Good morning, good afternoon, good evening. Welcome to another edition of the Data Services Office Hour. I am Chris Short, Executive Producer of OpenShift TV. I'm joined by the one and only Michelle Dupama. Michelle, how are you today? I'm good, how are you? Long time no stream. Yeah, long time no see indeed. I'm good as well. I hope you are up there in Canada and you're in the lovely city of Toronto. Yeah. So we are talking about vault. We're going to lock some stuff up today. We're going to throw some data in a vault, lock it up and put the hell out of it. Yeah, absolutely. Yes, so we're going to encrypt some stuff and it's a pretty straightforward demo. I think I'd like to show you how to do that, how to configure ODF, OpenShift Data Foundation, to encrypt at rest cluster wide. We'll talk about some stuff that's coming in the future, but I won't demo it. We'll just kind of talk about it. And then if we have time, it would be nice to show off some of the changes in access.redhat.com under our product area. Yeah, you've made some awesome improvements to like a lot of stuff in the past couple of weeks, months. Yeah. We're trying, we're trying. Okay. You're doing a good job. Okay, so I'm going to get started. We're going to, let's start. Level set here. What are we doing? Okay, do you want me to, I can send you this URL. I got it. I got it. Okay, cool. Yeah, I checked my email. Did I say, okay, I'm organized here. Okay, so this is our OCS training page. So I just want to take a moment to shout out to my team about this wonderful site that they set up. So we're full of, our team's full of practitioners and there are, they just, they really put together wonderful training. And it's just, I highly recommend that anyone who's thinking about ODF or has ODF come to these pages, go through them. You will learn so much just by picking one and going through it. CLI based installs, anything you need. So the one we're going to focus on is this one, external KMS encryption. 
And we're not actually going to do all of these steps. I'll go through it a little bit, but we're going to start really down at 2.4. Ah. Just because, because there's a like, cutting these things, there's no point. Yeah, yeah. So, all right. So before we get there, I will go over the overview. So, okay. So the important points are right here. So, you're going to ask me why we want to encrypt our cluster. Yeah, like, what exactly are we encrypting? Are we encrypting everything in the cluster? Are we like, why are we doing this? Like what regulatory things are we trying to get around here? Like, why do people need to do this? All right. So some, so there are different levels of paranoia, right? So you might just have to worry about hardware theft, straight up hardware theft. Someone comes in your data center, picks up something and walks out and you want to take care of that. That's common. You may also be in an, I have certainly worked in industries where all data at rest needed to be encrypted and stored, right? So when the auditors come in and they say, how can you know, like you just, you just want to check that box, make sure it's done and handled properly. So there can be more than that. There can be PV level encryption, which would think about that as isolating apps from each other. So, you know, a great example would be payroll stuff, HR stuff, things that should be encrypted, running in a namespace on your, you just want to take that extra stuff to make sure that there's isolation there. The key things to note here, one is cluster wide encryption is GA in ODF 4.7. PV level encryption is tech preview. So I'm holding off on the demo for that until it's, until we're further along, unless we find people really want to see it. Maybe we can schedule another one or something, but I'm just going to hold off on it. And the other thing is going to mention, you can combine these two as well, but be aware that PV level encryption is tech preview. So cluster wide. 
PV level would be for apps, right? Like this app is a finance app. It has to be encrypted, you know, Sarbanes-Oxley says I have to encrypt this thing or my entire cluster or whatever, right? Like there's all kinds of reasons. I feel like encryption is a good idea. Like almost by default now, I feel like it would be nice, right? Like if someone pulled a hard drive out and accidentally left it somewhere that it didn't contain my social data, right? Or my PII, for example. Yes, yes. Yeah. Okay, so having said that though, because we have had encryption for a little while, you want to make sure that your encryption keys are not stored with your OpenShift cluster, right? You need to, you want them outside. So this is where this feature comes in. And of course we've, the first KMS support is HashiCorp Vault, right? Which is popular. The most popular one out there, yeah. Exactly. So that makes total, total sense. So one of the things to note, so that's for cluster-wide encryption. One of the things to note for PV level encryption is that it actually only stores the access key involved. The rest is still stored in OpenShift. So this is part of why I didn't want to demo it yet. I'm like, you know, more things are coming. It totally has a place in a use. We can just look at the document and you can test it out, but it's not production. I don't want to encourage people to think about the PV level encryption as production yet. So let's look at cluster-wide. If you accidentally did that right now, it would probably end up in a weird state. Well, not probably, but it could end up in a weird state because it is tech preview and not GA, yeah. Right, can't call support. Excuse me. You can't call support and say, I'm running this tech preview thing in production and I'm having trouble. So that would just freak them out. So don't do that. Wait for it to become true. So, oh, just, I'm going to commit to saying ODF for the entire show. Okay. Fair enough. 
