{{- /*
Hub admission resources: a TLS Secret, two MutatingWebhookConfigurations and
the Service they call. Everything in this file is rendered only when
.Values.hub.token is set and .Values.hub.apimanagement.enabled is true.
*/ -}}
{{- if .Values.hub.token -}}
{{- if .Values.hub.apimanagement.enabled }}
{{- /*
$cert is the output of the "traefik-hub.webhook_cert" helper parsed as YAML.
Its Cert and Key fields feed the Secret data and every webhook caBundle below.
NOTE(review): the helper is not shown in this file. Confirm that it returns
base64-encoded PEM (the values are emitted without b64enc), and that it reuses
an existing key pair on upgrade rather than generating a new one per render.
fromYaml reports a parse failure through an "Error" key instead of aborting
the render, so a broken helper would yield empty Cert/Key values here.
*/}}
{{- $cert := include "traefik-hub.webhook_cert" . | fromYaml }}
---
# TLS key pair for the Hub admission endpoints.
# NOTE(review): presumably mounted by the pods behind the `admission` Service;
# confirm against the deployment template.
apiVersion: v1
kind: Secret
type: kubernetes.io/tls
metadata:
  name: hub-agent-cert
  namespace: {{ template "traefik.namespace" . }}
  labels:
  {{- include "traefik.labels" . | nindent 4 }}
# Values under `data` must already be base64-encoded; the $cert fields are
# emitted verbatim, so the encoding has to come from the helper.
# The private key is part of the rendered manifest, and Helm stores rendered
# manifests in its release records: read access to those records exposes the
# key, not only read access to this Secret.
# The values are unquoted, so an empty $cert field renders as a YAML null.
data:
  tls.crt: {{ $cert.Cert }}
  tls.key: {{ $cert.Key  }}

---
# Admission webhook for AccessControlPolicy objects (hub.traefik.io/v1alpha1).
# The resource is cluster-scoped and its name is fixed, so two releases that
# both enable this template would write the same object.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: hub-acp
  labels:
  {{- include "traefik.labels" . | nindent 4 }}
webhooks:
  - name: admission.traefik.svc
    # The API server calls https://admission.<chart namespace>.svc/acp;
    # service.port is omitted and defaults to 443.
    clientConfig:
      service:
        name: admission
        namespace: {{ template "traefik.namespace" . }}
        path: /acp
      # Trust anchor used to verify the webhook server. It is the same value
      # as tls.crt in the hub-agent-cert Secret, so the two rotate together.
      caBundle: {{ $cert.Cert }}
    # Declares that the handler has no out-of-band side effects.
    # NOTE(review): cannot be verified from this file; confirm in the backend.
    sideEffects: None
    admissionReviewVersions:
      - v1
    # failurePolicy is not set; admissionregistration.k8s.io/v1 defaults it to
    # Fail, so matching requests are rejected while the admission Service is
    # unreachable. DELETE is in the rule list, so cleanup of these objects is
    # blocked as well during an outage. timeoutSeconds defaults to 10.
    # No namespaceSelector or objectSelector is set: the rule applies in every
    # namespace.
    rules:
      - operations:
          - CREATE
          - UPDATE
          - DELETE
        apiGroups:
          - hub.traefik.io
        apiVersions:
          - v1alpha1
        resources:
          - accesscontrolpolicies

