kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ include "nudgebee-agent.fullname" . }}-runner-cluster-role
  namespace : {{ .Release.Namespace }}
  {{ if .Values.runner.serviceAccount.annotations }}
  annotations:
    {{ toYaml .Values.runner.serviceAccount.annotations | indent 4 }}
  {{- end }}
rules:
  {{- if .Values.runner.customClusterRoleRules }}
{{ toYaml .Values.runner.customClusterRoleRules | indent 2 }}
  {{- end }}
  - apiGroups:
      - ""
    resources:
      - configmaps
      - daemonsets
      - deployments
      - events
      - namespaces
      - persistentvolumes
      - persistentvolumeclaims
      - pods
      - pods/status
      - pods/exec
      - pods/log
      - replicasets
      - replicationcontrollers
      - services
      - serviceaccounts
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch

  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
      - list
      - watch
      - patch

  - apiGroups:
      - ""
    resources:
      - configmaps
      - persistentvolumes
      - persistentvolumeclaims
      - pods
      - pods/status
      - pods/exec
      - pods/log
      - pods/eviction
      - pods/ephemeralcontainers
    verbs:
      - delete
      - create
      - patch
      - update

  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - create
      - list
      - get

  - apiGroups:
      - "apiregistration.k8s.io"
    resources:
      - apiservices
    verbs:
      - get
      - list

  - apiGroups:
      - "rbac.authorization.k8s.io"
    resources:
      - clusterroles
      - clusterrolebindings
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - "autoscaling"
    resources:
      - horizontalpodautoscalers
    verbs:
      - get
      - list
      - watch
      - patch
      - update

  - apiGroups:
      - apps
    resources:
      - daemonsets
      - deployments
      - deployments/scale
      - replicasets
      - replicasets/scale
      - statefulsets
    verbs:
      - get
      - list
      - watch
      - patch
      - update
      - delete
      - put

  - apiGroups:
      - extensions
    resources:
      - daemonsets
      - deployments
      - deployments/scale
      - ingresses
      - replicasets
      - replicasets/scale
      - replicationcontrollers/scale
    verbs:
      - get
      - list
      - watch
      - patch
      - update

  - apiGroups:
      - batch
    resources:
      - cronjobs
      - jobs
    verbs:
      - get
      - list
      - watch
      - patch
      - delete
      - create

  - apiGroups:
      - "events.k8s.io"
    resources:
      - events
    verbs:
      - get
      - list

  - apiGroups:
      - networking.k8s.io
    resources:
    - ingresses
    - networkpolicies
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - autoscaling
    resources:
    - horizontalpodautoscalers
    verbs:
      - get
      - list
  - apiGroups:
      - "policy"
    resources:
    - poddisruptionbudgets
    - podsecuritypolicies
    verbs:
      - get
      - list
      - update
      - patch
  
  # Resources affected by API deprecations/deletions
  - apiGroups:
      - "scheduling.k8s.io"
    resources:
      - priorityclasses
    verbs:
      - get
      - list
      - watch
  
  - apiGroups:
      - "storage.k8s.io"
    resources:
      - storageclasses
      - volumeattachments
      - csidrivers
      - csinodes
      - csistoragecapacities
    verbs:
      - get
      - list
      - watch
  
  - apiGroups:
      - "coordination.k8s.io"
    resources:
      - leases
    verbs:
      - get
      - list
      - watch
  
  - apiGroups:
      - "discovery.k8s.io"
    resources:
      - endpointslices
    verbs:
      - get
      - list
      - watch
  
  - apiGroups:
      - "node.k8s.io"
    resources:
      - runtimeclasses
    verbs:
      - get
      - list
      - watch
  
  - apiGroups:
      - "admissionregistration.k8s.io"
    resources:
      - mutatingwebhookconfigurations
      - validatingwebhookconfigurations
    verbs:
      - get
      - list
      - watch
  
