{{- if not .Values.clusterInstall }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ include "argo-rollouts.fullname" . }}
  labels:
    app.kubernetes.io/component: {{ .Values.controller.component }}
    {{- include "argo-rollouts.labels" . | nindent 4 }}
rules:
- apiGroups:
  - argoproj.io
  resources:
  - rollouts
  - rollouts/status
  - rollouts/finalizers
  verbs:
  - get
  - list
  - watch
  - update
  - patch
- apiGroups:
  - argoproj.io
  resources:
  - analysisruns
  - analysisruns/finalizers
  - experiments
  - experiments/finalizers
  verbs:
  - create
  - get
  - list
  - watch
  - update
  - patch
  - delete
- apiGroups:
  - argoproj.io
  resources:
  - analysistemplates
  - clusteranalysistemplates
  verbs:
  - get
  - list
  - watch
# replicaset access needed for managing ReplicaSets
- apiGroups:
  - apps
  resources:
  - replicasets
  verbs:
  - create
  - get
  - list
  - watch
  - update
  - patch
  - delete
# services patch needed to update selector of canary/stable/active/preview services
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list
  - watch
  - patch
# secret read access to run analysis templates which reference secrets
# configmap access to read notification-engine configuration
- apiGroups:
  - ""
  resources:
  - secrets
  - configmaps
  verbs:
  - get
  - list
  - watch
# pod list/update needed for updating ephemeral data
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - list
  - update
# pods eviction needed for restart
- apiGroups:
  - ""
  resources:
  - pods/eviction
  verbs:
  - create
# event write needed for emitting events
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - update
  - patch
# ingress patch needed for managing ingress annotations, create needed for nginx canary
- apiGroups:
  - networking.k8s.io
  - extensions
  resources:
  - ingresses
  verbs:
  - create
  - get
  - list
  - watch
  - patch
# job access needed for analysis template job metrics
- apiGroups:
  - batch
  resources:
  - jobs
  verbs:
  - create
  - get
  - list
  - watch
  - update
  - patch
  - delete
# virtualservice access needed for using the Istio provider
- apiGroups:
  - networking.istio.io
  resources:
  - virtualservices
  verbs:
  - watch
  - get
  - update
  - list
# trafficsplit access needed for using the SMI provider
- apiGroups:
  - split.smi-spec.io
  resources:
  - trafficsplits
  verbs:
  - create
  - watch
  - get
  - update
  - patch
{{- end }}