feat: watch AuthenticationConfig CM changes

.github/renovate.json

@@ -3,8 +3,8 @@
   "extends": [
     "config:recommended",
     "default:pinDigestsDisabled",
-    "mergeConfidence:all-badges",
-    "docker:disable"
+    "docker:pinDigests",
+    "mergeConfidence:all-badges"
   ],
   "assignees": [
     "@cloudoperators/greenhouse-backend"
@@ -58,6 +58,15 @@
       ],
       "dependencyDashboardApproval": true
     },
+    {
+      "matchFileNames": [
+        ".github/workflows/checks.yaml",
+        ".github/workflows/ci.yaml",
+        ".github/workflows/codeql.yaml",
+        ".github/workflows/container-registry-ghcr.yaml"
+      ],
+      "enabled": false
+    },
     {
       "matchPackageNames": [
         "/^k8s.io\\//"

.github/workflows/checks.yaml

@@ -24,33 +24,29 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out code
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        with:
+          persist-credentials: false
       - name: Set up Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
         with:
           check-latest: true
-          go-version: 1.26.3
+          go-version: 1.26.4
       - name: Run golangci-lint
-        uses: golangci/golangci-lint-action@v9
+        uses: golangci/golangci-lint-action@82606bf257cbaff209d206a39f5134f0cfbfd2ee # v9
         with:
-          version: latest
+          version: v2.12.2
       - name: Delete pre-installed shellcheck
         run: sudo rm -f "$(which shellcheck)"
       - name: Run shellcheck
         run: make run-shellcheck
       - name: Dependency Licenses Review
         run: make check-dependency-licenses
       - name: Check for spelling errors
-        uses: crate-ci/typos@v1
+        uses: crate-ci/typos@37bb98842b0d8c4ffebdb75301a13db0267cef89 # v1
         env:
           CLICOLOR: "1"
-      - name: Delete typos binary
-        run: rm -f typos
       - name: Check if source code files have license header
         run: make check-addlicense
       - name: REUSE Compliance Check
-        uses: fsfe/reuse-action@v6
-      - name: Install govulncheck
-        run: go install golang.org/x/vuln/cmd/govulncheck@latest
-      - name: Run govulncheck
-        run: govulncheck -format text ./...
+        uses: fsfe/reuse-action@676e2d560c9a403aa252096d99fcab3e1132b0f5 # v6

.github/workflows/ci.yaml

@@ -27,12 +27,14 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out code
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        with:
+          persist-credentials: false
       - name: Set up Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
         with:
           check-latest: true
-          go-version: 1.26.3
+          go-version: 1.26.4
       - name: Build all binaries
         run: make build-all
   code_coverage:
@@ -43,12 +45,15 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out code
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        with:
+          persist-credentials: false
       - name: Post coverage report
-        uses: fgrosse/go-coverage-report@v1.3.0
+        uses: fgrosse/go-coverage-report@cbeb2ab2e32591d690337146ba02a911cc566f3f # v1.3.0
         with:
           coverage-artifact-name: code-coverage
           coverage-file-name: cover.out
+          root-package: shoot-grafter
     permissions:
       actions: read
       contents: read
@@ -60,16 +65,18 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out code
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        with:
+          persist-credentials: false
       - name: Set up Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
         with:
           check-latest: true
-          go-version: 1.26.3
+          go-version: 1.26.4
       - name: Run tests and generate coverage report
         run: make test-with-envtest
       - name: Archive code coverage results
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         with:
           name: code-coverage
           path: build/cover.out

.github/workflows/codeql.yaml

@@ -27,18 +27,20 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out code
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        with:
+          persist-credentials: false
       - name: Set up Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
         with:
           check-latest: true
-          go-version: 1.26.3
+          go-version: 1.26.4
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v4
+        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
         with:
           languages: go
           queries: security-extended
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v4
+        uses: github/codeql-action/autobuild@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v4
+        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4

.github/workflows/container-registry-ghcr.yaml

@@ -23,16 +23,18 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out code
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        with:
+          persist-credentials: false
       - name: Log in to the Container registry
-        uses: docker/login-action@v4
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
         with:
           password: ${{ secrets.GITHUB_TOKEN }}
           registry: ghcr.io
           username: ${{ github.actor }}
       - name: Extract metadata (tags, labels) for Docker
         id: meta
-        uses: docker/metadata-action@v6
+        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6
         with:
           images: ghcr.io/${{ github.repository }}
           tags: |
@@ -45,11 +47,11 @@ jobs:
             # https://github.com/docker/metadata-action#typesha
             type=sha,format=long
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v4
+        uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
       - name: Build and push Docker image
-        uses: docker/build-push-action@v7
+        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7
         with:
           context: .
           labels: ${{ steps.meta.outputs.labels }}

.gitignore

@@ -1,3 +1,4 @@
 .vscode
+.claude
 /bin/
 /build/

Makefile

@@ -61,10 +61,10 @@ prepare-static-check: FORCE install-goimports install-golangci-lint install-shel
 # To add additional flags or values (before the default ones), specify the variable in the environment, e.g. `GO_BUILDFLAGS='-tags experimental' make`.
 # To override the default flags or values, specify the variable on the command line, e.g. `make GO_BUILDFLAGS='-tags experimental'`.
 GO_BUILDFLAGS +=
-GO_LDFLAGS +=
-GO_TESTFLAGS +=
-GO_TESTENV +=
-GO_BUILDENV +=
+GO_LDFLAGS    +=
+GO_TESTFLAGS  +=
+GO_TESTENV    +=
+GO_BUILDENV   +=
 
