apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: gateway-cert-operator
  labels:
    app.kubernetes.io/name: gateway-cert-operator
    app.kubernetes.io/component: operator
rules:
  # Watch and read Certificates
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates"]
    verbs: ["get", "list", "watch"]
  # Read and patch Gateways
  - apiGroups: ["gateway.networking.k8s.io"]
    resources: ["gateways"]
    verbs: ["get", "list", "watch", "patch"]
  # Emit events
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]