feat: finish ReferenceGrants implementation (#490)

[dermorz]

What

Finish the ReferenceGrants feature started in #474.

Closes #490

Why

PR #474 merged the ReferenceGrant CRD and a PoC implementation, but left several gaps:

• The target controller had a bug where cross-namespace ReleaseBinding resources (created by the Profile controller in the provider namespace with spec.targetNamespace set) were never discovered — the controller only listed bindings in the target's own namespace.
• No documentation existed for operators or users on how to create and manage ReferenceGrants.
• No ADR captured the decision.
• RegistryBindingSpec was missing the TargetNamespace field needed for future cross-namespace support (blocked on ADR-010).

Testing

• Unit/integration tests: make test — all passing
• mapReleaseBindingToTarget and mapReleaseToTargets mapper fixes covered by existing reconciler tests
• E2e test extended: the cross-namespace Profile→Target scenario now also verifies that a RenderTask is created for the matched target (previously only verified the ReleaseBinding was created)

Notes for reviewers

• Controller change: TargetReconciler.Reconcile now calls collectCrossNamespaceReleaseBindings after the same-namespace list. This lists ReferenceGrants in the target's namespace (already cached) and for each authorized namespace fetches bindings via the existing indexReleaseBindingTargetName field index. No new watches added — the ReferenceGrant watch was already in place.
• API change: RegistryBindingSpec gains an optional TargetNamespace string field. No controller logic uses it yet (see FIXME comment in target_controller.go); make codegen was run to update generated files.
• ADR-005 status changed to superseded; ADR-011 added.
• The ReferenceGrant user guide page lives in
• Controller change: TargetReconciler.Reconcile now calls collectCrossNamespaceReleaseBindings after the same-namespace list. This lists ReferenceGrants in the target's namespace (already cached) and for each authorized namespace fetches bindings via the existing indexReleaseBindingTargetName field index. No new watches added — the ReferenceGrant watch was already in place.
• API change: RegistryBindingSpec gains an optional TargetNamespace string field. No controller logic uses it yet (see FIXME comment in target_controller.go); make codegen was run to update generated files.
• ADR-005 status changed to superseded; ADR-011 added.
• The ReferenceGrant user guide page lives in docs/user-guide/ (not developer guide) — it documents what operators need to create, organised by role.
• In multi-tenant setups, grants per namespace don't scale well if created manually. The user guide calls this out and recommends managing them via namespace provisioning tooling (e.g. Kyverno generate policies). Wildcard namespace support is tracked as a spike for a follow-up issue.

Checklist

• Tests added/updated
• No breaking changes (or upgrade path documented above)
• Readable commit history (squashed and cleaned up as desired)
• AI code review considered and comments resolved

Summary by CodeRabbit

• New Features

  • Resources can reference Targets in different namespaces when authorized via ReferenceGrants
  • Added optional targetNamespace on RegistryBinding/ReleaseBinding to support cross-namespace bindings; controllers honor it when reconciling and queuing work
  • RenderTask naming and repository paths now include the release namespace for per-namespace separation

• Documentation

  • New user guide for ReferenceGrants and updated API reference; ADRs and developer docs revised; navigation entries refined

• Tests

  • Added e2e and controller tests validating cross-namespace ReferenceGrant behavior and deduplication

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds cross-namespace reference support via ReferenceGrants: introduces RegistryBindingSpec.targetNamespace, updates generated APIs/OpenAPI, extends Target controller to discover/reconcile ReferenceGrant-authorized cross-namespace ReleaseBindings, and updates docs, tests, and RenderTask naming to be namespace-qualified.

