apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ template "postgres-operator-ui.name" . }}
  labels:
    app.kubernetes.io/name: {{ template "postgres-operator-ui.name" . }}
    helm.sh/chart: {{ template "postgres-operator-ui.chart" . }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    app.kubernetes.io/instance: {{ .Release.Name }}

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: {{ template "postgres-operator-ui.name" . }}
  labels:
    app.kubernetes.io/name: {{ template "postgres-operator-ui.name" . }}
    helm.sh/chart: {{ template "postgres-operator-ui.chart" . }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    app.kubernetes.io/instance: {{ .Release.Name }}  
rules:
- apiGroups:
  - acid.zalan.do
  resources:
  - postgresqls
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list
- apiGroups:
  - apps
  resources:
  - statefulsets
  verbs:
  - get
  - list
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ template "postgres-operator-ui.name" . }}
  labels:
    app.kubernetes.io/name: {{ template "postgres-operator-ui.name" . }}
    helm.sh/chart: {{ template "postgres-operator-ui.chart" . }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    app.kubernetes.io/instance: {{ .Release.Name }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ template "postgres-operator-ui.name" . }}
subjects:
- kind: ServiceAccount
# note: the cluster role binding needs to be defined
# for every namespace the operator-ui service account lives in.
  name: {{ template "postgres-operator-ui.name" . }}
  namespace: {{ .Release.Namespace }}