{{- if .Values.rbac.create }}
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ include "nginx-ingress.name" . }}
  labels:
    {{- include "nginx-ingress.labels" . | nindent 4 }}
rules:
{{- if .Values.controller.appprotect.enable }}
- apiGroups:
  - appprotect.f5.com
  resources:
  - appolicies
  - aplogconfs
  - apusersigs
  verbs:
  - get
  - watch
  - list
{{- end }}
{{- if .Values.controller.appprotectdos.enable }}
- apiGroups:
    - appprotectdos.f5.com
  resources:
    - apdospolicies
    - apdoslogconfs
    - dosprotectedresources
  verbs:
    - get
    - watch
    - list
{{- end }}
- apiGroups:
  - discovery.k8s.io
  resources:
  - endpointslices
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - list
  - watch
{{- if .Values.controller.reportIngressStatus.enableLeaderElection }}
  - update
  - create
{{- end }}
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
  - list
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - get
  - list
  - watch
  - update
  - create
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingressclasses
  verbs:
  - get
{{- if .Values.controller.reportIngressStatus.enable }}
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses/status
  verbs:
  - update
{{- end }}
{{- if .Values.controller.enableCustomResources }}
- apiGroups:
  - k8s.nginx.org
  resources:
  - virtualservers
  - virtualserverroutes
  - globalconfigurations
  - transportservers
  - policies
  verbs:
  - list
  - watch
  - get
- apiGroups:
  - k8s.nginx.org
  resources:
  - virtualservers/status
  - virtualserverroutes/status
  - policies/status
  - transportservers/status
  verbs:
  - update
{{- end }}
{{- if .Values.controller.reportIngressStatus.ingressLink }}
- apiGroups:
  - cis.f5.com
  resources:
  - ingresslinks
  verbs:
  - list
  - watch
  - get
{{- end }}
{{- if .Values.controller.enableCertManager }}
- apiGroups:
  - cert-manager.io
  resources:
  - certificates
  verbs:
  - list
  - watch
  - get
  - update
  - create
  - delete
{{- end }}
{{- if .Values.controller.enableExternalDNS }}
- apiGroups:
    - externaldns.nginx.org
  resources:
    - dnsendpoints
  verbs:
    - list
    - watch
    - get
    - update
    - create
    - delete
- apiGroups:
  - externaldns.nginx.org
  resources:
  - dnsendpoints/status
  verbs:
  - update
{{- end }}
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ include "nginx-ingress.name" . }}
  labels:
    {{- include "nginx-ingress.labels" . | nindent 4 }}
subjects:
- kind: ServiceAccount
  name: {{ include "nginx-ingress.serviceAccountName" . }}
  namespace: {{ .Release.Namespace }}
roleRef:
  kind: ClusterRole
  name: {{ include "nginx-ingress.name" . }}
  apiGroup: rbac.authorization.k8s.io
{{- end }}