Skip to content

feat(resourcemanager): Remove auto-provision and unify org quota#254

Open
mattdjenkinson wants to merge 10 commits into
mainfrom
feat/unified-organizations
Open

feat(resourcemanager): Remove auto-provision and unify org quota#254
mattdjenkinson wants to merge 10 commits into
mainfrom
feat/unified-organizations

Conversation

@mattdjenkinson

Copy link
Copy Markdown
Contributor

Summary

New users should not get a personal org and default project from a controller before they have chosen how to work. This removes PersonalOrganizationController and the validation policy that blocked renaming personal org display names.

Project quota no longer branches on org type. A single grant creation policy gives every organization a 10-project allowance. The old personal (2) and standard (10) policies are removed.

Ship this with the milo unified-org schema PR. Apply the new grant policy before deleting the legacy ones so orgs created during rollout still receive grants.

Test plan

  • go build ./...
  • Datum controller manager starts without PersonalOrganizationController config
  • New org create (via portal or API) receives a 10-project grant from organization-project-quota-policy
  • Existing personal org grants migrated per milo runbook (2 to 10 where needed)

Breaking changes

  • Signup no longer auto-creates personal-org-* or personal-project-* resources.
  • disallow-personal-org-name-change ValidatingAdmissionPolicy removed.

Notes for reviewers

  • Blocked on milo-os/milo unified organizations API landing first (or shipping in the same release window).
  • Portal onboarding that creates orgs explicitly must be live before this deploys to production, or new signups will have zero orgs until they complete onboarding.

Related to milo-os/milo#636

Stop creating personal orgs and projects at signup. Replace type-split
project grant policies with a single 10-project policy for all orgs.
@mattdjenkinson mattdjenkinson marked this pull request as ready for review June 28, 2026 15:33
@mattdjenkinson mattdjenkinson requested a review from a team as a code owner June 28, 2026 15:33
@mattdjenkinson mattdjenkinson requested a review from gaghan430 June 28, 2026 15:33
ecv
ecv previously approved these changes Jun 28, 2026
@mattdjenkinson mattdjenkinson requested review from a team, JoseSzycho, kevwilliams, savme and scotwells and removed request for gaghan430 June 28, 2026 15:36
@scotwells

Copy link
Copy Markdown
Collaborator

@mattdjenkinson we should put this behind a service level feature flag so it's easy to enable / disable in an environment. We only want to remove it once the feature is fully removed from all environments. This will make it easier to release an updated version that lets us keep it enabled in production but disable it in staging.

@mattdjenkinson

Copy link
Copy Markdown
Contributor Author

@scotwells yep good shout, i was going to ask you about the best way to release all this.

…feature flag

Restore personal org controller and legacy quota policies for gate-off
environments, with a legacy-organizations overlay that drops the unified
grant policy when both would conflict.
Keep legacy grant and validation policy manifests inside the overlay tree
so the component builds when composed with ./services, and drop the unified
quota policy via patch.
Copy pkg/features into the container build context and replace the ginkgo
envtest scaffold with a unit test so go test works without kubebuilder.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should default to the existing behavior to prevent breaking changes on release. This lets us only modify the staging environment to enable the new functionality instead of having to coordinate between all environments.

Restore personal/standard grant policies and validation resources in the
default resourcemanager kustomization. Move unified quota policy into
config/overlays/unified-organizations so only environments that opt in
with the feature gate need the overlay, per release safety review.
Refresh manager-role rules after make manifests.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants