
Add multi shard adoptions #53

Merged
trevex merged 14 commits into main from chore/cleaner-export-path-handling on May 7, 2026

Conversation

@BergCyrill
Contributor

@BergCyrill BergCyrill commented May 7, 2026

We have merged the multi-shard adoptions to a staging branch just now, but also want these changes to be present on the main branch before creating a new release.

Summary by CodeRabbit

  • New Features

    • Added resource field to DependencyRule specification to enable better configuration of dependent resources.
  • Documentation

    • Expanded deployment guides with comprehensive multi-shard kcp-operator setup instructions.
    • Updated architecture documentation to reflect current webhook querying behavior and RBAC authorization patterns.
    • Enhanced E2E testing documentation with configurable shard deployment options (single-shard and multi-shard).
  • Chores

    • Improved E2E test infrastructure to support both single-shard and multi-shard Kubernetes deployments.

trevex and others added 14 commits April 28, 2026 21:58
…tring]string of workspace path to cluster name - no more deep-copy and field mutation.
…ce to alleviate the need for shard-level system:admin RBAC
…or webhook, granting kcp wide get/list access
Signed-off-by: Cyrill Berg <cyrill.berg@opendefense.cloud>
Signed-off-by: Cyrill Berg <cyrill.berg@opendefense.cloud>
@coderabbitai

coderabbitai Bot commented May 7, 2026


Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 47d21b77-ead0-441c-b192-53e19ae280de

📥 Commits

Reviewing files that changed from the base of the PR and between 0d792c6 and 67b5bfd.

📒 Files selected for processing (48)
  • .gitignore
  • Makefile
  • README.md
  • api/v1alpha1/types.go
  • api/v1alpha1/validation_test.go
  • charts/dependency-controller/files/apiexport-dependencies.opendefense.cloud.yaml
  • charts/dependency-controller/files/apiresourceschema-dependencyrules.dependencies.opendefense.cloud.yaml
  • charts/dependency-controller/files/dependencies.opendefense.cloud_dependencyrules.yaml
  • charts/dependency-controller/templates/webhook-deployment.yaml
  • charts/dependency-controller/values.yaml
  • cmd/controller/main.go
  • cmd/webhook/main.go
  • config/crds/dependencies.opendefense.cloud_dependencyrules.yaml
  • config/kcp/apiexport-dependencies.opendefense.cloud.yaml
  • config/kcp/apiresourceschema-dependencyrules.dependencies.opendefense.cloud.yaml
  • docs/architecture.md
  • docs/development.md
  • docs/getting-started.md
  • internal/controller/dependencyrule_controller.go
  • internal/controller/integration_test.go
  • internal/controller/webhook_installer.go
  • internal/kcp/endpointslice.go
  • internal/kcp/kubeconfig.go
  • internal/kcp/kubeconfig_test.go
  • internal/webhook/deletion_validator.go
  • internal/webhook/rule_cache_manager.go
  • internal/webhook/rule_registry.go
  • internal/webhook/rule_registry_test.go
  • test/e2e/dependency_test.go
  • test/e2e/suite_test.go
  • test/fixtures/depctrl-rbac-bootstrap.yaml
  • test/fixtures/dependencyrule-vm-dependencies copy.yaml
  • test/fixtures/dependencyrule-vm-dependencies.yaml
  • test/fixtures/integration-values-kcp.yaml
  • test/fixtures/integration-values.yaml
  • test/fixtures/kcp-admin-cert.yaml
  • test/fixtures/kcp-bootstrap-cert.yaml
  • test/fixtures/kcp-controller-cert.yaml
  • test/fixtures/kcp-server-nodeport.yaml
  • test/fixtures/kcp-webhook-sa-cert.yaml
  • test/fixtures/kind-config.yaml
  • test/fixtures/root-rbac-bootstrap.yaml
  • test/fixtures/shard-admin-rbac-bootstrap.yaml
  • test/fixtures/system-admin-rbac-bootstrap.yaml
  • test/fixtures/vm-shard-vm.yaml
  • test/fixtures/vm-update-vm.yaml
  • test/fixtures/vpc-shard-vpc.yaml
  • test/fixtures/vpc-update-vpc.yaml

📝 Walkthrough


This PR refactors the webhook deletion validation from per-rule indexed caches to per-request direct queries, adds a resource field to DependencyRule specs, discovers providers via APIExportEndpointSlice, and overhauls E2E testing for multi-shard kcp-operator deployments with shard-aware workspace placement.

Changes

Core Architecture Refactoring

| Layer | File(s) | Summary |
|---|---|---|
| API and Validation Types | api/v1alpha1/types.go, api/v1alpha1/validation_test.go | DependentRef gains a new Resource field with validation constraints for specifying the plural dependent resource name. |
| CRD and Schema Versioning | config/crds/*, config/kcp/*, charts/dependency-controller/files/* | CRD schema version bumped from v260428-3564c91 to v260504-f130a11 across all manifest files; spec.dependent.resource field added with required validation. |
| KCP Configuration Utilities | internal/kcp/kubeconfig.go, internal/kcp/kubeconfig_test.go | New ValidateKubeconfig and BaseConfig functions validate workspace-scoped kubeconfigs and derive front-proxy base URLs. |
| Provider Discovery | internal/kcp/endpointslice.go | New FindEndpointSlice helper discovers APIExportEndpointSlice resources to dynamically resolve provider endpoints. |
| Per-Request Deletion Validation | internal/webhook/deletion_validator.go | Refactors DeletionValidator to query dependent resources per-request using workspace-scoped dynamic clients instead of indexed caches. |
| Simplified Rule Registry | internal/webhook/rule_registry.go, internal/webhook/rule_registry_test.go | Removes runtime Manager and Cancel fields from RuleState; converts to metadata-only registry for admission lookup. |
| Registry Population | internal/webhook/rule_cache_manager.go | Simplifies RuleCacheManager to list DependencyRule objects across virtual workspace shards and register metadata only. |
| Controller and Webhook Integration | cmd/controller/main.go, cmd/webhook/main.go, internal/controller/dependencyrule_controller.go, internal/controller/webhook_installer.go, internal/controller/integration_test.go | Updates controller/webhook mains to discover endpoints, use multicluster manager for webhook installation, and pass base configs to reconciler and validator. |
| Helm Chart Updates | charts/dependency-controller/values.yaml, charts/dependency-controller/templates/webhook-deployment.yaml | Removes --kcp-base-host flag rendering; clarifies front-proxy URL derivation from kubeconfig. |
| README RBAC and Test Documentation | README.md | Clarifies RBAC is not shard-wide but mediated via APIExport permissionClaims; documents E2E multi-shard kcp-operator setup. |
| Architecture Documentation | docs/architecture.md | Rewrites narrative to reflect per-request query flow, system:admin per-shard RBAC, metadata registry pattern, and removal of cache-based limitations. |
| Deployment and Development Documentation | docs/getting-started.md, docs/development.md, Makefile | Reorganizes getting-started into six deployment phases with kcp-operator; updates development guide with E2E shard configuration and test scenarios; adds test-e2e-matrix Make target. |

Multi-Shard E2E Test Infrastructure

| Layer | File(s) | Summary |
|---|---|---|
| E2E Suite Shard Configuration | test/e2e/suite_test.go | Adds shard-aware test execution driven by E2E_SHARD_CONFIG, shard placement verification, and front-proxy kubeconfig rewriting via kcp-operator and kind cluster setup. |
| E2E Test Scenarios | test/e2e/dependency_test.go | Adds cross-shard deletion protection and in-place rule update scenarios; removes legacy webhook RBAC verification tests. |
| E2E RBAC Bootstrap and Root Fixtures | test/fixtures/root-rbac-bootstrap.yaml, test/fixtures/shard-admin-rbac-bootstrap.yaml, test/fixtures/system-admin-rbac-bootstrap.yaml, test/fixtures/depctrl-rbac-bootstrap.yaml | Reorganizes RBAC bootstrap for per-shard system:admin, root workspace controller rules, and dep-ctrl workspace access; removes shard-wide apiexport reader permissions. |
| E2E Test Resource Fixtures | test/fixtures/dependencyrule-vm-dependencies*.yaml, test/fixtures/vpc-*.yaml, test/fixtures/vm-*.yaml | Adds new VPC and VirtualMachine test fixture resources for multi-shard deletion protection scenarios. |
| Removed Legacy KCP Fixtures and Values | test/fixtures/kcp-*.yaml, test/fixtures/integration-values-kcp.yaml | Removes cert-manager certificates, NodePort service, and KCP-specific values no longer needed with kcp-operator and front-proxy deployment. |

Build Configuration

| Layer | File(s) | Summary |
|---|---|---|
| E2E Make Targets | Makefile | Adds test-e2e-matrix target to run E2E tests with both single-shard and multi-shard configurations; documents E2E_SHARD_CONFIG parameter. |
| Build Configuration Files | .gitignore, test/fixtures/integration-values.yaml | Adds .secrets/ to gitignore; removes static kcpBaseHost from integration fixtures in favor of runtime injection. |

🎯 4 (Complex) | ⏱️ ~60 minutes


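The walkthrough above describes two pieces that carry the security weight of this change: ValidateKubeconfig and BaseConfig, which check that the controller's kubeconfig is workspace-scoped and derive the front-proxy base URL from it, and a deletion validator that builds a workspace-scoped client per admission request instead of relying on shard-wide caches. The Go program below is an added illustration of that kind of check and is not the dependency-controller's own code: ValidateWorkspaceServer, WorkspaceURL, WorkspaceInfo and the regular expression are hypothetical names chosen here, and the sample URLs are constructed. The only thing it takes as given is the kcp convention that a workspace-scoped server URL has the form <front-proxy base>/clusters/<workspace path>.

```go
package main

// Added example, not code from the dependency-controller repository. Function
// and type names are hypothetical; the URL shape <base>/clusters/<workspace>
// is the kcp front-proxy convention the PR summary refers to.

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// ErrNotWorkspaceScoped is returned when the server URL carries no
// /clusters/<workspace> path, i.e. it points at a shard or front-proxy root
// rather than at one logical cluster.
var ErrNotWorkspaceScoped = errors.New("kubeconfig server URL is not workspace-scoped")

// workspacePathRE accepts kcp-style workspace paths such as "root",
// "root:org:ws" or a hashed logical cluster name. The "*" wildcard that kcp
// uses for cross-workspace listing deliberately does not match: a client built
// on it would reach every workspace, which is exactly what a per-request,
// workspace-scoped validator must not do.
var workspacePathRE = regexp.MustCompile(`^[a-z0-9]([a-z0-9-]*[a-z0-9])?(:[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$`)

// WorkspaceInfo is the result of validating a workspace-scoped server URL.
type WorkspaceInfo struct {
	Base      string // front-proxy base URL, e.g. https://front-proxy.example:6443
	Workspace string // workspace path, e.g. root:org:ws
}

// ValidateWorkspaceServer checks that server is an https URL of the form
// <base>/clusters/<workspace> and splits it into base and workspace.
// Any prefix before /clusters/ (for example a virtual-workspace path) is kept
// as part of the base so that derived URLs stay on the same endpoint.
func ValidateWorkspaceServer(server string) (WorkspaceInfo, error) {
	u, err := url.Parse(server)
	if err != nil {
		return WorkspaceInfo{}, fmt.Errorf("parse server URL: %w", err)
	}
	if u.Scheme != "https" {
		return WorkspaceInfo{}, fmt.Errorf("server URL must use https, got %q", u.Scheme)
	}
	if u.Host == "" || u.User != nil || u.RawQuery != "" || u.Fragment != "" {
		return WorkspaceInfo{}, errors.New("server URL must be https://host[/prefix]/clusters/<workspace> with no userinfo, query or fragment")
	}
	path := strings.TrimSuffix(u.Path, "/")
	idx := strings.LastIndex(path, "/clusters/")
	if idx < 0 {
		return WorkspaceInfo{}, ErrNotWorkspaceScoped
	}
	prefix, ws := path[:idx], path[idx+len("/clusters/"):]
	// A trailing segment ("/clusters/root:org/extra") or a wildcard fails the
	// pattern because neither "/" nor "*" is a legal workspace path character.
	if !workspacePathRE.MatchString(ws) {
		return WorkspaceInfo{}, fmt.Errorf("invalid workspace path %q", ws)
	}
	return WorkspaceInfo{Base: u.Scheme + "://" + u.Host + prefix, Workspace: ws}, nil
}

// WorkspaceURL builds the server URL for another workspace on the same base,
// as a per-request client would need. The workspace is validated with the
// same pattern, so path traversal or wildcard input is rejected instead of
// being spliced into the URL.
func WorkspaceURL(base, workspace string) (string, error) {
	if !workspacePathRE.MatchString(workspace) {
		return "", fmt.Errorf("invalid workspace path %q", workspace)
	}
	return strings.TrimSuffix(base, "/") + "/clusters/" + workspace, nil
}

func main() {
	// Constructed sample inputs: one valid workspace-scoped URL, a bare
	// front-proxy root, and the cross-workspace wildcard.
	for _, s := range []string{
		"https://front-proxy.example:6443/clusters/root:org:ws",
		"https://front-proxy.example:6443/",
		"https://front-proxy.example:6443/clusters/*",
	} {
		info, err := ValidateWorkspaceServer(s)
		fmt.Printf("%-55s -> %+v err=%v\n", s, info, err)
	}
}
```

Rejecting the bare front-proxy root and the `/clusters/*` wildcard is the point of the check: a kubeconfig that is not pinned to one workspace would let the webhook's per-request client see objects across workspaces, which is the shard-wide reach the refactoring sets out to remove. Keeping any prefix before `/clusters/` in the base means a URL derived for a second workspace stays on the same virtual-workspace endpoint rather than silently moving to the shard's root.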

@BergCyrill BergCyrill requested a review from trevex May 7, 2026 07:34
@trevex trevex enabled auto-merge May 7, 2026 07:35
@trevex trevex disabled auto-merge May 7, 2026 07:36
@trevex trevex merged commit 1fb2920 into main May 7, 2026
8 of 9 checks passed
@trevex trevex deleted the chore/cleaner-export-path-handling branch May 7, 2026 07:36