{{- if .Values.rbac.create -}}

# Roles
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ template "metallb.fullname" . }}:controller
  labels:
    heritage: {{ .Release.Service | quote }}
    release: {{ .Release.Name | quote }}
    chart: {{ template "metallb.chart" . }}
    app: {{ template "metallb.name" . }}
rules:
- apiGroups: [""]
  resources: ["services"]
  verbs: ["get", "list", "watch", "update"]
- apiGroups: [""]
  resources: ["services/status"]
  verbs: ["update"]
- apiGroups: [""]
  resources: ["events"]
  verbs: ["create", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ template "metallb.fullname" . }}:speaker
  labels:
    heritage: {{ .Release.Service | quote }}
    release: {{ .Release.Name | quote }}
    chart: {{ template "metallb.chart" . }}
    app: {{ template "metallb.name" . }}
rules:
- apiGroups: [""]
  resources: ["services", "endpoints", "nodes"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["events"]
  verbs: ["create", "patch"]
{{- if .Values.psp.create }}
- apiGroups: ["extensions"]
  resources: ["podsecuritypolicies"]
  resourceNames: [{{ printf "%s-speaker" (include "metallb.fullname" .) | quote}}]
  verbs: ["use"]
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ template "metallb.fullname" . }}-config-watcher
  labels:
    heritage: {{ .Release.Service | quote }}
    release: {{ .Release.Name | quote }}
    chart: {{ template "metallb.chart" . }}
    app: {{ template "metallb.name" . }}
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get", "list", "watch"]
---

## Role bindings
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ template "metallb.fullname" . }}:controller
  labels:
    heritage: {{ .Release.Service | quote }}
    release: {{ .Release.Name | quote }}
    chart: {{ template "metallb.chart" . }}
    app: {{ template "metallb.name" . }}
subjects:
- kind: ServiceAccount
  name: {{ template "metallb.controllerServiceAccountName" . }}
  namespace: {{ .Release.Namespace }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ template "metallb.fullname" . }}:controller
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ template "metallb.fullname" . }}:speaker
  labels:
    heritage: {{ .Release.Service | quote }}
    release: {{ .Release.Name | quote }}
    chart: {{ template "metallb.chart" . }}
    app: {{ template "metallb.name" . }}
subjects:
- kind: ServiceAccount
  name: {{ template "metallb.speakerServiceAccountName" . }}
  namespace: {{ .Release.Namespace }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ template "metallb.fullname" . }}:speaker
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ template "metallb.fullname" . }}-config-watcher
  labels:
    heritage: {{ .Release.Service | quote }}
    release: {{ .Release.Name | quote }}
    chart: {{ template "metallb.chart" . }}
    app: {{ template "metallb.name" . }}
subjects:
- kind: ServiceAccount
  name: {{ template "metallb.controllerServiceAccountName" . }}
- kind: ServiceAccount
  name: {{ template "metallb.speakerServiceAccountName" . }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ template "metallb.fullname" . }}-config-watcher
{{- end -}}