apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ .Release.Name }}-{{ .Values.controller.name}}-cluster-role
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - pods/exec
  verbs:
  - create
  - get
  - list
  - watch
  - update
  - patch
  - delete
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - watch
  - list
- apiGroups:
  - ""
  resources:
  - persistentvolumeclaims
  verbs:
  - create
  - delete
- apiGroups:
  - argoproj.io
  resources:
  - workflows
  - workflows/finalizers
  verbs:
  - get
  - list
  - watch
  - update
  - patch
  - delete
  - create
- apiGroups:
  - argoproj.io
  resources:
  - workflowtemplates
  - workflowtemplates/finalizers
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - argoproj.io
  resources:
  - cronworkflows
  - cronworkflows/finalizers
  verbs:
  - get
  - list
  - watch
  - update
  - patch
  - delete
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - get
  - list
{{- if .Values.controller.persistence }}
- apiGroups:
  - ""
  resources:
  - secrets
  resourceNames:
  {{- if .Values.controller.persistence.postgresql }}
  - {{ .Values.controller.persistence.postgresql.userNameSecret.name }}
  - {{ .Values.controller.persistence.postgresql.passwordSecret.name }}
  {{- end}}
  {{- if .Values.controller.persistence.mysql }}
  - {{ .Values.controller.persistence.mysql.userNameSecret.name }}
  - {{ .Values.controller.persistence.mysql.passwordSecret.name }}
  {{- end}}
  verbs:
  - get
{{- end}}