From 4476584d9b9b09d6393585b3e60b47d3cf4a32e4 Mon Sep 17 00:00:00 2001 
From: actions Date: Wed, 9 Dec 2020 01:07:44 +0000 Subject: [PATCH] Generated changes --- assets/index.yaml | 30 ++- .../rancher-external-ip-webhook-0.1.400.tgz | Bin 0 -> 7255 bytes charts/rancher-external-ip-webhook/Chart.yaml | 23 ++ charts/rancher-external-ip-webhook/README.md | 70 ++++++ .../rancher-external-ip-webhook/app-README.md | 9 + .../questions.yaml | 7 + .../templates/NOTES.txt | 3 + .../templates/_helpers.tpl | 50 +++++ .../templates/admissionregistration.yaml | 30 +++ .../templates/clusterrole.yaml | 33 +++ .../templates/clusterrolebinding.yaml | 31 +++ .../templates/deployment.yaml | 107 ++++++++++ .../templates/issuer.yaml | 52 +++++ .../templates/service.yaml | 35 +++ .../templates/serviceaccount.yaml | 7 + .../templates/servicemonitor.yaml | 16 ++ .../tests/admissionregistration_test.yaml | 32 +++ .../tests/clusterrole_test.yaml | 37 ++++ .../tests/clusterrolebinding_test.yaml | 42 ++++ .../tests/deployment_test.yaml | 202 ++++++++++++++++++ .../tests/issuer_test.yaml | 106 +++++++++ .../tests/service_test.yaml | 69 ++++++ .../tests/serviceaccount_test.yaml | 9 + .../tests/servicemonitor_test.yaml | 20 ++ .../rancher-external-ip-webhook/values.yaml | 67 ++++++ index.yaml | 30 ++- .../rancher-external-ip-webhook.sum | 2 + 27 files changed, 1117 insertions(+), 2 deletions(-) create mode 100644 assets/rancher-external-ip-webhook/rancher-external-ip-webhook-0.1.400.tgz create mode 100644 charts/rancher-external-ip-webhook/Chart.yaml create mode 100644 charts/rancher-external-ip-webhook/README.md create mode 100644 charts/rancher-external-ip-webhook/app-README.md create mode 100644 charts/rancher-external-ip-webhook/questions.yaml create mode 100644 charts/rancher-external-ip-webhook/templates/NOTES.txt create mode 100644 charts/rancher-external-ip-webhook/templates/_helpers.tpl create mode 100644 charts/rancher-external-ip-webhook/templates/admissionregistration.yaml create mode 100644 charts/rancher-external-ip-webhook/templates/clusterrole.yaml 
create mode 100644 charts/rancher-external-ip-webhook/templates/clusterrolebinding.yaml create mode 100644 charts/rancher-external-ip-webhook/templates/deployment.yaml create mode 100644 charts/rancher-external-ip-webhook/templates/issuer.yaml create mode 100644 charts/rancher-external-ip-webhook/templates/service.yaml create mode 100644 charts/rancher-external-ip-webhook/templates/serviceaccount.yaml create mode 100644 charts/rancher-external-ip-webhook/templates/servicemonitor.yaml create mode 100644 