Anyone here can say OCS? Call it out. I'm just... All right, you heard it, audience. You hear OCS, drink your coffee and yell at Michelle. Yeah, yell at Michelle, exactly. Okay, so... I should have like the word of the day thing. Like remember that one show and then like everything lights up behind me when you say it, that'd be really good. Yes, that would actually do it. If we did, yeah. Okay, so next show for sure. But by then I'll have to memorize it that I've changed news. Okay, so here's our setup. It's very straightforward. We have OpenShift 4.7. I will prove this to you. Not there, but here. OpenShift version. I'm going to show you how to set up Vault. A very simple, really simple Vault install. And then we're going to install ODF and we'll talk about the steps there. So, and primarily... So Vault is running on my Bastion host, my jump host. Obviously, you got another box where Vault is. Yes, it's not in my cluster at all. It's outside. So, and also you really only need a few things out of Vault. And I'm mentioning this because chances are our customers are actually turning to a security team for Vault, right? Like it would, it's probably unusual that your storage people are actually running the Vault server itself. They're going to go to their security team and say, oh, I'm trying to do this. Can you please create the following? So, we will go through that so that you know what you're asking. I would think given the show or the channel's makeup there's actually probably a lot of people that are worried about storage and encrypting it and Vault. And they probably need to figure out like that picture and what they need to do to get to where we want them to be as far as encryption at rest. And I would hope that anyone on the security side watching this and listening in or going through the stock to be like, oh, great. It's totally standard in terms of the way they use Vault and what have you. So, you want to get started? Hang on. So, I really, okay. 
I'm going to talk through the steps 2.1 to 2.3 and then we'll start with 2.4. So, my jump host has to install Vault and all this fun stuff. Yeah, yeah. It's already there. La, la, la. Uh-huh. Oh, you got it. Hang on. I'm going to type. I'm learning to type. Give me a minute. It is early. Right? It is early. Okay. So, it's there. I've done all, not for brute, not brute, but I did this. I downloaded. Yep. Perfect. Did all of that. We're going to use HTTPS because I think that that's the way people use it, right? That's the way it should be used. You shouldn't be passing your secrets in the clear. Totally doing it that way. So, what I did, I already ran certbot, I already did the Let's Encrypt, right? But if anyone needs it, here are the commands you need to know for certbot. They're really actually quite handy. And like copy, paste. There's that. And then this little piece here, right? So in AWS, I did go in and add a nice domain name to my jump host, which I, you know, not the, not the Amazon name, but a real actual domain. Like an actual domain. Yep. And then down here, all of this happened. All of this worked really well. And I also copied everything into the right spot. Let's Encrypt is such an amazing, amazing thing, right? Like it's changed the internet, right? Like seriously, like most sites on the internet weren't encrypted before that they came along, right? And now it's just like, why isn't it encrypted? Literally, it's like one of these commands, put these in the right place. Okay. So, and I was careful to make sure that the name, I didn't change any names. Like I really wanted to follow this wonderful document and get everything right. So, I did this, the important, I didn't miss it this time. I like how they highlighted that. Yeah, yeah. And I actually, let's have a look at mine, but I did this as well. So, I think it's there. It is, tada. So, let's have a look at this. Oh, okay. So, in the document, it's pointed out what you need to change. 
You have to, like, I did a full path to it and all that other good stuff. Here we go. This is what I got out of Let's Encrypt. Okay. And the only thing I really had to change was this. You have to, oh, TLS, like that's weird. TLS Disable, false. The double negative thing is really kind of like, it's hurting me for a little for a second. Change to true if not, okay. No, no, yeah. Design decisions, yeah, whatever. No, no, I had to read, yeah, it's actually... I'm sure you had to read that twice. So, and then I changed all these pieces too. Here is my, that's the domain name, KMS demo kind of stuff. And the port, notice the port and just this, all this information I already just decided to put in because otherwise I'm sure at this hour of the day I would get the, when you're pasting wrong or the typing wrong, so I did it. Nice. Otherwise, yeah, I was gonna make you do it, but you know. I know, then sadly this was not the morning for me to do things. So I made these directories, here you go. They're all there. What you need is the word under them. Everything is exactly as it should be. We just looked at this file right there, okay. So we're at 2.4. So if you take a look at this, I have this already in my history, hang on a second. And it's gonna run in the foreground and I'm okay with that. Done. All right. So this just runs and we're happy. We'd actually, there's no information here that I need to store at this time. There will be information when we create the dedicated KV store, but we're up and running, it's happy, you have some. And now I could go here, but I don't have, it's not initialized. Let's do that from the CLI because I think it's a little more useful to do it from the CLI. You'll see, I'm following the document exactly, which I just adore. So here's the output, same output. We're gonna do this in another window, hang on. Yeah. Oops, there we go. Oh, and I wanted to, sorry I'm getting set up, give me a minute. No, it's fine, fine, fine. 
