{{- if and .Values.webhook.enable .Values.webhook.mutate -}}
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: polaris-mutate-webhook
  annotations:
    {{- if not .Values.webhook.secretName }}
    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "polaris.fullname" . }}-cert
    {{- end }}
    {{- range $key, $value := .Values.webhook.validatingConfigurationAnnotations }}
    {{ $key }}: {{ $value | quote }}
    {{- end }}
webhooks:
- admissionReviewVersions:
  - v1
  - v1beta1
  clientConfig:
    {{- if .Values.webhook.caBundle }}
    caBundle: {{ .Values.webhook.caBundle | quote }}
    {{- end }}
    service:
      name: {{ include "polaris.fullname" . }}-webhook
      namespace: {{ .Release.Namespace }}
      path: /mutate
      port: 443
  failurePolicy: {{ .Values.webhook.failurePolicy }}
  matchPolicy: {{ .Values.webhook.matchPolicy }}
  name: polaris.fairwinds.com
  namespaceSelector:
    {{ .Values.webhook.namespaceSelector | toYaml | nindent 4 }}
  objectSelector:
    {{ .Values.webhook.objectSelector | toYaml | nindent 4 }}
  rules:
  {{- concat .Values.webhook.mutatingRules .Values.webhook.defaultRules | toYaml | nindent 2 }}
  sideEffects: None
  timeoutSeconds: 10
{{- end -}}