---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ .Release.Name }}-init
  namespace: {{ .Release.Namespace }}
  annotations:
    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade,post-delete
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
    "helm.sh/hook-weight": "-100"
{{- if or .Values.serviceAccount.repoCredentials .Values.imagePullSecrets }}
imagePullSecrets:
{{- with .Values.serviceAccount.repoCredentials }}
{{- range . }}
- name: {{ . }}
{{- end }}
{{- end }}
{{- with .Values.imagePullSecrets }}
{{ . | toYaml }}
{{- end }}
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade,post-delete
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
    "helm.sh/hook-weight": "-100"
  name: {{ .Release.Name }}-init
{{- with .Values.clusterOwnerRefereces }}
  ownerReferences:
    {{- toYaml . | nindent 4 }}
{{- end }}
rules:
- apiGroups: ["apiextensions.k8s.io"]
  resources:
  - customresourcedefinitions
  verbs:
  - create
- apiGroups: ["apiextensions.k8s.io"]
  resources:
  - customresourcedefinitions
  resourceNames:
  - sgconfigs.stackgres.io
  verbs:
  - get
  - update
{{- if eq "true" (include "unmodificableWebapiAdminClusterRoleBinding" .) }}
- apiGroups: ["rbac.authorization.k8s.io"]
  resources:
  - clusterrolebindings
  resourceNames:
  - stackgres-restapi-admin
  verbs:
  - get
  - delete
{{- end }}
{{- if .Values.allowedNamespaces }}
{{- $allowedNamespaces := regexSplit " " (include "allowedNamespaces" .) -1 }}
- apiGroups: [""]
  resources: ["namespaces"]
  verbs:
  - patch
  - get
  resourceNames:
  {{- with $allowedNamespaces }}
  {{ toYaml . | nindent 2 }}
  {{- end }}
{{- end }}
{{- if or .Values.disableClusterRole .Values.disableCrdsAndWebhooksUpdate }}
- apiGroups: ["apiextensions.k8s.io"]
  resources:
  - customresourcedefinitions
  resourceNames:
  - sgconfigs.stackgres.io
  - sgclusters.stackgres.io
  - sginstanceprofiles.stackgres.io
  - sgpgconfigs.stackgres.io
  - sgpoolconfigs.stackgres.io
  - sgbackups.stackgres.io
  - sgbackupconfigs.stackgres.io
  - sgobjectstorages.stackgres.io
  - sgdbops.stackgres.io
  - sgdistributedlogs.stackgres.io
  - sgshardedclusters.stackgres.io
  - sgshardedbackups.stackgres.io
  - sgshardeddbops.stackgres.io
  - sgscripts.stackgres.io
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - stackgres.io
  resources:
  - sgclusters
  - sgpgconfigs
  - sginstanceprofiles
  - sgpoolconfigs
  - sgbackupconfigs
  - sgbackups
  - sgdistributedlogs
  - sgdbops
  - sgobjectstorages
  - sgscripts
  - sgshardedclusters
  - sgshardedbackups
  - sgshardeddbops
  - sgconfigs
  verbs:
  - get
  - list
  - update
  - patch
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - mutatingwebhookconfigurations
  - validatingwebhookconfigurations
  resourceNames:
  - {{ .Release.Name }}
  verbs:
  - get
  - patch
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ .Release.Name }}-init
  annotations:
    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade,post-delete
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
    "helm.sh/hook-weight": "-100"
{{- with .Values.clusterOwnerRefereces }}
  ownerReferences:
    {{- toYaml . | nindent 4 }}
{{- end }}
subjects:
- kind: ServiceAccount
  name: {{ .Release.Name }}-init
  namespace: {{ .Release.Namespace }}
roleRef:
  kind: ClusterRole
  name: {{ .Release.Name }}-init
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade,post-delete
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
    "helm.sh/hook-weight": "-100"
  name: {{ .Release.Name }}-init
  namespace: {{ .Release.Namespace }}
rules:
- apiGroups: ["stackgres.io"]
  resources:
  - sgconfigs
  verbs:
  - create
- apiGroups: ["stackgres.io"]
  resources:
  - sgconfigs
  resourceNames:
  - {{ .Release.Name }}
  verbs:
  - get
  - update
  - patch
  - delete
{{- if or .Values.disableClusterRole .Values.disableCrdsAndWebhooksUpdate }}
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - secrets
  resourceNames:
  - {{ default (.Values.cert).secretName (printf "%s-certs" .Release.Name) }}
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
- apiGroups:
  - stackgres.io
  resources:
  - sgconfigs/status
  resourceNames:
  - {{ .Release.Name }}
  verbs:
  - update
  - patch
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
{{- with .Values.clusterOwnerRefereces }}
  ownerReferences:
    {{- toYaml . | nindent 4 }}
{{- end }}
  name: {{ .Release.Name }}-init
  namespace: {{ .Release.Namespace }}
  annotations:
    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade,post-delete
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
    "helm.sh/hook-weight": "-100"
subjects:
- kind: ServiceAccount
  name: {{ .Release.Name }}-init
  namespace: {{ .Release.Namespace }}
roleRef:
  kind: Role
  name: {{ .Release.Name }}-init
  apiGroup: rbac.authorization.k8s.io