# Copyright 2021 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: minikube-gcp-auth-certs
  namespace: gcp-auth
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: minikube-gcp-auth-certs
rules:
  - apiGroups:
      - ''
    resources:
      - secrets
    verbs:
      - list
      - get
      - create
      - delete
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - mutatingwebhookconfigurations
    verbs:
      - get
      - update
  - apiGroups:
      - ''
    resources:
      - namespaces
    verbs:
      - list
      - watch

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: minikube-gcp-auth-certs
  namespace: metadata
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: minikube-gcp-auth-certs
subjects:
  - kind: ServiceAccount
    name: minikube-gcp-auth-certs
    namespace: gcp-auth
---
apiVersion: batch/v1
kind: Job
metadata:
  name: gcp-auth-certs-create
  namespace: gcp-auth
spec:
  ttlSecondsAfterFinished: 30
  template:
    metadata:
      name: gcp-auth-certs-create
    spec:
      serviceAccountName: minikube-gcp-auth-certs
      containers:
        - name: create
          image: {{.CustomRegistries.KubeWebhookCertgen | default .ImageRepository | default .Registries.KubeWebhookCertgen}}{{.Images.KubeWebhookCertgen}}
          imagePullPolicy: IfNotPresent
          args:
            - create
            - --host=gcp-auth,gcp-auth.gcp-auth,gcp-auth.gcp-auth.svc
            - --namespace=gcp-auth
            - --secret-name=gcp-auth-certs
      restartPolicy: OnFailure
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gcp-auth
  namespace: gcp-auth
spec:
  selector:
    matchLabels:
      app: gcp-auth
  template:
    metadata:
      labels:
        app: gcp-auth
        kubernetes.io/minikube-addons: gcp-auth
    spec:
      serviceAccountName: minikube-gcp-auth-certs
      containers:
        - name: gcp-auth
          image: {{.CustomRegistries.GCPAuthWebhook | default .ImageRepository | default .Registries.GCPAuthWebhook}}{{.Images.GCPAuthWebhook}}
          imagePullPolicy: IfNotPresent
          env:
          - name: GOOGLE_APPLICATION_CREDENTIALS
            value: /google-app-creds.json
          - name: MOCK_GOOGLE_TOKEN
            value: "{{.Environment.MockGoogleToken}}"
          ports:
            - containerPort: 8443
          volumeMounts:
          - name: webhook-certs
            mountPath: /etc/webhook/certs
            readOnly: true
          - name: gcp-project
            mountPath: /var/lib/minikube/google_cloud_project
            readOnly: true
          - name: gcp-creds
            mountPath: /google-app-creds.json
            readOnly: true
      volumes:
      - name: webhook-certs
        secret:
          secretName: gcp-auth-certs
      - name: gcp-project
        hostPath:
          path: /var/lib/minikube/google_cloud_project
          type: File
      - name: gcp-creds
        hostPath:
          path: /var/lib/minikube/google_application_credentials.json
          type: File
---
apiVersion: batch/v1
kind: Job
metadata:
  name: gcp-auth-certs-patch
  namespace: gcp-auth
spec:
  ttlSecondsAfterFinished: 30
  template:
    metadata:
      name: gcp-auth-certs-patch
    spec:
      serviceAccountName: minikube-gcp-auth-certs
      containers:
        - name: patch
          image: {{.CustomRegistries.KubeWebhookCertgen | default .ImageRepository | default .Registries.KubeWebhookCertgen}}{{.Images.KubeWebhookCertgen}}
          imagePullPolicy: IfNotPresent
          args:
            - patch
            - --secret-name=gcp-auth-certs
            - --namespace=gcp-auth
            - --patch-validating=false
            - --webhook-name=gcp-auth-webhook-cfg
      restartPolicy: OnFailure
---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: gcp-auth-webhook-cfg
  labels:
    app: gcp-auth
webhooks:
- name: gcp-auth-mutate.k8s.io
  failurePolicy: Ignore
  objectSelector:
    matchExpressions:
      - key: gcp-auth-skip-secret
        operator: DoesNotExist
  namespaceSelector:
    matchExpressions:
      - key: name
        operator: NotIn
        values:
        - kube-system
  sideEffects: None
  admissionReviewVersions: ["v1","v1beta1"]
  clientConfig:
    service:
      name: gcp-auth
      namespace: gcp-auth
      path: "/mutate"
  rules:
  - operations: ["CREATE"]
    apiGroups: ["*"]
    apiVersions: ["*"]
    resources: ["pods"]
    scope: "*"
- name: gcp-auth-mutate-sa.k8s.io
  failurePolicy: Ignore
  sideEffects: None
  admissionReviewVersions: ["v1","v1beta1"]
  clientConfig:
    service:
      name: gcp-auth
      namespace: gcp-auth
      path: "/mutate/sa"
  rules:
  - operations: ["CREATE"]
    apiGroups: ["*"]
    apiVersions: ["*"]
    resources: ["serviceaccounts"]
    scope: "*"