make forward-port rancher-webhook

2022-11-10 00:35:50 -08:00 · 2022-11-10 00:35:50 -08:00 · 399a417a93
parent 15c92274ef
commit 399a417a93
18 changed files with 328 additions and 0 deletions
--- a/assets/rancher-webhook/rancher-webhook-1.0.6+up0.2.7.tgz
+++ b/assets/rancher-webhook/rancher-webhook-1.0.6+up0.2.7.tgz
--- a/charts/rancher-webhook/1.0.6+up0.2.7/Chart.yaml
+++ b/charts/rancher-webhook/1.0.6+up0.2.7/Chart.yaml
@ -0,0 +1,18 @@
+annotations:
+  catalog.cattle.io/certified: rancher
+  catalog.cattle.io/hidden: "true"
+  catalog.cattle.io/kube-version: '>= 1.16.0-0 < 1.25.0-0'
+  catalog.cattle.io/namespace: cattle-system
+  catalog.cattle.io/os: linux
+  catalog.cattle.io/permits-os: linux,windows
+  catalog.cattle.io/rancher-version: '>= 2.6.0-0 < 2.7.0-0'
+  catalog.cattle.io/release-name: rancher-webhook
+apiVersion: v2
+appVersion: 0.2.7
+dependencies:
+- condition: capi.enabled
+  name: capi
+  repository: ""
+description: ValidatingAdmissionWebhook for Rancher types
+name: rancher-webhook
+version: 1.0.6+up0.2.7
--- a/charts/rancher-webhook/1.0.6+up0.2.7/charts/capi/Chart.yaml
+++ b/charts/rancher-webhook/1.0.6+up0.2.7/charts/capi/Chart.yaml
@ -0,0 +1,4 @@
+apiVersion: v2
+appVersion: 0.0.0
+name: capi
+version: 0.0.0
--- a/charts/rancher-webhook/1.0.6+up0.2.7/charts/capi/templates/service.yaml
+++ b/charts/rancher-webhook/1.0.6+up0.2.7/charts/capi/templates/service.yaml
@ -0,0 +1,13 @@
+kind: Service
+apiVersion: v1
+metadata:
+  name: webhook-service
+  annotations:
+    need-a-cert.cattle.io/secret-name: rancher-webhook-tls
+spec:
+  ports:
+  - name: https
+    port: 443
+    targetPort: 8777
+  selector:
+    app: rancher-webhook
--- a/charts/rancher-webhook/1.0.6+up0.2.7/templates/_helpers.tpl
+++ b/charts/rancher-webhook/1.0.6+up0.2.7/templates/_helpers.tpl
@ -0,0 +1,22 @@
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- else -}}
+{{- "" -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "rancher-webhook.labels" -}}
+app: rancher-webhook
+{{- end }}
+
+{{- define "linux-node-tolerations" -}}
+- key: "cattle.io/os"
+  value: "linux"
+  effect: "NoSchedule"
+  operator: "Equal"
+{{- end -}}
+
+{{- define "linux-node-selector" -}}
+kubernetes.io/os: linux
+{{- end -}}
--- a/charts/rancher-webhook/1.0.6+up0.2.7/templates/deployment.yaml
+++ b/charts/rancher-webhook/1.0.6+up0.2.7/templates/deployment.yaml
@ -0,0 +1,52 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: rancher-webhook
+spec:
+  selector:
+    matchLabels:
+      app: rancher-webhook
+  template:
+    metadata:
+      labels:
+        app: rancher-webhook
+    spec:
+      volumes:
+      - name: tls
+        secret:
+          secretName: rancher-webhook-tls
+      {{- if .Values.global.hostNetwork }}
+      hostNetwork: true
+      {{- end }}
+      nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+      {{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+      {{- end }}
+      tolerations: {{ include "linux-node-tolerations" . | nindent 6 }}
+      {{- if .Values.tolerations }}
+{{ toYaml .Values.tolerations | indent 6 }}
+      {{- end }}
+      containers:
+      - env:
+        - name: STAMP
+          value: "{{.Values.stamp}}"
+        - name: ENABLE_CAPI
+          value: "{{.Values.capi.enabled}}"
+        - name: ENABLE_MCM
+          value: "{{.Values.mcm.enabled}}"
+        - name: NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: '{{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}'
+        name: rancher-webhook
+        imagePullPolicy: "{{ .Values.image.imagePullPolicy }}"
+        ports:
+        - name: https
+          containerPort: 9443
+        - name: capi-https
+          containerPort: 8777
+        volumeMounts:
+        - name: tls
+          mountPath: /tmp/k8s-webhook-server/serving-certs
+      serviceAccountName: rancher-webhook