Changes

Cross-Namespace References with ReferenceGrants

Layer / File(s)	Summary
RegistryBindingSpec API Extension api/solar/registrybinding_types.go, api/solar/v1alpha1/registrybinding_types.go, client-go/applyconfigurations/solar/v1alpha1/registrybindingspec.go, client-go/openapi/zz_generated.openapi.go	RegistryBindingSpec gains an optional TargetNamespace field with JSON metadata; apply-configuration gains WithTargetNamespace; OpenAPI schema documents targetNamespace.
API Conversions api/solar/v1alpha1/zz_generated.conversion.go	Generated conversions now copy TargetNamespace between internal and v1alpha1 types.
ReferenceGrants Design and Documentation docs/developer-guide/adrs/011-ReferenceGrants.md, docs/developer-guide/adrs/005-Cluster-Scoped-Resources.md, docs/user-guide/reference-grants.md, docs/developer-guide/profile_controller.md, docs/developer-guide/target_controller.md, docs/user-guide/api-reference.md, docs/.nav.yml, mkdocs.yml	Adds ADR-011, marks ADR-005 superseded, adds user/developer docs for ReferenceGrant placement and behavior, updates watch triggers and API reference to include targetNamespace.
Target Controller Cross-Namespace Logic pkg/controller/target_controller.go, pkg/controller/helpers.go	Target reconciler collects ReleaseBindings authorized by ReferenceGrants in the Target namespace, resolves Releases from the binding namespace, updates ComponentVersion grant checks, computes effective target namespaces from spec.targetNamespace for mapping/deduplication, and namespaces RenderTask names/repos.
Tests and Fixtures test/e2e/e2e_test.go, test/fixtures/e2e/cross-ns-referencegrant.yaml, pkg/controller/target_controller_test.go	E2E and unit tests updated/added to validate cross-namespace ReleaseBinding authorization via ReferenceGrant, RenderTask creation, and deduplication; fixture adapts ReferenceGrant from to ReleaseBinding.

Sequence Diagram

sequenceDiagram
  participant ProfileController
  participant ReleaseBinding
  participant ReferenceGrant
  participant TargetController
  participant RenderTask
  ProfileController->>ReleaseBinding: create/update (spec.targetNamespace may be set)
  TargetController->>ReferenceGrant: list grants in Target namespace
  ReferenceGrant-->>TargetController: authorize matching ReleaseBinding
  TargetController->>ReleaseBinding: fetch Release from binding namespace
  TargetController->>RenderTask: create RenderTask in release namespace

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• opendefensecloud/solution-arsenal#310: Updates ADR-005 to reflect ReferenceGrants decision (superseding ADR-005).
• opendefensecloud/solution-arsenal#474: Prior ReferenceGrants PoC modifying target_controller cross-namespace ReleaseBinding handling.
• opendefensecloud/solution-arsenal#395: Earlier changes to RegistryBindingSpec definitions related to this field.

Suggested labels

feature

Suggested reviewers

• rebEllieous
• trevex

"🐰 I hopped through namespaces wide and far,
Found grants that say who you are,
A binding points where targets roam,
Now RenderTasks find their proper home,
Hooray — cross-ns hops without a scar!"

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 60.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title clearly and concisely describes the main change: completing the ReferenceGrants implementation with an issue reference.
Linked Issues check	✅ Passed	The PR fully addresses all acceptance criteria from issue #490: cross-namespace references are supported via controller/mapper fixes with tests, documentation is extended with user guide and ADRs, and e2e verification confirms the implementation.
Out of Scope Changes check	✅ Passed	All changes are tightly scoped to ReferenceGrants completion: API extensions, controller logic for cross-namespace discovery, documentation, ADR updates, and supporting tests—all directly related to the feature objectives.
Description check	✅ Passed	The pull request description covers all required template sections: What (feature completion with issue link), Why (motivation and gaps), Testing (test levels specified), Notes for reviewers (API/controller/ADR changes detailed), and Checklist (all items marked complete).

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/490-reference-grants

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/developer-guide/profile_controller.md`:
- Around line 9-10: Update the broken link in profile_controller.md: replace the
relative link target string `./reference-grants.md` with the correct user-guide
path (e.g. `../user-guide/reference-grants.md`) so the "ReferenceGrants" link
from the Profile controller doc resolves to the new user-guide page; locate and
edit the occurrence in docs/developer-guide/profile_controller.md where the text
references ReferenceGrants.

