feat: replace all client with Lister from mcr provider

.mockery.yaml

@@ -1,60 +1,85 @@
-pkgname: mocks
 include-auto-generated: true
 packages:
   github.com/openfga/api/proto/openfga/v1:
     config:
       dir: internal/subroutine/mocks
       filename: mock_OpenFGAServiceClient.go
+      pkgname: mocks
     interfaces:
       OpenFGAServiceClient:
 
   sigs.k8s.io/controller-runtime/pkg/client:
     config:
       dir: internal/subroutine/mocks
       filename: mock_Client.go
+      pkgname: mocks
     interfaces:
       Client:
 
   sigs.k8s.io/controller-runtime/pkg/manager:
     config:
       dir: internal/subroutine/mocks
-      filename: mock_CTRLManager.go
-      structname: CTRLManager
+      pkgname: mocks
     interfaces:
       Manager:
+        config:
+          filename: mock_CTRLManager.go
+          structname: MockCTRLManager
 
   sigs.k8s.io/multicluster-runtime/pkg/manager:
     config:
       dir: internal/subroutine/mocks
-      filename: mock_Manager.go
+      pkgname: mocks
     interfaces:
       Manager:
+        config:
+          filename: mock_Manager.go
+          structname: MockManager
 
   sigs.k8s.io/controller-runtime/pkg/cluster:
       config:
         dir: internal/subroutine/mocks
         filename: mock_Cluster.go
+        pkgname: mocks
       interfaces:
         Cluster:
 
   k8s.io/client-go/discovery:
       config:
         dir: internal/subroutine/mocks
         filename: mock_DiscoveryInterface.go
+        pkgname: mocks
       interfaces:
         DiscoveryInterface:
 
   github.com/platform-mesh/security-operator/internal/client:
     config:
       dir: internal/subroutine/mocks
-      filename: mock_KCPGetters.go
+      pkgname: mocks
+      all: true
     interfaces:
       KCPClientGetter:
+        config:
+          filename: mock_KCPClientGetter.go
       KCPCombinedClientGetter:
+        config:
+          filename: mock_KCPCombinedClientGetter.go
+      Lister:
+        config:
+          filename: mock_Lister.go
 
   github.com/platform-mesh/security-operator/pkg/clientreg:
     config:
       dir: internal/subroutine/mocks
       filename: mock_TokenRefresher.go
+      pkgname: mocks
     interfaces:
-      TokenRefresher:
+      TokenRefresher:
+
+  github.com/platform-mesh/security-operator/internal/fga:
+    config:
+      dir: internal/subroutine/mocks
+      filename: mock_StoreIDGetter.go
+      pkgname: mocks
+    interfaces:
+      StoreIDGetter:

cmd/model_generator.go

@@ -86,7 +86,9 @@ var modelGeneratorCmd = &cobra.Command{
 			return err
 		}
 
-		if err := controller.NewAPIBindingReconciler(log, mgr, iclient.NewConfigSchemeKCPClientGetter(mgr.GetLocalManager().GetConfig(), mgr.GetLocalManager().GetScheme()), &generatorCfg).
+		providerLister := iclient.NewProviderLister(provider.Provider.Provider)
+
+		if err := controller.NewAPIBindingReconciler(log, mgr, providerLister, &generatorCfg).
 			SetupWithManager(mgr, defaultCfg); err != nil {
 			setupLog.Error(err, "unable to create controller", "controller", "Resource")
 			return err

cmd/operator.go

@@ -11,7 +11,6 @@ import (
 	"github.com/platform-mesh/golang-commons/sentry"
 	corev1alpha1 "github.com/platform-mesh/security-operator/api/v1alpha1"
 	iclient "github.com/platform-mesh/security-operator/internal/client"
-	"github.com/platform-mesh/security-operator/internal/config"
 	"github.com/platform-mesh/security-operator/internal/controller"
 	fga2 "github.com/platform-mesh/security-operator/internal/fga"
 	"github.com/platform-mesh/security-operator/internal/predicates"
@@ -32,7 +31,6 @@ import (
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
 	"k8s.io/client-go/rest"
 
