#@ load("@ytt:data", "data")

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: #@ data.values.app_name + "-aggregated-api-server-cluster-role"
rules:
  - apiGroups: [""]
    resources: [namespaces]
    verbs: [get, list, watch]
  - apiGroups: [apiregistration.k8s.io]
    resources: [apiservices]
    verbs: [create, get, list, patch, update, watch]
  - apiGroups: [admissionregistration.k8s.io]
    resources: [validatingwebhookconfigurations, mutatingwebhookconfigurations]
    verbs: [get, list, watch]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: #@ data.values.app_name + "-aggregated-api-server-cluster-role-binding"
subjects:
  - kind: ServiceAccount
    name: #@ data.values.app_name + "-service-account"
    namespace: #@ data.values.namespace
roleRef:
  kind: ClusterRole
  name: #@ data.values.app_name + "-aggregated-api-server-cluster-role"
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: #@ data.values.app_name + "-aggregated-api-server-role"
  namespace: #@ data.values.namespace
rules:
  - apiGroups: [""]
    resources: [services]
    verbs: [create, get, list, patch, update, watch]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: #@ data.values.app_name + "-aggregated-api-server-role-binding"
  namespace: #@ data.values.namespace
subjects:
  - kind: ServiceAccount
    name: #@ data.values.app_name + "-service-account"
    namespace: #@ data.values.namespace
roleRef:
  kind: Role
  name: #@ data.values.app_name + "-aggregated-api-server-role"
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: #@ data.values.app_name + "-loginrequests-cluster-role"
rules:
  - apiGroups: [placeholder.suzerain-io.github.io]
    resources: [loginrequests]
    verbs: [create]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: #@ data.values.app_name + "-loginrequests-cluster-role-binding"
subjects:
  #! both authenticated and unauthenticated requests (i.e. all requests) should be allowed
  - kind: Group
    name: system:authenticated
    apiGroup: rbac.authorization.k8s.io
  - kind: Group
    name: system:unauthenticated
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: #@ data.values.app_name + "-loginrequests-cluster-role"
  apiGroup: rbac.authorization.k8s.io
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: #@ data.values.app_name + "-service-account-cluster-role-binding"
  namespace: #@ data.values.namespace
subjects:
  - kind: ServiceAccount
    name: #@ data.values.app_name + "-service-account"
    namespace: #@ data.values.namespace
roleRef:
  kind: ClusterRole
  #! give permissions for subjectaccessreviews, tokenreview that is needed by aggregated api servers
  name: system:auth-delegator
  apiGroup: rbac.authorization.k8s.io
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: #@ data.values.app_name + "-extension-apiserver-authentication-reader-role-binding"
  namespace: kube-system
subjects:
  - kind: ServiceAccount
    name: #@ data.values.app_name + "-service-account"
    namespace: #@ data.values.namespace
roleRef:
  kind: Role
  #! give permissions for a special configmap of CA bundles that is needed by aggregated api servers
  name: extension-apiserver-authentication-reader
  apiGroup: rbac.authorization.k8s.io