{{ $tls := fromYaml ( include "appmesh-controller.gen-certs" . ) }}
{{ $fullName := ( include "appmesh-controller.fullname" . ) }}
{{ $webhookConfig := .Files.Get "webhookconfig.yaml" | fromYaml }}
---
{{- if .Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1" }}
apiVersion: admissionregistration.k8s.io/v1
{{- else }}
apiVersion: admissionregistration.k8s.io/v1beta1
{{- end }}
kind: MutatingWebhookConfiguration
metadata:
{{- if $.Values.enableCertManager }}
  annotations:
    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ template "appmesh-controller.fullname" . }}-serving-cert
{{- end }}
  name: {{ template "appmesh-controller.fullname" . }}-mutating-webhook-configuration
  labels:
{{ include "appmesh-controller.labels" . | indent 4 }}
webhooks:
{{- range $res := $webhookConfig.customResources }}
- clientConfig:
    service:
      name: {{ $fullName }}-webhook-service
      namespace: {{ $.Release.Namespace }}
      path: /mutate-appmesh-k8s-aws-v1beta2-{{ $res.name }}
    caBundle: {{ if not $.Values.enableCertManager -}}{{ $tls.caCert }}{{- else -}}Cg=={{ end }}
  failurePolicy: Fail
  name: m{{ $res.name }}.appmesh.k8s.aws
  rules:
  - apiGroups:
    - appmesh.k8s.aws
    apiVersions:
    - v1beta2
    operations:
    - CREATE
    - UPDATE
    resources:
    - {{ $res.resource }}
  sideEffects: None
  admissionReviewVersions:
  - v1beta1
{{- end }}
- clientConfig:
    caBundle: {{ if not $.Values.enableCertManager -}}{{ $tls.caCert }}{{- else -}}Cg=={{ end }}
    service:
      name: {{ $fullName }}-webhook-service
      namespace: {{ $.Release.Namespace }}
      path: /mutate-v1-pod
  failurePolicy: Fail
  name: mpod.appmesh.k8s.aws
  namespaceSelector:
    matchExpressions:
      - key: appmesh.k8s.aws/sidecarInjectorWebhook
        operator: In
        values:
          - enabled
          - disabled
  rules:
  - apiGroups:
    - ""
    apiVersions:
    - v1
    operations:
    - CREATE
    resources:
    - pods
  sideEffects: None
  admissionReviewVersions:
  - v1beta1
---
{{- if .Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1" }}
apiVersion: admissionregistration.k8s.io/v1
{{- else }}
apiVersion: admissionregistration.k8s.io/v1beta1
{{- end }}
kind: ValidatingWebhookConfiguration
metadata:
{{- if $.Values.enableCertManager }}
  annotations:
    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ template "appmesh-controller.fullname" . }}-serving-cert
{{- end }}
  name: {{ template "appmesh-controller.fullname" . }}-validating-webhook-configuration
  labels:
{{ include "appmesh-controller.labels" . | indent 4 }}
webhooks:
{{- range $res := $webhookConfig.customResources }}
- clientConfig:
    service:
      name: {{ $fullName }}-webhook-service
      namespace: {{ $.Release.Namespace }}
      path: /validate-appmesh-k8s-aws-v1beta2-{{ $res.name }}
    caBundle: {{ if not $.Values.enableCertManager -}}{{ $tls.caCert }}{{- else -}}Cg=={{ end }}
  failurePolicy: Fail
  name: v{{ $res.name }}.appmesh.k8s.aws
  rules:
  - apiGroups:
    - appmesh.k8s.aws
    apiVersions:
    - v1beta2
    operations:
    - CREATE
    - UPDATE
    resources:
    - {{ $res.resource }}
  sideEffects: None
  admissionReviewVersions:
  - v1beta1
{{- end }}
---
{{- if not $.Values.enableCertManager }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ template "appmesh-controller.fullname" . }}-webhook-server-cert
  namespace: {{ .Release.Namespace }}
  labels:
{{ include "appmesh-controller.labels" . | indent 4 }}
type: kubernetes.io/tls
data:
  ca.crt: {{ $tls.caCert }}
  tls.crt: {{ $tls.clientCert }}
  tls.key: {{ $tls.clientKey }}
{{- else }}
{{- if .Capabilities.APIVersions.Has "cert-manager.io/v1" }}
apiVersion: cert-manager.io/v1
{{- else }}
apiVersion: cert-manager.io/v1alpha2
{{- end }}
kind: Certificate
metadata:
  name: {{ template "appmesh-controller.fullname" . }}-serving-cert
  namespace: {{ .Release.Namespace }}
  labels:
{{ include "appmesh-controller.labels" . | indent 4 }}
spec:
  dnsNames:
  - {{ template "appmesh-controller.fullname" . }}-webhook-service.{{ .Release.Namespace }}.svc
  - {{ template "appmesh-controller.fullname" . }}-webhook-service.{{ .Release.Namespace }}.svc.cluster.local
  issuerRef:
    kind: Issuer
    name: {{ template "appmesh-controller.fullname" . }}-selfsigned-issuer
  secretName: {{ template "appmesh-controller.fullname" . }}-webhook-server-cert
---
{{- if .Capabilities.APIVersions.Has "cert-manager.io/v1" }}
apiVersion: cert-manager.io/v1
{{- else }}
apiVersion: cert-manager.io/v1alpha2
{{- end }}
kind: Issuer
metadata:
  name: {{ template "appmesh-controller.fullname" . }}-selfsigned-issuer
  namespace: {{ .Release.Namespace }}
  labels:
{{ include "appmesh-controller.labels" . | indent 4 }}
spec:
  selfSigned: {}
{{- end }}