You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Users declare passwords via Kubernetes Secret references. The operator must detect when a Secret's content changes and re-apply the password to lldap.
Definition of Done
The user reconciler controller watches Secrets cluster-wide. Note: unlike CRDs, Secrets cannot be filtered by the instance label — the watcher sees ALL Secrets. The mapper function filters relevant ones by cross-referencing against known LldapUser CRDs. Consider RBAC implications: the operator's ClusterRole requires get, list, watch on Secrets across all namespaces.
When a Secret changes, the mapper function identifies all LldapUser resources in the same namespace whose passwordSecretRef.name matches the changed Secret.
Those LldapUsers are enqueued for reconciliation.
The reconciler applies the hash-based password change detection mechanism defined in Ticket User Reconciler #11's Technical Details.
If the hash differs: apply password via OPAQUE protocol, update status.passwordHash.
If Secret is deleted: set condition SecretNotFound, do NOT delete the user from lldap.
If Secret key is missing: set condition SecretKeyNotFound.
Documentation: Update the Password Management chapter with details on how Secret rotation triggers password updates. Document the hash-based change detection mechanism and its limitations.
Technical Details
Controller::watches() on Api<Secret> with a mapper closure.
The mapper needs to list LldapUser resources in the Secret's namespace and filter by spec.passwordSecretRef.name. This can be done via the kube API (list with field selector) or by maintaining an in-memory index in the Context.
In-memory index approach: maintain a HashMap<(Namespace, SecretName), Vec<UserCrdName>> updated on every user reconcile. More efficient than API calls in the mapper.
Password hash: SHA-256 hex string stored in status.passwordHash. This is not a security-sensitive field (the actual password is in the Secret, the hash just enables change detection).
Motivation
Users declare passwords via Kubernetes Secret references. The operator must detect when a Secret's content changes and re-apply the password to lldap.
Definition of Done
get,list,watchon Secrets across all namespaces.passwordSecretRef.namematches the changed Secret.status.passwordHash.SecretNotFound, do NOT delete the user from lldap.SecretKeyNotFound.Technical Details
Controller::watches()onApi<Secret>with a mapper closure.spec.passwordSecretRef.name. This can be done via the kube API (list with field selector) or by maintaining an in-memory index in the Context.HashMap<(Namespace, SecretName), Vec<UserCrdName>>updated on every user reconcile. More efficient than API calls in the mapper.status.passwordHash. This is not a security-sensitive field (the actual password is in the Secret, the hash just enables change detection).