{{- if .Values.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ .Release.Name }}
rules:
- apiGroups:
  - ""
  resources:
  - users
  - groups
  - serviceaccounts
  verbs:
  - impersonate
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
- apiGroups:
  - "authorization.k8s.io"
  resources:
  - selfsubjectaccessreviews
  verbs:
  - create

{{ if .Values.operator.enabled }}
- apiGroups:
  - "resources.teleport.dev"
  resources:
  - teleportroles
  - teleportroles/status
  - teleportusers
  - teleportusers/status
  - teleportgithubconnectors
  - teleportgithubconnectors/status
  - teleportoidcconnectors
  - teleportoidcconnectors/status
  - teleportsamlconnectors
  - teleportsamlconnectors/status
  - teleportloginrules
  - teleportloginrules/status
  - teleportprovisiontokens
  - teleportprovisiontokens/status
  - teleportoktaimportrules
  - teleportoktaimportrules/status
  verbs:
  - get
  - list
  - patch
  - update
  - watch

- apiGroups:
  - "coordination.k8s.io"
  resources:
  - leases
  verbs:
  - create
  - get
  - update

- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
{{- end -}}
{{- end -}}