{{- if .Values.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "external-secrets.fullname" . }}-controller
  labels:
    {{- include "external-secrets.labels" . | nindent 4 }}
rules:
  - apiGroups:
    - "external-secrets.io"
    resources:
    - "secretstores"
    - "clustersecretstores"
    - "externalsecrets"
    verbs:
    - "get"
    - "list"
    - "watch"
  - apiGroups:
    - "external-secrets.io"
    resources:
    - "externalsecrets"
    - "externalsecrets/status"
    - "externalsecrets/finalizers"
    verbs:
    - "update"
    - "patch"
  - apiGroups:
    - ""
    resources:
    - "serviceaccounts"
    verbs:
    - "get"
    - "list"
    - "watch"
  - apiGroups:
    - ""
    resources:
    - "configmaps"
    verbs:
    - "get"
    - "list"
    - "watch"
  - apiGroups:
    - ""
    resources:
    - "secrets"
    verbs:
    - "get"
    - "list"
    - "watch"
    - "create"
    - "update"
    - "delete"
    - "patch"
  - apiGroups:
    - ""
    resources:
    - "serviceaccounts/token"
    verbs:
    - "create"
  - apiGroups:
    - ""
    resources:
    - "events"
    verbs:
    - "create"
    - "patch"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "external-secrets.fullname" . }}-view
  labels:
    {{- include "external-secrets.labels" . | nindent 4 }}
    rbac.authorization.k8s.io/aggregate-to-view: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
  - apiGroups:
      - "external-secrets.io"
    resources:
      - "externalsecrets"
      - "secretstores"
      - "clustersecretstores"
    verbs:
      - "get"
      - "watch"
      - "list"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "external-secrets.fullname" . }}-edit
  labels:
    {{- include "external-secrets.labels" . | nindent 4 }}
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
  - apiGroups:
      - "external-secrets.io"
    resources:
      - "externalsecrets"
      - "secretstores"
      - "clustersecretstores"
    verbs:
      - "create"
      - "delete"
      - "deletecollection"
      - "patch"
      - "update"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "external-secrets.fullname" . }}-controller
  labels:
    {{- include "external-secrets.labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "external-secrets.fullname" . }}-controller
subjects:
  - name: {{ include "external-secrets.serviceAccountName" . }}
    namespace: {{ .Release.Namespace | quote }}
    kind: ServiceAccount
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ include "external-secrets.fullname" . }}-leaderelection
  namespace: {{ .Release.Namespace | quote }}
  labels:
    {{- include "external-secrets.labels" . | nindent 4 }}
rules:
  - apiGroups:
    - ""
    resources:
    - "configmaps"
    resourceNames:
    - "external-secrets-controller"
    verbs:
    - "get"
    - "update"
    - "patch"
  - apiGroups:
    - ""
    resources:
    - "configmaps"
    verbs:
    - "create"
  - apiGroups:
    - "coordination.k8s.io"
    resources:
    - "leases"
    verbs:
    - "get"
    - "create"
    - "update"
    - "patch"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ include "external-secrets.fullname" . }}-leaderelection
  namespace: {{ .Release.Namespace | quote }}
  labels:
    {{- include "external-secrets.labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ include "external-secrets.fullname" . }}-leaderelection
subjects:
  - kind: ServiceAccount
    name: {{ include "external-secrets.serviceAccountName" . }}
    namespace: {{ .Release.Namespace | quote }}
{{- end }}