# Serviceaccount
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cpx-sidecar-injector-service-account
  namespace: {{ .Release.Namespace }}
  labels:
    app: cpx-sidecar-injector

---
# ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cpx-sidecar-injector-istio-system
  labels:
    app: cpx-sidecar-injector
rules:
- apiGroups: ["*"]
  resources: ["configmaps"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["admissionregistration.k8s.io"]
  resources: ["mutatingwebhookconfigurations"]
  verbs: ["get", "list", "watch", "patch"]
- apiGroups: ["certificates.k8s.io"]
  resources: ["certificatesigningrequests", "certificatesigningrequests/approval"]
  verbs: ["get", "list", "create", "watch", "delete", "update"]
- apiGroups: ["certificates.k8s.io"]
  resources: ["signers"]
  resourceNames: ["kubernetes.io/legacy-unknown", "kubernetes.io/kubelet-serving"]
  verbs: ["get", "list", "create", "watch", "delete", "update", "approve"]
---
# ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cpx-sidecar-injector-admin-role-binding-istio-system
  labels:
    app: cpx-sidecar-injector
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cpx-sidecar-injector-istio-system
subjects:
  - kind: ServiceAccount
    name: cpx-sidecar-injector-service-account
    namespace: {{ .Release.Namespace }}
---