You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The LldapMembership CRD represents a single user-to-group edge. This granular design is Kyverno-friendly and allows fine-grained RBAC over who can assign users to groups.
Definition of Done
On Apply:
Resolve the userName field to the lldap user ID (lookup via LldapUser CRD status or query lldap directly).
Resolve the groupName field to the lldap group ID (lookup via LldapGroup CRD status).
If both exist: call addUserToGroup(userId, groupId). This is idempotent in lldap (adding an existing membership is a no-op).
If either doesn't exist yet: set condition Pending with a message, requeue after 10s. This handles ordering issues where the membership is created before the user or group.
Update status with conditions and observedGeneration.
On Cleanup:
Call removeUserFromGroup(userId, groupId).
If the user or group no longer exists in lldap, treat as success.
Edge cases:
User CRD deleted while membership still exists: membership reconciler detects user gone, cleanup succeeds trivially.
Group CRD deleted while membership still exists: same handling.
Membership for built-in group (e.g., assigning a user to lldap_admin): works normally since the virtual LldapGroup CRD provides the groupId.
Duplicate memberships: if two LldapMembership CRDs reference the same user- group pair (same namespace), the second one should detect the duplicate and set a Conflict condition with a message identifying the existing LldapMembership CRD. The lldap API call is idempotent, but deletion of either CRD would remove the membership for both.
Emit events for membership add/remove/error.
Documentation: Update the CRD Reference with LldapMembership usage. Add examples showing Kyverno integration patterns (e.g., auto-assign new users to a default group). Document dependency ordering behavior.
Resolution strategy: first try to read the referenced LldapUser/LldapGroup CRD in the same namespace and extract the lldap ID from its status. If the CRD exists but status has no ID yet (it hasn't been reconciled), requeue. If the CRD doesn't exist, set error condition.
The membership reconciler should watches() LldapUser and LldapGroup resources so that when a user/group is successfully reconciled (gets an ID), pending memberships are re-triggered.
lldap API note: addUserToGroup takes userId: String and groupId: Int. Despite the name, userId is the username string in lldap, not a numeric ID or UUID. removeUserFromGroup uses the same signature.
Motivation
The LldapMembership CRD represents a single user-to-group edge. This granular design is Kyverno-friendly and allows fine-grained RBAC over who can assign users to groups.
Definition of Done
Apply:userNamefield to the lldap user ID (lookup via LldapUser CRD status or query lldap directly).groupNamefield to the lldap group ID (lookup via LldapGroup CRD status).addUserToGroup(userId, groupId). This is idempotent in lldap (adding an existing membership is a no-op).Pendingwith a message, requeue after 10s. This handles ordering issues where the membership is created before the user or group.Cleanup:removeUserFromGroup(userId, groupId).Conflictcondition with a message identifying the existing LldapMembership CRD. The lldap API call is idempotent, but deletion of either CRD would remove the membership for both.Technical Details
lldap-operator.lukidoescode.com/membership-cleanupwatches()LldapUser and LldapGroup resources so that when a user/group is successfully reconciled (gets an ID), pending memberships are re-triggered.addUserToGrouptakesuserId: StringandgroupId: Int. Despite the name,userIdis the username string in lldap, not a numeric ID or UUID.removeUserFromGroupuses the same signature.