{{- if .Values.global.federation.createFederationSecret }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ template "consul.fullname" . }}-create-federation-secret
  namespace: {{ .Release.Namespace }}
  labels:
    app: {{ template "consul.name" . }}
    chart: {{ template "consul.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
    component: create-federation-secret
  annotations:
    "helm.sh/hook": post-install,post-upgrade
    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
rules:
  {{/* Must have separate rule for create secret permissions vs update because
    can't set resourceNames for create (https://github.com/kubernetes/kubernetes/issues/80295) */}}
  - apiGroups: [""]
    resources:
      - secrets
    verbs:
      - create
  - apiGroups: [""]
    resources:
      - secrets
    resourceNames:
      - {{ template "consul.fullname" . }}-federation
    verbs:
      - update
  {{- if .Values.global.acls.manageSystemACLs }}
  - apiGroups: [""]
    resources:
      - secrets
    resourceNames:
      - {{ template "consul.fullname" . }}-acl-replication-acl-token
    verbs:
      - get
  {{- end }}
  {{- if .Values.global.enablePodSecurityPolicies }}
  - apiGroups: ["policy"]
    resources:
      - podsecuritypolicies
    verbs:
      - use
    resourceNames:
      - {{ template "consul.fullname" . }}-create-federation-secret
  {{- end }}
{{- end }}