{{- if .Values.upgradeCRDs.enabled }}
{{- if .Values.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: gatekeeper-admin-upgrade-crds
  labels:
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
  annotations:
    helm.sh/hook: pre-install,pre-upgrade
    helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
    helm.sh/hook-weight: "1"
rules:
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "create", "update", "patch"]
{{- end }}
---
{{- if .Values.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: gatekeeper-admin-upgrade-crds
  labels:
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
  annotations:
    helm.sh/hook: pre-install,pre-upgrade
    helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
    helm.sh/hook-weight: "1"
subjects:
  - kind: ServiceAccount
    name: gatekeeper-admin-upgrade-crds
    namespace: {{ .Release.Namespace }}
roleRef:
  kind: ClusterRole
  name: gatekeeper-admin-upgrade-crds
  apiGroup: rbac.authorization.k8s.io
{{- end }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
  name: gatekeeper-admin-upgrade-crds
  namespace: '{{ .Release.Namespace }}'
  annotations:
    helm.sh/hook: pre-install,pre-upgrade
    helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
    helm.sh/hook-weight: "1"
---
apiVersion: batch/v1
kind: Job
metadata:
  name: gatekeeper-update-crds-hook
  namespace: {{ .Release.Namespace }}
  labels:
    app: {{ template "gatekeeper.name" . }}
    chart: {{ template "gatekeeper.name" . }}
    gatekeeper.sh/system: "yes"
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
  annotations:
    helm.sh/hook: pre-install,pre-upgrade
    helm.sh/hook-weight: "1"
    helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
spec:
  backoffLimit: 0
  template:
    metadata:
      name: gatekeeper-update-crds-hook
    spec:
      serviceAccountName: gatekeeper-admin-upgrade-crds
      restartPolicy: Never
      {{- if .Values.images.pullSecrets }}
      imagePullSecrets:
        {{- toYaml .Values.images.pullSecrets | nindent 8 }}
      {{- end }}
      containers:
      - name: crds-upgrade
        image: '{{ template "system_default_registry" . }}{{ .Values.images.gatekeepercrd.repository }}:{{ .Values.images.gatekeepercrd.tag }}'
        imagePullPolicy: '{{ .Values.images.pullPolicy }}'
        args:
        - apply
        - -f
        - crds/
        resources:
          {{- toYaml .Values.crds.resources | nindent 10 }}
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - all
          readOnlyRootFilesystem: true
          runAsGroup: 65532
          runAsNonRoot: true
          runAsUser: 65532
      nodeSelector:
        kubernetes.io/os: linux

{{- end }}