Groups defined in [IBM Security Verify](https://help.okta.com/en/prod/Content/Topics/users-groups-profiles/usgp-main.htm) (ISV) can be synchronized into OpenShift. Currently only the `userName` field from ISV will be synchronized. The developer docs for the ISV API can be found [here](https://docs.verify.ibm.com/verify/page/api-documentation).
484
+
The following table describes the set of configuration options for the provider:
485
+
486
+
| Name | Description | Defaults | Required |
487
+
| ----- | ---------- | -------- | ----- |
488
+
| `credentialsSecret` | Reference to a secret containing authentication details (see below) | `''` | Yes |
489
+
| `groups` | List of groups to synchronize (see below) | `nil` | Yes |
490
+
| `tenantUrl` | The ISV tenant URL, for example `https://my-isv.verify.ibm.com`) | `''` | Yes |
491
+
492
+
The following is an example of a minimal configuration that can be applied to integrate with an Okta provider:
493
+
494
+
```yaml
495
+
apiVersion: redhatcop.redhat.io/v1alpha1
496
+
kind: GroupSync
497
+
metadata:
498
+
name: ibmsecurityverify-sync
499
+
spec:
500
+
providers:
501
+
- name: ibmsecurityverify
502
+
ibmsecurityverify:
503
+
credentialsSecret:
504
+
name: isv-group-sync
505
+
namespace: group-sync-operator
506
+
tenantUrl: https://my-isv.verify.ibm.com
507
+
groups:
508
+
- name: 'application owners'
509
+
id: 645001V3V9
510
+
- name: developer
511
+
id: 645001V3VA
512
+
```
513
+
514
+
#### Group Objects
515
+
Each group object in the `groups` array must contain an `id` field. The group ID can be retrieved by pulling the group information from the ISV API. Optionally, the object may also contain a `name` which corresponds to the group's display name. When defined, the operator will confirm that the name defined in the YAML matches that received from the API when synchronization occurs; as the group IDs are not human-friendly, using the name can confirm the correct groups are configured. If the names do not match an error will be logged.
516
+
517
+
#### Group Names
518
+
The name of each groups created in OpenShift will match the group name in ISV. Any whitespace in the ISV group name will be replaced with a hyphen.
519
+
520
+
#### Authenticating to IBM Security Verify
521
+
522
+
A secret must be created in the same namespace as the group-sync-operator pod. It must contain the following keys:
523
+
524
+
* `clientId` - The API client ID.
525
+
* `clientSecret`- The API client secret.
526
+
527
+
See the IBM Security Verify [API documentation](https://docs.verify.ibm.com/verify/docs/api-access) for setting up authentication.
528
+
480
529
### Support for Additional Metadata (Beta)
481
530
482
531
Additional metadata based on Keycloak group are also added to the OpenShift groups as Annotations including:
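Review bot: The opening paragraph links "IBM Security Verify" to an Okta help page (`help.okta.com/.../usgp-main.htm`), and the sentence introducing the YAML says the configuration integrates "with an Okta provider". Both look carried over from the Okta section. Point the link at ISV documentation and change the sentence to "an IBM Security Verify provider". Smaller points in the same hunk: the `tenantUrl` table row has an unmatched closing parenthesis after the example URL, "each groups" under Group Names should be "each group", and `clientSecret` is missing the space before its hyphen.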
// KeycloakProvider represents integration with Keycloak
@@ -462,6 +467,35 @@ type OktaProvider struct {
462
467
Prunebool`json:"prune"`
463
468
}
464
469
470
+
// IbmSecurityVerifyProvider represents integration with IBM Security Verify
471
+
// +k8s:openapi-gen=true
472
+
typeIbmSecurityVerifyProviderstruct {
473
+
// CredentialsSecret is a reference to a secret containing authentication details for the IBM Security Verify server
474
+
// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Secret Containing the Credentials",xDescriptors={"urn:alm:descriptor:io.kubernetes:Secret"}
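Review bot: The comment on `CredentialsSecret` does not name the keys the secret must hold, although the README text in this commit requires `clientId` and `clientSecret`. With `+k8s:openapi-gen=true` on the type, listing those keys in the field comment would put them in front of anyone reading the generated schema. As a style point, `IbmSecurityVerifyProvider` would follow Go initialism conventions as `IBMSecurityVerifyProvider`. The field declaration itself is cut off in this view, so its type and JSON tag cannot be checked here.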
Groups defined in [IBM Security Verify](https://help.okta.com/en/prod/Content/Topics/users-groups-profiles/usgp-main.htm) (ISV) can be synchronized into OpenShift. Currently only the `userName` field from ISV will be synchronized. The developer docs for the ISV API can be found [here](https://docs.verify.ibm.com/verify/page/api-documentation).
1170
+
The following table describes the set of configuration options for the provider:
1171
+
1172
+
| Name | Description | Defaults | Required |
1173
+
| ----- | ---------- | -------- | ----- |
1174
+
| `credentialsSecret` | Reference to a secret containing authentication details (see below) | `''` | Yes |
1175
+
| `groups` | List of groups to synchronize (see below) | `nil` | Yes |
1176
+
| `tenantUrl` | The ISV tenant URL, for example `https://my-isv.verify.ibm.com`) | `''` | Yes |
1177
+
1178
+
The following is an example of a minimal configuration that can be applied to integrate with an Okta provider:
1179
+
1180
+
```yaml
1181
+
apiVersion: redhatcop.redhat.io/v1alpha1
1182
+
kind: GroupSync
1183
+
metadata:
1184
+
name: ibmsecurityverify-sync
1185
+
spec:
1186
+
providers:
1187
+
- name: ibmsecurityverify
1188
+
ibmsecurityverify:
1189
+
credentialsSecret:
1190
+
name: isv-group-sync
1191
+
namespace: group-sync-operator
1192
+
tenantUrl: https://my-isv.verify.ibm.com
1193
+
groups:
1194
+
- name: 'application owners'
1195
+
id: 645001V3V9
1196
+
- name: developer
1197
+
id: 645001V3VA
1198
+
```
1199
+
1200
+
#### Group Objects
1201
+
Each group object in the `groups` array must contain an `id` field. The group ID can be retrieved by pulling the group information from the ISV API. Optionally, the object may also contain a `name` which corresponds to the group's display name. When defined, the operator will confirm that the name defined in the YAML matches that received from the API when synchronization occurs; as the group IDs are not human-friendly, using the name can confirm the correct groups are configured. If the names do not match an error will be logged.
1202
+
1203
+
#### Group Names
1204
+
The name of each groups created in OpenShift will match the group name in ISV. Any whitespace in the ISV group name will be replaced with a hyphen.
1205
+
1206
+
#### Authenticating to IBM Security Verify
1207
+
1208
+
A secret must be created in the same namespace as the group-sync-operator pod. It must contain the following keys:
1209
+
1210
+
* `clientId` - The API client ID.
1211
+
* `clientSecret`- The API client secret.
1212
+
1213
+
See the IBM Security Verify [API documentation](https://docs.verify.ibm.com/verify/docs/api-access) for setting up authentication.
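Review bot: The Group Names paragraph says whitespace in an ISV group name is replaced with a hyphen, which means two ISV groups such as "application owners" and "application-owners" would resolve to the same OpenShift group name. Document how that collision is handled, or reject it, so memberships from different ISV groups are not merged silently. Two related gaps: the Authenticating section requires the secret to be in the operator pod's namespace while the example's `credentialsSecret` carries its own `namespace` field, so say which one applies; and Group Objects says a name mismatch logs an error without stating whether that group is still synchronized. This second copy of the section also carries the Okta link and the "Okta provider" sentence, so fixes to that wording are needed here too.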