{{- if ( and .Values.inboundWorker.serviceAccount.enabled ( not .Values.inboundWorker.serviceAccount.preexisting ) ) -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ template "inbound-worker.name" . }}-role
rules:
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - get
      - list
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - create
      - get
      - update
      - delete
      - patch
  {{- if eq  (include "parent.dataplaneMode" . ) "shared" }}
  - apiGroups:
      - operator.fusion.axway.com
    resources:
      - orchestrators
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  {{- end }}
{{- end }}