feat: watch AuthenticationConfig CM changes#46
Open
Zaggy21 wants to merge 22 commits into
Open
Conversation
4 tasks
There was a problem hiding this comment.
Pull request overview
Adds cross-cluster reconciliation for Shoot OIDC configuration by labeling referenced Greenhouse AuthenticationConfiguration ConfigMaps and watching them for changes, so matching Shoots are re-enqueued when the auth ConfigMap updates.
Changes:
- Label Greenhouse auth ConfigMaps on first interaction with
AuthConfigMapLabelandCareInstructionLabel. - Add a Greenhouse-cache-backed watch to the Shoot controller to re-enqueue matching Shoots on auth ConfigMap changes.
- Extend tests and update README documentation for the new labeling + watch behavior.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 6 comments.
Show a summary per file
| File | Description |
|---|---|
| controller/shoot/shoot_controller.go | Adds Greenhouse ConfigMap watch and re-enqueue mapping for Shoots. |
| controller/shoot/auth.go | Adds CareInstruction ownership labeling to the referenced Greenhouse auth ConfigMap. |
| controller/careinstruction/careinstruction_controller.go | Passes the Greenhouse manager into ShootController so it can watch Greenhouse resources. |
| controller/shoot/shoot_controller_test.go | Starts the Greenhouse manager in tests and adds watch-triggered reconciliation coverage. |
| README.md | Documents auth ConfigMap labeling + watch behavior and updates related references. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Adds cross-cluster watch support so changes to a labeled Greenhouse AuthenticationConfiguration ConfigMap trigger immediate re-reconciliation of affected Shoots, keeping Garden-side OIDC configuration up to date. It also ensures the referenced auth ConfigMap is labeled on first interaction to make the watch predicate work.
Changes:
- Label Greenhouse auth ConfigMaps with
authconfigmap=trueand the owningcareinstruction=<name>on first use (via merge-patch). - Add a Greenhouse-cache-backed watch in the Shoot controller to re-enqueue matching Shoots on auth ConfigMap changes.
- Extend controller tests and update README documentation for the labeling/watch behavior.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| controller/shoot/shoot_controller.go | Adds Greenhouse ConfigMap watch + enqueue mapping for watch-triggered reconciles. |
| controller/shoot/auth.go | Switches to merge-patching labels and adds CareInstruction ownership label logic. |
| controller/careinstruction/careinstruction_controller.go | Passes Greenhouse manager into ShootController to enable cross-cluster watches. |
| controller/shoot/shoot_controller_test.go | Starts Greenhouse manager/cache for tests and adds watch-triggered reconciliation coverage. |
| api/v1alpha1/careinstruction_types.go | Unifies auth ConfigMap label key under shoot-grafter.cloudoperators.dev. |
| README.md | Documents labeling + watch behavior and updates OIDC doc link. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
This PR improves OIDC AuthenticationConfiguration synchronization by labeling the referenced Greenhouse auth ConfigMap on first interaction and adding a Greenhouse-cache-backed watch that re-enqueues matching Shoots when that ConfigMap changes. It also standardizes the auth ConfigMap label key under the shoot-grafter.cloudoperators.dev prefix and updates docs/tests accordingly.
Changes:
- Add labeling of Greenhouse AuthenticationConfiguration ConfigMaps with
auth-configmap=trueand the owningcareinstructionlabel (using a merge patch). - Add a Greenhouse ConfigMap watch (via Greenhouse manager cache) to trigger immediate re-reconciliation of matching Shoots on auth CM updates.
- Update label key constant + README and extend tests to cover labeling and watch-triggered reconciliation.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| controller/shoot/shoot_controller.go | Adds cross-cluster ConfigMap watch and re-enqueue mapping for matching Shoots. |
| controller/shoot/auth.go | Switches to merge-patching labels and adds CareInstruction ownership labeling with conflict handling. |
| controller/shoot/shoot_controller_test.go | Starts/syncs Greenhouse manager cache and adds tests for labeling + watch-triggered reconciliation. |
| controller/careinstruction/careinstruction_controller.go | Wires Greenhouse manager into ShootController for cross-cluster watches. |
| api/v1alpha1/careinstruction_types.go | Updates the auth ConfigMap label key constant to the new .dev/auth-configmap value. |
| README.md | Documents new labeling/watch behavior and updates OIDC doc link + field description. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
This PR extends the Shoot controller to keep Garden-side OIDC authentication configuration in sync with a referenced Greenhouse AuthenticationConfiguration ConfigMap by (1) labeling the ConfigMap on first interaction and (2) reconciling Shoots when that labeled ConfigMap changes.
Changes:
- Add labeling of the referenced Greenhouse auth ConfigMap with both an “auth CM” label and an owning CareInstruction label.
- Add a cross-cluster watch (via the Greenhouse manager cache) that re-enqueues all matching Shoots when the labeled auth ConfigMap changes.
