feat: multi-shard support #41

Merged: trevex merged 11 commits into chore/cleaner-export-path-handling from feat/multi-shard-support on May 7, 2026

@trevex trevex commented Apr 29, 2026

Stack created with GitHub Stacks CLI

Closes #25

@trevex trevex changed the title from "feat/multi shard support" to "feat: multi-shard support" Apr 29, 2026
@BergCyrill BergCyrill assigned BergCyrill and unassigned BergCyrill Apr 30, 2026
@BergCyrill BergCyrill self-requested a review April 30, 2026 19:32

@BergCyrill BergCyrill left a comment

I may have an oversight here but I haven't seen anything that will enable the controller to actually watch and reconcile on events regarding new dependency rules on more than just the first virtual workspace URL (and related shard). Changing the webhook installer to not use virtual workspaces but instead rely on access through frontProxy may seem tempting at first but comes with the huge tradeoff to not leverage virtual workspaces and permissionClaims anymore but instead rely on instance-wide permissions. There even may be more issues when it comes to controller-sharding.
I still would suggest to look at the way the api-syncagent does it and/or think about leveraging the cache server - may be sufficient here too.

Comment thread docs/development.md Outdated
Comment thread internal/controller/dependencyrule_controller.go Outdated
Comment thread internal/webhook/rule_cache_manager.go
Comment thread test/e2e/dependency_test.go Outdated
Comment thread test/fixtures/root-rbac-bootstrap.yaml Outdated
Comment thread test/fixtures/shard-admin-rbac-bootstrap.yaml Outdated
Comment thread test/fixtures/shard-admin-rbac-bootstrap.yaml Outdated
…ce to alleviate the need for shard-level system:admin RBAC

coderabbitai Bot commented May 1, 2026

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 087bba77-a533-4a44-ab65-c31d1aef4891

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

@BergCyrill BergCyrill left a comment

I am currently unsure about the following points:

  • How is consumer RBAC ensured for the webhook? There isn't anything in here (or I have missed it) - maybe it is because of an RBAC misunderstanding
  • What is now cached so the webhook can access this information? Only dependencyRules information and it now queries everything through its dynamicClient?

Comment thread docs/getting-started.md Outdated
Comment thread docs/getting-started.md Outdated
Comment thread docs/getting-started.md Outdated
BergCyrill added 2 commits May 6, 2026 23:48
Signed-off-by: Cyrill Berg <cyrill.berg@opendefense.cloud>
Signed-off-by: Cyrill Berg <cyrill.berg@opendefense.cloud>

BergCyrill commented May 6, 2026

I validated the current implementation and modified the e2e tests to match the current desired setup regarding authorization & sharding. The e2e tests now ensure everything is working across shards and implement the same authorization objects that are required by design.
I have also modified the documentation since this was outdated and did not match the current architecture & implementation.

So looks good for me now

@BergCyrill BergCyrill mentioned this pull request May 6, 2026
@trevex trevex merged commit 67b5bfd into chore/cleaner-export-path-handling May 7, 2026
3 checks passed
@trevex trevex deleted the feat/multi-shard-support branch May 7, 2026 06:49