{{- if not .Values.disableValidatingWebhook }}
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  labels:
    app: '{{ template "gatekeeper.name" . }}'
    chart: '{{ template "gatekeeper.name" . }}'
    gatekeeper.sh/system: "yes"
    heritage: '{{ .Release.Service }}'
    release: '{{ .Release.Name }}'
  name: gatekeeper-validating-webhook-configuration
webhooks:
- admissionReviewVersions:
  - v1
  - v1beta1
  clientConfig:
    service:
      name: gatekeeper-webhook-service
      namespace: '{{ .Release.Namespace }}'
      path: /v1/admit
  failurePolicy: {{ .Values.validatingWebhookFailurePolicy }}
  matchPolicy: Exact
  name: validation.gatekeeper.sh
  namespaceSelector:
    matchExpressions:
    - key: admission.gatekeeper.sh/ignore
      operator: DoesNotExist
    
    {{- range $key, $value := .Values.validatingWebhookExemptNamespacesLabels}}
    - key: {{ $key }}
      operator: NotIn
      value: {{ $value }}
    {{- end }}
  rules:
  {{- if .Values.validatingWebhookCustomRules }}
  {{- toYaml .Values.validatingWebhookCustomRules | nindent 2 }}
  {{- else }}
  - apiGroups:
    - '*'
    apiVersions:
    - '*'
    operations:
    - CREATE
    - UPDATE
    {{- if .Values.enableDeleteOperations }}
    - DELETE
    {{- end }}
    resources:
    - '*'
  {{- end }}
  sideEffects: None
  timeoutSeconds: {{ .Values.validatingWebhookTimeoutSeconds }}
- admissionReviewVersions:
  - v1
  - v1beta1
  clientConfig:
    service:
      name: gatekeeper-webhook-service
      namespace: '{{ .Release.Namespace }}'
      path: /v1/admitlabel
  failurePolicy: {{ .Values.validatingWebhookCheckIgnoreFailurePolicy }}
  matchPolicy: Exact
  name: check-ignore-label.gatekeeper.sh
  rules:
  - apiGroups:
    - ""
    apiVersions:
    - '*'
    operations:
    - CREATE
    - UPDATE
    resources:
    - namespaces
  sideEffects: None
  timeoutSeconds: {{ .Values.validatingWebhookTimeoutSeconds }}
{{- end }}