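{{- if .Values.rbac.create -}}
# RBAC for the Backstage environment manager: a ClusterRole carrying the
# namespace / ArgoCD / Argo Workflows permissions, plus a ClusterRoleBinding
# attaching it to the chart's ServiceAccount. Rendered only when
# .Values.rbac.create is true.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # NOTE(review): the name is a fixed, cluster-scoped literal, so two releases
  # of this chart in one cluster would collide on it — confirm whether a
  # release-scoped name is wanted.
  name: backstage-environment-manager
  labels:
    {{- include "backstage.labels" . | nindent 4 }}
rules:
  # Namespace management for environment lifecycle.
  # NOTE(review): "delete" on namespaces applies cluster-wide; ClusterRole
  # rules cannot be scoped by label, so limiting deletion to environment
  # namespaces relies on the caller, not on this policy. Review periodically.
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get", "list", "watch", "delete"]
  # Read access to environment resources for display.
  - apiGroups: [""]
    resources: ["resourcequotas", "limitranges", "pods", "services"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["networkpolicies"]
    verbs: ["get", "list", "watch"]
  # ArgoCD Applications - for cleanup when deleting environments.
  # NOTE(review): "delete" here also reaches every Application in the cluster,
  # not only environment-owned ones — same caveat as the namespace rule.
  - apiGroups: ["argoproj.io"]
    resources: ["applications"]
    verbs: ["get", "list", "watch", "delete"]
  # Argo Workflows - for monitoring environment provisioning status (read-only).
  - apiGroups: ["argoproj.io"]
    resources: ["workflows"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: backstage-environment-manager-binding
  labels:
    {{- include "backstage.labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: backstage-environment-manager
subjects:
  - kind: ServiceAccount
    name: {{ include "backstage.serviceAccountName" . }}
    # Fall back to the release namespace when namespaceOverride is unset;
    # otherwise this renders as a bare "namespace:" (null) and the subject no
    # longer matches the ServiceAccount. Quoted so a namespace named like a
    # YAML boolean (e.g. "no") is not retyped by the parser.
    namespace: {{ .Values.namespaceOverride | default .Release.Namespace | quote }}
{{- end }}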