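{{- if .Values.serviceAccount.create -}}
# WARNING: This ClusterRole grants broad read + exec access across the cluster.
# It is intentionally permissive for lab/troubleshooting use.
# Review and restrict these permissions before using in a production environment.
#
# Rendered only when the chart creates its own ServiceAccount
# (.Values.serviceAccount.create); the binding that attaches this role lives in
# another template.
#
# Risk summary for operators (each rule is grouped so it can be removed on its own):
#   - `create` on pods/exec, pods/attach and pods/portforward is cluster-wide
#     when this role is bound through a ClusterRoleBinding: the ttyd user can
#     run commands inside any pod in any namespace, system namespaces included.
#   - `get`/`list`/`watch` on secrets exposes every Secret the binding reaches.
#     That grant is kept in its own rule below so it can be deleted without
#     editing the shared read-only list.
#   - `delete`/`patch`/`update` on pods, services and configmaps, plus
#     `patch`/`delete` on apps and batch workloads, allow changes to running
#     workloads and their configuration, not just inspection.
# To limit blast radius, prefer a namespaced Role + RoleBinding per team
# namespace, or drop the exec and secret rules entirely.
#
# Future auth integration note:
# When oauth2-proxy is added in front of ttyd, consider scoping this role
# further to match the actual user's identity or group permissions.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "ttyd.fullname" . }}
  labels:
    {{- include "ttyd.labels" . | nindent 4 }}
rules:
  # Core workload resources — read-only, for kubectl troubleshooting
  - apiGroups: [""]
    resources:
      - pods
      - pods/log
      - services
      - endpoints
      - configmaps
      - events
      - namespaces
      - nodes
      - persistentvolumeclaims
      - persistentvolumes
      - replicationcontrollers
      - serviceaccounts
    verbs: ["get", "list", "watch"]

  # Secret read access, isolated in its own rule so it is easy to audit and to
  # remove. WARNING: tighten or delete this rule in production.
  - apiGroups: [""]
    resources:
      - secrets
    verbs: ["get", "list", "watch"]

  # Pod exec, attach, port-forward and log streaming
  # (needed for `kubectl exec`, `kubectl attach`, `kubectl port-forward`).
  # `create` here is what authorizes running commands inside pods; this is the
  # single most powerful grant in the role.
  - apiGroups: [""]
    resources:
      - pods/exec
      - pods/attach
      - pods/portforward
    verbs: ["create"]

  # Pod, service and configmap management (basic write ops for lab use)
  - apiGroups: [""]
    resources:
      - pods
      - services
      - configmaps
    verbs: ["delete", "patch", "update"]

  # Apps resources — read plus patch/delete (e.g. restarting or scaling)
  - apiGroups: ["apps"]
    resources:
      - deployments
      - replicasets
      - statefulsets
      - daemonsets
    verbs: ["get", "list", "watch", "patch", "delete"]

  # Batch resources — read plus delete
  - apiGroups: ["batch"]
    resources:
      - jobs
      - cronjobs
    verbs: ["get", "list", "watch", "delete"]

  # Networking resources (read-only)
  - apiGroups: ["networking.k8s.io"]
    resources:
      - ingresses
      - ingressclasses
    verbs: ["get", "list", "watch"]

  # RBAC resources (read-only, for inspection purposes)
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources:
      - roles
      - rolebindings
      - clusterroles
      - clusterrolebindings
    verbs: ["get", "list", "watch"]

  # Storage classes (read-only)
  - apiGroups: ["storage.k8s.io"]
    resources:
      - storageclasses
    verbs: ["get", "list", "watch"]

  # Metrics (optional, useful for `kubectl top`; harmless if metrics-server is absent)
  - apiGroups: ["metrics.k8s.io"]
    resources:
      - pods
      - nodes
    verbs: ["get", "list", "watch"]
{{- end }}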