#! Copyright 2020 the Pinniped contributors. All Rights Reserved.
#! SPDX-License-Identifier: Apache-2.0

#@ load("@ytt:data", "data")

#! Give permission to various cluster-scoped objects
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: #@ data.values.app_name + "-aggregated-api-server"
rules:
  - apiGroups: [""]
    resources: [namespaces]
    verbs: [get, list, watch]
  - apiGroups: [apiregistration.k8s.io]
    resources: [apiservices]
    verbs: [create, get, list, patch, update, watch]
  - apiGroups: [admissionregistration.k8s.io]
    resources: [validatingwebhookconfigurations, mutatingwebhookconfigurations]
    verbs: [get, list, watch]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: #@ data.values.app_name + "-aggregated-api-server"
subjects:
  - kind: ServiceAccount
    name: #@ data.values.app_name
    namespace: #@ data.values.namespace
roleRef:
  kind: ClusterRole
  name: #@ data.values.app_name + "-aggregated-api-server"
  apiGroup: rbac.authorization.k8s.io

#! Give permission to various objects within the app's own namespace
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: #@ data.values.app_name + "-aggregated-api-server"
  namespace: #@ data.values.namespace
rules:
  - apiGroups: [""]
    resources: [services]
    verbs: [create, get, list, patch, update, watch]
  - apiGroups: [""]
    resources: [secrets]
    verbs: [create, get, list, patch, update, watch, delete]
  #! We need to be able to CRUD pods in our namespace so we can reconcile the kube-cert-agent pods.
  - apiGroups: [""]
    resources: [pods]
    verbs: [create, get, list, patch, update, watch, delete]
  #! We need to be able to exec into pods in our namespace so we can grab the API server's private key
  - apiGroups: [""]
    resources: [pods/exec]
    verbs: [create]
  - apiGroups: [config.pinniped.dev, idp.pinniped.dev]
    resources: ["*"]
    verbs: [create, get, list, update, watch]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: #@ data.values.app_name + "-aggregated-api-server"
  namespace: #@ data.values.namespace
subjects:
  - kind: ServiceAccount
    name: #@ data.values.app_name
    namespace: #@ data.values.namespace
roleRef:
  kind: Role
  name: #@ data.values.app_name + "-aggregated-api-server"
  apiGroup: rbac.authorization.k8s.io

#! Give permission to read pods in the kube-system namespace so we can find the API server's private key
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: #@ data.values.app_name + "-kube-system-pod-read"
  namespace: kube-system
rules:
  - apiGroups: [""]
    resources: [pods]
    verbs: [get, list, watch]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: #@ data.values.app_name + "-kube-system-pod-read"
  namespace: kube-system
subjects:
  - kind: ServiceAccount
    name: #@ data.values.app_name
    namespace: #@ data.values.namespace
roleRef:
  kind: Role
  name: #@ data.values.app_name + "-kube-system-pod-read"
  apiGroup: rbac.authorization.k8s.io

#! Allow both authenticated and unauthenticated TokenCredentialRequests (i.e. allow all requests)
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: #@ data.values.app_name + "-create-token-credential-requests"
rules:
  - apiGroups: [login.pinniped.dev]
    resources: [tokencredentialrequests]
    verbs: [create]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: #@ data.values.app_name + "-create-token-credential-requests"
subjects:
  - kind: Group
    name: system:authenticated
    apiGroup: rbac.authorization.k8s.io
  - kind: Group
    name: system:unauthenticated
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: #@ data.values.app_name + "-create-token-credential-requests"
  apiGroup: rbac.authorization.k8s.io

#! Give permissions for subjectaccessreviews, tokenreview that is needed by aggregated api servers
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: #@ data.values.app_name
  namespace: #@ data.values.namespace
subjects:
  - kind: ServiceAccount
    name: #@ data.values.app_name
    namespace: #@ data.values.namespace
roleRef:
  kind: ClusterRole
  name: system:auth-delegator
  apiGroup: rbac.authorization.k8s.io

#! Give permissions for a special configmap of CA bundles that is needed by aggregated api servers
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: #@ data.values.app_name + "-extension-apiserver-authentication-reader"
  namespace: kube-system
subjects:
  - kind: ServiceAccount
    name: #@ data.values.app_name
    namespace: #@ data.values.namespace
roleRef:
  kind: Role
  name: extension-apiserver-authentication-reader
  apiGroup: rbac.authorization.k8s.io

#! Give permission to list and watch ConfigMaps in kube-public
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: #@ data.values.app_name + "-cluster-info-lister-watcher"
  namespace: kube-public
rules:
  - apiGroups: [""]
    resources: [configmaps]
    verbs: [list, watch]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: #@ data.values.app_name + "-cluster-info-lister-watcher"
  namespace: kube-public
subjects:
  - kind: ServiceAccount
    name: #@ data.values.app_name
    namespace: #@ data.values.namespace
roleRef:
  kind: Role
  name: #@ data.values.app_name + "-cluster-info-lister-watcher"
  apiGroup: rbac.authorization.k8s.io