apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${EKSA_ADOT_SERVICE_ACCOUNT}
  namespace: ${EKSA_ADOT_NAMESPACE}
  annotations:
    eks.amazonaws.com/role-arn: ${IRSA_ROLEARN}
    eks.amazonaws.com/audience: "sts.amazonaws.com"
    eks.amazonaws.com/sts-regional-endpoints: "true"
    eks.amazonaws.com/token-expiration: "86400"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ${EKSA_ADOT_SERVICE_ACCOUNT}-cluster-role
rules:
  - apiGroups:
      - ""
    resources:
      - nodes
      - nodes/proxy
      - services
      - endpoints
      - pods
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - nonResourceURLs:
      - /metrics
    verbs:
      - get

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${EKSA_ADOT_SERVICE_ACCOUNT}-cluster-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ${EKSA_ADOT_SERVICE_ACCOUNT}-cluster-role
subjects:
  - kind: ServiceAccount
    name: ${EKSA_ADOT_SERVICE_ACCOUNT}
    namespace: ${EKSA_ADOT_NAMESPACE}