{{- if .Values.gitops.enabled }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: gitjob rules: - apiGroups: - "batch" resources: - 'jobs' verbs: - '*' - apiGroups: - "" resources: - 'pods' verbs: - 'list' - 'get' - 'watch' - apiGroups: - "" resources: - 'secrets' verbs: - '*' - apiGroups: - "" resources: - 'configmaps' verbs: - '*' - apiGroups: - "fleet.cattle.io" resources: - "gitrepos" - "gitrepos/status" verbs: - "*" - apiGroups: - "fleet.cattle.io" resources: - "gitreporestrictions" verbs: - list - get - watch - apiGroups: - "fleet.cattle.io" resources: - "bundles" - "bundledeployments" - "imagescans" - "contents" verbs: - list - delete - get - watch - update - apiGroups: - "" resources: - 'events' verbs: - '*' - apiGroups: - "" resources: - serviceaccounts verbs: - "create" - apiGroups: - "" resources: - namespaces verbs: - "create" - "delete" - apiGroups: - rbac.authorization.k8s.io resources: - roles verbs: - escalate - create - bind - apiGroups: - rbac.authorization.k8s.io resources: - rolebindings verbs: - create --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: gitjob-binding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: gitjob subjects: - kind: ServiceAccount name: gitjob namespace: {{ .Release.Namespace }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: gitjob rules: - apiGroups: - "coordination.k8s.io" resources: - "leases" verbs: - "*" --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: gitjob roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: gitjob subjects: - kind: ServiceAccount name: gitjob {{- end }}