apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: argo-events-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: argo-events-role
subjects:
  - kind: ServiceAccount
    name: {{ .Values.serviceAccount }}
    namespace: {{ .Release.Namespace }}
  {{- if .Values.additionalSaNamespaces }}
  {{ $sa := .Values.serviceAccount }}
  {{- range $namespace := .Values.additionalSaNamespaces }}
  - kind: ServiceAccount
    name: {{ $sa }}
    namespace: {{ $namespace }}
  {{- end }}
  {{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: argo-events-role
rules:
  - apiGroups:
      - apiextensions.k8s.io
      - apiextensions.k8s.io/v1beta1
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
    resources:
      - customresourcedefinitions
  - apiGroups:
      - argoproj.io
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
    resources:
      - workflows
      - workflows/finalizers
      - workflowtemplates
      - workflowtemplates/finalizers
      - gateways
      - gateways/finalizers
      - sensors
      - sensors/finalizers
  - apiGroups:
      - ""
    resources:
      - pods
      - pods/exec
      - configmaps
      - secrets
      - services
      - events
      - persistentvolumeclaims
    verbs:
      - create
      - get
      - list
      - watch
      - update
      - patch
      - delete
  - apiGroups:
      - "batch"
    resources:
      - jobs
    verbs:
      - create
      - get
      - list
      - watch
      - update
      - patch
      - delete
  - apiGroups:
      - "apps/v1"
      - "apps/v1beta2"
      - "apps/v1beta1"
    resources:
      - deployments
    verbs:
      - create
      - get
      - list
      - watch
      - update
      - patch
      - delete