#! Copyright 2020 the Pinniped contributors. All Rights Reserved.
#! SPDX-License-Identifier: Apache-2.0

#@ load("@ytt:data", "data")

#! Give permission to various objects within the app's own namespace
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: #@ data.values.app_name
  namespace: #@ data.values.namespace
  labels:
    app: #@ data.values.app_name
rules:
  - apiGroups: [""]
    resources: [secrets]
    verbs: [create, get, list, patch, update, watch, delete]
  - apiGroups: [config.pinniped.dev]
    resources: [oidcproviderconfigs]
    verbs: [update, get, list, watch]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: #@ data.values.app_name
  namespace: #@ data.values.namespace
  labels:
    app: #@ data.values.app_name
subjects:
  - kind: ServiceAccount
    name: #@ data.values.app_name
    namespace: #@ data.values.namespace
roleRef:
  kind: Role
  name: #@ data.values.app_name
  apiGroup: rbac.authorization.k8s.io