{{- if and (not .Values.createClusterScopedResources) (.Values.config.metrics.secureMode.enabled) -}}
{{ fail "createClusterScopedResources is required to set config.metrics.secureMode.enabled to true" }}
{{- end }}
{{- if .Values.createClusterScopedResources -}}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "eck-operator.fullname" . }}
  labels:
    {{- include "eck-operator.labels" . | nindent 4 }}
rules:
{{ template "eck-operator.rbacRules" . | toYaml | indent 2 }}
{{ template "eck-operator.clusterWideRbacRules" . | toYaml | indent 2 }}
{{ if .Values.config.exposedNodeLabels }}
{{ template "eck-operator.readNodeLabelsRbacRule" . | toYaml | indent 2 }}
{{ end -}}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: "{{ include "eck-operator.name" . }}-view"
  labels:
    rbac.authorization.k8s.io/aggregate-to-view: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    {{- include "eck-operator.labels" . | nindent 4 }}
rules:
  - apiGroups: ["elasticsearch.k8s.elastic.co"]
    resources: ["elasticsearches"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["autoscaling.k8s.elastic.co"]
    resources: ["elasticsearchautoscalers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apm.k8s.elastic.co"]
    resources: ["apmservers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["kibana.k8s.elastic.co"]
    resources: ["kibanas"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["enterprisesearch.k8s.elastic.co"]
    resources: ["enterprisesearches"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["beat.k8s.elastic.co"]
    resources: ["beats"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["agent.k8s.elastic.co"]
    resources: ["agents"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["maps.k8s.elastic.co"]
    resources: ["elasticmapsservers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["stackconfigpolicy.k8s.elastic.co"]
    resources: ["stackconfigpolicies"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["logstash.k8s.elastic.co"]
    resources: ["logstashes"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: "{{ include "eck-operator.name" . }}-edit"
  labels:
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    {{- include "eck-operator.labels" . | nindent 4 }}
rules:
  - apiGroups: ["elasticsearch.k8s.elastic.co"]
    resources: ["elasticsearches"]
    verbs: ["create", "delete", "deletecollection", "patch", "update"]
  - apiGroups: ["autoscaling.k8s.elastic.co"]
    resources: ["elasticsearchautoscalers"]
    verbs: ["create", "delete", "deletecollection", "patch", "update"]
  - apiGroups: ["apm.k8s.elastic.co"]
    resources: ["apmservers"]
    verbs: ["create", "delete", "deletecollection", "patch", "update"]
  - apiGroups: ["kibana.k8s.elastic.co"]
    resources: ["kibanas"]
    verbs: ["create", "delete", "deletecollection", "patch", "update"]
  - apiGroups: ["enterprisesearch.k8s.elastic.co"]
    resources: ["enterprisesearches"]
    verbs: ["create", "delete", "deletecollection", "patch", "update"]
  - apiGroups: ["beat.k8s.elastic.co"]
    resources: ["beats"]
    verbs: ["create", "delete", "deletecollection", "patch", "update"]
  - apiGroups: ["agent.k8s.elastic.co"]
    resources: ["agents"]
    verbs: ["create", "delete", "deletecollection", "patch", "update"]
  - apiGroups: ["maps.k8s.elastic.co"]
    resources: ["elasticmapsservers"]
    verbs: ["create", "delete", "deletecollection", "patch", "update"]
  - apiGroups: ["stackconfigpolicy.k8s.elastic.co"]
    resources: ["stackconfigpolicies"]
    verbs: ["create", "delete", "deletecollection", "patch", "update"]
  - apiGroups: ["logstash.k8s.elastic.co"]
    resources: ["logstashes"]
    verbs: ["create", "delete", "deletecollection", "patch", "update"]
{{- if .Values.config.metrics.secureMode.enabled }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    {{- include "eck-operator.labels" . | nindent 4 }}
  name: "{{ include "eck-operator.fullname" . }}-metrics-auth-role"
rules:
- apiGroups:
  - authentication.k8s.io
  resources:
  - tokenreviews
  verbs:
  - create
- apiGroups:
  - authorization.k8s.io
  resources:
  - subjectaccessreviews
  verbs:
  - create
{{- end }}
{{- end -}}