{{- $version := include "imageVersion" $ }}
{{- if and .Values.rbac.enabled (not .Values.rbac.namespaced) }}
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ template "traefik.clusterRoleName" . }}
  labels:
    {{- include "traefik.labels" . | nindent 4 }}
    {{- range .Values.rbac.aggregateTo }}
    rbac.authorization.k8s.io/aggregate-to-{{ . }}: "true"
    {{- end }}
rules:
  {{- if semverCompare ">=v3.1.0-0" $version }}
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
      - list
      - watch
  {{- end }}
  {{- if (semverCompare "<v3.1.0-0" $version) }}
  - apiGroups:
      - ""
    resources:
      - endpoints
      - services
    verbs:
      - get
      - list
      - watch
    {{- if $.Values.hub.token }}
  - apiGroups:
      - discovery.k8s.io
    resources:
      - endpointslices
    verbs:
      - get
      - list
      - watch
    {{- end }}
  {{- else }}
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - discovery.k8s.io
    resources:
      - endpointslices
    verbs:
      - list
      - watch
  {{- end }}
  - apiGroups:
      - ""
    resources:
      - secrets
    {{- with .Values.rbac.secretResourceNames }}
    resourceNames: {{ toYaml . | nindent 6 }}
    {{- end }}
    verbs:
      - get
      - list
      - watch
    {{- if and .Values.hub.token }}
      - update
      - create
      - delete
      - deletecollection
    {{- end }}
  {{- if .Values.podSecurityPolicy.enabled }}
  - apiGroups:
      - policy
    resourceNames:
      - {{ template "traefik.fullname" . }}
    resources:
      - podsecuritypolicies
    verbs:
      - use
  {{- end -}}
  {{- if .Values.providers.kubernetesIngress.enabled }}
  - apiGroups:
      - extensions
      - networking.k8s.io
    resources:
      - ingressclasses
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
      - networking.k8s.io
    resources:
      - ingresses/status
    verbs:
      - update
  {{- end -}}
  {{- if .Values.providers.kubernetesCRD.enabled }}
  - apiGroups:
      - traefik.io
    resources:
      - ingressroutes
      - ingressroutetcps
      - ingressrouteudps
      - middlewares
      - middlewaretcps
      - serverstransports
      - serverstransporttcps
      - tlsoptions
      - tlsstores
      - traefikservices
    verbs:
      - get
      - list
      - watch
  {{- end -}}
  {{- if (.Values.providers.kubernetesGateway).enabled }}
  - apiGroups:
      - ""
    resources:
      - namespaces
    {{- if (semverCompare "<v3.1.0-0" $version) }}
      - endpoints
    {{- end }}
      - secrets
      - services
    {{- if semverCompare ">=v3.2.0-0" $version }}
      - configmaps
    {{- end }}
    verbs:
      - get
      - list
      - watch
    {{- if (semverCompare ">=v3.1.0-0" $version) }}
  - apiGroups:
      - discovery.k8s.io
    resources:
      - endpointslices
    verbs:
      - list
      - watch
    {{- end }}
  - apiGroups:
      - gateway.networking.k8s.io
    resources:
      {{- if semverCompare ">=v3.2.0-0" $version }}
      - backendtlspolicies
      {{- end }}
      - gatewayclasses
      - gateways
      {{- if semverCompare ">=v3.2.0-0" $version }}
      - grpcroutes
      {{- end }}
      - httproutes
      - referencegrants
      - tcproutes
      - tlsroutes
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - gateway.networking.k8s.io
    resources:
      {{- if semverCompare ">=v3.2.0-0" $version }}
      - backendtlspolicies/status
      {{- end }}
      - gatewayclasses/status
      - gateways/status
      {{- if semverCompare ">=v3.2.0-0" $version }}
      - grpcroutes/status
      {{- end }}
      - httproutes/status
      - tcproutes/status
      - tlsroutes/status
    verbs:
      - update
  {{- end }}
  {{- if .Values.hub.token }}
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
  {{- end }}
  {{- if .Values.hub.token }}
    {{- if or (semverCompare ">=v3.1.0-0" $version) .Values.hub.apimanagement.enabled }}
  - apiGroups:
      - ""
    resources:
      - endpoints
    verbs:
      - list
      - watch
    {{- end }}
  - apiGroups:
      - ""
    resources:
      - namespaces
    {{- if .Values.hub.apimanagement.enabled }}
      - pods
    {{- end }}
    verbs:
      - get
      - list
    {{- if .Values.hub.apimanagement.enabled }}
      - watch
    {{- end }}
    {{- if .Values.hub.apimanagement.enabled }}
  - apiGroups:
      - hub.traefik.io
    resources:
      - accesscontrolpolicies
      - apiaccesses
      - apiportals
      - apiratelimits
      - apis
      - apiversions
      - apibundles
      - apiplans
    verbs:
      - list
      - watch
      - create
      - update
      - patch
      - delete
      - get
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - apps
    resources:
      - replicasets
    verbs:
      - get
      - list
      - watch
      {{- if (semverCompare "<v3.1.0-0" $version) }}
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - list
      - watch
      {{- end -}}
    {{- end -}}
  {{- end }}
{{- end }}