{{- if .Values.etcd.deploy }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    {{- include "etcd.labels" . | nindent 4 }}
  name: etcd-gen-certs-role
  annotations:
    "helm.sh/hook": pre-install
    "helm.sh/hook-weight": "-5"
  namespace: {{ .Release.Namespace }}
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - delete
    resourceNames:
      - {{ include "etcd.caSecretName" . }}
      - {{ include "etcd.clientSecretName" . }}
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - create
  - apiGroups:
      - apps
    resources:
      - statefulsets
    verbs:
      - get
      - list
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    {{- include "etcd.labels" . | nindent 4 }}
  name: etcd-gen-certs-rolebiding
  namespace: {{ .Release.Namespace }}
  annotations:
    "helm.sh/hook": pre-install
    "helm.sh/hook-weight": "-5"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: etcd-gen-certs-role
subjects:
  - kind: ServiceAccount
    name: {{ include "etcd.serviceAccountName" . }}
    namespace: {{ .Release.Namespace }}
{{- end }}