redhat-cop
diff --git a/‎README.md
+104-8 b/‎README.md
+104-8
diff --git a/‎deploy/crds/redhatcop.redhat.io_groupsyncs_crd.yaml
+49-5 b/‎deploy/crds/redhatcop.redhat.io_groupsyncs_crd.yaml
+49-5
diff --git a/‎examples/github.yaml
+10 b/‎examples/github.yaml
+10
diff --git a/‎examples/keycloak.yaml
+2-3 b/‎examples/keycloak.yaml
+2-3
diff --git a/‎go.mod
+5 b/‎go.mod
+5
diff --git a/‎pkg/apis/redhatcop/v1alpha1/groupsync_types.go
+25-6 b/‎pkg/apis/redhatcop/v1alpha1/groupsync_types.go
+25-6
@@ -43,22 +43,82 @@ oc -n group-sync-operator apply -f deploy
 
 Integration with external systems is made possible through a set of plugable external providers. The following providers are currently supported:
 
+* [GitHub](https://github.com)
 * [Keycloak](https://www.keycloak.org/)/[Red Hat Single Sign On](https://access.redhat.com/products/red-hat-single-sign-on)
 
-The following sections describe the configuration options provided by each provider
+The following sections describe the configuration options available for each provider
+
+
+### GitHub
+
+Teams stored within a GitHub organization can be synchronized into OpenShift. The following table describes the set of configuration options for the GitHub provider:
+
+| Name | Description | Defaults | Required | 
+| ----- | ---------- | -------- | ----- |
+| `caSecretRef` | Reference  to a secret containing a SSL certificate to use for communication (See below) | | No |
+| `credentialsSecretName` | Name of the secret containing authentication details (See below) | | Yes |
+| `insecure` | Ignore SSL verification | 'false' | No |
+| `organization` | Organization to synchronize against | | Yes |
+| `teams` | List of teams to filter against | | No |
+| `url` | Base URL for the GitHub or GitHub Enterprise host (Must contain a trailing slash) | | No |
+
+
+The following is an example of a minimal configuration that can be applied to integrate with a Github provider:
+
+```shell
+apiVersion: redhatcop.redhat.io/v1alpha1
+kind: GroupSync
+metadata:
+  name: github-groupsync
+  namespace: group-sync-operator
+spec:
+  providers:
+  - github:
+      organization: ocp
+      credentialsSecretName: github-group-sync
+```
+
+#### Authenticating to GitHub
+
+Authentication to GitHub can be performed using an OAuth Personal Access Token or a Username and Password (Note: 2FA not supported). A secret must be created in the same namespace that contains the `GroupSync` resource:
+
+When using an OAuth token, the following key is required:
+
+* `token` - OAuth token
+
+The secret can be created by executing the following command:
+
+```shell
+oc create secret generic github-group-sync --from-literal=token=<token>
+```
+
+
+The following keys are required for username and password:
+
+* `username` - Username for authenticating with Keycloak
+* `password` - Password for authenticating with Keycloak
+
+The secret can be created by executing the following command:
+
+```shell
+oc create secret generic github-group-sync --from-literal=username=<username> --from-literal=password=<password>
+```
 
 ### Keycloak
 
 Groups stored within Keycloak can be synchronized into OpenShift. The following table describes the set of configuration options for the Keycloak provider:
 
 | Name | Description | Defaults | Required | 
 | ----- | ---------- | -------- | ----- |
-| `url` | URL Location for Keycloak | | Yes |
+| `caSecretRef` | Reference  to a secret containing a SSL certificate to use for communication (See below) | | No |
+| `credentialsSecretName` | Name of the secret containing authentication details (See below) | | Yes |
+| `groups` | List of groups to filter against | | No |
+| `insecure` | Ignore SSL verification | 'false' | No |
 | `loginRealm` | Realm to authenticate against | `master` | No |
 | `realm` | Realm to synchronize | | Yes |
-| `secretName` | Name of the secret containing authentication details (See below) | | Yes |
-| `insecure` | Ignore SSL verification | 'false' | No |
 | `scope` | Scope for group synchronization. Options are `one` for one level or `sub` to include subgroups | `sub` | No |
+| `url` | URL Location for Keycloak | | Yes |
+
 
