# ============LICENSE_START=======================================================
# oom-certservice-k8s-external-provider
# ================================================================================
# Copyright (c) 2019 Smallstep Labs, Inc.
# Modifications copyright (C) 2020 Nokia. All rights reserved.
# ================================================================================
# This source code was copied from the following git repository:
# https://github.com/smallstep/step-issuer
# The source code was modified for usage in the ONAP project.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# ============LICENSE_END=========================================================
#

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cmpv2-issuer-leader-election-role
  namespace: onap
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
  - apiGroups:
      - ""
    resources:
      - configmaps/status
    verbs:
      - get
      - update
      - patch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cmpv2-issuer-manager-role
rules:
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - cert-manager.io
    resources:
      - certificaterequests
    verbs:
      - get
      - list
      - update
      - watch
  - apiGroups:
      - cert-manager.io
    resources:
      - certificaterequests/status
    verbs:
      - get
      - patch
      - update
  - apiGroups:
      - certmanager.onap.org
    resources:
      - cmpv2issuers
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - certmanager.onap.org
    resources:
      - cmpv2issuers/status
    verbs:
      - get
      - patch
      - update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cmpv2-issuer-proxy-role
rules:
  - apiGroups:
      - authentication.k8s.io
    resources:
      - tokenreviews
    verbs:
      - create
  - apiGroups:
      - authorization.k8s.io
    resources:
      - subjectaccessreviews
    verbs:
      - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cmpv2-issuer-leader-election-rolebinding
  namespace: onap
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cmpv2-issuer-leader-election-role
subjects:
  - kind: ServiceAccount
    name: default
    namespace: onap
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cmpv2-issuer-manager-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cmpv2-issuer-manager-role
subjects:
  - kind: ServiceAccount
    name: default
    namespace: onap
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cmpv2-issuer-proxy-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cmpv2-issuer-proxy-role
subjects:
  - kind: ServiceAccount
    name: default
    namespace: onap