There we go, that too. All right, this is also, I'm just skipping the verify on the HTTPS. So we do, let's do a vault status. So the other one I have in my history is, okay, so I'm setting the vault address. This URL was actually in, where is it? Sorry, here. Here, yeah. It's in my histories, I'm just showing it to you, but so that's like what you have to know. I know this because I set this up, right? I went into DNS and I set up the record and da-da-da-da. So here we are, we set this. Normally someone's gonna hand you that, or you know it already because you set up the vault yourself. Correct, correct. That kind of thing, yeah. Right, so this is unusual in that we are setting this up. Normally someone would just say, here's your address, here's the port, here are your keys, blah. And you would just be off and running. So. I would say it's like, I mean maybe in larger organizations, that's the case, but I mean, I probably know, like if someone is running OpenShift for their organization, they're running all the stuff attached to it as well, probably. So if they needed vault, they would probably have it somewhere for like their IT department or for their application team, whatever it may be. I feel like vault is portable enough to where you can just say, hey, everybody gets a vault, here's a vault, here's a vault, you know, that kind of thing. Hang on a second. And now see, I said everything was gonna go smoothly, look what happened. No, no, no. I changed it. Mm-hmm. Let's go check. Did I say everything I need to set? Probably not. Well, you have vault running on foreground, is it throwing an error? Oh yeah, we're gonna go see if I'm seeing anything. It's on this one. Nope. That looks good. It all looks good. What did I do wrong? It's early, that's what it is. To the docs. This is why docs exist. Hang on. No, I didn't set something properly. That is what it's, we're running the data status. Ooh, I can, did I set this properly? Let me check it again. 
Good question. We can do. Oh, that was it. Wanna do this? Well, that's the listener IP. I mean, that would mean something's busted in your DNS, which means you're gonna have bigger problems. We will. Here we go. Hang on a second. So let's see, let's see. All the DNS stuff should be still be in place, but let's see, I also, I did, my security group rules on AWS are probably a little restrictive, so. Good point. That will be interesting. I may have to just open them up for like while we're here. I'm okay with that. Okay, so here we are. Vault status following what the documentation says. So at this point, we're initialized, but we're also sealed. So maybe some security vault people can talk more seriously about what that means, but it's already been initialized, but it's still sealed, I don't know. So we, if I run this, I think I'll get an error because I've already initialized. Should I run it again? Don't do an init twice if you've already done it. So then. But if you're sealed, I think you kind of have to, right? Right, don't I need these keys to come out of it? Yeah, like, I would do that, yeah. Right, so. So you're sealed. Okay, so it says it's already initialized, fine. Okay. That's okay. And then, so I do have my root key from before, I have my initial root token, and I have all, I usually keep like. Vault operator unseal, there we go. Yeah, so let's do the unseal. And I'm gonna show you, hang on a second, where are my keys? You know what? I probably stuck them under here because I would do that, right? I totally do that, sorry. So. All good. All vault notes. There's nothing else in there. Mm-hmm. Hang on a second, I'm gonna go through it locally. Now you're gonna get to see me do my stuff, hang on a second, I'll do another brass one here, yeah. Okay. Audience, please let me know if you can't read this for whatever reason. Yeah, yeah, yeah, it's just like, well, okay. So I do office hours, encryption. Nope, that's not what I wanted. Old notes, there we go. 
All right. Okay, here we are. So let's do, we were gonna unseal, right? That was our next. That was our next step, yeah. Okay, one of three, unseal progress, uh-huh, uh-huh, uh-huh. Okay, next, no, wrong guy, wrong window, here we go. Nana, uh-huh, uh-huh. Okay, third one, hang on a second. We only need three. Raro. Maybe I did a copy-paste thing. Failed to encrypt keys for storage, cipher, message, authentication failed. That's weird. I'm saying a number of zero, three. All right, let me just make sure I've done everything right. There's a good chance I didn't. We didn't do this because it was already done. Right, and you already did the init. Oh, I know. Get the right. No, you know what, this is, I have to, I should delete the data under, I wanted to start fresh, that's why I can't keep it with me while I do that. No, go ahead, please. Apologies, okay. We've got music if you want it. It's like Michelle, come on. Okay, hang on a second. Data, yeah, I don't want any of that. Okay, oh, shoot that thing. Hmm, where am I? You said data. Alt. Yeah, I don't want it. I want, I want just the regular, I want the config, but I don't want the data. Okay, so let's go back to the running server. Sudo vault server config. That, that's what I want. And I killed it over here, perfect. Okay, so we are running. It should, not you, we are here. It's nice and fresh. So then I come over here. I should have, Do you need to do the init again, I think. Yep, need to do the init again, but I'm actually not on the right host yet. Oh, okay. Let's do the export of that. Let's do the export of the other one. There's one more, there's that one. That one, yeah. And now we want to do vault operator init. Do you need the CA key or the CA cert? I mean, Even for this, you think, let's see. Technically no, but you did it in the past. It looks like from your notes, I don't know. Oh, and actually, you know what we did. I did, we didn't use this. We used, We used the IP. Yeah, yeah. 
