#! Copyright 2020 VMware, Inc.
#! SPDX-License-Identifier: Apache-2.0

#@ load("@ytt:data", "data")

#! Give permission to various cluster-scoped objects
---
#! ClusterRole for the app's aggregated API server: read-only access to
#! namespaces and admission webhook configurations, plus write access to
#! APIService objects (create/patch/update; no delete).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: #@ data.values.app_name + "-aggregated-api-server-cluster-role"
rules:
  #! Read-only on namespaces.
  - apiGroups: [""]
    resources: [namespaces]
    verbs: [get, list, watch]
  #! Presumably so the server can register its own APIService with the
  #! aggregation layer. This is a cluster-scoped write; keep the verb list
  #! minimal and audit changes to it.
  - apiGroups: [apiregistration.k8s.io]
    resources: [apiservices]
    verbs: [create, get, list, patch, update, watch]
  #! Read-only on validating and mutating webhook configurations.
  - apiGroups: [admissionregistration.k8s.io]
    resources: [validatingwebhookconfigurations, mutatingwebhookconfigurations]
    verbs: [get, list, watch]
---
#! Binds the cluster-scoped role above to the app's service account, which
#! lives in the app's own namespace.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: #@ data.values.app_name + "-aggregated-api-server-cluster-role-binding"
subjects:
  - kind: ServiceAccount
    name: #@ data.values.app_name + "-service-account"
    namespace: #@ data.values.namespace
roleRef:
  kind: ClusterRole
  name: #@ data.values.app_name + "-aggregated-api-server-cluster-role"
  apiGroup: rbac.authorization.k8s.io

#! Give permission to various objects within the app's own namespace
---
#! Role scoped to the app's own namespace. The secrets rule is the only one
#! here with `delete`, and no rule uses resourceNames, so the service account
#! can read and modify every Secret in this namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: #@ data.values.app_name + "-aggregated-api-server-role"
  namespace: #@ data.values.namespace
rules:
  #! Write access to Services (no delete).
  - apiGroups: [""]
    resources: [services]
    verbs: [create, get, list, patch, update, watch]
  #! Full write access to Secrets, including delete.
  - apiGroups: [""]
    resources: [secrets]
    verbs: [create, get, list, patch, update, watch, delete]
  #! The app's own CRD; note `patch` and `delete` are not granted.
  - apiGroups: [crd.pinniped.dev]
    resources: [credentialissuerconfigs]
    verbs: [create, get, list, update, watch]
---
#! Binds the namespaced role above to the app's service account in the same
#! namespace.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: #@ data.values.app_name + "-aggregated-api-server-role-binding"
  namespace: #@ data.values.namespace
subjects:
  - kind: ServiceAccount
    name: #@ data.values.app_name + "-service-account"
    namespace: #@ data.values.namespace
roleRef:
  kind: Role
  name: #@ data.values.app_name + "-aggregated-api-server-role"
  apiGroup: rbac.authorization.k8s.io

#! Give permission to list pods and pod exec in the kube-system namespace so we can find the API server's private key
---
#! Role in kube-system: read pods and exec into them. `create` on pods/exec is
#! a high-privilege grant (it allows running commands inside any pod in
#! kube-system, and there is no resourceNames restriction here), so treat any
#! change to this rule set as security-relevant and keep it namespace-scoped.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: #@ data.values.app_name + "-kube-system-pod-exec-role"
  namespace: kube-system
rules:
  #! Read-only on pods (no watch).
  - apiGroups: [""]
    resources: [pods]
    verbs: [get, list]
  #! Exec into pods; see the note above.
  - apiGroups: [""]
    resources: [pods/exec]
    verbs: [create]
---
#! Binds the kube-system pod/exec role to the app's service account. The
#! binding lives in kube-system while the subject lives in the app namespace.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: #@ data.values.app_name + "-kube-system-pod-exec-role-binding"
  namespace: kube-system
subjects:
  - kind: ServiceAccount
    name: #@ data.values.app_name + "-service-account"
    namespace: #@ data.values.namespace
roleRef:
  kind: Role
  name: #@ data.values.app_name + "-kube-system-pod-exec-role"
  apiGroup: rbac.authorization.k8s.io