charts/rancher-external-ip-webhook/tests/admissionregistration_test.yaml create mode 100644 charts/rancher-external-ip-webhook/tests/clusterrole_test.yaml create mode 100644 charts/rancher-external-ip-webhook/tests/clusterrolebinding_test.yaml create mode 100644 charts/rancher-external-ip-webhook/tests/deployment_test.yaml create mode 100644 charts/rancher-external-ip-webhook/tests/issuer_test.yaml create mode 100644 charts/rancher-external-ip-webhook/tests/service_test.yaml create mode 100644 charts/rancher-external-ip-webhook/tests/serviceaccount_test.yaml create mode 100644 charts/rancher-external-ip-webhook/tests/servicemonitor_test.yaml create mode 100644 charts/rancher-external-ip-webhook/values.yaml create mode 100644 sha256sum/rancher-external-ip-webhook/rancher-external-ip-webhook.sum diff --git a/assets/index.yaml b/assets/index.yaml index 47e137aec..ab9ca6418 100644 --- a/assets/index.yaml +++ b/assets/index.yaml 
@@ -352,6 +352,34 @@ entries: urls: - assets/rancher-cis-benchmark/rancher-cis-benchmark-crd-1.0.100.tgz version: 1.0.100 + rancher-external-ip-webhook: + - annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: External IP Webhook + catalog.cattle.io/namespace: cattle-externalip-system + catalog.cattle.io/release-name: rancher-external-ip-webhook + catalog.cattle.io/ui-component: rancher-external-ip-webhook + apiVersion: v1 + appVersion: v0.1.4 + created: "2020-12-09T01:07:43.561742972Z" + description: | + Deploy the external-ip-webhook to mitigate k8s CVE-2020-8554 + digest: 533a8d7721001eb5efe4efe23d398f619f3b51634fcd1848fc52d0eb11d01016 + home: https://github.com/rancher/externalip-webhook + keywords: + - cve + - externalip + - webhook + - security + maintainers: + - email: raul@rancher.com + name: rawmind0 + name: rancher-external-ip-webhook + sources: + - https://github.com/rancher/externalip-webhook + urls: + - assets/rancher-external-ip-webhook/rancher-external-ip-webhook-0.1.400.tgz + version: 0.1.400 rancher-gatekeeper: - annotations: catalog.cattle.io/auto-install: rancher-gatekeeper-crd=match @@ -1098,4 +1126,4 @@ entries: urls: - assets/rio/rio-0.8.000.tgz version: 0.8.000 -generated: "2020-11-10T00:02:09.783616681Z" +generated: "2020-12-09T01:07:43.560407349Z" 
