{{- /*
These are the cluster-wide rbac roles + bindings that will be used by users
who want to use telepresence once its components have been set
up in the cluster.
*/}}
{{- with .Values.clientRbac }}
{{- if (and .create (not (or .namespaces (include "traffic-manager.namespaced" $)))) }}
{{- $roleName := include "telepresence.clientRbacName" $ }}

---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name:  {{ $roleName }}
  labels:
    {{- include "telepresence.labels" $ | nindent 4 }}
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "list", "watch"]
{{- include "telepresence.clientRbacInterceptRules" $ }}

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ $roleName }}
  labels:
    {{- include "telepresence.labels" $ | nindent 4 }}
subjects:
{{ toYaml .subjects }}
roleRef:
  kind: ClusterRole
  name: {{ $roleName }}
  apiGroup: rbac.authorization.k8s.io

{{- end }}
{{- end }}