apiVersion: apps/v1
kind: Deployment
metadata:
  name: inject-ds-webhook
  namespace: gps-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: inject-ds-webhook
  template:
    metadata:
      labels:
        app: inject-ds-webhook
    spec:
      serviceAccountName: inject-ds-webhook
      containers:
      - name: webhook
        image: REPO_PLACEHOLDER/webhook:latest
        args:
        - --target-namespace=gps-system
        - --target-daemonsets=test-daemonset
        ports:
        - containerPort: 9443
          name: webhook-api
        volumeMounts:
        - name: webhook-certs
          mountPath: /tmp/k8s-webhook-server/serving-certs
          readOnly: true
      volumes:
      - name: webhook-certs
        secret:
          secretName: inject-ds-webhook-certs
---
apiVersion: v1
kind: Service
metadata:
  name: inject-ds-webhook
  namespace: gps-system
spec:
  ports:
  - port: 443
    targetPort: 9443
  selector:
    app: inject-ds-webhook
---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: inject-ds-webhook
webhooks:
- name: inject-ds.example.com
  clientConfig:
    service:
      name: inject-ds-webhook
      namespace: gps-system
      path: "/mutate-pod"
    caBundle: Cg==
  rules:
  - operations: ["CREATE"]
    apiGroups: [""]
    apiVersions: ["v1"]
    resources: ["pods"]
  admissionReviewVersions: ["v1"]
  sideEffects: None
  namespaceSelector:
    matchLabels:
      kubernetes.io/metadata.name: gps-system
  objectSelector:
    matchExpressions:
    - key: app
      operator: NotIn
      values: ["inject-ds-webhook"]