{{- if .Values.rbac.create -}}
# permissions to do leader election.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
    name: {{ include "aws-node-termination-handler.fullname" . }}
    namespace: {{ .Release.Namespace }}
    labels:
        {{- include "aws-node-termination-handler.labels" . | nindent 8 }}
    {{- with .Values.annotations }}
    annotations:
        {{- toYaml . | nindent 8 }}
    {{- end }}
rules:
    - apiGroups: [""]
      resources: ["configmaps"]
      verbs: ["create", "delete", "get", "list", "patch", "watch", "update"]

    - apiGroups: [""]
      resources: ["events"]
      verbs: ["get", "list", "watch"]

    - apiGroups: [""]
      resources: ["namespaces"]
      verbs: ["get", "list", "watch"]

    - apiGroups: [""]
      resources: ["secrets"]
      verbs: ["get", "list", "watch"]

    - apiGroups: [""]
      resources: ["secrets"]
      resourceNames: ["{{ include "aws-node-termination-handler.fullname" . }}-cert"]
      verbs: ["get", "list", "watch", "update"]

    - apiGroups: ["coordination.k8s.io"]
      resources: ["leases"]
      verbs: ["create", "get", "patch", "update", "watch"]

{{- end }}