{{- if .Values.terminatingGateways.enabled }}

{{- $root := . }}
{{- $defaults := .Values.terminatingGateways.defaults }}

{{- range .Values.terminatingGateways.gateways }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name:  {{ template "consul.fullname" $root }}-{{ .name }}
  namespace: {{ $root.Release.Namespace }}
  labels:
    app: {{ template "consul.name" $root }}
    chart: {{ template "consul.chart" $root }}
    heritage: {{ $root.Release.Service }}
    release: {{ $root.Release.Name }}
    component: terminating-gateway
    terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }}
{{- if (or $root.Values.global.acls.manageSystemACLs $root.Values.global.enablePodSecurityPolicies) }}
rules:
{{- if $root.Values.global.enablePodSecurityPolicies }}
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    resourceNames:
      -  {{ template "consul.fullname" $root }}-{{ .name }}
    verbs:
      - use
{{- end }}
{{- if $root.Values.global.acls.manageSystemACLs }}
  - apiGroups: [""]
    resources:
      - secrets
    resourceNames:
      -  {{ template "consul.fullname" $root }}-{{ .name }}-acl-token
    verbs:
      - get
{{- end }}
{{- else }}
rules: []
{{- end }}
---
{{- end }}
{{- end }}