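# RBAC for the Citrix ingress controller: one Role or ClusterRole, the matching
# binding, and the ServiceAccount the binding targets. All three share the name
# produced by the "citrix-ingress-controller.serviceAccountName" helper.
#
# Scope is selected by .Values.rbacRole:
#   unset/false -> ClusterRole + ClusterRoleBinding (rules apply in every namespace)
#   true        -> Role + RoleBinding in the release namespace only
#
# Templated names and namespaces are quoted so that a value that looks like a
# number or boolean (for example an all-digit namespace) still renders as a string.
{{- if not .Values.rbacRole }}
kind: ClusterRole
{{- else }}
kind: Role
{{- end }}
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ include "citrix-ingress-controller.serviceAccountName" . | quote }}
{{- if .Values.rbacRole }}
  namespace: {{ .Release.Namespace | quote }}
{{- end }}
rules:
  # Read-only access to core resources. This rule includes "secrets": in
  # ClusterRole mode the ServiceAccount can read every Secret in the cluster, so
  # its token should be treated as highly sensitive. Setting .Values.rbacRole
  # limits this to Secrets in the release namespace.
  # NOTE(review): a namespaced Role cannot grant access to cluster-scoped
  # resources (nodes, namespaces, customresourcedefinitions, ingressclasses, ...),
  # so those entries have no effect when .Values.rbacRole is set; confirm the
  # controller tolerates that.
  # NOTE(review): upstream Kubernetes serves tokenreviews and
  # subjectaccessreviews from authentication.k8s.io / authorization.k8s.io and
  # only with the "create" verb; confirm the core-group read entries below are
  # still required on the targeted OpenShift versions.
  - apiGroups: [""]
{{- if .Values.openshift }}
    resources: ["endpoints", "pods", "secrets", "routes", "tokenreviews", "subjectaccessreviews", "nodes", "namespaces", "configmaps", "services"]
{{- else }}
    resources: ["endpoints", "pods", "secrets", "routes", "nodes", "namespaces", "configmaps", "services"]
{{- end }}
    verbs: ["get", "list", "watch"]
  # services/status is needed to update the loadbalancer IP in service status for integrating
  # service of type LoadBalancer with external-dns
  - apiGroups: [""]
    resources: ["services/status"]
    verbs: ["patch"]
  # Event emission only; no read access to events is granted.
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create"]
  # Ingress objects are read; only their status subresource is writable.
  - apiGroups: ["extensions", "networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["extensions", "networking.k8s.io"]
    resources: ["ingresses/status"]
    verbs: ["patch"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingressclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch"]
  # Citrix custom resources: the only rules here that allow create/delete.
  # These objects drive policy on the load balancer (auth, WAF, rate limiting,
  # bot and CORS policies), so write access to them is security-relevant.
  - apiGroups: ["citrix.com"]
    resources: ["rewritepolicies", "continuousdeployments", "authpolicies", "ratelimits", "listeners", "httproutes", "wafs", "apigatewaypolicies", "bots", "corspolicies", "appqoepolicies", "wildcarddnsentries"]
    verbs: ["get", "list", "watch", "create", "delete", "patch"]
  - apiGroups: ["citrix.com"]
    resources: ["rewritepolicies/status", "continuousdeployments/status", "authpolicies/status", "ratelimits/status", "listeners/status", "httproutes/status", "wafs/status", "apigatewaypolicies/status", "bots/status", "corspolicies/status", "appqoepolicies/status", "wildcarddnsentries/status"]
    verbs: ["patch"]
  - apiGroups: ["citrix.com"]
    resources: ["vips"]
    verbs: ["get", "list", "watch", "create", "delete"]
  - apiGroups: ["crd.projectcalico.org"]
    resources: ["ipamblocks"]
    verbs: ["get", "list", "watch"]
{{- if .Values.openshift }}
  # OpenShift-only read access, rendered when .Values.openshift is set.
  - apiGroups: ["route.openshift.io"]
    resources: ["routes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["network.openshift.io"]
    resources: ["hostsubnets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["config.openshift.io"]
    resources: ["networks"]
    verbs: ["get", "list"]
{{- end }}
---
# Binds the role above to the controller's ServiceAccount. The binding kind and
# the roleRef kind follow the same .Values.rbacRole switch as the role itself,
# so the two always match.
{{- if not .Values.rbacRole }}
kind: ClusterRoleBinding
{{- else }}
kind: RoleBinding
{{- end }}
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ include "citrix-ingress-controller.serviceAccountName" . | quote }}
{{- if .Values.rbacRole }}
  namespace: {{ .Release.Namespace | quote }}
{{- end }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
{{- if not .Values.rbacRole }}
  kind: ClusterRole
{{- else }}
  kind: Role
{{- end }}
  name: {{ include "citrix-ingress-controller.serviceAccountName" . | quote }}
subjects:
  # The only subject: the ServiceAccount defined below, in the release namespace.
  - kind: ServiceAccount
    name: {{ include "citrix-ingress-controller.serviceAccountName" . | quote }}
    namespace: {{ .Release.Namespace | quote }}
---
# Identity the controller pod runs as. Any workload in the release namespace
# that is allowed to use this ServiceAccount inherits every permission granted
# above.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ include "citrix-ingress-controller.serviceAccountName" . | quote }}
  namespace: {{ .Release.Namespace | quote }}
{{- if .Values.imagePullSecrets }}
# Each entry of .Values.imagePullSecrets is used as the name of a pull secret.
imagePullSecrets:
{{- range .Values.imagePullSecrets }}
  - name: {{ . | quote }}
{{- end }}
{{- end }}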