# Define Role that allows operations on K8s pods/deployments
{{- if .Values.rbac.create }}
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ include "nfsProvisioner.fullname" . }}
  {{- with .Values.nfsProvisioner.annotations }}
  annotations: {{ toYaml . | nindent 4 }}
  {{- end }}
  labels:
  {{- include "nfsProvisioner.labels" . | nindent 4 }}
rules:
  - apiGroups: ["*"]
    resources: ["nodes", "nodes/proxy"]
    verbs: ["*"]
  - apiGroups: ["*"]
    resources: ["namespaces", "services", "pods", "pods/exec", "deployments", "deployments/finalizers", "replicationcontrollers", "replicasets", "events", "endpoints", "configmaps", "secrets", "jobs", "cronjobs"]
    verbs: ["*"]
  - apiGroups: ["*"]
    resources: ["statefulsets", "daemonsets"]
    verbs: ["*"]
  - apiGroups: ["*"]
    resources: ["resourcequotas", "limitranges"]
    verbs: ["list", "watch"]
  - apiGroups: ["*"]
    resources: ["ingresses", "horizontalpodautoscalers", "verticalpodautoscalers", "poddisruptionbudgets", "certificatesigningrequests"]
    verbs: ["list", "watch"]
  - apiGroups: ["*"]
    resources: ["storageclasses", "persistentvolumeclaims", "persistentvolumes"]
    verbs: ["*"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: [ "get", "list", "create", "update", "delete", "patch"]
  - apiGroups: ["openebs.io"]
    resources: [ "*"]
    verbs: ["*"]
  - nonResourceURLs: ["/metrics"]
    verbs: ["get"]

{{- if .Values.rbac.pspEnabled }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "nfsProvisioner.fullname" . }}-psp
  {{- with .Values.nfsProvisioner.annotations }}
  annotations: {{ toYaml . | nindent 4 }}
  {{- end }}
  labels:
  {{- include "nfsProvisioner.labels" . | nindent 4 }}
rules:
  - apiGroups: ['policy']
    resources: ['podsecuritypolicies']
    verbs:     ['use']
    resourceNames:
      - {{ include "nfsProvisioner.fullname" . }}-psp
{{- end }}
{{- end }}