apiVersion: v1
kind: List
items:
- apiVersion: v1
  kind: ServiceAccount
  metadata:
    name: webhookd

- apiVersion: extensions/v1beta1
  kind: Deployment
  metadata:
    labels:
      app: webhookd
    name: webhookd
  spec:
    replicas: 1
    selector:
      matchLabels:
        app: webhookd
    template:
      metadata:
        labels:
          app: webhookd
      spec:
        serviceAccountName: webhookd
        containers:
        - image: valercara/webhookd-extras
          imagePullPolicy: Always
          name: webhookd
          env:
            - name: APP_DEBUG
              value: "true"
            - name: APP_SCRIPTS_GIT_URL
              value: "https://github.com/valer-cara/webhookd-scripts"

              # This here is just a hack: Fake ssh-key file here, just to make that validation in entrypoint.sh pass. No need to worry :)
            - name: APP_SCRIPTS_GIT_KEY
              value: "/etc/hostname"

          ports:
          - containerPort: 8080
            protocol: TCP

          # Just in case scripts go berserk
          resources:
            limits:
              cpu: 500m
              memory: 300Mi
            requests:
              cpu: 200m
              memory: 100Mi

- apiVersion: v1
  kind: Service
  metadata:
    labels:
      app: webhookd
    name: webhookd
  spec:
    ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: 8080
    selector:
      app: webhookd
    type: ClusterIP

- apiVersion: extensions/v1beta1
  kind: Ingress
  metadata:
    annotations:
      kubernetes.io/ingress.class: nginx
      kubernetes.io/tls-acme: "true"

      nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"
      nginx.ingress.kubernetes.io/auth-secret: http-auth-webhookd
      nginx.ingress.kubernetes.io/auth-type: basic
    labels:
      app: webhookd
    name: webhookd
  spec:
    rules:
      # Edit me. You'd need to take care of registering the subdomain + optionally issuing a TLS certificate for it.
      # I use external-dns (which is a bit obsolete i think) + cert-manager to handle this automatically when new Ingresses are registered.
    - host: hook.mydomain.com
      http:
        paths:
        - backend:
            serviceName: webhookd
            servicePort: 80
          path: /
    tls:
    - hosts:
      - hook.mydomain.com
      secretName: tls-hook

- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRole
  metadata:
    name: webhookd
  rules:
  - apiGroups: ["extensions"]
    resources:
    - deployments
    resourceNames:
    - my-deploy
    verbs:
    - patch
    - get
  # There's NO NEED to list deployments, only get/patch specific ones
  #- apiGroups: ["extensions"]
  #  resources:
  #  - deployments
  #  verbs:
  #  - list

- apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    name: webhookd
    # Edit me: you'll have to match this to the namespace of your deployment so webhookd can patch it
    namespace: default
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: webhookd
  subjects:
  - kind: ServiceAccount
    name: webhookd