 build-all: build/shoot-grafter
 

Makefile.maker.yaml

@@ -6,7 +6,6 @@
 # NOTE: After running go-makefile-maker, manually apply these changes:
 # 1. Add 'branches: [main]' to container-registry-ghcr.yaml for main branch builds
 # 2. Change 'make build/cover.out' to 'make test-with-envtest' in ci.yaml for envtest support
-# 3. Change 'rm typos' to 'rm -f typos' in checks.yaml
 
 metadata:
   url: https://github.com/cloudoperators/shoot-grafter

README.md

@@ -148,6 +148,8 @@ For each CareInstruction, a dedicated Shoot controller is dynamically created an
 - Optionally configures OIDC authentication on Shoot clusters for Greenhouse access. Also see respective [Greenhouse docs](https://cloudoperators.github.io/greenhouse/docs/user-guides/cluster/oidc_connectivity/) and [Gardener docs](https://gardener.cloud/docs/guides/administer-shoots/oidc-login/#configure-the-shoot-cluster)
 - Optionally configures RBAC on the Shoot cluster for Greenhouse access
 
+> **Auth ConfigMap labeling & watch**: When `authenticationConfigMapName` is set, the shoot controller labels the referenced Greenhouse ConfigMap with `shoot-grafter.cloudoperators.dev/auth-configmap: "true"` on first interaction. The CareInstruction controller watches these labeled ConfigMaps; when the data changes, all CareInstructions referencing that ConfigMap are re-enqueued. Each stamps `shoot-grafter.cloudoperators.dev/auth-cm-revision` on its matching Shoots, triggering the ShootController to re-run OIDC configuration with the updated data. Multiple CareInstructions may reference the same ConfigMap.
+
 ## Custom Resource: CareInstruction
 
 A `CareInstruction` defines the configuration for onboarding Shoots from a specific Garden cluster.
@@ -208,7 +210,7 @@ spec:
 | `shootSelector.expression` | string | No | CEL expression for filtering shoots by status or other fields (max 1024 chars). The shoot object is available as `object` |
 | `propagateLabels` | []string | No | List of label keys to copy from Shoot to Greenhouse Cluster |
 | `additionalLabels` | map[string]string | No | Additional labels to add to all created Greenhouse Clusters |
-| `authenticationConfigMapName` | string | No | Name of ConfigMap in Greenhouse cluster containing AuthenticationConfiguration [(config.yaml with apiserver.config.k8s.io/v1beta1 content)](https://gardener.cloud/docs/guides/administer-shoots/oidc-login/#configure-the-shoot-cluster)|
+| `authenticationConfigMapName` | string | No | Name of ConfigMap in Greenhouse cluster containing AuthenticationConfiguration [(config.yaml with apiserver.config.k8s.io/v1beta1 content)](https://gardener.cloud/docs/guides/administer-shoots/oidc-login/#configure-the-shoot-cluster). Multiple CareInstructions may share the same ConfigMap. |
 | `enableRBAC` | bool | No | When false, skips automatic RBAC setup on Shoot clusters (default: true‚) |
 
 *Note: Either `gardenClusterName` or `gardenClusterKubeConfigSecretName` must be provided (priority: kubeconfig secret > cluster name)

REUSE.toml

@@ -11,6 +11,7 @@ path = [
   ".gitignore",
   ".license-scan-overrides.jsonl",
   ".license-scan-rules.json",
+  "build/**/*",
 ]
 SPDX-FileCopyrightText = "SAP SE or an SAP affiliate company"
 SPDX-License-Identifier = "Apache-2.0"
@@ -20,6 +21,7 @@ path = [
   "go.mod",
   "go.sum",
   "Makefile.maker.yaml",
+  "vendor/modules.txt",
 ]
 SPDX-FileCopyrightText = "SAP SE or an SAP affiliate company and Greenhouse contributors"
 SPDX-License-Identifier = "Apache-2.0"

api/v1alpha1/careinstruction_types.go

@@ -29,14 +29,21 @@ const (
 	// ShootsReconciledCondition indicates that the shoots targeted by this CareInstruction have been reconciled.
 	ShootsReconciledCondition greenhousemetav1alpha1.ConditionType = "ShootsReconciled"
 
+	// AuthCMFoundCondition indicates that the auth ConfigMap referenced by this CareInstruction was found and is readable.
+	// Only set when authenticationConfigMapName is configured.
+	AuthCMFoundCondition greenhousemetav1alpha1.ConditionType = "AuthCMFound"
+
 	// CommonCleanupFinalizer is the finalizer used to clean up resources when a CareInstruction is deleted.
 	CommonCleanupFinalizer = "shoot-grafter.cloudoperators.dev/finalizer"
 
 	// CareInstructionLabel is the label used to identify resources created by this CareInstruction.
 	CareInstructionLabel = "shoot-grafter.cloudoperators.dev/careinstruction"
 
 	// AuthConfigMapLabel is the label used to identify AuthenticationConfiguration ConfigMaps
-	AuthConfigMapLabel = "shoot-grafter.cloudoperators/authconfigmap"
+	AuthConfigMapLabel = "shoot-grafter.cloudoperators.dev/auth-configmap"
+
+	// AuthCMRevisionAnnotation is set on Shoots to trigger re-reconciliation when the Greenhouse auth ConfigMap changes.
+	AuthCMRevisionAnnotation = "shoot-grafter.cloudoperators.dev/auth-cm-revision"
 
 	// ShootStatusOnboarded indicates the shoot has been onboarded as a Greenhouse Cluster.
 	ShootStatusOnboarded = "Onboarded"

config/rbac/role.yaml

@@ -15,6 +15,7 @@ rules:
   verbs:
   - get
   - list
+  - patch
   - update
   - watch
 - apiGroups: