# Copyright 2022 DigitalOcean
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

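# Validating webhook for the snapshot.storage.k8s.io API group.
#
# Every object below is pinned to kube-system and the pieces must agree on
# that namespace: the API server verifies the webhook's serving certificate
# against "<service>.<namespace>.svc", cert-manager writes the serving
# Secret into the Certificate's namespace, and a Pod can only mount Secrets
# from its own namespace. The previous revision put the Certificate/Issuer
# in "default" and issued a cert for "snapshot-validation-service.default.svc"
# while the Service and Deployment lived in kube-system, so the TLS check
# failed and, with failurePolicy: Fail, every snapshot create/update was
# rejected.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: "validation-webhook.snapshot.storage.k8s.io"
  annotations:
    # cert-manager's cainjector fills clientConfig.caBundle from the
    # Certificate named here (namespace/name); it is the Certificate defined
    # at the bottom of this file, which lives in kube-system.
    cert-manager.io/inject-ca-from: kube-system/snapshot-validation
webhooks:
  - name: "validation-webhook.snapshot.storage.k8s.io"
    rules:
      - apiGroups: ["snapshot.storage.k8s.io"]
        apiVersions: ["v1", "v1beta1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["volumesnapshots", "volumesnapshotcontents"]
        scope: "*"
    clientConfig:
      service:
        # The API server connects to
        # https://snapshot-validation-service.kube-system.svc/volumesnapshot
        # (port defaults to 443) and checks the serving certificate against
        # that host name.
        namespace: "kube-system"
        name: "snapshot-validation-service"
        path: "/volumesnapshot"
    admissionReviewVersions: ["v1", "v1beta1"]
    sideEffects: None
    # Fail closed: if the webhook cannot be reached or its certificate does
    # not validate, matching requests are rejected instead of being admitted
    # unvalidated. This makes the Deployment's availability a cluster-wide
    # concern for snapshot operations (see the replicas note below).
    failurePolicy: Fail
    timeoutSeconds: 5

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: snapshot-validation
  namespace: kube-system
  labels:
    app: snapshot-validation
spec:
  # A single replica combined with failurePolicy: Fail means any outage of
  # this Pod blocks all VolumeSnapshot/VolumeSnapshotContent create and
  # update requests. maxUnavailable: 0 keeps the old Pod serving during a
  # rollout but does not cover node failure or drain.
  replicas: 1
  selector:
    matchLabels:
      app: snapshot-validation
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: snapshot-validation
    spec:
      serviceAccountName: snapshot-validation
      containers:
        - name: snapshot-validation
          # Pinned by tag only; pinning by digest would make the deployed
          # image immutable against a re-pushed tag.
          image: registry.k8s.io/sig-storage/snapshot-validation-webhook:v6.1.0
          imagePullPolicy: IfNotPresent
          # Serving cert and key come from the Secret mounted below, which
          # cert-manager populates from the Certificate at the end of this
          # file.
          args:
            - '--tls-cert-file=/etc/snapshot-validation-webhook/certs/tls.crt'
            - '--tls-private-key-file=/etc/snapshot-validation-webhook/certs/tls.key'
          ports:
            - containerPort: 443
          volumeMounts:
            - name: snapshot-validation-webhook-certs
              mountPath: /etc/snapshot-validation-webhook/certs
              readOnly: true
      volumes:
        - name: snapshot-validation-webhook-certs
          secret:
            # Written by cert-manager into the Certificate's namespace; the
            # Certificate below is therefore also in kube-system.
            secretName: snapshot-validation-secret

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: snapshot-validation
  namespace: kube-system

---
# The Service the API server dials; its name and namespace are what the
# ValidatingWebhookConfiguration's clientConfig.service and the
# Certificate's dnsNames refer to.
apiVersion: v1
kind: Service
metadata:
  name: snapshot-validation-service
  namespace: kube-system
spec:
  selector:
    app: snapshot-validation
  ports:
    - protocol: TCP
      port: 443

---
# Read-only access to VolumeSnapshotClass objects is all the webhook's
# service account is granted.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: snapshot-validation
rules:
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotclasses"]
    verbs: ["get", "list", "watch"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: snapshot-validation
subjects:
  - kind: ServiceAccount
    name: snapshot-validation
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: snapshot-validation
  apiGroup: rbac.authorization.k8s.io

---
# Self-signed issuer for the webhook serving certificate. Issuer is a
# namespaced resource and must share a namespace with the Certificate that
# references it.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: selfsigned-issuer
  namespace: kube-system
spec:
  selfSigned: {}

---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: snapshot-validation
  # Must match the Deployment's namespace: cert-manager writes secretName
  # here, and the Pod can only mount a Secret from its own namespace.
  namespace: kube-system
spec:
  # SANs must cover the host the API server uses for the webhook Service,
  # <service>.<namespace>.svc.
  dnsNames:
    - snapshot-validation-service
    - snapshot-validation-service.kube-system
    - snapshot-validation-service.kube-system.svc
  issuerRef:
    kind: Issuer
    name: selfsigned-issuer
  secretName: snapshot-validation-secret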