Expand Up @@ -15,4 +15,4 @@ spec:
verification:
server:
caCert:
secretClass: openldap-tls
secretClass: openldap-tls # <4>
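Review bot: `# <4>` assumes callouts `<1>` through `<3>` already appear earlier in this YAML in the same `# <n>` comment form and are numbered consecutively; the hunk only covers lines 15 to 18, so verify that, otherwise Asciidoctor will not pair this marker with the new `<4>` entry added to the .adoc callout list.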
11 changes: 11 additions & 0 deletions modules/tutorials/pages/authentication_with_openldap.adoc
Expand Up @@ -120,10 +120,21 @@ include::example$ldap-auth/ldap-authenticationclass.yaml[]
<1> The name of the AuthenticationClass, which needs to be referenced later
<2> The hostname in this case is the Service at which the OpenLDAP is running, inside of Kubernetes.
<3> Here the SecretClass name is referenced
<4> A SecretClass used to verify the LDAP server's TLS certificate, see below.

// [source,bash]
// include::example$ldap-auth/30-install-openldap.sh[tag=apply-ldap-authenticationclass]

The AuthenticationClass connects to LDAP over TLS (port `1636`) and verifies the server's certificate against the CA provided by the `openldap-tls` SecretClass.
You did not have to create that SecretClass: the `tutorial-openldap` stack created it for you.
It uses the `autoTls` backend with `autoGenerate: true`, so the Secret Operator generates its own certificate authority and uses it both to issue OpenLDAP's server certificate and to let the products verify that certificate.
This works because the Secret Operator owns the CA, including its private key, from end to end.

Connecting to a *real* LDAP server is different: you do not control the server's certificate and usually only have its CA certificate, not the CA's private key.
In that case you create the SecretClass yourself using the `k8sSearch` backend, which simply makes the existing CA certificate available to the products.
A SecretClass used only for server verification needs nothing but the CA certificate; it does not need a key.
See xref:concepts:tls-server-verification.adoc[] for a complete, copy-pasteable example.

Remember the name of the AuthenticationClass (`openldap`), you will use it in the next steps when configuring the products.

[#superset]
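Review bot: the `<3>` callout text, "Here the SecretClass name is referenced", is now ambiguous because the new `<4>` also marks a SecretClass reference; say what the `<3>` SecretClass is used for so readers can tell the two apart. In the new paragraph, "it does not need a key" should read "it does not need the CA's private key": a reader setting up the `k8sSearch` variant will also be wondering which data key inside the Kubernetes Secret the CA certificate must be stored under, and the current wording can be read as answering that question. Also, port `1636` is hard-coded in the prose, so keep it in sync with the included YAML example or point at the `port` field there instead.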