{{- if and .Values.enabledRBAC (not .Values.serviceAccountName) }}
apiVersion: {{ template "rbac_api_version" . }}
kind: ClusterRole
metadata:
  labels:
    app: {{ template "app.name" . }}
    chart: {{ template "app.version" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
  name: {{ template "app.fullname" . }}
rules:
- apiGroups: 
  - ""
  resources:
  - namespaces
  - nodes
  - pods
  - services
  - resourcequotas
  - replicationcontrollers
  - limitranges
  - persistentvolumeclaims
  - persistentvolumes
  - endpoints
  - configmaps
  - secrets
  verbs: 
  - "list"
  - "watch"
- apiGroups: 
  - "extensions"
  - "apps"
  resources:
  - daemonsets
  - deployments
  - replicasets
  verbs: 
  - "list"
  - "watch"
- apiGroups: 
  - "apps"
  resources:
  - statefulsets
  - deployments
  verbs: 
  - "list"
  - "watch"
- apiGroups: 
  - "batch"
  resources:
  - cronjobs
  - jobs
  verbs: 
  - "list"
  - "watch"
- apiGroups: 
  - "autoscaling"
  resources:
  - horizontalpodautoscalers
  verbs: 
  - "list"
  - "watch"
- apiGroups:
  - "policy"
  resources:
  - "poddisruptionbudgets"
  verbs: 
  - "list"
  - "watch"
- apiGroups: 
  - "extensions"
  - "networking.k8s.io"
  resources:
  - ingresses
  verbs:
  - "list"
  - "watch"
- apiGroups: 
  - "certificates.k8s.io"
  resources:
  - certificatesigningrequests
  verbs:
  - "list"
  - "watch"
- apiGroups: 
  - "storage.k8s.io"
  resources:
    - storageclasses
  verbs: 
  - "list"
  - "watch"

---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: {{ template "app.name" . }}
    chart: {{ template "app.version" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
  name: {{ template "app.fullname" . }}
imagePullSecrets: 
{{ toYaml .Values.image.pullSecrets | indent 2 }}

---
apiVersion: {{ template "rbac_api_version" . }}
kind: ClusterRoleBinding
metadata:
  labels:
    app: {{ template "app.name" . }}
    chart: {{ template "app.version" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
  name: {{ template "app.fullname" . }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ template "app.fullname" . }}
subjects:
- kind: ServiceAccount
  name: {{ template "app.fullname" . }}
  namespace: {{ .Release.Namespace }}
{{- end }}