{{ if .Values.rbac.create }}
{{- $serviceName := include "jenkins.fullname" . -}}

# This role is used to allow Jenkins scheduling of agents via Kubernetes plugin.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ $serviceName }}-schedule-agents
  namespace: {{ template "jenkins.agent.namespace" . }}
  labels:
    {{- include "jenkins.labels" . | nindent 4 }}
rules:
- apiGroups: [""]
  resources: ["pods", "pods/exec", "pods/log", "persistentvolumeclaims", "events"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["pods", "pods/exec", "persistentvolumeclaims"]
  verbs: ["create", "delete", "deletecollection", "patch", "update"]

---

# We bind the role to the Jenkins service account. The role binding is created in the namespace
# where the agents are supposed to run.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ $serviceName }}-schedule-agents
  namespace: {{ template "jenkins.agent.namespace" . }}
  labels:
    {{- include "jenkins.labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ $serviceName }}-schedule-agents
subjects:
- kind: ServiceAccount
  name: {{ template "jenkins.serviceAccountName" .}}
  namespace: {{ template "jenkins.namespace" . }}

---

{{- if .Values.rbac.readSecrets }}
# This is needed if you want to use https://jenkinsci.github.io/kubernetes-credentials-provider-plugin/
# as it needs permissions to get/watch/list Secrets
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ template "jenkins.fullname" . }}-read-secrets
  namespace: {{ template "jenkins.namespace" . }}
  labels:
    {{- include "jenkins.labels" . | nindent 4 }}
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "watch", "list"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ $serviceName }}-read-secrets
  namespace: {{ template "jenkins.namespace" . }}
  labels:
    {{- include "jenkins.labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ template "jenkins.fullname" . }}-read-secrets
subjects:
  - kind: ServiceAccount
    name: {{ template "jenkins.serviceAccountName" . }}
    namespace: {{ template "jenkins.namespace" . }}

---
{{- end}}

{{- if .Values.rbac.useOpenShiftNonRootSCC }}
# This is needed if you are running on OpenShift and using the default
# containerSecurityContext in the chart. It grants the Jenkins service account
# permission to use the "nonroot" and "nonroot-v2" SecurityContextConstraints.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ $serviceName }}-use-nonroot-scc
  namespace: {{ template "jenkins.namespace" . }}
  labels:
    {{- include "jenkins.labels" . | nindent 4 }}
rules:
  - apiGroups: ["security.openshift.io"]
    resources: ["securitycontextconstraints"]
    resourceNames: ["nonroot", "nonroot-v2"]
    verbs: ["use"]
---

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ $serviceName }}-use-nonroot-scc
  namespace: {{ template "jenkins.namespace" . }}
  labels:
    {{- include "jenkins.labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ template "jenkins.fullname" . }}-use-nonroot-scc
subjects:
  - kind: ServiceAccount
    name: {{ template "jenkins.serviceAccountName" . }}
    namespace: {{ template "jenkins.namespace" . }}

---
{{- end}}

{{- if .Values.controller.sidecars.configAutoReload.enabled }}
# The sidecar container which is responsible for reloading configuration changes
# needs permissions to watch ConfigMaps
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ template "jenkins.fullname" . }}-casc-reload
  namespace: {{ template "jenkins.namespace" . }}
  labels:
    {{- include "jenkins.labels" . | nindent 4 }}
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get", "watch", "list"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ $serviceName }}-watch-configmaps
  namespace: {{ template "jenkins.namespace" . }}
  labels:
    {{- include "jenkins.labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ template "jenkins.fullname" . }}-casc-reload
subjects:
- kind: ServiceAccount
  name: {{ template "jenkins.serviceAccountName" . }}
  namespace: {{ template "jenkins.namespace" . }}

{{- end}}

{{ end }}