refactor(charts): consolidate GitHub configuration keys and structure

Author: onuryilmaz

charts/repo-guard/templates/github.yaml

@@ -1,22 +1,22 @@
 # SPDX-FileCopyrightText: 2025 SAP SE or an SAP affiliate company and Greenhouse contributors
 # SPDX-License-Identifier: Apache-2.0
 
-{{- range $githubKey, $githubItem := .Values.githubs }}
+{{- range $githubItem := .Values.githubs }}
 apiVersion: repoguard.sap/v1
 kind: Github
 metadata:
-  name: {{ $githubKey | lower }}
+  name: {{ $githubItem.name | lower }}
 spec:
   webURL: {{ $githubItem.webURL | default "" }}
   v3APIURL: {{ $githubItem.v3APIURL | default "" }}
   integrationID: {{ $githubItem.integrationID | int64 }}
-  clientUserAgent: repo-guard-{{ $githubKey | lower }}
-  secret: github-{{ $githubKey | lower }}-secret
+  clientUserAgent: repo-guard-{{ $githubItem.name | lower }}
+  secret: github-{{ $githubItem.name | lower }}-secret
 ---
 apiVersion: v1
 kind: Secret
 metadata:
-  name: github-{{ $githubKey | lower }}-secret
+  name: github-{{ $githubItem.name | lower }}-secret
 type: Opaque
 data:
   clientID: {{ $githubItem.clientID | b64enc }}

charts/repo-guard/templates/githubaccountlink.yaml

@@ -1,45 +1,43 @@
 # SPDX-FileCopyrightText: 2025 SAP SE or an SAP affiliate company and Greenhouse contributors
 # SPDX-License-Identifier: Apache-2.0
 
-{{- range $githubKey, $githubItem := .Values.githubs }}
-    {{- if $githubItem.githubAccountLinks }}
-      {{- /* Build per-org email check configuration map for all orgs under this GitHub */ -}}
-      {{- $emailCfgByOrg := dict -}}
-      {{- if $githubItem.organizations -}}
-        {{- range $oidx, $org := $githubItem.organizations -}}
-          {{- if and $org.githubAccountLinkEmailCheck (or ($org.githubAccountLinkEmailCheck.domain) ($org.githubAccountLinkEmailCheck.enabled) ($org.githubAccountLinkEmailCheck.ttl)) -}}
-            {{- $entry := dict -}}
-            {{- if $org.githubAccountLinkEmailCheck.domain -}}
-              {{- $_ := set $entry "domain" $org.githubAccountLinkEmailCheck.domain -}}
-            {{- end -}}
-            {{- if hasKey $org.githubAccountLinkEmailCheck "enabled" -}}
-              {{- $_ := set $entry "enabled" ($org.githubAccountLinkEmailCheck.enabled | default false) -}}
-            {{- else -}}
-              {{- $_ := set $entry "enabled" false -}}
-            {{- end -}}
-            {{- if $org.githubAccountLinkEmailCheck.ttl -}}
-              {{- $_ := set $entry "ttl" $org.githubAccountLinkEmailCheck.ttl -}}
-            {{- end -}}
-            {{- /* key by organization name */ -}}
-            {{- $_ := set $emailCfgByOrg $org.organization $entry -}}
-          {{- end -}}
-        {{- end -}}
-      {{- end -}}
-      {{- range $uidx, $user := $githubItem.githubAccountLinks }}
+{{- /* Build per-github email check configuration maps */ -}}
+{{- $emailConfigs := dict -}}
+{{- range $org := .Values.githubOrganizations -}}
+  {{- if and $org.githubAccountLinkEmailCheck (or ($org.githubAccountLinkEmailCheck.domain) ($org.githubAccountLinkEmailCheck.enabled) ($org.githubAccountLinkEmailCheck.ttl)) -}}
+    {{- if not (hasKey $emailConfigs $org.github) -}}
+      {{- $_ := set $emailConfigs $org.github (dict) -}}
+    {{- end -}}
+    {{- $ghCfg := get $emailConfigs $org.github -}}
+    {{- $entry := dict -}}
+    {{- if $org.githubAccountLinkEmailCheck.domain -}}
+      {{- $_ := set $entry "domain" $org.githubAccountLinkEmailCheck.domain -}}
+    {{- end -}}
+    {{- if hasKey $org.githubAccountLinkEmailCheck "enabled" -}}
+      {{- $_ := set $entry "enabled" ($org.githubAccountLinkEmailCheck.enabled | default false) -}}
+    {{- else -}}
+      {{- $_ := set $entry "enabled" false -}}
+    {{- end -}}
+    {{- if $org.githubAccountLinkEmailCheck.ttl -}}
+      {{- $_ := set $entry "ttl" $org.githubAccountLinkEmailCheck.ttl -}}
+    {{- end -}}
+    {{- $_ := set $ghCfg $org.organization $entry -}}
+  {{- end -}}
+{{- end -}}
+
+{{- range $user := .Values.githubAccountLinks }}
 apiVersion: repoguard.sap/v1
 kind: GithubAccountLink
 metadata:
-  name: {{ $githubKey | lower }}--{{ $user.userID | lower }}
-  {{- $hasCfg := gt (len $emailCfgByOrg) 0 -}}
-  {{- if $hasCfg }}
+  name: {{ $user.github | lower }}--{{ $user.userID | lower }}
+  {{- $emailCfgByOrg := index $emailConfigs $user.github -}}
+  {{- if $emailCfgByOrg }}
   annotations:
     repoguard.sap/email-check-config: {{ toJson $emailCfgByOrg | quote }}
   {{- end }}
 spec:
-  github: {{ $githubKey | lower }}
+  github: {{ $user.github | lower }}
   githubUserID: {{ $user.githubID | int64 | quote }}
   userID: {{ $user.userID }}
 ---
-      {{- end }}
-    {{- end }}
 {{- end }}

