DevConf.US 2022

JSON Web Tokens (JWTs) became widely used in authentication processes to transfer information in a JSON format while ensuring data integrity. However merely using a JWT is not enough to ensure your information is handled in a secure way. As a result of JWT's simplicity, it is easy to change the configuration or misuse the data that is sent, thus creating a potentially vulnerable application while thinking it is totally secure.
This talk will explain what JWTs are and how to avoid common security mistakes when using them. We will discuss proper token validation, settings that disable the JWT signature and should be avoided, and what information should not be sent when creating JWTs.

Containers are one of the driving forces supporting many modern cloud native applications, and thanks to its ease of distribution within container registries, container images have become one of the most popular packaging formats in use. Registries have become the backbone for anyone making use of containers as they play a role in not only the development, but more importantly, the deployment of containers. However, we have only scratched the surface of what container registries can provide.

Approaches defined within the Open Container Initiative (OCI) and implementations, such as the ORAS project, have enabled additional content types, like Helm charts and image signatures, to be stored within OCI compliant registries. But, this is just the beginning of the possible integrations OCI based registries can provide.

In this session, attendees will learn how container registries have evolved from serving only container images to enabling the distribution of varying content types and the opportunities that they have provided for managing content within OCI registries.

Specifically, attendees will:

• Learn how container registries have evolved to support additional content types beyond container images.
• Review common artifact types stored in container registries.
• Comprehend the format and structure of content stored in container registries.
• See how container registries can serve any content to a consumer based on attributes within the OCI manifest.
• Understand the potential integrations and opportunities provided by these capabilities.

FetchIt is a research project with the aim of remotely managing fleets of small devices. There are plenty of GitOps tools such as ArgoCD that allow for lifecycle management of containers running on Kubernetes. Wouldn’t it be great if there was a GitOps tool for the lifecycle management of containers on systems without the need for Kubernetes? Sometimes, Kubernetes is so much more than what is needed! Sometimes, all you need is a single pod to run your critical applications and anything else is overkill! What if your system lacks the resources to run Kubernetes! Or, what if your devices require remote-only management?

Enter FetchIt. FetchIt is a tool for remotely managing workloads with Git and Podman, and without requiring Kubernetes. Podman provides a socket to deploy, stop, and remove containers. This socket can be enabled for regular users without the need for privilege escalation. Combining Git, Podman, and Systemd, FetchIt offers a complete solution for remotely managing machines and automatically updating systems and applications. Since the instructions for FetchIt can also be managed through a Git repository, a system running harpoon can be remotely managed from the start. This session will walk the audience through the different features of FetchIt. The audience will learn how to manage containers, pods, and other files on remote machines with FetchIt and a periodic push to Git repositories.

Establishing and improving SRE practices is hard. That is why we established a special interest group (SIG) within Red Hat: SIG-SRE. The SIG is dedicated to collecting and sharing the best SRE practices to help new and existing SRE teams level up. The SIG contributes to Operate First, which is a concept to incorporate operational experience into software projects both inside and outside Red Hat.

In this session we will focus on one of the the SIG's areas of interests: Service Level Objectives (SLOs). Join us for a review of what's worked, what hasn't worked as the SIG tries to elevate the SLO practice for teams inside Red Hat.

One Platform (https://github.com/1-Platform/one-platform) is an open-source ecosystem that powers developers for the Single Page App development and provides hosting of the app with the powering with of opensource technologies. One Platform powers the developers to integrate the major pillars of the SPA development process like

1) Feedback Framework
2) App Management Framework
3) Web component Support
4) Performance tuning
5) Notification Framework
6) Search Framework
7) Infrastructure Support

This framework fastens the development process and easify the life of an app developer. The process of development with One Platform is Framework independent. All Technologies like (React, Angular, Vue...etc) are supported. One Platform Acclelarates the development process and creates new experiences for the developers. This super-powered technology is an awesome one for app development and delivery experiences.

In this session I will be talking about how to develop your app with one platform with the mentioned features above I will be demonstrating with the process with the demo.

The rise of ubiquitous and easy-to-use data science frameworks, programming languages, and IDEs has led to a vast expansion in the number of people participating in the software development process. This increased quantity of "cooks in the kitchen," many of whom may not have been formally trained in software engineering, creates additional opportunities for bugs, performance bottlenecks, and security vulnerabilities to enter the software development pipeline. Traditionally, many of these issues aren't noticed until the quality assurance phase (if at all), slowing down the development process and increasing the risk of exploitable bugs surviving into production.