In `@docs/developer-guide/target_controller.md`:
- Line 112: Update the broken ReferenceGrants link in
docs/developer-guide/target_controller.md: replace the incorrect relative link
"./reference-grants.md" (the link text "ReferenceGrants") with the correct path
into the user-guide (e.g., "../user-guide/reference-grants.md") so the reference
resolves from the developer-guide directory.

In `@pkg/controller/target_controller.go`:
- Around line 207-213: After appending cross-namespace ReleaseBindings (from
collectCrossNamespaceReleaseBindings) we still load Releases using the target's
namespace; change the Release lookup to use each ReleaseBinding's namespace when
resolving its Release. In the loop that iterates bindingList.Items (after
collectCrossNamespaceReleaseBindings), build the NamespacedName for the Release
using binding.Namespace (not target.Namespace) so cross-namespace bindings
resolve to Releases in the binding's namespace.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 339d4268-3c3a-4b2b-a46a-e01e7def9dd9

📥 Commits

Reviewing files that changed from the base of the PR and between 79d5c36 and 80b4930.

📒 Files selected for processing (16)

• api/solar/registrybinding_types.go
• api/solar/v1alpha1/registrybinding_types.go
• api/solar/v1alpha1/zz_generated.conversion.go
• client-go/applyconfigurations/solar/v1alpha1/registrybindingspec.go
• client-go/openapi/zz_generated.openapi.go
• docs/.nav.yml
• docs/developer-guide/adrs/005-Cluster-Scoped-Resources.md
• docs/developer-guide/adrs/011-ReferenceGrants.md
• docs/developer-guide/profile_controller.md
• docs/developer-guide/target_controller.md
• docs/user-guide/api-reference.md
• docs/user-guide/reference-grants.md
• mkdocs.yml
• pkg/controller/target_controller.go
• test/e2e/e2e_test.go
• test/fixtures/e2e/cross-ns-referencegrant.yaml

[coveralls]

Coverage Report for CI Build 26284570371

Warning

No base build found for commit 40dd62d on main.
Coverage changes can't be calculated without a base build.
If a base build is processing, this comment will update automatically when it completes.

Coverage: 72.833%

Details

• Patch coverage: 12 uncovered changes across 1 file (79 of 91 lines covered, 86.81%).

Uncovered Changes

File	Changed	Covered	%
pkg/controller/target_controller.go	89	77	86.52%

Coverage Regressions

Requires a base build to compare against. How to fix this →

---

Coverage Stats

Relevant Lines:	3357
Covered Lines:	2445
Line Coverage:	72.83%
Coverage Strength:	31.74 hits per line

---

💛 - Coveralls

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

pkg/controller/target_controller.go (2)

1022-1054: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

collectCrossNamespaceReleaseBindings can return duplicate bindings.

If two ReferenceGrants in target.Namespace both authorize ReleaseBinding from the same from.Namespace (or a single grant repeats a From entry), the inner r.List runs once per occurrence and the same ReleaseBindings are appended to result multiple times. Downstream, each duplicate produces another iteration in the binding loop (re-fetching the same Release/CV) and is also fed into resolveReleaseConflicts as a separate releaseInfo with the same bindingKey, which can corrupt skip messages and waste reconciliation work.

