{{ if .Values.nfc_monitoring.prometheus.kyverno_role_policy }}
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-prometheus-role-binding
  annotations:
    policies.kyverno.io/title: Add Prometheus RoleBinding
    policies.kyverno.io/category: Monitoring
    policies.kyverno.io/subject: RoleBinding
    policies.kyverno.io/minversion: 1.6.0
    policies.kyverno.io/description: >-
      This policy is responsible for ensuring that a RoleBinding for the prometheus
      monitoring instances is created to enable monitoring of  the namespace in
      question.
  labels:
    app.kubernetes.io/component: prometheus
    app.kubernetes.io/name: prometheus
    app.kubernetes.io/part-of: {{ $.Chart.Name }}
    app.kubernetes.io/managed-by: {{ $.Release.Service }}
    app.kubernetes.io/version: {{ $.Chart.Version }}
spec:
  background: true
  generateExisting: true
  rules:
    - name: generate-prometheus-binding
      match:
        any:
        - resources:
            kinds:
              - Namespace
      generate:
        synchronize: true
        apiVersion: rbac.authorization.k8s.io/v1
        kind: RoleBinding
        name: prometheus-k8s
        namespace: "{{ `{{` }}request.object.metadata.name }}"
        data:
          metadata:
            labels:
              app.kubernetes.io/component: prometheus
              app.kubernetes.io/name: prometheus
              app.kubernetes.io/part-of: {{ $.Chart.Name }}
              app.kubernetes.io/version: {{ $.Chart.Version }}
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: Role
            name: prometheus-k8s
          subjects:
          - kind: ServiceAccount
            name: prometheus-k8s
            namespace: "{{ .Values.nfc_monitoring.prometheus.namespace }}"
{{ end }}