apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ include "flink-kube-operator.serviceAccountName" . }}
  labels:
    {{- include "flink-kube-operator.labels" . | nindent 4 }}
rules:
  - apiGroups:
      - flink.logicamp.tech  # API group of the FlinkJob CRD
    resources:
      - flink-jobs           # The plural name of your custom resource
    verbs:
      - get
      - list
      - create
      - update
      - delete
      - patch
      - watch
  - apiGroups: [""]
    resources: ["configmaps", "pods", "services"]
    verbs: ["create", "get", "list", "watch", "update", "delete", "patch"]
  - apiGroups: ["apps"]
    resources: ["statefulsets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list", "create", "delete"]
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ include "flink-kube-operator.serviceAccountName" . }}
  namespace: {{ .Release.Namespace }}  # Namespace where the RoleBinding is created
  labels:
    {{- include "flink-kube-operator.labels" . | nindent 4 }}
subjects:
  - kind: ServiceAccount
    name: {{ include "flink-kube-operator.serviceAccountName" . }}
    namespace: {{ .Release.Namespace }}  # Ensure that the service account is in the same namespace
roleRef:
  kind: Role
  name: {{ include "flink-kube-operator.serviceAccountName" . }}
  apiGroup: rbac.authorization.k8s.io