# yamllint disable rule:hyphens rule:commas rule:indentation rule:brackets rule:line-length
apiVersion: v1
kind: ServiceAccount
metadata:
  name: danm-webhook
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: caas:danm-webhook
rules:
- apiGroups:
  - danm.k8s.io
  resources:
  - tenantconfigs
  verbs: [ "*" ]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: caas:danm-webhook
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: caas:danm-webhook
subjects:
- kind: ServiceAccount
  name: danm-webhook
  namespace: kube-system
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
  name: danm-webhook-config
  namespace: kube-system
webhooks:
  - name: danm-netvalidation.nokia.k8s.io
    clientConfig:
      service:
        name: danm-webhook-svc
        namespace: kube-system
        path: "/netvalidation"
      # Configure your pre-generated certificate matching the details of your environment
      caBundle: <CA_BUNDLE>
    rules:
      - operations: ["CREATE","UPDATE"]
        apiGroups: ["danm.k8s.io"]
        apiVersions: ["v1"]
        resources: ["danmnets","clusternetworks","tenantnetworks"]
    failurePolicy: Fail
  - name: danm-configvalidation.nokia.k8s.io
    clientConfig:
      service:
        name: danm-webhook-svc
        namespace: kube-system
        path: "/confvalidation"
      # Configure your pre-generated certificate matching the details of your environment
      caBundle: <CA_BUNDLE>
    rules:
      - operations: ["CREATE","UPDATE"]
        apiGroups: ["danm.k8s.io"]
        apiVersions: ["v1"]
        resources: ["tenantconfigs"]
    failurePolicy: Fail
  - name: danm-netdeletion.nokia.k8s.io
    clientConfig:
      service:
        name: danm-webhook-svc
        namespace: kube-system
        path: "/netdeletion"
      # Configure your pre-generated certificate matching the details of your environment
      caBundle: <CA_BUNDLE>
    rules:
      - operations: ["DELETE"]
        apiGroups: ["danm.k8s.io"]
        apiVersions: ["v1"]
        resources: ["tenantnetworks"]
    failurePolicy: Fail
---
apiVersion: v1
kind: Service
metadata:
  name: danm-webhook-svc
  namespace: kube-system
  labels:
    danm: webhook
spec:
  ports:
  - name: webhook
    port: 443
    targetPort: 8443
  selector:
    danm: webhook
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: danm-webhook-deployment
  namespace: kube-system
  labels:
    danm: webhook
spec:
  selector:
    matchLabels:
     danm: webhook
  template:
    metadata:
      annotations:
        # Adapt to your own network environment!
        danm.k8s.io/interfaces: |
          [
            {
              "network":"flannel"
            }
          ]
      name: danm-webhook
      labels:
        danm: webhook
    spec:
      serviceAccountName: danm-webhook
      containers:
        - name: danm-webhook
          image: danm_webhook
          command: [ "/usr/local/bin/webhook", "-tls-cert-bundle=/etc/webhook/certs/danm_webhook.crt", "-tls-private-key-file=/etc/webhook/certs/danm_webhook.key", "bind-port=8443" ]
          imagePullPolicy: IfNotPresent
          volumeMounts:
            - name: webhook-certs
              mountPath: /etc/webhook/certs
              readOnly: true
      # Configure the directory holding the Webhook's server certificates
      volumes:
        - name: webhook-certs
          hostPath:
            path: /etc/kubernetes/ssl/