{{- if .Values.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ .Release.Name }}
  labels: {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ .Release.Name }}
subjects:
- kind: ServiceAccount
  name: {{ include "teleport-cluster.auth.serviceAccountName" . }}
  namespace: {{ .Release.Namespace }}
---
# This ClusterRoleBinding allows the auth service-account to validate Kubernetes tokens
# This is required for proxies to join using their Kubernetes tokens
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ .Release.Name }}-auth
  labels: {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
- kind: ServiceAccount
  name: {{ include "teleport-cluster.auth.serviceAccountName" . }}
  namespace: {{ .Release.Namespace }}
{{- end }}