feat: add lf-staff/lf-contractor LDAP → OpenFGA global team sync script

.cspell.json

@@ -80,7 +80,8 @@
     "unmarshals",
     "uids",
     "tracecontext",
-    "GOTOOLCHAIN"
+    "GOTOOLCHAIN",
+    "datadoghq"
   ],
   "overrides": [
     {

scripts/sync_global_groups/cronjob.yaml

@@ -0,0 +1,66 @@
+# Copyright The Linux Foundation and each contributor to LFX.
+# SPDX-License-Identifier: MIT
+
+# cronjob.yaml runs the sync_global_groups script on a schedule inside the
+# cluster. Before applying:
+#   1. Run deploy-configmap.sh to push the latest script as a ConfigMap.
+#   2. Replace all REPLACE_ME values with environment-specific values.
+#   3. Create the fga-sync-global-groups-client-secrets-ad-hoc Secret with
+#      client_id and client_secret keys.
+#
+# Apply with: kubectl apply -f cronjob.yaml -n lfx
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: sync-global-groups-ad-hoc
+  namespace: lfx
+spec:
+  schedule: "*/10 * * * *"   # Every 10 minutes.
+  concurrencyPolicy: Forbid
+  successfulJobsHistoryLimit: 3
+  failedJobsHistoryLimit: 3
+  jobTemplate:
+    spec:
+      ttlSecondsAfterFinished: 3600
+      backoffLimit: 0
+      template:
+        metadata:
+          labels:
+            tags.datadoghq.com/service: lfx-v2-fga-sync
+          annotations:
+            ad.datadoghq.com/sync.logs: '[{"service": "lfx-v2-fga-sync", "source": "go"}]'
+        spec:
+          restartPolicy: Never
+          volumes:
+            - name: script
+              configMap:
+                name: sync-global-groups-ad-hoc
+          containers:
+            - name: sync
+              image: golang:1.24-alpine
+              command:
+                - go
+                - run
+                - /script/main.go
+              volumeMounts:
+                - name: script
+                  mountPath: /script
+              env:
+                - name: CLIENT_ID
+                  valueFrom:
+                    secretKeyRef:
+                      name: fga-sync-global-groups-client-secrets-ad-hoc
+                      key: client_id
+                - name: CLIENT_SECRET
+                  valueFrom:
+                    secretKeyRef:
+                      name: fga-sync-global-groups-client-secrets-ad-hoc
+                      key: client_secret
+                - name: LDAP_REST_PROXY
+                  value: "REPLACE_ME"   # e.g. https://ldap-rest-proxy.example.com
+                - name: OAUTH_TOKEN_ENDPOINT
+                  value: "REPLACE_ME"   # e.g. https://auth.example.com/oauth/token
+                - name: OPENFGA_API_URL
+                  value: "REPLACE_ME"   # e.g. http://lfx-platform-openfga.lfx.svc.cluster.local:8080
+                - name: OPENFGA_STORE_ID
+                  value: "REPLACE_ME"   # OpenFGA store ID

scripts/sync_global_groups/deploy-configmap.sh

@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+# Copyright The Linux Foundation and each contributor to LFX.
+# SPDX-License-Identifier: MIT
+
+# deploy-configmap.sh wraps scripts/sync_global_groups/main.go as a Kubernetes
+# ConfigMap and applies it to the cluster. The ConfigMap is intended for use
+# with the accompanying cronjob.yaml.
+#
+# Usage: ./deploy-configmap.sh [namespace]
+#   namespace  Target Kubernetes namespace (default: lfx)
+
+set -euo pipefail
+
+NAMESPACE="${1:-lfx}"
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+SCRIPT_FILE="${SCRIPT_DIR}/main.go"
+CONFIGMAP_NAME="sync-global-groups-ad-hoc"
+
+# Support KUBECTL_CONTEXT env var to select a kubeconfig context.
+KUBECTL_ARGS=()
+if [[ -n "${KUBECTL_CONTEXT:-}" ]]; then
+  KUBECTL_ARGS+=(--context "${KUBECTL_CONTEXT}")
+fi
+
+echo "Deploying ConfigMap '${CONFIGMAP_NAME}' to namespace '${NAMESPACE}'..."
+
+kubectl "${KUBECTL_ARGS[@]}" create configmap "${CONFIGMAP_NAME}" \
+  --from-file=main.go="${SCRIPT_FILE}" \
+  --namespace="${NAMESPACE}" \
+  --dry-run=client -o yaml \
+  | kubectl "${KUBECTL_ARGS[@]}" apply -f -
+
+echo "Done."