{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}
apiVersion: batch/v1
kind: Job
metadata:
  name: {{ include "ingress-nginx.fullname" . }}-admission-create
  annotations:
    "helm.sh/hook": pre-install,pre-upgrade
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
  labels:
    {{- include "ingress-nginx.labels" . | nindent 4 }}
    app.kubernetes.io/component: admission-webhook
spec:
{{- if .Capabilities.APIVersions.Has "batch/v1alpha1" }}
  # Alpha feature since k8s 1.12
  ttlSecondsAfterFinished: 0
{{- end }}
  template:
    metadata:
      name: {{ include "ingress-nginx.fullname" . }}-admission-create
    {{- if .Values.controller.admissionWebhooks.patch.podAnnotations }}
      annotations: {{ toYaml .Values.controller.admissionWebhooks.patch.podAnnotations | nindent 8 }}
    {{- end }}
      labels:
        {{- include "ingress-nginx.labels" . | nindent 8 }}
        app.kubernetes.io/component: admission-webhook
    spec:
    {{- if .Values.controller.admissionWebhooks.patch.priorityClassName }}
      priorityClassName: {{ .Values.controller.admissionWebhooks.patch.priorityClassName }}
    {{- end }}
    {{- if .Values.imagePullSecrets }}
      imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }}
    {{- end }}
      containers:
        - name: create
          image: {{ .Values.controller.admissionWebhooks.patch.image.repository }}:{{ .Values.controller.admissionWebhooks.patch.image.tag }}
          imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }}
          args:
            - create
            - --host={{ include "ingress-nginx.controller.fullname" . }}-admission,{{ include "ingress-nginx.controller.fullname" . }}-admission.{{ .Release.Namespace }}.svc
            - --namespace={{ .Release.Namespace }}
            - --secret-name={{ include "ingress-nginx.fullname" . }}-admission
      restartPolicy: OnFailure
      serviceAccountName: {{ include "ingress-nginx.fullname" . }}-admission
    {{- if .Values.controller.admissionWebhooks.patch.nodeSelector }}
      nodeSelector: {{ toYaml .Values.controller.admissionWebhooks.patch.nodeSelector | nindent 8 }}
    {{- end }}
    {{- if .Values.controller.admissionWebhooks.patch.tolerations }}
      tolerations: {{ toYaml .Values.controller.admissionWebhooks.patch.tolerations | nindent 8 }}
    {{- end }}
      securityContext:
        runAsNonRoot: true
        runAsUser: {{ .Values.controller.admissionWebhooks.patch.runAsUser }}
{{- end }}