{{- if and .Values.container.enabled .Values.container.autoDeploymentUpdate }}
{{- $name := (printf "%s-injector" (include "falcon-sensor.name" .)) -}}
{{- $fullName := (printf "%s.%s.svc" $name .Release.Namespace) -}}
{{- $caCert := "" -}}
{{- $tlsca := (lookup "admissionregistration.k8s.io/v1" "MutatingWebhookConfiguration" .Release.Namespace $name).webhooks -}}
{{- if kindIs "slice" $tlsca }}
{{- $ca := dict }}
{{- range $index, $wca := $tlsca -}}
  {{- $ca = dict "Cert" ($wca.clientConfig.caBundle | b64dec) }}
{{- end }}
{{- $caCert := $ca.Cert | b64enc }}
{{- end }}
---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: {{ include "falcon-sensor.name" . }}-injector
  labels:
    app: {{ include "falcon-sensor.name" . }}
    app.kubernetes.io/name: {{ include "falcon-sensor.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    app.kubernetes.io/component: "container_sensor"
    crowdstrike.com/provider: crowdstrike
    helm.sh/chart: {{ include "falcon-sensor.chart" . }}
  annotations:
    "helm.sh/hook": pre-upgrade
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
webhooks:
  - name: {{ $name }}.{{ .Release.Namespace }}.svc
    failurePolicy: Ignore
    admissionReviewVersions:
      - v1
    {{- if lt (int (semver .Capabilities.KubeVersion.Version).Minor) 22 }}
      - v1beta1
    {{- end }}
    sideEffects: None
    namespaceSelector:
      matchExpressions:
      - key: {{ .Values.container.namespaceLabelKey }}
        operator: {{ if .Values.container.disableNSInjection }}In{{ else }}NotIn{{- end }}
        values:
          - {{ if .Values.container.disableNSInjection }}enabled{{ else }}disabled{{- end }}
    {{- if lt (int (semver .Capabilities.KubeVersion.Version).Minor) 22 }}
      - key: "name"
    {{- else }}
      - key: kubernetes.io/metadata.name
    {{- end }}
        operator: "NotIn"
        values:
        - {{ .Release.Namespace }}
    clientConfig:
      {{- if .Values.container.domainName }}
      url: https://{{ $fullName }}:443/mutate
      {{- else }}
      service:
        name: {{ include "falcon-sensor.name" . }}-injector
        namespace: {{ .Release.Namespace }}
        path: "/mutate"
      {{- end }}
      caBundle: {{ $caCert }}
    rules:
      - operations:
          - CREATE
        apiGroups:
          - ""
        apiVersions:
          - v1
        resources:
          - pods
    timeoutSeconds: 30
{{- end }}