  - apiGroups:
      - "flowcontrol.apiserver.k8s.io"
    resources:
      - flowschemas
      - prioritylevelconfigurations
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
    - clusterroles
    - clusterrolebindings
    - roles
    - rolebindings
    verbs:
      - get
      - list

  - apiGroups:
      - cert-manager.io
    resources:
      - certificates
    verbs:
      - get
      - list
      - watch

  - apiGroups:
      - "monitoring.coreos.com"
    resources:
      - prometheusrules
    verbs:
      - get
      - list
      - delete
      - create
      - patch
      - update
      
  - apiGroups: ["metrics.k8s.io"]
    resources:
    - pods
    - nodes
    verbs:     ["get", "list"]
{{- if (.Capabilities.APIVersions.Has "argoproj.io/v1alpha1/Rollout") }}
  - apiGroups:
    - argoproj.io
    resources:
    - rollouts
    verbs:
    - get
    - list
    - patch
    - update
{{- end }}

{{- if or (.Capabilities.APIVersions.Has "karpenter.sh/v1beta1/NodePool") (.Capabilities.APIVersions.Has "karpenter.sh/v1/NodePool") }}
  - apiGroups: 
    - karpenter.sh
    resources: 
    - nodepools
    - nodepools/status
    - nodeclaims
    - nodeclaims/status
    verbs: 
    - get 
    - list
    - watch
    - create
    - delete
    - patch
    - update
{{- end }}

{{- if or (.Capabilities.APIVersions.Has "karpenter.k8s.aws/v1beta1/EC2NodeClass") (.Capabilities.APIVersions.Has "karpenter.k8s.aws/v1/EC2NodeClass") }}
  - apiGroups: 
    - karpenter.k8s.aws
    resources: 
    - ec2nodeclasses
    verbs: 
    - get 
    - list
    - watch
    - create
    - delete
    - update
    - patch
{{- end }}

{{- if .Capabilities.APIVersions.Has "karpenter.azure.com/v1alpha2/AKSNodeClass" }}
  - apiGroups: 
    - karpenter.azure.com
    resources: 
    - aksnodeclasses
    verbs: 
    - get 
    - list
    - watch
    - create
    - delete
    - update
    - patch
{{- end }}

{{- if .Capabilities.APIVersions.Has "snapshot.storage.k8s.io/v1/VolumeSnapshot" }}
  - apiGroups:
      - snapshot.storage.k8s.io
    resources:
      - volumesnapshots
    verbs:
      - get
      - list
      - watch
      - create
      - update
{{- end }}

{{- if .Values.openshift.enabled }}
  - apiGroups:
    - security.openshift.io
    resources:
    - securitycontextconstraints
    verbs:
    - use
    resourceNames:
    - {{ if .Values.openshift.createScc }}"{{ include "nudgebee-agent.fullname" . }}-scc"{{ else }}{{ .Values.openshift.sccName | quote }}{{ end }}
  - apiGroups:
    - monitoring.coreos.com
    resources:
    - servicemonitors
    - prometheusrules
    - alertmanagers
    - silences
    - podmonitors
    verbs: 
    - get
    - list
    - watch
    - create
    - update
    - patch
    - delete
    - deletecollection
{{- if .Values.openshift.createPrivilegedScc }}
    - {{ include "nudgebee-agent.fullname" . }}-scc-privileged
{{- end }}
{{- if .Values.openshift.privilegedSccName }}
    - {{ .Values.openshift.privilegedSccName }}
{{- end }}
{{- end }}

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ include "nudgebee-agent.fullname" . }}-runner-service-account
  namespace: {{ .Release.Namespace }}
{{- if .Values.runnerServiceAccount.imagePullSecrets }}
imagePullSecrets:
{{- toYaml .Values.runnerServiceAccount.imagePullSecrets | nindent 2}}
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "nudgebee-agent.fullname" . }}-runner-cluster-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "nudgebee-agent.fullname" . }}-runner-cluster-role
subjects:
  - kind: ServiceAccount
    name: {{ include "nudgebee-agent.fullname" . }}-runner-service-account
    namespace: {{ .Release.Namespace }}