Well, hello everyone and welcome to another video of Red Hat OpenShift Container Platform. I'm Dave Muir. I'm a Principal Solution Architect at Red Hat and I'm focused on our Security ISV partners. So in this demo, I plan to show an integration between CyberArk and Red Hat OpenShift. This can help organizations strengthen security in Kubernetes clusters across production and development environments, whether that's in multiple clouds, public and private, and this is all implemented without impeding your DevOps velocity. So in this demo, we'll look at a quick solution overview, I'll show a couple of architecture slides, and then I'll give a demo around CyberArk's Secretless capability.

So managing secrets across Kubernetes clusters in a hybrid, multi-cloud environment can be very challenging, and especially risky. It can quickly lead to secret sprawl and greatly expand the attack surface for bad actors to exploit. So if you're looking at this diagram, there are many different integration points where secrets are needed, and you can see that secret sprawl can get out of hand pretty quickly. And so, building on the security features baked into Red Hat OpenShift, CyberArk centralizes secrets management in a secure vault, automatically issuing and rotating secrets across containers and clusters and any type of cloud, either public or private.

And the value of this joint solution can be summed up with three key points. First, it's secure. It essentially manages and secures secrets according to your policies across multiple clusters and clouds. This eliminates that secret sprawl and shrinks the attack vector. Second, it's simple. This enables developers to secure, manage and rotate secrets with really no need to write code or make script changes. And third, it's a comprehensive approach, allowing you to consistently secure secrets used by your containers, your automation scripts, as well as your people accessing platforms and management consoles.
Now, if we take a quick look at the CyberArk Secrets Manager on Red Hat OpenShift architecture, there are three parts to call out. First is the Conjur leader, which is deployed outside of OpenShift and holds the repository of secrets, policies and all Conjur services. Then, within OpenShift, Conjur followers are running in one or more pods. These are read-only replicas of the leader. And finally, you have a handful of options to implement authentication to the Conjur follower and retrieve secrets for your application.

One option is actually to retrieve secrets directly from the CyberArk Secrets Manager using REST API calls. A less intrusive option is secrets injection. This provides secrets as dynamically created environment variables rather than requiring the application to retrieve its own secrets. CyberArk provides an open source solution called Summon, which runs in an application image and retrieves secrets for your applications. But the most secure and least intrusive approach for handling secrets is with Secretless. This solution uses a Secretless broker. It's a container that authenticates the pod, retrieves the credentials and establishes connections to the databases, the web servers or SSH servers without the application ever having to access those credentials.

Secretless further strengthens security by reducing the attack surface, because those secrets are not exposed to the application code or to the developers. This also simplifies life for your developers and your operations staff, because there's no longer a need for developers to directly integrate with a secrets management solution or learn how to code to its APIs. And your operations staff can provision and remove access more easily, because there's no need for each application to interact with a secrets management solution. Alrighty, let's jump over to the demo.
If you're interested in learning more about this demo or following along, you can head over to demo.openshift.com and choose the CyberArk Secrets Management for OpenShift Workshop navigation item. That'll show you a page with a link to this lab guide. And if you're interested in doing a workshop within your organization, feel free to contact either CyberArk or Red Hat and we'd be happy to provide it for you. I'm going to show you one of the labs of this workshop. It's the fourth lab, around Secretless, and everything you need to do within the lab is contained within the installation.

So if I go to my user project here that I'm logged into and I check out the workloads, I can see there's a lab admin pod running. This provides all the documentation and scripts you need to run this demo. So if I go in here and go to the terminal, I'm just going to go ahead and expand it and run a bash command. That enters me into this container, and you can see labs 1 through 5, these different labs and demos that you can walk through. So I'm going to cd into the Secretless directory. If we take a look at that directory, you can see a bunch of YAML that's created. So one of the first steps that you would run is to use this lab cuddle command line. So lab cuddle has various options. It can create the YAMLs you need for the actual demo. So I'm just going to create the YAML files again.

And let's just take a look at the app Secretless policy. This policy loads into CyberArk, and you're going to use it with this Secretless broker that we just talked about. So let me go ahead and run the load policy for my user. You can see this created the role. Now I want to take a look at the Secretless YAML. And this is really the key part of the demo. And you can see here that by using Secretless, you're not storing any sort of sensitive information within configuration files. So username and password are all parameterized. And then they use that keyword to grab the secrets.
The application, the container, the developer have no idea what the credentials are at this point. So in this case, I'm going to create a config map with this Secretless information. If I do that, it goes ahead and creates it. And then we'll take a look at the app that we're going to create. So this app is a simple app that connects to a MySQL database. And it will be running as a pod as well. And it's going to use those Secretless credentials. So let me go ahead and create this application.

All right. So if we go ahead and take a look at the pods that have been created, you can see that we have lab admin, which we're in right now, and then the Secretless app that was just created. So in fact, let me just jump over into the UI and show you those two pods running. Here's that app Secretless pod. By the way, I'll take a look real quick at the config map. This was created as well. You can see those keywords there that grab the Secretless information. But let's go into the app pod here. And that comes preloaded with a bunch of scripts as well. So in this case, we are actually going to take a look at the MySQL Secretless script. It's pretty simple. It just tries to connect to the SQL database. So let's go ahead and run it. If you think about what's happening in the background, that is actually connecting to a MySQL database without understanding or knowing what the actual secrets are to connect to that database. Let's go ahead and just show the database here, just to show you that we are connected to a MySQL database.

And really, that's it. It's a pretty straightforward lab, but it shows you the power of the Secretless approach within CyberArk. Alright, I'd like to thank everyone for watching how CyberArk and Red Hat OpenShift can simplify secrets management across your hybrid and multi-cloud environments. And to learn more about this demo, please head on over to demo.openshift.com.
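As an added illustration of the Secretless pattern described in the architecture section and walked through in the lab above (this is not the workshop's own YAML), here is what a Secretless Broker v2 configuration in a ConfigMap and the sidecar pod look like: the app only ever talks to a local port with no credentials, while the broker resolves username and password from Conjur through the `from: conjur` keyword. The Conjur variable paths, the MySQL and follower hostnames, the authenticator URL, the image names and the service account name are all assumptions.

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: secretless-config
data:
  secretless.yml: |
    version: "2"
    services:
      mysql-db:
        protocol: mysql
        listenOn: tcp://127.0.0.1:3306      # app connects here, localhost only
        credentials:
          host: mysql.demo.svc              # assumed DB service name
          username:
            from: conjur                    # keyword: resolved from Conjur at connect time
            get: app-secretless/db/username # assumed Conjur variable path
          password:
            from: conjur
            get: app-secretless/db/password # assumed Conjur variable path
---
apiVersion: v1
kind: Pod
metadata:
  name: app-secretless
spec:
  serviceAccountName: app-secretless        # assumed pod identity the broker authenticates with
  containers:
  - name: app
    image: registry.example.com/demo-app:1.0   # assumed app image
    env:
    - name: DB_URL                          # no username or password anywhere in the app
      value: "mysql://127.0.0.1:3306/demo"
  - name: secretless-broker
    image: cyberark/secretless-broker:latest
    args: ["-f", "/etc/secretless/secretless.yml"]
    env:
    - name: CONJUR_APPLIANCE_URL            # Conjur follower inside the cluster (assumed)
      value: "https://conjur-follower.conjur.svc"
    - name: CONJUR_ACCOUNT
      value: "default"
    - name: CONJUR_AUTHN_URL                # Kubernetes authenticator endpoint (assumed)
      value: "https://conjur-follower.conjur.svc/authn-k8s/demo"
    volumeMounts:
    - name: config
      mountPath: /etc/secretless
  volumes:
  - name: config
    configMap:
      name: secretless-config
```

If the app container is compromised, the attacker finds only a loopback address in its environment; the database credentials exist solely inside the broker container and in Conjur, which is what shrinks the attack surface the demo talks about.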