To help address this issue, we're developing the real-time quality assurance (RTQA) framework. RTQA is an open-source plugin framework for Jupyter-based IDEs that provides code feedback to developers and data scientists in real-time during the development or experimentation phases. This feedback includes warnings about outdated dependencies, security vulnerabilities, suboptimal configurations, and performance bottlenecks — allowing IDE users to catch bugs long before their code reaches the QA phase. RTQA is also designed to be easily extensible, meaning software engineering researchers can quickly develop, trial, and gather feedback on the latest innovations in real-time code analysis. In this session, we will discuss the architecture of RTQA, demonstrate its latest features, and show attendees how they can use and contribute to the framework.

Getting people to think about computation is just as important as teaching coding. At work I started a coding basics series for creative designers for our own digital transformation strategy. I realized that if I don’t explain to people about computational thinking then then coding won’t make much of a difference to them. This talk will review how a group of designers with zero coding experience were brought into computational thinking and how that enabled them to use coding in their projects. Outline: * What is computational thinking * Why understanding computational thinking can help coding problem solving * How to bridge the gap of learning to code for creatives like designers * Establishing the thought process of sequential problem solving * Prepare people to understand how to abstract problems down into steps * Use visual aides and diagrams to help visual learners understand key concepts of computational thinking * Leading from abstractions to problem solving with simple patterns *With patterns people can build the basis for creating algorithms * Case study of how HMC Architects used computational thinking and learning * Company wide training for designers of diverse backgrounds * Goals of creating training to learn to code while being mindful of different learning styles * The results including how people were able to get a handle on coding due to computational thinking * Review Key points and lessons learned

Integration testing is a new challenge for developers to validate functionalities, features, and business requirements in a local development environment as it works exactly the same as the production using databases and messaging brokers based on containers and Kubernetes. It can be also a big roadblock to accelerating the inner and outer loop development lifecycle. To solve this challenge, you might think of Testcontainers, a framework to provide common lightweight test services like databases that can run on a container engine. But, developers still need to inject particular code and configurations into applications for enabling Testcontainers. What if the Java framework offers an out-of-the-box feature that automatically starts containers for the integration tests and developers don’t even need to configure anything since the container(e.g., Postgres, Kafka) is automatically wired to the cloud-native microservices. In this talk, we will explore Quarkus Dev Services for prod-like integration testing as well as live coding development while developers implement cloud-native microservices for PostgreSQL transactions and Kafka integration automatically with zero configurations.

How do you handle authentication and authorization in your API projects? Do you bake them as part of your application’s code?

It turns out that decoupling your application’s runtime auth layer to an external authorization service is a good practice that improves maintainability, scalability and performance, governance, among other aspects of the software process and operation. And there are secure and practical ways to do so. Even better when the tools you rely on are made for Kubernetes and the cloud context we all live in nowadays!

This talk will introduce one of the latest developments in API protection, sponsored by Red Hat, a general-purpose Kubernetes-native external authorization service, that pairs with Envoy Proxy's external authorization protocol for identity verification and authorization policy enforcement. We will walk you through the steps of protecting an API ecosystem or API mesh, for use cases such as of authentication and authorization based on JWTs and OpenID Connect, API keys, Kubernetes TokenReviews and SubjectAccessReviews (aka Service Account tokens and Kube RBAC), Open Policy Agent, and many other patterns and auth technologies, using one single tool.

It is not a proxy, it is not another Identity Provider/SSO server, it doesn’t involve changing your application’s code. At the same time, it’s clean, versatile, cloud-native, and of course it’s open source. It’s Authorino!

After this talk, you will feel comfortable to implement state of the art Zero Trust API security for your applications running on Kubernetes, by just writing a small piece of YAML code.

In this talk, we will present our vision of Micro Front-End architecture, the challenges related to the implementation of this paradigm, and the lessons learned in the experience of migrating a monolith of hundreds of thousands of lines of code, developed by 30+ developers distributed in 6 different teams, to micro front ends architecture.

We will also show many examples and implementation options and discuss BFFs, sync and async services, event bus, federated modules, and other opportunities for decoupling your front-end architecture.

Also, we will present how it was possible to decouple Drools and jBPM web applications and take the same 'micro front-end' to different media such as Web, Desktop, VS Code, and Chrome Extension without only a few changes to the source code.