charts/repo-guard/templates/githuborganization.yaml

@@ -1,13 +1,11 @@
 # SPDX-FileCopyrightText: 2025 SAP SE or an SAP affiliate company and Greenhouse contributors
 # SPDX-License-Identifier: Apache-2.0
 
-{{- range $githubKey, $githubItem := .Values.githubs }}
-  {{- if $githubItem.organizations }}
-    {{- range $idx, $org := $githubItem.organizations }}
+{{- range $org := .Values.githubOrganizations }}
 apiVersion: repoguard.sap/v1
 kind: GithubOrganization
 metadata:
-  name: {{ $githubKey }}--{{ $org.organization | replace "/" "-" | lower }}
+  name: {{ $org.github }}--{{ $org.organization | replace "/" "-" | lower }}
   labels:
     repoguard.sap/addTeam: "{{ $org.addTeam | default "true" }}"
     repoguard.sap/removeTeam: "{{ $org.removeTeam | default "true" }}"
@@ -26,7 +24,7 @@ metadata:
     repoguard.sap/skipDefaultRepositoryTeams: "{{ $skipTeams }}"
   {{- end }}
 spec:
-  github: {{ $githubKey }}
+  github: {{ $org.github }}
   organization: {{ $org.organization }}
   {{- if and $org.defaultPublicRepositoryTeams (gt (len $org.defaultPublicRepositoryTeams) 0) }}
   defaultPublicRepositoryTeams:
@@ -42,6 +40,4 @@ spec:
   {{- end }}
   installationID: {{ $org.installationID | int64 }}
 ---
-    {{- end }}
-  {{- end }}
 {{- end }}

charts/repo-guard/templates/githubteam.yaml

@@ -1,15 +1,13 @@
 # SPDX-FileCopyrightText: 2025 SAP SE or an SAP affiliate company and Greenhouse contributors
 # SPDX-License-Identifier: Apache-2.0
 
-{{- range $githubKey, $githubItem := .Values.githubs }}
-  {{- if $githubItem.organizations }}
-    {{- range $idx, $org := $githubItem.organizations }}
-      {{- if $org.teams }}
-        {{- range $tidx, $team := $org.teams }}
+{{- range $org := .Values.githubOrganizations }}
+  {{- if $org.teams }}
+    {{- range $tidx, $team := $org.teams }}
 apiVersion: repoguard.sap/v1
 kind: GithubTeam
 metadata:
-  name: {{ $githubKey }}--{{ $org.organization | replace "/" "-" | lower }}--{{ $team.name | replace "_" "-" | replace " " "-" | lower }}
+  name: {{ $org.github }}--{{ $org.organization | replace "/" "-" | lower }}--{{ $team.name | replace "_" "-" | replace " " "-" | lower }}
   labels:
     repoguard.sap/addUser: "{{ $team.addUsers | default "true" }}"
     repoguard.sap/removeUser: "{{ $team.removeUsers | default "true" }}"
@@ -117,15 +115,13 @@ spec:
       group: {{ $team.static.group }}
     {{- end }}
   {{- end }}
-  github: {{ $githubKey }}
+  github: {{ $org.github }}
   organization: {{ $org.organization }}
   team: {{ $team.name }}
   {{- if $team.greenhouseTeam }}
   greenhouseTeam: {{ $team.greenhouseTeam }}
   {{- end }}
 ---
-        {{- end }}
-      {{- end }}
     {{- end }}
   {{- end }}
 {{- end }}

charts/repo-guard/templates/githubteamrepository.yaml

@@ -1,25 +1,21 @@
 # SPDX-FileCopyrightText: 2025 SAP SE or an SAP affiliate company and Greenhouse contributors
 # SPDX-License-Identifier: Apache-2.0
 
