Skip to content

Secret Watching and Password Change Detection #12

Description

@lukidoescode

Motivation

Users declare passwords via Kubernetes Secret references. The operator must detect when a Secret's content changes and re-apply the password to lldap.

Definition of Done

  • The user reconciler controller watches Secrets cluster-wide. Note: unlike CRDs, Secrets cannot be filtered by the instance label — the watcher sees ALL Secrets. The mapper function filters relevant ones by cross-referencing against known LldapUser CRDs. Consider RBAC implications: the operator's ClusterRole requires get, list, watch on Secrets across all namespaces.
  • When a Secret changes, the mapper function identifies all LldapUser resources in the same namespace whose passwordSecretRef.name matches the changed Secret.
  • Those LldapUsers are enqueued for reconciliation.
  • The reconciler applies the hash-based password change detection mechanism defined in Ticket User Reconciler #11's Technical Details.
  • If the hash differs: apply password via OPAQUE protocol, update status.passwordHash.
  • If Secret is deleted: set condition SecretNotFound, do NOT delete the user from lldap.
  • If Secret key is missing: set condition SecretKeyNotFound.
  • Documentation: Update the Password Management chapter with details on how Secret rotation triggers password updates. Document the hash-based change detection mechanism and its limitations.

Technical Details

  • Controller::watches() on Api<Secret> with a mapper closure.
  • The mapper needs to list LldapUser resources in the Secret's namespace and filter by spec.passwordSecretRef.name. This can be done via the kube API (list with field selector) or by maintaining an in-memory index in the Context.
  • In-memory index approach: maintain a HashMap<(Namespace, SecretName), Vec<UserCrdName>> updated on every user reconcile. More efficient than API calls in the mapper.
  • Password hash: SHA-256 hex string stored in status.passwordHash. This is not a security-sensitive field (the actual password is in the Secret, the hash just enables change detection).

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions