################################################################################
#   Copyright (c) 2019-2020 AT&T Intellectual Property.                        #
#                                                                              #
#   Licensed under the Apache License, Version 2.0 (the "License");            #
#   you may not use this file except in compliance with the License.           #
#   You may obtain a copy of the License at                                    #
#                                                                              #
#       http://www.apache.org/licenses/LICENSE-2.0                             #
#                                                                              #
#   Unless required by applicable law or agreed to in writing, software        #
#   distributed under the License is distributed on an "AS IS" BASIS,          #
#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   #
#   See the License for the specific language governing permissions and        #
#   limitations under the License.                                             #
################################################################################

{{- $tillerKey := .Values.appmgr.tillerkey | default "ricxapp" }}
{{- $topCtx :=  . }}
{{- $ctx := dict "ctx" $topCtx "key" $tillerKey }}
{{- $certName := include "common.tillerHelmClientTLSSecret" $ctx }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ include "common.serviceaccountname.appmgr" . }}
  namespace: {{ include "common.namespace.platform" . }}
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: {{ include "common.serviceaccountname.appmgr" . }}-{{ include "common.tillerNameSpace" $ctx }}-access
  namespace: {{ include "common.tillerDeployNameSpace" $ctx }}
rules:
- apiGroups: [""]
  resources: ["pods/portforward"]
  verbs: ["create"]
- apiGroups: [""]
  resources: ["pods", "configmaps", "deployments", "services"]
  verbs: ["get", "list", "create", "delete"]
{{- if or (eq (include "common.tillerTLSVerify" $ctx) "true" )  (eq (include "common.tillerTLSAuthenticate" $ctx) "true") }}
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: [ {{ include "common.tillerHelmClientTLSSecret" $ctx | quote }} ]
  verbs: ["get"]
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: {{ include "common.serviceaccountname.appmgr" . }}-{{ include "common.tillerNameSpace" $ctx }}-access
  namespace: {{ include "common.tillerDeployNameSpace" $ctx }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ include "common.serviceaccountname.appmgr" . }}-{{ include "common.tillerNameSpace" $ctx }}-access
subjects:
  - kind: ServiceAccount
    name: {{ include "common.serviceaccountname.appmgr" . }}
    namespace: {{ include "common.namespace.platform" . }}
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: {{ include "common.serviceaccountname.appmgr" . }}-{{ include "common.tillerNameSpace" $ctx }}-getappconfig
  namespace: {{ include "common.tillerNameSpace" $ctx }}
rules:
- apiGroups: [""]
  resources: ["configmaps", "endpoints"]
  verbs: ["get", "list", "create", "update", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: {{ include "common.serviceaccountname.appmgr" . }}-{{ include "common.namespace.xapp" . }}-getappconfig
  namespace: {{ include "common.tillerNameSpace" $ctx }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ include "common.serviceaccountname.appmgr" . }}-{{ include "common.tillerNameSpace" $ctx }}-getappconfig
subjects:
  - kind: ServiceAccount
    name: {{ include "common.serviceaccountname.appmgr" . }}
    namespace: {{ include "common.namespace.platform" . }}