{{- with .Values.clientRbac }}
{{- if .create }}
{{- /*
Client must have the following RBAC in the traffic-manager.namespace to establish
a port-forward to the traffic-manager pod.
*/}}
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name:  traffic-manager-connect
  namespace: {{ include "traffic-manager.namespace" $ }}
  labels:
    {{- include "telepresence.labels" $ | nindent 4 }}
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list"]
  - apiGroups: [""]
    resources: ["services"]
    resourceNames:
      - {{ include "traffic-manager.name" $ }}
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["pods/portforward"]
    verbs: ["create"]
---

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: traffic-manager-connect
  namespace: {{ include "traffic-manager.namespace" $ }}
  labels:
    {{- include "telepresence.labels" $ | nindent 4 }}
subjects:
{{ toYaml .subjects }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  name: traffic-manager-connect
  kind: Role

{{- end }}
{{- end }}