{{- if .Values.singleNamespace }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: argo-events-binding
  namespace: {{ .Release.Namespace }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argo-events-role
subjects:
  - kind: ServiceAccount
    name: {{ .Values.serviceAccount }}
    namespace: {{ .Release.Namespace }}
  {{- if .Values.additionalSaNamespaces }}
  {{ $sa := .Values.serviceAccount }}
  {{- range $namespace := .Values.additionalSaNamespaces }}
  - kind: ServiceAccount
    name: {{ $sa }}
    namespace: {{ $namespace }}
  {{- end }}
  {{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: argo-events-role
  namespace: {{ .Release.Namespace }}
rules:
  {{- with .Values.additionalServiceAccountRules }}
    {{- toYaml . | nindent 2 }}
  {{- end }}
  - apiGroups:
      - argoproj.io
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
    resources:
      - workflows
      - workflows/finalizers
      - workflowtemplates
      - workflowtemplates/finalizers
      - sensors
      - sensors/finalizers
      - sensors/status
      - eventsources
      - eventsources/finalizers
      - eventsources/status
      - eventbus
      - eventbus/finalizers
      - eventbus/status
  - apiGroups:
      - ""
    resources:
      - pods
      - pods/exec
      - configmaps
      - secrets
      - services
      - events
      - persistentvolumeclaims
    verbs:
      - create
      - get
      - list
      - watch
      - update
      - patch
      - delete
  - apiGroups:
      - "batch"
    resources:
      - jobs
    verbs:
      - create
      - get
      - list
      - watch
      - update
      - patch
      - delete
  - apiGroups:
      - "apps"
    resources:
      - deployments
      - statefulsets
    verbs:
      - create
      - get
      - list
      - watch
      - update
      - patch
      - delete

{{- end }}