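{{- if .Values.createServiceAccount }}
# Everything in this file (ClusterRole, ServiceAccount and the bindings) is
# gated on createServiceAccount: switching it off also skips the RBAC grant.
#
# The ClusterRole is cluster-wide and read-only: every rule grants only
# get/list/watch, and the core-group rule deliberately does not include
# `secrets`. `pods/log` read access still exposes whatever workloads write
# to their logs, so treat this role as able to see application log content.
# Being cluster-scoped, the ClusterRole carries no metadata.namespace.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ .Release.Name }}-holmes-cluster-role
# customClusterRoleRules are appended verbatim and widen this cluster-wide
# grant; review any value supplied there with the same care as the rules below.
rules:
{{- if .Values.customClusterRoleRules }}
{{ toYaml .Values.customClusterRoleRules | indent 2 }}
{{- end }}
  - apiGroups:
      - storage.k8s.io
    resources:
      - storageclasses
    verbs:
      - list
      - get
      - watch
  - apiGroups:
      - metrics.k8s.io
    resources:
      - pods
      - nodes
    verbs:
      - get
      - list
  # Core API group: workload and namespace objects, intentionally without secrets.
  - apiGroups:
      - ""
    resources:
      - configmaps
      - daemonsets
      - deployments
      - events
      - namespaces
      - persistentvolumes
      - persistentvolumeclaims
      - pods
      - pods/status
      - pods/log
      - replicasets
      - replicationcontrollers
      - services
      - serviceaccounts
      - endpoints
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - apiregistration.k8s.io
    resources:
      - apiservices
    verbs:
      - get
      - list
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - clusterroles
      - clusterrolebindings
    verbs:
      - get
      - list
      - watch
  # roles/rolebindings were only ever granted get/list; kept that way rather
  # than folded into the clusterroles rule, which would add watch.
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - roles
      - rolebindings
    verbs:
      - get
      - list
  - apiGroups:
      - autoscaling
    resources:
      - horizontalpodautoscalers
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - apps
    resources:
      - daemonsets
      - deployments
      - deployments/scale
      - replicasets
      - replicasets/scale
      - statefulsets
    verbs:
      - get
      - list
      - watch
  # The extensions group no longer serves these kinds on current clusters;
  # the rule is inert there and only matters for older API servers.
  - apiGroups:
      - extensions
    resources:
      - daemonsets
      - deployments
      - deployments/scale
      - ingresses
      - replicasets
      - replicasets/scale
      - replicationcontrollers/scale
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - batch
    resources:
      - cronjobs
      - jobs
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - events.k8s.io
    resources:
      - events
    verbs:
      - get
      - list
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - list
      - get
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
      - networkpolicies
    verbs:
      - get
      - list
      - watch
  # podsecuritypolicies were removed from the API in Kubernetes 1.25; the
  # entry is inert on such clusters and harmless in an RBAC rule.
  - apiGroups:
      - policy
    resources:
      - poddisruptionbudgets
      - podsecuritypolicies
    verbs:
      - get
      - list
{{- if .Values.openshift }}
  - apiGroups:
      - apps.openshift.io
    resources:
      - deploymentconfigs
    verbs:
      - get
      - list
      - watch
{{- end }}
  # Prometheus CRDs
  - apiGroups:
      - monitoring.coreos.com
    resources:
      - alertmanagers
      - alertmanagers/finalizers
      - alertmanagers/status
      - alertmanagerconfigs
      - prometheuses
      - prometheuses/finalizers
      - prometheuses/status
      - prometheusagents
      - prometheusagents/finalizers
      - prometheusagents/status
      - thanosrulers
      - thanosrulers/finalizers
      - thanosrulers/status
      - scrapeconfigs
      - servicemonitors
      - podmonitors
      - probes
      - prometheusrules
    verbs:
      - get
      - list
      - watch
  # Optional read access to third-party CRDs, each behind its own
  # crdPermissions.* flag so only the integrations in use are granted.
{{- if .Values.crdPermissions.argo }}
  - apiGroups:
      - argoproj.io
    resources:
      - applications
      - applicationsets
      - appprojects
      - workflows
      - workflowtemplates
      - cronworkflows
      - rollouts
      - analysisruns
      - analysistemplates
      - experiments
      - eventsources
      - sensors
    verbs:
      - get
      - list
      - watch
{{- end }}
{{- if .Values.crdPermissions.flux }}
  - apiGroups:
      - source.toolkit.fluxcd.io
    resources:
      - gitrepositories
      - helmrepositories
      - helmcharts
      - buckets
      - ocirepositories
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - kustomize.toolkit.fluxcd.io
    resources:
      - kustomizations
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - helm.toolkit.fluxcd.io
    resources:
      - helmreleases
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - notification.toolkit.fluxcd.io
    resources:
      - alerts
      - providers
      - receivers
    verbs:
      - get
      - list
      - watch
{{- end }}
{{- if .Values.crdPermissions.kafka }}
  - apiGroups:
      - kafka.strimzi.io
    resources:
      - kafkas
      - kafkatopics
      - kafkausers
      - kafkaconnects
      - kafkaconnectors
      - kafkamirrormakers
      - kafkabridges
      - kafkarebalances
    verbs:
      - get
      - list
      - watch
{{- end }}
{{- if .Values.crdPermissions.keda }}
  - apiGroups:
      - keda.sh
    resources:
      - scaledobjects
      - scaledjobs
      - triggerauthentications
      - clustertriggerauthentications
    verbs:
      - get
      - list
      - watch
{{- end }}
{{- if .Values.crdPermissions.crossplane }}
  - apiGroups:
      - pkg.crossplane.io
    resources:
      - providers
      - configurations
      - functions
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - apiextensions.crossplane.io
    resources:
      - compositions
      - compositeresourcedefinitions
    verbs:
      - get
      - list
      - watch
{{- end }}
{{- if .Values.crdPermissions.istio }}
  - apiGroups:
      - networking.istio.io
    resources:
      - virtualservices
      - destinationrules
      - gateways
      - serviceentries
      - sidecars
      - workloadentries
      - workloadgroups
      - proxyconfigs
      - envoyfilters
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - telemetry.istio.io
    resources:
      - telemetries
    verbs:
      - get
      - list
      - watch
{{- end }}
{{- if .Values.crdPermissions.gatewayApi }}
  - apiGroups:
      - gateway.networking.k8s.io
    resources:
      - gatewayclasses
      - gateways
      - httproutes
      - tcproutes
      - tlsroutes
      - udproutes
      - grpcroutes
      - referencegrants
    verbs:
      - get
      - list
      - watch
{{- end }}
{{- if .Values.crdPermissions.velero }}
  - apiGroups:
      - velero.io
    resources:
      - backups
      - restores
      - schedules
      - backupstoragelocations
      - volumesnapshotlocations
      - podvolumebackups
      - podvolumerestores
      - downloadrequests
      - deletebackuprequests
      - serverstatusrequests
    verbs:
      - get
      - list
      - watch
{{- end }}
{{- if .Values.crdPermissions.externalSecrets }}
  - apiGroups:
      - external-secrets.io
    resources:
      - externalsecrets
      - secretstores
      - clustersecretstores
      - clusterexternalsecrets
    verbs:
      - get
      - list
      - watch
{{- end }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ include "holmes.serviceAccountName" . }}
  namespace: {{ .Release.Namespace }}
  {{- with .Values.serviceAccount.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
{{- with .Values.serviceAccount.imagePullSecrets }}
imagePullSecrets:
  {{- toYaml . | nindent 2 }}
{{- end }}
---
# Binds the read-only ClusterRole above to the release's service account.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ .Release.Name }}-holmes-cluster-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ .Release.Name }}-holmes-cluster-role
subjects:
  - kind: ServiceAccount
    name: {{ include "holmes.serviceAccountName" . }}
    namespace: {{ .Release.Namespace }}
{{- if .Values.openshift }}
---
# On OpenShift, additionally bind the service account to the platform's
# built-in cluster-monitoring-view ClusterRole (read access to cluster
# monitoring); this is a second, separate grant on top of the role above.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ .Release.Name }}-holmes-cluster-monitoring
subjects:
  - kind: ServiceAccount
    name: {{ include "holmes.serviceAccountName" . }}
    namespace: {{ .Release.Namespace }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-monitoring-view
{{- end }}
{{- end }}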