delete rio, rancher-operator, rancher-operator-crd and rancher-external-ip-webhook

pull/1298/head
Jiaqi Luo 2021-06-24 14:04:25 -07:00
parent e84978f0a5
commit 143c0fecb4
70 changed files with 0 additions and 5845 deletions

Binary file not shown.

View File

@ -1,21 +0,0 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj

View File

@ -1,24 +0,0 @@
annotations:
catalog.cattle.io/certified: rancher
catalog.cattle.io/display-name: External IP Webhook
catalog.cattle.io/namespace: cattle-externalip-system
catalog.cattle.io/os: linux
catalog.cattle.io/release-name: rancher-external-ip-webhook
catalog.cattle.io/ui-component: rancher-external-ip-webhook
apiVersion: v1
appVersion: v0.1.6
description: |
Deploy the external-ip-webhook to mitigate k8s CVE-2020-8554
home: https://github.com/rancher/externalip-webhook
keywords:
- cve
- externalip
- webhook
- security
maintainers:
- email: raul@rancher.com
name: rawmind0
name: rancher-external-ip-webhook
sources:
- https://github.com/rancher/externalip-webhook
version: 100.0.0+up0.1.6
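Review bot: this drops a catalog-advertised security mitigation without recording why. The deleted Chart.yaml still carries `catalog.cattle.io/certified: rancher` and the description `Deploy the external-ip-webhook to mitigate k8s CVE-2020-8554`, yet neither the commit message nor anything else in this diff says whether the chart is superseded, deprecated, or simply unsupported on the Kubernetes versions now targeted, nor what operators who installed it into `cattle-externalip-system` should do with their existing release. Suggest stating the reason in the commit message or a release note and, if installs should be kept, pointing at where the chart now lives, so the removal does not read as the mitigation no longer being needed.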

View File

@ -1,69 +0,0 @@
# externalip-webhook
## Chart Details
This chart will create a deployment of `externalip-webhook` within your Kubernetes Cluster. It's required to mitigate k8s CVE-2020-8554.
## Installing the Chart
To install the chart with the release name `rancher-external-ip-webhook`:
```bash
$ helm repo add rancher-chart https://charts.rancher.io
$ helm repo update
$ helm install rancher-external-ip-webhook rancher-chart/rancher-external-ip-webhook --namespace cattle-externalip-system -f values.yaml
```
## Configuration
The following table lists the configurable parameters of the externalip-webhook chart and their default values.
| Parameter | Description | Default |
| ---------------------------------- | -------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------- |
| `allowedExternalIPCidrs` | Set allowed external IP CIDRs separated by a comma | `""` |
| `certificates.caBundle` | If cert-manager integration is disabled, add here self signed ca.crt in base64 format | `""` |
| `certificates.certManager.enabled` | Enable cert manager integration. Cert manager should be already installed at the k8s cluster | `true` |
| `certificates.certManager.version` | Cert manager version to use | `""` |
| `certificates.secretName` | If cert-manager integration is disabled, upload certs data (ca.crt, tls.crt & tls.key) as k8s secretName in the namespace | `"webhook-server-cert"` |
| `global.systemDefaultRegistry` | Pull docker images from systemDefaultRegistry | `""` |
| `image.pullPolicy` | Webhook server docker pull policy | `"IfNotPresent"` |
| `image.pullSecrets` | Webhook server docker pull secret | `""` |
| `image.repository` | Webhook server docker image repository | `"rancher/externalip-webhook"` |
| `image.tag` | Webhook server docker image tag Defaults to | `".Chart.appVersion"` |
| `metrics.enabled` | Enable metrics endpoint | `false` |
| `metrics.port` | Webhook metrics pod port | `8443` |
| `metrics.prometheusExport` | Enable Prometheus export. Follow [exporting-metrics-for-prometheus](https://book.kubebuilder.io/reference/metrics.html#exporting-metrics-for-prometheus) to export the webhook metrics | `false` |
| `metrics.authProxy.enabled` | Enable auth proxy for metrics endpoint | `false` |
| `metrics.authProxy.port` | Webhook auth proxy pod port | `8080` |
| `metrics.authProxy.image.pullPolicy` | Webhook auth proxy docker pull policy | `"IfNotPresent"` |
| `metrics.authProxy.image.pullSecrets`| Webhook auth proxy docker pull secrets | `""` |
| `metrics.authProxy.image.repository` | Webhook auth proxy docker image repository | `"gcr.io/kubebuilder/kube-rbac-proxy"` |
| `metrics.authProxy.image.pullPolicy` | Webhook auth proxy docker image tag | `"v0.5.0"` |
| `metrics.authProxy.resources.limits.cpu` | Webhook auth proxy resource cpu limit | `"100m"` |
| `metrics.authProxy.resources.limits.memory` | Webhook auth proxy resource memory limit | `"30Mi"` |
| `metrics.authProxy.resources.requests.cpu` | Webhook auth proxy wesource cpu reservation | `"100m"` |
| `metrics.authProxy.resources.requests.memory` | Webhook auth proxy resource memory reservation | `"20Mi"` |
| `nodeSelector` | Node labels for pod assignment | `{}` |
| `rbac.apiVersion` | Rbac API version to use | `"v1"` |
| `resources.limits.cpu` | Resource cpu limit | `"100m"` |
| `resources.limits.memory` | Resource memory limit | `"30Mi"` |
| `resources.requests.cpu` | Resource cpu reservation | `"100m"` |
| `resources.requests.memory` | Resource memory reservation | `"20Mi"` |
| `service.metricsPort` | Webhook metrics service port | `8443` |
| `service.webhookPort` | Webhook server service port | `443` |
| `serviceAccountName` | Webhook serviceAccountName. Just used if metrics.authProxy.enabled = false | `"default"` |
| `tolerations` | List of node taints to tolerate (requires Kubernetes >= 1.6) | `[]` |
| `webhookPort` | Webhook server pod port | `9443` |
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.
Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,
```bash
$ helm repo add rancher-chart https://charts.rancher.io
$ helm repo update
$ helm install rancher-external-ip-webhook rancher-chart/rancher-external-ip-webhook --namespace cattle-externalip-system -f values.yaml
```
> **Tip**: You can use the default [values.yaml](https://github.com/rancher/externalip-webhook/blob/master/chart/values.yaml)
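Review bot: the configuration table is internally inconsistent, which matters if this README is relocated rather than dropped. The row `| metrics.authProxy.image.pullPolicy | Webhook auth proxy docker image tag | "v0.5.0" |` repeats the `pullPolicy` key where `metrics.authProxy.image.tag` was meant (the deployment template reads `.Values.metrics.authProxy.image.tag`), and the `serviceAccountName` row claims the value is used when `metrics.authProxy.enabled = false`, but the deployment always sets `serviceAccountName: {{ template "externalip-webhook.fullname" . }}` and never reads that value, so it is dead configuration. The three-line install block under `## Installing the Chart` is also repeated verbatim under `## Configuration`.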

View File

@ -1,12 +0,0 @@
# externalip-webhook
This chart was created to mitigate [CVE-2020-8554](https://www.cvedetails.com/cve/CVE-2020-8554/)
External IP Webhook is a validating k8s webhook which prevents services from using random external IPs.
Cluster administrators can specify list of CIDRs allowed to be used as external IP by specifying `allowed-external-ip-cidrs` parameter. The webhook will only allow services which either dont set external IP, or whose external IPs are within the range specified by the administrator.
External IP Webhook certificates are required. They can be generated in 2 ways:
* cert-manager: This is the default chart configuration. Cert manager should be already installed at the k8s cluster
* uploading certs: Disable `Cert Manager integration` and set `Secret name` and `CA Bundle` at `Certificates` section.
For more information, review the Helm README of this chart.

View File

@ -1,26 +0,0 @@
questions:
# allowedExternalIPCidrs
- variable: allowedExternalIPCidrs
label: Allowed external IP cidrs
description: Set allowed external IP CIDRs separated by a comma
type: string
group: Configuration
- variable: certificates.certManager.enabled
default: true
description: Enable cert manager integration. Cert manager should be already installed
label: Enable Cert Manager integration
type: boolean
group: "Certificates"
show_subquestion_if: false
subquestions:
- variable: certificates.secretName
default: webhook-server-cert
description: Use certificates from secret. Secret should exists in the app namespace, with certs data (ca.crt, tls.crt & tls.key)
label: Secret name
type: string
required: true
- variable: certificates.caBundle
description: Use self signed CA Bundle. It should be provided in base64 format
label: CA Bundle
type: string
required: true
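Review bot: `allowedExternalIPCidrs` is the only security-relevant input in this questions file and it has no validation and no statement of what an empty value means. It is `type: string`, not `required`, and the description only says "separated by a comma"; the deployment template passes `--allowed-external-ip-cidrs` to the binary only when the value is non-empty, so an operator who leaves it blank in the Rancher UI gets the binary's built-in default without being told what that is. Suggest either marking it required or extending the description to say explicitly whether an empty list denies every `externalIPs` value or allows them all.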

View File

@ -1,3 +0,0 @@
To verify that externalip-webhook has started, run:
kubectl --namespace={{ .Release.Namespace }} get pods -l "app={{ template "externalip-webhook.name" . }},release={{ .Release.Name }}"

View File

@ -1,50 +0,0 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "externalip-webhook.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "externalip-webhook.fullname" -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if ne $name .Release.Name -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s" $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{/* Generate basic labels */}}
{{- define "externalip-webhook.labels" }}
app: {{ template "externalip-webhook.name" . }}
heritage: {{.Release.Service }}
release: {{.Release.Name }}
{{- end }}
{{/*
Windows cluster will add default taint for linux nodes,
add below linux tolerations to workloads could be scheduled to those linux nodes
*/}}
{{- define "linux-node-tolerations" -}}
- key: "cattle.io/os"
value: "linux"
effect: "NoSchedule"
operator: "Equal"
{{- end -}}
{{- define "linux-node-selector" -}}
kubernetes.io/os: linux
{{- end -}}
{{- define "system_default_registry" -}}
{{- if .Values.global.systemDefaultRegistry -}}
{{- printf "%s/" .Values.global.systemDefaultRegistry -}}
{{- else -}}
{{- "" -}}
{{- end -}}
{{- end -}}

View File

@ -1,30 +0,0 @@
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
{{- if .Values.certificates.certManager.enabled }}
annotations:
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ template "externalip-webhook.fullname" . }}-server-cert
{{- end }}
creationTimestamp: null
name: {{ template "externalip-webhook.fullname" . }}-validating-webhook-configuration
webhooks:
- clientConfig:
{{- if not (.Values.certificates.certManager.enabled) }}
caBundle: {{ .Values.certificates.caBundle }}
{{- end }}
service:
name: {{ template "externalip-webhook.fullname" . }}
namespace: {{ .Release.Namespace }}
path: /validate-service
failurePolicy: Ignore
name: {{ template "externalip-webhook.fullname" . }}.{{ .Release.Namespace }}.svc
rules:
- apiGroups:
- ""
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- services
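Review bot: `failurePolicy: Ignore` makes the CVE-2020-8554 mitigation fail open. Whenever the webhook pod is unready, its Service is unreachable, or the API server's call times out, Service CREATE and UPDATE requests carrying arbitrary `externalIPs` are admitted silently, which is exactly the condition the chart exists to block. For a control whose only job is to reject that field, `failurePolicy: Fail` is the safer default, paired with a `namespaceSelector` that excludes the webhook's own namespace (and `kube-system`) so the cluster cannot deadlock on the webhook's own Service. Separately, `admissionregistration.k8s.io/v1beta1` was removed in Kubernetes 1.22; the `v1` object additionally requires `sideEffects` and `admissionReviewVersions`, neither of which is set here, so anyone keeping this manifest after the chart is dropped needs both fields added.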

View File

@ -1,33 +0,0 @@
{{- if and (.Values.metrics.enabled) (.Values.metrics.authProxy.enabled) -}}
apiVersion: rbac.authorization.k8s.io/{{ .Values.rbac.apiVersion }}
kind: ClusterRole
metadata:
labels: {{ include "externalip-webhook.labels" . | indent 4 }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
name: {{ template "externalip-webhook.fullname" . }}-proxy-role
rules:
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create
---
apiVersion: rbac.authorization.k8s.io/{{ .Values.rbac.apiVersion }}
kind: ClusterRole
metadata:
labels: {{ include "externalip-webhook.labels" . | indent 4 }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
name: {{ template "externalip-webhook.fullname" . }}-metrics-reader
rules:
- nonResourceURLs:
- /metrics
verbs:
- get
{{- end -}}

View File

@ -1,31 +0,0 @@
apiVersion: rbac.authorization.k8s.io/{{ .Values.rbac.apiVersion }}
kind: ClusterRoleBinding
metadata:
labels: {{ include "externalip-webhook.labels" . | indent 4 }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
name: {{ template "externalip-webhook.fullname" . }}-cluster-view
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: view
subjects:
- kind: ServiceAccount
name: {{ template "externalip-webhook.fullname" . }}
namespace: {{ .Release.Namespace }}
{{- if and (.Values.metrics.enabled) (.Values.metrics.authProxy.enabled) }}
---
apiVersion: rbac.authorization.k8s.io/{{ .Values.rbac.apiVersion }}
kind: ClusterRoleBinding
metadata:
labels: {{ include "externalip-webhook.labels" . | indent 4 }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
name: {{ template "externalip-webhook.fullname" . }}-proxy-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "externalip-webhook.fullname" . }}-proxy-role
subjects:
- kind: ServiceAccount
name: {{ template "externalip-webhook.fullname" . }}
namespace: {{ .Release.Namespace }}
{{- end }}
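Review bot: the first binding grants the built-in `view` ClusterRole cluster-wide to the webhook's ServiceAccount, unconditionally. A validating webhook receives the full Service object in the AdmissionReview, so it should not need to read every namespace's ConfigMaps, Pods, Services and the other `view`-scoped resources; if the binary does list Services for its check (nothing in the deployment args indicates that), a ClusterRole limited to `get`, `list` and `watch` on `services` would be the least-privilege equivalent. As written, a compromise of the webhook pod yields read access across the whole cluster, a larger blast radius than the mitigation itself warrants.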

View File

@ -1,107 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
seccomp.security.alpha.kubernetes.io/pod: runtime/default
labels: {{ include "externalip-webhook.labels" . | indent 4 }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
name: {{ template "externalip-webhook.fullname" . }}
namespace: {{ .Release.Namespace }}
spec:
replicas: {{ .Values.replicas }}
selector:
matchLabels:
app: {{ template "externalip-webhook.name" . }}
template:
metadata:
annotations:
seccomp.security.alpha.kubernetes.io/pod: runtime/default
labels: {{ include "externalip-webhook.labels" . | indent 8 }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
spec:
containers:
{{- if and (.Values.metrics.enabled) (.Values.metrics.authProxy.enabled) }}
- name: {{ template "externalip-webhook.fullname" . }}-auth-proxy
args:
- --secure-listen-address=0.0.0.0:{{ .Values.metrics.port }}
- --upstream=http://127.0.0.1:{{ .Values.metrics.authProxy.port }}/
- --logtostderr=true
- --v=10
image: {{ template "system_default_registry" . }}{{ .Values.metrics.authProxy.image.repository}}:{{ .Values.metrics.authProxy.image.tag }}
imagePullPolicy: "{{ .Values.metrics.authProxy.image.pullPolicy }}"
ports:
- containerPort: {{ .Values.metrics.port }}
name: webhook-metrics
protocol: TCP
resources:
{{ toYaml .Values.metrics.authProxy.resources | indent 10 }}
readinessProbe:
tcpSocket:
port: webhook-metrics
initialDelaySeconds: 5
periodSeconds: 10
livenessProbe:
tcpSocket:
port: webhook-metrics
initialDelaySeconds: 5
failureThreshold: 10
periodSeconds: 30
{{- end }}
- name: {{ template "externalip-webhook.fullname" . }}
image: {{ template "system_default_registry" . }}{{ .Values.image.repository}}:{{ default .Chart.AppVersion .Values.image.tag }}
imagePullPolicy: "{{ .Values.image.pullPolicy }}"
command:
- /webhook
args:
- --webhook-port={{ .Values.webhookPort }}
{{- if .Values.allowedExternalIPCidrs }}
- --allowed-external-ip-cidrs={{ .Values.allowedExternalIPCidrs }}
{{- end }}
{{- if .Values.metrics.enabled }}
{{- if .Values.metrics.authProxy.enabled }}
- --metrics-addr=127.0.0.1:{{ .Values.metrics.authProxy.port }}
{{- else }}
- --metrics-addr=0.0.0.0:{{ .Values.metrics.port }}
{{- end }}
{{- end }}
ports:
- containerPort: {{ .Values.webhookPort }}
name: webhook-server
protocol: TCP
{{- if and (.Values.metrics.enabled) (not (.Values.metrics.authProxy.enabled)) }}
- containerPort: {{ .Values.metrics.port }}
name: webhook-metrics
protocol: TCP
{{- end }}
volumeMounts:
- name: server-cert
mountPath: /tmp/k8s-webhook-server/serving-certs
readOnly: true
resources:
{{ toYaml .Values.resources | indent 10 }}
readinessProbe:
tcpSocket:
port: webhook-server
initialDelaySeconds: 5
failureThreshold: 10
periodSeconds: 30
livenessProbe:
tcpSocket:
port: webhook-server
initialDelaySeconds: 5
failureThreshold: 10
periodSeconds: 30
nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
{{- if .Values.nodeSelector }}
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end }}
tolerations: {{ include "linux-node-tolerations" . | nindent 6}}
{{- if .Values.tolerations }}
{{ toYaml .Values.tolerations | indent 6 }}
{{- end }}
serviceAccountName: {{ template "externalip-webhook.fullname" . }}
volumes:
- name: server-cert
secret:
defaultMode: 420
secretName: {{ .Values.certificates.secretName }}
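Review bot: neither container sets a `securityContext`, so the webhook and the kube-rbac-proxy sidecar run with image defaults (no `runAsNonRoot`, no `readOnlyRootFilesystem`, no `capabilities.drop`, `allowPrivilegeEscalation` unset); the only hardening present is the pod annotation `seccomp.security.alpha.kubernetes.io/pod: runtime/default`, which has been deprecated since Kubernetes 1.19 in favour of `securityContext.seccompProfile`. The auth-proxy container also runs with `--v=10`, which logs every proxied request at maximum verbosity and is a debugging setting rather than a production default. Suggest a `securityContext` on both containers and the `seccompProfile` field on the pod spec if this manifest is kept anywhere.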

View File

@ -1,52 +0,0 @@
{{- if .Values.certificates.certManager.enabled -}}
{{- $certmanagerVer := split "." .Values.certificates.certManager.version -}}
{{- if or (.Capabilities.APIVersions.Has "cert-manager.io/v1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 1) (ge (int $certmanagerVer._1) 0)) }}
apiVersion: cert-manager.io/v1
{{- else if or (.Capabilities.APIVersions.Has "cert-manager.io/v1beta1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (ge (int $certmanagerVer._1) 16)) }}
apiVersion: cert-manager.io/v1beta1
{{- else if or (.Capabilities.APIVersions.Has "cert-manager.io/v1alpha2") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (ge (int $certmanagerVer._1) 11)) }}
apiVersion: cert-manager.io/v1alpha2
{{- else if or (.Capabilities.APIVersions.Has "certmanager.k8s.io/v1alpha1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (lt (int $certmanagerVer._1) 11)) }}
apiVersion: certmanager.k8s.io/v1alpha1
{{- else }}
# Setting latest version as default
apiVersion: cert-manager.io/v1
{{- end }}
kind: Certificate
metadata:
labels: {{ include "externalip-webhook.labels" . | indent 4 }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
name: {{ template "externalip-webhook.fullname" . }}-server-cert
namespace: {{ .Release.Namespace }}
spec:
dnsNames:
- {{ template "externalip-webhook.fullname" . }}.{{ .Release.Namespace }}.svc
- {{ template "externalip-webhook.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local
issuerRef:
kind: Issuer
name: {{ template "externalip-webhook.fullname" . }}-issuer
secretName: {{ .Values.certificates.secretName }}
---
{{- if or (.Capabilities.APIVersions.Has "cert-manager.io/v1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 1) (ge (int $certmanagerVer._1) 0)) }}
apiVersion: cert-manager.io/v1
{{- else if or (.Capabilities.APIVersions.Has "cert-manager.io/v1beta1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (ge (int $certmanagerVer._1) 16)) }}
apiVersion: cert-manager.io/v1beta1
{{- else if or (.Capabilities.APIVersions.Has "cert-manager.io/v1alpha2") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (ge (int $certmanagerVer._1) 11)) }}
apiVersion: cert-manager.io/v1alpha2
{{- else if or (.Capabilities.APIVersions.Has "certmanager.k8s.io/v1alpha1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (lt (int $certmanagerVer._1) 11)) }}
apiVersion: certmanager.k8s.io/v1alpha1
{{- else }}
# Setting latest version as default
apiVersion: cert-manager.io/v1
{{- end }}
kind: Issuer
metadata:
labels: {{ include "externalip-webhook.labels" . | indent 4 }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
name: {{ template "externalip-webhook.fullname" . }}-issuer
namespace: {{ .Release.Namespace }}
spec:
selfSigned: {}
{{- end -}}

View File

@ -1,35 +0,0 @@
apiVersion: v1
kind: Service
metadata:
labels: {{ include "externalip-webhook.labels" . | indent 4 }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
name: {{ template "externalip-webhook.fullname" . }}
namespace: {{ .Release.Namespace }}
spec:
ports:
- name: webhook-server
port: {{ .Values.service.webhookPort }}
protocol: TCP
targetPort: {{ .Values.webhookPort }}
selector:
app: {{ template "externalip-webhook.name" . }}
type: "ClusterIP"
{{- if .Values.metrics.enabled }}
---
apiVersion: v1
kind: Service
metadata:
labels: {{ include "externalip-webhook.labels" . | indent 4 }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
name: {{ template "externalip-webhook.fullname" . }}-metrics-service
namespace: {{ .Release.Namespace }}
spec:
ports:
- name: webhook-metrics
port: {{ .Values.service.metricsPort }}
protocol: TCP
targetPort: {{ .Values.metrics.port }}
selector:
app: {{ template "externalip-webhook.name" . }}
type: "ClusterIP"
{{- end }}

View File

@ -1,7 +0,0 @@
apiVersion: v1
kind: ServiceAccount
metadata:
labels: {{ include "externalip-webhook.labels" . | indent 4 }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
name: {{ template "externalip-webhook.fullname" . }}
namespace: {{ .Release.Namespace }}

View File

@ -1,16 +0,0 @@
{{- if and (.Values.metrics.enabled) (.Values.metrics.prometheusExport) -}}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
labels: {{ include "externalip-webhook.labels" . | indent 4 }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
name: {{ template "externalip-webhook.fullname" . }}-monitor
namespace: {{ .Release.Namespace }}
spec:
endpoints:
- path: /metrics
port: https
selector:
matchLabels:
app: {{ template "externalip-webhook.name" . }}
{{- end }}
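Review bot: this ServiceMonitor can never scrape anything, because its endpoint references `port: https` while the metrics Service in service.yaml names its port `webhook-metrics` (`- name: webhook-metrics`), and Prometheus Operator matches endpoints by Service port name. The `matchLabels` selector on `app` also matches the webhook Service, which has no such port at all. The fix is `port: webhook-metrics`, and when `metrics.authProxy.enabled` is true and kube-rbac-proxy terminates TLS, `scheme: https` plus a `tlsConfig` and `bearerTokenFile` so the scrape passes the proxy's TokenReview. The unit test for this template only checks the document count, so the mismatch was never caught.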

View File

@ -1,32 +0,0 @@
suite: Test Admission Registration
templates:
- admissionregistration.yaml
tests:
- it: should render Admission Registration
asserts:
- equal:
path: apiVersion
value: admissionregistration.k8s.io/v1beta1
- it: should render Admission Registration annotation and not caBundle if certificates.certManager.enabled = true
release:
name: rancher-externalip-webhook
namespace: test
set:
certificates.certManager.enabled: true
asserts:
- equal:
path: metadata.annotations
value:
cert-manager.io/inject-ca-from: test/rancher-externalip-webhook-server-cert
- isNull:
path: webhooks[0].clientConfig.caBundle
- it: should render Admission Registration caBundle and not annotation if certificates.certManager.enabled = false
set:
certificates.caBundle: test
certificates.certManager.enabled: false
asserts:
- equal:
path: webhooks[0].clientConfig.caBundle
value: test
- isNull:
path: metadata.annotations

View File

@ -1,37 +0,0 @@
suite: Test Cluster Roles
templates:
- clusterrole.yaml
tests:
- it: should not render Cluster Roles if metrics.enabled = false or metrics.authProxy.enabled = false
set:
metrics.enabled: false
metrics.authProxy.enabled: false
asserts:
- hasDocuments:
count: 0
template: clusterrole.yaml
- it: should render Cluster Roles if metrics.enabled = true and metrics.authProxy.enabled = true
set:
metrics.enabled: true
metrics.authProxy.enabled: true
asserts:
- hasDocuments:
count: 2
template: clusterrole.yaml
- it: should render Cluster Roles with default rbac api version if metrics.enabled = true and metrics.authProxy.enabled = true
set:
metrics.enabled: true
metrics.authProxy.enabled: true
asserts:
- equal:
path: apiVersion
value: rbac.authorization.k8s.io/v1
- it: should render Cluster Roles with custom rbac api version if metrics.enabled = true and metrics.authProxy.enabled = true
set:
metrics.enabled: true
metrics.authProxy.enabled: true
rbac.apiVersion: v1beta
asserts:
- equal:
path: apiVersion
value: rbac.authorization.k8s.io/v1beta

View File

@ -1,42 +0,0 @@
suite: Test Cluster Role Bindings
templates:
- clusterrolebinding.yaml
tests:
- it: should render Cluster Role Bindings with default rbac api version
set:
rbac.apiVersion: v1
asserts:
- equal:
path: apiVersion
value: rbac.authorization.k8s.io/v1
- it: should render Cluster Role Bindings with custom rbac api version
set:
rbac.apiVersion: v1beta
asserts:
- equal:
path: apiVersion
value: rbac.authorization.k8s.io/v1beta
- it: should not render Cluster Role Binding proxy if metrics.enabled = false or metrics.authProxy.enabled = false
set:
metrics.enabled: false
metrics.authProxy.enabled: false
asserts:
- hasDocuments:
count: 1
template: clusterrolebinding.yaml
- it: should render Cluster Role Bindings proxy if metrics.enabled = true and metrics.authProxy.enabled = true
set:
metrics.enabled: true
metrics.authProxy.enabled: true
asserts:
- hasDocuments:
count: 2
template: clusterrolebinding.yaml
- it: should render Cluster Role Bindings with default rbac api version if metrics.enabled = true and metrics.authProxy.enabled = true
set:
metrics.enabled: true
metrics.authProxy.enabled: true
asserts:
- equal:
path: apiVersion
value: rbac.authorization.k8s.io/v1

View File

@ -1,202 +0,0 @@
suite: Test Deployments
templates:
- deployment.yaml
tests:
- it: should render Deployment with allowed-external-ip-cidrs arg if allowedExternalIPCidrs is set
release:
name: rancher-externalip-webhook
set:
allowedExternalIPCidrs: "1,2"
asserts:
- equal:
path: spec.template.spec.containers[0].args[1]
value: --allowed-external-ip-cidrs=1,2
- it: should render Deployment with default port, nodeSelector and tolerations if metrics.enabled = false and metrics.authProxy.enabled = false
release:
name: rancher-externalip-webhook
asserts:
- equal:
path: spec.template.spec.containers[0].name
value: rancher-externalip-webhook
- equal:
path: spec.template.spec.containers[0].ports[0]
value:
containerPort: 9443
name: webhook-server
protocol: TCP
- equal:
path: spec.template.spec.tolerations[0]
value:
key: "cattle.io/os"
value: "linux"
effect: "NoSchedule"
operator: "Equal"
- equal:
path: spec.template.spec.nodeSelector
value:
kubernetes.io/os: linux
- it: should render Deployment with default port and custom nodeSelector and tolerations if metrics.enabled = false and metrics.authProxy.enabled = false
release:
name: rancher-externalip-webhook
set:
tolerations:
- key: "cattle.io/test"
value: "linux"
effect: "NoSchedule"
operator: "Equal"
nodeSelector:
kubernetes.io/test: linux
asserts:
- equal:
path: spec.template.spec.containers[0].name
value: rancher-externalip-webhook
- equal:
path: spec.template.spec.containers[0].ports[0]
value:
containerPort: 9443
name: webhook-server
protocol: TCP
- equal:
path: spec.template.spec.tolerations[0]
value:
key: "cattle.io/os"
value: "linux"
effect: "NoSchedule"
operator: "Equal"
- equal:
path: spec.template.spec.tolerations[1]
value:
key: "cattle.io/test"
value: "linux"
effect: "NoSchedule"
operator: "Equal"
- equal:
path: spec.template.spec.nodeSelector
value:
kubernetes.io/os: linux
kubernetes.io/test: linux
- it: should render Deployment with custom port and image if metrics.enabled = false and metrics.authProxy.enabled = false
release:
name: rancher-externalip-webhook
set:
webhookPort: 9000
image.repository: test
image.tag: dev-test
asserts:
- equal:
path: spec.template.spec.containers[0].name
value: rancher-externalip-webhook
- equal:
path: spec.template.spec.containers[0].image
value: test:dev-test
- equal:
path: spec.template.spec.containers[0].ports[0]
value:
containerPort: 9000
name: webhook-server
protocol: TCP
- it: should render Deployment with default metrics port if metrics.enabled = true and metrics.authProxy.enabled = false
release:
name: rancher-externalip-webhook
set:
metrics.enabled: true
asserts:
- equal:
path: spec.template.spec.containers[0].name
value: rancher-externalip-webhook
- equal:
path: spec.template.spec.containers[0].ports[0]
value:
containerPort: 9443
name: webhook-server
protocol: TCP
- equal:
path: spec.template.spec.containers[0].ports[1]
value:
containerPort: 8443
name: webhook-metrics
protocol: TCP
- it: should render Deployment with custom metrics port if metrics.enabled = true and metrics.authProxy.enabled = false
release:
name: rancher-externalip-webhook
set:
metrics.enabled: true
metrics.port: 8000
asserts:
- equal:
path: spec.template.spec.containers[0].name
value: rancher-externalip-webhook
- equal:
path: spec.template.spec.containers[0].ports[0]
value:
containerPort: 9443
name: webhook-server
protocol: TCP
- equal:
path: spec.template.spec.containers[0].ports[1]
value:
containerPort: 8000
name: webhook-metrics
protocol: TCP
- it: should render Deployment with default metrics port if metrics.enabled = true and metrics.authProxy.enabled = true
release:
name: rancher-externalip-webhook
set:
metrics.enabled: true
metrics.authProxy.enabled: true
asserts:
- equal:
path: spec.template.spec.containers[0].name
value: rancher-externalip-webhook-auth-proxy
- equal:
path: spec.template.spec.containers[0].ports[0]
value:
containerPort: 8443
name: webhook-metrics
protocol: TCP
- equal:
path: spec.template.spec.containers[1].name
value: rancher-externalip-webhook
- equal:
path: spec.template.spec.containers[1].ports[0]
value:
containerPort: 9443
name: webhook-server
protocol: TCP
- it: should render Deployment with custom metrics port and image if metrics.enabled = true and metrics.authProxy.enabled = true
release:
name: rancher-externalip-webhook
set:
metrics.enabled: true
metrics.authProxy.enabled: true
metrics.port: 8000
webhookPort: 9000
image.repository: test
image.tag: dev-test
metrics.authProxy.image.repository: auth
metrics.authProxy.image.tag: auth-test
asserts:
- equal:
path: spec.template.spec.containers[0].name
value: rancher-externalip-webhook-auth-proxy
- equal:
path: spec.template.spec.containers[0].image
value: auth:auth-test
- equal:
path: spec.template.spec.containers[0].ports[0]
value:
containerPort: 8000
name: webhook-metrics
protocol: TCP
- equal:
path: spec.template.spec.containers[1].name
value: rancher-externalip-webhook
- equal:
path: spec.template.spec.containers[1].image
value: test:dev-test
- equal:
path: spec.template.spec.containers[1].ports[0]
value:
containerPort: 9000
name: webhook-server
protocol: TCP

View File

@ -1,106 +0,0 @@
suite: Test Issuers
templates:
- issuer.yaml
tests:
- it: should not render issuer if certificates.certManager.enabled = false
set:
certificates.certManager.enabled: false
asserts:
- hasDocuments:
count: 0
template: issuer.yaml
- it: should render issuer if certificates.certManager.enabled = true
set:
certificates.certManager.enabled: true
asserts:
- hasDocuments:
count: 2
template: issuer.yaml
- it: should set issuer apiVersion with default cert-manager
set:
certificates.certManager.enabled: true
asserts:
- equal:
path: apiVersion
value: cert-manager.io/v1
template: issuer.yaml
- it: should set issuer apiVersion with cert-manager >= 1.0.0 using capabilities
capabilities:
apiversions:
- cert-manager.io/v1
set:
certificates.certManager.enabled: true
asserts:
- equal:
path: apiVersion
value: cert-manager.io/v1
template: issuer.yaml
- it: should set issuer apiVersion with cert-manager >= 0.16.0 using capabilities
capabilities:
apiversions:
- cert-manager.io/v1beta1
set:
certificates.certManager.enabled: true
asserts:
- equal:
path: apiVersion
value: cert-manager.io/v1beta1
template: issuer.yaml
- it: should set issuer apiVersion with cert-manager >= 0.11.0 using capabilities
capabilities:
apiversions:
- cert-manager.io/v1alpha2
set:
certificates.certManager.enabled: true
asserts:
- equal:
path: apiVersion
value: cert-manager.io/v1alpha2
template: issuer.yaml
- it: should set issuer apiVersion with cert-manager < 0.11.0 using capabilities
capabilities:
apiversions:
- certmanager.k8s.io/v1alpha1
set:
certificates.certManager.enabled: true
asserts:
- equal:
path: apiVersion
value: certmanager.k8s.io/v1alpha1
template: issuer.yaml
- it: should set issuer apiVersion with cert-manager >= 1.0.0 using parameter
set:
certificates.certManager.version: 1.0.0
certificates.certManager.enabled: true
asserts:
- equal:
path: apiVersion
value: cert-manager.io/v1
template: issuer.yaml
- it: should set issuer apiVersion with cert-manager >= 0.16.0 using parameter
set:
certificates.certManager.version: 0.16.0
certificates.certManager.enabled: true
asserts:
- equal:
path: apiVersion
value: cert-manager.io/v1beta1
template: issuer.yaml
- it: should set issuer apiVersion with cert-manager >= 0.11.0 using parameter
set:
certificates.certManager.version: 0.11.0
certificates.certManager.enabled: true
asserts:
- equal:
path: apiVersion
value: cert-manager.io/v1alpha2
template: issuer.yaml
- it: should set letsEncrypt apiVersion with cert-manager < 0.11.0 using parameter
set:
certificates.certManager.version: 0.9.0
certificates.certManager.enabled: true
asserts:
- equal:
path: apiVersion
value: certmanager.k8s.io/v1alpha1
template: issuer.yaml

View File

@ -1,69 +0,0 @@
suite: Test Services
templates:
- service.yaml
tests:
- it: should render webhook-server service with default webhookPort if metrics.enabled = false
set:
metrics.enabled: false
asserts:
- equal:
path: spec.ports[0]
value:
name: webhook-server
port: 443
protocol: TCP
targetPort: 9443
- it: should render webhook-server service with custom webhookPort if metrics.enabled = false
set:
metrics.enabled: false
webhookPort: 9000
asserts:
- equal:
path: spec.ports[0]
value:
name: webhook-server
port: 443
protocol: TCP
targetPort: 9000
- it: should render webhook-server and webhook-metrics services with default webhookPort and metrics.port, if metrics.enabled = true
set:
metrics.enabled: true
asserts:
- equal:
path: spec.ports[0]
value:
name: webhook-server
port: 443
protocol: TCP
targetPort: 9443
documentIndex: 0
- equal:
path: spec.ports[0]
value:
name: webhook-metrics
port: 8443
protocol: TCP
targetPort: 8443
documentIndex: 1
- it: should render webhook-server and webhook-metrics services with custom webhookPort and metrics.port, if metrics.enabled = true
set:
metrics.enabled: true
metrics.port: 8000
webhookPort: 9000
asserts:
- equal:
path: spec.ports[0]
value:
name: webhook-server
port: 443
protocol: TCP
targetPort: 9000
documentIndex: 0
- equal:
path: spec.ports[0]
value:
name: webhook-metrics
port: 8443
protocol: TCP
targetPort: 8000
documentIndex: 1

@ -1,9 +0,0 @@
suite: Test Service Accounts
templates:
- serviceaccount.yaml
tests:
- it: should render Service Account
asserts:
- hasDocuments:
count: 1
template: serviceaccount.yaml

@ -1,20 +0,0 @@
suite: Test Service Monitors
templates:
- servicemonitor.yaml
tests:
- it: should not render Service Monitor if metrics.enabled = false or metrics.prometheusExport = false
set:
metrics.enabled: false
metrics.prometheusExport: false
asserts:
- hasDocuments:
count: 0
template: servicemonitor.yaml
- it: should render Service Account if metrics.enabled = true and metrics.authProxy.enabled = true
set:
metrics.enabled: true
metrics.prometheusExport: true
asserts:
- hasDocuments:
count: 1
template: servicemonitor.yaml
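Review bot: the second case's description, `it: should render Service Account if metrics.enabled = true and metrics.authProxy.enabled = true`, matches neither its inputs nor its assertion: it sets `metrics.prometheusExport: true` (not `metrics.authProxy.enabled`) and checks that `servicemonitor.yaml` renders one document. If this suite is carried on anywhere after the removal, rename it to "should render Service Monitor if metrics.enabled = true and metrics.prometheusExport = true". The first case also only exercises the `or` in its description with both flags false; a case with `metrics.enabled: true` and `metrics.prometheusExport: false`, and the reverse, would actually verify that either flag alone suppresses the ServiceMonitor.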

@ -1,67 +0,0 @@
## Allowed external IP cidrs
allowedExternalIPCidrs: ""
## Certificates generation for webhook
certificates:
certManager:
# Enable cert manager integration. Cert manager should be already installed at the k8s cluster
enabled: true
version: ""
# If cert-manager integration is disabled, add self signed ca.crt in base64 format
caBundle: ""
# If cert-manager integration is disabled, upload certs data (ca.crt, tls.crt and tls.key) as k8s secretName in the namespace
secretName: webhook-server-cert
## Details about the image to be pulled.
image:
pullPolicy: IfNotPresent
pullSecrets: []
repository: rancher/externalip-webhook
tag: v0.1.6
## Enabling metrics endpoint
# Webhook emits `webhook_failed_request_count` metrics whenever it rejects service creation or update operation
metrics:
enabled: false
port: 8443
# Enable webhook metrics export to Prometheus
prometheusExport: false
# Webhook metrics auth proxy. This option is just available for amd64 arch
authProxy:
enabled: false
port: 8080
image:
pullPolicy: IfNotPresent
pullSecrets: []
repository: rancher/mirrored-kube-rbac-proxy
tag: v0.5.0
resources:
limits:
memory: 30Mi
cpu: 100m
requests:
memory: 20Mi
cpu: 100m
## Node labels for pod assignment
## Ref: https://kubernetes.io/docs/user-guide/node-selection/
##
nodeSelector: {}
## RBAC
rbac:
apiVersion: v1
## CPU and Memory limit and request for externalip-webhook
resources:
limits:
memory: 30Mi
cpu: 100m
requests:
memory: 20Mi
cpu: 100m
service:
metricsPort: 8443
webhookPort: 443
## Webhook serviceAccountName. Just used if metrics.authProxy.enabled = false
serviceAccountName: default
## List of node taints to tolerate (requires Kubernetes >= 1.6)
tolerations: []
## Webhook server pod port
webhookPort: 9443
global:
systemDefaultRegistry: ""
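Review bot: `serviceAccountName: default`, qualified by the comment "Just used if metrics.authProxy.enabled = false", means the webhook pod ran under the namespace's `default` ServiceAccount unless the metrics auth proxy was switched on, even though the chart renders its own ServiceAccount (the serviceaccount.yaml suite above asserts exactly one document). An admission webhook that exists as the CVE-2020-8554 mitigation should not share an identity with whatever else lands in `cattle-externalip-system`; if this chart is re-homed rather than dropped, make the chart-managed ServiceAccount the default in both modes.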

@ -1,11 +0,0 @@
annotations:
catalog.cattle.io/certified: rancher
catalog.cattle.io/hidden: "true"
catalog.cattle.io/namespace: rancher-operator-system
catalog.cattle.io/os: linux
catalog.cattle.io/release-name: rancher-operator-crd
apiVersion: v2
appVersion: 0.1.4
description: Rancher Operator CustomResourceDefinitions
name: rancher-operator-crd
version: 100.0.0+up0.1.4

@ -1,14 +0,0 @@
annotations:
catalog.cattle.io/auto-install: rancher-operator-crd=match
catalog.cattle.io/certified: rancher
catalog.cattle.io/experimental: "true"
catalog.cattle.io/hidden: "true"
catalog.cattle.io/namespace: rancher-operator-system
catalog.cattle.io/os: linux
catalog.cattle.io/provides-gvr: clusters.rancher.cattle.io/v1
catalog.cattle.io/release-name: rancher-operator
apiVersion: v2
appVersion: 0.1.4
description: Control Rancher using GitOps
name: rancher-operator
version: 100.0.0+up0.1.4
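Review bot: with `catalog.cattle.io/auto-install: rancher-operator-crd=match` and `catalog.cattle.io/provides-gvr: clusters.rancher.cattle.io/v1` both going away, clusters that already installed this pair keep the `clusters.rancher.cattle.io` CustomResourceDefinition and any objects on it: uninstalling a Helm release does not delete CRDs, and removing a chart from the catalog does nothing to existing releases at all. The commit message only lists what is deleted; please add a release note, or a pointer in the PR, saying whether rancher-operator users should uninstall the release and remove the CRD by hand before upgrading, or whether something else now provides that GVR.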

@ -1,7 +0,0 @@
{{- define "system_default_registry" -}}
{{- if .Values.global.cattle.systemDefaultRegistry -}}
{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
{{- else -}}
{{- "" -}}
{{- end -}}
{{- end -}}

@ -1,23 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: rancher-operator
spec:
selector:
matchLabels:
app: rancher-operator
template:
metadata:
labels:
app: rancher-operator
spec:
containers:
- env:
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: '{{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}'
name: rancher-operator
imagePullPolicy: "{{ .Values.image.imagePullPolicy }}"
serviceAccountName: rancher-operator

@ -1,44 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: rancher-operator
rules:
- apiGroups:
- ""
resources:
- secrets
- configmaps
- namespaces
verbs:
- '*'
- apiGroups:
- apps
resources:
- daemonsets
- deployments
verbs:
- list
- get
- watch
- apiGroups:
- "rancher.cattle.io"
- "management.cattle.io"
- "fleet.cattle.io"
resources:
- '*'
verbs:
- '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: rancher-operator
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: rancher-operator
subjects:
- kind: ServiceAccount
name: rancher-operator
namespace: {{.Release.Namespace}}
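Review bot: the `rancher-operator` ClusterRole grants verbs `'*'` on `secrets`, `configmaps` and `namespaces` in every namespace, plus `'*'` on every resource in `rancher.cattle.io`, `management.cattle.io` and `fleet.cattle.io`, and the ClusterRoleBinding that follows hands all of that to the `rancher-operator` ServiceAccount cluster-wide. Deleting the chart source does not touch clusters where a release exists, so the guidance for this removal should tell operators to `helm uninstall` the release, which takes the role and binding with it, rather than just drop the chart from their catalog.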

@ -1,4 +0,0 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: rancher-operator

@ -1,8 +0,0 @@
image:
repository: rancher/rancher-operator
tag: v0.1.4
imagePullPolicy: IfNotPresent
global:
cattle:
systemDefaultRegistry: ""

@ -1,22 +0,0 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

@ -1,15 +0,0 @@
annotations:
catalog.cattle.io/certified: rancher
catalog.cattle.io/display-name: Rio
catalog.cattle.io/experimental: "true"
catalog.cattle.io/hidden: "true"
catalog.cattle.io/namespace: rio-system
catalog.cattle.io/release-name: rio
catalog.cattle.io/requires-gvr: networking.istio.io.virtualservice/v1beta1
apiVersion: v1
appVersion: 0.8.0
description: The application deployment engine for Kubernetes
home: https://rio.io
icon: https://charts.rancher.io/assets/logos/rio.svg
name: rio
version: 100.0.0

@ -1,46 +0,0 @@
# Rio
[Rio](https://rio.io) is an application deployment engine for Kubernetes.
This chart will install the rio controller, which will then install the Rio system.
Note that the [Rio CLI](https://github.com/rancher/rio/releases) is the preferred installation route, see `rio install -h` for more information.
## Configuration
See values.yaml for installation options.
## Prerequisites
Rio requires Kubernetes 1.15 or newer cluster.
## Installation
Create the namespace where Rio will be installed, `rio-system` is standard but not required:
```bash
$ kubectl create namespace rio-system
$ kubectl label namespace rio-system rio.cattle.io/is-system=true
```
Install the chart:
```bash
$ helm install --namespace rio-system --name rio ./
```
Wait for the controller to come up, and then ensure a cluster domain and IP exists:
```bash
$ kubectl -n rio-system rollout status deploy/rio-controller
$ rio info
```
## Uninstallation
To completely uninstall Rio from your system:
```bash
$ rio uninstall
$ helm delete --purge rio
```

@ -1,17 +0,0 @@
{{ .Chart.Name | title }} {{ .Values.tag }} is now installing.
Please wait for the system to come up.
* Check the controller install with: kubectl -n {{ .Release.Namespace }} rollout status deploy/rio-controller
* Check `rio info` to ensure you get a cluster domain and IP
To troubleshoot check:
* rio system logs
* kubectl -n {{ .Release.Namespace }} get pods
To start an application try: rio run -p 80 -n demo nginx
For more info see:
* The official site: https://rio.io
* The docs: https://github.com/rancher/rio/tree/master/docs

@ -1,8 +0,0 @@
{{- define "featuresList" -}}
{{- $local := dict "first" true -}}
"features":{ {{- range $k, $v := . -}}
{{- if not $local.first -}},{{- end -}}
"{{$k}}":{"enabled":{{$v}}}{{- $_ := set $local "first" false -}}
{{- end -}}
{{- end -}}}
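Review bot: the `}` after the final `{{- end -}}` on the last line sits outside the `define`, so `featuresList` emits `"features":{` followed by the comma-separated entries and never closes the object; the rio-config ConfigMap template that includes it compensates with an extra `}` in its own literal. The rendered JSON is valid, but one object is closed across two files and the stray brace in the helper is dead text, which is easy to break on the next edit. If the helper is kept anywhere, move the closing brace inside the define, before the define's `end`, and drop the extra one from the consumer.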

@ -1,394 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: rio-cluster-admin
rules:
- apiGroups:
- ""
resources:
- '*'
verbs:
- '*'
- nonResourceURLs:
- '*'
verbs:
- '*'
- apiGroups:
- apiregistration.k8s.io
resources:
- apiservices
verbs:
- '*'
- apiGroups:
- admissionregistration.k8s.io
resources:
- mutatingwebhookconfigurations
- validatingwebhookconfigurations
verbs:
- '*'
- apiGroups:
- extensions
- apps
resources:
- replicasets
- deployments
- daemonsets
- statefulsets
verbs:
- '*'
- apiGroups:
- build.knative.dev
- caching.internal.knative.dev
resources:
- '*'
verbs:
- '*'
- apiGroups:
- cert-manager.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- networking.k8s.io
- extensions
resources:
- ingresses
- ingresses/status
verbs:
- '*'
- apiGroups:
- batch
resources:
- '*'
verbs:
- '*'
- apiGroups:
- autoscaling
resources:
- '*'
verbs:
- '*'
- apiGroups:
- rbac.authorization.k8s.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- admin.rio.cattle.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- rio.cattle.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- gitwatcher.cattle.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- linkerd.io
resources:
- serviceprofiles
verbs:
- '*'
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- '*'
- apiGroups:
- authentication.istio.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- policy
resources:
- podsecuritypolicies
verbs:
- '*'
- apiGroups:
- split.smi-spec.io
resources:
- trafficsplits
verbs:
- '*'
- apiGroups:
- storage.k8s.io
resources:
- storageclasses
verbs:
- '*'
- apiGroups:
- gateway.solo.io.v2
- gateway.solo.io
- gloo.solo.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- tekton.dev
resources:
- tasks
- clustertasks
- taskruns
- pipelines
- pipelineruns
- pipelineresources
verbs:
- get
- list
- create
- update
- delete
- patch
- watch
- apiGroups:
- tekton.dev
resources:
- taskruns/finalizers
- pipelineruns/finalizers
verbs:
- get
- list
- create
- update
- delete
- patch
- watch
- apiGroups:
- tekton.dev
resources:
- tasks/status
- clustertasks/status
- taskruns/status
- pipelines/status
- pipelineruns/status
- pipelineresources/status
verbs:
- get
- list
- create
- update
- delete
- patch
- watch
- apiGroups:
- policy
resourceNames:
- tekton-pipelines
resources:
- podsecuritypolicies
verbs:
- use
- apiGroups:
- networking.istio.io
resources:
- '*'
verbs:
- '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: rio-admin
rules:
- apiGroups:
- rio.cattle.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- admin.rio.cattle.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- autoscale.rio.cattle.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- tekton.dev
resources:
- taskruns
verbs:
- '*'
- apiGroups:
- ""
resources:
- '*'
verbs:
- '*'
- apiGroups:
- apps
- extensions
resources:
- '*'
verbs:
- '*'
- apiGroups:
- certmanager.k8s.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- split.smi-spec.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- linkerd.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- networking.istio.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- ""
resources:
- '*'
verbs:
- '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: rio-readonly
rules:
- apiGroups:
- rio.cattle.io
resources:
- '*'
verbs:
- get
- list
- watch
- apiGroups:
- tekton.dev
resources:
- taskruns
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- '*'
verbs:
- get
- list
- watch
- apiGroups:
- apps
- extensions
resources:
- '*'
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: rio-privileged
rules:
- apiGroups:
- rio.cattle.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- tekton.dev
resources:
- taskruns
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- '*'
verbs:
- get
- list
- watch
- create
- apiGroups:
- apps
- extensions
resources:
- '*'
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: rio-standard
rules:
- apiGroups:
- rio.cattle.io
resources:
- '*'
verbs:
- get
- list
- watch
- create
- update
- delete
- patch
- apiGroups:
- tekton.dev
resources:
- taskruns
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- '*'
verbs:
- get
- list
- watch
- create
- apiGroups:
- apps
- extensions
resources:
- '*'
verbs:
- get
- list
- watch
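Review bot: two inconsistencies in the roles being removed, worth recording in case they come back: `rio-admin` lists the core-group rule (`apiGroups: [""]`, resources `'*'`, verbs `'*'`) twice, once in the middle and again as its last rule, and `rio-admin` grants on `certmanager.k8s.io` while `rio-cluster-admin` grants on `cert-manager.io`, so the two roles target different cert-manager API generations. Separately, `rio-cluster-admin` combines `'*'` on all core resources, `'*'` on `nonResourceURLs` and `'*'` on `rbac.authorization.k8s.io`, which is cluster-admin in everything but name (the RBAC grant alone permits self-escalation), and `rio-privileged` and `rio-standard` differ only in the verbs on `rio.cattle.io`, so one of them reads like a stale copy of the other.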

@ -1,12 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: rio-controller-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: rio-cluster-admin
subjects:
- kind: ServiceAccount
name: rio-controller-serviceaccount
namespace: {{ .Release.Namespace }}
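Review bot: this binding hands `rio-cluster-admin` to `rio-controller-serviceaccount` cluster-wide, and deleting the chart from the catalog does not revoke it anywhere Rio is already running; only removing the release does. The chart's own README gives the sequence (`rio uninstall`, then `helm delete --purge rio`, which is Helm 2 syntax; on Helm 3 the equivalent is `helm uninstall rio -n rio-system`). Since that README goes away with this commit, please carry the uninstall guidance into the release notes for the removal.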

@ -1,7 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: rio-config
namespace: {{ .Release.Namespace }}
data:
config: '{"letsEncrypt":{ {{- if .Values.letsEncryptEmail -}} "email":"{{ .Values.letsEncryptEmail }}" {{- end -}} },"gateway":{ {{- if .Values.ipAddress -}} "staticAddresses":[{"ip":"{{ .Values.ipAddress }}"}] {{- end -}}}, {{ include "featuresList" .Values.features }} }}'
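Review bot: `"staticAddresses":[{"ip":"{{ .Values.ipAddress }}"}]` wraps the whole `ipAddress` value in a single JSON object, but values.yaml documents the key as `supports comma separated values`; a value like `1.2.3.4,5.6.7.8` renders as one `ip` string rather than two entries, so either the comment or the template is wrong. The same line also interpolates `letsEncryptEmail` into a JSON string without escaping. If this template is ever revived, split the value with `splitList ","` and build the array with `toJson` instead of concatenating JSON text.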

@ -1,49 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: rio-controller
namespace: {{ .Release.Namespace }}
spec:
selector:
matchLabels:
rio-controller: "true"
template:
metadata:
labels:
rio-controller: "true"
spec:
containers:
- args:
- rio-controller
{{- if .Values.debug }}
- --debug
{{- end }}
- --features
- ""
{{- if .Values.gatewayServiceName }}
- --gateway-service-name
- {{ .Values.gatewayServiceName }}
{{- end }}
{{- if .Values.gatewayServiceNamespace }}
- --gateway-service-namespace
- {{ .Values.gatewayServiceNamespace }}
{{- end }}
env:
- name: RUN_API_VALIDATOR
value: "TRUE"
- name: RIO_NAMESPACE
value: {{ .Release.Namespace }}
image: "{{ .Values.image }}:{{ .Values.tag }}"
imagePullPolicy: Always
name: rio-controller
volumeMounts:
- mountPath: /var/run/rio/ssl
name: secret-api-validator
readOnly: true
serviceAccountName: rio-controller-serviceaccount
volumes:
- name: secret-api-validator
secret:
defaultMode: 420
optional: true
secretName: rio-api-validator

@ -1,26 +0,0 @@
{{- if .Values.addRemoteAddressFilter }}
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: xff-trust-hops
namespace: {{ .Release.Namespace }}
spec:
workloadSelector:
labels:
istio: ingressgateway
configPatches:
- applyTo: NETWORK_FILTER
match:
context: ANY
listener:
filterChain:
filter:
name: "envoy.http_connection_manager"
patch:
operation: MERGE
value:
typed_config:
"@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager"
use_remote_address: true
xff_num_trusted_hops: 1
{{- end }}
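Review bot: this filter is on by default (`addRemoteAddressFilter: true` in values.yaml) and sets `use_remote_address: true` with `xff_num_trusted_hops: 1`, which tells Envoy to treat the last X-Forwarded-For entry as appended by a trusted proxy. That is only correct when exactly one trusted L7 proxy sits in front of the Istio ingress gateway; behind a plain L4 load balancer, or with the gateway exposed directly, a client can put any address in X-Forwarded-For and it becomes the trusted client IP seen by everything downstream (access logs, rate limits, IP allow-lists). Anything that re-creates this filter should make the hop count a value rather than a constant and document the topology it assumes. The `...http_connection_manager.v2.HttpConnectionManager` type URL is also the deprecated Envoy v2 API, which recent Envoy releases no longer accept.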

@ -1,5 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: rio-api-validator
namespace: {{ .Release.Namespace }}

@ -1,13 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: rio-api-validator
namespace: {{ .Release.Namespace }}
spec:
ports:
- name: https-443
port: 443
protocol: TCP
targetPort: 443
selector:
rio-controller: "true"

@ -1,5 +0,0 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: rio-controller-serviceaccount
namespace: {{ .Release.Namespace }}

@ -1,23 +0,0 @@
image: rancher/rio-controller
tag: v0.8.0 # Rio version to install
letsEncryptEmail: "" # Provide an email for Let's Encrypt account registration
ipAddress: "" # Manually specify IP addresses to generate rdns domain, supports comma separated values
debug: false # Enable debug logging in controller
# Manually specify features to disable, supports comma separated values
# Istio configuration with ingress enabled
features:
autoscaling: true
build: true
dashboard: false
gloo: false
linkerd: false
istio: true
ingress: false
letsencrypt: true
rdns: true
gatewayServiceName: istio-ingressgateway
gatewayServiceNamespace: istio-system
addRemoteAddressFilter: true
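Review bot: the two comment lines above `features:`, `# Manually specify features to disable, supports comma separated values` and `# Istio configuration with ingress enabled`, describe neither the map below them (a set of booleans, with `ingress: false`) nor the deployment, which passes the `--features` flag as an empty string while the feature map is rendered into the `rio-config` ConfigMap instead. Comments in a values file are the documentation users actually read, so if these values are ever reinstated the block should say what the booleans do and drop the reference to a comma-separated list.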

@ -1,27 +0,0 @@
--- charts-original/Chart.yaml
+++ charts/Chart.yaml
@@ -3,12 +3,12 @@
catalog.cattle.io/display-name: External IP Webhook
catalog.cattle.io/namespace: cattle-externalip-system
catalog.cattle.io/os: linux
- catalog.cattle.io/release-name: rancher-externalip-webhook
- catalog.cattle.io/ui-component: rancher-externalip-webhook
+ catalog.cattle.io/release-name: rancher-external-ip-webhook
+ catalog.cattle.io/ui-component: rancher-external-ip-webhook
apiVersion: v1
appVersion: v0.1.6
description: |
- Deploy the externalip-webhook to mitigate k8s CVE-2020-8554
+ Deploy the external-ip-webhook to mitigate k8s CVE-2020-8554
home: https://github.com/rancher/externalip-webhook
keywords:
- cve
@@ -18,7 +18,7 @@
maintainers:
- email: raul@rancher.com
name: rawmind0
-name: rancher-externalip-webhook
+name: rancher-external-ip-webhook
sources:
- https://github.com/rancher/externalip-webhook
version: 0.1.6
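Review bot: this is the patch that named the chart `rancher-external-ip-webhook` and described it as `Deploy the external-ip-webhook to mitigate k8s CVE-2020-8554`, and the commit deletes it with the rest of the chart without saying why. Removing a mitigation chart is a user-visible change: please state in the commit message or PR description whether a later version replaces it, whether `home: https://github.com/rancher/externalip-webhook` is now the supported install path, or whether the platform covers CVE-2020-8554 without the webhook, and add a release note so existing users know the catalog entry is gone while their installed release is untouched.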

@ -1,11 +0,0 @@
--- charts-original/values.yaml
+++ charts/values.yaml
@@ -30,7 +30,7 @@
image:
pullPolicy: IfNotPresent
pullSecrets: []
- repository: rancher/kube-rbac-proxy
+ repository: rancher/mirrored-kube-rbac-proxy
tag: v0.5.0
resources:
limits:

@ -1,2 +0,0 @@
url: https://github.com/rancher/externalip-webhook/releases/download/v0.1.6/rancher-externalip-webhook-0.1.6.tgz
version: 100.0.0

@ -1,2 +0,0 @@
url: https://github.com/rancher/rancher-operator/releases/download/v0.1.4/rancher-operator-crd-0.1.4.tgz
version: 100.0.0

@ -1,2 +0,0 @@
url: https://github.com/rancher/rancher-operator/releases/download/v0.1.4/rancher-operator-0.1.4.tgz
version: 100.0.0

@ -1,22 +0,0 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

@ -1,15 +0,0 @@
apiVersion: v1
name: rio
version: 0.8.0
appVersion: 0.8.0
description: The application deployment engine for Kubernetes
home: https://rio.io
icon: https://charts.rancher.io/assets/logos/rio.svg
annotations:
catalog.cattle.io/certified: rancher
catalog.cattle.io/namespace: rio-system
catalog.cattle.io/release-name: rio
catalog.cattle.io/hidden: true
catalog.cattle.io/experimental: true
catalog.cattle.io/requires-gvr: networking.istio.io.virtualservice/v1beta1
catalog.cattle.io/display-name: "Rio"

@ -1,46 +0,0 @@
# Rio
[Rio](https://rio.io) is an application deployment engine for Kubernetes.
This chart will install the rio controller, which will then install the Rio system.
Note that the [Rio CLI](https://github.com/rancher/rio/releases) is the preferred installation route, see `rio install -h` for more information.
## Configuration
See values.yaml for installation options.
## Prerequisites
Rio requires Kubernetes 1.15 or newer cluster.
## Installation
Create the namespace where Rio will be installed, `rio-system` is standard but not required:
```bash
$ kubectl create namespace rio-system
$ kubectl label namespace rio-system rio.cattle.io/is-system=true
```
Install the chart:
```bash
$ helm install --namespace rio-system --name rio ./
```
Wait for the controller to come up, and then ensure a cluster domain and IP exists:
```bash
$ kubectl -n rio-system rollout status deploy/rio-controller
$ rio info
```
## Uninstallation
To completely uninstall Rio from your system:
```bash
$ rio uninstall
$ helm delete --purge rio
```

@ -1,17 +0,0 @@
{{ .Chart.Name | title }} {{ .Values.tag }} is now installing.
Please wait for the system to come up.
* Check the controller install with: kubectl -n {{ .Release.Namespace }} rollout status deploy/rio-controller
* Check `rio info` to ensure you get a cluster domain and IP
To troubleshoot check:
* rio system logs
* kubectl -n {{ .Release.Namespace }} get pods
To start an application try: rio run -p 80 -n demo nginx
For more info see:
* The official site: https://rio.io
* The docs: https://github.com/rancher/rio/tree/master/docs

@ -1,8 +0,0 @@
{{- define "featuresList" -}}
{{- $local := dict "first" true -}}
"features":{ {{- range $k, $v := . -}}
{{- if not $local.first -}},{{- end -}}
"{{$k}}":{"enabled":{{$v}}}{{- $_ := set $local "first" false -}}
{{- end -}}
{{- end -}}}

@ -1,394 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: rio-cluster-admin
rules:
- apiGroups:
- ""
resources:
- '*'
verbs:
- '*'
- nonResourceURLs:
- '*'
verbs:
- '*'
- apiGroups:
- apiregistration.k8s.io
resources:
- apiservices
verbs:
- '*'
- apiGroups:
- admissionregistration.k8s.io
resources:
- mutatingwebhookconfigurations
- validatingwebhookconfigurations
verbs:
- '*'
- apiGroups:
- extensions
- apps
resources:
- replicasets
- deployments
- daemonsets
- statefulsets
verbs:
- '*'
- apiGroups:
- build.knative.dev
- caching.internal.knative.dev
resources:
- '*'
verbs:
- '*'
- apiGroups:
- cert-manager.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- networking.k8s.io
- extensions
resources:
- ingresses
- ingresses/status
verbs:
- '*'
- apiGroups:
- batch
resources:
- '*'
verbs:
- '*'
- apiGroups:
- autoscaling
resources:
- '*'
verbs:
- '*'
- apiGroups:
- rbac.authorization.k8s.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- admin.rio.cattle.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- rio.cattle.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- gitwatcher.cattle.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- linkerd.io
resources:
- serviceprofiles
verbs:
- '*'
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- '*'
- apiGroups:
- authentication.istio.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- policy
resources:
- podsecuritypolicies
verbs:
- '*'
- apiGroups:
- split.smi-spec.io
resources:
- trafficsplits
verbs:
- '*'
- apiGroups:
- storage.k8s.io
resources:
- storageclasses
verbs:
- '*'
- apiGroups:
- gateway.solo.io.v2
- gateway.solo.io
- gloo.solo.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- tekton.dev
resources:
- tasks
- clustertasks
- taskruns
- pipelines
- pipelineruns
- pipelineresources
verbs:
- get
- list
- create
- update
- delete
- patch
- watch
- apiGroups:
- tekton.dev
resources:
- taskruns/finalizers
- pipelineruns/finalizers
verbs:
- get
- list
- create
- update
- delete
- patch
- watch
- apiGroups:
- tekton.dev
resources:
- tasks/status
- clustertasks/status
- taskruns/status
- pipelines/status
- pipelineruns/status
- pipelineresources/status
verbs:
- get
- list
- create
- update
- delete
- patch
- watch
- apiGroups:
- policy
resourceNames:
- tekton-pipelines
resources:
- podsecuritypolicies
verbs:
- use
- apiGroups:
- networking.istio.io
resources:
- '*'
verbs:
- '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: rio-admin
rules:
- apiGroups:
- rio.cattle.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- admin.rio.cattle.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- autoscale.rio.cattle.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- tekton.dev
resources:
- taskruns
verbs:
- '*'
- apiGroups:
- ""
resources:
- '*'
verbs:
- '*'
- apiGroups:
- apps
- extensions
resources:
- '*'
verbs:
- '*'
- apiGroups:
- certmanager.k8s.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- split.smi-spec.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- linkerd.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- networking.istio.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- ""
resources:
- '*'
verbs:
- '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: rio-readonly
rules:
- apiGroups:
- rio.cattle.io
resources:
- '*'
verbs:
- get
- list
- watch
- apiGroups:
- tekton.dev
resources:
- taskruns
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- '*'
verbs:
- get
- list
- watch
- apiGroups:
- apps
- extensions
resources:
- '*'
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: rio-privileged
rules:
- apiGroups:
- rio.cattle.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- tekton.dev
resources:
- taskruns
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- '*'
verbs:
- get
- list
- watch
- create
- apiGroups:
- apps
- extensions
resources:
- '*'
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: rio-standard
rules:
- apiGroups:
- rio.cattle.io
resources:
- '*'
verbs:
- get
- list
- watch
- create
- update
- delete
- patch
- apiGroups:
- tekton.dev
resources:
- taskruns
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- '*'
verbs:
- get
- list
- watch
- create
- apiGroups:
- apps
- extensions
resources:
- '*'
verbs:
- get
- list
- watch

@ -1,12 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: rio-controller-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: rio-cluster-admin
subjects:
- kind: ServiceAccount
name: rio-controller-serviceaccount
namespace: {{ .Release.Namespace }}

@ -1,7 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: rio-config
namespace: {{ .Release.Namespace }}
data:
config: '{"letsEncrypt":{ {{- if .Values.letsEncryptEmail -}} "email":"{{ .Values.letsEncryptEmail }}" {{- end -}} },"gateway":{ {{- if .Values.ipAddress -}} "staticAddresses":[{"ip":"{{ .Values.ipAddress }}"}] {{- end -}}}, {{ include "featuresList" .Values.features }} }}'

@ -1,49 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: rio-controller
namespace: {{ .Release.Namespace }}
spec:
selector:
matchLabels:
rio-controller: "true"
template:
metadata:
labels:
rio-controller: "true"
spec:
containers:
- args:
- rio-controller
{{- if .Values.debug }}
- --debug
{{- end }}
- --features
- ""
{{- if .Values.gatewayServiceName }}
- --gateway-service-name
- {{ .Values.gatewayServiceName }}
{{- end }}
{{- if .Values.gatewayServiceNamespace }}
- --gateway-service-namespace
- {{ .Values.gatewayServiceNamespace }}
{{- end }}
env:
- name: RUN_API_VALIDATOR
value: "TRUE"
- name: RIO_NAMESPACE
value: {{ .Release.Namespace }}
image: "{{ .Values.image }}:{{ .Values.tag }}"
imagePullPolicy: Always
name: rio-controller
volumeMounts:
- mountPath: /var/run/rio/ssl
name: secret-api-validator
readOnly: true
serviceAccountName: rio-controller-serviceaccount
volumes:
- name: secret-api-validator
secret:
defaultMode: 420
optional: true
secretName: rio-api-validator

@ -1,26 +0,0 @@
{{- if .Values.addRemoteAddressFilter }}
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: xff-trust-hops
namespace: {{ .Release.Namespace }}
spec:
workloadSelector:
labels:
istio: ingressgateway
configPatches:
- applyTo: NETWORK_FILTER
match:
context: ANY
listener:
filterChain:
filter:
name: "envoy.http_connection_manager"
patch:
operation: MERGE
value:
typed_config:
"@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager"
use_remote_address: true
xff_num_trusted_hops: 1
{{- end }}

@ -1,5 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: rio-api-validator
namespace: {{ .Release.Namespace }}

@ -1,13 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: rio-api-validator
namespace: {{ .Release.Namespace }}
spec:
ports:
- name: https-443
port: 443
protocol: TCP
targetPort: 443
selector:
rio-controller: "true"

@ -1,5 +0,0 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: rio-controller-serviceaccount
namespace: {{ .Release.Namespace }}

@ -1,23 +0,0 @@
image: rancher/rio-controller
tag: v0.8.0 # Rio version to install
letsEncryptEmail: "" # Provide an email for Let's Encrypt account registration
ipAddress: "" # Manually specify IP addresses to generate rdns domain, supports comma separated values
debug: false # Enable debug logging in controller
# Manually specify features to disable, supports comma separated values
# Istio configuration with ingress enabled
features:
autoscaling: true
build: true
dashboard: false
gloo: false
linkerd: false
istio: true
ingress: false
letsencrypt: true
rdns: true
gatewayServiceName: istio-ingressgateway
gatewayServiceNamespace: istio-system
addRemoteAddressFilter: true

@ -1,2 +0,0 @@
url: local
version: 100.0.0