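---
# Read-only ClusterRole for the watcher's ServiceAccount. Every rule grants
# only get/list/watch; the toggles under .Values.watcher.resources widen *what*
# can be read but never add write verbs. Each optional rule is emitted only
# when at least one of its resources is enabled, because the API server
# rejects a policy rule whose `resources` list is empty.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  # ClusterRoles are cluster-scoped; a metadata.namespace would be ignored by
  # the API server, so none is rendered.
  name: {{ include "k8s-watcher.serviceAccountName" . }}
rules:
{{- $res := .Values.watcher.resources }}
{{- if or $res.event $res.pod $res.replicationController $res.service $res.namespace $res.configMap $res.node $res.persistentVolume $res.persistentVolumeClaim $res.serviceAccount $res.secret $res.endpoints $res.limitRange $res.podTemplate $res.resourceQuota }}
  - apiGroups:
    - ""
    resources:
{{- if $res.event }}
    - events
{{- end }}
{{- if $res.pod }}
    # Pod specs can carry plaintext env values; cluster-wide read is broad.
    - pods
{{- end }}
{{- if $res.replicationController }}
    - replicationcontrollers
{{- end }}
{{- if $res.service }}
    - services
{{- end }}
{{- if $res.namespace }}
    - namespaces
{{- end }}
{{- if $res.configMap }}
    # ConfigMaps are frequently (mis)used to hold credentials; treat this
    # grant with the same care as secrets.
    - configmaps
{{- end }}
{{- if $res.node }}
    - nodes
{{- end }}
{{- if $res.persistentVolume }}
    - persistentvolumes
{{- end }}
{{- if $res.persistentVolumeClaim }}
    - persistentvolumeclaims
{{- end }}
{{- if $res.serviceAccount }}
    - serviceaccounts
{{- end }}
{{- if $res.secret }}
    # SECURITY: cluster-wide get/list/watch on secrets exposes every secret in
    # the cluster, including any long-lived ServiceAccount token secrets, so a
    # compromise of this ServiceAccount becomes a cluster-wide credential
    # leak. Leave watcher.resources.secret disabled unless the watcher truly
    # needs it.
    - secrets
{{- end }}
{{- if $res.endpoints }}
    - endpoints
{{- end }}
{{- if $res.limitRange }}
    - limitranges
{{- end }}
{{- if $res.podTemplate }}
    - podtemplates
{{- end }}
{{- if $res.resourceQuota }}
    - resourcequotas
{{- end }}
    verbs:
    - get
    - watch
    - list
{{- end }}
  # clusterroles is granted unconditionally (there is no values toggle for
  # it); the other RBAC objects are opt-in. Only the real RBAC API group is
  # listed: a bare `rbac` group does not exist, so the old entry for it was a
  # no-op.
  - apiGroups:
    - rbac.authorization.k8s.io
    resources:
    - clusterroles
{{- if $res.clusterRoleBinding }}
    - clusterrolebindings
{{- end }}
{{- if $res.roleBinding }}
    - rolebindings
{{- end }}
{{- if $res.role }}
    - roles
{{- end }}
    verbs:
    - get
    - watch
    - list
  # Required as minimum installation: the core workload controllers are
  # always readable.
  - apiGroups:
    - apps
    resources:
    - deployments
    - daemonsets
    - replicasets
    - statefulsets
{{- if $res.controllerRevision }}
    - controllerrevisions
{{- end }}
    verbs:
    - get
    - watch
    - list
{{- if or $res.job $res.cronjob }}
  - apiGroups:
    - batch
    resources:
{{- if $res.job }}
    - jobs
{{- end }}
{{- if $res.cronjob }}
    - cronjobs
{{- end }}
    verbs:
    - get
    - watch
    - list
{{- end }}
{{- if or $res.ingress $res.networkPolicy $res.ingressClass }}
  # Legacy group: ingresses and networkpolicies were served from `extensions`
  # only on old clusters (both are gone from it by v1.22) and ingressclasses
  # never lived there. Kept for those clusters; a harmless no-op elsewhere.
  - apiGroups:
    - extensions
    resources:
{{- if $res.ingress }}
    - ingresses
{{- end }}
{{- if $res.networkPolicy }}
    - networkpolicies
{{- end }}
{{- if $res.ingressClass }}
    - ingressclasses
{{- end }}
    verbs:
    - get
    - watch
    - list
  - apiGroups:
    - networking.k8s.io
    resources:
{{- if $res.ingress }}
    - ingresses
{{- end }}
{{- if $res.ingressClass }}
    - ingressclasses
{{- end }}
{{- if $res.networkPolicy }}
    - networkpolicies
{{- end }}
    verbs:
    - get
    - watch
    - list
{{- end }}
{{- if .Values.watcher.enableAgentTaskExecution }}
  # This rule is independent of watcher.resources.pod, so pods stay readable
  # here even when that toggle is off. pods/log is opt-in separately:
  # container logs routinely contain credentials and PII, so cluster-wide log
  # access is a sensitive grant.
  - apiGroups:
    - ""
    resources:
    - pods
{{- if .Values.watcher.allowReadingPodLogs }}
    - pods/log
{{- end }}
    verbs:
    - get
    - list
{{- end }}
{{- if or $res.storageClass $res.csiDriver $res.csiNode $res.csiStorageCapacity $res.volumeAttachment }}
  - apiGroups:
    - storage.k8s.io
    resources:
{{- if $res.storageClass }}
    - storageclasses
{{- end }}
{{- if $res.csiDriver }}
    - csidrivers
{{- end }}
{{- if $res.csiNode }}
    - csinodes
{{- end }}
{{- if $res.csiStorageCapacity }}
    - csistoragecapacities
{{- end }}
{{- if $res.volumeAttachment }}
    - volumeattachments
{{- end }}
    verbs:
    - get
    - watch
    - list
{{- end }}
  # Required to check whether the CRDs that enabled resources depend on
  # (e.g. Argo Rollouts) actually exist on the cluster.
  - apiGroups:
    - apiextensions.k8s.io
    resources:
    - customresourcedefinitions
    verbs:
    - get
    - watch
    - list
{{- if $res.rollout }}
  - apiGroups:
    - argoproj.io
    resources:
    - rollouts
    - rollouts/status
    - rollouts/finalizers
    - analysistemplates
    - clusteranalysistemplates
    verbs:
    - get
    - watch
    - list
{{- end }}
{{- if $res.metrics }}
  - apiGroups:
    - metrics.k8s.io
    resources:
    - nodes
    - pods
    verbs:
    - get
    - watch
    - list
{{- end }}
{{- if $res.admissionRegistrationResources }}
  - apiGroups:
    - admissionregistration.k8s.io
    resources:
    - mutatingwebhookconfigurations
    - validatingwebhookconfigurations
    verbs:
    - get
    - watch
    - list
{{- end }}
{{- if $res.authorizationResources }}
  # NOTE(review): the *AccessReview / *RulesReview resources are create-only
  # virtual resources; get/watch/list on them passes RBAC validation but
  # grants nothing the API server actually serves. Kept as-is so the chart's
  # surface does not change — if the watcher really issues these reviews it
  # needs `create`, which should be added deliberately.
  - apiGroups:
    - authorization.k8s.io
    resources:
    - localsubjectaccessreviews
    - selfsubjectaccessreviews
    - selfsubjectrulesreviews
    - subjectaccessreviews
    verbs:
    - get
    - watch
    - list
{{- end }}
{{- if $res.horizontalPodAutoscaler }}
  - apiGroups:
    - autoscaling
    resources:
    - horizontalpodautoscalers
    verbs:
    - get
    - watch
    - list
{{- end }}
{{- if $res.certificateSigningRequest }}
  - apiGroups:
    - certificates.k8s.io
    resources:
    - certificatesigningrequests
    verbs:
    - get
    - watch
    - list
{{- end }}
{{- if $res.lease }}
  - apiGroups:
    - coordination.k8s.io
    resources:
    - leases
    verbs:
    - get
    - watch
    - list
{{- end }}
{{- if $res.endpointSlice }}
  - apiGroups:
    - discovery.k8s.io
    resources:
    - endpointslices
    verbs:
    - get
    - watch
    - list
{{- end }}
{{- if $res.flowControlResources }}
  - apiGroups:
    - flowcontrol.apiserver.k8s.io
    resources:
    - flowschemas
    - prioritylevelconfigurations
    verbs:
    - get
    - watch
    - list
{{- end }}
{{- if $res.runtimeClass }}
  - apiGroups:
    - node.k8s.io
    resources:
    - runtimeclasses
    verbs:
    - get
    - watch
    - list
{{- end }}
{{- if $res.policyResources }}
  # podsecuritypolicies were removed in Kubernetes v1.25; the entry is a
  # harmless no-op on newer clusters.
  - apiGroups:
    - policy
    resources:
    - poddisruptionbudgets
    - podsecuritypolicies
    verbs:
    - get
    - watch
    - list
{{- end }}
{{- if $res.priorityClass }}
  - apiGroups:
    - scheduling.k8s.io
    resources:
    - priorityclasses
    verbs:
    - get
    - watch
    - list
{{- end }}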
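---
# Binds the read-only ClusterRole above to the watcher's ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "k8s-watcher.serviceAccountName" . }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "k8s-watcher.serviceAccountName" . }}
subjects:
  - kind: ServiceAccount
    name: {{ include "k8s-watcher.serviceAccountName" . }}
    # A ServiceAccount subject in a ClusterRoleBinding must carry a namespace
    # (the API server rejects the binding otherwise), so the field is always
    # rendered: .Values.namespace when set, else the release namespace. Quoted
    # so a namespace such as "no" is not parsed as a boolean.
    namespace: {{ .Values.namespace | default .Release.Namespace | quote }}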