OpenShift Azure AD Sync

The code in this repo demonstrates how a set of Azure AD groups and their associated users can be synced into the OpenShift Groups on an OpenShift cluster.

Azure AD

Follow the MS Graph "Get access without a user" documentation to understand how to create the Azure AD Client ID and Secret that are used by this controller.

Deploy

The AADGroupSync CRD and RBAC YAML files in the kubernetes folder must be deployed before the controller will operate correctly:

AADGroupSync.crd.yaml
AADGroupSync.rbac-roles.yaml
AADGroupSync.rbac.yaml

The aadsync-controller binary is best deployed as a CronJob on a suitable schedule.

Autogenerated Code

The .sh scripts in the hack folder autogenerate the client and API code that handles the CRDs. This code is generated with the Kubernetes code generator k8s.io/code-generator, which is Apache 2.0 licensed.

The autogenerated code lives in the pkg/aadsync/apis and pkg/aadsync/client folders and is also Apache 2.0 licensed.

Exclusions

A controller that watches the aadgroupsyncs.aad.microsoft.com CRDs for changes and then pushes those changes to OpenShift Groups is not included in this repo.

Testing - Locally

You can test the controller locally, but you need to ensure the following steps have been followed.

The following aadsyncClient line must be uncommented:

# cmd/aadsync-controller/aadsync-controller.go
38: aadsyncClient := aadsyncclient.NewClientForLocal(controllerConfig.Namespace, log)

You will need the controller config file location set via the AADSYNC_CONTROLLER_CONFIGFILE environment variable. Here is an example of the controller config file:

# AzureAD Sync Controller Config
namespace: "openshift"
groups:
- "464e7cdd-b431-4e49-9aa7-8c6ef24c9dbc"
- "ca65a5de-3ca5-474a-8fc5-bee95dd3e335"

You will need the following environment variables set so that the controller can access the MS Graph API:

AZURE_TENANT_ID
AZURE_CLIENT_ID
AZURE_CLIENT_SECRET

You can test retrieving an Azure AD token for accessing the MS Graph API as follows. A successful response confirms that the environment variables above hold the correct values.

curl -d "client_id=$AZURE_CLIENT_ID&scope=https://graph.microsoft.com/.default&client_secret=$AZURE_CLIENT_SECRET&grant_type=client_credentials" -H "Content-Type: application/x-www-form-urlencoded" -X POST https://login.microsoftonline.com/$AZURE_TENANT_ID/oauth2/v2.0/token
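The same token check in Go, as an added example that is not part of this repo's code: it performs the client-credentials request from the curl command above using only the standard library, and returns AAD's error and error_description when the credentials are rejected. The function and type names are this example's own, not the controller's.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// tokenResponse holds the fields of the AAD token reply the controller needs, plus AAD's error fields.
type tokenResponse struct {
	TokenType   string `json:"token_type"`
	ExpiresIn   int    `json:"expires_in"`
	AccessToken string `json:"access_token"`
	Error       string `json:"error"`
	ErrorDesc   string `json:"error_description"`
}

// tokenEndpoint is the v2.0 token URL for a tenant, the one the README's curl command posts to.
func tokenEndpoint(tenantID string) string {
	return "https://login.microsoftonline.com/" + url.PathEscape(tenantID) + "/oauth2/v2.0/token"
}

// fetchToken performs the client-credentials request from the README's curl command and returns the
// parsed reply, surfacing AAD's error and error_description on failure instead of a bare HTTP status.
// url.Values percent-escapes the secret, which raw shell interpolation into the curl body does not.
func fetchToken(ctx context.Context, c *http.Client, endpoint, clientID, clientSecret string) (*tokenResponse, error) {
	form := url.Values{"client_id": {clientID}, "client_secret": {clientSecret},
		"scope": {"https://graph.microsoft.com/.default"}, "grant_type": {"client_credentials"}}
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, endpoint, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	resp, err := c.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	var tr tokenResponse
	if err := json.NewDecoder(resp.Body).Decode(&tr); err != nil {
		return nil, fmt.Errorf("decoding token response (HTTP %d): %w", resp.StatusCode, err)
	}
	if resp.StatusCode != http.StatusOK || tr.AccessToken == "" {
		return nil, fmt.Errorf("token request failed (HTTP %d): %s: %s", resp.StatusCode, tr.Error, tr.ErrorDesc)
	}
	return &tr, nil
}
```

Call fetchToken with tokenEndpoint(os.Getenv("AZURE_TENANT_ID")) and the AZURE_CLIENT_ID and AZURE_CLIENT_SECRET values to reproduce the curl check; log only TokenType and ExpiresIn, never AccessToken.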

You will need the following environment variables set so that the controller can access the Kubernetes API:

KUBERNETES_SERVICE_HOST
KUBERNETES_SERVICE_PORT
KUBERNETES_SERVICEACCOUNT_TOKENFILE (found in-cluster at /var/run/secrets/kubernetes.io/serviceaccount/token)
KUBERNETES_SERVICEACCOUNT_ROOTCAFILE (found in-cluster at /var/run/secrets/kubernetes.io/serviceaccount/ca.crt)

Testing - In Kubernetes

The following aadsyncClient line must be uncommented:

# cmd/aadsync-controller/aadsync-controller.go
39: aadsyncClient := aadsyncclient.NewClient(controllerConfig.Namespace, log)

You will need the controller config file mounted at the following location in the container:

/etc/aadsynccontroller/config.yaml

Here is an example of the controller config file:

# AzureAD Sync Controller Config
namespace: "openshift"
groups:
- "464e7cdd-b431-4e49-9aa7-8c6ef24c9dbc"
- "ca65a5de-3ca5-474a-8fc5-bee95dd3e335"

You will need the following environment variables set so that the controller can access the MS Graph API:

AZURE_TENANT_ID
AZURE_CLIENT_ID
AZURE_CLIENT_SECRET

Run the aadsync-controller binary with the --loglevel flag:

aadsync-controller --loglevel debug
aadsync-controller --loglevel info
aadsync-controller --loglevel error

The debug level prints out sensitive details for debugging purposes.

Contributing

This project welcomes contributions and suggestions. You can read more about how to contribute in the Contributing Guidelines.

Code of conduct

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.