- Update the auth ConfigMap label key constant, tests, and README documentation accordingly.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| controller/shoot/shoot_controller.go | Adds Greenhouse cache-backed ConfigMap watch and re-enqueue mapping for auth ConfigMap changes. |
| controller/shoot/auth.go | Patches Greenhouse auth ConfigMap labels (auth + careinstruction) without overwriting data. |
| controller/careinstruction/careinstruction_controller.go | Passes the Greenhouse manager into the ShootController for cross-cluster watches. |
| api/v1alpha1/careinstruction_types.go | Renames the auth ConfigMap label key to the .dev/auth-configmap form. |
| controller/shoot/shoot_controller_test.go | Starts/syncs the Greenhouse manager cache in tests and adds watch-triggered reconciliation coverage. |
| README.md | Documents labeling + watch behavior and updates the referenced Greenhouse docs link. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
uwe-mayer
reviewed
Apr 30, 2026
| // GreenhouseMgr is passed so the ShootController can watch Greenhouse cluster resources (e.g. auth CMs). | ||
| sc := &shoot.ShootController{ | ||
| GreenhouseClient: r.Client, | ||
| GreenhouseMgr: r.Manager, |
Contributor
There was a problem hiding this comment.
I am not super convinced that watching resources on two different Clusters is the way to go here.
I would opt to actually watch the CM changes in the CareInstruction controller for separation of concerns.
That would involve:
- Adding a watch on the auth CM
- Maintaining in-memory status of CM for shoot-controller restart
Looping in @abhijith-darshan for his opinion
Zaggy21
force-pushed
the
feat/watch-authenticationconfig-cm-changes
branch
2 times, most recently
from
7d85659 to
4193706
Compare
…enhouse auth CM changes On-behalf-of: @SAP krzysztof.zagorski@sap.com Signed-off-by: Zaggy21 <k.zaggy@gmail.com>
…iggered reconciliation On-behalf-of: @SAP krzysztof.zagorski@sap.com Signed-off-by: Zaggy21 <k.zaggy@gmail.com>
On-behalf-of: @SAP krzysztof.zagorski@sap.com Signed-off-by: Zaggy21 <k.zaggy@gmail.com>
* feat: trigger Shoot reconciliation on OIDC ConfigMap updates On-behalf-of: @SAP krzysztof.zagorski@sap.com * simplify the conditions for triggering shoot reconciliation On-behalf-of: @SAP krzysztof.zagorski@sap.com * update docs On-behalf-of: @SAP krzysztof.zagorski@sap.com * add bin to gitignore, remove invalid G118 from gosec excludes, regenerate files On-behalf-of: @SAP krzysztof.zagorski@sap.com * revert golangci config due to mismatch between CI and local version On-behalf-of: @SAP krzysztof.zagorski@sap.com * update go to 1.26.0 On-behalf-of: @SAP krzysztof.zagorski@sap.com * update project with go-makefile-maker On-behalf-of: @SAP krzysztof.zagorski@sap.com Signed-off-by: Zaggy21 <k.zaggy@gmail.com>
On-behalf-of: @SAP krzysztof.zagorski@sap.com Signed-off-by: Zaggy21 <k.zaggy@gmail.com>
On-behalf-of: @SAP krzysztof.zagorski@sap.com Signed-off-by: Zaggy21 <k.zaggy@gmail.com>
On-behalf-of: @SAP krzysztof.zagorski@sap.com Signed-off-by: Zaggy21 <k.zaggy@gmail.com>
On-behalf-of: @SAP krzysztof.zagorski@sap.com Signed-off-by: Zaggy21 <k.zaggy@gmail.com>
On-behalf-of: @SAP krzysztof.zagorski@sap.com Signed-off-by: Zaggy21 <k.zaggy@gmail.com>
On-behalf-of: @SAP krzysztof.zagorski@sap.com Signed-off-by: Zaggy21 <k.zaggy@gmail.com>
…auth-configmap On-behalf-of: @SAP krzysztof.zagorski@sap.com Signed-off-by: Zaggy21 <k.zaggy@gmail.com>
…nager context in tests On-behalf-of: @SAP krzysztof.zagorski@sap.com Signed-off-by: Zaggy21 <k.zaggy@gmail.com>
Zaggy21
force-pushed
the
feat/watch-authenticationconfig-cm-changes
branch
from
4193706 to
1807100
Compare
On-behalf-of: @SAP krzysztof.zagorski@sap.com Signed-off-by: Zaggy21 <k.zaggy@gmail.com>
On-behalf-of: @SAP krzysztof.zagorski@sap.com Signed-off-by: Zaggy21 <k.zaggy@gmail.com>
On-behalf-of: @SAP krzysztof.zagorski@sap.com Signed-off-by: Zaggy21 <k.zaggy@gmail.com>
On-behalf-of: @SAP krzysztof.zagorski@sap.com Signed-off-by: Zaggy21 <k.zaggy@gmail.com>
On-behalf-of: @SAP krzysztof.zagorski@sap.com Signed-off-by: Zaggy21 <k.zaggy@gmail.com>
…e events, fix fetchAuthConfigMapData NotFound contract On-behalf-of: @SAP krzysztof.zagorski@sap.com Signed-off-by: Zaggy21 <k.zaggy@gmail.com>
