apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ include "kuma.name" . }}-control-plane
  namespace: {{ .Release.Namespace }}
  labels:
  {{- include "kuma.labels" . | nindent 4 }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "kuma.name" . }}-control-plane
  labels:
  {{- include "kuma.labels" . | nindent 4 }}
rules:
  - apiGroups:
      - ""
    resources:
      - namespaces
      - pods
      - configmaps
      - nodes
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - kuma.io
    resources:
      - dataplanes
      - dataplaneinsights
      - meshes
      - zones
      - zoneinsights
      - zoneingresses
      - zoneingressinsights
      - meshinsights
      - serviceinsights
      - proxytemplates
      - ratelimits
      - trafficpermissions
      - trafficroutes
      - timeouts
      - retries
      - circuitbreakers
      - virtualoutbounds
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
  - apiGroups:
      - kuma.io
    resources:
      - externalservices
      - faultinjections
      - healthchecks
      - trafficlogs
      - traffictraces
    verbs:
      - get
      - list
      - watch
      {{- if eq .Values.controlPlane.mode "zone" }}
      - create
      - update
      - patch
      - delete
  {{- end }}
  {{- if .Values.cni.enabled }}
  - apiGroups:
      - k8s.cni.cncf.io
    resources:
      - network-attachment-definitions
    verbs:
      - get
      - list
      - watch
      - create
      - delete
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - get
      - list
      - watch
  {{- end }}
  - apiGroups:
      - ""
    resources:
      - pods/finalizers
    verbs:
      - "*"
  - apiGroups:
      - kuma.io
    resources:
      - meshes/finalizers
    verbs:
      - "*"
  - apiGroups:
      - kuma.io
    resources:
      - dataplanes/finalizers
    verbs:
      - "*"
  # validate k8s token before issuing mTLS cert
  - apiGroups:
      - authentication.k8s.io
    resources:
      - tokenreviews
    verbs:
      - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "kuma.name" . }}-control-plane
  labels:
  {{- include "kuma.labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "kuma.name" . }}-control-plane
subjects:
  - kind: ServiceAccount
    name: {{ include "kuma.name" . }}-control-plane
    namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ include "kuma.name" . }}-control-plane
  namespace: {{ .Release.Namespace }}
  labels:
  {{- include "kuma.labels" . | nindent 4 }}
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ include "kuma.name" . }}-control-plane
  namespace: {{ .Release.Namespace }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ include "kuma.name" . }}-control-plane
subjects:
  - kind: ServiceAccount
    name: {{ include "kuma.name" . }}-control-plane
    namespace: {{ .Release.Namespace }}