feat(teams): enable token request for team service account

[Zaggy21]

Description

• Support-group teams can now request tokens for their ServiceAccount, enabling CI/CD pipelines to authenticate against the Greenhouse API using the team's identity
• Greenhouse automatically creates the necessary RBAC (Role + RoleBinding) alongside the existing ServiceAccount when a team is marked as a support-group
• A mutating webhook caps all token requests for Greenhouse-managed ServiceAccounts at 90 days

What type of PR is this? (check all applicable)

• 🍕 Feature
• 🐛 Bug Fix
• 📝 Documentation Update
• 🎨 Style
• 🧑‍💻 Code Refactor
• 🔥 Performance Improvements
• ✅ Test
• 🤖 Build
• 🔁 CI
• 📦 Chore (Release)
• ⏩ Revert

Related Tickets & Documents

• Closes [FEAT] - Enable token request for Team Service account #1965

Added tests?

• 👍 yes
• 🙅 no, because they aren't needed
• 🙋 no, because I need help
• Separate ticket for tests # (issue/pr)

Added unit tests.

Added to documentation?

• 📜 README.md
• 🤝 Documentation pages updated
• 🙅 no documentation needed
• (if applicable) generated OpenAPI docs for CRD changes

Checklist

• My code follows the style guidelines of this project
• I have performed a self-review of my code
• I have commented my code, particularly in hard-to-understand areas
• My changes generate no new warnings
• New and existing unit tests pass locally with my changes

[Copilot]

Pull request overview

This PR enables support-group Teams to request Kubernetes ServiceAccount tokens for their auto-created team ServiceAccount, allowing CI/CD pipelines to authenticate to the Greenhouse API as the team identity. It extends the Team controller to create and clean up the necessary namespace-scoped RBAC (Role + RoleBinding) alongside the existing support-group ServiceAccount.

Changes:

• Team controller now creates a Role permitting create on serviceaccounts/token for the team ServiceAccount, plus a RoleBinding binding that role to both the support-group:<team> group and the team ServiceAccount.
• Cleanup logic updated to delete the ServiceAccount, Role, and RoleBinding when the support-group label is removed.
• Added unit tests for RBAC creation/deletion, and updated user documentation with token request guidance.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

File	Description
internal/controller/team/team_controller.go	Creates/deletes support-group token-request RBAC (Role/RoleBinding) along with the team ServiceAccount.
internal/controller/team/team_controller_test.go	Adds tests asserting RBAC resources are created and deleted appropriately.
docs/user-guides/team/authorization.md	Documents how to request a token via kubectl create token and notes expiration capping.
charts/manager/templates/rbac/manager-role.yaml	Updates manager ClusterRole permissions related to RBAC resources.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.

[Copilot]

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

[Copilot]

Pull request overview

Copilot reviewed 10 out of 10 changed files in this pull request and generated 1 comment.

[Copilot]

Pull request overview

Copilot reviewed 11 out of 11 changed files in this pull request and generated 1 comment.

[Zaggy21]

I've checked that Helm templating works and that token expiration capping works correctly in local env. Also I considered setting an admission warning message about shortened token expiration (which would require validating webhook for create), but, as agreed with Abhi, the documentation and log message in webhook pod is enough.