{{- if and .Values.api7.enabled .Values.serviceAccount.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ include "api7ee.fullname" . }}-adc
  labels:
    {{- include "api7ee.labels" . | nindent 4 }}
rules:
  # Allow reading secrets (for certificates)
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list"]
  # Allow reading services and endpoints for service discovery
  - apiGroups: [""]
    resources: ["services", "endpoints"]
    verbs: ["get", "list", "watch"]
  # Allow reading pods for health checks
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ include "api7ee.fullname" . }}-adc
  labels:
    {{- include "api7ee.labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ include "api7ee.fullname" . }}-adc
subjects:
  - kind: ServiceAccount
    name: {{ include "api7ee.serviceAccountName" . }}
    namespace: {{ .Release.Namespace }}
{{- end }}