# Copyright 2022 DigitalOcean
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: "validation-webhook.snapshot.storage.k8s.io"
webhooks:
  - name: "validation-webhook.snapshot.storage.k8s.io"
    rules:
      - apiGroups:   ["snapshot.storage.k8s.io"]
        apiVersions: ["v1", "v1beta1"]
        operations:  ["CREATE", "UPDATE"]
        resources:   ["volumesnapshots", "volumesnapshotcontents"]
        scope:       "*"
    clientConfig:
      service:
        namespace: "kube-system"
        name: "snapshot-validation-service"
        path: "/volumesnapshot"
      # XXX Uncomment and populate the CA bundle field accordingly if a dedicated
      # CA is to be used.
      # caBundle: ${CA_BUNDLE}
    admissionReviewVersions: ["v1", "v1beta1"]
    sideEffects: None
    failurePolicy: Fail
    timeoutSeconds: 5

---

apiVersion: apps/v1
kind: Deployment
metadata:
  name: snapshot-validation
  namespace: kube-system
  labels:
    app: snapshot-validation
spec:
  replicas: 1
  selector:
    matchLabels:
      app: snapshot-validation
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: snapshot-validation
    spec:
      serviceAccountName: snapshot-validation
      containers:
        - name: snapshot-validation
          image: registry.k8s.io/sig-storage/snapshot-validation-webhook:v6.1.0
          imagePullPolicy: IfNotPresent
          args: ['--tls-cert-file=/etc/snapshot-validation-webhook/certs/cert.pem', '--tls-private-key-file=/etc/snapshot-validation-webhook/certs/key.pem']
          ports:
            - containerPort: 443
          volumeMounts:
            - name: snapshot-validation-webhook-certs
              mountPath: /etc/snapshot-validation-webhook/certs
              readOnly: true
      volumes:
        - name: snapshot-validation-webhook-certs
          secret:
            # XXX Populate the secret properly with a certificate and key
            secretName: snapshot-validation-secret

---

apiVersion: v1
kind: ServiceAccount
metadata:
  name: snapshot-validation
  namespace: kube-system

---

apiVersion: v1
kind: Service
metadata:
  name: snapshot-validation-service
  namespace: kube-system
spec:
  selector:
    app: snapshot-validation
  ports:
    - protocol: TCP
      port: 443

---

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: snapshot-validation
rules:
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotclasses"]
    verbs: ["get", "list", "watch"]

---

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: snapshot-validation
subjects:
  - kind: ServiceAccount
    name: snapshot-validation
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: snapshot-validation
  apiGroup: rbac.authorization.k8s.io