{{- if .Values.crds.install }}
apiVersion: batch/v1
kind: Job
metadata:
  name: {{ include "crdInstallJob" . }}
  namespace: {{ .Release.Namespace | quote }}
  annotations:
    # create hook dependencies in the right order
    "helm.sh/hook-weight": "-1"
    {{- include "crdInstallAnnotations" . | nindent 4 }}
  labels:
    app.kubernetes.io/component: {{ include "crdInstall" . | quote }}
    {{- include "labels.selector" . | nindent 4 }}
    role: {{ include "crdInstallSelector" . | quote }}
spec:
  ttlSecondsAfterFinished: 3600
  template:
    metadata:
      labels:
        app.kubernetes.io/component: {{ include "crdInstall" . | quote }}
        {{- include "labels.selector" . | nindent 8 }}
    spec:
      serviceAccountName: {{ include "crdInstall" . }}
      securityContext:
        runAsUser: 1000
        runAsGroup: 2000
        {{- if ge (int .Capabilities.KubeVersion.Minor) 19 }}
        {{- with .Values.crds.podSeccompProfile }}
        seccompProfile:
          {{- . | toYaml | nindent 10 }}
        {{- end }}
        {{- end }}
      tolerations:
      - key: node-role.kubernetes.io/master
        effect: NoSchedule
      - key: node-role.kubernetes.io/control-plane
        effect: NoSchedule
      containers:
      - name: kubectl
        image: "{{ .Values.images.registry }}/giantswarm/docker-kubectl:1.23.6"
        command:
        - sh
        - -c
        - |
          set -o errexit ; set -o xtrace ; set -o nounset

          # piping stderr to stdout means kubectl's errors are surfaced
          # in the pod's logs.

          kubectl apply -f /data/ 2>&1
        securityContext:
          readOnlyRootFilesystem: true
          {{- if ge (int .Capabilities.KubeVersion.Minor) 19 }}
          {{- with .Values.crds.seccompProfile }}
          seccompProfile:
            {{- . | toYaml | nindent 12 }}
          {{- end }}
          {{- end }}
        volumeMounts:
{{- range $path, $_ := .Files.Glob "crd-base/**" }}
        - name: {{ $path | base | trimSuffix ".yaml" }}
          mountPath: /data/{{ $path | base }}
          subPath: {{ $path | base }}
{{- end }}
        resources: {{- toYaml .Values.crds.resources | nindent 10 }}
      volumes:
{{ $currentScope := . }}
{{- range $path, $_ := .Files.Glob "crd-base/**" }}
    {{- with $currentScope }}
      - name: {{ $path | base | trimSuffix ".yaml" }}
        configMap:
          name: {{ include "crdInstall" . }}-{{ $path | base | trimSuffix ".yaml" }}
          items:
          - key: content
            path: {{ $path | base }}
{{- end }}
{{- end }}
      restartPolicy: Never
  backoffLimit: 4
{{- end }}