feat(rbac): add missing service account roles

Author: skipi

ee/rbac/assets/permissions.yaml

@@ -70,6 +70,10 @@ permissions:
       description: "View the existing dashboards within the organization."
     - name: "organization.dashboards.manage"
       description: "Create new dashboard views."
+    - name: "organization.service_accounts.view"
+      description: "View service accounts within the organization."
+    - name: "organization.service_accounts.manage"
+      description: "Manage service accounts within the organization."
   project:
     - name: "project.view"
       description: "Access the project. This permission is needed to see any page within the project."
@@ -133,3 +137,7 @@ permissions:
       description: "Manually stop running jobs or workflows."
     - name: "project.job.attach"
       description: "SSH into the running job, or start a debug session."
+    - name: "project.service_accounts.view"
+      description: "View service accounts within the project."
+    - name: "project.service_accounts.manage"
+      description: "Manage service accounts within the project."

ee/rbac/assets/roles.yaml

@@ -39,6 +39,8 @@ roles:
         - "organization.custom_roles.view"
         - "organization.dashboards.view"
         - "organization.dashboards.manage"
+        - "organization.service_accounts.view"
+        - "organization.service_accounts.manage"
     - name: "Admin"
       description: "Admins can modify settings within the organization or any of its projects. However, they do not have access to billing information, and they cannot change general organization details, such as the organization name and URL."
       maps_to: "Admin"
@@ -77,6 +79,8 @@ roles:
         - "organization.dashboards.view"
         - "organization.dashboards.manage"
         - "project.delete"
+        - "organization.service_accounts.view"
+        - "organization.service_accounts.manage"
     - name: "Member"
       description: "Members can access the organization's homepage and the projects they are assigned to. However, they are not able to modify any settings."
       permissions:
@@ -129,6 +133,8 @@ roles:
         - "project.job.rerun"
         - "project.job.stop"
         - "project.job.attach"
+        - "project.service_accounts.view"
+        - "project.service_accounts.manage"
     - name: "Contributor"
       description: "Contributors can manually run, stop, or edit workflows. They can view job logs, start debug sessions and SSH into the machines. Additionally, they can view secrets, schedulers, and notifications used within the projects but can't modify them."
       permissions:

helm-chart/templates/configmaps/features.yaml

@@ -112,6 +112,8 @@ data:
       enabled: true
     wf_editor_via_jobs:
       enabled: true
+    service_accounts:
+      enabled: true
 {{- else }}
   features.yml: |-
     activity_monitor:
@@ -216,4 +218,6 @@ data:
       enabled: true
     new_project_onboarding:
       enabled: true
+    service_accounts:
+      enabled: true
 {{- end }}

helm-chart/templates/configmaps/permissions.yaml

@@ -50,6 +50,10 @@ data:
           description: "Create new dashboard views."
         - name: "organization.instance_git_integration.manage"
           description: "Manage the instance Git integration settings."
+        - name: "organization.service_accounts.view"
+          description: "View service accounts within the organization."
+        - name: "organization.service_accounts.manage"
+          description: "Manage service accounts within the organization."
       project:
         - name: "project.view"
           description: "Access the project. This permission is needed to see any page within the project."
@@ -109,6 +113,10 @@ data:
           description: "Manually stop running jobs or workflows."
         - name: "project.job.attach"
           description: "SSH into the running job, or start a debug session."
+        - name: "project.service_accounts.view"
+          description: "View service accounts within the project."
+        - name: "project.service_accounts.manage"
+          description: "Manage service accounts within the project."
 {{- end }}
 {{- if eq .Values.global.edition "ee" }}
   permissions.yaml: |-
@@ -186,6 +194,10 @@ data:
           description: "Create new dashboard views."
         - name: "organization.instance_git_integration.manage"
           description: "Manage the instance Git integration settings."
+        - name: "organization.service_accounts.view"
+          description: "View service accounts within the organization."
+        - name: "organization.service_accounts.manage"
+          description: "Manage service accounts within the organization."
       project:
         - name: "project.view"
           description: "Access the project. This permission is needed to see any page within the project."
@@ -249,4 +261,9 @@ data:
           description: "Manually stop running jobs or workflows."
         - name: "project.job.attach"
           description: "SSH into the running job, or start a debug session."
-{{- end }}
+        - name: "project.service_accounts.view"
+          description: "View service accounts within the project."
+        - name: "project.service_accounts.manage"
+          description: "Manage service accounts within the project."
+
+{{- end }}

helm-chart/templates/configmaps/roles.yaml

@@ -33,6 +33,8 @@ data:
             - "organization.dashboards.view"
             - "organization.dashboards.manage"
             - "organization.instance_git_integration.manage"
+            - "organization.service_accounts.view"
+            - "organization.service_accounts.manage"
         - name: "Admin"
           description: "Admins can modify settings within the organization or any of its projects. However, they do not have access to billing information, and they cannot change general organization details, such as the organization name and URL."
           maps_to: "Admin"
@@ -57,6 +59,8 @@ data:
             - "organization.dashboards.view"
             - "organization.dashboards.manage"
             - "project.delete"
+            - "organization.service_accounts.view"
+            - "organization.service_accounts.manage"
         - name: "Member"
           description: "Members can access the organization's homepage and the projects they are assigned to. However, they are not able to modify any settings."
           permissions:
@@ -287,6 +291,8 @@ data:
             - "project.job.rerun"
             - "project.job.stop"
             - "project.job.attach"
+            - "project.service_accounts.view"
+            - "project.service_accounts.manage"
         - name: "Contributor"
           description: "Contributors can manually run, stop, or edit workflows. They can view job logs, start debug sessions and SSH into the machines. Additionally, they can view secrets, schedulers, and notifications used within the projects but can't modify them."
           permissions: