apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: {{ .Release.Name }}
  {{- if .Values.certificates.certManager.enabled }}
  annotations:
    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ .Release.Name }}
  {{- end }}
  labels: {{ include "gmsa.chartref" . | nindent 4 }}
webhooks:
  - name: admission-webhook.windows-gmsa.sigs.k8s.io
    clientConfig:
      service:
        name: {{ .Release.Name }}
        namespace: {{.Release.Namespace}}
        path: "/mutate"
      {{- if not (.Values.certificates.certManager.enabled) }}
      caBundle: {{ template "certificates.cabundle" . }}
      {{- end }}
    rules:
      - operations: ["CREATE"]
        apiGroups: [""]
        apiVersions: ["*"]
        resources: ["pods"]
    failurePolicy: Fail
    admissionReviewVersions: ["v1", "v1beta1"]
    sideEffects: None
    # don't run on ${NAMESPACE}
    namespaceSelector:
      matchExpressions:
        - key: gmsa-webhook
          operator: NotIn
          values: [disabled]