diff --git a/assets/rancher-external-ip-webhook/rancher-external-ip-webhook-0.1.400.tgz b/assets/rancher-external-ip-webhook/rancher-external-ip-webhook-0.1.400.tgz new file mode 100644 index 0000000000000000000000000000000000000000..c73130276e88dd4f8e89b68f8097ca3129aef400 GIT binary patch literal 7255 zcmV-d9H`?TiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PKD3a@#nTX#eI@oGZ`V8|Q`;C4Z$^H&Zv0cxJNONxSS!rlwM< z2qGZ~ZHizMpd3%)t$mGsy?v4`e2@ewiV`JR&WF%dX^RAb^M!+hg9DrdMg9aQHvYtM z5~0v0v3-Mw6H2eUFD5AA&MlgTKW$W8*L6>ikLCYe*RB4)*FSQ9>K&b(9=rYC$rf})6W#0ia)skvu5 z2#jcwYaQRHBj*>K@Yg6pW1NVe00(d$p<#&S8gEaX zkjef~6v)4?@$DfXCNXB%PcVOjrdWU@=#WpY78q~6j5jvJ$qXm9=t!{hCFY2P4A79K zijZWA##qc)Lkw{$NbFehnP8oGa6v=j-+J(B^oH__1T!3Q{pw0~$UJ!e!2(EdOc~)c zxy|Q~x>*2#qj5g99%$Jh(HN$fC&Xufqadav;?_ZCR{)+8&S0S1_&7o&#KFe||DIyT zKl(I{_#prOW`ZL;6XfTR;NP&%1?7?%@iF)bR_ve&q;Vi-Xc}vwwsZpm^IV=rC}e`T zF-^D!Pmhm}EJL8P89xX8lc*=id6Cd5<`bMU@p1m+{F7=ZYqmf!YXYTwB0l(Z>%iLy zVL;1b%^tb0N&e7}QxAHsJI(u- zB2e>Lzy7m>19(FN3?UlgkVzWGGyufJXrBsn4-ViGj|vM-pp!(HVa%XjaAJ>B z65wt`18g%KVqb8nYaJX|;?b3SLK6=@-^mvL{QQL_Xd(cuSe!!5Ui@7S_}3D6MGE;q z<0s*)8B8T2ngpC9o=Lbe(dGzNRMn$K)YIa5VGaWgg?c6)9TeiMKYi}Y!6}rI1OF!E zH)S{gGRhisa-ns!yuvdru=7oL5a1C?L&>CH2;)FUAjl2E)a6VJJWfL~o-sTUXp#go z`1hQH@TX_cb50K}T}v*Bgfv$m$4V;1aIs2Q{w&ZOhjfTSK^3)pd8vT9#ACv^AZ4fX zRoS*p_8-U7I21E?_sy?w&#xT*iLcei68q2XpPiKLzrNe=?d`vvl($q^Lu4dYtccg> z5ttwbf<{~zCrKK4mIWXbpU*?E?cBA;W0Z#BE&QIMQ2H_f#j!-fvHpQo>#{x=EGryH^Fo;9kA}+m_wvn^s4EsPEXMxfY7`Q1mZ|gy*`fDrb#i52k`Y8$ ze_z&}S&cX$5g$S4kIeof>r^VK4_Bgn$m-hcv}r=KZ;qAlSLIm1Vuelo%r;+zma1w8 z?(QrU#~!Rc>sS+<5H8j~@cDC2l`FkYyt}jXtWl&QvBidKEbP_7Z%$dq0+3!oPk$>O;L!;C+=I>=dZqgpkJZ{)EOR>NV&HYE z%&i53>BW(Pp}fAL%v0zrZb=#4A2nq^Cfe-on1do4G|E(WYVGtIaqf27eOVe6okmfA zK>fek{EvbuVPa9L393AEt2&04?f;z~SLgp@_iVrax07P}8|t}y{ZtOVS#O9r>RHz$ z3Osm+LJ}ZOqOo2Yzo5~GjMKtfh62QqR~>VvKiDyx!TAFJ?#=?JY)V4Ob1Hx#(Qnx2 zwvX&lLZ?!-*DgJ}%XEG*-wM57a)}yx9CF{_TQbFrqiO6xl!jrxN7k~RSx&yJhV7RK 
zsGq7$y^!FDD+1>PjVOmlt5Wq)Az^x@1;uK=)-@_KnfTc7_=vI&;>M?X+jkM?GS4F7 z6A!wYUf9+!SO6nL!Zg9TS8^QD1h2^tXAu+*oB0+%l7`BSW&?`JUlW?fS}<+p-Z%Yr z`I}i!{*n8T^A|5J&!4|N*FXM#@iO~SaeLYs#o0ZM|JC%rHeC`L;x)Ddm+Sx2ivI7r zz2m+9-$l{tL@exbb&|PXbL}zrX3jBtC`}r3GD(KWm-T2u{#BYu4ArA5ghvwD~W`H;Mc(4Vq1V2fhG_0vvHT&UK(zJ}JdxtfcPl?BYoV&KF2<912y? z`M(|LeC((;)>8R$zrz+I$kOVhqD*YLM}s3SG;u*LtD+Zd;Pe_t37!#r!z{U(In;0D zEQRYEuCigiU6u~TtcrXeGuGI?ZSPs#z-m28>;$6#Ck4AB8eM9V|NZh8P1CNfU8eLH z^W7{ETI>HIi2@Rh+e`z?{D1v^CH}8}bab@W|2rx7GLHYOWaK*;&RY0wp%5)G1TOJN zZ`DdA+dw!AU|z{(V955g(v|u_RlO>0ZLSHlwVIK=wb}pf?*3+l?@O8rJ3wpFZHm@j@?CkWYy8m~2bhe-WcTr0Izc^;yS?1z< zne)7)dFOm{4EsKv#!ePq?w~N9AgAoQk7?jRl17|NaW@Op`G(c_ih7O3SVnb;eu~aewlQqKvntnGuc3|u7Ltm-Bh>KR!GO3G9KV0d6tJ&XD?^ZdT#ze z#gUe&vT&D9P^1wU*_u;Cmfqbp1F!0HG&YGLA6^(Ct(_IxC_-Rm=uy^|piYTdxu~h2 zz!i9tX`pN;pl}G}og|b~pN1a1eQ}XLH{3UZy7ZrD8aAMjS1-m~&o$vlFbYV78M{d6 z5PL@d+>fuQe~r2MFpC&o3^s`fCn$W0Lv(wEeHsPKgA)@koDdr1uMDXP$qerl6uq7B zc9LK=pgsll)Wm~cSph{H%>RKgRR~~dRJ6zt>9M9*#sZ1p0!M>pGe5`W? z`pl~+wEweqy1UZ5j7(^1y~V_`kQ|jqE%f99mRHrJ+N)ivC0Cp1OWUc7XZyo4*>P-4M`7Ir? 
