{{- if .Values.webhook.create }}
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: secretstore-validate
  labels:
    external-secrets.io/component: webhook
    {{- with .Values.commonLabels }}
    {{ toYaml . | nindent 4 }}
    {{- end }}
  {{- if and .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
  annotations:
    cert-manager.io/inject-ca-from: {{ template "external-secrets.namespace" . }}/{{ include "external-secrets.fullname" . }}-webhook
  {{- end }}
webhooks:
- name: "validate.secretstore.external-secrets.io"
  rules:
  - apiGroups:   ["external-secrets.io"]
    apiVersions: ["v1beta1"]
    operations:  ["CREATE", "UPDATE", "DELETE"]
    resources:   ["secretstores"]
    scope:       "Namespaced"
  clientConfig:
    service:
      namespace: {{ template "external-secrets.namespace" . }}
      name: {{ include "external-secrets.fullname" . }}-webhook
      path: /validate-external-secrets-io-v1beta1-secretstore
  admissionReviewVersions: ["v1", "v1beta1"]
  sideEffects: None
  timeoutSeconds: 5

- name: "validate.clustersecretstore.external-secrets.io"
  rules:
  - apiGroups:   ["external-secrets.io"]
    apiVersions: ["v1beta1"]
    operations:  ["CREATE", "UPDATE", "DELETE"]
    resources:   ["clustersecretstores"]
    scope:       "Cluster"
  clientConfig:
    service:
      namespace: {{ template "external-secrets.namespace" . }}
      name: {{ include "external-secrets.fullname" . }}-webhook
      path: /validate-external-secrets-io-v1beta1-clustersecretstore
  admissionReviewVersions: ["v1", "v1beta1"]
  sideEffects: None
  timeoutSeconds: 5
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: externalsecret-validate
  labels:
    external-secrets.io/component: webhook
    {{- with .Values.commonLabels }}
    {{ toYaml . | nindent 4 }}
    {{- end }}
  {{- if and .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
  annotations:
    cert-manager.io/inject-ca-from: {{ template "external-secrets.namespace" . }}/{{ include "external-secrets.fullname" . }}-webhook
  {{- end }}
webhooks:
- name: "validate.externalsecret.external-secrets.io"
  rules:
  - apiGroups:   ["external-secrets.io"]
    apiVersions: ["v1beta1"]
    operations:  ["CREATE", "UPDATE", "DELETE"]
    resources:   ["externalsecrets"]
    scope:       "Namespaced"
  clientConfig:
    service:
      namespace: {{ template "external-secrets.namespace" . }}
      name: {{ include "external-secrets.fullname" . }}-webhook
      path: /validate-external-secrets-io-v1beta1-externalsecret
  admissionReviewVersions: ["v1", "v1beta1"]
  sideEffects: None
  timeoutSeconds: 5
  failurePolicy: {{ .Values.webhook.failurePolicy}}
{{- end }}