--- a/charts/rancher-webhook/1.0.6+up0.2.7/templates/pre-delete-hook-cluster-role-binding.yaml
+++ b/charts/rancher-webhook/1.0.6+up0.2.7/templates/pre-delete-hook-cluster-role-binding.yaml
@ -0,0 +1,19 @@
+{{- if .Values.preDelete.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: rancher-webhook-pre-delete
+  labels: {{ include "rancher-webhook.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-weight": "2"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: rancher-webhook-pre-delete
+subjects:
+  - kind: ServiceAccount
+    name: rancher-webhook-pre-delete
+    namespace: {{ .Release.Namespace }}
+{{- end }}
--- a/charts/rancher-webhook/1.0.6+up0.2.7/templates/pre-delete-hook-cluster-role.yaml
+++ b/charts/rancher-webhook/1.0.6+up0.2.7/templates/pre-delete-hook-cluster-role.yaml
@ -0,0 +1,23 @@
+{{- if .Values.preDelete.enabled }}
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: rancher-webhook-pre-delete
+  labels: {{ include "rancher-webhook.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-weight": "1"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
+rules:
+  - apiGroups: [ "admissionregistration.k8s.io" ]
+    resources: [ "mutatingwebhookconfigurations" ]
+    verbs: [ "delete" ]
+    resourceNames: [ "rancher.cattle.io" ]
+  - apiGroups: [ "" ]
+    resources: [ "serviceaccounts" ]
+    verbs: [ "get" ]
+  - apiGroups: [ "policy" ]
+    resources: [ "podsecuritypolicies" ]
+    verbs: [ "use" ]
+    resourceNames: [ "rancher-webhook-pre-delete" ]
+{{- end }}
--- a/charts/rancher-webhook/1.0.6+up0.2.7/templates/pre-delete-hook-job.yaml
+++ b/charts/rancher-webhook/1.0.6+up0.2.7/templates/pre-delete-hook-job.yaml
@ -0,0 +1,36 @@
+{{- if .Values.preDelete.enabled }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: rancher-webhook-pre-delete
+  namespace: {{ .Release.Namespace }}
+  labels: {{ include "rancher-webhook.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-weight": "3"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+spec:
+  backoffLimit: 3
+  template:
+    metadata:
+      name: rancher-webhook-pre-delete
+      labels: {{ include "rancher-webhook.labels" . | nindent 8 }}
+    spec:
+      serviceAccountName: rancher-webhook-pre-delete
+      restartPolicy: OnFailure
+      nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+      {{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+      {{- end }}
+      tolerations: {{ include "linux-node-tolerations" . | nindent 6 }}
+      {{- if .Values.tolerations }}
+{{ toYaml .Values.tolerations | indent 6 }}
+      {{- end }}
+      containers:
+        - name: rancher-webhook-pre-delete
+          image: "{{ include "system_default_registry" . }}{{ .Values.preDelete.image.repository }}:{{ .Values.preDelete.image.tag }}"
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            runAsUser: 0
+          command: [ "kubectl", "delete", "--ignore-not-found=true", "mutatingwebhookconfigurations", "rancher.cattle.io" ]
+{{- end }}
--- a/charts/rancher-webhook/1.0.6+up0.2.7/templates/pre-delete-hook-psp.yaml
+++ b/charts/rancher-webhook/1.0.6+up0.2.7/templates/pre-delete-hook-psp.yaml
@ -0,0 +1,33 @@
+{{- if .Values.preDelete.enabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: rancher-webhook-pre-delete
+  labels: {{ include "rancher-webhook.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-weight": "1"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
+spec:
+  privileged: false
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    rule: 'RunAsAny'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'MustRunAs'
+    ranges:
+      - min: 1
+        max: 65535
+  fsGroup:
+    rule: 'MustRunAs'
+    ranges:
+      - min: 1
+        max: 65535
+  readOnlyRootFilesystem: false
+  volumes:
+    - 'secret'
+{{- end }}
--- a/charts/rancher-webhook/1.0.6+up0.2.7/templates/pre-delete-hook-service-account.yaml
