apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ template "operator.serviceAccountName" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    app: {{ template "operator.fullname" . }}
  annotations:
    argocd.argoproj.io/sync-options: Prune=false
    helm.sh/resource-policy: keep
imagePullSecrets:
- name: container-mom-registry
---
{{- if not (contains "test" .Release.Namespace) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ template "operator.serviceAccountName" . }}
  labels:
    app: {{ template "operator.fullname" . }}
rules:
- apiGroups: ["container.mom"]
  resources: ["containermomdeployments"]
  verbs: ["*"]
- apiGroups: ["container.mom"]
  resources: ["templates"]
  verbs: ["*"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["*"]
- apiGroups: [""]
  resources: ["services", "secrets", "configmaps"]
  verbs: ["*"]
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["*"]
- apiGroups: [""]
  resources: ["resourcequotas", "limitranges"]
  verbs: ["*"]
- apiGroups: ["networking.k8s.io"]
  resources: ["ingresses"]
  verbs: ["*"]
- apiGroups: ["route.openshift.io"]
  resources: ["routes"]
  verbs: ["*"]
- apiGroups: ["route.openshift.io"]
  resources: ["routes/custom-host"]
  verbs: ["*"]
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["roles", "rolebindings"]
  verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ template "operator.serviceAccountName" . }}
  labels:
    app: {{ template "operator.fullname" . }}
subjects:
- kind: ServiceAccount
  name: {{ template "operator.serviceAccountName" . }}
  namespace: {{ .Release.Namespace }}
roleRef:
  kind: ClusterRole
  name: {{ template "operator.serviceAccountName" . }}
  apiGroup: rbac.authorization.k8s.io
{{- end }}