{{- $main := . -}}
{{- $apiDomain := include "apiDomain" . -}}
{{- $actionsAPIs := splitList " " (include "k10.actionsAPIs" .) -}}
{{- $aggregatedAPIs := splitList " " (include "k10.aggregatedAPIs" .) -}}
{{- $appsAPIs := splitList " " (include "k10.appsAPIs" .) -}}
{{- $authAPIs := splitList " " (include "k10.authAPIs" .) -}}
{{- $configAPIs := splitList " " (include "k10.configAPIs" .) -}}
{{- $distAPIs := splitList " " (include "k10.distAPIs" .) -}}
{{- $reportingAPIs := splitList " " (include "k10.reportingAPIs" .) -}}
{{- if .Values.rbac.create }}
# RBAC objects for this release (rendered only when .Values.rbac.create is set):
#   1. ClusterRoleBinding of the chart service account(s) to cluster-admin
#   2. ClusterRoles/Role for the chart's own API groups ($apiDomain-suffixed),
#      Kanister CRs, and a few core resources
#   3. Bindings that hand the "-admin"/"-ns-admin" roles to the k10:admins group
#      plus the users/groups listed under .Values.auth
# A trailing block adds a Role/RoleBinding for the bundled Prometheus server
# when .Values.prometheus.rbac.create is false.
#
# Highest-impact grant in this file: the cluster-admin binding directly below.
# Anything that can act as the bound service account(s) has unrestricted
# cluster access, so the subject list here is the primary audit point.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
{{ include "helm.labels" . | indent 4 }}
  # Namespace-prefixed so two installs in different namespaces do not collide
  # on this cluster-scoped name (presumably; the naming is inferred).
  name: {{ .Release.Namespace }}-{{ template "serviceAccountName" . }}-cluster-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: {{ template "serviceAccountName" . }}
  namespace: {{ .Release.Namespace }}
# The metering service account is added as a second cluster-admin subject only
# when it is a distinct account from the main one.
{{- if not ( eq (include "meteringServiceAccountName" .) (include "serviceAccountName" .) )}}
- kind: ServiceAccount
  name: {{ template "meteringServiceAccountName" . }}
  namespace: {{ .Release.Namespace }}
{{- end }}
---
# "-admin": full control (all resources, all verbs) over the chart's aggregated,
# config and reporting API groups and over Kanister CRs, plus the ability to
# create/get/list namespaces cluster-wide. Bound to k10:admins further down.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
{{ include "helm.labels" . | indent 4 }}
{{ include "k10.defaultRBACLabels" . | indent 4 }}
  name: {{ .Release.Name }}-admin
rules:
- apiGroups:
  {{- range sortAlpha (concat $aggregatedAPIs $configAPIs $reportingAPIs) }}
  - {{ . }}.{{ $apiDomain }}
  {{- end }}
  resources:
  - "*"
  verbs:
  - "*"
- apiGroups:
  - cr.kanister.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - create
  - get
  - list
---
# "-ns-admin": namespaced Role in the release namespace. Note the Secrets rule
# below: get/list on Secrets exposes every credential stored in this namespace,
# and create/update/delete allows them to be replaced.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
{{ include "helm.labels" . | indent 4 }}
{{ include "k10.defaultRBACLabels" . | indent 4 }}
  name: {{ .Release.Name }}-ns-admin
  namespace: {{ .Release.Namespace }}
rules:
- apiGroups:
  - ""
  - "apps"
  resources:
  - deployments
  - pods
  verbs:
  - get
  - list
# Read/write access to all Secrets in the release namespace (see note above).
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - create
  - delete
  - get
  - list
  - update
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
- apiGroups:
  - "batch"
  resources:
  - jobs
  verbs:
  - get
---
# "-mc-admin": full control over the auth, config and dist API groups, and
# wildcard verbs on Secrets. Because this is a ClusterRole, a ClusterRoleBinding
# to it grants read/write on Secrets in every namespace; no binding for this
# role appears in this file, so check where it is bound before granting it.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
{{ include "helm.labels" . | indent 4 }}
{{ include "k10.defaultRBACLabels" . | indent 4 }}
  name: {{ .Release.Name }}-mc-admin
rules:
- apiGroups:
  {{- range sortAlpha (concat $authAPIs $configAPIs $distAPIs) }}
  - {{ . }}.{{ $apiDomain }}
  {{- end }}
  resources:
  - "*"
  verbs:
  - "*"
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - "*"
