#! Copyright 2020 the Pinniped contributors. All Rights Reserved.
#! SPDX-License-Identifier: Apache-2.0

#@ load("@ytt:data", "data")
#@ load("helpers.lib.yaml", "labels", "namespace", "defaultResourceName", "defaultResourceNameWithSuffix")

#! Give permission to various objects within the app's own namespace
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: #@ defaultResourceName()
  namespace: #@ namespace()
  labels: #@ labels()
rules:
  - apiGroups: [""]
    resources: [secrets]
    verbs: [create, get, list, patch, update, watch, delete]
  - apiGroups: [config.supervisor.pinniped.dev]
    resources: [oidcproviders]
    verbs: [update, get, list, watch]
  - apiGroups: [idp.supervisor.pinniped.dev]
    resources: [upstreamoidcproviders]
    verbs: [get, list, watch]
  - apiGroups: [idp.supervisor.pinniped.dev]
    resources: [upstreamoidcproviders/status]
    verbs: [get, patch, update]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: #@ defaultResourceName()
  namespace: #@ namespace()
  labels: #@ labels()
subjects:
  - kind: ServiceAccount
    name: #@ defaultResourceName()
    namespace: #@ namespace()
roleRef:
  kind: Role
  name: #@ defaultResourceName()
  apiGroup: rbac.authorization.k8s.io