{{- $saName := print (include "neo4j.fullname" .) "-sa" -}}
{{- if .Values.serviceAccount.create -}}
---
apiVersion: v1
kind: ServiceAccount
metadata:
    {{- if .Values.serviceAccount.annotations }}
    annotations:
      {{-  range $key, $value := .Values.serviceAccount.annotations }}
      {{ $key }}: "{{ $value }}"
      {{- end }}
    {{- end }}
    name: {{ default $saName .Values.serviceAccount.name  }}
    {{ printf "\n" }}
{{- end }}
{{- if .Values.rbac.create -}}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
    name: {{ template "neo4j.fullname" . }}-service-reader
rules:
    - apiGroups: [""] # "" indicates the core API group
      resources: ["services"]
      verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
    name: {{ template "neo4j.fullname" . }}-sa-to-service-reader-binding
subjects:
    - kind: ServiceAccount
      name: {{ default $saName .Values.serviceAccount.name  }}
roleRef:
    # "roleRef" specifies the binding to a Role / ClusterRole
    kind: Role # this must be Role or ClusterRole
    name: {{ template "neo4j.fullname" . }}-service-reader # this must match the name of the Role or ClusterRole you wish to bind to
    apiGroup: rbac.authorization.k8s.io
{{- end}}