{{- if .Values.rbac.create }}
{{- /*
Namespaced RBAC for the Jenkins controller service account. Up to three
Role/RoleBinding pairs are rendered:
  * schedule-agents  - always, in the agent namespace (Kubernetes plugin)
  * read-secrets     - only when .Values.rbac.readSecrets is set
  * casc-reload      - only when the config-auto-reload sidecar is enabled
Helper output is resolved once here and reused so every document below agrees
on names, namespaces and the bound service account.
*/}}
{{- $fullName := include "jenkins.fullname" . -}}
{{- $appName := include "jenkins.name" . -}}
{{- $controllerNamespace := include "jenkins.namespace" . -}}
{{- $agentNamespace := include "jenkins.agent.namespace" . -}}
{{- $serviceAccount := include "jenkins.serviceAccountName" . -}}
# Role used by the Kubernetes plugin to schedule build agents. It is created in
# the agent namespace, so every verb below applies to all matching objects in
# that namespace, not only to the pods this chart launches: "create" on
# "pods/exec" allows running commands in any pod there, and "delete" covers any
# pod or persistentvolumeclaim. Running agents in a namespace of their own keeps
# that reach away from unrelated workloads.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ $fullName }}-schedule-agents
  namespace: {{ $agentNamespace }}
  labels:
    "app.kubernetes.io/name": '{{ $appName }}'
    {{- if .Values.renderHelmLabels }}
    "helm.sh/chart": "{{ include "jenkins.label" . }}"
    {{- end }}
    "app.kubernetes.io/managed-by": "{{ .Release.Service }}"
    "app.kubernetes.io/instance": "{{ .Release.Name }}"
    "app.kubernetes.io/component": "{{ .Values.controller.componentName }}"
rules:
  # Read access, including container logs and events, for agent bookkeeping.
  - apiGroups:
      - ""
    resources:
      - pods
      - pods/exec
      - pods/log
      - persistentvolumeclaims
      - events
    verbs:
      - get
      - list
      - watch
  # Write access needed to launch, attach to and tear down agent pods and
  # their workspace volumes.
  - apiGroups:
      - ""
    resources:
      - pods
      - pods/exec
      - persistentvolumeclaims
    verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
---
# Binds the Role above to the Jenkins controller's service account. The binding
# lives in the agent namespace because a Role only grants inside its own
# namespace; the subject is the service account from the controller namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ $fullName }}-schedule-agents
  namespace: {{ $agentNamespace }}
  labels:
    "app.kubernetes.io/name": '{{ $appName }}'
    {{- if .Values.renderHelmLabels }}
    "helm.sh/chart": "{{ include "jenkins.label" . }}"
    {{- end }}
    "app.kubernetes.io/managed-by": "{{ .Release.Service }}"
    "app.kubernetes.io/instance": "{{ .Release.Name }}"
    "app.kubernetes.io/component": "{{ .Values.controller.componentName }}"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ $fullName }}-schedule-agents
subjects:
  - kind: ServiceAccount
    name: {{ $serviceAccount }}
    namespace: {{ $controllerNamespace }}
{{- if .Values.rbac.readSecrets }}
---
# Optional: needed by the kubernetes-credentials-provider plugin
# (https://jenkinsci.github.io/kubernetes-credentials-provider-plugin/), which
# turns Secrets into Jenkins credentials. "list" and "watch" on the whole
# "secrets" resource return the contents of every Secret in the controller
# namespace, not only those meant for Jenkins, so keep unrelated Secrets out
# of this namespace when enabling it.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ $fullName }}-read-secrets
  namespace: {{ $controllerNamespace }}
  labels:
    "app.kubernetes.io/name": '{{ $appName }}'
    {{- if .Values.renderHelmLabels }}
    "helm.sh/chart": "{{ include "jenkins.label" . }}"
    {{- end }}
    "app.kubernetes.io/managed-by": "{{ .Release.Service }}"
    "app.kubernetes.io/instance": "{{ .Release.Name }}"
    "app.kubernetes.io/component": "{{ .Values.controller.componentName }}"
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
      - watch
      - list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ $fullName }}-read-secrets
  namespace: {{ $controllerNamespace }}
  labels:
    "app.kubernetes.io/name": '{{ $appName }}'
    {{- if .Values.renderHelmLabels }}
    "helm.sh/chart": "{{ include "jenkins.label" . }}"
    {{- end }}
    "app.kubernetes.io/managed-by": "{{ .Release.Service }}"
    "app.kubernetes.io/instance": "{{ .Release.Name }}"
    "app.kubernetes.io/component": "{{ .Values.controller.componentName }}"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ $fullName }}-read-secrets
subjects:
  - kind: ServiceAccount
    name: {{ $serviceAccount }}
    namespace: {{ $controllerNamespace }}
{{- end }}
{{- if .Values.controller.sidecars.configAutoReload.enabled }}
---
# The config-auto-reload sidecar watches ConfigMaps in the controller namespace
# and hands changed configuration to the controller; read-only access is all it
# gets. The RoleBinding below is named "-watch-configmaps" while the Role it
# references is "-casc-reload"; both derive from the chart fullname, so keep
# them in step when renaming either.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ $fullName }}-casc-reload
  namespace: {{ $controllerNamespace }}
  labels:
    "app.kubernetes.io/name": '{{ $appName }}'
    {{- if .Values.renderHelmLabels }}
    "helm.sh/chart": "{{ include "jenkins.label" . }}"
    {{- end }}
    "app.kubernetes.io/managed-by": "{{ .Release.Service }}"
    "app.kubernetes.io/instance": "{{ .Release.Name }}"
    "app.kubernetes.io/component": "{{ .Values.controller.componentName }}"
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
      - watch
      - list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ $fullName }}-watch-configmaps
  namespace: {{ $controllerNamespace }}
  labels:
    "app.kubernetes.io/name": '{{ $appName }}'
    {{- if .Values.renderHelmLabels }}
    "helm.sh/chart": "{{ include "jenkins.label" . }}"
    {{- end }}
    "app.kubernetes.io/managed-by": "{{ .Release.Service }}"
    "app.kubernetes.io/instance": "{{ .Release.Name }}"
    "app.kubernetes.io/component": "{{ .Values.controller.componentName }}"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ $fullName }}-casc-reload
subjects:
  - kind: ServiceAccount
    name: {{ $serviceAccount }}
    namespace: {{ $controllerNamespace }}
{{- end }}
{{- end }}