🛡️ Suggested dedup

 	var result []solarv1alpha1.ReleaseBinding
+	seen := map[string]struct{}{}
 	for i := range grantList.Items {
 		grant := &grantList.Items[i]
 		if !grantsReleaseBindingToTargetResource(grant) {
 			continue
 		}
 		for _, from := range grant.Spec.From {
 			if from.Kind != "ReleaseBinding" || from.Group != solarGroup {
 				continue
 			}
+			if _, ok := seen[from.Namespace]; ok {
+				continue
+			}
+			seen[from.Namespace] = struct{}{}
 			crossBindings := &solarv1alpha1.ReleaseBindingList{}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/controller/target_controller.go` around lines 1022 - 1054,
collectCrossNamespaceReleaseBindings can append the same ReleaseBinding multiple
times when multiple ReferenceGrants or duplicate From entries reference the same
from.Namespace; fix by deduplicating before returning: while iterating
crossBindings.Items inside collectCrossNamespaceReleaseBindings (function name)
build a seen map keyed by a stable identifier (e.g., rb.UID.String() or a
namespacedName like rb.Namespace+"/"+rb.Name) and only append rb to result if
not yet seen, so duplicate entries from repeated r.List calls are ignored.

---

292-345: ⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Fix cross-namespace Release→RenderTask/chart collisions caused by identity keys missing namespace

releaseRenderTaskName is derived only from rel.Name, target.Name, and rel.GetGeneration() (no rel.Namespace). computeReleaseRenderTaskSpec then sets chartName = "release-"+rel.Name, repo = target.Namespace+"/"+chartName, and tag = "v0.0."+rel.GetGeneration(). So two Releases from different namespaces with the same rel.Name and same generation can be accepted by resolveReleaseConflicts (dedup key is release.Spec.UniqueName/CV component name, not namespace) yet map to the same RenderTask name and the same rendered chart artifact/version. The loop will Get the already-existing RenderTask on the second iteration and reuse its Status.ChartURL, so the second Release can incorrectly use the first Release’s rendered output.

Include rel.Namespace (or another namespace/unique identity) in the RenderTask name and in the rendered chart identity (chartName/repo/tag) so each accepted Release maps to a distinct artifact.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/controller/target_controller.go` around lines 292 - 345, The RenderTask/
chart collisions occur because releaseRenderTaskName and
computeReleaseRenderTaskSpec omit rel.Namespace, causing Releases with same
name+generation across namespaces to share a RenderTask and artifact; update
releaseRenderTaskName to include rel.Namespace (e.g., incorporate rel.Namespace
into the generated rtName) and update computeReleaseRenderTaskSpec to include
rel.Namespace in chartName/repo/tag (or otherwise derive a namespace-qualified
unique identifier) so each Release (namespace+name+generation) maps to a
distinct RenderTask and chart artifact; keep resolveReleaseConflicts logic
intact but ensure identifiers used when creating/getting RenderTasks and
rendered chart metadata include rel.Namespace to prevent cross-namespace reuse.

🧹 Nitpick comments (1)

pkg/controller/target_controller.go (1)

259-276: 💤 Low value

Minor: break out of the grant loop after a match.

for i := range grantList.Items keeps iterating after granted = true. Once a single grant permits the access, the remaining work is wasted. Adding break keeps the hot path tight and mirrors the early-return pattern used in registryGranted (lines 823–828).

 		for i := range grantList.Items {
 			if grantPermitsComponentVersionAccess(&grantList.Items[i], rel.Namespace) {
 				granted = true
+				break
 			}
 		}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/controller/target_controller.go` around lines 259 - 276, The loop over
grantList.Items in the block that checks cross-namespace ComponentVersion access
(the for i := range grantList.Items loop that calls
grantPermitsComponentVersionAccess and sets granted = true) should stop as soon
as a permitting grant is found; after setting granted = true add a break to exit
the loop immediately so we avoid unnecessary iterations and mirror the
early-exit behavior used by registryGranted.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@pkg/controller/target_controller.go`:
- Around line 1022-1054: collectCrossNamespaceReleaseBindings can append the
same ReleaseBinding multiple times when multiple ReferenceGrants or duplicate
From entries reference the same from.Namespace; fix by deduplicating before
returning: while iterating crossBindings.Items inside
collectCrossNamespaceReleaseBindings (function name) build a seen map keyed by a
stable identifier (e.g., rb.UID.String() or a namespacedName like
rb.Namespace+"/"+rb.Name) and only append rb to result if not yet seen, so
duplicate entries from repeated r.List calls are ignored.
- Around line 292-345: The RenderTask/ chart collisions occur because
releaseRenderTaskName and computeReleaseRenderTaskSpec omit rel.Namespace,
causing Releases with same name+generation across namespaces to share a
RenderTask and artifact; update releaseRenderTaskName to include rel.Namespace
(e.g., incorporate rel.Namespace into the generated rtName) and update
computeReleaseRenderTaskSpec to include rel.Namespace in chartName/repo/tag (or
otherwise derive a namespace-qualified unique identifier) so each Release
(namespace+name+generation) maps to a distinct RenderTask and chart artifact;
keep resolveReleaseConflicts logic intact but ensure identifiers used when
creating/getting RenderTasks and rendered chart metadata include rel.Namespace
to prevent cross-namespace reuse.