 The following is an example of a minimal configuration that can be applied to integrate with a Keycloak provider:
 
@@ -72,7 +132,7 @@ spec:
   providers:
   - keycloak:
       realm: ocp
-      secretName: keycloak-group-sync
+      credentialsSecretName: keycloak-group-sync
       url: https://keycloak-keycloak-operator.apps.openshift.com
 ```
 
@@ -83,12 +143,47 @@ A secret must be created in the same namespace that contains the `GroupSync` res
 * `username` - Username for authenticating with Keycloak
 * `password` - Password for authenticating with Keycloak
 
-To specify the TLS certificates that should be used to communicate with Keycloak, add the certificates to `ca.crt` key 
+## CA Certificates
+
+Each provider allows for certificates to be provided in a secret to communicate to the target host. The secret must be placed in the same namespace as the `GroupSync`. An example of how a CA certificate for the Keycloak provider can be found below:
 
-## Sync Period
 
-To specify the period for which synchronization should occur on a regular basis, the `syncPeriodMinutes` field can be set as described below
+```shell
+apiVersion: redhatcop.redhat.io/v1alpha1
+kind: GroupSync
+metadata:
+  name: keycloak-groupsync
+  namespace: group-sync-operator
+spec:
+  providers:
+  - keycloak:
+      realm: ocp
+      credentialsSecretName: keycloak-group-sync
+      url: https://keycloak-keycloak-operator.apps.openshift.com
+      caSecretRef:
+        name: keycloak-certs
+        key: tls.crt
+```
+
+
+## Scheduled Execution
+
+A cron style expression can be specified for which a synchronization event will occur. The following specifies that a synchronization should occur nightly at 3AM
+
+
+```shell
+apiVersion: redhatcop.redhat.io/v1alpha1
+kind: GroupSync
+metadata:
+  name: keycloak-groupsync
+  namespace: group-sync-operator
+spec:
+  schedule: "0 3 * * *"
+  providers:
+  - ...
+```
 
+If a schedule is not provided, synchronization will occur only when the object is reconciled by the platform.
 
 
 ## Local Development
@@ -110,3 +205,4 @@ Using the [operator-sdk](https://github.com/operator-framework/operator-sdk), ru
 ```shell
 oc apply -f deploy/crds/redhatcop.redhat.io_groupsyncs_crd.yaml
 OPERATOR_NAME='group-sync-operator' operator-sdk run --local --watch-namespace ""
+```
@@ -37,9 +37,55 @@ spec:
               items:
                 description: Provider represents the container for a single provider
                 properties:
+                  github:
+                    description: GitHubProvider represents integration with GitHub
+                    properties:
+                      caSecretRef:
+                        description: SecretRef represents a reference to an item within
+                          a Secret
+                        properties:
+                          key:
+                            type: string
+                          name:
+                            type: string
+                        required:
+                        - name
+                        type: object
+                      credentialsSecretName:
+                        type: string
+                      insecure:
+                        type: boolean
+                      organization:
+                        type: string
+                      teams:
+                        items:
+                          type: string
+                        type: array
+                      url:
+                        type: string
+                    required:
+                    - credentialsSecretName
+                    type: object
                   keycloak:
                     description: KeycloakProvider represents integration with Keycloak
                     properties:
+                      caSecretRef:
+                        description: SecretRef represents a reference to an item within
+                          a Secret
+                        properties:
+                          key:
+                            type: string
+                          name:
+                            type: string
+                        required:
+                        - name
+                        type: object
+                      credentialsSecretName:
+                        type: string
+                      groups:
+                        items:
+                          type: string
+                        type: array
                       insecure:
                         type: boolean
                       loginRealm:
@@ -51,13 +97,11 @@ spec:
                         - one
                         - sub
                         type: string
-                      secretName:
-                        type: string
                       url:
                         type: string
                     required:
+                    - credentialsSecretName
                     - realm
-                    - secretName
                     - url
                     type: object
                   name:
@@ -66,8 +110,8 @@ spec:
                 - name
                 type: object
               type: array
-            resyncPeriodMinutes:
-              type: integer
+            schedule:
+              type: string
           type: object
         status:
           description: GroupSyncStatus defines the observed state of GroupSync
 
