{{- $ca := genCA "admission-controller-ca" 3650 -}}
{{- $cn := printf "kubeslice-webhook-service" -}}
{{- $altName1 := printf "%s.%s.svc" $cn .Release.Namespace }}
{{- $altName2 := printf "%s.%s.svc.cluster.local" $cn .Release.Namespace }}
{{- $cert := genSignedCert $cn nil (list $altName1 $altName2) 3650 $ca -}}
apiVersion: v1
kind: Secret
metadata:
  name: kubeslice-admission-webhook-certs
  namespace: {{ .Release.Namespace }}
type: Opaque
data:
  tls.crt: {{ $cert.Cert | b64enc }}
  tls.key: {{ $cert.Key | b64enc }}
---
apiVersion: v1
kind: Service
metadata:
  name: kubeslice-webhook-service
  namespace: {{ .Release.Namespace }}
spec:
  ports:
  - port: 443
    targetPort: 9443
  selector:
    control-plane: controller-manager
---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  creationTimestamp: null
  name: kubeslice-mutating-webhook-configuration
webhooks:
- admissionReviewVersions:
  - v1
  clientConfig:
    caBundle: {{ $ca.Cert | b64enc }}
    service:
      name: kubeslice-webhook-service
      namespace: {{ .Release.Namespace }}
      path: /mutate-webhook
  failurePolicy: Fail
  name: webhook.kubeslice.io
  rules:
  - apiGroups:
    - ""
    - apps
    apiVersions:
    - v1
    operations:
    - CREATE
    - UPDATE
    resources:
    - pods
    - deployments
    - statefulsets
    - daemonsets
  sideEffects: NoneOnDryRun
  namespaceSelector:
    matchExpressions:
    - key: kubeslice.io/slice
      operator: Exists
    - key: name
      operator: NotIn
      values:
        - kube-system
        - spire
        - {{ .Release.Namespace | quote}}
        - {{ .Values.controllerNamespace | quote }}
    - key: kubernetes.io/metadata.name
      operator: NotIn
      values:
        - kube-system
        - spire
        - {{ .Release.Namespace | quote }}
        - {{ .Values.controllerNamespace | quote }}