---
# Role for the Helm test pod in the vault-secrets-operator namespace.
# The test runs the VSO binary, which sets up its Vault client cache by
# creating and reading a Kubernetes Secret in this namespace.
#
# NOTE(review): the rules carry no resourceNames, so the verbs below apply
# to every Secret and ConfigMap in the namespace, not only the cache Secret.
# NOTE(review): the stated need is create/read of a Secret; confirm that
# delete, deletecollection, list and watch, and the configmaps resource,
# are actually required by the test, and drop whatever is not.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: vault-secrets-operator-test
  namespace: vault-secrets-operator
rules:
  # Core API group: Secrets and ConfigMaps.
  - apiGroups:
      - ""
    resources:
      - secrets
      - configmaps
    verbs:
      - create
      - get
      - update
      - delete
      - deletecollection
      - list
      - watch
  # Lease objects; presumably used for leader election by the operator
  # binary. TODO confirm the test needs them.
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - create
      - get
      - update
      - delete
      - list
      - watch
---
# Binds the Role above to the namespace's `default` ServiceAccount.
#
# NOTE(review): any pod in this namespace that does not set
# serviceAccountName runs as `default` and therefore inherits the Secret
# access granted above. A dedicated ServiceAccount for the test pod, or
# removing this binding once the test has finished, keeps the grant scoped
# to the test.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: vault-secrets-operator-test
  namespace: vault-secrets-operator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: vault-secrets-operator-test
subjects:
  - kind: ServiceAccount
    name: default
    namespace: vault-secrets-operator