{{- if .Values.serviceAccount.cstorOperator.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ .Values.serviceAccount.cstorOperator.name }}
  labels:
    {{- include "cstor.common.metaLabels" . | nindent 4 }}
  {{- with .Values.serviceAccount.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
{{- end }}
{{- if .Values.rbac.create }}
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: openebs-cstor-operator
  {{- with .Values.serviceAccount.annotations }}
  annotations: {{ toYaml . | nindent 4 }}
  {{- end }}
  labels:
    {{- include "cstor.common.metaLabels" . | nindent 4 }}
rules:
  - apiGroups: ["*"]
    resources: ["nodes", "nodes/proxy"]
    verbs: ["*"]
  - apiGroups: ["*"]
    resources: ["namespaces", "services", "pods", "deployments", "deployments/finalizers", "replicationcontrollers", "replicasets", "events", "endpoints", "configmaps", "secrets", "jobs", "cronjobs"]
    verbs: ["*"]
  - apiGroups: ["*"]
    resources: ["statefulsets", "daemonsets"]
    verbs: ["*"]
  - apiGroups: ["*"]
    resources: ["resourcequotas", "limitranges"]
    verbs: ["list", "watch"]
  - apiGroups: ["*"]
    resources: ["certificatesigningrequests"]
    verbs: ["list", "watch"]
  - apiGroups: ["*"]
    resources: ["storageclasses", "persistentvolumeclaims", "persistentvolumes"]
    verbs: ["*"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: [ "get", "list", "create", "update", "delete", "patch"]
  - apiGroups: ["openebs.io"]
    resources: ["*"]
    verbs: ["*" ]
  - apiGroups: ["cstor.openebs.io"]
    resources: ["*"]
    verbs: ["*" ]
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "watch", "list", "delete", "update", "create"]
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
    verbs: ["get", "create", "list", "delete", "update", "patch"]
  - nonResourceURLs: ["/metrics"]
    verbs: ["get"]
  - apiGroups: ["*"]
    resources: ["upgradetasks","migrationtasks"]
    verbs: ["*"]
  - apiGroups: ["*"]
    resources: ["poddisruptionbudgets"]
    verbs: ["get", "list", "create", "delete", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: openebs-cstor-operator
  {{- with .Values.serviceAccount.annotations }}
  annotations: {{ toYaml . | nindent 4 }}
  {{- end }}
  labels:
    {{- include "cstor.common.metaLabels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: openebs-cstor-operator
subjects:
- kind: ServiceAccount
  name: {{ .Values.serviceAccount.cstorOperator.name }}
  namespace: {{ .Release.Namespace }}
---
# Define Role that allows operations required for migration of snapshots
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: openebs-cstor-migration
  labels:
    {{- include "cstor.common.metaLabels" . | nindent 4 }}
rules:
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotclasses"]
    verbs: ["get", "list"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotcontents"]
    verbs: ["create", "get", "list"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshots"]
    verbs: ["create", "get", "list"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: openebs-cstor-migration
  labels:
    {{- include "cstor.common.metaLabels" . | nindent 4 }}
subjects:
- kind: ServiceAccount
  name: {{ .Values.serviceAccount.cstorOperator.name }}
  namespace: {{ .Release.Namespace }}
roleRef:
  kind: ClusterRole
  name: openebs-cstor-migration
  apiGroup: rbac.authorization.k8s.io
{{- end }}