browol/crossplane-aad-member-mgmt
Azure AD Group Member Management with Crossplane

Manage Azure AD groups and members using Crossplane. This guide provides a step-by-step process to set up Crossplane, install the Azure AD provider, and manage Azure AD groups and members.

References

Prerequisites

  • Azure CLI installed and configured
  • Kubernetes cluster running (e.g., using Kind)
  • Helm installed
  • K9s installed (optional)
  • Kubectx and Kubens installed (optional)

Create Kubernetes Cluster

kind create cluster
kubectx kind-kind

Add and Update Crossplane Helm Repo

helm repo add crossplane-stable https://charts.crossplane.io/stable
helm repo update

Install Crossplane

helm install crossplane crossplane-stable/crossplane \
  --namespace crossplane-system \
  --create-namespace

Switch to Crossplane Namespace

kubens crossplane-system

Verify Crossplane Installation

kubectl get pods -n crossplane-system

Check Available Crossplane API Resources

kubectl api-resources | grep crossplane

Install Azure AD Provider

cat <<EOF | kubectl apply -f -
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
  name: provider-azuread
spec:
  package: xpkg.upbound.io/upbound/provider-azuread:v1
EOF

Verify Provider Installation

kubectl get provider

Create Azure AD Service Principal and Credentials

az ad sp create-for-rbac --sdk-auth --name crossplane-azad > azuread-credentials.json

Assign Required Permissions to Azure AD App

Ensure that the following permissions are granted to the Azure AD app registration behind the service principal, with admin consent:

| Permission Name | Type | Description | Admin Consent |
|---|---|---|---|
| Group.ReadWrite.All | Application | Read and write all groups | Yes |
| GroupMember.ReadWrite.All | Application | Read and write all group memberships | Yes |
| User.Read.All | Application | Read all users' full profiles | Yes |

Create Kubernetes Secret for Azure AD Credentials

kubectl create secret generic azuread-secret -n crossplane-system --from-file=creds=./azuread-credentials.json
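The file written by `az ad sp create-for-rbac --sdk-auth` contains a live client secret, and the ProviderConfig below only works if the `clientId`, `clientSecret` and `tenantId` keys are present. The following shell script is an added example (not part of this repository) that checks both points before the file is turned into a Secret; the `check_azuread_creds` and `make_sample_creds` function names and the sample JSON values are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the repository): sanity-check the JSON that
# `az ad sp create-for-rbac --sdk-auth` wrote before it becomes a Secret.
# The provider reads clientId, clientSecret and tenantId from it, so a file
# missing any of them yields a ProviderConfig that never syncs.

# check_azuread_creds FILE -> 0 if usable, 1 otherwise (reason on stderr)
check_azuread_creds() {
  f="$1"
  [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }

  # Every key the provider needs must be present with a non-empty value.
  for key in clientId clientSecret tenantId; do
    grep -q "\"$key\"[[:space:]]*:[[:space:]]*\"[^\"]\{1,\}\"" "$f" \
      || { echo "missing or empty key: $key" >&2; return 1; }
  done

  # The file holds a live client secret: refuse anything group/world readable.
  # Characters 5-10 of `ls -l` are the group and other permission bits.
  rest=$(ls -l "$f" | cut -c5-10)
  [ "$rest" = "------" ] \
    || { echo "$f is readable by group/others ($rest); chmod 600 it" >&2; return 1; }
  return 0
}

# make_sample_creds -> path of a constructed sample file (placeholder values,
# not real credentials) so the check can be exercised offline.
make_sample_creds() {
  tmp=$(mktemp)
  cat > "$tmp" <<'EOF'
{
  "clientId": "00000000-0000-0000-0000-000000000001",
  "clientSecret": "CONSTRUCTED-PLACEHOLDER-SECRET",
  "subscriptionId": "00000000-0000-0000-0000-000000000002",
  "tenantId": "00000000-0000-0000-0000-000000000003"
}
EOF
  chmod 600 "$tmp"
  echo "$tmp"
}

# Usage against the real file from the step above:
#   check_azuread_creds ./azuread-credentials.json && \
#     kubectl create secret generic azuread-secret -n crossplane-system \
#       --from-file=creds=./azuread-credentials.json
```

Run the check against `./azuread-credentials.json` right after the `az` command; once the Secret exists, delete the local file so the client secret lives only in the cluster.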

Configure Azure AD Provider

cat <<EOF | kubectl apply -f -
apiVersion: azuread.upbound.io/v1beta1
kind: ProviderConfig
metadata:
  name: default
spec:
  credentials:
    source: Secret
    secretRef:
      namespace: crossplane-system
      name: azuread-secret
      key: creds
EOF

Describe Provider Configurations

kubectl describe providerconfigs

Create Azure AD Group

cat <<EOF | kubectl apply -f -
apiVersion: groups.azuread.upbound.io/v1beta2
kind: Group
metadata:
  annotations:
    meta.upbound.io/apiversion: groups/v1beta1/group
  labels:
    azadgroup.upbound.io/name: aks-reader
  name: aks-reader
spec:
  deletionPolicy: Orphan
  forProvider:
    displayName: aks-reader
    securityEnabled: true
  providerConfigRef:
    name: default
EOF

Verify Managed Resources

kubectl get managed

Describe Managed Resources

kubectl describe managed

Add Member to Azure AD Group

cat <<EOF | kubectl apply -f -
apiVersion: groups.azuread.upbound.io/v1beta1
kind: Member
metadata:
  annotations:
    meta.upbound.io/apiversion: groups/v1beta1/member
    meta.upbound.io/objectid: xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    meta.upbound.io/upn: yourname@example.com
  labels:
    azadmember.upbound.io/name: aks-reader-xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
  name: aks-reader-xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
spec:
  deletionPolicy: Delete
  forProvider:
    groupObjectIdSelector:
      matchLabels:
        azadgroup.upbound.io/name: aks-reader
    memberObjectId: xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
  providerConfigRef:
    name: default
EOF
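The Group and Member manifests above follow a fixed convention (Member name and label `<group>-<objectId>`, group selected through the `azadgroup.upbound.io/name` label), and the `xxxx-...` placeholders must be replaced by a real object id before `kubectl apply`. The following shell functions are an added example (not part of this repository) that generate both manifests from parameters and reject placeholders, malformed object ids, and names that are not valid Kubernetes resource names; `gen_group_manifest`, `gen_member_manifest`, `is_guid` and the sample ids are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the repository): generate the Group and Member
# manifests from parameters instead of hand-editing the xxxx-... ids.
# Follows the README convention (name/label <group>-<objectId>, selector on
# azadgroup.upbound.io/name) and validates every value that is interpolated
# into YAML, so a left-over placeholder never reaches `kubectl apply`.

GUID_RE='^[0-9a-fA-F]\{8\}-[0-9a-fA-F]\{4\}-[0-9a-fA-F]\{4\}-[0-9a-fA-F]\{4\}-[0-9a-fA-F]\{12\}$'

# is_guid VALUE -> 0 if VALUE looks like an Azure AD object id
is_guid() { printf '%s\n' "$1" | grep -q "$GUID_RE"; }

# gen_group_manifest NAME -> prints a Group manifest on stdout
gen_group_manifest() {
  name="$1"
  # Kubernetes object names must be lowercase DNS-1123 labels.
  case "$name" in
    ''|*[!a-z0-9.-]*) echo "group name must be lowercase DNS-1123: '$name'" >&2; return 1 ;;
  esac
  cat <<EOF
apiVersion: groups.azuread.upbound.io/v1beta2
kind: Group
metadata:
  annotations:
    meta.upbound.io/apiversion: groups/v1beta1/group
  labels:
    azadgroup.upbound.io/name: $name
  name: $name
spec:
  deletionPolicy: Orphan
  forProvider:
    displayName: $name
    securityEnabled: true
  providerConfigRef:
    name: default
EOF
}

# gen_member_manifest GROUP OBJECT_ID UPN -> prints a Member manifest on stdout
gen_member_manifest() {
  group="$1"; oid="$2"; upn="$3"
  case "$group" in
    ''|*[!a-z0-9.-]*) echo "group name must be lowercase DNS-1123: '$group'" >&2; return 1 ;;
  esac
  is_guid "$oid" || { echo "not an object id (placeholder left in?): $oid" >&2; return 1; }
  # The UPN is only an annotation, but it is interpolated into YAML: restrict
  # it to plain address characters so it cannot inject extra keys or lines.
  case "$upn" in
    ''|*[!A-Za-z0-9@._+-]*) echo "refusing UPN with unexpected characters" >&2; return 1 ;;
  esac
  cat <<EOF
apiVersion: groups.azuread.upbound.io/v1beta1
kind: Member
metadata:
  annotations:
    meta.upbound.io/apiversion: groups/v1beta1/member
    meta.upbound.io/objectid: $oid
    meta.upbound.io/upn: $upn
  labels:
    azadmember.upbound.io/name: $group-$oid
  name: $group-$oid
spec:
  deletionPolicy: Delete
  forProvider:
    groupObjectIdSelector:
      matchLabels:
        azadgroup.upbound.io/name: $group
    memberObjectId: $oid
  providerConfigRef:
    name: default
EOF
}

# Usage (the object id lookup needs a logged-in az CLI; values are constructed):
#   gen_group_manifest aks-reader | kubectl apply -f -
#   oid=$(az ad user show --id alice@example.com --query id -o tsv)
#   gen_member_manifest aks-reader "$oid" alice@example.com | kubectl apply -f -
```

The generated manifests keep the README's deletion policies: `Orphan` on the Group means deleting the Kubernetes object leaves the Azure AD group in place, while `Delete` on the Member removes that membership from Azure AD when its object is deleted, so removing access is a `kubectl delete member <name>` that is visible in the cluster's audit log.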

Open K9s Dashboard for Crossplane Namespace

k9s --context kind-kind -n crossplane-system
