{{- if .Values.crds.install }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "crdInstall" . }}
  namespace: {{ .Release.Namespace | quote }}
  annotations:
    # create hook dependencies in the right order
    "helm.sh/hook-weight": "-3"
    {{- include "crdInstallAnnotations" . | nindent 4 }}
  labels:
    app.kubernetes.io/component: {{ include "crdInstall" . | quote }}
    {{- include "labels.selector" . | nindent 4 }}
    role: {{ include "crdInstallSelector" . | quote }}
rules:
- apiGroups:
  - ""
  resources:
  - jobs
  verbs:
  - create
  - delete
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - create
  - delete
  - get
  - patch
- apiGroups:
  - policy
  resources:
  - podsecuritypolicies
  resourceNames:
  - {{ include "crdInstall" . }}
  verbs:
  - use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "crdInstall" . }}
  namespace: {{ .Release.Namespace | quote }}
  annotations:
    # create hook dependencies in the right order
    "helm.sh/hook-weight": "-2"
    {{- include "crdInstallAnnotations" . | nindent 4 }}
  labels:
    app.kubernetes.io/component: {{ include "crdInstall" . | quote }}
    {{- include "labels.common" . | nindent 4 }}
    role: {{ include "crdInstallSelector" . | quote }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "crdInstall" . }}
subjects:
  - kind: ServiceAccount
    name: {{ include "crdInstall" . }}
    namespace: {{ .Release.Namespace | quote }}
{{- end }}