redhat-cop / group-sync-operator

Synchronizes groups from external providers into OpenShift
Apache License 2.0
110 stars 60 forks

i don't get ldap groups syncing #303

Closed ikke-t closed 6 months ago

ikke-t commented 7 months ago

Hi, I just added the operator, and the sync won't happen. I don't see any kinda job or cronjob. My ldap config is this:

apiVersion: v1
items:
- apiVersion: redhatcop.redhat.io/v1alpha1
  kind: GroupSync
  metadata:
    annotations:
    creationTimestamp: "2024-01-26T13:17:06Z"
    generation: 2
    labels:
      app.kubernetes.io/instance: group-sync-instance
    name: oauth-groupsync
    namespace: group-sync-operator
    resourceVersion: "813941"
    uid: cfa960b9-69f4-470b-957c-16601389cd0e
  spec:
    providers:
    - ldap:
        caSecret:
          key: ca.crt
          kind: ConfigMap
          name: ca-config-map
          namespace: openshift-config
        credentialsSecret:
          kind: Secret
          name: ldap-secret
          namespace: openshift-config
        insecure: false
        rfc2307:
          groupMembershipAttributes:
          - member
          groupNameAttributes:
          - cn
          groupUIDAttribute: dn
          groupsQuery:
            baseDN: cn=groups,cn=accounts,dc=cool,dc=lab
            derefAliases: never
            filter: (objectClass=ipausergroup)
            scope: sub
          tolerateMemberNotFoundErrors: true
          tolerateMemberOutOfScopeErrors: true
          userNameAttributes:
          - uid
          userUIDAttribute: dn
          usersQuery:
            baseDN: cn=users,cn=accounts,dc=cool,dc=lab
            derefAliases: never
            scope: sub
        url: ldaps://rh-idm-01.cool.lab
      name: ldap
    schedule: 0/15 * * * *

Any ideas what might be missing? I have this in via argocd, the operator and instance are defined here except for the secret, which is done manually:

https://github.com/RedHatNordicsSA/cool-lab/blob/main/ocp-configs/gitops/rh-ocpmgt/group-sync/instance/overlays/ldap/ldap-group-sync-patch.yaml

I know the ldap stuff works as my other helm configured clusters work fine. I'm trying to use this operator to automate it now.

➤ oc version
Client Version: 4.11.20
Kustomize Version: v4.5.4
Server Version: 4.14.9
Kubernetes Version: v1.27.9+5c56cc3

ikke-t commented 7 months ago

Andrew found the error. I had declared WATCH_NAMESPACES=openshift-config,group-sync-operator which broke it. I thought I needed to specifically add another namespace there to pull in the configMap from openshift-config for CA.

Setting it blank fixed it.

This text needs to be changed in addition to handling the list. It says the operator listens to only one group, whereas it actually listens to all by default:

By default, the operator monitors resources in the namespace that it has been deployed within. This is defined by setting the WATCH_NAMESPACE environment variable. Support is available for accessing ConfigMaps and Secrets in other namespaces so that existing resources may be utilized as desired.
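The thread conflates two separate things: the namespaces the operator watches for GroupSync objects (controlled by the WATCH_NAMESPACE environment variable) and the namespaces the referenced Secret/ConfigMap objects live in (cross-namespace references are supported without touching WATCH_NAMESPACE). The following offline lint, written here as an added example and not code from the issue or from the group-sync-operator project, embeds the manifest from the issue as a constructed dict and reports findings for a given WATCH_NAMESPACE value. It assumes that a blank value means all namespaces and a single name means only that namespace; since the thread reports that a comma-separated value broke syncing, the linter flags such a value rather than guessing how the operator parses it, and the "never reconciled" message for a GroupSync outside the watched set is a general operator-pattern assumption, not something the page states.

```python
# Added example, not code from the issue or the group-sync-operator project.
# Lints a GroupSync manifest against a WATCH_NAMESPACE value, keeping apart
# (a) where the operator looks for GroupSync objects and (b) where the
# Secret/ConfigMap objects it references live.
# Assumptions (not stated on the page): "" means all namespaces, a single
# name means only that namespace, and a CR outside the watched set is not
# reconciled. A comma-separated value is flagged because the issue reports
# that configuration stopped syncing.

from typing import Optional

# Constructed from the manifest pasted in the issue (only fields the lint reads).
GROUPSYNC = {
    "apiVersion": "redhatcop.redhat.io/v1alpha1",
    "kind": "GroupSync",
    "metadata": {"name": "oauth-groupsync", "namespace": "group-sync-operator"},
    "spec": {
        "schedule": "0/15 * * * *",
        "providers": [
            {
                "name": "ldap",
                "ldap": {
                    "url": "ldaps://rh-idm-01.cool.lab",
                    "insecure": False,
                    "caSecret": {"kind": "ConfigMap", "name": "ca-config-map",
                                 "namespace": "openshift-config", "key": "ca.crt"},
                    "credentialsSecret": {"kind": "Secret", "name": "ldap-secret",
                                          "namespace": "openshift-config"},
                },
            }
        ],
    },
}

# Provider fields that hold a reference to another Kubernetes object.
REF_FIELDS = ("caSecret", "credentialsSecret")


def watched_namespaces(watch_env: str) -> Optional[set]:
    """Return None for 'all namespaces' (blank value), else the set of names given."""
    value = watch_env.strip()
    if not value:
        return None
    return {ns.strip() for ns in value.split(",") if ns.strip()}


def referenced_objects(groupsync: dict) -> list:
    """Collect (provider, field, kind, namespace, name) for every object reference.
    A reference without a namespace defaults to the GroupSync's own namespace."""
    own_ns = groupsync["metadata"]["namespace"]
    refs = []
    for provider in groupsync["spec"].get("providers", []):
        pname = provider.get("name", "<unnamed>")
        for cfg in provider.values():
            if not isinstance(cfg, dict):
                continue  # skip scalar fields such as 'name'
            for field in REF_FIELDS:
                ref = cfg.get(field)
                if ref:
                    refs.append((pname, field, ref.get("kind", "Secret"),
                                 ref.get("namespace", own_ns), ref["name"]))
    return refs


def lint(groupsync: dict, watch_env: str) -> list:
    """Return a list of (severity, message) findings for the manifest."""
    findings = []
    own_ns = groupsync["metadata"]["namespace"]
    watched = watched_namespaces(watch_env)

    if "," in watch_env:
        findings.append(("error", "WATCH_NAMESPACE holds a comma-separated list; "
                         "the issue reports this stops syncing, use a blank value "
                         "(all namespaces) or a single namespace instead"))
    elif watched is not None and own_ns not in watched:
        findings.append(("error", f"GroupSync lives in '{own_ns}' but the operator only "
                         f"watches {sorted(watched)}; it would not be reconciled"))

    for pname, field, kind, ns, name in referenced_objects(groupsync):
        if ns != own_ns:
            findings.append(("info", f"provider '{pname}' {field} -> {kind} {ns}/{name} "
                             "is cross-namespace; this is supported and does not "
                             "require adding the namespace to WATCH_NAMESPACE"))

    schedule = groupsync["spec"].get("schedule", "")
    if schedule and len(schedule.split()) != 5:
        findings.append(("error", f"schedule '{schedule}' is not a 5-field cron expression"))
    return findings


def errors(groupsync: dict, watch_env: str) -> list:
    """Only the blocking findings, for quick pass/fail use."""
    return [msg for sev, msg in lint(groupsync, watch_env) if sev == "error"]


if __name__ == "__main__":
    for env in ("", "openshift-config,group-sync-operator", "openshift-config"):
        print(f"WATCH_NAMESPACE={env!r}")
        for sev, msg in lint(GROUPSYNC, env):
            print(f"  [{sev}] {msg}")
```

Running it with the three values reproduces the thread: the blank value yields only informational lines about the two openshift-config references, the comma-separated value the reporter used is flagged, and a single namespace that does not contain the GroupSync itself is flagged as well.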