Draft
Conversation
- Introduce `App` CRD (api/v1/app_types.go) for namespaced GitHub App config - Add `appRef` to Token and ClusterToken CRDs/specs for referencing App - Implement App controller and registry for per-App ghait client caching - Update RBAC, Helm chart, and CRD manifests for App support - Add tests for App logic and registry caching - Bump chart version to 0.4.0 - Enhance metrics setup with OTEL resource attributes - Update docs for multi-tenancy and observability
generics - Extract shared reconciliation logic for Token and ClusterToken into generic helpers in internal/controller/reconcile_token.go - Introduce TokenReconcilerBase for shared dependencies - Add controller name constants in internal/controller/names.go - Refactor main.go to use TokenReconcilerBase - Remove unused ghapp/context.go and ghapp/ghapp.go - Refactor Registry to use functional options for testability - Simplify e2e test helpers for Token creation - Remove redundant TokenSpec tests
- Remove unused GetName methods from Token and ClusterToken types - Remove HasStartupConfig from ghapp.Registry and related test - Remove commented and scaffolding code from CRDs and API types - Refactor tokenmanager to simplify tokenSecret construction and context usage - Update controller and tokenmanager to use new tokenSecret API
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This pull request introduces a major new feature: support for managing multiple GitHub App credentials using a new
Appcustom resource, enabling per-tenant or per-org credentials in addition to the existing startup configuration. It also updates the CRD API, documentation, and developer workflow to reflect this enhancement, and adds comprehensive tests for the new and modified behaviors.New multi-App support and CRD changes:
AppCRD (api/v1/app_types.go,api/v1/appref.go) that allows users to define GitHub App credentials as first-class Kubernetes resources, supporting both cloud KMS-backed and Secret-backed keys. This enables per-tenant or per-namespace credential management and is referenced fromTokenandClusterTokenresources viaappRef. [1] [2]TokenandClusterTokenCRDs to support referencing the newAppresources usingspec.appRef, with appropriate handling for namespaced and cluster-scoped scenarios. Existing tokens continue to work without changes. [1] [2]Documentation updates:
README.mdwith a new section on managing multiple GitHub Apps using theAppCRD, including detailed usage instructions, YAML examples for both Secret- and KMS-backed Apps, migration notes, and security considerations. The feature matrix and sample manifests were also updated to reflect the new capabilities. [1] [2] [3]Status and condition improvements:
KeyValid,AppNotFound,AppNotReady, etc.) for better observability and troubleshooting of App and Token reconciliation.Developer workflow enhancements:
Makefileand documentation to clarify the requirement forPOD_NAMESPACEwhen running the controller locally, and improved the developer experience by defaulting it formake run. [1] [2] [3]Testing:
Appresource's status condition logic and for the correct resolution ofappRefin bothTokenandClusterTokenresources.