#! Allow both authenticated and unauthenticated CredentialRequests (i.e. allow all requests)
---
#! ClusterRole that permits only `create` on credentialrequests. No read
#! verbs are granted, so callers can submit a request but not list or get
#! others' requests.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: #@ data.values.app_name + "-credentialrequests-cluster-role"
rules:
  - apiGroups: [pinniped.dev]
    resources: [credentialrequests]
    verbs: [create]
---
#! Binds the credentialrequests ClusterRole to every caller, including
#! anonymous ones. The system:unauthenticated subject only has an effect when
#! the API server accepts anonymous requests. NOTE(review): this relies on the
#! credentialrequests endpoint validating the submitted credential itself
#! rather than on RBAC — confirm against the API server implementation.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: #@ data.values.app_name + "-credentialrequests-cluster-role-binding"
subjects:
  - kind: Group
    name: system:authenticated
    apiGroup: rbac.authorization.k8s.io
  - kind: Group
    name: system:unauthenticated
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: #@ data.values.app_name + "-credentialrequests-cluster-role"
  apiGroup: rbac.authorization.k8s.io

#! Give permissions for subjectaccessreviews and tokenreviews, which are needed by aggregated API servers
---
#! Grants the built-in system:auth-delegator ClusterRole (subject access and
#! token review) to the app's service account.
#! NOTE(review): ClusterRoleBinding is cluster-scoped, so the metadata.namespace
#! field below has no effect (the API server clears it on create); consider
#! removing it so that diff/apply tooling does not report spurious drift.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: #@ data.values.app_name + "-service-account-cluster-role-binding"
  namespace: #@ data.values.namespace
subjects:
  - kind: ServiceAccount
    name: #@ data.values.app_name + "-service-account"
    namespace: #@ data.values.namespace
roleRef:
  kind: ClusterRole
  name: system:auth-delegator
  apiGroup: rbac.authorization.k8s.io

#! Give permission to read the special ConfigMap of CA bundles that is needed by aggregated API servers
---
#! Lets the app's service account read the kube-system ConfigMap of CA
#! bundles used by the aggregation layer, via the built-in
#! extension-apiserver-authentication-reader Role. Read-only.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: #@ data.values.app_name + "-extension-apiserver-authentication-reader-role-binding"
  namespace: kube-system
subjects:
  - kind: ServiceAccount
    name: #@ data.values.app_name + "-service-account"
    namespace: #@ data.values.namespace
roleRef:
  kind: Role
  name: extension-apiserver-authentication-reader
  apiGroup: rbac.authorization.k8s.io

#! Give permission to list and watch ConfigMaps in kube-public
---
#! Role in kube-public: list and watch ConfigMaps. This covers every
#! ConfigMap in kube-public, not only cluster-info (no resourceNames
#! restriction); `get` is not granted.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: #@ data.values.app_name + "-cluster-info-lister-watcher-role"
  namespace: kube-public
rules:
  - apiGroups: [""]
    resources: [configmaps]
    verbs: [list, watch]
---
#! Binds the kube-public ConfigMap list/watch role to the app's service
#! account. The binding lives in kube-public; the subject in the app namespace.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: #@ data.values.app_name + "-cluster-info-lister-watcher-role-binding"
  namespace: kube-public
subjects:
  - kind: ServiceAccount
    name: #@ data.values.app_name + "-service-account"
    namespace: #@ data.values.namespace
roleRef:
  kind: Role
  name: #@ data.values.app_name + "-cluster-info-lister-watcher-role"
  apiGroup: rbac.authorization.k8s.io