---
# Serving certificate for the tolerator admission webhook.
# The only SAN is the in-cluster Service DNS name that the
# MutatingWebhookConfiguration in this file points the API server at
# (service "tolerator" in namespace "tolerator").
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: tolerator-certificate
  namespace: tolerator
spec:
  # Secret that receives the key pair; the webhook server is presumably
  # expected to mount it (the Deployment is not part of this file).
  secretName: tolerator-webhook-certificate
  dnsNames:
    - tolerator.tolerator.svc
  # No kind is given, so cert-manager resolves this to a namespaced Issuer
  # called "selfsigned" in the Certificate's own namespace.
  issuerRef:
    name: selfsigned
---
# Namespace-scoped self-signed issuer: each certificate it issues is signed
# with that certificate's own private key, so there is no separate CA key.
# Trust in the webhook therefore rests on the CA bundle injected into the
# webhook configuration and on access control for the secret above.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: selfsigned
  namespace: tolerator
spec:
  selfSigned: {}
---
# Registers the tolerator mutating webhook for Pod CREATE and UPDATE.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: tolerator-webhook
  annotations:
    # cert-manager's CA injector fills clientConfig.caBundle from the
    # Certificate <namespace>/<name> named here.
    cert-manager.io/inject-ca-from: tolerator/tolerator-certificate
webhooks:
  - name: tolerator.tolerator.svc
    admissionReviewVersions:
      - v1
      - v1beta1
    # The API server calls https://tolerator.tolerator.svc:443/inject.
    clientConfig:
      service:
        namespace: tolerator
        name: tolerator
        port: 443
        path: /inject
    # Mutation with no out-of-band effects, which also keeps dry-run
    # requests eligible for this webhook.
    sideEffects: None
    # Fail-open: when the webhook is unreachable or returns an error, the
    # Pod is admitted unmodified. Nothing here should be relied on as an
    # enforcement control. timeoutSeconds is not set, so the v1 API default
    # applies.
    failurePolicy: Ignore
    matchPolicy: Equivalent
    reinvocationPolicy: Never
    # Namespaces labelled webhook=tolerator are skipped; every other
    # namespace, including unlabelled ones, is in scope.
    # NOTE(review): this file does not show whether the "tolerator"
    # namespace carries that label. Confirm it does, so the webhook's own
    # Pods are not routed through the webhook.
    namespaceSelector:
      matchExpressions:
        - key: webhook
          operator: NotIn
          values:
            - tolerator
    # Empty selector: no filtering on object labels.
    objectSelector: {}
    rules:
      # Core-group v1 Pods, on create and update.
      - apiGroups:
          - ""
        apiVersions:
          - v1
        resources:
          - pods
        operations:
          - CREATE
          - UPDATE
        scope: '*'