#apiVersion: policy/v1beta1
#kind: PodSecurityPolicy
#metadata:
#  name: longhorn-uninstall-psp
#spec:
#  privileged: true
#  allowPrivilegeEscalation: true
#  requiredDropCapabilities:
#  - NET_RAW
#  allowedCapabilities:
#  - SYS_ADMIN
#  hostNetwork: false
#  hostIPC: false
#  hostPID: true
#  runAsUser:
#    rule: RunAsAny
#  seLinux:
#    rule: RunAsAny
#  fsGroup:
#    rule: RunAsAny
#  supplementalGroups:
#    rule: RunAsAny
#  volumes:
#  - configMap
#  - downwardAPI
#  - emptyDir
#  - secret
#  - projected
#  - hostPath
#---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: longhorn-uninstall-service-account
  namespace: longhorn-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: longhorn-uninstall-role
rules:
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - "*"
  - apiGroups: [""]
    resources: ["pods", "persistentvolumes", "persistentvolumeclaims", "nodes", "configmaps", "secrets", "services", "endpoints"]
    verbs: ["*"]
  - apiGroups: ["apps"]
    resources: ["daemonsets", "statefulsets", "deployments"]
    verbs: ["*"]
  - apiGroups: ["batch"]
    resources: ["jobs", "cronjobs"]
    verbs: ["*"]
  - apiGroups: ["policy"]
    resources: ["poddisruptionbudgets"]
    verbs: ["*"]
  - apiGroups: ["scheduling.k8s.io"]
    resources: ["priorityclasses"]
    verbs: ["watch", "list"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["csidrivers", "storageclasses", "volumeattachments"]
    verbs: ["*"]
  - apiGroups: ["longhorn.io"]
    resources: ["volumes", "engines", "replicas", "settings", "engineimages", "nodes", "instancemanagers", "sharemanagers",
                "backingimages", "backingimagemanagers", "backingimagedatasources", "backuptargets", "backupvolumes", "backups",
                "recurringjobs", "orphans", "snapshots", "supportbundles", "systembackups", "systemrestores", "volumeattachments", "backupbackingimages"]
    verbs: ["*"]
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["*"]
  #  - apiGroups: ["policy"]
  #    resources: ["podsecuritypolicies"]
  #    verbs: ["use"]
  #    resourceNames: ["longhorn-uninstall-psp"]
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
    verbs: ["get", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: longhorn-uninstall-bind
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: longhorn-uninstall-role
subjects:
  - kind: ServiceAccount
    name: longhorn-uninstall-service-account
    namespace: longhorn-system
---
apiVersion: batch/v1
kind: Job
metadata:
  name: longhorn-uninstall
  namespace: longhorn-system
spec:
  activeDeadlineSeconds: 900
  backoffLimit: 1
  template:
    metadata:
      name: longhorn-uninstall
    spec:
      containers:
        - name: longhorn-uninstall
          image: longhornio/longhorn-manager:master-head
          imagePullPolicy: IfNotPresent
          command:
            - longhorn-manager
            - uninstall
            - --force
          env:
            - name: LONGHORN_NAMESPACE
              value: longhorn-system
      restartPolicy: Never
      serviceAccountName: longhorn-uninstall-service-account
#      imagePullSecrets:
#      - name: ""
#      priorityClassName:
#      tolerations:
#        - key: "key"
#          operator: "Equal"
#          value: "value"
#          effect: "NoSchedule"
#      nodeSelector:
#        label-key1: "label-value1"
#        label-key2: "label-value2"