{{- if .Values.collector.enabled -}}
---
###
### collector RBAC
###
kind: ServiceAccount
apiVersion: v1
metadata:
  name: collector
  namespace: {{ .Release.Namespace }}
  labels:
    linkerd.io/extension: jaeger
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
{{- include "partials.image-pull-secrets" .Values.imagePullSecrets }}
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: collector
  labels:
    linkerd.io/extension: jaeger
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
rules:
- apiGroups: [""]
  resources: ["pods", "namespaces"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
  resources: ["daemonsets", "replicasets", "statefulsets"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["batch"]
  resources: ["cronjobs", "jobs"]
  verbs: ["get", "list", "watch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: collector
  labels:
    linkerd.io/extension: jaeger
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
subjects:
- kind: ServiceAccount
  name: collector
  namespace: {{.Release.Namespace}}
roleRef:
  kind: ClusterRole
  name: collector
  apiGroup: rbac.authorization.k8s.io
{{ end -}}
---
###
### Jaeger Injector RBAC
###
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-jaeger-injector
  labels:
    linkerd.io/extension: jaeger
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "list", "watch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-jaeger-injector
  labels:
    linkerd.io/extension: jaeger
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
subjects:
- kind: ServiceAccount
  name: jaeger-injector
  namespace: {{.Release.Namespace}}
  apiGroup: ""
roleRef:
  kind: ClusterRole
  name: linkerd-jaeger-injector
  apiGroup: rbac.authorization.k8s.io
---
kind: ServiceAccount
apiVersion: v1
metadata:
  name: jaeger-injector
  namespace: {{ .Release.Namespace }}
  labels:
    linkerd.io/extension: jaeger
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
{{- include "partials.image-pull-secrets" .Values.imagePullSecrets }}
---
{{- $host := printf "jaeger-injector.%s.svc" .Release.Namespace }}
{{- $ca := genSelfSignedCert $host (list) (list $host) 365 }}
{{- if (not .Values.webhook.externalSecret) }}
kind: Secret
apiVersion: v1
metadata:
  name: jaeger-injector-k8s-tls
  namespace: {{ .Release.Namespace }}
  labels:
    linkerd.io/extension: jaeger
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
type: kubernetes.io/tls
data:
  tls.crt: {{ ternary (b64enc (trim $ca.Cert)) (b64enc (trim .Values.webhook.crtPEM)) (empty .Values.webhook.crtPEM) }}
  tls.key: {{ ternary (b64enc (trim $ca.Key)) (b64enc (trim .Values.webhook.keyPEM)) (empty .Values.webhook.keyPEM) }}
---
{{- end }}
{{- include "linkerd.webhook.validation" .Values.webhook }}
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: linkerd-jaeger-injector-webhook-config
  {{- if or (.Values.webhook.injectCaFrom) (.Values.webhook.injectCaFromSecret) }}
  annotations:
  {{- if .Values.webhook.injectCaFrom }}
    cert-manager.io/inject-ca-from: {{ .Values.webhook.injectCaFrom }}
  {{- end }}
  {{- if .Values.webhook.injectCaFromSecret }}
    cert-manager.io/inject-ca-from-secret: {{ .Values.webhook.injectCaFromSecret }}
  {{- end }}
  {{- end }}
  labels:
    linkerd.io/extension: jaeger
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
webhooks:
- name: jaeger-injector.linkerd.io
  {{- if .Values.webhook.namespaceSelector }}
  namespaceSelector:
{{ toYaml .Values.webhook.namespaceSelector | trim | indent 4 -}}
  {{- end }}
  {{- if .Values.webhook.objectSelector }}
  objectSelector:
{{ toYaml .Values.webhook.objectSelector | trim | indent 4 -}}
  {{- end }}
  clientConfig:
    service:
      name: jaeger-injector
      namespace: {{ .Release.Namespace }}
      path: "/"
    {{- if and (empty .Values.webhook.injectCaFrom) (empty .Values.webhook.injectCaFromSecret) }}
    caBundle: {{ ternary (b64enc (trim $ca.Cert)) (b64enc (trim .Values.webhook.caBundle)) (empty .Values.webhook.caBundle) }}
    {{- end }}
  failurePolicy: {{.Values.webhook.failurePolicy}}
  admissionReviewVersions: ["v1", "v1beta1"]
  reinvocationPolicy: IfNeeded
  rules:
  - operations: [ "CREATE" ]
    apiGroups: [""]
    apiVersions: ["v1"]
    resources: ["pods"]
    scope: "Namespaced"
  sideEffects: None
{{ if .Values.jaeger.enabled -}}
---
###
### jaeger RBAC
###
kind: ServiceAccount
apiVersion: v1
metadata:
  name: jaeger
  namespace: {{ .Release.Namespace }}
  labels:
    linkerd.io/extension: jaeger
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
{{- include "partials.image-pull-secrets" .Values.imagePullSecrets }}
{{ end -}}