{{ $tls := fromYaml ( include "secret-inject.gen-certs" . ) }}
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
  name: aws-secret-inject
webhooks:
  - name: aws-secret-inject.aws.amazon.com
    clientConfig:
      service:
        name: "secret-inject"
        namespace: {{ .Release.Namespace }}
        path: "/mutating-pods"
      caBundle: {{ $tls.caCert }}
    rules:
      - operations: ["CREATE","UPDATE"]
        apiGroups: [""]
        apiVersions: ["v1"]
        resources: ["pods"]
    failurePolicy: Ignore
    admissionReviewVersions: ["v1beta1"]
    timeoutSeconds: 5
---
apiVersion: v1
kind: Secret
metadata:
  name: "secret-inject-tls"
type: kubernetes.io/tls
data:
  tls.crt: {{ $tls.clientCert }}
  tls.key: {{ $tls.clientKey }}