---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ .Values.operator.name }}
  namespace: {{ .Release.Namespace }}

---
apiVersion: rbac.authorization.k8s.io/v1
kind: {{ if eq (.Values.operator.watchNamespace | default "") "*" }} ClusterRole {{ else }} Role {{ end }}
metadata:
  name: {{ .Values.operator.name }}
  {{- if not (eq (.Values.operator.watchNamespace | default "*") "*") }}
  namespace: {{ .Values.operator.watchNamespace }}
  {{- else }}
  namespace: {{ .Release.Namespace }}
  {{- end }}
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - services
  - configmaps
  - secrets
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - apps
  resources:
  - statefulsets
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - mongodbcommunity.mongodb.com
  resources:
  - mongodbcommunity
  - mongodbcommunity/status
  - mongodbcommunity/spec
  - mongodbcommunity/finalizers
  verbs:
  - get
  - patch
  - list
  - update
  - watch

---
kind: {{ if eq (.Values.operator.watchNamespace | default "") "*" }} ClusterRoleBinding {{ else }} RoleBinding {{ end }}
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ .Values.operator.name }}
  {{- if ne (.Values.operator.watchNamespace | default "*") "*" }}
  namespace: {{ .Values.operator.watchNamespace }}
  {{- else }}
  namespace: {{ .Release.Namespace }}
  {{- end }}
subjects:
- kind: ServiceAccount
  name: {{ .Values.operator.name }}
  namespace: {{ .Release.Namespace }}
roleRef:
  kind: {{ if eq (.Values.operator.watchNamespace | default "") "*" }} ClusterRole {{ else }} Role {{ end }}
  name: {{ .Values.operator.name }}
  apiGroup: rbac.authorization.k8s.io