{{- if not .Values.disableMutation }}
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  annotations: {{- toYaml .Values.mutatingWebhookAnnotations | trim | nindent 4 }}
  labels:
    app: '{{ template "gatekeeper.name" . }}'
    chart: '{{ template "gatekeeper.name" . }}'
    gatekeeper.sh/system: "yes"
    heritage: '{{ .Release.Service }}'
    release: '{{ .Release.Name }}'
  name: gatekeeper-mutating-webhook-configuration
webhooks:
- admissionReviewVersions:
  - v1
  - v1beta1
  clientConfig:
    service:
      name: gatekeeper-webhook-service
      namespace: '{{ .Release.Namespace }}'
      path: /v1/mutate
  failurePolicy: {{ .Values.mutatingWebhookFailurePolicy }}
  matchPolicy: Exact
  name: mutation.gatekeeper.sh
  namespaceSelector:
    matchExpressions:
    - key: admission.gatekeeper.sh/ignore
      operator: DoesNotExist
    
    {{- range $key, $value := .Values.mutatingWebhookExemptNamespacesLabels}}
    - key: {{ $key }}
      operator: NotIn
      values:
      {{- range $value }}
      - {{ . }}
      {{- end }}
    {{- end }}
  objectSelector: {{ toYaml .Values.mutatingWebhookObjectSelector }}
  reinvocationPolicy: {{ .Values.mutatingWebhookReinvocationPolicy }}
  rules:
  {{- if .Values.mutatingWebhookCustomRules }}
  {{- toYaml .Values.mutatingWebhookCustomRules | nindent 2 }}
  {{- else }}
  - apiGroups:
    - '*'
    apiVersions:
    - '*'
    operations:
    - CREATE
    - UPDATE
    resources:
    - '*'
  {{- end }}
  sideEffects: None
  timeoutSeconds: {{ .Values.mutatingWebhookTimeoutSeconds }}
{{- end }}