kind: ValidatingWebhookConfiguration
apiVersion: admissionregistration.k8s.io/v1
metadata:
  name: {{ .Chart.Name }}
  labels:
    app: {{ template "notary-admission.name" . }}
    chart: {{ template "notary-admission.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
    billing: {{ .Values.labels.billing }}
    env: {{ .Values.labels.env }}
    owner: {{ .Values.labels.owner }}
webhooks:
  - name: workloads.{{ .Chart.Name }}.aws.com
    failurePolicy: {{ .Values.admission.failurePolicy }}
    namespaceSelector:
      matchExpressions:
      - key: "{{ .Chart.Name }}-ignore"
        operator: NotIn
        values:
        - ignore
    rules:
      - operations: {{ toYaml .Values.admission.operations | nindent 8 }}
        apiGroups: ["*"]
        apiVersions: {{ toYaml .Values.admission.apiVersions | nindent 8 }}
        resources: {{ toYaml .Values.admission.resources | nindent 8 }}
    clientConfig:
      caBundle: {{ .Values.server.tls.secrets.cabundle }}
      service:
        namespace: {{ .Chart.Name }}
        name: {{ .Chart.Name }}
        path: {{ .Values.server.endpoints.validation }}
        port: {{ .Values.service.ports.https }}
    admissionReviewVersions: {{ toYaml .Values.admission.reviewVersions | nindent 4 }}
    sideEffects: None