---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: pre-install
  labels:
    app.kubernetes.io/part-of: nginx-service-mesh
  annotations:
    "helm.sh/hook": pre-install
    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
    "helm.sh/hook-weight": "-5"
imagePullSecrets:
- name: {{ include "registry-key-name" . }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pre-install.builtin.nsm.nginx
  labels:
    app.kubernetes.io/part-of: nginx-service-mesh
  annotations:
    "helm.sh/hook": pre-install
    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
    "helm.sh/hook-weight": "-5"
rules:
- apiGroups:
  - ''
  resources:
  - namespaces
  verbs:
  - get
  - list
  - patch
{{- if eq .Values.environment "openshift" }}
- apiGroups:
  - security.openshift.io
  resources:
  - securitycontextconstraints
  resourceNames:
  - pre-install-permissions.builtin.nsm.nginx
  verbs:
  - use
---
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: pre-install-permissions.builtin.nsm.nginx
  labels:
    app.kubernetes.io/part-of: nginx-service-mesh
  annotations:
    "helm.sh/hook": pre-install
    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
    "helm.sh/hook-weight": "-5"
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegedContainer: false
seLinuxContext:
  type: MustRunAs
runAsUser:
  type: RunAsAny
readOnlyRootFilesystem: false
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: pre-install.builtin.nsm.nginx
  labels:
    app.kubernetes.io/part-of: nginx-service-mesh
  annotations:
    "helm.sh/hook": pre-install
    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
    "helm.sh/hook-weight": "-5"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: pre-install.builtin.nsm.nginx
subjects:
- kind: ServiceAccount
  name: pre-install
  namespace: {{ .Release.Namespace }}
{{- if (include "docker-config-json" .) }}
---
apiVersion: v1
kind: Secret
metadata:
  name: {{ include "registry-key-name" . }}
  labels:
    app.kubernetes.io/part-of: nginx-service-mesh
  annotations:
    "helm.sh/hook": pre-install
    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
    "helm.sh/hook-weight": "-5"
data:
  .dockerconfigjson: {{ include "docker-config-json" . | b64enc }}
type: kubernetes.io/dockerconfigjson
{{- end }}
---
apiVersion: batch/v1
kind: Job
metadata:
  name: label-namespace
  labels:
    app.kubernetes.io/part-of: nginx-service-mesh
  annotations:
    "helm.sh/hook": pre-install
    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
    "helm.sh/hook-weight": "0"
spec:
  template:
    metadata:
      name: label-namespace
    spec:
      restartPolicy: Never
      serviceAccountName: pre-install
      containers:
      - name: label-namespace
        image: {{ include "hook.image-server" . }}/kubectl
        imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
        securityContext:
          runAsUser: 0
        command:
        - /bin/sh
        - -c
        - |
          kubectl label namespace kube-system injector.nsm.nginx.com/auto-inject=false
          kubectl label namespace {{ .Release.Namespace }} --overwrite injector.nsm.nginx.com/auto-inject=false app.kubernetes.io/part-of=nginx-service-mesh
          {{- if .Values.rancher }}
          kubectl label namespace ingress-nginx cert-manager injector.nsm.nginx.com/auto-inject=false
          for ns in $(kubectl get ns | awk '{print $1}' | tail -n +2); do
            case "$ns" in
              cattle-*) kubectl label namespace $ns injector.nsm.nginx.com/auto-inject=false ;;
            esac
          done
          {{- end }}