{{- $containerMode := .Values.containerMode }}
{{- $hasCustomResourceMeta := (and .Values.resourceMeta .Values.resourceMeta.kubernetesModeRole) }}
{{- if and (eq $containerMode.type "kubernetes") (not .Values.template.spec.serviceAccountName) }}
# default permission for runner pod service account in kubernetes mode (container hook)
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ include "gha-runner-scale-set.kubeModeRoleName" . }}
  namespace: {{ include "gha-runner-scale-set.namespace" . }}
  labels:
    {{- with .Values.labels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
    {{- if $hasCustomResourceMeta }}
    {{- with .Values.resourceMeta.kubernetesModeRole.labels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
    {{- end }}
    {{- include "gha-runner-scale-set.labels" . | nindent 4 }}
  annotations:
    {{- with .Values.annotations }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
    {{- if $hasCustomResourceMeta }}
    {{- with .Values.resourceMeta.kubernetesModeRole.annotations }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
    {{- end }}
  finalizers:
    - actions.github.com/cleanup-protection
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "create", "delete"]
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["get", "create"]
- apiGroups: [""]
  resources: ["pods/log"]
  verbs: ["get", "list", "watch",]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "list", "create", "delete"]
{{- end }}