{{ if .Values.rbac.create }}
# Cluster-wide, read-only access for mail-mta-autoconfig: get/list/watch on
# namespaces, pods and services in the core API group.
# No write verbs and no PersistentVolumeClaim access are granted by this role.
# NOTE(review): ClusterRole names are cluster-scoped and this one is derived
# from the release name only, so the same release name installed in two
# namespaces renders the same object name.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: "{{ .Release.Name }}-role"
  labels:
    {{- include "mail-mta-autoconfig.labels" . | nindent 4 }}
rules:
  # "" selects the core API group.
  - apiGroups:
      - ""
    resources:
      - namespaces
      - pods
      - services
    verbs:
      - get
      - list
      - watch

---
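# Binds the release's ClusterRole to the mail-mta-autoconfig ServiceAccount.
# Because this is a ClusterRoleBinding, the role's permissions apply in every
# namespace, not only the release namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: "{{ .Release.Name }}-binding"
  labels:
    {{- include "mail-mta-autoconfig.labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  # Must match metadata.name of the ClusterRole defined earlier in this file.
  name: "{{ .Release.Name }}-role"
subjects:
  - kind: ServiceAccount
    # Quoted so a name or namespace that looks like a number or boolean
    # (for example "123" or "no") still renders as a string.
    name: {{ include "mail-mta-autoconfig.serviceAccountName" . | quote }}
    namespace: {{ .Release.Namespace | quote }}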
{{ end }}