so if an update in one community, ensuring that it doesn't adversely affect anything else in the stack, or making sure that when new updates are available that they are in fact secure, upgradable, operational, you know, all of those things that are important to you as end consumers of our offerings.

And then the last thing is around integrated operational tools. As I've said several times, OpenShift is a platform, so there's a lot that comes baked into OpenShift itself to have that consistency anywhere that it's running. In IBM Cloud we also have managed services,
whether it's monitoring or logging or security tools, that can live outside of the life cycle of an individual cluster. You can also leverage those from other compute choices or other solutions, whether it's in IBM Cloud, other cloud, or on prem, to give you operationally that consistency. Now the great thing is that if your customers have already chosen some other vendor to provide monitoring or logging or security or CI/CD, you know, fantastic; no one is advocating that you scrap what you've invested in. Then those technologies, you can deploy those very easily in OpenShift and send those metrics out to your, you know, the source of truth, whether it's a SaaS offering or something running on prem, and again your operations teams don't need to learn the new model of managing an environment even though they may be running Red Hat OpenShift on IBM Cloud for the first time. It's really about consistency and easing that adoption curve.

One quick topic before I jump into the demo is around IBM Cloud Paks, and I want to talk about that briefly just to kind of make sure everyone is aware of what we're doing, and I'm sure we'll have a deeper dive into these as we proceed through these sessions. A Cloud Pak is basically, think about IBM bringing its standard middleware stack of applications and capabilities to a containerized ecosystem. And from a Cloud Pak, if I'm a software seller, obviously want to be able to sell that Cloud Pak, that solution, to run on any OpenShift environment in any of these public clouds in a consistent manner. So OpenShift becomes that vehicle to provide IBM Cloud Paks in your data center, in IBM Cloud, or any of these other public clouds that are listed here. Today there are six Cloud Paks. You know, each of the Cloud Paks is really targeted toward an individual kind of use case or mission, so for example, let's just use Cloud Pak for Multicloud Management as our example. And coming back to this relationship with Red Hat and IBM: Red Hat owns the multi-cloud
management open source technology; they're developing it, then the Cloud Pak around it, which includes that and some other capabilities as well. So now I deploy this Cloud Pak for Multicloud Management and it gives me insight to my clusters running in different clouds, it gives me governance, it gives me access through a single pane of glass to these regardless of where they're actually running. So as I said, each of these Cloud Paks can run anywhere. My challenge as the offering owner in IBM public cloud is how do we make IBM Cloud the best place and most optimized place to not only run OpenShift but also Cloud Paks. So the things that we've already talked about with Managed OpenShift around our compliance and our security isolation, all that operational experience, that's all consistently true here as well to run that Cloud Paks, but a few other things that we've done to make it easier. The first thing is around discoverability, and that's really with our IBM Cloud content catalog, bringing content or software as a first class citizen to IBM Cloud. So now you would discover all of the Cloud Paks that are out there, other software from IBM and Red Hat, so discoverability is easier. Now I find this Cloud Pak for multi-cloud manager and I think, you know, that sounds pretty awesome, let me deploy it. Now through a one-click installation with IBM Cloud Schematics, which is, I mentioned earlier, that's our Terraform and soon to be Ansible based infrastructure as code offering, I can deploy that to an existing Red Hat OpenShift on IBM Cloud cluster. Now I've easily discovered it; number two, I've easily deployed it. Now I'm running that Cloud Pak software stack in my OpenShift cluster; now I've got all the benefits around deploying and lifecycle management right here. Now I can leverage that Cloud Pak for what its real value is, whether it is a multi-cloud management solution or Cloud Pak for Data, which is going to look at my existing data lakes and analyze that and help me make more
cognitive and in-tune decisions around that data to enhance my end user experience.

