Closed GoebelL closed 3 years ago
Registering a new application would still require some user interaction (manual step): to use the Graph API we need to register a new Service Principal identity first and create a new secret for it. Following this step we can consider two options for registering the new application.
Option 1 - Creating a new endpoint in oscm-identity (Graph API - https://docs.microsoft.com/en-us/graph/api/resources/application?view=graph-rest-1.0). This option would also require an additional step for configuring the tenant properties (oscm-identity is using it OOTB).
Option 2 - Preparing a sample PowerShell script (AzureAD PowerShell Module - https://docs.microsoft.com/en-us/powershell/module/?view=azureadps-2.0). This option would also require an additional step for setting up a service in OSCM and configuring it so that it could be provisioned with the shell controller (PowerShell extension).
Hi @kowalczyka Thanks for your feedback. The goal of this request is to automate the required tenant setup at the OIDC provider, which currently needs manual interaction steps for the operator. I guess option 1 will lead us into a hen-and-egg issue with the tenant properties, because these settings can only result from an already registered OIDC tenant. Thinking over my request, it may be the wrong approach to build this setup on top of the oscm-identity service. I think the whole procedure for registering the default tenant at the OIDC provider needs to be done beforehand. Your idea with option 2 seems better to me, though I don't think that configuring the whole OSCM with the shell controller is required. Given that we have a service principal identity and secret - we can assume this exists... How about a custom PowerShell script that is provided on the host in the scripts directory, and executed from a shell in the oscm-app container? As long as no oscm-app startup or any OSCM operation is involved, this should work as an initial step, even when the setup with OSCM tenant properties is still incomplete.
For example, running something like
```shell
docker run --rm -it --entrypoint /bin/bash -v <script dir>:/opt/scripts oscm-app servicecatalog/oscm-app:latest
# prepare PowerShell in container
....
# Run PowerShell script to setup the default tenant
pwsh - ...
```
Thus, if you consider that oscm-identity is not helpful here and scripting is a better approach, let's close this here and move forward with a new task in the oscm-dockerbuild repo. What do you think?
I agree that scripting would be a better approach. Moreover, your idea to prepare such a custom script so that it can be run in an isolated context (without setting up a proper OSCM service) seems to be more lightweight.
Closing with follow-up task https://github.com/servicecatalog/oscm-dockerbuild/issues/306
Reopening due to the fact that the AzureAD PowerShell Module is not supported on any Linux OS. As the oscm-app container is Linux based, it is impossible to install and use the AzureAD module there.
In these circumstances the only possibility to resolve the issue seems to be the initial idea of creating a new endpoint in oscm-identity.
The issue is handled with an sh script instead of an oscm-identity API endpoint. The script is added and will be integrated underneath https://github.com/servicecatalog/oscm-dockerbuild/issues/321
Summary Provide an endpoint for registering a tenant application in the OIDC provider.
Details Currently the registration of new tenants with the OIDC provider has to be performed manually by the operator. For automating the installation in Azure we need an option to set up OSCM in OIDC mode without further user interaction.
In the first place we need an endpoint to register a new OSCM tenant application in Azure AD with the required reply URLs, API permissions and other OIDC settings needed for OSCM.
Acceptance criteria
Additional context N/A
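As an added example (not code from this issue or from the oscm project), this is how the requested registration could be scripted against the Graph API from a Linux container, the route the thread ends up on. It assumes a pre-existing service principal holding the Graph permission Application.ReadWrite.OwnedBy, uses User.Read as the delegated sign-in permission, and the reply URL and the AAD_* environment variable names are hypothetical; OSCM's actual permission set and reply paths are not stated in the issue.

```python
"""Register an OSCM tenant application in Azure AD via Microsoft Graph (added example).
Assumes a service principal with Application.ReadWrite.OwnedBy; URLs and scopes are placeholders."""
import json
import os
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
# Well-known IDs: the Microsoft Graph resource app and its delegated User.Read scope.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
USER_READ_SCOPE_ID = "e1fe6dd8-ba31-4d61-89e7-88639da4683d"

def build_app_payload(display_name, reply_urls):
    """Body for POST /applications: reply URLs plus the delegated sign-in permission."""
    # Azure AD rejects plain-http reply URLs (except localhost); fail early instead of at the API.
    if not all(u.startswith("https://") for u in reply_urls):
        raise ValueError("reply URLs must use https")
    return {
        "displayName": display_name,
        "signInAudience": "AzureADMyOrg",  # single tenant: only this directory's users sign in
        "web": {"redirectUris": list(reply_urls)},
        "requiredResourceAccess": [{
            "resourceAppId": GRAPH_APP_ID,
            "resourceAccess": [{"id": USER_READ_SCOPE_ID, "type": "Scope"}],
        }],
    }

def get_token(tenant_id, client_id, client_secret):
    """Client-credentials token for the service principal doing the registration."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials", "client_id": client_id,
        "client_secret": client_secret, "scope": "https://graph.microsoft.com/.default",
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]

def register_app(token, payload):
    """POST the application object; the response carries appId and the object id."""
    req = urllib.request.Request(f"{GRAPH}/applications", data=json.dumps(payload).encode(),
                                 method="POST", headers={"Authorization": f"Bearer {token}",
                                                         "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

if __name__ == "__main__":
    # The secret is read from the environment, never passed on the command line (visible in ps/history).
    tok = get_token(os.environ["AAD_TENANT_ID"], os.environ["AAD_CLIENT_ID"], os.environ["AAD_CLIENT_SECRET"])
    app = register_app(tok, build_app_payload("OSCM", ["https://oscm.example.com/oidc/callback"]))
    print(app["appId"])  # hypothetical reply URL above; appId goes into the OSCM tenant properties
```

The created application still needs its own client secret (POST /applications/{id}/addPassword) before OSCM can use it; that step is omitted here.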