Well, let's try the DNS first. If it fails, then we'll do the IP. It was not working. Here, it's coming out. It should come right back. Okay, so. Just not good. I wish this was more verbose. Yeah, I'm sure it has it. Do you know, like, is it what? Debug or something like. Dash VVV or something like that. Okay, nevermind. It's not happy with this. Okay, so hang on. Let's just fix this. It's what happens. I said it was gonna go smoothly. Now you know, I can't say that. Yeah, this is like asking for trouble. Okay, here we go. So we need to, let's just save all of that. Right? I just want to save it. So we have it. Vault init notes. Okay, that makes me happy. Now we're gonna go back here and run operator init. No, we're gonna run unseal. Excuse me. Okay, so we're gonna do it from here. Voila. And the next one is. So I save this because it has the root key in it. And we're gonna need that to log in. Two of three. Hang on. Done. Okay, so no longer sealed. So that was my fault. By not deleting the data directory, we had to put that as fully my fault. If I had started truly fresh like I should have, it would have been fine. So we have done this, vault operator init. We have done the unseal. Save the information. We have saved the information. We did all of this. Our vault should be nice and happy. And we can now do this. Do vault login with the root key. Let me go back and get that root key. Hang on. And we'll also log into the web console for it. The vault root login. Vault login, root token. Okay. Okay. Happy. And then we can do this if we want to. Have a user pass on it. We can do this one as well, but I have to change something, right? Like. Yeah. What username, what password. We'll do Red Hat like for the demo. Okay. Okay. Oh, goodness. Remember your password. Okay. So we did all of this. We're good. We're pretty much set up. So this is where this, this is a part that matters. The creating the dedicated KV store. So. 
So you just got your quick run-through on vault setup. Now we're going to encrypt some stuff. Now we're going to start. Well, we're going to set it up so that we can encrypt it. Okay. So we're going to set the path to OCS, right? We're going to enable it. We set a policy. Someone who knows more about vault can talk more to this, but honestly, we can cut and paste it and it's, it's, it's done. So I really, this is fantastic. And we will do exactly that. So. Just click the copy. One at a time if you like. Oh, you're going to do a one at a time, okay. So you can see it. Okay. So we're enabling the secrets engine. We're going to set up the path properly, set up the policy. This is all so that ODF can actually use vault to store keys that you're going to see every OSD have, which I'll show you that in a second. You'll see as we get started, hang on. Michelle's getting her act together here. Okay. So important part that comes out of this, your client token, that's what you need from there. So I'm just going to cut and paste it. There we go. Into our document here. Well, we're going to need it later for setup. And you don't use the root key to do the setup. You don't want your own client token for your dedicated KV store. So we're good. Everything seems fine. Everything seems happy. We can go, we can go look at the web UI for KMS if we want. Hang on a second. Let me go back to the root token and I'll just show it to you. The idea is I want to show you that, well actually I can even, yeah, let's do this. I want to show you that while we create ODF, you'll see the keys getting created. That's really part of why I'm showing you all this. So here, let's see. Let's get rid of that key, put in this key. And if this doesn't come up, it does mean that I have to go open up my AWS stuff. I was about to say, it seems like you're... It's me, all right. So for the sake of the demo, I will preach security. Hang on a second. You might want to take that window someplace else. 
You might want to take, okay. If you don't want to. Where can I? Do you have only one screen? I do because I did this on my laptop. It's okay, we'll do this from the command line. That's the other way to see it. You can totally do it from the command line or I can stop sharing, do it and then do it while it's building. I just want you to not expose anything you don't want to expose. No, absolutely, you totally right. Okay, so let's switch to deploying ODF. This you've seen a million times. This is not really this part, right? Go to the operator, operator hub, type in storage. This should all feel nice and easy and familiar. Scroll down to see the Red Hats. It's going to be 4.7, yay. Yay, so many storage options, but this one is my favorite. Perfect. So we install and it's going to force you to make a storage cluster in a second. Everything, I'm taking all the defaults. Nothing special going on here. Okay, so it's not asking me about, do I want to start monitoring anymore, right? It's like by default setup. Ooh, good catch. Yeah, no, it's there, huh? I didn't notice. Even after having complained about such a thing, I didn't notice when they fixed it, shame on me. So we're installing and then I'm just going to go watch it here, right? So we have a moment. Yep. It's just going to take some time. All right, let me, I'm going to stop my share. Sounds good. Do my security stuff and I'll come back. Two seconds. Yeah, folks in the audience, if you have questions, feel free to fire away and I will do my best to answer them. Michelle is doing that. Yeah, I can. It's just a quick thing I want to do here. Hang on. Okay. This is what happens when I'm all restrictive, as I should be. Well, you should be. I mean, security is important and I would say it's kind of a part of everybody's job. At some point, that's just me, for why not? Let's do it this way. Okay, so here. Yeah, that, yeah. Okay, so I'm going to get rid of this. I'm going to percent again. Here we go. Yes. Okay. 
