From f83741eb09d3609008fb526c0a6f55089934f40a Mon Sep 17 00:00:00 2001 From: Andrei Kvapil Date: Mon, 16 Jun 2025 20:10:17 +0200 Subject: [PATCH] Add extra helper function to generate subjects Signed-off-by: Andrei Kvapil --- packages/library/cozy-lib/templates/_rbac.tpl | 28 ++++++++++++++++--- 1 file changed, 24 insertions(+), 4 deletions(-) diff --git a/packages/library/cozy-lib/templates/_rbac.tpl b/packages/library/cozy-lib/templates/_rbac.tpl index b1e3e7fd..0759c0a3 100644 --- a/packages/library/cozy-lib/templates/_rbac.tpl +++ b/packages/library/cozy-lib/templates/_rbac.tpl @@ -35,6 +35,9 @@ super-admin: 3 {{- range $tenants }} - {{ . }} {{- end }} +{{- if not (eq . "tenant-root") }} +- tenant-root +{{- end }} {{- end }} {{- define "cozy-lib.rbac.groupSubject" -}} @@ -43,6 +46,12 @@ super-admin: 3 apiGroup: rbac.authorization.k8s.io {{- end }} +{{- define "cozy-lib.rbac.serviceAccountSubject" -}} +- kind: ServiceAccount + name: {{ . }} + namespace: {{ . }} +{{- end }} + {{- /* A helper function to get a list of groups that should have access, given a minimal access level and the tenant. Invoked as: 
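Review bot: The new branch makes `tenant-root` an implicit ancestor of every other tenant, so every subject list derived from this helper (group subjects, and after this patch ServiceAccount subjects too) now also grants the root tenant's identities in each child tenant; nothing in the hunk records that this widening is intended. Suggest a comment above the branch, e.g. `{{- /* tenant-root is treated as an ancestor of every tenant: its subjects are bound in all of them */ -}}`. If the parent walk earlier in this define already yields `tenant-root` for names under it, the entry is now emitted twice; guarding with `{{- if not (or (eq . "tenant-root") (has "tenant-root" $tenants)) }}` would avoid the duplicate subject. The enclosing define starts outside the hunk.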
@@ -75,12 +84,23 @@ super-admin: 3
 {{- define "cozy-lib.rbac.subjectsForTenantAndAccessLevel" }}
 {{- include "cozy-lib.checkInput" . }}
 {{- $level := index . 0 }}
-{{- $global := index . 1 }}
+{{- $tenant := index . 1 }}
 {{- $levels := include "cozy-lib.rbac.accessLevelsAtOrAbove" $level | fromYamlArray }}
-{{- $tenants := include "cozy-lib.rbac.allParentTenantsAndThis" $global.Release.Namespace | fromYamlArray }}
-{{- range $l := $levels }}
-{{- range $t := $tenants }}
+{{- $tenants := include "cozy-lib.rbac.allParentTenantsAndThis" $tenant | fromYamlArray }}
+{{- range $t := $tenants }}
+{{- include "cozy-lib.rbac.serviceAccountSubject" $t }}{{ printf "\n" }}
+{{- range $l := $levels }}
 {{- include "cozy-lib.rbac.groupSubject" (printf "%s-%s" $t $l) }}{{ printf "\n" }}
 {{- end }}
 {{- end}}
 {{- end }}
+
+{{- define "cozy-lib.rbac.subjectsForTenant" }}
+{{- include "cozy-lib.checkInput" . }}
+{{- $level := index . 0 }}
+{{- $tenant := index . 1 }}
+{{- $tenants := include "cozy-lib.rbac.allParentTenantsAndThis" $tenant | fromYamlArray }}
+{{- range $t := $tenants }}
+{{- include "cozy-lib.rbac.groupSubject" (printf "%s-%s" $t $level) }}{{ printf "\n" }}
+{{- end}}
+{{- end }}
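Review bot: The `serviceAccountSubject` include sits outside the `$levels` loop, so the ServiceAccount named after each ancestor tenant (and, via the change earlier in this patch, `tenant-root`) is added to every subject list this helper produces regardless of the requested level; a workload running as that ServiceAccount in an ancestor namespace thereby receives whatever the binding grants in every descendant tenant, and nothing in the hunk documents that this is the intended trust model. Suggest a comment above that line, e.g. `{{- /* each ancestor tenant's own ServiceAccount (<tenant>/<tenant>) is bound at any access level */ -}}`. The second argument also changed from the global context (`$global.Release.Namespace`) to a tenant name, and only this file is in the patch, so any caller elsewhere still passing `$` would now hand a map to `allParentTenantsAndThis`; worth confirming the call sites were updated. The new `cozy-lib.rbac.subjectsForTenant` lacks the `{{- /* ... Invoked as: ... */ -}}` header the other helpers in this file carry; it should state that it emits only the exact `<tenant>-<level>` group for each ancestor, with no ServiceAccount and no higher levels, and its `{{- end}}` would read better as `{{- end }}` like its neighbours.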