{{/*
ClusterRoles for two optional components of the chart. Each document is
rendered only when rbac.create and the component's own enabled flag are both
true; with rbac.create=false this file contributes nothing.
*/}}
{{- if and .Values.rbac.create .Values.apiProxy.enabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ printf "%s-api-proxy" ( include "pomerium.fullname" . ) }}
  labels:
    app.kubernetes.io/name: {{ template "pomerium.name" . }}
    helm.sh/chart: {{ template "pomerium.chart" . }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    app.kubernetes.io/instance: {{ .Release.Name }}
  # Chart-wide .Values.annotations are copied in (values quoted). When none
  # are set the key is still emitted with a null value, which the API server
  # accepts.
  annotations:
  {{- if .Values.annotations }}
  {{- range $key, $value := .Values.annotations }}
    {{ $key }}: {{ $value | quote }}
  {{- end }}
  {{- end }}
rules:
  # impersonate on users, groups and serviceaccounts lets the holder act as
  # any identity the API server recognises, so whatever subject is bound to
  # this role is effectively as privileged as the most privileged identity it
  # can impersonate. Treat that subject's credentials as cluster-wide, and if
  # the set of impersonable identities is known, narrow it with resourceNames.
  - apiGroups:
      - ""
    resources:
      - users
      - groups
      - serviceaccounts
    verbs:
      - impersonate
  # Presumably used to ask the API server what the impersonated identity may
  # do before forwarding a request — confirm against the proxy code.
  - apiGroups:
      - "authorization.k8s.io"
    resources:
      - selfsubjectaccessreviews
    verbs:
      - create
{{- end }}
---
{{/*
Ingress-controller ClusterRole. Annotations prefer the controller's own
ingressController.deployment.annotations and fall back to the chart-wide
.Values.annotations; only one of the two blocks is rendered.
*/}}
{{ if and .Values.rbac.create .Values.ingressController.enabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ template "pomerium.ingressController.fullname" . }}
  labels:
    app.kubernetes.io/name: {{ template "pomerium.ingressController.name" . }}
    helm.sh/chart: {{ template "pomerium.chart" . }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: ingressController
  annotations:
  {{- if .Values.ingressController.deployment.annotations }}
  {{- range $key, $value := .Values.ingressController.deployment.annotations }}
    {{ $key }}: {{ $value | quote }}
  {{- end }}
  {{- else if .Values.annotations }}
  {{- range $key, $value := .Values.annotations }}
    {{ $key }}: {{ $value | quote }}
  {{- end }}
  {{- end }}
rules:
  # Cluster-wide list/watch on Secrets means the controller can read every
  # Secret in the cluster, not only the TLS Secrets referenced by Ingresses.
  # No get verb is granted, so reads go through list/watch only (consistent
  # with a cache/informer-based controller). NOTE(review): confirm whether a
  # namespace-scoped Role would suffice for deployments that only serve
  # Ingresses in a few namespaces.
  - apiGroups:
      - ""
    resources:
      - endpoints
      - nodes
      - pods
      - secrets
    verbs:
      - list
      - watch
  # NOTE(review): the group is quoted here and plain in the two rules below;
  # both parse to the same string, but one form should be used throughout.
  - apiGroups:
      - "networking.k8s.io" # k8s 1.14+
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  # Presumably for resolving the Services that Ingress backends point at.
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  # Allows the controller to record Events about the objects it reconciles.
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  # Write access is limited to the Ingress status subresource; the Ingress
  # spec itself stays read-only (get/list/watch above).
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingressclasses
    verbs:
      - get
      - list
      - watch
{{- end }}