---

Nitpick comments:
In `@pkg/controller/target_controller.go`:
- Around line 259-276: The loop over grantList.Items in the block that checks
cross-namespace ComponentVersion access (the for i := range grantList.Items loop
that calls grantPermitsComponentVersionAccess and sets granted = true) should
stop as soon as a permitting grant is found; after setting granted = true add a
break to exit the loop immediately so we avoid unnecessary iterations and mirror
the early-exit behavior used by registryGranted.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 76fdbdd9-8715-4a52-9ff5-002e4228e9ae

📥 Commits

Reviewing files that changed from the base of the PR and between 80b4930 and 0692073.

📒 Files selected for processing (4)

• docs/developer-guide/profile_controller.md
• docs/developer-guide/target_controller.md
• pkg/controller/target_controller.go
• pkg/controller/target_controller_test.go

✅ Files skipped from review due to trivial changes (2)

• docs/developer-guide/target_controller.md
• docs/developer-guide/profile_controller.md

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/controller/target_controller_test.go`:
- Around line 622-629: The release objects created by
newProviderRelease("xns2-release") (and the similar case at the other block)
still reference the old provider-cv, creating a hidden cross-test dependency;
update the release's spec to reference the ComponentVersion you create in the
same test (the cv variable for provider-cv2/provider-cv3) so each test points to
its own ComponentVersion instead of "provider-cv" — locate the
newProviderRelease call and modify the resulting Release object's reference
fields to use cv.Name (or the created ComponentVersion's Name) before creating
it with k8sClient.Create; apply the same change to the second occurrence
covering the other test case.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 6919ee39-87cd-43db-88b6-795807250c06

📥 Commits

Reviewing files that changed from the base of the PR and between 0692073 and ef103e2.

📒 Files selected for processing (19)

• api/solar/registrybinding_types.go
• api/solar/v1alpha1/registrybinding_types.go
• api/solar/v1alpha1/zz_generated.conversion.go
• client-go/applyconfigurations/solar/v1alpha1/registrybindingspec.go
• client-go/openapi/zz_generated.openapi.go
• docs/.nav.yml
• docs/developer-guide/adrs/005-Cluster-Scoped-Resources.md
• docs/developer-guide/adrs/011-ReferenceGrants.md
• docs/developer-guide/profile_controller.md
• docs/developer-guide/rendering-pipeline.md
• docs/developer-guide/target_controller.md
• docs/user-guide/api-reference.md
• docs/user-guide/reference-grants.md
• mkdocs.yml
• pkg/controller/helpers.go
• pkg/controller/target_controller.go
• pkg/controller/target_controller_test.go
• test/e2e/e2e_test.go
• test/fixtures/e2e/cross-ns-referencegrant.yaml

✅ Files skipped from review due to trivial changes (7)

• docs/developer-guide/adrs/005-Cluster-Scoped-Resources.md
• client-go/openapi/zz_generated.openapi.go
• docs/developer-guide/profile_controller.md
• docs/user-guide/api-reference.md
• docs/developer-guide/target_controller.md
• docs/developer-guide/adrs/011-ReferenceGrants.md
• api/solar/v1alpha1/zz_generated.conversion.go