{{- if .Values.rbac.create }}
# kubernetes_plugin: Give access to stats endpoints
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: influx-stats-viewer
  labels:
    {{- include "telegraf.labels" . | nindent 4 }}
    rbac.authorization.k8s.io/aggregate-view-telegraf-stats: "true"
rules:
  - apiGroups: ["metrics.k8s.io"]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["nodes", "nodes/proxy", "nodes/stats", "persistentvolumes"]
    verbs: ["get", "list", "watch"]
---
# Define global role with the default system:aggregate-to-view cluster role and the two rules we just created
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: influx:telegraf
aggregationRule:
  clusterRoleSelectors:
    - matchLabels:
        rbac.authorization.k8s.io/aggregate-view-telegraf-stats: "true"
    - matchLabels:
        rbac.authorization.k8s.io/aggregate-to-view: "true"
rules: [] # Rules are automatically filled in by the controller manager.
{{- end }}