Skip to content

Update README and development documentation#64

Merged
BergCyrill merged 2 commits intomainfrom
docs/update-readme
May 8, 2026
Merged

Update README and development documentation#64
BergCyrill merged 2 commits intomainfrom
docs/update-readme

Conversation

@BergCyrill
Copy link
Copy Markdown
Contributor

@BergCyrill BergCyrill commented May 8, 2026
edited by coderabbitai Bot
Loading

Modified README:

  • add badges like for arc
  • modify content to reflect current multi-shard implementation
  • moved development documentation to the docs/development.md

Summary by CodeRabbit

  • Documentation
    • Updated README with revised dependency-resolution flow, architecture diagrams, and RBAC model clarification
    • Expanded development documentation with Nix-based setup instructions and pre-commit hooks guidance

@BergCyrill
docs: update README and development documentation to reflect implemen…
7845450 
…tation and toolchain setup

Signed-off-by: Cyrill Berg <cyrill.berg@opendefense.cloud>
@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented May 8, 2026
edited
Loading

Review Change Stack

📝 Walkthrough

Walkthrough

This PR updates project documentation to reflect an architectural shift in dependency resolution: replacing an indexed-cache model with on-demand dependent listing via kcp front-proxy. It also introduces Nix flake–based development setup instructions across README and a new docs/development.md guide.

Changes

Architecture Documentation & Development Setup

Layer / File(s) Summary
Architecture Overview
README.md		 Title refined to lowercase "kcp-aware"; lifecycle Mermaid diagram updated to show rule metadata registration in RuleRegistry with on-demand dependent listing instead of indexed caching.
DependencyRule Specification
README.md		 DependencyRule documentation and YAML example expanded to detail APIExport references (path, name, group, version, resource) and fieldRef.path within dependent resources.
Component Behavior & Admission Flow
README.md		 "Two Binaries" and admission webhook sections rewritten: controller installs webhook config via virtual workspace; webhook maintains only rule metadata and performs per-DELETE dependent listing and in-memory filtering via front-proxy without finalizers.
Architecture Diagram
README.md		 Mermaid architecture diagram updated to rename webhook responsibilities from "indexed cache manager" to rule registry and deletion validation; routing now reflects front-proxy dependent listing in consumer workspace.
Multicluster Watching Model
README.md		 Watching model simplified from two-level to one-level: binaries watch only DependencyRule objects; dependents are listed on-demand from consumer workspace.
RBAC Model
README.md		 RBAC section reworked into three static categories: per-shard webhook listing, controller workspace resolution, and dep-ctrl workspace RBAC for both binaries; clarifies install vs listing permissions.
Development Setup Instructions
README.md, docs/development.md		 README Development section rewritten with Nix flake + direnv quickstart; docs/development.md expanded with Prerequisites (Nix and non-Nix tooling), Dev shell setup, and Pre-commit hooks configuration.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

A whisker-twitched update, refined and clear,
From cache-indexed past to on-demand frontier.
Flake-built shells now greet each curious soul,
While dependents list freely—front-proxy's kind role. 🐰✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'Update README and development documentation' accurately describes the main changes: README.md was rewritten with architectural and behavioral updates, and docs/development.md was created/expanded with dev setup instructions.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch docs/update-readme

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@BergCyrill BergCyrill changed the title Update README and development documentation to reflect implemen… Update README and development documentation May 8, 2026
@Perseus985 Perseus985 self-requested a review May 8, 2026 13:50
coderabbitai[bot]
coderabbitai Bot reviewed May 8, 2026
View reviewed changes
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
docs/development.md (1)

58-60: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Update webhook file descriptions to match the new on-demand model.

These entries still describe a per-rule dependent cache model, which conflicts with the updated architecture in this PR (metadata registry + on-demand listing at admission time).

Proposed doc patch 
-    rule_cache_manager.go          Per-rule indexed cache lifecycle manager
-    rule_registry.go               Thread-safe registry of rule caches
+    rule_cache_manager.go          Reconciles DependencyRules into in-memory rule metadata
+    rule_registry.go               Thread-safe registry for rule metadata lookups
🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/development.md` around lines 58 - 60, Update the three file descriptions
in docs/development.md to reflect the new metadata-registry + on-demand listing
architecture instead of the old per-rule cache model: replace the description
for rule_cache_manager.go with something like "Cache lifecycle manager
(deprecated) — previously per-rule indexed cache, now unused by on-demand model"
or remove it, change rule_registry.go to "Thread-safe metadata registry for rule
metadata and lookup used at admission time", and change deletion_validator.go to
"Admission webhook handler that queries the metadata registry and performs
on-demand listing/validation at admission time"; edit the three entries
(rule_cache_manager.go, rule_registry.go, deletion_validator.go) accordingly so
the docs match the new design.
README.md (1)

221-223: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

RBAC section contradicts the new admission data path.

This paragraph says the webhook watches dependents via VW + permissionClaims, but the README now documents on-demand listing via kcp front-proxy. Please align this section to avoid incorrect RBAC expectations.

Proposed doc patch 
-No shard-wide RBAC is needed. The webhook watches dependent resources through the
-dep-ctrl APIExport's virtual workspace, authorized by dynamically managed
-permissionClaims. Providers accept these claims in their APIBinding.
+The webhook does not watch dependent resources via the dep-ctrl virtual workspace.
+Instead, on DELETE admission it lists dependents on demand in the consumer workspace
+through the kcp front-proxy. Required permissions for those list/get calls are granted
+via bootstrap RBAC (as documented in the deployment/development guides), while
+`permissionClaims` on dep-ctrl remain for webhook installation in provider workspaces.
🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@README.md` around lines 221 - 223, The README paragraph that claims "The
webhook watches dependent resources through the dep-ctrl APIExport's virtual
workspace, authorized by dynamically managed permissionClaims" is now incorrect;
update the RBAC section to describe the new admission data path: state that the
webhook performs on-demand listing via the kcp front-proxy (not via a virtual
workspace), explain the RBAC scopes/roles required for the front-proxy/listing
path, and remove or replace references to "dep-ctrl APIExport's virtual
workspace" and "permissionClaims" so the text matches the implemented on-demand
listing behavior.
🤖 Prompt for all review comments with AI agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@docs/development.md`:
- Around line 58-60: Update the three file descriptions in docs/development.md
to reflect the new metadata-registry + on-demand listing architecture instead of
the old per-rule cache model: replace the description for rule_cache_manager.go
with something like "Cache lifecycle manager (deprecated) — previously per-rule
indexed cache, now unused by on-demand model" or remove it, change
rule_registry.go to "Thread-safe metadata registry for rule metadata and lookup
used at admission time", and change deletion_validator.go to "Admission webhook
handler that queries the metadata registry and performs on-demand
listing/validation at admission time"; edit the three entries
(rule_cache_manager.go, rule_registry.go, deletion_validator.go) accordingly so
the docs match the new design.

In `@README.md`:
- Around line 221-223: The README paragraph that claims "The webhook watches
dependent resources through the dep-ctrl APIExport's virtual workspace,
authorized by dynamically managed permissionClaims" is now incorrect; update the
RBAC section to describe the new admission data path: state that the webhook
performs on-demand listing via the kcp front-proxy (not via a virtual
workspace), explain the RBAC scopes/roles required for the front-proxy/listing
path, and remove or replace references to "dep-ctrl APIExport's virtual
workspace" and "permissionClaims" so the text matches the implemented on-demand
listing behavior.
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 14d8e57c-0a81-4daf-8d9c-a4a04f5b35a6

📥 Commits

Reviewing files that changed from the base of the PR and between bcc0e62 and 7845450.

📒 Files selected for processing (2)
  • README.md
  • docs/development.md

Perseus985
Perseus985 previously approved these changes May 8, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@Perseus985 Perseus985 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Relates to the Old Jira Issue I guess

@Perseus985 Perseus985 added the documentation Improvements or additions to documentation label May 8, 2026
@BergCyrill
docs: enhance README with detailed RBAC and webhook management explan…
dd19de8 
…ations

Signed-off-by: Cyrill Berg <cyrill.berg@opendefense.cloud>
@BergCyrill
Copy link
Copy Markdown
Contributor Author

BergCyrill commented May 8, 2026

@coderabbitai review

@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented May 8, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

coderabbitai[bot]
coderabbitai Bot reviewed May 8, 2026
View reviewed changes
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@README.md`:
- Around line 220-226: The README currently recommends granting the webhook
ServiceAccount `*/* get,list` per-shard under `system:admin`, which is too
broad; update the documentation to mark this wildcard `*/* get,list` binding as
a break-glass fallback only, and replace the default recommendation with a
scoped RBAC approach that limits verbs, API groups, resources, and
namespaces/workspaces to only what the webhook actually needs; mention
`system:admin`, the webhook ServiceAccount, and `BootstrapPolicyAuthorizer` to
explain why the per-shard binding exists, but explicitly advise implementing
least-privilege roles and per-consumer-scoped bindings (or a generated role per
workspace) as the primary recommendation and reserve the `*/* get,list`
per-kcp-shard binding for emergency use.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5cd23074-6dd5-4638-ac07-69784b31209d

📥 Commits

Reviewing files that changed from the base of the PR and between 7845450 and dd19de8.

📒 Files selected for processing (1)
  • README.md

Comment thread README.md
@BergCyrill BergCyrill merged commit 399103c into main May 8, 2026
4 checks passed
@BergCyrill BergCyrill deleted the docs/update-readme branch May 8, 2026 15:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@Perseus985 Perseus985 Perseus985 approved these changes

Assignees

No one assigned

Labels

documentation Improvements or additions to documentation

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@BergCyrill @Perseus985