{{- if .Values.watcher.enabled }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ include "hydra.serviceAccountName" . }}-watcher
  {{- if .Release.Namespace }}
  namespace: {{ .Release.Namespace }}
  {{- end }}
  labels:
    app.kubernetes.io/name: {{ include "hydra.name" . }}-watcher
    app.kubernetes.io/instance: {{ .Release.Name }}
automountServiceAccountToken: false
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ include "hydra.fullname" . }}-watcher
  namespace: {{ .Release.Namespace }}
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: 
      - list
      - watch
      - get
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs:
      - get
      - list
      - patch
      - update
      - watch
    resourceNames:
      - {{ include "hydra.fullname" . }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ include "hydra.fullname" . }}-watcher
  {{- if .Release.Namespace }}
  namespace: {{ .Release.Namespace }}
  {{- end }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ include "hydra.fullname" . }}-watcher
subjects:
  - kind: ServiceAccount
    name: {{ include "hydra.fullname" . }}-watcher
    namespace: {{ .Release.Namespace }}
{{- end }}