In this session, we will build a fully-functional OpenAPI-compliant REST API using Quarkus, the supersonic, subatomic, Kubernetes-native Java stack. Starting at the database schema and moving up to the OpenAPI layer, we will create all the necessary component implementations and explain the libraries used including Flyway, JPA, Panache with Hibernate, MapStruct, RESTEasy, SmallRye OpenAPI, and more

In 2008 Amazon released their death star, a very complex graph of their MicroServices architecture. Twitter and Netflix released their own versions in 2015. The complexity and interconnectedness that was shown in those graphs highlight long-running challenges in microservices development that have been killing us for 15+ years. A world where Microservices is agile and code quality meets the needs of the business sounds amazing, but in reality managing, the complexities of typical Java programming standards and techniques is challenging to say the least

Following the success of the “10 Design Tips for Microservices Developers” talk at Red Hat Summit, DevConf.us, GovLoop, and Straight Talk for Government, this session will explore 10 Design Tips for Microservices Development with Java.

In this talk, we will explore the idea that the JVM and non-traditional Java programming techniques can be used to provide a compiler enforced JVM firewall that limits the undesirable traditional broad and public access given with typical Java development. We will funnel all requests into one well-known, tested, and validated access point. This technique will limit the amount of code we write and deliver great abstractions with robust and well-tested capabilities. What we cover aligns nicely with the principles of Domain-Driven Design, allowing you to simplify the typical 100s of artifacts in each of just a few packages. This talk will also explore ideas around telemetry and reporting on throughput. We will look at test-driven development and finish up with some specific items to consider when creating your microservices using this technique.

To round out the theory an example will be used. This example saves tens of hours and many decisions on how to get started with a recommended practice and some prebuilt scaffolding.

Are you curious about the dark magic behind the lock-free code in the kernel? Did you ever wonder when you need to use READ_ONCE and WRITE_ONCE calls? Are you confused about the role of smp_mb? If you said yes to any of these questions, then join me in this beginner tutorial about the memory barrier primitives of the Linux kernel!

There have been a number of advancements in both storage and the Linux boot process in recent years. This talk aims to take a look at the process for fully supporting Stratis, a userspace volume manager, in early boot. While many newer Linux storage solutions are kernel based, our process for early boot support can provide some insight into design recommendations, usability considerations, and best practices for userspace volume management code in early boot. This talk will primarily focus on how best to abstract complexity in the boot process for storage solutions and provide simple, usable interfaces for projects aimed at user experience while designing a robust systems solution. The audience will gain understanding with how to integrate a device mapper stack and daemon in early boot using Stratis root filesystem support.

One of the top priorities in every company nowadays is to ensure High Availability(HA) and Disaster Recovery in their services. Despite this emphasis, you can hear news almost every single day about businesses losing part of their revenue due to inoperative applications or outages! While moving applications to the cloud helps improve availability, additional modifications are needed to take full advantage of the cloud. If you are interested in learning more about how to support High Availability in your applications, join us in this talk as we walk through the process the Open Data Hub team went through to implement HA for the JupyterHub. We will also explain how to implement load balancing with Traefik for networking, and how to ensure only one HA instance is “actively” running via leader election. Finally, we will discuss some common traps as well as lessons learned.

UX designs that once were science fiction are now integral parts of our lives. Star Trek communicators became the first flip phones. HAL from 2001: A Space Odyssey navigates our cars and runs our kitchens. The Dick Tracy video wristwatch has morphed into Fitbits and smart watches.

As a UX writer, I notice that the UX designs in SciFi miraculously don’t require user guides. Frankly, you don’t see documentation in movies or on TV at all, unless it’s a joke about how difficult the instructions are to understand. That may be because SciFi interfaces are more stagecraft than good design, but I think there’s more to it. For one, the audience needs to understand what’s happening without any training. But also the artists that are designing these new user experiences are imagining the world that they want to live in, and that doesn’t include documentation.

Science Fiction in movies and television is the playground where artists can imagine new UXes that engineers and UX designers can some day make a reality. The best part of all this is that the designs on screen are open for everyone to see and experiment with. This talk is a deep dive into those SciFi UX designs with a focus on what they mean for our own futures and freedoms.

KEY TAKEAWAYS
This presentation explores how SciFi has influenced both past and current UX designs.

• The talk will shows lots of video clips and screenshots, so attendees can see UX designs from both older and recent media. I have gathered many examples and am excited to share them. 
• The talk teases out which UX designs are a byproduct of filmmaking and which are actually innovative design. 
• We’ll explore some of the more recent UX design trends in various media and investigate whether similar trends are already appearing in current designs. 

Attendees should leave this session feeling as if their brains have been opened up to new design possibilities.