-{{- range $githubKey, $githubItem := .Values.githubs }}
-  {{- if $githubItem.organizations }}
-    {{- range $idx, $org := $githubItem.organizations }}
-      {{- if $org.teamRepositoryAssignments }}
-        {{- range $ridx, $assign := $org.teamRepositoryAssignments }}
+{{- range $org := .Values.githubOrganizations }}
+  {{- if $org.teamRepositoryAssignments }}
+    {{- range $ridx, $assign := $org.teamRepositoryAssignments }}
 apiVersion: repoguard.sap/v1
 kind: GithubTeamRepository
 metadata:
-  name: {{ $githubKey }}--{{ $org.organization | replace "/" "-" | lower }}--{{ $assign.team | replace "_" "-" | replace " " "-" | lower }}--{{ $assign.permission }}
+  name: {{ $org.github }}--{{ $org.organization | replace "/" "-" | lower }}--{{ $assign.team | replace "_" "-" | replace " " "-" | lower }}--{{ $assign.permission }}
 spec:
-  github: {{ $githubKey }}
+  github: {{ $org.github }}
   organization: {{ $org.organization }}
   team: {{ $assign.team }}
   repository:
 {{ toYaml $assign.repositories | indent 4 }}
   permission: {{ $assign.permission }}
 ---
-        {{- end }}
-      {{- end }}
     {{- end }}
   {{- end }}
 {{- end }}

charts/repo-guard/values.yaml

@@ -2,7 +2,7 @@
 # SPDX-License-Identifier: Apache-2.0
 
 manager:
-  enabled: true
+  enabled: false
   image:
       repository: ghcr.io/cloudoperators/repo-guard
   resources:
@@ -74,85 +74,87 @@ monitoring:
 #          - user2
 
 # githubs:
-#  enterprise:
-#    webURL: 
-#    v3APIURL: 
-#    integrationID: 
-#    clientID:
-#    clientSecret: 
-#    privateKey: 
-#    
-#    githubAccountLinks:
-#    - userID: 
-#      githubUsername:
-#      githubID:
-
-#    organizations:
-#      - organization:
-#        installationID:
-#        # TTL overrides applied to this organization and all its teams
-#        # If omitted, chart-wide defaults in .Values.ttl are used.
-#        ttl:
-#          failed: 24h        # overrides ttl.team.failed and ttl.organization.failed where applicable
-#          notfound: 24h      # overrides ttl.team.notfound
-#          completed: 72h     # overrides ttl.team.completed and ttl.organization.completed where applicable
-#        addTeam:  
-#        removeTeam:  
-#        addOrganizationOwner:  
-#        removeOrganizationOwner:  
-#        addRepositoryTeam: 
-#        removeRepositoryTeam:  
-#        dryRun:  
-#        disableInternalUsernames:  
-#        # GithubAccountLink email verification settings applied to all GALs
-#        # associated with this GitHub (organization-level policy).
-#        # When set, the Helm chart will populate a JSON annotation on each
-#        # GithubAccountLink containing per-organization config entries:
-#        #   repoguard.sap/email-check-config: '{ "<org>": {"domain": "example.com", "enabled": true, "ttl": "1h" } }'
-#        # The controller will write results into:
-#        #   repoguard.sap/email-check-results: '{ "<org>": {"domain":"example.com","status":"verified|not-part-of-org|no","timestamp":"..."} }'
-#        githubAccountLinkEmailCheck:
-#          # Domain to require for verified email, e.g., example.com
-#          domain: ""
-#          # Whether to actively check email verification status
-#          enabled: false
-#          # Optional TTL for re-checking email status
-#          ttl: ""
-
-#        defaultPublicRepositoryTeams:  
-#        - team:
-#          permission:
-#       
-#        defaultPrivateRepositoryTeams: 
-#        - team:
-#          permission:
-#    
-#        organizationOwnerTeams:
-#          -
+#   - name: enterprise
+#     webURL:
+#     v3APIURL:
+#     integrationID:
+#     clientID:
+#     clientSecret:
+#     privateKey:
 
