{{- include "nplus.init" $ -}}
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ .component.fullName }}-svc-account
  {{- if .this.utils.includeNamespace }}
  namespace: {{ .Release.Namespace }}
  {{- end }}
  labels:
    {{- include "nplus.instanceLabels" . | nindent 4 }}
  annotations:
    {{- include "nplus.argoSharedResource" . | nindent 4 }}
    {{- include "nplus.annotations" . | nindent 4 }}

---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ .component.fullName }}-role
  {{- if .this.utils.includeNamespace }}
  namespace: {{ .Release.Namespace }}
  {{- end }}
  labels:
    {{- include "nplus.instanceLabels" . | nindent 4 }}
  annotations:
    {{- include "nplus.argoSharedResource" . | nindent 4 }}
    {{- include "nplus.annotations" . | nindent 4 }}

rules:
  - apiGroups: [""]
    resources: ["pods", "secrets","serviceaccounts", "persistentvolumeclaims", "configmaps", "services", "replicationcontrollers", "pods/log"]
    verbs: ["create", "get", "update", "patch", "delete", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments", "statefulsets", "daemonsets", "replicasets"]
    verbs: ["create", "get", "update", "patch", "delete", "list", "watch"]
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["Role", "roles", "rolebindings"]
    verbs: ["create", "get", "update", "patch", "delete", "list", "watch"]
  - apiGroups: ["batch"]
    resources: ["jobs", "cronjobs"]
    verbs: ["create", "get", "update", "patch", "delete", "list", "watch"]
  - apiGroups: ["autoscaling"]
    resources: ["horizontalpodautoscalers"]
    verbs: ["create", "get", "update", "patch", "delete", "list", "watch"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["create", "get", "update", "patch", "delete", "list", "watch"]
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates"]
    verbs: ["create", "get", "update", "patch", "delete", "list", "watch"]

  - apiGroups: ["nplus.cloud"]
    resources: ["components", "instances"]
    verbs: ["get", "update", "patch", "list", "watch"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ .component.fullName }}-role-binding
  {{- if .this.utils.includeNamespace }}
  namespace: {{ .Release.Namespace }}
  {{- end }}
  labels:
    {{- include "nplus.instanceLabels" . | nindent 4 }}
  annotations:
    {{- include "nplus.argoSharedResource" . | nindent 4 }}
    {{- include "nplus.annotations" . | nindent 4 }}

roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ .component.fullName }}-role
subjects:
- kind: ServiceAccount
  name: {{ .component.fullName }}-svc-account