{{- if .Values.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ template "metallb.fullname" . }}:controller
  labels:
    {{- include "metallb.labels" . | nindent 4 }}
rules:
- apiGroups: [""]
  resources: ["services", "namespaces"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["list"]
- apiGroups: [""]
  resources: ["services/status"]
  verbs: ["update"]
- apiGroups: [""]
  resources: ["events"]
  verbs: ["create", "patch"]
- apiGroups: ["admissionregistration.k8s.io"]
  resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
  resourceNames: ["metallb-webhook-configuration"]
  verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- apiGroups: ["admissionregistration.k8s.io"]
  resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
  verbs: ["list", "watch"]
- apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions"]
  resourceNames: ["bfdprofiles.metallb.io","bgpadvertisements.metallb.io",
    "bgppeers.metallb.io","ipaddresspools.metallb.io","l2advertisements.metallb.io","communities.metallb.io"]
  verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions"]
  verbs: ["list", "watch"]
{{- if .Values.prometheus.secureMetricsPort }}
- apiGroups: ["authentication.k8s.io"]
  resources: ["tokenreviews"]
  verbs: ["create"]
- apiGroups: ["authorization.k8s.io"]
  resources: ["subjectaccessreviews"]
  verbs: ["create"]
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ template "metallb.fullname" . }}:speaker
  labels:
    {{- include "metallb.labels" . | nindent 4 }}
rules:
- apiGroups: [""]
  resources: ["services", "endpoints", "nodes", "namespaces"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["discovery.k8s.io"]
  resources: ["endpointslices"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["events"]
  verbs: ["create", "patch"]
- apiGroups: ["metallb.io"]
  resources: ["servicel2statuses","servicel2statuses/status"]
  verbs: ["*"]
{{- if .Values.prometheus.secureMetricsPort }}
- apiGroups: ["authentication.k8s.io"]
  resources: ["tokenreviews"]
  verbs: ["create"]
- apiGroups: ["authorization.k8s.io"]
  resources: ["subjectaccessreviews"]
  verbs: ["create"]
{{- end }}
{{- if or .Values.frrk8s.enabled .Values.frrk8s.external }}
- apiGroups: ["frrk8s.metallb.io"]
  resources: ["frrconfigurations"]
  verbs: ["get", "list", "watch","create","update"]
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ include "metallb.fullname" . }}-pod-lister
  namespace: {{ .Release.Namespace | quote }}
  labels: {{- include "metallb.labels" . | nindent 4 }}
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["list", "get"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["metallb.io"]
  resources: ["bfdprofiles"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["metallb.io"]
  resources: ["bgppeers"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["metallb.io"]
  resources: ["l2advertisements"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["metallb.io"]
  resources: ["bgpadvertisements"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["metallb.io"]
  resources: ["ipaddresspools"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["metallb.io"]
  resources: ["communities"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ include "metallb.fullname" . }}-controller
  namespace: {{ .Release.Namespace | quote }}
  labels: {{- include "metallb.labels" . | nindent 4 }}
rules:
{{- if .Values.speaker.memberlist.enabled }}
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create", "get", "list", "watch"]
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: [{{ include "metallb.secretName" . | quote }}]
  verbs: ["list"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  resourceNames: ["{{ template "metallb.fullname" . }}-controller"]
  verbs: ["get"]
{{- end }}
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- apiGroups: ["metallb.io"]
  resources: ["ipaddresspools"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["metallb.io"]
  resources: ["bgppeers"]
  verbs: ["get", "list"]
- apiGroups: ["metallb.io"]
  resources: ["bgpadvertisements"]
  verbs: ["get", "list"]
- apiGroups: ["metallb.io"]
  resources: ["l2advertisements"]
  verbs: ["get", "list"]
- apiGroups: ["metallb.io"]
  resources: ["communities"]
  verbs: ["get", "list","watch"]
- apiGroups: ["metallb.io"]
  resources: ["bfdprofiles"]
  verbs: ["get", "list","watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ template "metallb.fullname" . }}:controller
  labels:
    {{- include "metallb.labels" . | nindent 4 }}
subjects:
- kind: ServiceAccount
  name: {{ template "metallb.controller.serviceAccountName" . }}
  namespace: {{ .Release.Namespace }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ template "metallb.fullname" . }}:controller
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ template "metallb.fullname" . }}:speaker
  labels:
    {{- include "metallb.labels" . | nindent 4 }}
subjects:
- kind: ServiceAccount
  name: {{ template "metallb.speaker.serviceAccountName" . }}
  namespace: {{ .Release.Namespace }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ template "metallb.fullname" . }}:speaker
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ include "metallb.fullname" . }}-pod-lister
  namespace: {{ .Release.Namespace | quote }}
  labels: {{- include "metallb.labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ include "metallb.fullname" . }}-pod-lister
subjects:
- kind: ServiceAccount
  name: {{ include "metallb.speaker.serviceAccountName" . }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ include "metallb.fullname" . }}-controller
  namespace: {{ .Release.Namespace | quote }}
  labels: {{- include "metallb.labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ include "metallb.fullname" . }}-controller
subjects:
- kind: ServiceAccount
  name: {{ include "metallb.controller.serviceAccountName" . }}
{{- end -}}