{{- if .Values.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ .Values.serviceAccount.name }}
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/component: vaultwarden
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ include "vaultwarden.fullname" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/component: vaultwarden
rules:
  - apiGroups: ["extensions", "apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["create","delete","get","list","patch","update","watch"]
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create","delete","get","list","patch","update","watch"]
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get","list","watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ include "vaultwarden.fullname" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/component: vaultwarden
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ include "vaultwarden.fullname" . }}
subjects:
- kind: ServiceAccount
  name: {{ .Values.serviceAccount.name }}
{{- end }}