Hang on. All right. That's all done. Okay, so let's see. Is that the right key? Does not look like the right key. Hang on a second. I remember we had our initial root code. Oh, it does. You know what? Let me do this one, the client one. Is there anything? Permission denied. Why do I have permission denied? Again, I'm sure I've done something wacky. Are you logged in? Is there like? Oh, you know, you probably, let's sign out. Sign out, sign back in, kind of deal. There you go. Yep. Let's see. Ah, there it is. When in doubt, restart. Thank you. Thank you. Okay, so at this stage, the operator for ODF is installed. Let's check. Is that true? Yes. But I haven't actually created the storage cluster yet. So my vault setup is there. The KV store is there, but there are no keys in it. Let's go put some keys in it. So we go in here. We have to do this exactly what we want to do. And here, we start this stuff normal. I'm just taking the defaults on this piece. I've set up proper nodes, worker nodes for this. Yep. To the next page. To the next page. Ta-da, here it is, ready? Enable encryption. So what's it gonna ask for? Cluster wide encryption. Storage class encryption is tech, like you said, this tech preview. And advanced encryption, what does that mean? So, so we, I mean, I don't, yeah, I don't even know about the description part, but it's there. Here it is. You can test out if you want to just do PVs, but we're gonna do cluster wide. Yes. Well, to be honest with you, you should do cluster wide, right? Like, I mean, it depends on your environment. Yes, but if you're storing data, I would hope that you would try to encrypt it whenever it's being moved around or at rest. I mean, a dev cluster may not be interesting, but as soon as you're like staging production, yeah, you should totally be doing this. And it's easy. Like it actually is really, really, really easy. So we're gonna connect to an external key management service. 
And here's where I have to go to the documentation to pay attention. Okay. So, yeah, cause I'll mess it up. So service name, I think can be anything unique. So let's make sure, this is the install. Okay, we're skipping, we did this, we did this, we did this. That's all good. This is the operator install that I'm just scrolling through. It's all good. And here you can check it, right? We can do, but we know where we are. We're good. We're on the create encrypt and storage cluster. All right. So you did the installed operator bit. Oh, what are we doing here? Everything from the command line as well. I'm just showing it this way cause it's easier to see. Okay. So, can you hear me? Yeah. I just got that little like your internet connections unstable thing. So, okay. You know what? Zoom has been weird about that lately. It feels like, I've gotten that message like three or four times this week. No real issues that I've seen. Okay. So let me know if anything happens. Okay. So here we are, service name, number four. If you look at it, provide a unique name for your service. Call it anything you want. In the character string. Yeah. You just need a unique string here. We'll call it external KMS. And here. That matters. Yeah. But see my typo? Yeah. Did you have that? Oh, okay. Learn the hard way. So here, and it's a full URL. So I'm going to put in wrong one, wrong one. Here we go. So I'm not going to, I don't want to type it because I've already made that mistake. Uh-huh, uh-huh, uh-huh. Was it a pyre? Where was it? I'm just going to cut and paste it because I know better. Well, do an end, Finnitz. And you're, yeah. There you go. Just wanted to do like this. Okay. This is the default port of 8200. That's fine. And here we put in our client token that we create. Not the root just to be over here. Right. Because the root is for all of vault. Everything. Your security team's not going to even give you root. This is not going to be an issue for most people. Like. 
They won't have this kind of access. Yeah. So advanced settings. We need a little bit more, as stated in the document. I'm doing this because I know it, but in the document it will tell you, if you've been configured at HTTPS, you need to go into advanced settings. So we're going to do that now. Okay. We did everything. We did all of these steps, provide the security token generated for your dedicated KV store. And now we're going to do, this is where we start to specify our different parts. Okay. Advanced settings. Here's our path. Our path is OCS, because we made it that way. Nice. Because it keeps it simple. All right. The KMS service name is... Are you sure? This one. Let's check. Because I messed this up once and I had to go back and forth. Copy pasta. That's what I want. This matches the name of your external KMS. Got it. Okay. Vault enterprise namespace. Not using namespaces, but they have them. Right. In a sense. In fact, can you... Yeah, I don't know enough. Like somewhere in here I could show you they're not using namespaces, but we're not using namespaces in this case. We're simple. Okay. So, here come the nice things that we got from Let's Encrypt soon. CA certificate. Wow. Hang on. I will find them. Office hours. Encryption. All I have all my stuff here. Okay. So, this is the full chain. Right. Okay. That's one. And this is... Notice I have to check. Hang on a second. See, I'm not worried about getting it wrong. Hang on a second. Full chain. Oh, cert.pem. Okay. Perfect. Just wanted to check how it was named. This is cert. This one. And then the private key. Okay. So, we've got all of our information. I'm going to set it up. We're going to save it. And we say next. And then we say create. So, while this is happening, we're going to watch it. It'll start to do its thing. We can go see. Key's being created. Nothing yet. It takes this time. Hang on. Yeah. I mean, there's API calls involved and... Yeah. Yeah, it's how to do it. 
