{{- /*
Copyright VMware, Inc.
SPDX-License-Identifier: APACHE-2.0
*/}}

{{- if and .Values.rbac.create .Values.rbac.clusterRole }}
apiVersion: rbac.authorization.k8s.io/{{ .Values.rbac.apiVersion }}
kind: ClusterRole
metadata:
  name: {{ template "common.names.fullname.namespace" . }}
  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
  {{- if .Values.commonAnnotations }}
  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
  {{- end }}
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - pods
      - nodes
      - endpoints
      - namespaces
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
      - "networking.k8s.io"
      - getambassador.io
    resources:
      - ingresses
      - hosts
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - route.openshift.io
    resources:
      - routes
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.istio.io
    resources:
      - gateways
      - virtualservices
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - zalando.org
    resources:
      - routegroups
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - zalando.org
    resources:
      - routegroups/status
    verbs:
      - patch
      - update
  - apiGroups:
      - projectcontour.io
    resources:
      - httpproxies
    verbs:
      - get
      - watch
      - list
  - apiGroups:
      - gloo.solo.io
      - gateway.solo.io
    resources:
      - proxies
      - virtualservices
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - configuration.konghq.com
    resources:
      - tcpingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - gateway.networking.k8s.io
    resources:
      - gateways
      - httproutes
      - tlsroutes
      - tcproutes
      - udproutes
      - grpcroutes
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - cis.f5.com
    resources:
      - virtualservers
    verbs:
      - get
      - watch
      - list
  {{- if has "traefik-proxy" .Values.sources }}
  - apiGroups: 
      - traefik.containo.us
      - traefik.io
    resources: 
      - ingressroutes
      - ingressroutetcps
      - ingressrouteudps
    verbs: 
      - get
      - watch
      - list
  {{- end }}
  {{- if or .Values.crd.create .Values.crd.apiversion }}
  - apiGroups:
      {{- if .Values.crd.create }}
      - externaldns.k8s.io
      {{- else }}
      - {{ $api := splitn "/" 2 .Values.crd.apiversion }}{{ $api._0 }}
      {{- end }}
    resources:
      {{- if .Values.crd.create }}
      - dnsendpoints
      {{- else }}
      - {{ printf "%ss" (.Values.crd.kind | lower) }}
      {{- end }}
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      {{- if .Values.crd.create }}
      - externaldns.k8s.io
      {{- else }}
      - {{ $api := splitn "/" 2 .Values.crd.apiversion }}{{ $api._0 }}
      {{- end }}
    resources:
      {{- if .Values.crd.create }}
      - dnsendpoints/status
      {{- else }}
      - {{ printf "%ss/status" (.Values.crd.kind | lower) }}
      {{- end }}
    verbs:
      - update
  {{- end }}
{{- end }}