apiVersion: rbac.authorization.k8s.io/v1
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
kind: Role
{{- else }}
kind: ClusterRole
{{- end }}
metadata:
  name: {{ include "secrets-operator.fullname" . }}-manager-role
  {{- if and .Values.scopedNamespace .Values.scopedRBAC }}
  namespace: {{ .Values.scopedNamespace | quote }}
  {{- end }}
  labels:
  {{- include "secrets-operator.labels" . | nindent 4 }}
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - secrets
  verbs:
  - create
  - delete
  - get
  - list
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - serviceaccounts/token
  verbs:
  - create
- apiGroups:
  - apps
  resources:
  - daemonsets
  - deployments
  - statefulsets
  verbs:
  - get
  - list
  - update
  - watch
- apiGroups:
  - authentication.k8s.io
  resources:
  - tokenreviews
  verbs:
  - create
- apiGroups:
  - secrets.infisical.com
  resources:
  - clustergenerators
  - infisicaldynamicsecrets
  - infisicalpushsecrets
  - infisicalsecrets
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - secrets.infisical.com
  resources:
  - infisicaldynamicsecrets/finalizers
  - infisicalpushsecrets/finalizers
  - infisicalsecrets/finalizers
  verbs:
  - update
- apiGroups:
  - secrets.infisical.com
  resources:
  - infisicaldynamicsecrets/status
  - infisicalpushsecrets/status
  - infisicalsecrets/status
  verbs:
  - get
  - patch
  - update
---
apiVersion: rbac.authorization.k8s.io/v1
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
kind: RoleBinding
{{- else }}
kind: ClusterRoleBinding
{{- end }}
metadata:
  name: {{ include "secrets-operator.fullname" . }}-manager-rolebinding
  {{- if and .Values.scopedNamespace .Values.scopedRBAC }}
  namespace: {{ .Values.scopedNamespace | quote }}
  {{- end }}
  labels:

  {{- include "secrets-operator.labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  {{- if and .Values.scopedNamespace .Values.scopedRBAC }}
  kind: Role
  {{- else }}
  kind: ClusterRole
  {{- end }}
  name: '{{ include "secrets-operator.fullname" . }}-manager-role'
subjects:
- kind: ServiceAccount
  name: '{{ include "secrets-operator.fullname" . }}-controller-manager'
  namespace: '{{ .Release.Namespace }}'