local kube = import "../../../kube/kube.libsonnet";
{
    local top = self,
    crs: {
        // ClusterRole for the cainjector component. crbs.cainjector attaches it with
        // a ClusterRoleBinding, so every rule below applies in all namespaces.
        cainjector: kube.ClusterRole("cert-manager-cainjector") {
            local read = ["get", "list", "watch"],
            local readAndUpdate = read + ["update"],
            rules: [
                { apiGroups: ["cert-manager.io"], resources: ["certificates"], verbs: read },
                // Read access to every Secret in the cluster: the bound service
                // account's token should be handled as a cluster-wide credential.
                { apiGroups: [""], resources: ["secrets"], verbs: read },
                { apiGroups: [""], resources: ["events"], verbs: ["get", "create", "update", "patch"] },
                // "update" on admission webhook configurations, APIServices and CRDs
                // touches cluster-wide API plumbing; audit-log changes to these
                // objects and review who else holds the same verbs.
                {
                    apiGroups: ["admissionregistration.k8s.io"],
                    resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"],
                    verbs: readAndUpdate,
                },
                { apiGroups: ["apiregistration.k8s.io"], resources: ["apiservices"], verbs: readAndUpdate },
                { apiGroups: ["apiextensions.k8s.io"], resources: ["customresourcedefinitions"], verbs: readAndUpdate },
                // NOTE(review): auditregistration.k8s.io (AuditSink) was an alpha API
                // removed in Kubernetes 1.19, so this rule looks stale; confirm
                // against the target cluster version and drop it if unused.
                { apiGroups: ["auditregistration.k8s.io"], resources: ["auditsinks"], verbs: readAndUpdate },
            ],
        },
        // ClusterRole for the Issuer controller. crbs.controllerIssuers binds it
        // cluster-wide to top.sas.certManager.
        controllerIssuers: kube.ClusterRole("cert-manager-controller-issuers") {
            local certManagerGroup = ["cert-manager.io"],
            local read = ["get", "list", "watch"],
            rules: [
                { apiGroups: certManagerGroup, resources: ["issuers", "issuers/status"], verbs: ["update"] },
                { apiGroups: certManagerGroup, resources: ["issuers"], verbs: read },
                // Read, create, update and delete on Secrets in every namespace.
                // This is the widest grant in the role; there is no resourceNames
                // or namespace scoping on it.
                { apiGroups: [""], resources: ["secrets"], verbs: read + ["create", "update", "delete"] },
                { apiGroups: [""], resources: ["events"], verbs: ["create", "patch"] },
            ],
        },
        // ClusterRole for the ClusterIssuer controller. crbs.controllerClusterissuers
        // binds it cluster-wide to top.sas.certManager.
        controllerClusterissuers: kube.ClusterRole("cert-manager-controller-clusterissuers") {
            local certManagerGroup = ["cert-manager.io"],
            local read = ["get", "list", "watch"],
            rules: [
                {
                    apiGroups: certManagerGroup,
                    resources: ["clusterissuers", "clusterissuers/status"],
                    verbs: ["update"],
                },
                { apiGroups: certManagerGroup, resources: ["clusterissuers"], verbs: read },
                // Same cluster-wide Secret read/write/delete grant as the Issuer
                // controller role; no resourceNames or namespace scoping.
                { apiGroups: [""], resources: ["secrets"], verbs: read + ["create", "update", "delete"] },
                { apiGroups: [""], resources: ["events"], verbs: ["create", "patch"] },
            ],
        },
        // ClusterRole for the Certificate controller. crbs.controllerCertificates
        // binds it cluster-wide to top.sas.certManager.
        controllerCertificates: kube.ClusterRole("cert-manager-controller-certificates") {
            local certManagerGroup = ["cert-manager.io"],
            local read = ["get", "list", "watch"],
            rules: [
                {
                    apiGroups: certManagerGroup,
                    resources: [
                        "certificates",
                        "certificates/status",
                        "certificaterequests",
                        "certificaterequests/status",
                    ],
                    verbs: ["update"],
                },
                {
                    apiGroups: certManagerGroup,
                    resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"],
                    verbs: read,
                },
                {
                    apiGroups: certManagerGroup,
                    resources: ["certificates/finalizers", "certificaterequests/finalizers"],
                    verbs: ["update"],
                },
                { apiGroups: ["acme.cert-manager.io"], resources: ["orders"], verbs: ["create", "delete"] + read },
                // Read, create, update and delete on Secrets in every namespace;
                // no resourceNames or namespace scoping.
                { apiGroups: [""], resources: ["secrets"], verbs: read + ["create", "update", "delete"] },
                { apiGroups: [""], resources: ["events"], verbs: ["create", "patch"] },
            ],
        },
        // ClusterRole for the ACME Order controller. crbs.controllerOrders binds it
        // cluster-wide to top.sas.certManager.
        controllerOrders: kube.ClusterRole("cert-manager-controller-orders") {
            local acmeGroup = ["acme.cert-manager.io"],
            local read = ["get", "list", "watch"],
            rules: [
                { apiGroups: acmeGroup, resources: ["orders", "orders/status"], verbs: ["update"] },
                { apiGroups: acmeGroup, resources: ["orders", "challenges"], verbs: read },
                { apiGroups: ["cert-manager.io"], resources: ["clusterissuers", "issuers"], verbs: read },
                { apiGroups: acmeGroup, resources: ["challenges"], verbs: ["create", "delete"] },
                { apiGroups: acmeGroup, resources: ["orders/finalizers"], verbs: ["update"] },
                // Read-only on Secrets, but still across every namespace.
                { apiGroups: [""], resources: ["secrets"], verbs: read },
                { apiGroups: [""], resources: ["events"], verbs: ["create", "patch"] },
            ],
        },
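        // ClusterRole for the ACME Challenge controller. crbs.controllerChallenges
        // binds it cluster-wide to top.sas.certManager.
        //
        // The original listed the read-only Secrets rule twice; the second copy is
        // removed here. Effective permissions are unchanged.
        controllerChallenges: kube.ClusterRole("cert-manager-controller-challenges") {
            rules: [
                {
                    apiGroups: ["acme.cert-manager.io"],
                    resources: ["challenges", "challenges/status"],
                    verbs: ["update"],
                },
                {
                    apiGroups: ["acme.cert-manager.io"],
                    resources: ["challenges"],
                    verbs: ["get", "list", "watch"],
                },
                {
                    apiGroups: ["cert-manager.io"],
                    resources: ["issuers", "clusterissuers"],
                    verbs: ["get", "list", "watch"],
                },
                // Read-only on Secrets, across every namespace.
                {
                    apiGroups: [""],
                    resources: ["secrets"],
                    verbs: ["get", "list", "watch"],
                },
                {
                    apiGroups: [""],
                    resources: ["events"],
                    verbs: ["create", "patch"],
                },
                // Create/delete on Pods and Services in every namespace, presumably
                // for ACME solver workloads (TODO confirm). Pod creation is a
                // sensitive grant: make sure admission policy (Pod Security or
                // equivalent) also covers what this service account may schedule.
                {
                    apiGroups: [""],
                    resources: ["pods", "services"],
                    verbs: ["get", "list", "watch", "create", "delete"],
                },
                {
                    apiGroups: ["networking.k8s.io"],
                    resources: ["ingresses"],
                    verbs: ["get", "list", "watch", "create", "delete", "update"],
                },
                // NOTE(review): networking.x-k8s.io is the early Gateway API group;
                // confirm it matches the Gateway API CRDs installed on the cluster.
                {
                    apiGroups: ["networking.x-k8s.io"],
                    resources: ["httproutes"],
                    verbs: ["get", "list", "watch", "create", "delete", "update"],
                },
                // OpenShift-specific subresource; only meaningful where the
                // route.openshift.io API is served.
                {
                    apiGroups: ["route.openshift.io"],
                    resources: ["routes/custom-host"],
                    verbs: ["create"],
                },
                {
                    apiGroups: ["acme.cert-manager.io"],
                    resources: ["challenges/finalizers"],
                    verbs: ["update"],
                },
            ],
        },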
        // ClusterRole for the ingress-shim controller. crbs.controllerIngressShim
        // binds it cluster-wide to top.sas.certManager. It can write Certificates
        // and CertificateRequests but only reads Ingress/Gateway objects (plus
        // "update" on their finalizers subresources).
        controllerIngressShim: kube.ClusterRole("cert-manager-controller-ingress-shim") {
            local certManagerGroup = ["cert-manager.io"],
            local ingressGroup = ["networking.k8s.io"],
            // NOTE(review): networking.x-k8s.io is the early Gateway API group;
            // confirm it matches the Gateway API CRDs installed on the cluster.
            local gatewayGroup = ["networking.x-k8s.io"],
            local read = ["get", "list", "watch"],
            rules: [
                {
                    apiGroups: certManagerGroup,
                    resources: ["certificates", "certificaterequests"],
                    verbs: ["create", "update", "delete"],
                },
                {
                    apiGroups: certManagerGroup,
                    resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"],
                    verbs: read,
                },
                { apiGroups: ingressGroup, resources: ["ingresses"], verbs: read },
                { apiGroups: ingressGroup, resources: ["ingresses/finalizers"], verbs: ["update"] },
                { apiGroups: gatewayGroup, resources: ["gateways", "httproutes"], verbs: read },
                {
                    apiGroups: gatewayGroup,
                    resources: ["gateways/finalizers", "httproutes/finalizers"],
                    verbs: ["update"],
                },
                { apiGroups: [""], resources: ["events"], verbs: ["create", "patch"] },
            ],
        },
        // Read-only role over namespaced cert-manager resources (ClusterIssuers are
        // not included). No binding in crbs references it and no aggregation labels
        // are set in this file.
        // NOTE(review): confirm whether kube.ClusterRole or a consumer of this
        // object adds labels or bindings; otherwise the role grants nothing to
        // anyone.
        view: kube.ClusterRole("cert-manager-view") {
            local read = ["get", "list", "watch"],
            rules: [
                {
                    apiGroups: ["cert-manager.io"],
                    resources: ["certificates", "certificaterequests", "issuers"],
                    verbs: read,
                },
                { apiGroups: ["acme.cert-manager.io"], resources: ["challenges", "orders"], verbs: read },
            ],
        },
        // Write-only counterpart of cert-manager-view: it carries no get/list/watch,
        // so it is presumably meant to be combined with a read role. As with view,
        // no binding in crbs references it and no aggregation labels are set here.
        // NOTE(review): whoever receives this role can create Issuers and
        // Certificates; review where it ends up being bound.
        edit: kube.ClusterRole("cert-manager-edit") {
            local write = ["create", "delete", "deletecollection", "patch", "update"],
            rules: [
                {
                    apiGroups: ["cert-manager.io"],
                    resources: ["certificates", "certificaterequests", "issuers"],
                    verbs: write,
                },
                { apiGroups: ["acme.cert-manager.io"], resources: ["challenges", "orders"], verbs: write },
            ],
        },
        // Grants the custom "approve" verb on cert-manager.io signers; bound to
        // top.sas.certManager by crbs.controllerApproveCertManagerIo.
        // NOTE(review): the rule has no resourceNames, so it is not limited to
        // particular signer names. Confirm that approving for every signer is
        // intended, or scope it with resourceNames.
        controllerApproveCertManagerIo: kube.ClusterRole("cert-manager-controller-approve:cert-manager-io") {
            rules: [
                { apiGroups: ["cert-manager.io"], resources: ["signers"], verbs: ["approve"] },
            ],
        },
        // ClusterRole for handling Kubernetes CertificateSigningRequests; bound to
        // top.sas.certManager by crbs.controllerCertificatesigningrequests.
        controllerCertificatesigningrequests: kube.ClusterRole("cert-manager-controller-certificatesigningrequests") {
            local csrGroup = ["certificates.k8s.io"],
            rules: [
                {
                    apiGroups: csrGroup,
                    resources: ["certificatesigningrequests"],
                    verbs: ["get", "list", "watch", "update"],
                },
                { apiGroups: csrGroup, resources: ["certificatesigningrequests/status"], verbs: ["update"] },
                // NOTE(review): Kubernetes scopes the "sign" verb per signer name
                // through resourceNames on "signers". None is listed here, so the
                // grant covers every signer name, including ones this controller
                // does not serve. Restrict it to the signer names actually used.
                { apiGroups: csrGroup, resources: ["signers"], verbs: ["sign"] },
                { apiGroups: ["authorization.k8s.io"], resources: ["subjectaccessreviews"], verbs: ["create"] },
            ],
        },
        // Lets the webhook create SubjectAccessReviews, i.e. ask the API server
        // whether a given subject is authorized for an action. Bound to
        // top.sas.webhook by crbs.webhookSubjectaccessreviews.
        webhookSubjectaccessreviews: kube.ClusterRole("cert-manager-webhook:subjectaccessreviews") {
            rules: [
                { apiGroups: ["authorization.k8s.io"], resources: ["subjectaccessreviews"], verbs: ["create"] },
            ],
        },
    },
    // ClusterRoleBindings. Every controller role is bound to the single service
    // account top.sas.certManager, so that account holds the union of all
    // controller grants (including cluster-wide Secret read/write/delete and
    // Pod/Service create/delete). The view and edit ClusterRoles are not bound
    // here.
    // top.sas is not defined in this file; it is presumably supplied by the
    // object this one is merged into (TODO confirm).
    crbs: {
        local bind(name, role, serviceAccount) = kube.ClusterRoleBinding(name) {
            roleRef_: role,
            subjects_: [serviceAccount],
        },
        local bindController(name, role) = bind(name, role, top.sas.certManager),

        cainjector: bind("cert-manager-cainjector", top.crs.cainjector, top.sas.cainjector),
        controllerIssuers: bindController(
            "cert-manager-controller-issuers",
            top.crs.controllerIssuers
        ),
        controllerClusterissuers: bindController(
            "cert-manager-controller-clusterissuers",
            top.crs.controllerClusterissuers
        ),
        controllerCertificates: bindController(
            "cert-manager-controller-certificates",
            top.crs.controllerCertificates
        ),
        controllerOrders: bindController(
            "cert-manager-controller-orders",
            top.crs.controllerOrders
        ),
        controllerChallenges: bindController(
            "cert-manager-controller-challenges",
            top.crs.controllerChallenges
        ),
        controllerIngressShim: bindController(
            "cert-manager-controller-ingress-shim",
            top.crs.controllerIngressShim
        ),
        controllerApproveCertManagerIo: bindController(
            "cert-manager-controller-approve:cert-manager-io",
            top.crs.controllerApproveCertManagerIo
        ),
        controllerCertificatesigningrequests: bindController(
            "cert-manager-controller-certificatesigningrequests",
            top.crs.controllerCertificatesigningrequests
        ),
        webhookSubjectaccessreviews: bind(
            "cert-manager-webhook:subjectaccessreviews",
            top.crs.webhookSubjectaccessreviews,
            top.sas.webhook
        ),
    },
    // Namespaced Roles. The two leader-election Roles live in kube-system; the
    // webhook Role takes its metadata from top.env.metadata (defined outside this
    // file).
    roles: {
        local kubeSystemMetadata = top.env.metadata {
            namespace: "kube-system",
        },
        // NOTE(review): none of these rules sets resourceNames, so get/update/patch
        // applies to every ConfigMap and every Lease in kube-system, not just the
        // leader-election objects. "create" is kept as a separate rule, which is
        // the layout normally used so that the other rule can carry resourceNames
        // (create cannot be name-restricted). Restrict the get/update/patch rules
        // to the lock names used by the deployed cert-manager version.
        local leaderElectionRules = [
            { apiGroups: [""], resources: ["configmaps"], verbs: ["get", "update", "patch"] },
            { apiGroups: [""], resources: ["configmaps"], verbs: ["create"] },
            { apiGroups: ["coordination.k8s.io"], resources: ["leases"], verbs: ["get", "update", "patch"] },
            { apiGroups: ["coordination.k8s.io"], resources: ["leases"], verbs: ["create"] },
        ],

        cainjectorLeaderelection: kube.Role("cert-manager-cainjector:leaderelection") {
            metadata+: kubeSystemMetadata,
            rules: leaderElectionRules,
        },
        leaderelection: kube.Role("cert-manager:leaderelection") {
            metadata+: kubeSystemMetadata,
            rules: leaderElectionRules,
        },
        // NOTE(review): no resourceNames here either, so the webhook can read and
        // update every Secret in its own namespace, not only its serving
        // certificate. Scope get/update to the specific Secret name if possible.
        webhookDynamicServing: kube.Role("cert-manager-webhook:dynamic-serving") {
            metadata+: top.env.metadata,
            rules: [
                { apiGroups: [""], resources: ["secrets"], verbs: ["get", "list", "watch", "update"] },
                { apiGroups: [""], resources: ["secrets"], verbs: ["create"] },
            ],
        },
    },
    // RoleBindings for the namespaced Roles in `roles`. Each binding is placed in
    // the same namespace as the Role it references: kube-system for the two
    // leader-election Roles, top.env.metadata.namespace for the webhook Role.
    rbs: {
        local bindIn(namespace, name, role, serviceAccount) = kube.RoleBinding(name) {
            metadata+: {
                namespace: namespace,
            },
            roleRef_: role,
            subjects_: [serviceAccount],
        },
        local kubeSystem = "kube-system",

        cainjectorLeaderelection: bindIn(
            kubeSystem,
            "cert-manager-cainjector:leaderelection",
            top.roles.cainjectorLeaderelection,
            top.sas.cainjector
        ),
        leaderelection: bindIn(
            kubeSystem,
            "cert-manager:leaderelection",
            top.roles.leaderelection,
            top.sas.certManager
        ),
        webhookDynamicServing: bindIn(
            top.env.metadata.namespace,
            "cert-manager-webhook:dynamic-serving",
            top.roles.webhookDynamicServing,
            top.sas.webhook
        ),
    },
}
