{{- if .Values.serviceAccount.lvmController.create -}}
kind: ServiceAccount
apiVersion: v1
metadata:
  name: {{ .Values.serviceAccount.lvmController.name }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "lvmlocalpv.lvmController.labels" . | nindent 4 }}
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: openebs-lvm-provisioner-role
  labels:
    {{- include "lvmlocalpv.lvmController.labels" . | nindent 4 }}
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list"]
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["persistentvolumes", "services"]
    verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims/status"]
    verbs: ["update", "patch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses", "csinodes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [ "storage.k8s.io" ]
    resources: [ "csistoragecapacities"]
    verbs: ["*"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["list", "watch", "create", "update", "patch"]
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "watch", "list", "delete", "update", "create"]
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch", "update", "patch"]
  - apiGroups: ["local.openebs.io"]
    resources: ["lvmvolumes", "lvmsnapshots", "lvmnodes"]
    verbs: ["*"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: openebs-lvm-provisioner-binding
  labels:
    {{- include "lvmlocalpv.lvmController.labels" . | nindent 4 }}
subjects:
  - kind: ServiceAccount
    name: {{ .Values.serviceAccount.lvmController.name }}
    namespace: {{ .Release.Namespace }}
roleRef:
  kind: ClusterRole
  name: openebs-lvm-provisioner-role
  apiGroup: rbac.authorization.k8s.io
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: openebs-lvm-snapshotter-role
  labels:
    {{- include "lvmlocalpv.lvmController.labels" . | nindent 4 }}
rules:
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["list", "watch", "create", "update", "patch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotcontents"]
    verbs: ["create", "get", "list", "watch", "update", "delete"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshots"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotcontents/status"]
    verbs: ["update"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshots/status"]
    verbs: ["update"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["create", "list", "watch", "delete"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: openebs-lvm-snapshotter-binding
  labels:
    {{- include "lvmlocalpv.lvmController.labels" . | nindent 4 }}
subjects:
  - kind: ServiceAccount
    name: {{ .Values.serviceAccount.lvmController.name }}
    namespace: {{ .Release.Namespace }}
roleRef:
  kind: ClusterRole
  name: openebs-lvm-snapshotter-role
  apiGroup: rbac.authorization.k8s.io
---
{{- end }}
{{- if .Values.serviceAccount.lvmNode.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ .Values.serviceAccount.lvmNode.name }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "lvmlocalpv.lvmNode.labels" . | nindent 4 }}
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: openebs-lvm-driver-registrar-role
  labels:
    {{- include "lvmlocalpv.lvmNode.labels" . | nindent 4 }}
rules:
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
  - apiGroups: [""]
    resources: ["persistentvolumes", "nodes", "services"]
    verbs: ["get", "list"]
  - apiGroups: ["local.openebs.io"]
    resources: ["lvmvolumes", "lvmsnapshots", "lvmnodes"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: openebs-lvm-driver-registrar-binding
  labels:
    {{- include "lvmlocalpv.lvmNode.labels" . | nindent 4 }}
subjects:
  - kind: ServiceAccount
    name: {{ .Values.serviceAccount.lvmNode.name }}
    namespace: {{ .Release.Namespace }}
roleRef:
  kind: ClusterRole
  name: openebs-lvm-driver-registrar-role
  apiGroup: rbac.authorization.k8s.io

{{- if .Values.rbac.pspEnabled }}
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: openebs-lvm-node-role
  labels:
    {{- include "lvmlocalpv.lvmNode.labels" . | nindent 4 }}
rules:
- apiGroups: ['policy']
  resources: ['podsecuritypolicies']
  verbs:     ['use']
  resourceNames:
  - openebs-lvm-node-psp
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: openebs-lvm-node-binding
  labels:
    {{- include "lvmlocalpv.lvmNode.labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: openebs-lvm-node-role
subjects:
  - kind: ServiceAccount
    name: {{ .Values.serviceAccount.lvmNode.name }}
    namespace: {{ $.Release.Namespace }}
{{- end }}
{{- end }}