Motivation
E2E tests verify the complete operator lifecycle against a real lldap instance in a real Kubernetes cluster (k3d). They catch integration issues that unit tests cannot.
Definition of Done
- The E2E test suite covers:
- User lifecycle: create LldapUser CRD -> verify user exists in lldap -> update CRD -> verify changes propagate -> delete CRD -> verify user removed.
- Group lifecycle: same as above for LldapGroup.
- Membership lifecycle: create user + group + membership -> verify membership in lldap -> delete membership -> verify removed.
- Attribute schema lifecycle: create LldapAttributeSchema -> create user with that attribute -> verify in lldap -> delete schema -> verify removed.
- Password management: create user with
Manage policy -> verify login works -> change Secret -> verify new password works.
- Built-in groups: verify virtual CRDs are created on startup -> create membership to lldap_admin -> verify user is admin.
- Restart resilience: operator restarts -> verify no duplicate create/update calls to lldap (check lldap logs or state).
- Error handling: missing Secret -> verify condition reflects error -> create Secret -> verify reconciliation recovers.
- Ordering: create membership before user/group exist -> verify pending state -> create user/group -> verify membership resolves.
- Deletion ordering: delete user while memberships exist -> verify cleanup succeeds without orphaned state.
- Tests run in CI via GitHub Actions (k3d cluster).
- Tests are idempotent and can be re-run without manual cleanup.
- Each test run uses a unique namespace (e.g.,
e2e-<random-suffix>) to enable concurrent CI runs (multiple PRs) without collision. The namespace is cleaned up after the test run.
- Documentation: The Development Guide chapter documents how to run E2E tests locally (prerequisites, k3d setup, commands).
Technical Details
- Test framework: Rust integration tests using
kube client to apply/delete resources and reqwest to query lldap directly for verification.
- Alternatively: shell-based tests using
kubectl and curl for simplicity.
- lldap test instance: deployed via the existing
tests/e2e/fixtures/lldap- deployment.yaml.
- Operator image: built locally, imported into k3d via
k3d image import.
- Each test case should use unique usernames/group names to avoid interference.
- Timeout assertions: use
kubectl wait --for=condition=Ready with a timeout.
- Verification against lldap: use the GraphQL API directly (authenticate as admin, query for users/groups).
Motivation
E2E tests verify the complete operator lifecycle against a real lldap instance in a real Kubernetes cluster (k3d). They catch integration issues that unit tests cannot.
Definition of Done
Managepolicy -> verify login works -> change Secret -> verify new password works.e2e-<random-suffix>) to enable concurrent CI runs (multiple PRs) without collision. The namespace is cleaned up after the test run.Technical Details
kubeclient to apply/delete resources andreqwestto query lldap directly for verification.kubectlandcurlfor simplicity.tests/e2e/fixtures/lldap- deployment.yaml.k3d image import.kubectl wait --for=condition=Readywith a timeout.