{{- if and .Values.clusterInstall .Values.controller.createClusterRole }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "argo-rollouts.fullname" . }}
  labels:
    app.kubernetes.io/component: {{ .Values.controller.component }}
    {{- include "argo-rollouts.labels" . | nindent 4 }}
rules:
- apiGroups:
  - argoproj.io
  resources:
  - rollouts
  - rollouts/status
  - rollouts/finalizers
  verbs:
  - get
  - list
  - watch
  - update
  - patch
- apiGroups:
  - argoproj.io
  resources:
  - analysisruns
  - analysisruns/finalizers
  - experiments
  - experiments/finalizers
  verbs:
  - create
  - get
  - list
  - watch
  - update
  - patch
  - delete
- apiGroups:
  - argoproj.io
  resources:
  - analysistemplates
  - clusteranalysistemplates
  verbs:
  - get
  - list
  - watch
# replicaset access needed for managing ReplicaSets
- apiGroups:
  - apps
  resources:
  - replicasets
  verbs:
  - create
  - get
  - list
  - watch
  - update
  - patch
  - delete
# deployments and podtemplates read access needed for workload reference support
- apiGroups:
  - ""
  - apps
  resources:
  - deployments
  - podtemplates
  verbs:
  - get
  - list
  - watch
# services patch needed to update selector of canary/stable/active/preview services
# services create needed to create and delete services for experiments
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list
  - watch
  - patch
  - create
  - delete
# leases create/get/update needed for leader election
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - create
  - get
  - update
# secret access to run analysis templates which reference secrets, allow init containers to manipulate secrets
- apiGroups:
  - ""
  resources:
  - secrets
  - configmaps
  verbs:
  - get
  - list
  - watch
  - create
  - patch
  - update
# pod list/update needed for updating ephemeral data
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - list
  - update
# pods eviction needed for restart
- apiGroups:
  - ""
  resources:
  - pods/eviction
  verbs:
  - create
# event write needed for emitting events
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - update
  - patch
# ingress patch needed for managing ingress annotations, create needed for nginx canary
- apiGroups:
  - networking.k8s.io
  - extensions
  resources:
  - ingresses
  verbs:
  - create
  - get
  - list
  - watch
  - patch
# job access needed for analysis template job metrics
- apiGroups:
  - batch
  resources:
  - jobs
  verbs:
  - create
  - get
  - list
  - watch
  - update
  - patch
  - delete
# virtualservice/destinationrule access needed for using the Istio provider
- apiGroups:
  - networking.istio.io
  resources:
  - virtualservices
  - destinationrules
  verbs:
  - watch
  - get
  - update
  - patch
  - list
# trafficsplit access needed for using the SMI provider
- apiGroups:
  - split.smi-spec.io
  resources:
  - trafficsplits
  verbs:
  - create
  - watch
  - get
  - update
  - patch
# ambassador access needed for Ambassador provider
- apiGroups:
  - getambassador.io
  - x.getambassador.io
  resources:
  - mappings
  - ambassadormappings
  verbs:
  - create
  - watch
  - get
  - update
  - list
  - delete
# Endpoints and TargetGroupBindings needed for ALB target group verification
- apiGroups:
  - ""
  resources:
  - endpoints
  verbs:
  - get
- apiGroups:
  - elbv2.k8s.aws
  resources:
  - targetgroupbindings
  verbs:
  - list
  - get
# AppMesh virtualservices/virtualrouter CRD read-only access needed for using the App Mesh provider
- apiGroups:
  - appmesh.k8s.aws
  resources:
  - virtualservices
  verbs:
  - watch
  - get
  - list
# AppMesh virtualnode CRD r/w access needed for using the App Mesh provider
- apiGroups:
  - appmesh.k8s.aws
  resources:
  - virtualnodes
  - virtualrouters
  verbs:
  - watch
  - get
  - list
  - update
  - patch
{{- end }}