{{- if .Values.annotateKubeSystemNameSpace }}
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
{{ include "kubezero-lib.labels" . | indent 4 }}
  name: kiam-namespace-annotate
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  labels:
{{ include "kubezero-lib.labels" . | indent 4 }}
  name: kiam-namespace-annotate
rules:
  - apiGroups:
      - ""
    resources:
      - namespaces
    verbs:
      - get
      - list
      - update
      - patch
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  labels:
{{ include "kubezero-lib.labels" . | indent 4 }}
  name: kiam-namespace-annotate
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kiam-namespace-annotate
subjects:
  - kind: ServiceAccount
    name: kiam-namespace-annotate
    namespace: kube-system
---
apiVersion: batch/v1
kind: Job
metadata:
  name: kiam-kube-system-ns-annotation
  namespace: kube-system
  annotations:
    argocd.argoproj.io/hook: Sync
    argocd.argoproj.io/hook-delete-policy: HookSucceeded
  labels:
{{ include "kubezero-lib.labels" . | indent 4 }}
spec:
  template:
    spec:
      serviceAccountName: kiam-namespace-annotate
      containers:
        - name: kubectl
          image: "bitnami/kubectl:latest"
          imagePullPolicy: "IfNotPresent"
          command:
          - /bin/sh
          - -c
          - kubectl annotate --overwrite namespace kube-system 'iam.amazonaws.com/permitted=.*'
      restartPolicy: Never
      tolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/master
{{- end }}