{{- if and .Values.prometheusOperator.admissionWebhooks.enabled .Values.prometheusOperator.admissionWebhooks.patch.enabled (not .Values.prometheusOperator.admissionWebhooks.certManager.enabled) }}
apiVersion: batch/v1
kind: Job
metadata:
  name:  {{ template "kube-prometheus-stack.fullname" . }}-admission-patch
  namespace: {{ template "kube-prometheus-stack.namespace" . }}
  annotations:
    "helm.sh/hook": post-install,post-upgrade
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
  labels:
    app: {{ template "kube-prometheus-stack.name" $ }}-admission-patch
{{- include "kube-prometheus-stack.labels" $ | indent 4 }}
spec:
  {{- if .Capabilities.APIVersions.Has "batch/v1alpha1" }}
  # Alpha feature since k8s 1.12
  ttlSecondsAfterFinished: 0
  {{- end }}
  template:
    metadata:
      name:  {{ template "kube-prometheus-stack.fullname" . }}-admission-patch
{{- with .Values.prometheusOperator.admissionWebhooks.patch.podAnnotations }}
      annotations:
{{ toYaml .  | indent 8 }}
{{- end }}
      labels:
        app: {{ template "kube-prometheus-stack.name" $ }}-admission-patch
{{- include "kube-prometheus-stack.labels" $ | indent 8 }}
    spec:
      {{- if .Values.prometheusOperator.admissionWebhooks.patch.priorityClassName }}
      priorityClassName: {{ .Values.prometheusOperator.admissionWebhooks.patch.priorityClassName }}
      {{- end }}
      containers:
        - name: patch
          {{- if .Values.prometheusOperator.admissionWebhooks.patch.image.sha }}
          image: {{ .Values.prometheusOperator.admissionWebhooks.patch.image.repository }}:{{ .Values.prometheusOperator.admissionWebhooks.patch.image.tag }}@sha256:{{ .Values.prometheusOperator.admissionWebhooks.patch.image.sha }}
          {{- else }}
          image: {{ .Values.prometheusOperator.admissionWebhooks.patch.image.repository }}:{{ .Values.prometheusOperator.admissionWebhooks.patch.image.tag }}
          {{- end }}
          imagePullPolicy: {{ .Values.prometheusOperator.admissionWebhooks.patch.image.pullPolicy }}
          args:
            - patch
            - --webhook-name={{ template "kube-prometheus-stack.fullname" . }}-admission
            - --namespace={{ template "kube-prometheus-stack.namespace" . }}
            - --secret-name={{ template "kube-prometheus-stack.fullname" . }}-admission
            - --patch-failure-policy={{ .Values.prometheusOperator.admissionWebhooks.failurePolicy }}
          resources:
{{ toYaml .Values.prometheusOperator.admissionWebhooks.patch.resources | indent 12 }}
      restartPolicy: OnFailure
      serviceAccountName: {{ template "kube-prometheus-stack.fullname" . }}-admission
      {{- with .Values.prometheusOperator.admissionWebhooks.patch.nodeSelector }}
      nodeSelector:
{{ toYaml . | indent 8 }}
      {{- end }}
      {{- with .Values.prometheusOperator.admissionWebhooks.patch.affinity }}
      affinity:
{{ toYaml . | indent 8 }}
      {{- end }}
      {{- with .Values.prometheusOperator.admissionWebhooks.patch.tolerations }}
      tolerations:
{{ toYaml . | indent 8 }}
      {{- end }}
      securityContext:
        runAsGroup: 2000
        runAsNonRoot: true
        runAsUser: 2000
{{- end }}