---
# "-basic": operator-level role. All verbs on the action and apps resources
# named below, read access to namespaces, and all verbs on policies.
# Resource names come from named templates so they stay in sync with the CRDs.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
{{ include "helm.labels" . | indent 4 }}
{{ include "k10.defaultRBACLabels" . | indent 4 }}
  name: {{ .Release.Name }}-basic
rules:
- apiGroups:
  {{- range sortAlpha $actionsAPIs }}
  - {{ . }}.{{ $apiDomain }}
  {{- end }}
  resources:
  - {{ include "k10.backupActions" $main}}
  - {{ include "k10.backupActionsDetails" $main}}
  - {{ include "k10.restoreActions" $main}}
  - {{ include "k10.restoreActionsDetails" $main}}
  - {{ include "k10.exportActions" $main}}
  - {{ include "k10.exportActionsDetails" $main}}
  - {{ include "k10.cancelActions" $main}}
  verbs:
  - "*"
- apiGroups:
  {{- range sortAlpha $appsAPIs }}
  - {{ . }}.{{ $apiDomain }}
  {{- end }}
  resources:
  - {{ include "k10.restorePoints" $main}}
  - {{ include "k10.restorePointsDetails" $main}}
  - {{ include "k10.applications" $main}}
  - {{ include "k10.applicationsDetails" $main}}
  verbs:
  - "*"
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
- apiGroups:
  {{- range sortAlpha $configAPIs }}
  - {{ . }}.{{ $apiDomain }}
  {{- end }}
  resources:
  - {{ include "k10.policies" $main}}
  verbs:
  - "*"
---
# "-config-view": read-only (get/list) on the configuration resources listed.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
{{ include "helm.labels" . | indent 4 }}
{{ include "k10.defaultRBACLabels" . | indent 4 }}
  name: {{ .Release.Name }}-config-view
rules:
- apiGroups:
  {{- range sortAlpha $configAPIs }}
  - {{ . }}.{{ $apiDomain }}
  {{- end }}
  resources:
  - {{ include "k10.profiles" $main}}
  - {{ include "k10.policies" $main}}
  - {{ include "k10.policypresets" $main}}
  - {{ include "k10.transformsets" $main}}
  - {{ include "k10.blueprintbindings" $main}}
  verbs:
  - get
  - list
---
# Binds the "-admin" ClusterRole cluster-wide to the k10:admins group, to each
# user in .Values.auth.k10AdminUsers, and to a list of groups (see below).
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
{{ include "helm.labels" . | indent 4 }}
  name: {{ .Release.Namespace }}-{{ template "serviceAccountName" . }}-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ .Release.Name }}-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: k10:admins
{{- range .Values.auth.k10AdminUsers }}
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: {{ . }}
{{- end }}
# `default A B` yields B when B is non-empty, else A: the admin groups are
# .Values.auth.k10AdminGroups when set, otherwise EVERY group in
# .Values.auth.groupAllowList becomes a cluster-wide "-admin". Set
# k10AdminGroups explicitly if the allow list is broader than the admin set.
{{- range default .Values.auth.groupAllowList .Values.auth.k10AdminGroups }}
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: {{ . }}
{{- end }}
---
# Same subjects as the ClusterRoleBinding above, bound to the namespaced
# "-ns-admin" Role (which includes Secrets read/write in this namespace).
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
{{ include "helm.labels" . | indent 4 }}
  name: {{ .Release.Namespace }}-{{ template "serviceAccountName" . }}-ns-admin
  namespace: {{ .Release.Namespace }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ .Release.Name }}-ns-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: k10:admins
{{- range .Values.auth.k10AdminUsers }}
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: {{ . }}
{{- end }}
# Same fallback as above: groupAllowList is used when k10AdminGroups is empty.
{{- range default .Values.auth.groupAllowList .Values.auth.k10AdminGroups }}
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: {{ . }}
{{- end }}
{{- end }}
{{- if and .Values.rbac.create (not .Values.prometheus.rbac.create) }}
---
# Role for the bundled Prometheus server, rendered only when the Prometheus
# subchart is not creating its own RBAC.
# NOTE(review): this is a namespaced Role, so the nodes, nodes/proxy and
# nodes/metrics entries (cluster-scoped resources) and the `ingresses` entry
# under the core "" group grant nothing via the RoleBinding below; node-level
# scraping would need a ClusterRole if it is actually intended.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
{{ include "helm.labels" . | indent 4 }}
{{ include "k10.defaultRBACLabels" . | indent 4 }}
  name: {{ .Release.Name }}-prometheus-server
  namespace: {{ .Release.Namespace }}
rules:
- apiGroups:
  - ""
  resources:
  - nodes
  - nodes/proxy
  - nodes/metrics
  - services
  - endpoints
  - pods
  - ingresses
  - configmaps
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  - networking.k8s.io
  resources:
  - ingresses/status
  - ingresses
  verbs:
  - get
  - list
  - watch
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
{{ include "helm.labels" . | indent 4 }}
  name: {{ .Release.Namespace }}-{{ template "serviceAccountName" . }}-prometheus-server
  namespace: {{ .Release.Namespace }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ .Release.Name }}-prometheus-server
subjects:
# Hard-coded service account name; presumably matches the account the
# Prometheus subchart creates in this namespace — verify against that chart.
- kind: ServiceAccount
  name: prometheus-server
  namespace: {{ .Release.Namespace }}
{{- end }}