{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ $gateway.name }}-sds
  namespace: {{ .Release.Namespace }}
  labels:
    release: {{ .Release.Name }}
    istio.io/rev: {{ .Values.revision | default "default" | quote }}
    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
    operator.istio.io/component: "IngressGateways"
rules:

  // It is entirely possible to get an error and be able to continue determine authorization status in spite of it.
  // For instance, RBAC can be missing a role, but enough roles are still present and bound to reason about the request.
  // +optional
  optional string evaluationError = 3;
}

  experimental:
    stableValidationPolicy: false

  global:
    # Used to locate istiod.
    istioNamespace: istio-system
    # List of cert-signers to allow "approve" action in the istio cluster role
    #
    # certSigners:
    #   - clusterissuers.cert-manager.io/istio-ca
    certSigners: []
    # enable pod disruption budget for the control plane, which is used to

  // +optional
  repeated string nonResourceURLs = 5;
}

// Role is a namespaced, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding.
message Role {
  // Standard object's metadata.
  // +optional
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;

  // Rules holds all the PolicyRules for this Role
  // +optional
  repeated PolicyRule rules = 2;
}

    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
    operator.istio.io/component: "EgressGateways"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ $gateway.name }}-sds
subjects:
- kind: ServiceAccount
  name: {{ $gateway.name }}-service-account

	sed -e '1 i {{- if .Values.global.configCluster }}' -e '$$ a {{- end }}' manifests/charts/istio-control/istio-discovery/templates/role.yaml > manifests/charts/istiod-remote/templates/role.yaml
	sed -e '1 i {{- if .Values.global.configCluster }}' -e '$$ a {{- end }}' manifests/charts/istio-control/istio-discovery/templates/rolebinding.yaml > manifests/charts/istiod-remote/templates/rolebinding.yaml

  // It is entirely possible to get an error and be able to continue determine authorization status in spite of it.
  // For instance, RBAC can be missing a role, but enough roles are still present and bound to reason about the request.
  // +optional
  optional string evaluationError = 3;
}

    return 9
  fi
  # Workaround kind issue causing taints to not be removed in 1.24
  kubectl taint nodes "${NAME}"-control-plane node-role.kubernetes.io/control-plane- 2>/dev/null || true

  # Determine what CNI to install
  case "${KUBERNETES_CNI:-}" in 

    "calico")
      echo "Installing Calico CNI"

  // +optional
  repeated string nonResourceURLs = 6;
}

// Role is a namespaced, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding.
// Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 Role, and will no longer be served in v1.22.
message Role {
  // Standard object's metadata.
  // +optional

  // +optional
  repeated string nonResourceURLs = 5;
}

// Role is a namespaced, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding.
// Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 Role, and will no longer be served in v1.22.
message Role {
  // Standard object's metadata.
  // +optional