---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: '{{ ansible_operator_meta.name }}'
  namespace: '{{ ansible_operator_meta.namespace }}'
  labels:
    {{ lookup("template", "../common/templates/labels/common.yaml.j2") | indent(width=4) | trim }}
{% if service_account_annotations %}
  annotations:
    {{ service_account_annotations | indent(width=4) }}
{% endif %}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: '{{ ansible_operator_meta.name }}'
  namespace: '{{ ansible_operator_meta.namespace }}'
  labels:
    {{ lookup("template", "../common/templates/labels/common.yaml.j2") | indent(width=4) | trim }}
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
  resources: ["pods/log"]
  verbs: ["get"]
- apiGroups: [""]
  resources: ["pods/attach"]
  verbs: ["create"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "create", "delete"]

---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: '{{ ansible_operator_meta.name }}'
  namespace: '{{ ansible_operator_meta.namespace }}'
  labels:
    {{ lookup("template", "../common/templates/labels/common.yaml.j2") | indent(width=4) | trim }}
subjects:
- kind: ServiceAccount
  name: '{{ ansible_operator_meta.name }}'
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: '{{ ansible_operator_meta.name }}'