{{- if (and .Values.ingressController.admissionWebhook.enabled .Values.ingressController.enabled) }}
{{- $certCert := "" -}}
{{- $certKey := "" -}}
{{- $caCert := "" -}}
{{- $caKey := "" -}}
{{- if not .Values.ingressController.admissionWebhook.certificate.provided }}
{{- $cn := printf "%s.%s.svc" ( include "kong.service.validationWebhook" . ) ( include "kong.namespace" . ) -}}
{{- $ca := genCA "kong-admission-ca" 3650 -}}
{{- $cert := genSignedCert $cn nil (list $cn) 3650 $ca -}}
{{- $certCert = $cert.Cert -}}
{{- $certKey = $cert.Key -}}
{{- $caCert = $ca.Cert -}}
{{- $caKey = $ca.Key -}}

{{- $caSecret := (lookup "v1" "Secret" (include "kong.namespace" .) (printf "%s-validation-webhook-ca-keypair" (include "kong.fullname" .))) -}}
{{- $certSecret := (lookup "v1" "Secret" (include "kong.namespace" .) (printf "%s-validation-webhook-keypair" (include "kong.fullname" .))) -}}
{{- if $certSecret }}
{{- $certCert = (b64dec (get $certSecret.data "tls.crt")) -}}
{{- $certKey = (b64dec (get $certSecret.data "tls.key")) -}}
{{- end }}
{{- if $caSecret }}
{{- $caCert = (b64dec (get $caSecret.data "tls.crt")) -}}
{{- $caKey = (b64dec (get $caSecret.data "tls.key")) -}}
{{- end }}
{{- end }}
kind: ValidatingWebhookConfiguration
{{- if .Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1" }}
apiVersion: admissionregistration.k8s.io/v1
{{- else }}
apiVersion: admissionregistration.k8s.io/v1beta1
{{- end }}
metadata:
  name: {{ template "kong.fullname" . }}-validations
  namespace: {{ template "kong.namespace" . }}
  labels:
    {{- include "kong.metaLabels" . | nindent 4 }}
  {{- if .Values.ingressController.admissionWebhook.annotations }}
  annotations:
  {{- range $key, $value := .Values.ingressController.admissionWebhook.annotations }}
    {{ $key }}: {{ $value | quote }}
  {{- end }}
  {{- end }}
webhooks:
- name: validations.kong.konghq.com
  {{- with .Values.ingressController.admissionWebhook.namespaceSelector }}
  namespaceSelector:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  {{- with .Values.ingressController.admissionWebhook.timeoutSeconds }}
  timeoutSeconds: {{ . }}
  {{- end }}
  objectSelector:
    matchExpressions:
    - key: owner
      operator: NotIn
      values:
      - helm
  failurePolicy: {{ .Values.ingressController.admissionWebhook.failurePolicy }}
  sideEffects: None
  admissionReviewVersions: ["v1beta1"]
  rules:
  - apiGroups:
    - configuration.konghq.com
    apiVersions:
    - '*'
    operations:
    - CREATE
    - UPDATE
    resources:
    - kongconsumers
    - kongplugins
{{- if (semverCompare ">= 2.0.4" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
    - kongclusterplugins
{{- end }}
{{- if (semverCompare ">= 2.8.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
    - kongingresses
{{- end }}
  - apiGroups:
    - ''
    apiVersions:
    - 'v1'
    operations:
{{- if (semverCompare ">= 2.12.1" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
    - CREATE
{{- end }}
    - UPDATE
    resources:
    - secrets
{{- if (semverCompare ">= 3.0.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
    - services
{{- end }}
{{- if (semverCompare ">= 2.12.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
  - apiGroups:
    - networking.k8s.io
    apiVersions:
      - 'v1'
    operations:
    - CREATE
    - UPDATE
    resources:
    - ingresses
  - apiGroups:
    - gateway.networking.k8s.io
    apiVersions:
    - 'v1alpha2'
    - 'v1beta1'
{{- if (semverCompare ">= 3.0.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
    - 'v1'
{{- end }}
    operations:
    - CREATE
    - UPDATE
    resources:
    - gateways
    - httproutes
{{- end }}
  clientConfig:
    {{- if not .Values.ingressController.admissionWebhook.certificate.provided }}
    caBundle: {{ b64enc $caCert }}
    {{- else }}
    {{- if .Values.ingressController.admissionWebhook.certificate.caBundle }}
    caBundle: {{ b64enc .Values.ingressController.admissionWebhook.certificate.caBundle }}
    {{- end }}
    {{- end }}
    service:
      name: {{ template "kong.service.validationWebhook" . }}
      namespace: {{ template "kong.namespace" . }}
---
apiVersion: v1
kind: Service
metadata:
  name: {{ template "kong.service.validationWebhook" . }}
  namespace: {{ template "kong.namespace" . }}
  labels:
    {{- include "kong.metaLabels" . | nindent 4 }}
    {{- if .Values.ingressController.admissionWebhook.service.labels }}
      {{- toYaml .Values.ingressController.admissionWebhook.service.labels | nindent 4 }}
    {{- end }}
spec:
  ports:
  - name: webhook
    port: 443
    protocol: TCP
    targetPort: webhook
  selector:
    {{- include "kong.metaLabels" . | nindent 4 }}
    app.kubernetes.io/component: app
{{- if not .Values.ingressController.admissionWebhook.certificate.provided }}
---
apiVersion: v1
kind: Secret
metadata:
  name: {{ template "kong.fullname" . }}-validation-webhook-ca-keypair
  namespace:  {{ template "kong.namespace" . }}
  labels:
    {{- include "kong.metaLabels" . | nindent 4 }}
type: kubernetes.io/tls
data:
    tls.crt: {{ b64enc $caCert  }}
    tls.key: {{ b64enc $caKey  }}
---
apiVersion: v1
kind: Secret
metadata:
  name: {{ template "kong.fullname" . }}-validation-webhook-keypair
  namespace:  {{ template "kong.namespace" . }}
  labels:
    {{- include "kong.metaLabels" . | nindent 4 }}
type: kubernetes.io/tls
data:
  tls.crt: {{ b64enc $certCert }}
  tls.key: {{ b64enc $certKey }}
{{- end }}
{{- end }}