{{- if not .Values.dnsimple.existingTokenSecret -}}
apiVersion: v1
kind: Secret
metadata:
  name: {{ include "dnsimple-webhook.tokenSecretName" . }}
  labels:
    app: {{ include "dnsimple-webhook.name" . }}
    chart: {{ include "dnsimple-webhook.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
type: Opaque
data:
  token: {{ .Values.dnsimple.token | b64enc }}
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ include "dnsimple-webhook.fullname" . }}:secret-reader
  labels:
    app: {{ include "dnsimple-webhook.name" . }}
    chart: {{ include "dnsimple-webhook.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
rules:
- apiGroups: [""] # indicates the core API group
  resources: ["secrets"]
  resourceNames: ["{{ include "dnsimple-webhook.tokenSecretName" . }}"]
  verbs: ["get", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ include "dnsimple-webhook.fullname" . }}:secret-reader
  labels:
    app: {{ include "dnsimple-webhook.name" . }}
    chart: {{ include "dnsimple-webhook.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
subjects:
 - apiGroup: ""
   kind: ServiceAccount
   name: {{ include "dnsimple-webhook.fullname" . }}
   namespace: {{ .Release.Namespace }}
roleRef:
  kind: Role
  name: {{ include "dnsimple-webhook.fullname" . }}:secret-reader
  apiGroup: rbac.authorization.k8s.io