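---
# Admission-webhook bundle for APP: Deployment, Service, TLS Secret and
# MutatingWebhookConfiguration. APP, NAMESPACE, CA_BUNDLE and KEY_PEM are
# template placeholders and must be substituted before this is applied.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: APP
  namespace: NAMESPACE
  labels:
    app: APP
spec:
  # NOTE(review): with a single replica and failurePolicy: Fail on the
  # webhook below, CiliumEnvoyConfig CREATE/UPDATE requests are rejected
  # whenever this pod is unavailable.
  replicas: 1
  selector:
    matchLabels:
      app: APP
  template:
    metadata:
      labels:
        app: APP
    spec:
      containers:
        - name: APP
          # NOTE(review): ":latest" plus imagePullPolicy: Always lets the
          # code behind this admission webhook change on any pod restart.
          # Pin an immutable reference (image@sha256:<IMAGE_DIGEST>) once
          # the digest of the reviewed build is known.
          image: registry.yoshino-s.xyz/yoshino-s/cilium-envoy-hook:latest
          imagePullPolicy: Always
          args:
            - '--tls-cert-file-path=/etc/webhook/certs/cert.pem'
            - '--tls-key-file-path=/etc/webhook/certs/key.pem'
          ports:
            # Named "http", but the container is started with a TLS
            # certificate and key, so this port presumably serves HTTPS.
            - name: http
              containerPort: 8080
              protocol: TCP
          # Hardening: the declared port is above 1024, so no capability is
          # needed to bind it.
          # NOTE(review): runAsNonRoot and readOnlyRootFilesystem are not
          # set here because the image's user and write paths are not
          # visible from this manifest - confirm and enable if possible.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          volumeMounts:
            - name: webhook-certs
              mountPath: /etc/webhook/certs
              readOnly: true
      volumes:
        - name: webhook-certs
          secret:
            secretName: APP-certs
---
# Service fronting the webhook. The API server reaches the webhook through
# port 443 (clientConfig.service.port is not set below and defaults to 443).
apiVersion: v1
kind: Service
metadata:
  name: APP
  namespace: NAMESPACE
  labels:
    app: APP
spec:
  ports:
    - name: http
      port: 443
      targetPort: 8080
    # NOTE(review): the Deployment declares no containerPort 8081. Confirm
    # the container listens there, and whether the metrics endpoint needs
    # to be reachable cluster-wide or should be limited by a NetworkPolicy.
    - name: metrics
      port: 8081
      targetPort: 8081
  selector:
    app: APP
---
# Serving certificate and private key mounted at /etc/webhook/certs.
# Values under `data` must be base64-encoded. The rendered manifest carries
# the private key, so keep rendered output out of version control and logs.
# NOTE(review): cert.pem is filled from the same CA_BUNDLE placeholder as
# the webhook caBundle below. That verifies only if the serving certificate
# is self-signed or the bundle otherwise chains to it - confirm against the
# script that renders this template.
apiVersion: v1
kind: Secret
metadata:
  creationTimestamp: null
  name: APP-certs
  namespace: NAMESPACE
data:
  cert.pem: CA_BUNDLE
  key.pem: KEY_PEM
---
# Registers the webhook for CREATE and UPDATE of cilium.io/v2
# ciliumenvoyconfigs. No namespaceSelector or objectSelector is set, so the
# rule matches those resources in every namespace.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: APP
  labels:
    app: APP
    kind: mutator
webhooks:
  - name: mutator.APP.io
    admissionReviewVersions: ["v1"]
    sideEffects: None
    # Fail closed. This is already the admissionregistration.k8s.io/v1
    # default; it is written out so the choice is visible in review.
    failurePolicy: Fail
    clientConfig:
      service:
        name: APP
        namespace: NAMESPACE
        path: /
      # Base64-encoded PEM bundle the API server uses to verify the
      # webhook's serving certificate.
      caBundle: CA_BUNDLE
    rules:
      - operations: ["UPDATE", "CREATE"]
        apiGroups: ["cilium.io"]
        apiVersions: ["v2"]
        resources: ["ciliumenvoyconfigs"]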