apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: argo-events-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: argo-events-role
subjects:
  - kind: ServiceAccount
    name: {{ .Values.serviceAccount }}
    namespace: {{ .Release.Namespace }}
  {{- if .Values.additionalSaNamespaces }}
  {{ $sa := .Values.serviceAccount }}
  {{- range $namespace := .Values.additionalSaNamespaces }}
  - kind: ServiceAccount
    name: {{ $sa }}
    namespace: {{ $namespace }}
  {{- end }}
  {{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: argo-events-role
rules:
{{- if .Values.additionalServiceAccountRules }}
{{ .Values.additionalServiceAccountRules | toYaml | nindent 2}}
{{- end }}
  - apiGroups:
      - argoproj.io
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
    resources:
      - workflows
      - workflows/finalizers
      - workflowtemplates
      - workflowtemplates/finalizers
      - gateways
      - gateways/finalizers
      - sensors
      - sensors/finalizers
      - eventsources
      - eventsources/finalizers
  - apiGroups:
      - ""
    resources:
      - pods
      - pods/exec
      - configmaps
      - secrets
      - services
      - events
      - persistentvolumeclaims
    verbs:
      - create
      - get
      - list
      - watch
      - update
      - patch
      - delete
  - apiGroups:
      - "batch"
    resources:
      - jobs
    verbs:
      - create
      - get
      - list
      - watch
      - update
      - patch
      - delete
  - apiGroups:
      - "apps"
    resources:
      - deployments
    verbs:
      - create
      - get
      - list
      - watch
      - update
      - patch
      - delete