{{- if and .Values.controller.rbac.create .Values.controller.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "goldilocks.fullname" . }}-controller
  labels:
    app.kubernetes.io/name: {{ include "goldilocks.name" . }}
    helm.sh/chart: {{ include "goldilocks.chart" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    app.kubernetes.io/component: controller
rules:
  - apiGroups:
      - 'apps'
    resources:
      - '*'
    verbs:
      - 'get'
      - 'list'
      - 'watch'
  - apiGroups:
      - 'batch'
    resources:
      - 'cronjobs'
      - 'jobs'
    verbs:
      - 'get'
      - 'list'
      - 'watch'
  - apiGroups:
      - ''
    resources:
      - 'namespaces'
      - 'pods'
    verbs:
      - 'get'
      - 'list'
      - 'watch'
  - apiGroups:
      - 'autoscaling.k8s.io'
    resources:
      - 'verticalpodautoscalers'
    verbs:
      - 'get'
      - 'list'
      - 'create'
      - 'delete'
      - 'update'
  {{- if .Values.controller.rbac.enableArgoproj }}
  - apiGroups:
      - 'argoproj.io'
    resources:
      - rollouts
    verbs:
      - 'get'
      - 'list'
      - 'watch'
  {{- end }}
  {{- if .Values.controller.rbac.extraRules -}}
  {{ toYaml .Values.controller.rbac.extraRules | nindent 2 }}
  {{- end }}
{{- end }}