It's like Silicon doing math and yeah. And it should be progressing. We can do... We can watch stuff, but it's all good. So, we're just going to watch things happen. We're going to talk and wait for it to catch up. But for the most part, it's just... That was kind of it. We're going to do some more after this. We'll expand the cluster. You can see more keys get created. There's going to be one key per OSD. So, you'll see them start to show up. Oh, and I'm meant to mention... All this talk right now has been about data at rest, right? Because we're just focusing on cluster-wide encryption. We haven't talked about data in motion. So, data in motion encryption, not yet. Not yet for this part of ODF. So, the Multicloud Gateway has always had encrypted both at rest and in motion. It has an HTTPS endpoint, so... But we don't have that yet. And I don't have a roadmap for that for this part. But as soon as I do, we'll post it in the kind of what's new stuff. But as far as at rest goes, it's encrypted. It's all good. Hang on. Let's see. Are we still progressing? Progressing. All right. Let's let it finish. If nothing went wrong, everything should be fine. You get old keys, yeah. Yeah. Maybe it's just... Right, we did this. Usually, when I've messed it up, I get an error. So, this should just be a matter of time. So, we've signed in here, and this is instructions on signing into vault, which we've done here. And then I signed in with the client key. I want to see stuff. I signed in with the root key, excuse me. Nothing's happening. Come on, let's go. Let's go, let's go. What's going on with our node here? Yeah. TLS handshake error. That's weird. See number four, though. Did I... Did you put the right keys in the right place? Did I put the... Yeah, like if something's going to go wrong, it would be me hearing that, not putting things in the right spot. Well, more stuff's happening, so... Okay, here's something. There was a vault, KV... So, it started. 
Am I looking at the right thing? Why do I get it here? It might have just created it. Who knows, it finally finished or something. Ah, okay, there you go. It just created. Okay, so that had me worried. I was like, oh no. Like the TLS handshake error freaked me out for a second, but yeah, maybe it was trying like older versions or something, who knows? So, one more thing that's going to pop up here is the MCG is going to write its master key here as well. Oh, so the Multicloud Gateway will just... It will show up. I think it, yeah, it comes in towards the end. So, we can go ahead and look at some stuff in here. So, let's go... So, Rook, Ceph, OSD encryption key. And it tells you which OSD it's for. Ta-da! Like, wanna see it? Ta-da! Wow! That's it. That's like the big deal. So, let's see if... So, how do you verify from the cluster side that it's encrypted? Oh! What would you be looking for? Oh, yeah, yeah, yeah. So, okay. So, this is actually in the document. We actually get on the node and take a look. Okay, cool. Let's do that. Yeah, yeah, yeah. Absolutely. So, we're going to do... What is it? Debug? Right? Node. Yeah, that's a lot. Let's pick a worker node. And we'll do an expansion. That's really nice to see, too. Just to see the keys. Like, you don't have to mess with them anymore. It just does it. Okay, give it a second. All right. Ta-da! So, let's look at our block devices. Here you go. Type. Wow! Yeah! Oh! Yeah! You don't have to do anything. Like, in that sense, it's really easy. Right. It's like, click a button and it goes off and does it. Now, your keys are safely stored in Vault outside of the cluster. You've got your encrypted device. Life is good. Life is good. And you want to see it expand. You can expand if you want. Also, this isn't... I'm not doing anything that's not in the document. So, if I'm going too fast or whatever, you can always refer back to the document. But, let's... Let me make this small so I can do this here. 
Oh, this still says progressing. Is that... It's not. It's ready. Yeah, I was about to say refresh that page. So, here, let's expand. Let's add some capacity. All right. And what I want to see is... I just want to see more keys. It'll come. Yeah, I know. Let's say. Now we know to be patient. Create the disk. Then encrypt the disk. It's doing its thing. And we are using a cloud service. So, you know, we are kind of bound to their service delivery numbers. There we go. There it is. All right. Awesome. So, that's kind of... That's kind of it for what's GA now. So, you can do this today in your production cluster. Notice that if you're in an earlier version and when you go to 4.6, it's not an upgrade path, right? It's an install path. So, I just want to make sure I point that out. So, if you... Could you elaborate on that a little bit? What? Can you elaborate on that for a little bit, right? Yeah. So, remember at the top... Okay. So, you're not just going to go in and say, upgrade the operator and then everything's going to magically do this. And that option to encrypt was only when you were doing the install. Right. So, if you have an already installed ODF, how would you... Like, not asking you to demo it, but can you add encryption after the fact? Not that I... No. Yeah. It's a fundamental change. Yeah. At least that's what I've seen so far. If someone else knows better, please tell me. And there are some other things you should... that you have to be aware of. They were... The PV feature encryptions are RBD only until they're waiting on some upstream stuff to make them a CephFS encryption as well for PV. And, oh, there are no... There's no cloning and snapshotting with encryption. Oh. Yeah. So you have to think about it. I mean... Yeah, like... Yeah. This is here. There's... I think it's mentioned up high actually. Hang on a second. I just want to make sure... I'm going to search for it. Clone. There's a... Yes. It's actually mentioned here somewhere.