Merging this branch will not change overall coverage
Coverage by fileChanged files (no unit tests)
Please note that the "Total", "Covered", and "Missed" counts above refer to code statements instead of lines of code. The value in brackets refers to the test coverage of that file in the old version of the code. Changed unit test files
|
Comment on lines
+33
to
+36
| if r.AuthConfigMapData == nil || r.AuthConfigMapData[authConfigKey] == "" { | ||
| return fmt.Errorf("AuthenticationConfiguration ConfigMap %s does not contain config.yaml (data not available)", | ||
| r.CareInstruction.Spec.AuthenticationConfigMapName) | ||
| } |
| // Fetch the current auth ConfigMap data so we can detect changes and pass it to the ShootController. | ||
| currentAuthCMData, authCMErr := r.fetchAuthConfigMapData(ctx, &careInstruction) | ||
| if authCMErr != nil { | ||
| r.Info("failed to fetch auth ConfigMap data, will proceed without it", "error", authCMErr) |
Comment on lines
35
to
40
| // CareInstructionLabel is the label used to identify resources created by this CareInstruction. | ||
| CareInstructionLabel = "shoot-grafter.cloudoperators.dev/careinstruction" | ||
|
|
||
| // AuthConfigMapLabel is the label used to identify AuthenticationConfiguration ConfigMaps | ||
| AuthConfigMapLabel = "shoot-grafter.cloudoperators/authconfigmap" | ||
| AuthConfigMapLabel = "shoot-grafter.cloudoperators.dev/auth-configmap" | ||
|
|
Comment on lines
+91
to
+99
| // Watch auth ConfigMaps on the Greenhouse cluster. When their Data changes, re-enqueue the owning | ||
| // CareInstruction so reconcileManager detects the change and restarts the ShootController with | ||
| // the updated CM data. | ||
| Watches(&corev1.ConfigMap{}, handler.EnqueueRequestsFromMapFunc(r.enqueueCareInstructionForAuthConfigMap), | ||
| builder.WithPredicates( | ||
| clientutil.PredicateHasLabel(v1alpha1.AuthConfigMapLabel), | ||
| authCMDataChangedPredicate, | ||
| ), | ||
| ). |
Comment on lines
2052
to
2056
| It("should annotate Shoot with gardener.cloud/operation=reconcile when ConfigMap content changes", func() { | ||
| // Create Greenhouse auth ConfigMap | ||
| greenhouseAuthCM := &corev1.ConfigMap{ | ||
| ObjectMeta: metav1.ObjectMeta{ | ||
| Name: "greenhouse-oidc-config", | ||
| Namespace: "default", | ||
| }, | ||
| Data: map[string]string{ | ||
| "config.yaml": `apiVersion: apiserver.config.k8s.io/v1beta1 | ||
| kind: AuthenticationConfiguration | ||
| jwt: | ||
| - issuer: | ||
| url: https://greenhouse.example.com | ||
| audiences: | ||
| - greenhouse | ||
| claimMappings: | ||
| username: | ||
| claim: sub | ||
| prefix: 'greenhouse:' | ||
| `, | ||
| }, | ||
| } | ||
| Expect(test.K8sClient.Create(test.Ctx, greenhouseAuthCM)).To(Succeed(), "should create Greenhouse auth ConfigMap") | ||
| // Note: the Greenhouse auth ConfigMap was created in BeforeEach. | ||
|
|
||
| // Create a shoot that ALREADY has the OIDC ConfigMap reference | ||
| shoot := &gardenerv1beta1.Shoot{ |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR adds auth ConfigMap awareness and moves the watch responsibility to the CareInstruction controller so the ShootController only watches resources on the Garden cluster.
1. Auth CM labeling on first interaction
When
authenticationConfigMapNameis configured, the shoot controller labels the referenced Greenhouse ConfigMap with:shoot-grafter.cloudoperators.dev/auth-configmap: "true"— marks it as an auth CMshoot-grafter.cloudoperators.dev/careinstruction: <ci-name>— associates it with the owning CareInstruction2. Watch-triggered reconciliation (moved to CareInstruction controller)
The CareInstruction controller now watches labeled auth ConfigMaps on the Greenhouse cluster. When an auth CM's data changes, the owning CareInstruction is re-enqueued, which detects the data change and restarts the ShootController with the updated config. This keeps the Garden-side OIDC configuration in sync without requiring the ShootController to watch resources on two clusters.
3. In-memory auth CM data
The auth ConfigMap data is passed in-memory from the CareInstruction controller to the ShootController via
AuthConfigMapData. The ShootController no longer fetches the auth CM from the Greenhouse cluster directly.