apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: {{ .Release.Namespace }}
  name: {{ template "cdi.namespaceHook.name" . }}
  {{ template "cdi.namespaceHook.annotations" (dict "hookWeight" 1) }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ template "cdi.namespaceHook.name" . }}
  {{ template "cdi.namespaceHook.annotations" (dict "hookWeight" 1) }}
rules:
  - apiGroups: [ "" ]
    resources: [ "namespaces" ]
    resourceNames:
      - {{ .Release.Namespace | quote }}
    verbs: [ "get", "patch" ]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ template "cdi.namespaceHook.name" . }}
  {{ template "cdi.namespaceHook.annotations" (dict "hookWeight" 2) }}
subjects:
  - kind: ServiceAccount
    namespace: {{ .Release.Namespace }}
    name: {{ template "cdi.namespaceHook.name" . }}
roleRef:
  kind: ClusterRole
  name: {{ template "cdi.namespaceHook.name" . }}
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: batch/v1
kind: Job
metadata:
  namespace: {{ .Release.Namespace }}
  name: {{ template "cdi.namespaceHook.name" . }}
  {{ template "cdi.namespaceHook.annotations" (dict "hookWeight" 3) }}
spec:
  template:
    metadata:
      name: {{ template "cdi.namespaceHook.name" . }}
    spec:
      serviceAccountName: {{ template "cdi.namespaceHook.name" . }}
      restartPolicy: {{ .Values.hookRestartPolicy }}
      containers:
        - name: {{ template "cdi.namespaceHook.name" . }}
          securityContext:
            {{- toYaml .Values.hookSecurityContext | nindent 12 }}
          image: {{ .Values.hookImage }}
          args:
            - label
            - namespace
            - {{ .Release.Namespace }}
            - cdi.kubevirt.io=