I remember seeing this. It was kind of like the few gotchas. Okay. You're not doing snapshotting it. And they're just not available yet, right? I would assume that at some point later on it would be available given that you have the keys stored in an external KMS and you can get access to them, but not right now. So you have to be mindful of that. And let's see. Any questions? Does anyone want to go back to anything in particular? Yeah. If anybody wants to review a step or go back over something, please let me know. When you go through this document... So we did three. Two point forward to here. And then we did cluster wide at rest encryption. We did these pieces. We just expanded the cluster. If you go on and do... Certainly we can do persistent volume at rest and do that maybe next time. And because it is tech preview and all that stuff. And then test out an application and what have you. And then there's a full CLI deployment here. It's just wonderful. Anything you need, it's all right here. It's really well done. I encourage everyone to do this part as well. And at the very bottom, you have this. So now you can do these in different pieces. So here in four, you have... From the very paranoid, as you mentioned, if you want to do cluster wide encryption, then in addition, do application PV encryption. You can do both. Just keeping in mind that one is tech preview. One is tech preview. No idea when that will go. GA sometime in the future. Maybe don't hold me to it. Yeah. So. Okay. Do you have any questions? You want to go back and see something? Do I know? Yeah. Like, did that make sense? I mean, it made sense to me. You know, my knowledge of line up to my knowledge of ODF. I almost said it. I mean, this is really straightforward. Right? I mean, I understand that encryption is not straightforward. To anybody, but like, you know, math nerds and super geniuses or whatever, right? Like, I get it. 
There's encrypted, unencrypted, all that fun stuff, but like applying keys and all that, like this documentation is really good. Your team. Wonderful training. Yeah. I really like it. Like it's like a wonderful training document. It's really, really good. Yeah. It's fantastic. Anything you want to know. It's right here. So if there are no questions, can I talk about some of the access.redhat.com stuff? Absolutely. Okay. All right. Switching gears. Is there a cluster is going on? Okay. So hopefully this is familiar to everyone. This is our, this is the ODF. And we have not rebranded yet. It's coming. But this is the ODF. We talked about that last episode, how the release cadence name change is kind of catching up. Right. To the actual name change, right? Like. Yes. All the stuff. To rebrand. Yeah. Yeah. It's an effort. Also all of our current customers know from OCS. They know from OpenShift Container Storage. So it might be confusing. If you come here and you say, see something completely different. All of a sudden. Right. So yeah. So I don't know how they manage that, but they do somehow manage this nice name change as we go. So right now this is still the OpenShift Container Storage access page. And there are a couple of things I wanted to bring to people's attention. And one of them is. You can request a workshop. You can request a two hour workshop. Someone like me will run it with you. We'll go. And just so you know, we give you a cluster to test with. We get together on and have a meeting on phone. And we will go through. Ha, ha, ha. Something like this general deploy and use. And we go, it's, it's really wonderful. Like we just go through it all PVC, cloning and smashing stuff that you and I have done, but in a big two hour workshop where. People, clients can come in just like mess things up.
And then I'll have to worry about anything in their own environment. So that's what this, literally this general deploy and use maps to this workshop. Nice. So a question from frequent watcher, Rapscallion Reeves. Can you give a quick one. No sentence reason for the name change. I'll give you two sentences. How about that? And, and I can explain part of it. After you do your piece. Right. Like. What we were talking about before the show started. I can mention that. Now. If you remember. Well, so. One sentence reason why the name change. Because it's more than storage. Right. Exactly. Yeah. There's a lot of, you know, you know, the data science. Right. And. There's more to data than just storing it. Right. There's. There's actual use of that data called data science. Right. And. After some conversations with some folks this week, we are going to have some data scientists coming on the channel. Probably after the Fourth of July, just the way everything works out. Yeah. You know, scheduling wise. I don't want to put them on a show where everybody's off that week or whatever. That kind of deal. But the. The. Data science team has agreed to come on the show and do some AI/ML with us. And I can't wait to learn more about that because that's the space that I've always been super curious about. Never had enough time to dive in. And also I'm really bad at math. So. Like it's a little intimidating. Yeah. I think it'll be. So, so now like, you know, the, we're expanding out into trying to think of storage as a service and data science. Does the name OpenShift Container Storage still make sense in, in that context? I think that's. To me, it does not. Right. Like. But. I'm curious if the audience thinks that makes sense. Rapscallion or is what do you think. And there's like a seven second delay. And then he has. Okay. Yeah. Seven seconds. Okay. And then also I think.
I do think that storage teams are more and more required to think like services. Right. Offering. There's been a fundamental shift, right? So you have your, your team that's responsible for your appliances and how all of those other stuff, but they, they slowly. They're writing code. They're doing stuff in open shift and Kubernetes. It's sort of, their world has changed and we're, we're trying to change with them and anticipate their needs. Right. So that's how I see it anyway, but. Yeah. Yeah. Any, any response or did they think it was a good match? Yeah. It's better than calling it. He said, he says. He thinks it makes sense. Yeah. So yeah, like data as a service. Like that. As a service. Yeah. Yeah. It's kind of a. Okay. So, so maybe you can ask them like. As part of this. Page. We have to start conveying that. Right. We have to start getting people to think of this. As, you know, a foundation and services. So we try the usual stuff over here. Documentation and what have you. And, and what's new. That kind of like what recent KCS articles and things like that. But as you go further, I, today, I want to talk about the knowledge tab. And I'm. We're trying to think about what our customers would want to see here. So I love to watch the, the scale testing to 10 billion objects. Demo. And I'm interested in what people think about the. Articles blogs and demos that are presented under these two topics. As you know, so performance and disaster recovery are kind of hot for us, but there might be other topics you would want to see. And just know we have a ton of content. I mean, a ton. So we can present it to you in a very digestible way, where you can look down the list. I'm interested in, and what our audience would like to see. In addition to. So the paradigm shift towards storage plus data science really makes sense, especially because we can basically. Because we got storage figured out. Right. So, you know, like. It's like it is a foundational step. Right. 
