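# ClusterRole for the tls-sync-wildcard ServiceAccount.
# It is attached through the ClusterRoleBinding below, so every rule here
# applies in ALL namespaces, not only in the source namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tls-sync-wildcard
  labels:
    app: tls-sync-wildcard
rules:
  # Read access to cert-manager Certificates and to Secrets, intended for
  # the source namespace.
  # NOTE(review): a ClusterRoleBinding cannot restrict these rules to one
  # namespace. To limit the reads to the source namespace, move these two
  # rules into a Role + RoleBinding created in that namespace.
  - apiGroups:
      - cert-manager.io
    resources:
      - certificates
    verbs:
      - get
      - list
      - watch
  # NOTE(review): as written this rule is redundant, because the rule below
  # already grants get/list on secrets cluster-wide.
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
      - list
  # Create and manage Secrets in all namespaces.
  # NOTE(review): the verb list applies to BOTH resources, so this rule also
  # grants create/update/patch on namespaces (namespace creation and label
  # or annotation changes). If the workload only needs to enumerate
  # namespaces, split them into a separate rule with get/list only; confirm
  # against the controller before narrowing.
  # NOTE(review): cluster-wide get/list on secrets lets this ServiceAccount
  # read the contents of every Secret in the cluster. Consider
  # resourceNames, or per-namespace Roles, if the set of synced secrets is
  # known.
  - apiGroups:
      - ""
    resources:
      - secrets
      - namespaces
    verbs:
      - get
      - list
      - create
      - update
      - patch
---
# Binds the ClusterRole above, cluster-wide, to the tls-sync-wildcard
# ServiceAccount that lives in the configured source namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tls-sync-wildcard
  labels:
    app: tls-sync-wildcard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tls-sync-wildcard
subjects:
  - kind: ServiceAccount
    name: tls-sync-wildcard
    # Quoted so the rendered value is always a YAML string: an empty or
    # boolean/number-looking value would otherwise be retyped by the parser.
    namespace: {{ .Values.tlsSync.sourceNamespace | quote }}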