-	"github.com/kcp-dev/logicalcluster/v3"
 	"github.com/kcp-dev/multicluster-provider/apiexport"
 	pathaware "github.com/kcp-dev/multicluster-provider/path-aware"
 	kcpapisv1alpha1 "github.com/kcp-dev/sdk/apis/apis/v1alpha1"
@@ -61,14 +59,6 @@ var operatorCmd = &cobra.Command{
 			return err
 		}
 
-		if operatorCfg.MigrateAuthorizationModels {
-			kcpClientGetter := iclient.NewConfigSchemeKCPClientGetter(restCfg, scheme)
-			if err := migrateAuthorizationModels(ctx, kcpClientGetter, &operatorCfg); err != nil {
-				log.Error().Err(err).Msg("migration failed")
-				return err
-			}
-		}
-
 		if defaultCfg.Sentry.Dsn != "" {
 			err := sentry.Start(ctx,
 				defaultCfg.Sentry.Dsn, defaultCfg.Environment, defaultCfg.Region,
@@ -159,8 +149,9 @@ var operatorCmd = &cobra.Command{
 			log.Error().Err(err).Msg("Failed to create in cluster client")
 			return err
 		}
-		allClientGetter := iclient.NewConfigSchemeKCPClientGetter(mgr.GetLocalManager().GetConfig(), mgr.GetLocalManager().GetScheme())
-		if err = controller.NewStoreReconciler(ctx, log, fga, mgr, allClientGetter, &operatorCfg).
+		providerLister := iclient.NewProviderLister(provider.Provider.Provider)
+
+		if err = controller.NewStoreReconciler(ctx, log, fga, mgr, &operatorCfg, providerLister).
 			SetupWithManager(mgr, defaultCfg); err != nil {
 			log.Error().Err(err).Str("controller", "store").Msg("unable to create controller")
 			return err
@@ -171,7 +162,10 @@ var operatorCmd = &cobra.Command{
 			log.Error().Err(err).Str("controller", "authorizationmodel").Msg("unable to create controller")
 			return err
 		}
-		kcpClientGetter := iclient.NewManagerKCPClientGetter(mgr)
+
+		kcpClientGetter := iclient.NewManagerKCPClientGetter(mgr, provider.Provider.Provider)
+		kcpClientGetterWithConfig := iclient.NewConfigSchemeKCPClientGetter(restCfg, scheme)
+
 		inviteReconciler, err := controller.NewInviteReconciler(ctx, mgr, &operatorCfg, log, kcpClientGetter)
 		if err != nil {
 			log.Error().Err(err).Str("controller", "invite").Msg("unable to create reconciler")
@@ -181,7 +175,7 @@ var operatorCmd = &cobra.Command{
 			log.Error().Err(err).Str("controller", "invite").Msg("unable to create controller")
 			return err
 		}
-		orgReconciler, err := controller.NewOrgLogicalClusterController(log, kcpClientGetter, operatorCfg, runtimeClient, mgr, controller.ControllerOptions{
+		orgReconciler, err := controller.NewOrgLogicalClusterController(log, kcpClientGetterWithConfig, operatorCfg, runtimeClient, mgr, controller.ControllerOptions{
 			Name: "OrgLogicalClusterReconciler",
 		})
 		if err != nil {
@@ -196,7 +190,7 @@ var operatorCmd = &cobra.Command{
 			return err
 		}
 
-		alcReconciler, err := controller.NewAccountLogicalClusterController(log, operatorCfg, fga, storeIDGetter, mgr, kcpClientGetter, controller.ControllerOptions{
+		alcReconciler, err := controller.NewAccountLogicalClusterController(log, operatorCfg, fga, storeIDGetter, mgr, kcpClientGetterWithConfig, controller.ControllerOptions{
 			Name: "AccountLogicalClusterReconciler",
 		})
 		if err != nil {
@@ -242,48 +236,6 @@ var operatorCmd = &cobra.Command{
 	},
 }
 