You have to put the data somewhere. It has to live somewhere, but then you do things on top of it. Or with it. And. Right. Pushing those workloads and having people think more holistically about their data is. Important, right? Like. I know that Kubernetes is great at those 12 factor apps, right? Like, you know, stateless, all that fun stuff, but. State matters, right? Like state exists. Your business has state. Your business is states, right? Like. You still have to worry about disaster recovery and stuff like that. That hasn't gone away. No. You might change how you do it, but it hasn't disappeared. The need for it hasn't disappeared. And in question. So there's data security, like, so it's, it's. Oh, those old topics coming back up. It still have to be addressed, but now we want to address them. Better in the way that we do it and manage through OpenShift and, and the whole console integration. The metrics are also included that kind of stuff more. It's more, but you said it's more holistic. For sure. Yeah, totally. Yeah. Yeah. Great show today. I think this is a great demo. Great run through, right? Like if you need. Yeah. Yeah. Yeah. Of course. Yeah. It's not like, yes, the concepts are hard to grasp, but once you've grasped them, Vault makes a lot of sense to you in this case, right? Like, yeah. So if you want to see, like for me, that 10 billion object challenge, right? Like that sounds awesome, right? Like I would love to see that happen. I don't know how long that takes though, right? Like, is that like something we need to schedule extra time for? Let me know. We can do that. But yeah, getting to 10 billion objects and like a regular just cluster with ODF. I think regular cluster, meaning like six or seven nodes or whatever, right? Like a normal. Can we do this on your cluster? Can we do this on my cluster at home? I don't know if I have it. Oh God. We like when we auto scale. Right? Your cluster to its knees. Yeah. No, we could totally do that.
So question. What are the, do the hardware requirements change from OCS to ODF? I don't think so, right? No. Okay. Yeah, you still need the, the worker nodes that are, you know, you know, designed to handle the load of. Yeah. And you still have the same design decisions too, right? Like, are you going to, like, I think we did, um, we added capacity and we just added more less teams, but, you know, you might have a scenario where you have to, um, add more volumes to the standing than the infra nodes you have. Like you, same design decisions. Yeah. I don't think you changed that. Yeah. I don't think it changes much other than you now have your key stored in an external, uh, Vault. So. Yeah. Yeah. Which should be, you know, nicely tucked away in a VPC that no one else can get to, right? The same with your clusters. Uh, speaking of some report, I forget who I think it was Qualys, one of the security teams out there said that there was over 10,000 or 50,000, some ridiculous number of just exposed Kubernetes APIs. On the internet. So please don't be one of those people. Please, please, please hide your APIs behind something. Right. Like. I want to expose those publicly. It's dangerous. Yeah. Unless you're doing a demo for open. Right. There is that. Demos are one thing. I don't think there's 50,000 demos laying around the internet. Oh, that's something. So yeah. No, but great show. Great demo. Yeah, I want to like scale it. That's, that's what I want to see. I want to see the scale up. I'm just have data on it. Monster. As a result. Yeah. Yeah. Yeah. Like let's fill the disk up with stuff and see what happens. Right. We can do. It may be something like, let's break some stuff and then fix it. Oh, you know, I love to break something like that. Maybe we can start it and then you can see, like, we can do it. Yeah. So the show can start towards the ends, right?
So we're not waiting for something. We'll do. Yeah, yeah, yeah. Like, let's, let's have it. Kind of like, you know, hey, we've done this, like, just like you did today, done these parts already. Yeah. Now we're going to make this thing blow up. Yes. Have fun. Yes. Yeah. Awesome. So audience, let me know. As always, you can reach me at short at redhat.com. And we have our Discord server as well. I am ChrisShort on Twitter with two S's. Michelle, do you have any social or anything that people can reach you at that you want to share? No, is a fine answer. But yeah, like the, if you have any questions, feel free to send them my way. I'll get them forwarded to the right people. Even though I'm really kind of slow at email, I will get you the answer. I promise. But coming up next on the channel today is we have an In the Clouds episode with the one and only Priyanka Sharma from CNCF. So that'll be a good episode to watch. DevNation. The show is today. And GitOps Guide to the Galaxy is today. So it's a wonderful day here on the channel. And please tune in for our other shows as you see them. And if you're watching this after the fact, go to the OpenShift YouTube page, check out our playlist for all the shows that they are there. And when in doubt, OpenShift TV is the place to go. So thank you, Michelle. Thank you, audience. Nice to see you. Yeah, likewise. Thanks to the audience. Yeah. And we will see y'all here in about an hour or so. Stay safe out there.