@@ -0,0 +1,10 @@
+apiVersion: redhatcop.redhat.io/v1alpha1
+kind: GroupSync
+metadata:
+  name: github-groupsync
+spec:
+  providers:
+    - name: github
+      github:
+        credentialsSecretName: github-group-sync
+        organization: myorg
@@ -6,7 +6,6 @@ spec:
   providers:
     - name: keycloak
       keycloak:
-        insecure: true
         realm: ocp
-        url: "https://keycloak-keycloak-operator.apps.cluster-a8b1.a8b1.example.opentlc.com"
-        secretName: keycloak-group-sync
+        url: "https://keycloak-keycloak-operator.apps.openshift.com"
+        credentialsSecretName: keycloak-group-sync
@@ -4,10 +4,15 @@ go 1.13
 
 require (
 	github.com/Nerzal/gocloak/v5 v5.1.0
+	github.com/google/go-github v17.0.0+incompatible
+	github.com/google/go-github/v31 v31.0.0
 	github.com/openshift/api v3.9.1-0.20190924102528-32369d4db2ad+incompatible
 	github.com/operator-framework/operator-sdk v0.16.0
 	github.com/redhat-cop/operator-utils v0.2.1
+	github.com/robfig/cron/v3 v3.0.1
 	github.com/spf13/pflag v1.0.5
+	golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45
+	google.golang.org/appengine v1.6.5
 	k8s.io/api v0.17.4
 	k8s.io/apimachinery v0.17.4
 	k8s.io/client-go v12.0.0+incompatible
 
@@ -23,7 +23,7 @@ type GroupSyncSpec struct {
 	// +patchStrategy=merge,retainKeys
 	Providers []Provider `json:"providers,omitempty" patchStrategy:"merge,retainKeys" patchMergeKey:"name" protobuf:"bytes,1,rep,name=providers"`
 
-	ResyncPeriodMinutes *int `json:"resyncPeriodMinutes,omitempty"`
+	Schedule string `json:"schedule,omitempty"`
 }
 
 // GroupSyncStatus defines the observed state of GroupSync
@@ -63,17 +63,36 @@ type Provider struct {
 // ProviderType represents the provider to synchronize against
 type ProviderType struct {
 	Keycloak *KeycloakProvider `json:"keycloak,omitempty"`
+	GitHub   *GitHubProvider   `json:"github,omitempty"`
 }
 
 // KeycloakProvider represents integration with Keycloak
 type KeycloakProvider struct {
-	URL        string `json:"url"`
-	LoginRealm string `json:"loginRealm,omitempty"`
-	Realm      string `json:"realm"`
-	SecretName string `json:"secretName"`
-	Insecure   bool   `json:"insecure,omitempty"`
+	CaSecretRef           *SecretRef `json:"caSecretRef,omitempty"`
+	CredentialsSecretName string     `json:"credentialsSecretName"`
+	Groups                []string   `json:"groups,omitempty"`
+	Insecure              bool       `json:"insecure,omitempty"`
+	LoginRealm            string     `json:"loginRealm,omitempty"`
+	Realm                 string     `json:"realm"`
 	// +kubebuilder:validation:Enum=one;sub
 	Scope SyncScope `json:"scope,omitempty"`
+	URL   string    `json:"url"`
+}
+
+// GitHubProvider represents integration with GitHub
+type GitHubProvider struct {
+	CaSecretRef           *SecretRef `json:"caSecretRef,omitempty"`
+	CredentialsSecretName string     `json:"credentialsSecretName"`
+	Insecure              bool       `json:"insecure,omitempty"`
+	Organization          string     `json:"organization,omitempty"`
+	Teams                 []string   `json:"teams,omitempty"`
+	URL                   *string    `json:"url,omitempty"`
+}
+
+// SecretRef represents a reference to an item within a Secret
+type SecretRef struct {
+	Name string `json:"name"`
+	Key  string `json:"key,omitempty"`
 }
 
 func (s *GroupSync) GetReconcileStatus() status.Conditions {