You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Deployment (with health/readiness probes). Strategy MUST be Recreate (hardcoded, not configurable) — two concurrent instances with the same instance label would corrupt state.
ServiceAccount + ClusterRole + ClusterRoleBinding
PodDisruptionBudget (optional)
Service (for metrics endpoint)
ServiceMonitor (optional, for Prometheus Operator)
CRD YAMLs are generated from the Rust crate (via crdgen binary) and stored in charts/lldap-operator/crds/.
The Deployment template includes a hardened securityContext: runAsNonRoot: true, readOnlyRootFilesystem: true, allowPrivilegeEscalation: false, capabilities: {drop: [ALL]}.
Default resource requests are set: cpu: 100m, memory: 64Mi (so clusters with LimitRanges don't reject the pod). Limits are configurable.
The lldap.credentialsSecret is mounted as a volume into the pod. The operator reads credentials from files rather than environment variables, enabling credential rotation without pod restart (see Ticket Operator Credential Rotation Handling #7). The expected Secret keys (username, password) and the mount path are documented in the values file and the Installation chapter.
Chart lints cleanly (helm lint).
Documentation: The Installation chapter is completed with step-by-step Helm install instructions, prerequisites, and a quickstart guide. The Multi- Instance Deployment chapter is filled in with examples of deploying multiple operators for different lldap instances. The Configuration Reference includes all Helm values with descriptions and defaults.
Technical Details
ClusterRole must include permissions for:
All four CRDs (get, list, watch, patch, update)
Status subresources of all four CRDs (get, patch, update)
Secrets (get, list, watch) — for password reading
Events (create, patch) — for event recording
Leases (get, create, update) — if leader election is added later
The operator needs cluster-wide watch permissions (ClusterRole) because it watches resources across namespaces (filtered by label).
Health probe: GET /healthz returns 200 if the controller is running.
Readiness probe: GET /readyz returns 200 if lldap is reachable and controllers are synced.
Motivation
The Helm chart must be production-ready, configurable, and support the multi- instance deployment pattern.
Definition of Done
lldap.url— lldap base URLlldap.credentialsSecret— Secret name with admin username/passwordlldap.instanceLabel— the instance label value this operator managesvirtualGroupNamespace— namespace for virtual built-in group CRDs (defaults to release namespace)metrics.enabled,metrics.port— Prometheus metrics toggleresources,nodeSelector,tolerations,affinity— standardpodDisruptionBudget.enabled,podDisruptionBudget.minAvailableserviceMonitor.enabled(for Prometheus Operator integration)Recreate(hardcoded, not configurable) — two concurrent instances with the same instance label would corrupt state.crdgenbinary) and stored incharts/lldap-operator/crds/.securityContext:runAsNonRoot: true,readOnlyRootFilesystem: true,allowPrivilegeEscalation: false,capabilities: {drop: [ALL]}.cpu: 100m,memory: 64Mi(so clusters with LimitRanges don't reject the pod). Limits are configurable.lldap.credentialsSecretis mounted as a volume into the pod. The operator reads credentials from files rather than environment variables, enabling credential rotation without pod restart (see Ticket Operator Credential Rotation Handling #7). The expected Secret keys (username,password) and the mount path are documented in the values file and the Installation chapter.helm lint).Technical Details
GET /healthzreturns 200 if the controller is running.GET /readyzreturns 200 if lldap is reachable and controllers are synced.