+++ b/charts/rancher-webhook/1.0.6+up0.2.7/templates/pre-delete-hook-service-account.yaml
@ -0,0 +1,12 @@
+{{- if .Values.preDelete.enabled }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: rancher-webhook-pre-delete
+  namespace: {{ .Release.Namespace }}
+  labels: {{ include "rancher-webhook.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-weight": "1"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
+{{- end }}
--- a/charts/rancher-webhook/1.0.6+up0.2.7/templates/rbac.yaml
+++ b/charts/rancher-webhook/1.0.6+up0.2.7/templates/rbac.yaml
@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: rancher-webhook
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- kind: ServiceAccount
+  name: rancher-webhook
+  namespace: {{.Release.Namespace}}
--- a/charts/rancher-webhook/1.0.6+up0.2.7/templates/service.yaml
+++ b/charts/rancher-webhook/1.0.6+up0.2.7/templates/service.yaml
@ -0,0 +1,13 @@
+kind: Service
+apiVersion: v1
+metadata:
+  name: rancher-webhook
+  namespace: cattle-system
+spec:
+  ports:
+  - port: 443
+    targetPort: 9443
+    protocol: TCP
+    name: https
+  selector:
+    app: rancher-webhook
--- a/charts/rancher-webhook/1.0.6+up0.2.7/templates/serviceaccount.yaml
+++ b/charts/rancher-webhook/1.0.6+up0.2.7/templates/serviceaccount.yaml
@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: rancher-webhook
--- a/charts/rancher-webhook/1.0.6+up0.2.7/templates/webhook.yaml
+++ b/charts/rancher-webhook/1.0.6+up0.2.7/templates/webhook.yaml
@ -0,0 +1,19 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: rancher.cattle.io
+webhooks:
+- admissionReviewVersions:
+  - v1
+  - v1beta1
+  clientConfig:
+    service:
+      name: rancher-webhook
+      namespace: cattle-system
+      path: /v1/webhook/validation
+      port: 443
+  failurePolicy: Ignore
+  matchPolicy: Equivalent
+  name: rancher.cattle.io
+  sideEffects: None
+  timeoutSeconds: 10
--- a/charts/rancher-webhook/1.0.6+up0.2.7/values.yaml
+++ b/charts/rancher-webhook/1.0.6+up0.2.7/values.yaml
@ -0,0 +1,25 @@
+image:
+  repository: rancher/rancher-webhook
+  tag: v0.2.7
+  imagePullPolicy: IfNotPresent
+
+global:
+  cattle:
+    systemDefaultRegistry: ""
+  hostNetwork: false
+
+capi:
+  enabled: false
+
+mcm:
+  enabled: true
+
+preDelete:
+  enabled: true
+  image:
+    repository: rancher/kubectl
+    tag: v1.23.3
+
+# tolerations for the webhook deployment. See https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ for more info
+tolerations: []
+nodeSelector: {}
--- a/index.yaml
+++ b/index.yaml
@ -10223,6 +10223,28 @@ entries:
    urls:
    - assets/rancher-webhook/rancher-webhook-2.0.0+up0.3.0-rc5.tgz
    version: 2.0.0+up0.3.0-rc5
+  - annotations:
+      catalog.cattle.io/certified: rancher
+      catalog.cattle.io/hidden: "true"
+      catalog.cattle.io/kube-version: '>= 1.16.0-0 < 1.25.0-0'
+      catalog.cattle.io/namespace: cattle-system
+      catalog.cattle.io/os: linux
+      catalog.cattle.io/permits-os: linux,windows
+      catalog.cattle.io/rancher-version: '>= 2.6.0-0 < 2.7.0-0'
+      catalog.cattle.io/release-name: rancher-webhook
+    apiVersion: v2
+    appVersion: 0.2.7
+    created: "2022-11-10T00:33:57.451093-08:00"
+    dependencies:
+    - condition: capi.enabled
+      name: capi
+      repository: ""
+    description: ValidatingAdmissionWebhook for Rancher types
+    digest: 53c1ab12bcc90b2b96280ef581ea18cce1dc49338ced93ea7ab9407974c05933
+    name: rancher-webhook
+    urls:
+    - assets/rancher-webhook/rancher-webhook-1.0.6+up0.2.7.tgz
+    version: 1.0.6+up0.2.7
  - annotations:
      catalog.cattle.io/certified: rancher
      catalog.cattle.io/hidden: "true"
--- a/release.yaml
+++ b/release.yaml
@ -82,6 +82,7 @@ rancher-vsphere-csi:
  - 101.0.0+up2.5.1-rancher1
 rancher-webhook:
  - 2.0.0+up0.3.0-rc5
+  - 1.0.6+up0.2.7
 rancher-windows-gmsa:
  - 2.0.0
 rancher-windows-gmsa-crd: