apiVersion: v1
kind: ServiceAccount
metadata:
  name: manager
  namespace: manager
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: manager-pgbouncer
  namespace: pgbouncer
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["pgbouncer-config"]
    verbs: ["get", "patch"]
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["pgbouncer-userlist"]
    verbs: ["get", "patch"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    resourceNames: ["pgbouncer"]
    verbs: ["get", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: manager-pgbouncer
  namespace: pgbouncer
subjects:
  - kind: ServiceAccount
    name: manager
    namespace: manager
roleRef:
  kind: Role
  apiGroup: rbac.authorization.k8s.io
  name: manager-pgbouncer
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: manager-argocd
  namespace: argocd
rules:
  - apiGroups: ["argoproj.io"]
    resources: ["applications"]
    verbs: ["get", "create", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: manager-argocd
  namespace: argocd
subjects:
  - kind: ServiceAccount
    name: manager
    namespace: manager
roleRef:
  kind: Role
  apiGroup: rbac.authorization.k8s.io
  name: manager-argocd