{{ if .Values.rbac.create }}
# This role is used to allow pv-resizer to get namespaces and patch PVCs
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ .Release.Name }}-role
  labels:
    {{- include "pv-resizer.labels" . | nindent 4 }}
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get"]
- apiGroups: [""]
  resources: 
    - deployments
    - statefulsets
    - persistentvolumeclaims
  verbs: ["get", "list", "patch", "update"]


# We bind the role to the pv-resizer ServiceAccount
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ .Release.Name }}-binding
  labels:
    {{- include "pv-resizer.labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ .Release.Name }}-role
subjects:
- kind: ServiceAccount
  name: {{ include "pv-resizer.serviceAccountName" . }}
  namespace: {{ .Release.Namespace }}
{{ end }}