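{{- if and (hasKey .Values "tls") (hasKey .Values.tls "enabled") .Values.tls.enabled }}
# RBAC objects for TLS certificate sync. Rendered only when .Values.tls.enabled
# is present and true.

# Binds the "router" ServiceAccount in openshift-ingress to the built-in
# system:auth-delegator ClusterRole. That role permits delegated authentication
# and authorization checks (creating TokenReviews and SubjectAccessReviews);
# it does not grant any access to Secrets.
# NOTE(review): the earlier comment said this binding lets the router read
# secrets in openshift-ingress, which this role does not do. Confirm which
# permission the router actually needs and whether this binding is required.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ template "landing.name" . }}-router-tls
  labels:
    app: {{ template "landing.name" . }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
  - kind: ServiceAccount
    name: router
    namespace: openshift-ingress
---
# Permissions the chart's service account uses to copy certificate secrets
# into the openshift-ingress namespace.
# NOTE(review): this is a ClusterRole bound below with a ClusterRoleBinding, so
# every rule applies in ALL namespaces: the service account can read and
# overwrite any Secret in the cluster, not only those in the release namespace
# and openshift-ingress. If only those two namespaces are needed, a namespaced
# Role plus RoleBinding in each would limit the exposure. Left unchanged here
# because other templates may depend on these object names - confirm first.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ template "landing.name" . }}-cert-sync
  labels:
    app: {{ template "landing.name" . }}
rules:
  # "apply" was dropped from this list: it is not an RBAC verb and matched no
  # request. Server-side apply is authorized as "patch" (and "create" when the
  # object does not exist yet), both of which are still granted.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "create", "update", "patch"]
  # Read namespace objects; presumably used to check the release namespace
  # and openshift-ingress before copying - confirm against the sync job.
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get"]
  # Read and modify OpenShift Routes (also cluster-wide, see note above).
  - apiGroups: ["route.openshift.io"]
    resources: ["routes"]
    verbs: ["get", "list", "watch", "update", "patch"]
---
# Grants the cert-sync ClusterRole above to the chart's service account in the
# release namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ template "landing.name" . }}-cert-sync
  labels:
    app: {{ template "landing.name" . }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ template "landing.name" . }}-cert-sync
subjects:
  - kind: ServiceAccount
    # Quoted so that an all-digit or boolean-looking value stays a string
    # after rendering instead of being retyped by the YAML parser.
    name: {{ .Values.serviceAccount.name | quote }}
    namespace: {{ .Release.Namespace | quote }}
{{- end }}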