---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  namespace: {{ .Values.pipelineRunNamespace }}
  name: secret-manager
  labels:
    {{- include "tekton-pipelines.labels" . | nindent 4 }}
rules:
  - apiGroups: [""]
    resources: ["secrets", "configmaps"]
    verbs: ["*"]
  - apiGroups: 
      - helm.toolkit.fluxcd.io
      - source.toolkit.fluxcd.io
    resources: ["*"]
    verbs: ["*"]
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: secret-manager
  namespace: {{ .Values.pipelineRunNamespace }}
  labels:
    {{- include "tekton-pipelines.labels" . | nindent 4 }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: secret-manager
  namespace: {{ .Values.pipelineRunNamespace }}
  labels:
    {{- include "tekton-pipelines.labels" . | nindent 4 }}
subjects:
  - kind: ServiceAccount
    name: secret-manager
    namespace: {{ .Values.pipelineRunNamespace }}
roleRef:
  kind: ClusterRole
  name: secret-manager
  apiGroup: rbac.authorization.k8s.io