-// this function can be removed after the operator has migrated the authz models in all environments
-func migrateAuthorizationModels(ctx context.Context, kcpClientGetter iclient.KCPCombinedClientGetter, operatorCfg *config.Config) error {
-	allClient, err := kcpClientGetter.AllClient(ctx, operatorCfg.APIExportEndpointSlices.CorePlatformMeshIO)
-	if err != nil {
-		return fmt.Errorf("failed to create all-cluster client: %w", err)
-	}
-
-	var models corev1alpha1.AuthorizationModelList
-	if err := allClient.List(ctx, &models); err != nil {
-		return fmt.Errorf("failed to list AuthorizationModels: %w", err)
-	}
-
-	for i := range models.Items {
-		item := &models.Items[i]
-
-		if item.Spec.StoreRef.Cluster != "" {
-			continue
-		}
-
-		if item.Spec.StoreRef.Path == "" {
-			return fmt.Errorf("AuthorizationModel %s has empty cluster field and no path field to migrate from", item.GetName())
-		}
-
-		clusterName := logicalcluster.From(item)
-		clusterClient, err := kcpClientGetter.NewClientForLogicalCluster(ctx, clusterName.String())
-		if err != nil {
-			return fmt.Errorf("failed to create cluster client for AuthorizationModel %s (cluster %s): %w", item.GetName(), clusterName, err)
-		}
-
-		original := item.DeepCopy()
-		item.Spec.StoreRef.Cluster = item.Spec.StoreRef.Path
-
-		patch := client.MergeFrom(original)
-		if err := clusterClient.Patch(ctx, item, patch); err != nil {
-			return fmt.Errorf("failed to patch AuthorizationModel %s: %w", item.GetName(), err)
-		}
-	}
-
-	log.Info().Msg("AuthorizationModel migration completed")
-	return nil
-}
-
 func init() {
 	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
 	utilruntime.Must(kcptenancyv1alpha1.AddToScheme(scheme))

cmd/system.go

@@ -7,6 +7,7 @@ import (
 	openfgav1 "github.com/openfga/api/proto/openfga/v1"
 	platformeshcontext "github.com/platform-mesh/golang-commons/context"
 	iclient "github.com/platform-mesh/security-operator/internal/client"
+	"github.com/platform-mesh/security-operator/internal/config"
 	"github.com/platform-mesh/security-operator/internal/controller"
 	"github.com/platform-mesh/security-operator/internal/fga"
 	"github.com/spf13/cobra"
@@ -16,6 +17,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
 	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
 	mcmanager "sigs.k8s.io/multicluster-runtime/pkg/manager"
+	multiprovider "sigs.k8s.io/multicluster-runtime/providers/multi"
 
 	"k8s.io/client-go/rest"
 
@@ -63,15 +65,30 @@ var systemCmd = &cobra.Command{
 			opts.LeaderElectionConfig = inClusterCfg
 		}
 
-		provider, err := pathaware.New(restCfg, systemCfg.APIExportEndpointSlices.SystemPlatformMeshIO, apiexport.Options{
+		systemProvider, err := pathaware.New(restCfg, systemCfg.APIExportEndpointSlices.SystemPlatformMeshIO, apiexport.Options{
 			Scheme: scheme,
 		})
 		if err != nil {
 			setupLog.Error(err, "unable to create apiexport provider")
 			return err
 		}
 
-		mgr, err := mcmanager.New(restCfg, provider, opts)
+		coreProvider, err := pathaware.New(restCfg, systemCfg.APIExportEndpointSlices.CorePlatformMeshIO, apiexport.Options{
+			Scheme: scheme,
+		})
+		if err != nil {
+			setupLog.Error(err, "unable to create core apiexport provider")
+			return err
+		}
+		multiProv := multiprovider.New(multiprovider.Options{})
+		if err := multiProv.AddProvider(config.SystemProviderName, systemProvider); err != nil {
+			return err
+		}
+		if err := multiProv.AddProvider(config.CoreProviderName, coreProvider); err != nil {
+			return err
+		}
+
+		mgr, err := mcmanager.New(restCfg, multiProv, opts)
 		if err != nil {
 			setupLog.Error(err, "unable to create manager")
 			return err
@@ -92,7 +109,7 @@ var systemCmd = &cobra.Command{
 			log,
 		)
 
-		kcpClientGetter := iclient.NewManagerKCPClientGetter(mgr)
+		kcpClientGetter := iclient.NewManagerKCPClientGetter(mgr, coreProvider.Provider.Provider)
 		idpReconciler, err := controller.NewIdentityProviderConfigurationReconciler(ctx, mgr, kcpClientGetter, &systemCfg, log)
 		if err != nil {
 			log.Error().Err(err).Str("controller", "identityprovider").Msg("unable to create reconciler")
@@ -103,7 +120,7 @@ var systemCmd = &cobra.Command{
 			return err
 		}
 
