apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: gatekeeper-admin-upgrade-crds
  labels:
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
  annotations:
    helm.sh/hook: pre-install,pre-upgrade
    helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
    helm.sh/hook-weight: "1"
rules:
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "create", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: gatekeeper-admin-upgrade-crds
  labels:
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
  annotations:
    helm.sh/hook: pre-install,pre-upgrade
    helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
    helm.sh/hook-weight: "1"
subjects:
  - kind: ServiceAccount
    name: gatekeeper-admin-upgrade-crds
    namespace: {{ .Release.Namespace }}
roleRef:
  kind: ClusterRole
  name: gatekeeper-admin-upgrade-crds
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
  name: gatekeeper-admin-upgrade-crds
  namespace: '{{ .Release.Namespace }}'
  annotations:
    helm.sh/hook: pre-install,pre-upgrade
    helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
    helm.sh/hook-weight: "1"
---
apiVersion: batch/v1
kind: Job
metadata:
  name: gatekeeper-update-crds-hook
  namespace: {{ .Release.Namespace }}
  labels:
    app: {{ template "gatekeeper.name" . }}
    chart: {{ template "gatekeeper.name" . }}
    gatekeeper.sh/system: "yes"
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
  annotations:
    helm.sh/hook: pre-install,pre-upgrade
    helm.sh/hook-weight: "1"
    helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
spec:
  backoffLimit: 0
  template:
    metadata:
      name: gatekeeper-update-crds-hook
    spec:
      serviceAccountName: gatekeeper-admin-upgrade-crds
      restartPolicy: Never
      containers:
      - name: crds-upgrade
        image: '{{ template "system_default_registry" . }}{{ .Values.images.gatekeepercrd.repository }}:{{ .Values.images.gatekeepercrd.tag }}'
        imagePullPolicy: '{{ .Values.images.pullPolicy }}'
        args:
        - apply
        - -f
        - crds/
      nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
      tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}