feat(teamrolebindings): support multiple teamRefs in a single TRB#1854
Merged
mikolajkucinski merged 9 commits intomainfrom Mar 26, 2026
Merged
feat(teamrolebindings): support multiple teamRefs in a single TRB#1854mikolajkucinski merged 9 commits intomainfrom
mikolajkucinski merged 9 commits intomainfrom
Conversation
github-actions
bot
added
size/L
feature
core-apis
helm-charts
documentation
mikolajkucinski
force-pushed
the
feat/teamrefs-in-trb
branch
from
50a6be2 to
d367bd6
Compare
mikolajkucinski
changed the title
mikolajkucinski
force-pushed
the
feat/teamrefs-in-trb
branch
3 times, most recently
from
7f0722b to
bc3804b
Compare
On-behalf-of: @SAP <mikolaj.kucinski@sap.com>
On-behalf-of: @SAP <mikolaj.kucinski@sap.com>
On-behalf-of: @SAP <mikolaj.kucinski@sap.com>
- Refactor getTeams to return partial results with missing team names - Add deduplication of teamRefs in defaulting webhook - Update printcolumn from teamRef to teamRefs for kubectl output - Add unit tests for resolveTeamRefs fallback path - Add webhook tests for dedup scenarios On-behalf-of: @SAP <mikolaj.kucinski@sap.com>
mikolajkucinski
force-pushed
the
feat/teamrefs-in-trb
branch
from
3dcca81 to
755e272
Compare
mikolajkucinski
force-pushed
the
feat/teamrefs-in-trb
branch
from
755e272 to
f66b97f
Compare
…pproach On-behalf-of: @SAP <mikolaj.kucinski@sap.com>
mikolajkucinski
force-pushed
the
feat/teamrefs-in-trb
branch
from
14a96cc to
2e0d4bb
Compare
mikolajkucinski
changed the title
Contributor
There was a problem hiding this comment.
Pull request overview
This PR extends TeamRoleBinding to support binding a single TeamRole to multiple Teams via spec.teamRefs, while deprecating the legacy spec.teamRef. The webhook defaults/migrates legacy fields, the controller reconciles RBAC across multiple teams (tolerating missing teams), and metrics/tests are updated accordingly.
Changes:
- Add
spec.teamRefsto the API/CRD and deprecatespec.teamRef(with deepcopy + printcolumn updates). - Update webhook defaulting/validation and add tests for migration/deduplication + deprecation warnings.
- Update TeamRBAC controller/metrics to resolve multiple teams, reconcile subjects accordingly, and add/adjust tests.
Reviewed changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
api/v1alpha2/teamrolebinding_types.go |
Adds TeamRefs to the spec, deprecates TeamRef, updates printer columns. |
api/v1alpha2/zz_generated.deepcopy.go |
Adds deepcopy support for TeamRefs. |
charts/manager/crds/greenhouse.sap_teamrolebindings.yaml |
CRD schema + printer column updates for teamRefs and deprecation text for teamRef. |
api/well_known.go |
Renames field index constant to .spec.teamRefs. |
internal/webhook/v1alpha2/teamrolebinding_webhook.go |
Implements defaulting migration to teamRefs + deprecation warnings; updates warning aggregation. |
internal/webhook/v1alpha2/teamrolebinding_webhook_test.go |
Adds/updates tests for defaulting migration, deduplication, and warnings. |
internal/controller/teamrbac/teamrolebinding_controller.go |
Reconciles RBAC subjects from multiple teams; indexes/enqueues by teamRefs; adds resolveTeamRefs + getTeams. |
internal/controller/teamrbac/metrics.go |
Emits readiness gauge per teamRef; cleans up old label sets on updates. |
internal/controller/teamrbac/teamrolebinding_controller_test.go |
Adds integration tests for multi-team behavior and legacy teamRef migration. |
internal/controller/teamrbac/teamrolebinding_controller_unit_test.go |
Adds unit tests for resolveTeamRefs. |
internal/test/resources.go |
Adds WithTeamRefs test helper; keeps WithTeamRef for backwards compatibility. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
On-behalf-of: @SAP <mikolaj.kucinski@sap.com>
mikolajkucinski
force-pushed
the
feat/teamrefs-in-trb
branch
from
ac8d608 to
d026605
Compare
abhijith-darshan
approved these changes
Mar 26, 2026
This was referenced Apr 1, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Adds
teamRefstoTeamRoleBindingSpecso a single TRB can reference multiple teams. The oldteamRefis deprecated (the webhook merges it intoteamRefsautomatically, so existing resources migrate lazily). The controller handles partial failures (missing teams don't break RBAC for the rest) and metrics track each team individually.What type of PR is this? (check all applicable)
Related Tickets & Documents
Added tests?
Added to documentation?
Checklist