---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: authentik
  namespace: ##NAMESPACE##
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: authentik
  namespace: ##NAMESPACE##
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: authentik
subjects:
  - kind: ServiceAccount
    name: authentik
    namespace: ##NAMESPACE##
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: authentik
  namespace: ##NAMESPACE##
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
      - services
      - configmaps
    verbs:
      - get
      - create
      - delete
      - list
      - patch
  - apiGroups:
      - extensions
      - apps
    resources:
      - deployments
    verbs:
      - get
      - create
      - delete
      - list
      - patch
  - apiGroups:
      - extensions
      - networking.k8s.io
    resources:
      - ingresses
    verbs:
      - get
      - create
      - delete
      - list
      - patch
  - apiGroups:
      - traefik.containo.us
    resources:
      - middlewares
    verbs:
      - get
      - create
      - delete
      - list
      - patch
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: authentik
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: authentik
subjects:
  - kind: ServiceAccount
    name: authentik
    namespace: ingress
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: authentik
rules:
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - list