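{{- /*
Helm pre-install/pre-upgrade hook that applies the Gatekeeper CRDs.

Renders, when .Values.upgradeCRDs.enabled is set:
  - a ClusterRole and ClusterRoleBinding (only when .Values.rbac.create is set)
  - a ServiceAccount (always; the Job references it by name)
  - a Job that runs the CRD image with "apply -f crds/"

Templated label and namespace values are quoted so that a release name or
namespace that looks like a number or boolean (for example "123") is still
emitted as a YAML string, matching the quoting already used on the pod
template labels.
*/ -}}
{{- if .Values.upgradeCRDs.enabled }}
{{- if .Values.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: gatekeeper-admin-upgrade-crds
  labels:
    release: '{{ .Release.Name }}'
    heritage: '{{ .Release.Service }}'
  annotations:
    helm.sh/hook: pre-install,pre-upgrade
    # Deleted on success and before the next hook run only: a failed hook
    # leaves this cluster-scoped role (and its binding) in place until the
    # next install/upgrade or manual cleanup.
    helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
    helm.sh/hook-weight: "1"
rules:
  # Write access to every CustomResourceDefinition in the cluster; there is
  # no resourceNames restriction on this rule.
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "create", "update", "patch"]
  # Anything supplied in upgradeCRDs.extraRules is appended to this
  # ClusterRole and therefore granted cluster-wide; review it as such.
  {{- with .Values.upgradeCRDs.extraRules }}
    {{- toYaml . | nindent 2 }}
  {{- end }}
{{- end }}
---
{{- if .Values.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: gatekeeper-admin-upgrade-crds
  labels:
    release: '{{ .Release.Name }}'
    heritage: '{{ .Release.Service }}'
  annotations:
    helm.sh/hook: pre-install,pre-upgrade
    helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
    helm.sh/hook-weight: "1"
subjects:
  - kind: ServiceAccount
    name: gatekeeper-admin-upgrade-crds
    namespace: '{{ .Release.Namespace }}'
roleRef:
  kind: ClusterRole
  name: gatekeeper-admin-upgrade-crds
  apiGroup: rbac.authorization.k8s.io
{{- end }}
---
# Not gated on rbac.create: with rbac.create disabled the Job below still runs
# as this ServiceAccount, so the CRD permissions must be bound to it by other
# means.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    release: '{{ .Release.Name }}'
    heritage: '{{ .Release.Service }}'
  name: gatekeeper-admin-upgrade-crds
  namespace: '{{ .Release.Namespace }}'
  annotations:
    helm.sh/hook: pre-install,pre-upgrade
    helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
    helm.sh/hook-weight: "1"
---
apiVersion: batch/v1
kind: Job
metadata:
  name: gatekeeper-update-crds-hook
  namespace: '{{ .Release.Namespace }}'
  labels:
    app: '{{ template "gatekeeper.name" . }}'
    chart: '{{ template "gatekeeper.name" . }}'
    gatekeeper.sh/system: "yes"
    heritage: '{{ .Release.Service }}'
    release: '{{ .Release.Name }}'
  annotations:
    helm.sh/hook: pre-install,pre-upgrade
    helm.sh/hook-weight: "1"
    helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
spec:
  # Single attempt: the pod is never restarted and the Job is not retried.
  backoffLimit: 0
  template:
    metadata:
      name: gatekeeper-update-crds-hook
      annotations:
        {{- toYaml .Values.podAnnotations | trim | nindent 8 }}
      labels:
        {{- include "gatekeeper.podLabels" . }}
        app: '{{ template "gatekeeper.name" . }}'
        chart: '{{ template "gatekeeper.name" . }}'
        gatekeeper.sh/system: "yes"
        heritage: '{{ .Release.Service }}'
        release: '{{ .Release.Name }}'
    spec:
      serviceAccountName: gatekeeper-admin-upgrade-crds
      restartPolicy: Never
      {{- if .Values.images.pullSecrets }}
      imagePullSecrets:
        {{- toYaml .Values.images.pullSecrets | nindent 8 }}
      {{- end }}
      containers:
      - name: crds-upgrade
        # Image is referenced by repository and tag taken from values; this
        # container runs with the CRD write permissions bound above.
        image: '{{ template "system_default_registry" . }}{{ .Values.images.gatekeepercrd.repository }}:{{ .Values.images.gatekeepercrd.tag }}'
        imagePullPolicy: '{{ .Values.images.pullPolicy }}'
        args:
        - apply
        - -f
        - crds/
        resources:
          {{- toYaml .Values.crds.resources | nindent 10 }}
        securityContext:
          # The container hardening comes entirely from values. Both the
          # optional seccompProfile below and crds.securityContext render at
          # this level, so setting seccompProfile in crds.securityContext as
          # well would emit the key twice; keep it in one place.
          {{- if .Values.enableRuntimeDefaultSeccompProfile }}
          seccompProfile:
            type: RuntimeDefault
          {{- end }}
          {{- toYaml .Values.crds.securityContext | nindent 10 }}
      {{- with .Values.crds }}
      nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
      tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
      affinity:
        {{- toYaml .affinity | nindent 8 }}
      {{- end }}
{{- end }}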