
IMPORTANT NOTE: This site is not official Red Hat documentation and is provided for informational purposes only. These guides may be experimental, proof of concept, or early adoption. Officially supported documentation is available at docs.openshift.com and access.redhat.com.

Using Group Sync Operator with Azure Active Directory and ROSA/OSD

Steve Mirman

8 November 2021

This guide focuses on how to synchronize Identity Provider (IDP) groups and users after configuring authentication in OpenShift Cluster Manager (OCM). For an IDP configuration example, please reference the Configure Azure AD as an OIDC identity provider for ROSA/OSD guide.

To set up group synchronization from Azure Active Directory (AD) to ROSA/OSD you must:

  1. Define groups and assign users in Azure AD
  2. Install the Group Sync Operator from the OpenShift Operator Hub
  3. Create and configure a new Group Sync instance
  4. Set a synchronization schedule
  5. Test the synchronization process

Define groups and assign users in Azure AD

To synchronize groups and users with ROSA/OSD, they must first exist in Azure AD.

  1. Create the groups to synchronize with ROSA/OSD if they do not already exist

    [Screenshot: Azure AD Groups]

  2. Create user IDs to synchronize with ROSA/OSD if they do not already exist

    [Screenshot: Azure AD Users]

  3. Assign the newly created users to the appropriate group

    [Screenshot: Azure AD add user to group]

Install the Group Sync Operator from the OpenShift Operator Hub

  1. In the OpenShift Operator Hub find the Group Sync Operator

    [Screenshot: Group Sync in Operator Hub]

  2. Install the operator in the group-sync-operator namespace

    [Screenshot: Group Sync installation]

Create and configure a new Group Sync instance

  1. Create a new Group Sync instance in the group-sync-operator namespace

    [Screenshot: Group Sync instance]

  2. Create a new secret named azure-group-sync in the group-sync-operator namespace. For this you will need the following values:
    • AZURE_SUBSCRIPTION_ID
    • AZURE_TENANT_ID
    • AZURE_CLIENT_ID
    • AZURE_CLIENT_SECRET
  3. Using the OpenShift CLI, create the secret in the group-sync-operator namespace using the following format:

     oc create secret generic azure-group-sync \
     -n group-sync-operator \
     --from-literal=AZURE_SUBSCRIPTION_ID=<insert-id> \
     --from-literal=AZURE_TENANT_ID=<insert-id> \
     --from-literal=AZURE_CLIENT_ID=<insert-id> \
     --from-literal=AZURE_CLIENT_SECRET=<insert-secret>
    
  4. Using the example below, customize the YAML to match your Azure AD group names and save the configuration

    [Screenshot: Instance YAML modification]

    Sample YAML:

     apiVersion: redhatcop.redhat.io/v1alpha1
     kind: GroupSync
     metadata:
       name: azure-groupsync
       namespace: group-sync-operator
     spec:
       providers:
         - name: azure
           azure:
             credentialsSecret:
               name: azure-group-sync
               namespace: group-sync-operator
               key: AZURE_CLIENT_SECRET
             groups:
               - rosa_admin
               - rosa_project_owner
               - rosa_viewer
       schedule: '* * * * *'
    
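A flattened copy of the YAML above is easy to mis-nest (the secret reference or the provider name ends up as a sibling of the azure block instead of inside it), and the operator will then have nothing to authenticate with. The following is an added example, not part of this guide or of the group-sync-operator project, that checks the structure the guide's sample relies on before you run oc apply: a named provider, an azure.credentialsSecret with name and namespace, an explicit groups list, and a five-field cron schedule. It works on the plain dict that yaml.safe_load (PyYAML) produces from the saved file; the two sample manifests embedded in it are constructed for the example.

```python
"""Structural check for a GroupSync manifest before it is applied.

Added example; it is not part of this guide or of the group-sync-operator
project.  The checks encode only what the guide's sample relies on: a named
provider, an azure.credentialsSecret that points at the secret created in the
previous step, an explicit groups list, and a five-field cron schedule.
"""
import re

# Coarse per-field syntax check: digits, '*', ',', '/', '-' (no names or macros).
CRON_FIELD = re.compile(r"^[\d*,/-]+$")
REQUIRED_SECRET_KEYS = ("name", "namespace")


def validate_groupsync(manifest: dict) -> list:
    """Return a list of problems; an empty list means the manifest looks sound."""
    problems = []
    if manifest.get("apiVersion") != "redhatcop.redhat.io/v1alpha1":
        problems.append("apiVersion must be redhatcop.redhat.io/v1alpha1")
    if manifest.get("kind") != "GroupSync":
        problems.append("kind must be GroupSync")
    spec = manifest.get("spec") or {}
    providers = spec.get("providers") or []
    if not providers:
        problems.append("spec.providers is empty")
    for i, provider in enumerate(providers):
        where = "spec.providers[%d]" % i
        if not provider.get("name"):
            problems.append(where + ".name is missing")
        azure = provider.get("azure")
        if not isinstance(azure, dict):
            problems.append(where + ".azure is missing")
            continue
        secret = azure.get("credentialsSecret")
        if not isinstance(secret, dict):
            secret = {}
        for key in REQUIRED_SECRET_KEYS:
            if not secret.get(key):
                problems.append(where + ".azure.credentialsSecret." + key + " is missing")
        if not azure.get("groups"):
            problems.append(where + ".azure.groups is empty; list the groups to sync explicitly")
    schedule = spec.get("schedule")
    if schedule is not None:
        fields = str(schedule).split()
        if len(fields) != 5 or not all(CRON_FIELD.match(f) for f in fields):
            problems.append("spec.schedule must be a five-field cron expression")
    return problems


# Constructed sample mirroring the guide's manifest (dict form of the YAML).
GOOD_MANIFEST = {
    "apiVersion": "redhatcop.redhat.io/v1alpha1",
    "kind": "GroupSync",
    "metadata": {"name": "azure-groupsync", "namespace": "group-sync-operator"},
    "spec": {
        "providers": [
            {
                "name": "azure",
                "azure": {
                    "credentialsSecret": {
                        "name": "azure-group-sync",
                        "namespace": "group-sync-operator",
                    },
                    "groups": ["rosa_admin", "rosa_project_owner", "rosa_viewer"],
                },
            }
        ],
        "schedule": "* * * * *",
    },
}

# Constructed sample with the nesting mistake a flattened YAML copy produces:
# the secret reference lost its fields and groups became a sibling of azure.
BAD_MANIFEST = {
    "apiVersion": "redhatcop.redhat.io/v1alpha1",
    "kind": "GroupSync",
    "metadata": {"name": "azure-groupsync", "namespace": "group-sync-operator"},
    "spec": {
        "providers": [
            {
                "azure": {"credentialsSecret": None},
                "name": "azure",
                "groups": ["rosa_admin"],
            }
        ],
        "schedule": "* * * * *",
    },
}


if __name__ == "__main__":
    for label, manifest in (("good", GOOD_MANIFEST), ("bad", BAD_MANIFEST)):
        print(label, validate_groupsync(manifest) or "OK")
```

To run it against your own file, load it with yaml.safe_load and pass the resulting dict to validate_groupsync; fix every reported problem before oc apply.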

Set a synchronization schedule

The Group Sync Operator provides a cron-based schedule parameter that specifies how often groups and users are synchronized. It can be set in the instance YAML during initial configuration or changed at any time afterwards.

The setting schedule: '* * * * *' in the sample above results in synchronization occurring every minute.

Test the synchronization process

  1. Check to see that all the groups specified in the configuration YAML file show up in the ROSA/OSD Groups list

    [Screenshot: Groups added]

  2. Validate that all users specified in Azure AD also show up as members of the associated group in ROSA/OSD

    [Screenshot: Users added]

  3. Add a new user in Azure AD and assign it to the admin group

    [Screenshot: New user added]

  4. Verify that the user now appears in ROSA/OSD (after the configured synchronization interval has elapsed)

    [Screenshot: New admin added]

  5. Now delete a user from the Azure AD admin group

    [Screenshot: Delete admin user]

  6. Verify the user has been deleted from the ROSA/OSD admin group

    [Screenshot: Verify admin user deleted]
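The six checks above are done by eye in the console. The following is an added example, not part of this guide or of the group-sync-operator project, that performs the same comparison from the CLI: it reads the JSON that oc get groups -o json prints, compares each cluster Group against the membership you expect from Azure AD, and reports groups that never appeared, members that are missing, and stale members (users removed from Azure AD who are still in the cluster group until the next sync runs). The expected membership and the oc output embedded below are constructed for the example; the user identifiers are assumed to be the usernames your cluster's Azure AD identity provider maps (UPN-style here), which must match what the operator writes into the Group objects.

```python
"""Compare expected Azure AD group membership with the cluster's Group objects.

Added example; it is not part of this guide or of the group-sync-operator
project.  Input is the JSON printed by `oc get groups -o json`; the sample
below is constructed, not captured from a cluster.
"""
import json
import sys

# Membership you expect after sync (constructed to match the guide's groups;
# the usernames are assumed to be what the cluster's Azure AD IDP maps).
EXPECTED = {
    "rosa_admin": {"alice@example.com", "bob@example.com"},
    "rosa_project_owner": {"carol@example.com"},
    "rosa_viewer": {"dave@example.com"},
}

# Constructed stand-in for `oc get groups -o json`: rosa_viewer has not been
# created yet, and rosa_admin still lists a user already removed in Azure AD.
SAMPLE_OC_OUTPUT = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"apiVersion": "user.openshift.io/v1", "kind": "Group",
         "metadata": {"name": "rosa_admin"},
         "users": ["alice@example.com", "bob@example.com", "erin@example.com"]},
        {"apiVersion": "user.openshift.io/v1", "kind": "Group",
         "metadata": {"name": "rosa_project_owner"},
         "users": ["carol@example.com"]},
    ],
})


def cluster_groups(oc_json: str) -> dict:
    """Map group name -> set of members from `oc get groups -o json` output.

    An empty Group is serialized with users: null, hence the `or []`.
    """
    doc = json.loads(oc_json)
    return {g["metadata"]["name"]: set(g.get("users") or []) for g in doc["items"]}


def compare_membership(expected: dict, actual: dict) -> dict:
    """Report drift between expected (Azure AD) and actual (cluster) membership."""
    report = {"missing_groups": [], "missing_users": {}, "stale_users": {}}
    for group, want in expected.items():
        if group not in actual:
            report["missing_groups"].append(group)
            continue
        have = actual[group]
        if want - have:
            report["missing_users"][group] = sorted(want - have)
        if have - want:
            # Still present in the cluster although no longer expected: the
            # window of access between an Azure AD removal and the next sync.
            report["stale_users"][group] = sorted(have - want)
    return report


def sync_is_clean(report: dict) -> bool:
    """True when every expected group exists with exactly the expected members."""
    return not (report["missing_groups"] or report["missing_users"] or report["stale_users"])


if __name__ == "__main__":
    # Usage on a cluster:  oc get groups -o json > groups.json
    #                      python3 check_sync.py groups.json
    # Without an argument the constructed sample above is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OC_OUTPUT
    result = compare_membership(EXPECTED, cluster_groups(text))
    print(json.dumps(result, indent=2))
    sys.exit(0 if sync_is_clean(result) else 1)
```

Run it once after the first sync and again after each of the add-user and delete-user tests; a non-zero exit between sync runs is expected until the schedule interval has passed, and a stale entry that persists beyond that interval points at the operator's credentials or group filter rather than at Azure AD.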