{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName .Values.global.secretsBackend.vault.controllerRole .Values.global.secretsBackend.vault.controller.tlsCert.secretName  .Values.global.secretsBackend.vault.controller.caCert.secretName) -}}
{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ template "consul.fullname" . }}-webhook-cert-manager
  labels:
    app: {{ template "consul.name" . }}
    chart: {{ template "consul.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
    component: webhook-cert-manager
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - mutatingwebhookconfigurations
  verbs:
  - get
  - list
  - watch
  - patch
- apiGroups:
  - apps
  resources:
  - deployments
  resourceNames:
  - {{ template "consul.fullname" . }}-webhook-cert-manager
  verbs:
  - get
{{- if .Values.global.enablePodSecurityPolicies }}
- apiGroups:
  - policy
  resources:
  - podsecuritypolicies
  resourceNames:
  - {{ template "consul.fullname" . }}-webhook-cert-manager
  verbs:
  - use
{{- end }}
{{- end }}