So with that, let's jump over to a demo. I think, you know, that will speak louder to kind of what we've just talked through. Diane, I'm sure you'll jump and yell if you cannot see my web browser, where I've logged into IBM Cloud. You can see my overview dashboard of all my resources, all the things that are happening, whether it's maintenance or my usage, my users; all that is a quick overview when I log into IBM Cloud. Let's jump into the catalog, and you'll see here, before I look at this, this software tab, that's what I talked about with bringing software as a first class citizen. I can select Cloud Paks and I can see all my Cloud Paks that are available. Let's go back and take a look at the offerings, because that's what we really want to demo here today. You can see right here under my featured, or I could navigate under containers, and I can see Red Hat OpenShift on IBM Cloud. Of course my login has expired, so it always works out best for a demo and I have to log in in the middle; it's hard to plan that any better. So this will load here and it'll take me back to my landing page for Red Hat OpenShift on IBM Cloud, where I've got some, as I get started, some basic cluster information. So what do I want to call this? Nothing better than calling it demo. Under resource group here I could, this is what I talked about earlier with allocating resources to different people within my IBM Cloud account, so maybe this is going to go to my prod resource group, because this is a very important demo cluster. I could also tag it so that way I could find it later. As I scroll down here you'll see location. Now here I've got single zone. We support all six of the existing multi-zone regions, or MZRs for short, and 35 single zone regions, or SZRs, so if I needed to deploy something in San Jose or in Montreal or Toronto, when I create a cluster there, the masters, the workers, everything remains in that boundary. So when I
talk to customers in Canada, you know, especially they need to ensure that data, logs, etc. are not leaving the Canadian boundary, so now they've got that option: they could deploy to Montreal or Toronto and have that isolation. You can see it's out here querying that I have no VLANs in those data centers, so it would go ahead and create one for me. Let's go back to multi-zone, because I think that's slightly more interesting in that original capability at cluster creation time. So under geography I can search whether I want to do AP or Europe. For this example let's just pick Europe. Under the metro I can do London or Frankfurt, and we'll use Frankfurt here, so these are the three different data centers that I talked about. No VLANs there either, which is no problem. Let me scroll down. So now we've got our default worker pool. Today we're GA on 3.11. When we developed this offering it was during our acquisition quiet period, so we couldn't actually talk to Red Hat and say, hey, this is what we're going to build, what do you think? We had to go build it. Once the acquisition closed, then we could go back to the team and say, hey, look, this is how we run it, this is how we operationalize OpenShift, and then go from there. Based on that, we needed to do some joint work with an open source project called the hypershift toolkit, which basically enables how IBM manages our infrastructure. And what that means is when we create this cluster, the master nodes deploy to my infrastructure account in a separate cluster, then the worker nodes deploy to your infrastructure account in a different cluster. So that's where this joint collaboration with Red Hat's OpenShift team and my team came into play to make that a reality. So now we're currently in an open beta on 4.3; we will GA on April 1st, here in just a few weeks, so we're very excited to be able to get this live and out the door for our customers. So let's use the beta because that's more exciting. On the left hand side I've got some filters, so
as I mentioned earlier, if I want that bare metal or different virtual machine isolation choices I can select that, and then I could scroll through and read different, basically, t-shirt sizes or flavors with a baked-in amount of virtual CPU and memory. So, well, let's just use a 4 by 16. Here's the encryption, that LUKS encryption that I talked about; you can turn it on or off. And then, you know, how many nodes do I want in each zone? So when I think about my Frankfurt 02, 04 and 06 data centers, by default I'm going to put three workers in each of those zones. And then the last little check is I've got an infrastructure permissions checker, because if I'm running a multi-tenant account, maybe I've given you access but I'm not allowing you to create and deploy resources, so then you would see a red X in here that says, you know, maybe you don't have the right permissions to create networks or storage. This is my account, so you can see that I could go ahead and deploy it. One thing that you'll notice is that because this is a beta, we're not metering and billing for the OpenShift license itself. Once we GA, all beta clusters will be removed after 30 days and you'll have to redeploy new production clusters where we are in fact metering that. So I'm going to click create and it'll go off and churn. Once this jumps me out to the right page, you know, since that will be less exciting to watch that deploy, let's take a look at something that's already running in IBM Cloud. On my left hand nav you can see I can take a look at different types of compute or resources that I'm running in the catalog. When I look at my OpenShift clusters landing page, here's the new guy, you can see him, he's off and churning and creating my master nodes and getting that ready to go. For this example let's take a look at, here we go. So when I look at my cluster, again I've got a big blurb across the top, which again doesn't play very well in a demo, but it's telling me that this is a beta cluster and it will be purged after we
GA, but I get a lot of relevant information to my cluster: the ID, the version, where it's running, my ingress subdomain, which is a very painful long name. Obviously if I'm running production workloads I'm going to bring my own domain name to this, so that way it's just chris's app.com, not this whole big arbitrary name, so you can do that as well. Under worker nodes I can see additional detail around individual nodes: what's the flavor, what are their public and private VLANs, what's their hardware isolation choice. And this is where I would do life cycle management, so here I could select all three and say update, and it's going to take me to 4.3.5 1514 and say, yep, let's do it. So let's go ahead and do that update, and like I said earlier it's going to roll through: it's going to take this first node offline, reload it, second node, third node, so on and so forth.

Worker pools: it's a fairly common construct. The first time, I created default pool. If I later said, well, the 4 by 16, it's not big enough, I need some larger, some additional capacity, obviously I can't change that on the fly, but what I can do is create a new pool. So I call this pool 2 and I need this to have 16 by 16; my apps are very CPU intensive so I need that. And here I could create a multi-zone pool or I could keep it as a single zone pool, so now it's all running in Dallas 10 in this example. Now I say, yep, let's go ahead and create that. Let's jump back out. But it allows you now in this model, if I wanted to, now I could delete the default pool and essentially will automatically redeploy anything from that pool to the second one, so that's how I would grow and expand and add new capabilities.

