{{ if .Values.rbac.create }}
# This role is used to allow pv-resizer to get namespaces and patch PVCs
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ .Release.Name }}-role
  labels:
    {{- include "pv-resizer.labels" . | nindent 4 }}
rules:
- apiGroups: [""]
  resources: 
    - namespaces
    - pods
    - nodes
    - nodes/proxy
  verbs: ["get", "list"]
- apiGroups: [""]
  resources: ["persistentvolumeclaims"]
  verbs: ["get", "list", "patch", "update"]
- apiGroups: ["apps"]
  resources: 
    - deployments
    - deployments/scale
    - statefulsets
    - statefulsets/scale
  verbs: ["get", "list", "patch", "update"]

---
# We bind the role to the pv-resizer ServiceAccount
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ .Release.Name }}-binding
  labels:
    {{- include "pv-resizer.labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ .Release.Name }}-role
subjects:
- kind: ServiceAccount
  name: {{ include "pv-resizer.serviceAccountName" . }}
  namespace: {{ .Release.Namespace }}
{{ end }}