-#        teams:
-#        - name:  
-#          greenhouseTeam:
-#          # ldap group example referencing top-level ldap provider name:
-#          # ldapGroup: cn=my-group,ou=groups,dc=example,dc=org
-#          # ldap object example allowing provider and kind override:
-#          # ldap:
-#          #   provider: corp-ldap   # defaults to .Values.ldaps[0].name if omitted
-#          #   kind: ClusterLDAPGroupProvider # optional, auto-populated if provider matches an entry in .Values.ldaps
-#          #   group: cn=my-group,ou=groups,dc=example,dc=org
-#          # generic http example:
-#          # genericHTTP:
-#          #   provider: my-http-provider  # must match an entry in genericExternalMemberProviders.name
-#          #   kind: ClusterGenericExternalMemberProvider # optional, auto-populated if provider matches an entry in .Values.genericExternalMemberProviders
-#          #   group: engineers
-#          # static example:
-#          # static:
-#          #   provider: my-static-provider # must match an entry in staticMemberProviders.name
-#          #   kind: ClusterStaticMemberProvider # optional, auto-populated if provider matches an entry in .Values.staticMemberProviders
-#          #   group: team-a
+# githubAccountLinks:
+#   - github: enterprise
+#     userID:
+#     githubUsername:
+#     githubID:
 
-#        teamRepositoryAssignments:
-#          - team: 
-#            repositories:
-#             - 
-#            permission: 
+# githubOrganizations:
+#   - github: enterprise
+#     organization:
+#     installationID:
+#     # TTL overrides applied to this organization and all its teams
+#     # If omitted, chart-wide defaults in .Values.ttl are used.
+#     ttl:
+#       failed: 24h        # overrides ttl.team.failed and ttl.organization.failed where applicable
+#       notfound: 24h      # overrides ttl.team.notfound
+#       completed: 72h     # overrides ttl.team.completed and ttl.organization.completed where applicable
+#     addTeam:
+#     removeTeam:
+#     addOrganizationOwner:
+#     removeOrganizationOwner:
+#     addRepositoryTeam:
+#     removeRepositoryTeam:
+#     dryRun:
+#     disableInternalUsernames:
+#     # GithubAccountLink email verification settings applied to all GALs
+#     # associated with this GitHub (organization-level policy).
+#     # When set, the Helm chart will populate a JSON annotation on each
+#     # GithubAccountLink containing per-organization config entries:
+#     #   repoguard.sap/email-check-config: '{ "<org>": {"domain": "example.com", "enabled": true, "ttl": "1h" } }'
+#     # The controller will write results into:
+#     #   repoguard.sap/email-check-results: '{ "<org>": {"domain":"example.com","status":"verified|not-part-of-org|no","timestamp":"..."} }'
+#     githubAccountLinkEmailCheck:
+#       # Domain to require for verified email, e.g., example.com
+#       domain: ""
+#       # Whether to actively check email verification status
+#       enabled: false
+#       # Optional TTL for re-checking email status
+#       ttl: ""
+#
+#     defaultPublicRepositoryTeams:
+#       - team:
+#         permission:
+#
+#     defaultPrivateRepositoryTeams:
+#       - team:
+#         permission:
+#
+#     organizationOwnerTeams:
+#       -
+#
+#     teams:
+#       - name:
+#         greenhouseTeam:
+#         # ldap group example referencing top-level ldap provider name:
+#         # ldapGroup: cn=my-group,ou=groups,dc=example,dc=org
+#         # ldap object example allowing provider and kind override:
+#         # ldap:
+#         #   provider: corp-ldap   # defaults to .Values.ldaps[0].name if omitted
+#         #   kind: ClusterLDAPGroupProvider # optional, auto-populated if provider matches an entry in .Values.ldaps
+#         #   group: cn=my-group,ou=groups,dc=example,dc=org
+#         # generic http example:
+#         # genericHTTP:
+#         #   provider: my-http-provider  # must match an entry in genericExternalMemberProviders.name
+#         #   kind: ClusterGenericExternalMemberProvider # optional, auto-populated if provider matches an entry in .Values.genericExternalMemberProviders
+#         #   group: engineers
+#         # static example:
+#         # static:
+#         #   provider: my-static-provider # must match an entry in staticMemberProviders.name
+#         #   kind: ClusterStaticMemberProvider # optional, auto-populated if provider matches an entry in .Values.staticMemberProviders
+#         #   group: team-a
+#
+#     teamRepositoryAssignments:
+#       - team:
+#         repositories:
+#           -
+#         permission: