Releases: opendefensecloud/dependency-controller

v0.3.0

07 May 07:37
1fb2920

What's Changed

Full Changelog: v0.2.0...v0.3.0

v0.2.0

07 May 06:58
0d792c6

What's Changed

  • Adding OpenSSF Scorecard by @Perseus985 in #4
  • Update kubernetes monorepo to v0.35.4 by @renovate[bot] in #1
  • Update module sigs.k8s.io/controller-runtime to v0.23.3 by @renovate[bot] in #2
  • Update actions/upload-artifact action to v7.0.1 by @renovate[bot] in #5
  • DependencyRule Validation Markers & Tests by @BergCyrill in #17
  • feat: migrate to dev-kit by @olzemal in #16
  • Update docker/metadata-action action to v6 by @renovate[bot] in #15
  • Update docker/login-action action to v4 by @renovate[bot] in #14
  • Update actions/setup-go action to v6 by @renovate[bot] in #13
  • Update actions/checkout action to v6 by @renovate[bot] in #12
  • Update module github.com/onsi/gomega to v1.39.1 by @renovate[bot] in #11
  • Update module github.com/onsi/ginkgo/v2 to v2.28.2 by @renovate[bot] in #10
  • Update module github.com/kcp-dev/sdk to v0.31.1 by @renovate[bot] in #9
  • Update github/codeql-action action to v4.35.2 by @renovate[bot] in #7
  • chore: upgrade multicluster-runtime and multicluster-provider by @trevex in #22
  • Update dependency opendefensecloud/dev-kit to v1.0.6 by @renovate[bot] in #19
  • chore: remove unused Resource from DependentRef and updates test and docs. by @trevex in #37
  • chore: add comments regarding readyz using healthz.Ping by @trevex in #38
  • Update module addlicense to v1.2.0 by @renovate[bot] in #27
  • Update module controller-gen to v0.20.1 by @renovate[bot] in #30
  • Update module ginkgo to v2.28.3 by @renovate[bot] in #31
  • Update module github.com/onsi/ginkgo/v2 to v2.28.3 by @renovate[bot] in #32
  • Update docker/setup-buildx-action action to v4 by @renovate[bot] in #34
  • Update docker/setup-qemu-action action to v4 by @renovate[bot] in #35
  • Update docker/metadata-action action to v6 by @renovate[bot] in #36
  • Update dependency opendefensecloud/dev-kit to v1.0.7 - autoclosed by @renovate[bot] in #42
  • Update golangci/golangci-lint-action action to v9 by @renovate[bot] in #44
  • Update module osv-scanner to v2.3.7 by @renovate[bot] in #46
  • Update module golangci-lint to v2.12.2 by @renovate[bot] in #47
  • Update github/codeql-action action to v4.35.3 by @renovate[bot] in #48
  • Update module controller-gen to v0.21.0 by @renovate[bot] in #49
  • Update sigstore/cosign-installer action to v4.1.2 by @renovate[bot] in #52

New Contributors

Full Changelog: v0.1.0...v0.2.0

v0.1.0

17 Apr 11:11

Full Changelog: https://github.com/opendefensecloud/dependency-controller/commits/v0.1.0

First release, but the project went through some iterations. A short log:

2026-04-17

Added

  • Nix flake for reproducible dev environment with pinned Go version, linters, and pre-commit hooks.
  • Renovate configuration for automated dependency updates.
  • GitHub Actions workflows: golang.yaml (lint + test), docker.yaml (multi-arch build, cosign signing, SBOM, provenance attestation), helm-publish.yaml (OCI push + signing), helm-lint.yaml, osv-scanner.yml.
  • Dockerfile improvements: multi-target build (controller, webhook, combined), BuildKit cache mounts, -ldflags="-s -w".

Changed

  • Default webhook.tls.certManager.enabled to false in Helm values so chart templates render without user-provided issuer configuration.
  • Updated container image registry to ghcr.io/opendefensecloud.
  • DependentRef.APIExportRef (path + name) replaced with DependentRef.APIExportName (string). DependencyRules now reference only the APIExport name -- the workspace path is derived from the rule's own location, enforcing that rules can only be declared for resources in the same workspace.
  • Webhook admission handler scopes dependent lookups to the same namespace as the deleted resource. Cross-namespace references are not supported.
  • Copyright holder changed from "Open Defense and dependency-controller contributors" to "BWI GmbH and Dependency Controller contributors".

Removed

  • Old ci.yaml and release.yaml GitHub Actions workflows (replaced by new workflow suite).
  • devenv.nix (replaced by flake.nix).

2026-04-16

Added

  • Getting started guide with full walkthrough for deploying on kcp.
  • Helm chart with separate controller and webhook deployments, cert-manager integration, and kcp kubeconfig support.
  • envtest-based controller integration test suite (moved from e2e).
  • RBAC manager that dynamically maintains ClusterRoles for webhook service account access to dependency resources.
  • WebhookInstaller for automatic ValidatingWebhookConfiguration management in dependency provider workspaces.
  • Architecture documentation with Mermaid diagrams covering request flow, reconciliation, and component interactions.

Changed

  • Adopted system:admin Bootstrap Policy Authorizer for shard-wide RBAC instead of dynamic ClusterRole/ClusterRoleBinding permission claims.
  • Refactored permissions model to run controller and webhook with least privileges -- webhook uses only system:admin, controller manages VWCs via permission claims.
  • Controller name validation changed to skip instead of leaking internal names.
  • e2e tests restructured as proper end-to-end tests (kind + kcp + Helm), with YAML-based fixtures replacing programmatic object construction.
  • Linted entire codebase, cleaned up Makefile.

2026-04-14

Added

  • Readyz endpoint that blocks admission until the rule registry is fully populated, preventing deletions from slipping through during startup.
  • Mermaid diagrams in README and architecture docs, with dark mode support.

Changed

  • Major refactor: removed Dependency marker objects entirely. Rules are now evaluated dynamically using per-rule indexed caches over the dependent resource's virtual workspace. Field indices on dependent resources allow efficient "which dependents reference resource X?" queries without creating or cleaning up marker objects.

2026-04-10

Added

  • Initial implementation of the dependency controller for kcp.
  • DependencyRule CRD for declaring how resource types reference each other across workspaces.
  • Validating admission webhook that blocks deletion of resources still referenced by dependents.
  • Per-rule multicluster managers connected to APIExport virtual workspaces for cross-workspace dependent resource discovery.
  • Automatic ValidatingWebhookConfiguration installation in dependency provider workspaces.
  • Workspace-aware dependency tracking across logical clusters.
  • Skip-protection annotation (dependencies.opendefense.cloud/skip-protection) to bypass deletion checks.
  • Unit tests for core components.