
nais/azurerator


Azurerator

Kubernetes operator for declarative lifecycle management of Entra ID (formerly Azure AD) applications.

How it works

Azurerator watches for AzureAdApplication (azureapp) resources and reconciles them against Entra ID — registering apps, configuring credentials, managing pre-authorized clients, and producing Kubernetes Secrets with the resulting metadata.

See Lifecycle for the full sequence diagram and detailed operations.

Example resource

apiVersion: nais.io/v1
kind: AzureAdApplication
metadata:
  name: myapp
  namespace: myteam
spec:
  secretName: azuread-myapp
  preAuthorizedApplications:
    - application: other-app
      namespace: other-team
      cluster: other-cluster
  replyUrls:
    - url: "https://myapp.example.com/oauth2/callback"

See the Custom Resource Definition (CRD) for all available options.

Secret keys

The operator produces a Kubernetes Secret using the name specified in .spec.secretName. The Secret contains the following keys:

| Key                                | Description                                        |
|------------------------------------|----------------------------------------------------|
| AZURE_APP_CLIENT_ID                | Application (client) ID                            |
| AZURE_APP_CLIENT_SECRET            | Client secret (password credential)                |
| AZURE_APP_JWK                      | Private key (JWK) for client assertion             |
| AZURE_APP_JWKS                     | Private key set (JWKS) for client assertion        |
| AZURE_APP_WELL_KNOWN_URL           | URL of the OpenID Connect discovery document       |
| AZURE_OPENID_CONFIG_ISSUER         | issuer from the discovery document                 |
| AZURE_OPENID_CONFIG_JWKS_URI       | jwks_uri from the discovery document               |
| AZURE_OPENID_CONFIG_TOKEN_ENDPOINT | token_endpoint from the discovery document         |

Documentation

| Document             | Description                                                        |
|----------------------|--------------------------------------------------------------------|
| Lifecycle            | Detailed walkthrough of all operations performed per reconciliation |
| Configuration        | Entra ID setup, all flags, and example config                      |
| CRD spec (liberator) | Full custom resource definition                                    |
| Example resource     | Sample AzureAdApplication manifest                                 |

Development

Requirements

  • mise — tool version manager and task runner

Getting started

Start a local Kubernetes cluster, e.g. using kind, minikube, or similar.

mise install              # install prerequisites
mise run install:crd      # install CRDs into cluster
mise run local            # start the controller

# in another shell
mise run install:sample   # apply a sample AzureAdApplication resource

Testing

mise run test

About

Kubernetes Operator for automated registration of Azure AD applications