This other tab is called the add-ons tab. These are things that IBM is managing as a part of the overall offering, so we've got something called the diagnostics and debug tool. I'll open that up here, and that will essentially allow me to run some queries against routes and against other services that are a part of my managed service
and make sure that they're running properly. Gives me some great insight, so as I start to troubleshoot things and try and figure out, you know, that networking, is that something in my YAML, really try and identify the root cause of that problem. And then the last tab is DevOps, and so this is bringing from a broader view of CI/CD tooling from IBM Cloud, which is moving toward the Tekton base. If I've got some workload, if I already had a CI/CD pipeline deploying to this cluster it would show up here, but I don't, so this would allow me to create that toolchain that lives outside of that cluster. So now I could be deploying from here to this cluster or to other clusters running anywhere, consistently, so it kind of gives me that ability to control the CI/CD tooling, again whether I want to do it directly in OpenShift or if I want to do it from an IBM Cloud services capability.

The last thing that I want to show, because I talked earlier about a native, consistent user experience, which is obviously really important for our users: if you're using OpenShift on prem or in any other cloud, you want the same capabilities when you come and try Red Hat OpenShift on IBM Cloud. So things like making it easy, one click to get out to the OpenShift console, you can do that. You may have seen that I got asked to reauthenticate again; security extremely important here at IBM, so we need to make sure that we're checked and updated. But once I do get in, now I've got access to the same capabilities that you would see in OpenShift 4.3 anywhere. I've got my administrator view; I could go in here, I could discover operators, I could go up here to the dev console, I could look at my build, my pipelines, my deployment topologies; I can see all of that in this cluster. So, you know, obviously this call is not meant to do an OpenShift 101; we're assuming that you already have that level of experience, and what I want to show is that it's the same capability, again whether you want to do it from the UI or the CLI
and start running oc commands; you can do that either model with that same consistency, that same ability to bring your existing YAMLs and apps and run that in Red Hat OpenShift on IBM Cloud just as you would whether you're running on ARO or OpenShift on prem or you stood up something on your own IaaS. Consistency, simplifying that ease of getting started. So with that I'll take a pause and see if we have any questions.

There have not been any questions from outside, but I've actually learned quite a bit about things that I hadn't realized about the IBM offering, including the HA availability, bare metal and the edge stuff. So I think maybe when you get to the end of this, if you can talk a little bit more about how to go about using maybe the bare metal or that piece. And also totally blown away by getting to see 4.3 beta live demoed, so this is totally on target with what you're delivering, so keep on motoring on here.

Excellent, that's good to hear. The bare metal: so one of the differences that you'll see, and it's the same flow, if I create something like some bare metal, generally the use cases that we see there are two main ones today. Number one is, you'll see some of these flavors, and I can even filter over here if I can find it, extra storage for software defined storage, and this is providing additional local disks. You don't need to use file, block or object storage from IBM Cloud IaaS; it's directly built in to that flavor and now you can consume that. One of our largest users runs all bare metal with this attached local disk; that way they have the ability to be able to run that workload, keep all the data in proximity for much faster compute time. The other use case is really around, you know, machine learning, or we have a lot of data scientists that are running workloads, and that allows them to run that in a very, you know, resource intensive manner. And what's great is that I don't have to be an IaaS admin when I deploy this. If I select this and it goes and deploys, IBM is going
to handle deploying that bare metal server and all the life cycle, so to you as a consumer it just looks like bare metal resources that I'm deploying my OpenShift worker nodes to. I'm running my workloads there; I could pin workloads to particular pool or cluster if I needed to, to have access to that amount of compute and resources.

That's awesome, and probably the easiest deployment on bare metal I've ever seen, so that's great to know. And just on the support for 4.3, do you have a timeline for when that might go GA?

Yes, so we've been working with a number of customers on the beta, getting their feedback, working very closely with the OpenShift team. They've just got us some fixes this week, so we're excited; we should have everything tied out with a GA announcement on April 1st. So everyone keep that between us friends right now, and stay tuned for all of the blog announcements and all of the Twitterverse noise that will happen when we are virtually popping champagne, since we all have to be isolated from each other right now.

Yes, I will be popping a bottle here at home as well. It is an interesting choice of dates, April Fool's Day, so maybe it's auspicious, maybe it's not, but I'm really looking forward to seeing 4.3, and you may actually be the first managed service to support that release, I'm guessing my dates correctly, so that'll be really something to celebrate. I'm not seeing any other questions in the chat at the moment. Hopefully we will get more beta testers and a lot of people using this. One of the things that always is the toughest is getting all those industry level compliance offerings, and so I'm pretty impressed with that achievement on your hot path with OpenShift. So I think you're going to see some real interesting use cases come your way. So looking forward to having you back again soon, Chris, to hear from your customers and more feedback on OpenShift. So thank you very much for taking the time today.

Absolutely, thank you very much. If anyone
has questions afterwards, again my contact information is up here and we'd love to hear your feedback. So thank you.