Unable to create TCA Permission against AD Group

Article ID: 384803

Products

VMware Telco Cloud Automation

Issue/Introduction

TCA user is unable to configure a TCA Permission against an AD Group.

Environment

3.1.1.01 (patched on 3.1.1)

Cause

  • This can occur in TCA 3.1.1.01 environments (TCA 3.1.1 patched with "Ignoring misconfigured users on Customer AD").

  • TCA 3.1.1.01 does not sync (import) AD users/groups locally, so that customer ADs containing erroneous entries can still be configured. (Previously, the customer was unable to configure the AD if even a single user record did not comply with AD object rules.)

  • Creating a TCA Permission against an AD group attempts to validate the input group against the locally stored AD groups.

  • Because no groups are stored locally, this validation fails, preventing the TCA user from configuring a Permission against an AD group.

Resolution

The issue is resolved by importing the AD groups manually via the debug-tca-cluster utility. Refer to the following steps:

  1. Configure the AD SSO using TCA Appliance Management as usual. Reference: Configure VMware Telco Cloud Automation Manager

  2. SSH into TCA Manager.

  3. (Only needed for upgrade scenarios, i.e. if TCA was upgraded from 2.3 to 3.1.1.) Delete the previously imported groups. This step is mandatory if the customer has moved a group under a different AD subtree.
    admin@TCA [ ~ ]$ kubectl exec -it postgres-0 -n tca-mgr bash # Login to postgres pod
    postgres@postgres-0:/$
    postgres@postgres-0:/$ psql keycloak
    psql (14.7 (VMware Postgres 14.7.0))
    Type "help" for help.
     
    keycloak=#
    keycloak=> delete from "group_attribute";
    DELETE 53
    keycloak=>
    keycloak=>
    keycloak=> delete from "keycloak_group";
    DELETE 53
  4. Execute the "debug-tca-cluster" command.

    admin@10 [ ~ ]$ debug-tca-cluster
    2024-09-18 08:33:37,126 - INFO - Attaching to debug pod tca-debug-epjcho-vbgqh
    debug-pod [ ~ ]$
  5. Execute the "debug-tca" command and navigate the menu as follows:

    debug-pod [ ~ ]$
    debug-pod [ ~ ]$ debug-tca
     
    ========================================
    Welcome to TCA
    ========================================
     
    ? Main Menu: What do you want to do? (Use shortcuts or arrow keys)
       1) Connect to Postgres
       2) Get logs of a service
     » 3) Debug service
       4) Exit
      Answer: 3) Debug service

    debug-pod [ ~ ]$ debug-tca
     
    ========================================
    Welcome to TCA
    ========================================
     
    ? Main Menu: What do you want to do? Debug service
    ? Select namespace (Use shortcuts or arrow keys)
     » 1) tca-mgr
       2) argocd-system
       3) cert-manager
       4) default
       5) deployment-config
       6) fluent-system
       7) istio-system
       8) kafka-operator-system
       9) kapp-controller-packaging-global
       0) kube-node-lease
       a) kube-public
       b) kube-system
       c) local-path-storage
       d) metallb-system
       e) postgres-operator-system
       f) tca-services
       g) tca-system
       h) tcx-system
      Answer: 1) tca-mgr

     

    debug-pod [ ~ ]$ debug-tca
     
    ========================================
    Welcome to TCA
    ========================================
     
    ? Main Menu: What do you want to do? Debug service
    ? Select namespace tca-mgr
    Question: 'Debug Menu: Choose an option'
    Auto-selecting Answer 'Choose pod from list of Running pods'
    ? Debug Menu: Enter pod name (Use shortcuts or arrow keys)
       1) audit-log-service-68c9dc596d-m4tcv
       2) caas-hub-0
       3) central-kafka-0
       4) central-zookeeper-0
       5) edge-hub-677595cd99-9x6gf
       6) event-mesh-connect-connect-6c9778cf4b-wks9g
       7) istio-ingressgateway-668c487bf-5jq69
       8) network-slicing-nsmf-6fc678456c-v42ck
       9) network-slicing-nssmf-7dd6bb6fcc-4lq95
       0) network-slicing-nssmf-ran-5475988457-qjwq2
       a) network-slicing-sms-6fcdc6874f-n4vw6
       b) postgres-0
       c) postgres-monitor-0
       d) tca-api-9cd796ddb-dsszs
       e) tca-app-69d9596656-xzpvg
       f) tca-catalog-parser-9dff64fbf-pl87d
       g) tca-catalog-parser-r4-7459fdfc7d-89vp6
       h) tca-cert-obs-6b9d8578d6-8x9p6
       i) tca-database-admin-service-6b64cffdf9-2kpbb
       j) tca-debug-epjcho-vbgqh
       k) tca-diagnosis-controlplane-7f95d4854b-299cr
     » l) tca-keycloak-service-7fb45f9664-zqzg9
       m) tca-platform-manager-96bcf4c9d-n4p7n
       n) tca-prometheus-proxy-c875769db-tpc54
       o) tca-proxy-cd8c966cc-5s5gr
       p) tca-tcf-manager-6bd98dfd8f-ftc9m
       q) tca-ui-cdb8cb664-qhpt4
      Answer: l) tca-keycloak-service-7fb45f9664-zqzg9

     

    debug-pod [ ~ ]$ debug-tca
     
    ========================================
    Welcome to TCA
    ========================================
     
    ? Main Menu: What do you want to do? Debug service
    ? Select namespace tca-mgr
    Question: 'Debug Menu: Choose an option'
    Auto-selecting Answer 'Choose pod from list of Running pods'
    ? Debug Menu: Enter pod name tca-keycloak-service-7fb45f9664-zqzg9
    ? Debug Menu: Which container? (Use shortcuts or arrow keys)
     » 1) tca-keycloak
       2) istio-proxy
      Answer: 1) tca-keycloak

     

  6. Execute the attached shell script (sync_keycloak_ad_groups.sh) to trigger the AD group import locally. Note that the script execution may fail the first time due to a cache invalidation issue; if this happens, execute the script again.

  7. Use "exit" as needed to get back to the previous shell prompt.
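The delete in step 3 cannot be undone from psql, so the following helper (an added example, not the KB's own procedure and not the attached sync_keycloak_ad_groups.sh) records the row counts of the two Keycloak tables and dumps them to a local file before the delete is issued. It assumes kubectl access to the TCA Manager cluster, the postgres-0 pod in the tca-mgr namespace as shown in step 3, and that pg_dump is available inside that pod (assumption); DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: baseline counts and a table-level backup of the Keycloak group
# tables that step 3 deletes from (keycloak_group, group_attribute), so that the
# "DELETE 53" seen in the KB can be checked against a known count and reverted.
# Assumptions: kubectl access to the TCA Manager cluster, pod postgres-0 in
# namespace tca-mgr, and pg_dump present in that pod.
set -eu

NS="${NS:-tca-mgr}"
POD="${POD:-postgres-0}"
DB="keycloak"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints the kubectl commands instead of running them

# Run one SQL statement inside the postgres pod; -A/-t give bare, script-friendly output.
run_psql() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'kubectl exec -n %s %s -- psql -At %s -c "%s"\n' "$NS" "$POD" "$DB" "$1"
  else
    kubectl exec -n "$NS" "$POD" -- psql -At "$DB" -c "$1"
  fi
}

# Row counts of the two tables the manual delete touches.
count_groups()     { run_psql "select count(*) from keycloak_group;"; }
count_attributes() { run_psql "select count(*) from group_attribute;"; }

# Dump only those two tables to a local file; the file can be replayed with psql
# against the keycloak database if the delete has to be reverted.
backup_groups() {
  out="${1:-keycloak_groups_$(date +%Y%m%d%H%M%S).sql}"
  if [ "$DRY_RUN" = "1" ]; then
    printf 'kubectl exec -n %s %s -- pg_dump -t keycloak_group -t group_attribute %s > %s\n' \
      "$NS" "$POD" "$DB" "$out"
  else
    kubectl exec -n "$NS" "$POD" -- pg_dump -t keycloak_group -t group_attribute "$DB" > "$out"
  fi
  printf '%s\n' "$out"   # last line of output is the backup path
}

# Flow to run immediately before step 3: print the baseline, then take the backup.
main() {
  echo "groups: $(count_groups)  attributes: $(count_attributes)"
  echo "backup written to: $(backup_groups "$@" | tail -n 1)"
}

# Run the flow only when RUN_CHECK=1, so the functions can also be sourced by other scripts.
if [ "${RUN_CHECK:-0}" = "1" ]; then main "$@"; fi
```

Run it as `RUN_CHECK=1 sh pre_delete_check.sh` before the psql session in step 3, and compare the printed group count with the row count that the delete reports.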

 

Attachments

sync_keycloak_ad_groups.sh