{{- if .Values.serviceAccount.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: vals-operator
  labels:
    {{- include "vals-operator.labels" . | nindent 4 }}
rules:
  {{- if .Values.enableDbSecrets }}
- apiGroups:
  - "apps"
  resources:
  - "statefulsets"
  - "deployments"
  verbs:
  - "get"
  - "list"
  - "watch"
  - "update"
  - "delete"
  - "create"
  {{- end }}
- apiGroups:
  - ""
  resources:
  - "secrets"
  verbs:
  - "get"
  - "list"
  - "watch"
  - "update"
  - "delete"
  - "create"
- apiGroups:
  - ""
  resources:
  - "events"
  verbs:
  - "create"
  - "patch"
- apiGroups:
  - "digitalis.io"
  resources:
  - "valssecrets"
  verbs:
  - "get"
  - "list"
  - "watch"
  - "update"
  - "delete"
  - "create"
{{- if .Values.enableDbSecrets }}
- apiGroups:
  - "digitalis.io"
  resources:
  - "dbsecrets"
  verbs:
  - "get"
  - "list"
  - "watch"
  - "update"
  - "delete"
  - "create"
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: vals-operator
  labels:
    {{- include "vals-operator.labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: vals-operator
subjects:
  - kind: ServiceAccount
    name: {{ include "vals-operator.serviceAccountName" . }}
    namespace: {{ .Release.Namespace }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ include "vals-operator.serviceAccountName" . }}
  labels:
    {{- include "vals-operator.labels" . | nindent 4 }}
  {{- with .Values.serviceAccount.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
{{- end }}