-		if err = controller.NewAPIExportPolicyReconciler(log, fgaClient, mgr, kcpClientGetter, &systemCfg, storeIDGetter).SetupWithManager(mgr, defaultCfg, &systemCfg); err != nil {
+		if err = controller.NewAPIExportPolicyReconciler(log, fgaClient, mgr, kcpClientGetter, &systemCfg, storeIDGetter).SetupWithManager(mgr, defaultCfg); err != nil {
 			log.Error().Err(err).Str("controller", "apiexportpolicy").Msg("unable to create controller")
 			return err
 		}

cmd/terminator.go

@@ -85,8 +85,8 @@ var terminatorCmd = &cobra.Command{
 			cmd.Context(),
 			log,
 		)
+		kcpClientGetter := iclient.NewConfigSchemeKCPClientGetter(mgr.GetLocalManager().GetConfig(), mgr.GetLocalManager().GetScheme())
 
-		kcpClientGetter := iclient.NewConfigSchemeKCPClientGetter(kcpCfg, scheme)
 		alcReconciler, err := controller.NewAccountLogicalClusterController(log, terminatorCfg, fgaClient, storeIDGetter, mgr, kcpClientGetter, controller.ControllerOptions{
 			Name:           "AccountLogicalClusterTerminator",
 			TerminatorName: terminatorCfg.TerminatorName(),

go.mod

@@ -1,6 +1,6 @@
 module github.com/platform-mesh/security-operator
 
-go 1.26
+go 1.26.0
 
 require (
 	github.com/coreos/go-oidc v2.5.0+incompatible
@@ -10,28 +10,29 @@ require (
 	github.com/google/gnostic-models v0.7.1
 	github.com/jellydator/ttlcache/v3 v3.4.0
 	github.com/kcp-dev/logicalcluster/v3 v3.0.5
-	github.com/kcp-dev/multicluster-provider v0.5.1
+	github.com/kcp-dev/multicluster-provider v0.7.0
+	github.com/kcp-dev/multicluster-provider/client v0.0.0-20260430101011-fa033a7d2e87
 	github.com/kcp-dev/sdk v0.31.1
 	github.com/openfga/api/proto v0.0.0-20260319214821-f153694bfc20
 	github.com/openfga/language/pkg/go v0.2.1
 	github.com/platform-mesh/account-operator v0.14.26
 	github.com/platform-mesh/golang-commons v0.16.11
-	github.com/platform-mesh/subroutines v0.3.3
+	github.com/platform-mesh/subroutines v0.4.3
 	github.com/rs/zerolog v1.35.1
 	github.com/spf13/cobra v1.10.2
 	github.com/spf13/pflag v1.0.10
 	github.com/spf13/viper v1.21.0
 	github.com/stretchr/testify v1.11.1
 	golang.org/x/oauth2 v0.36.0
 	google.golang.org/grpc v1.81.0
-	google.golang.org/protobuf v1.36.11
+	google.golang.org/protobuf v1.36.12-0.20260120151049-f2248ac996af
 	k8s.io/api v0.35.4
 	k8s.io/apiextensions-apiserver v0.35.4
-	k8s.io/apimachinery v0.35.4
+	k8s.io/apimachinery v0.36.0
 	k8s.io/client-go v0.35.4
 	k8s.io/utils v0.0.0-20260319190234-28399d86e0b5
 	sigs.k8s.io/controller-runtime v0.23.3
-	sigs.k8s.io/multicluster-runtime v0.23.1
+	sigs.k8s.io/multicluster-runtime v0.23.3
 	sigs.k8s.io/yaml v1.6.0
 )
 
@@ -75,7 +76,6 @@ require (
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
-	github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kcp-dev/apimachinery/v2 v2.31.1 // indirect
@@ -129,8 +129,8 @@ require (
 	gopkg.in/go-jose/go-jose.v2 v2.6.3 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/klog/v2 v2.130.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20260127142750-a19766b6e2d4 // indirect
+	k8s.io/klog/v2 v2.140.0 // indirect
+	k8s.io/kube-openapi v0.0.0-20260317180543-43fb72c5454a // indirect
 	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.2 // indirect