# Namespace that holds the "prometheus" service account declared below.
resource "kubernetes_namespace" "prometheus" {
  metadata {
    name = "prometheus"
  }
}

# Service account that the ClusterRoleBinding below ties to the "prometheus"
# ClusterRole. Token automount is disabled at the ServiceAccount level, so a
# pod receives an API token only if its own spec opts in. The workload that
# uses this account is not part of this file.
resource "kubernetes_service_account" "prometheus" {
  metadata {
    name      = "prometheus"
    namespace = kubernetes_namespace.prometheus.metadata[0].name
  }

  automount_service_account_token = false
}

# Cluster-wide permissions for the account. No rule grants a mutating verb,
# but "get" on the proxy subresources is still a broad grant (see notes).
resource "kubernetes_cluster_role" "prometheus" {
  metadata {
    name = "prometheus"
  }

  # Discovery of scrape targets plus node-level metrics.
  # NOTE(review): nodes/proxy exposes the kubelet API through the API server,
  # which reaches well beyond metrics endpoints. Keep it only if the scrape
  # configuration (not shown here) really uses the node proxy path; otherwise
  # nodes/metrics may be sufficient.
  rule {
    api_groups = [""]
    resources = [
      "nodes",
      "nodes/metrics",
      "nodes/proxy",
      "services",
      "endpoints",
      "pods",
    ]
    verbs = ["get", "list", "watch"]
  }

  # NOTE(review): a ClusterRole bound cluster-wide makes this "get" apply to
  # ConfigMaps in every namespace. If only Prometheus' own configuration is
  # needed, a namespaced Role would be narrower - confirm against the workload.
  rule {
    api_groups = [""]
    resources  = ["configmaps"]
    verbs      = ["get"]
  }

  # Ingress objects, read-only.
  rule {
    api_groups = ["networking.k8s.io"]
    resources  = ["ingresses"]
    verbs      = ["get", "list", "watch"]
  }

  # NOTE(review): pods/proxy and services/proxy let this account issue GET
  # requests to any HTTP endpoint of any pod or service via the API server,
  # not only metrics paths. Confirm the scrape configuration needs
  # proxy-based scraping before keeping this rule.
  rule {
    api_groups = [""]
    resources = [
      "pods/proxy",
      "services/proxy",
    ]
    verbs = ["get", "list", "watch"]
  }

  # Non-resource URL: the /metrics path served by the API server itself.
  rule {
    non_resource_urls = ["/metrics"]
    verbs             = ["get"]
  }
}

# Grants the ClusterRole above to the service account in every namespace.
# A ClusterRoleBinding cannot be scoped down; per-namespace RoleBindings are
# the narrower alternative.
resource "kubernetes_cluster_role_binding" "prometheus" {
  metadata {
    name = "prometheus"
  }

  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = kubernetes_cluster_role.prometheus.metadata[0].name
  }

  subject {
    kind      = "ServiceAccount"
    name      = kubernetes_service_account.prometheus.metadata[0].name
    namespace = kubernetes_service_account.prometheus.metadata[0].namespace
  }
}