---
# Admission webhooks for the Hub API-management resources
# (hub.traefik.io/v1alpha1): one webhook entry per resource kind, each with
# its own path on the `admission` Service in the chart namespace.
# Settings shared by all six entries:
#   - caBundle is the same value as tls.crt in the hub-agent-cert Secret.
#   - service.port is omitted and defaults to 443.
#   - failurePolicy is not set; admissionregistration.k8s.io/v1 defaults it to
#     Fail, so CREATE/UPDATE/DELETE of these resources is rejected while the
#     admission Service is unreachable. timeoutSeconds defaults to 10.
#   - No namespaceSelector or objectSelector: rules apply in every namespace.
#   - sideEffects: None is a declaration about the handler.
#     NOTE(review): cannot be verified from this file; confirm in the backend.
# The resource is cluster-scoped and its name is fixed, so two releases that
# both enable this template would write the same object.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: hub-api
  labels:
  {{- include "traefik.labels" . | nindent 4 }}
webhooks:
  # APIPortal objects -> /api-portal
  - name: hub-agent.traefik.portal
    clientConfig:
      service:
        name: admission
        namespace: {{ template "traefik.namespace" . }}
        path: /api-portal
      caBundle: {{ $cert.Cert }}
    sideEffects: None
    admissionReviewVersions:
      - v1
    rules:
      - operations:
          - CREATE
          - UPDATE
          - DELETE
        apiGroups:
          - hub.traefik.io
        apiVersions:
          - v1alpha1
        resources:
          - apiportals
  # API objects -> /api
  - name: hub-agent.traefik.api
    clientConfig:
      service:
        name: admission
        namespace: {{ template "traefik.namespace" . }}
        path: /api
      caBundle: {{ $cert.Cert }}
    sideEffects: None
    admissionReviewVersions:
      - v1
    rules:
      - operations:
          - CREATE
          - UPDATE
          - DELETE
        apiGroups:
          - hub.traefik.io
        apiVersions:
          - v1alpha1
        resources:
          - apis
  # APIAccess objects -> /api-access
  - name: hub-agent.traefik.access
    clientConfig:
      service:
        name: admission
        namespace: {{ template "traefik.namespace" . }}
        path: /api-access
      caBundle: {{ $cert.Cert }}
    sideEffects: None
    admissionReviewVersions:
      - v1
    rules:
      - operations:
          - CREATE
          - UPDATE
          - DELETE
        apiGroups:
          - hub.traefik.io
        apiVersions:
          - v1alpha1
        resources:
          - apiaccesses
  # APIPlan objects -> /api-plan
  - name: hub-agent.traefik.plan
    clientConfig:
      service:
        name: admission
        namespace: {{ template "traefik.namespace" . }}
        path: /api-plan
      caBundle: {{ $cert.Cert }}
    sideEffects: None
    admissionReviewVersions:
      - v1
    rules:
      - operations:
          - CREATE
          - UPDATE
          - DELETE
        apiGroups:
          - hub.traefik.io
        apiVersions:
          - v1alpha1
        resources:
          - apiplans
  # APIBundle objects -> /api-bundle
  - name: hub-agent.traefik.bundle
    clientConfig:
      service:
        name: admission
        namespace: {{ template "traefik.namespace" . }}
        path: /api-bundle
      caBundle: {{ $cert.Cert }}
    sideEffects: None
    admissionReviewVersions:
      - v1
    rules:
      - operations:
          - CREATE
          - UPDATE
          - DELETE
        apiGroups:
          - hub.traefik.io
        apiVersions:
          - v1alpha1
        resources:
          - apibundles
  # APIVersion objects -> /api-version
  - name: hub-agent.traefik.version
    clientConfig:
      service:
        name: admission
        namespace: {{ template "traefik.namespace" . }}
        path: /api-version
      caBundle: {{ $cert.Cert }}
    sideEffects: None
    admissionReviewVersions:
      - v1
    rules:
      - operations:
          - CREATE
          - UPDATE
          - DELETE
        apiGroups:
          - hub.traefik.io
        apiVersions:
          - v1alpha1
        resources:
          - apiversions

---
# Service addressed by every webhook clientConfig in this file. The name
# `admission` and the chart namespace must stay in sync with those entries.
apiVersion: v1
kind: Service
metadata:
  name: admission
  namespace: {{ template "traefik.namespace" . }}
  labels:
  {{- include "traefik.labels" . | nindent 4 }}
spec:
  ports:
    # 443 is the port the webhooks use by default. targetPort is a named
    # port: the selected pods must expose a container port called
    # `admission`, otherwise the Service has no endpoints and the webhooks,
    # which default to failurePolicy Fail, reject matching requests.
    - name: https
      port: 443
      targetPort: admission
  # Backend pods are chosen by the "traefik.labelselector" helper, which is
  # not shown in this file.
  # NOTE(review): any pod in this namespace carrying those labels becomes an
  # endpoint; confirm the selector is specific to the intended pods.
  selector:
  {{- include "traefik.labelselector" . | nindent 4 }}
{{- end -}}
{{- end -}}