{{- if and .Values.webhook.metrics.listen.auth.enabled .Values.webhook.create .Values.webhook.serviceAccount.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "external-secrets.fullname" . }}-webhook-metrics-auth
  labels:
    {{- include "external-secrets-webhook.labels" . | nindent 4 }}
rules:
  - apiGroups:
    - "authentication.k8s.io"
    resources:
    - "tokenreviews"
    verbs:
    - "create"
  - apiGroups:
    - "authorization.k8s.io"
    resources:
    - "subjectaccessreviews"
    verbs:
    - "create"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "external-secrets.fullname" . }}-webhook-metrics-auth
  labels:
    {{- include "external-secrets-webhook.labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "external-secrets.fullname" . }}-webhook-metrics-auth
subjects:
  - name: {{ include "external-secrets-webhook.serviceAccountName" . }}
    namespace: {{ template "external-secrets.namespace" . }}
    kind: ServiceAccount
{{- end }}