# README
OpenShift Azure AD Sync
The purpose of the code in this repo is to demonstrate how a set of Azure AD groups and their associated users can be synced into the OpenShift Groups running on an OpenShift cluster.
Azure AD
Follow the MS Graph Get access without a user documentation to understand how to create the Azure AD Client ID and Secret that are used by this controller.
Deploy
The AADGroupSync CRD and RBAC yaml in the kubernetes folder must be deployed before the controller will operate correctly.
AADGroupSync.crd.yaml
AADGroupSync.rbac-roles.yaml
AADGroupSync.rbac.yaml
The aadsync-controller binary is best deployed as a CronJob on a schedule that is suitable.
Autogenerated Code
The .sh scripts in the hack folder are used to autogenerate client and api code to handle the CRDs. This code is generated via the Kubernetes code generator k8s.io/code-generator, which is Apache 2.0 licensed.
The autogenerated code is in the pkg/aadsync/apis and pkg/aadsync/client folders and also Apache 2.0 licensed.
Exclusions
A controller that watches the aadgroupsyncs.aad.microsoft.com CRDs for changes and then pushes those changes to OpenShift Groups is not included in this repo.
Testing - Locally
You can test the controller locally, but need to ensure the following steps have been followed:
The following aadsyncClient lines must be uncommented:
# cmd/aadsync-controller/aadsync-controller.go
38: aadsyncClient := aadsyncclient.NewClientForLocal(controllerConfig.Namespace, log)
You will need controller config file location set via AADSYNC_CONTROLLER_CONFIGFILE environment variable. Here is an example of the controller config file.
# AzureAD Sync Controller Config
namespace: "openshift"
groups:
- "464e7cdd-b431-4e49-9aa7-8c6ef24c9dbc"
- "ca65a5de-3ca5-474a-8fc5-bee95dd3e335"
You will need the following environment variables set so that the controller can access the MS Graph API:
AZURE_TENANT_ID
AZURE_CLIENT_ID
AZURE_CLIENT_SECRET
You can test retrieving an Azure AD token for accessing the MS Graph API as follows. This will ensure that you have the correct values set in your environment variables.
curl -d "client_id=$AZURE_CLIENT_ID&scope=https://graph.microsoft.com/.default&client_secret=$AZURE_CLIENT_SECRET&grant_type=client_credentials" -H "Content-Type: application/x-www-form-urlencoded" -X POST https://login.microsoftonline.com/$AZURE_TENANT_ID/oauth2/v2.0/token
You will need the following environment variables set so that the controller can access the Kubernetes API:
KUBERNETES_SERVICE_HOST
KUBERNETES_SERVICE_PORT
KUBERNETES_SERVICEACCOUNT_TOKENFILE (Found incluster at /var/run/secrets/kubernetes.io/serviceaccount/token)
KUBERNETES_SERVICEACCOUNT_ROOTCAFILE (Found incluster at /var/run/secrets/kubernetes.io/serviceaccount/ca.crt)
Testing - In Kubernetes
The following aadsyncClient lines must be uncommented:
# cmd/aadsync-controller/aadsync-controller.go
39: aadsyncClient := aadsyncclient.NewClient(controllerConfig.Namespace, log)
You will need controller config file mounted at the following location in the container:
/etc/aadsynccontroller/config.yaml
Here is an example of the controller config file.
# AzureAD Sync Controller Config
namespace: "openshift"
groups:
- "464e7cdd-b431-4e49-9aa7-8c6ef24c9dbc"
- "ca65a5de-3ca5-474a-8fc5-bee95dd3e335"
You will need the following environment variables set so that the controller can access the MS Graph API:
AZURE_TENANT_ID
AZURE_CLIENT_ID
AZURE_CLIENT_SECRET
Run aadsync-controller binary with loglevel flag
aadsync-controller --loglevel debug
aadsync-controller --loglevel info
aadsync-controller --loglevel error
Debug prints out sensitive details for debugging ...
Contributing
This project welcomes contributions and suggestions. You can read more about how to contribute in the Contributing Guidelines
Code of conduct
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.