{{- if and .Values.global.rbac.create .Values.global.rbac.userRoles.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ template "project-prometheus-stack.fullname" . }}-admin
  namespace: {{ template "project-prometheus-stack.namespace" . }}
  labels: {{ include "project-prometheus-stack.labels" . | nindent 4 }}
    helm.cattle.io/project-helm-chart-role: {{ .Release.Name }}
    {{- if .Values.global.rbac.userRoles.aggregateToDefaultRoles }}
    helm.cattle.io/project-helm-chart-role-aggregate-from: admin
    {{- end }}
rules:
- apiGroups:
  - ""
  resources:
  - services/proxy
  resourceNames:
  - "http:{{ template "project-prometheus-stack.fullname" . }}-prometheus:{{ .Values.prometheus.service.port }}"
  - "https:{{ template "project-prometheus-stack.fullname" . }}-prometheus:{{ .Values.prometheus.service.port }}"
  - "http:{{ template "project-prometheus-stack.fullname" . }}-alertmanager:{{ .Values.alertmanager.service.port }}"
  - "https:{{ template "project-prometheus-stack.fullname" . }}-alertmanager:{{ .Values.alertmanager.service.port }}"
  - "http:{{ include "call-nested" (list . "grafana" "grafana.fullname") }}:{{ .Values.grafana.service.port }}"
  - "https:{{ include "call-nested" (list . "grafana" "grafana.fullname") }}:{{ .Values.grafana.service.port }}"
  verbs:
  - 'get'
- apiGroups:
  - ""
  resources:
  - endpoints
  resourceNames:
  - {{ template "project-prometheus-stack.fullname" . }}-prometheus
  - {{ template "project-prometheus-stack.fullname" . }}-alertmanager
  - {{ include "call-nested" (list . "grafana" "grafana.fullname") }}
  verbs:
  - list
- apiGroups:
  - ""
  resources:
  - "secrets"
  resourceNames:
  - {{ printf "%s-alertmanager-secret" (include "project-prometheus-stack.fullname" .) }}
  verbs:
  - get
  - list
  - watch
  - update
  - patch
  - delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ template "project-prometheus-stack.fullname" . }}-edit
  namespace: {{ template "project-prometheus-stack.namespace" . }}
  labels: {{ include "project-prometheus-stack.labels" . | nindent 4 }}
    helm.cattle.io/project-helm-chart-role: {{ .Release.Name }}
    {{- if .Values.global.rbac.userRoles.aggregateToDefaultRoles }}
    helm.cattle.io/project-helm-chart-role-aggregate-from: edit
    {{- end }}
rules:
- apiGroups:
  - ""
  resources:
  - services/proxy
  resourceNames:
  - "http:{{ template "project-prometheus-stack.fullname" . }}-prometheus:{{ .Values.prometheus.service.port }}"
  - "https:{{ template "project-prometheus-stack.fullname" . }}-prometheus:{{ .Values.prometheus.service.port }}"
  - "http:{{ template "project-prometheus-stack.fullname" . }}-alertmanager:{{ .Values.alertmanager.service.port }}"
  - "https:{{ template "project-prometheus-stack.fullname" . }}-alertmanager:{{ .Values.alertmanager.service.port }}"
  - "http:{{ include "call-nested" (list . "grafana" "grafana.fullname") }}:{{ .Values.grafana.service.port }}"
  - "https:{{ include "call-nested" (list . "grafana" "grafana.fullname") }}:{{ .Values.grafana.service.port }}"
  verbs:
  - 'get'
- apiGroups:
  - ""
  resources:
  - endpoints
  resourceNames:
  - {{ template "project-prometheus-stack.fullname" . }}-prometheus
  - {{ template "project-prometheus-stack.fullname" . }}-alertmanager
  - {{ include "call-nested" (list . "grafana" "grafana.fullname") }}
  verbs:
  - list
- apiGroups:
  - ""
  resources:
  - "secrets"
  resourceNames:
  - {{ printf "%s-alertmanager-secret" (include "project-prometheus-stack.fullname" .) }}
  verbs:
  - get
  - list
  - watch
  - update
  - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ template "project-prometheus-stack.fullname" . }}-view
  namespace: {{ template "project-prometheus-stack.namespace" . }}
  labels: {{ include "project-prometheus-stack.labels" . | nindent 4 }}
    helm.cattle.io/project-helm-chart-role: {{ .Release.Name }}
    {{- if .Values.global.rbac.userRoles.aggregateToDefaultRoles }}
    helm.cattle.io/project-helm-chart-role-aggregate-from: view
    {{- end }}
rules:
- apiGroups:
  - ""
  resources:
  - services/proxy
  resourceNames:
  - "http:{{ template "project-prometheus-stack.fullname" . }}-prometheus:{{ .Values.prometheus.service.port }}"
  - "https:{{ template "project-prometheus-stack.fullname" . }}-prometheus:{{ .Values.prometheus.service.port }}"
  - "http:{{ template "project-prometheus-stack.fullname" . }}-alertmanager:{{ .Values.alertmanager.service.port }}"
  - "https:{{ template "project-prometheus-stack.fullname" . }}-alertmanager:{{ .Values.alertmanager.service.port }}"
  - "http:{{ include "call-nested" (list . "grafana" "grafana.fullname") }}:{{ .Values.grafana.service.port }}"
  - "https:{{ include "call-nested" (list . "grafana" "grafana.fullname") }}:{{ .Values.grafana.service.port }}"
  verbs:
  - 'get'
- apiGroups:
  - ""
  resources:
  - endpoints
  resourceNames:
  - {{ template "project-prometheus-stack.fullname" . }}-prometheus
  - {{ template "project-prometheus-stack.fullname" . }}-alertmanager
  - {{ include "call-nested" (list . "grafana" "grafana.fullname") }}
  verbs:
  - list
- apiGroups:
  - ""
  resources:
  - "secrets"
  resourceNames:
  - {{ printf "%s-alertmanager-secret" (include "project-prometheus-stack.fullname" .) }}
  verbs:
  - get
  - list
  - watch
{{- end }}