---
apiVersion: v1
kind: Namespace
metadata:
  name: applications

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: apprunner
  namespace: applications

#
# When Flux reconciles a HelmRelease to a remote cluster, the list of Helm releases are created in the flux-system.
# TO facilitate this, the 'apprunner' service account is granted full access to the 'flux-system' namespace in the workload cluster.
# The actual application workloads that makeup the chart are deployed into the namespace specified by the 'targetNamespace' field in the HelmRelease resource.
#
---
apiVersion: v1
kind: Namespace
metadata:
  name: flux-system

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: apprunner-rolebinding
  namespace: flux-system  
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: apprunner
  namespace: applications 

---
apiVersion: v1
kind: Namespace
metadata:
  name: golang

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: apprunner-rolebinding
  namespace: golang  
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: apprunner
  namespace: applications 

---
apiVersion: v1
kind: Namespace
metadata:
  name: monitoring

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: apprunner-rolebinding
  namespace: monitoring  
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: apprunner
  namespace: applications   

#
# When Prometheus server is deployed using the prometheus-community Helm chart it creates a ClusterRole that grants permission to [get,list,watch] resources in the core API group.
# Therefore, the 'apprunner' service account should be able to create ClusterRoles and ClusterRoleBindings that can grant these permissions to a Kubernetes subject.
# In order to facilitate this, the ClusterRole below is created and bound to the 'apprunner' service account
#
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: apprunner-role
rules:
- apiGroups: 
  - rbac.authorization.k8s.io
  resources:
  - clusterrolebindings
  verbs:
  - get
  - list
  - watch
  - create
- apiGroups: 
  - rbac.authorization.k8s.io
  resources:
  - clusterroles
  verbs:
  - get
  - list
  - watch
  - create  
  - bind
- apiGroups:
  - ""
  resources:
  - nodes
  - nodes/proxy
  - nodes/metrics
  - services
  - endpoints
  - pods
  - ingresses
  - configmaps
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  - networking.k8s.io
  resources:
  - ingresses/status
  - ingresses
  verbs:
  - get
  - list
  - watch
- nonResourceURLs:
  - /metrics
  verbs:
  - get
  
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: apprunner-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: apprunner-role
subjects:
- kind: ServiceAccount
  name: apprunner
  namespace: applications