{{- if and .Values.prometheusOperator.admissionWebhooks.enabled }}
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name:  {{ template "kube-prometheus-stack.fullname" . }}-admission
{{- if .Values.prometheusOperator.admissionWebhooks.certManager.enabled }}
  annotations:
    certmanager.k8s.io/inject-ca-from: {{ printf "%s/%s-root-cert" .Release.Namespace (include "kube-prometheus-stack.fullname" .) | quote }}
    cert-manager.io/inject-ca-from: {{ printf "%s/%s-root-cert" .Release.Namespace (include "kube-prometheus-stack.fullname" .) | quote }}
{{- end }}
  labels:
    app: {{ template "kube-prometheus-stack.name" $ }}-admission
{{- include "kube-prometheus-stack.labels" $ | indent 4 }}
webhooks:
  - name: prometheusrulemutate.monitoring.coreos.com
    {{- if .Values.prometheusOperator.admissionWebhooks.patch.enabled  }}
    failurePolicy: Ignore
    {{- else }}
    failurePolicy: {{ .Values.prometheusOperator.admissionWebhooks.failurePolicy }}
    {{- end }}
    rules:
      - apiGroups:
          - monitoring.coreos.com
        apiVersions:
          - "*"
        resources:
          - prometheusrules
        operations:
          - CREATE
          - UPDATE
    clientConfig:
      service:
        namespace: {{ template "kube-prometheus-stack.namespace" . }}
        name: {{ template "kube-prometheus-stack.operator.fullname" $ }}
        path: /admission-prometheusrules/validate
      {{- if and .Values.prometheusOperator.admissionWebhooks.caBundle (not .Values.prometheusOperator.admissionWebhooks.patch.enabled) (not .Values.prometheusOperator.admissionWebhooks.certManager.enabled) }}
      caBundle: {{ .Values.prometheusOperator.admissionWebhooks.caBundle }}
      {{- end }}
    admissionReviewVersions: ["v1", "v1beta1"]
    sideEffects: None
{{- end }}