apiVersion: v1
kind: ServiceAccount
metadata:
  name: kubeslice-preinstall
  namespace: kubeslice-system
  labels:
    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
    app.kubernetes.io/instance: {{ .Release.Name | quote }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
  annotations:
    # This is what defines this resource as a hook. Without this line, the
    # job is considered part of the release.
    "helm.sh/hook": pre-install,pre-upgrade
    "helm.sh/hook-weight": "-10"
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubeslice-preinstall-role
  namespace: kubeslice-system
  labels:
    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
    app.kubernetes.io/instance: {{ .Release.Name | quote }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
  annotations:
    # This is what defines this resource as a hook. Without this line, the
    # job is considered part of the release.
    "helm.sh/hook": pre-install,pre-upgrade
    "helm.sh/hook-weight": "-9"
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
rules:
  - apiGroups:
      - ""
    resources:
      - serviceaccounts
      - services
    verbs:
      - get
      - create
      - update
  - apiGroups:
      - ""
    resources:
      - nodes
      - pods
      - nodes/metrics
      - configmaps
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - "authentication.k8s.io"
    resources:
      - tokenreviews
    verbs:
      - create
      - update
  - apiGroups:
      - "authorization.k8s.io"
    resources:
      - subjectaccessreviews
    verbs:
      - create
      - update
  - apiGroups:
      - "rbac.authorization.k8s.io"
    resources:
      - clusterroles
      - rolebindings
      - clusterrolebindings
    verbs:
      - get
      - create
      - update
      - patch
  - apiGroups:
      - apps
    resources:
      - deployments
    verbs:
      - get
      - create
      - update
      - patch
  - apiGroups:
      - "apiregistration.k8s.io"
    resources:
      - apiservices
    verbs:
      - get
      - create
  - apiGroups:
      - "metrics.k8s.io"
    resources:
      - nodes
      - pods
    verbs:
      - get
      - list
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubeslice-preinstall-rolebinding
  namespace: kubeslice-system
  labels:
    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
    app.kubernetes.io/instance: {{ .Release.Name | quote }}
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
  annotations:
    # This is what defines this resource as a hook. Without this line, the
    # job is considered part of the release.
    "helm.sh/hook": pre-install,pre-upgrade
    "helm.sh/hook-weight": "-8"
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubeslice-preinstall-role
subjects:
  - kind: ServiceAccount
    name: kubeslice-preinstall
    namespace: kubeslice-system