{{- if .Values.controller.admissionWebhooks.enabled -}}
# before changing this value, check the required kubernetes version
# https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  {{- if .Values.controller.admissionWebhooks.annotations }}
  annotations: {{ toYaml .Values.controller.admissionWebhooks.annotations | nindent 4 }}
  {{- end }}
  labels:
    {{- include "ingress-nginx.labels" . | nindent 4 }}
    app.kubernetes.io/component: admission-webhook
    {{- with .Values.controller.admissionWebhooks.labels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
  name: {{ include "ingress-nginx.fullname" . }}-admission
webhooks:
  - name: validate.nginx.ingress.kubernetes.io
    matchPolicy: Equivalent
    rules:
      - apiGroups:
          - networking.k8s.io
        apiVersions:
          - v1
        operations:
          - CREATE
          - UPDATE
        resources:
          - ingresses
    failurePolicy: {{ .Values.controller.admissionWebhooks.failurePolicy | default "Fail" }}
    sideEffects: None
    admissionReviewVersions:
      - v1
    clientConfig:
      service:
        namespace: {{ .Release.Namespace | quote }}
        name: {{ include "ingress-nginx.controller.fullname" . }}-admission
        path: /networking/v1/ingresses
    {{- if .Values.controller.admissionWebhooks.timeoutSeconds }}
    timeoutSeconds: {{ .Values.controller.admissionWebhooks.timeoutSeconds }}
    {{- end }}
    {{- if .Values.controller.admissionWebhooks.namespaceSelector }}
    namespaceSelector: {{ toYaml .Values.controller.admissionWebhooks.namespaceSelector | nindent 6 }}
    {{- end }}
    {{- if .Values.controller.admissionWebhooks.objectSelector }}
    objectSelector: {{ toYaml .Values.controller.admissionWebhooks.objectSelector | nindent 6 }}
    {{- end }}
{{- end }}