zSO8}!B+Uf%bP=Rxgj_A4W`!Ki(*`)}4w|erx2xfrkJP4dst)U!@}wv6*EGN$9QRF0 zFi-X^3hFS<2HxG3qvluh{}9GfoUD5ic!~e#6T zF%X`NW^R3_YUFF7%zC=6W<>~CBk7I63ei!*2P9f z*=+?ScL_?p(^YU%QGZ)NOnQ>~yTPot3T6tR^-#+i%7Y_iW833f$lGJL04A$!^dG<# z=A1-hkgA<$hv5OS`~>A{Qm&>+y%|*u^Y3Jzt~@cfarOoglh0Ko$95wTx7wbgceb67 z`Y5yj)HJX6BC~zQSMs5JuofXn_I-Ox#kTGJ+_0Y;_H)BGJvV3t@_kGTxi)JvBQP9} zuH=m|^3I3S>7@rg#Jt-2Pp^X4TmUYM|8tLy=g8u%^lVD zVt;d7b@yiDqsDbT@6Y8Z8DqZO?Ol!tSY!MDHpU)wbe!0$i%#`0R?Rj=HHh!~6p4Jd zqc~2q6%jGL`3q&lxGkr(jLdH<+>em#WAT2J(rW%k$_w7s3|KP%yT^0!|NZ0r{g1mT zP0BtC{rxU<{)#&Oq4}}v(rWxqX+$_}y$`hP{HNRRRmcB{yFdT4ld@hMWcAX@`Qx8j zR7f;-e41d&Q#_~!m>{!mrtB+TlCfGWF7j!zM5xjeG1p!Hz<%|jM%6}F3 zmNWcU(v|;a4<_TT_$T|xW>L3jXo&plG?sVYG3&9zZer`PGep+yeB2k;Ih zgr*E$y*y`@nErmlKDQhaVANIh68hV>XgoHJ|I72|FJGTK(_q6sn#X^?ch*0uj(_)f zZ~yJ29MoMMEw7yxW>R)3yk*IOFYPLIf1O|4u$Uba13H4id}{+az)1wRG)>H#6t&OE zfmi(hFwi$L2hAB$90}Vib>+WMPJDtDsFwAXX1M^0dnuK25kK{ned_+kL4(*2Jj=2M zgTWB7iS-8%bD+G+Twd9ieWx1Ft^t?7n3E+>A++?Jx=TKLl!4d)LAjT1Q%&Rk-Gv!+ zz#f5-%0u9$I9$4M%6dD&Frr~dZzNsiHS!^0oGEH%mBr&2C1{E{PFQvcXwALBibVRx zP?F>a5i}^4WqpB*tRZM9U*KhtWT&a(eH78Tg1gN}))%ms7TNmpYWG#v>Rh5Ws6Qhy zs1WW7b3iq@MP9smdC7obAw?VqFuVn%PK|7lYlBW_(DoyNTJ2?MgKF!o5{680f>+5J zvRl;VV><`3_4`c6vK%#@q*ZEfh@1{#P{@^F&w?8`g_PlzowhDp;#(0QH7K{f&HOU| zyG?c(g<4HgnFeenUQM^C4syIM(lCU8`qu)dsaS`=D52B(^a|@Rrh)ovv#feRuC9?U z)vOX4N%0lL>RjEu6@i+W$YnX26})u1mzvKS@ltYhPe^TnWyR^qHY`(#l8SG)giN*b zL1%I9q(-C-1UVWv)NDqOqcLRWkaQPpA3^P%EfOs*$E)J4uC1R>Yt=kbTSlQCN*Ktb zHEW5bx#Pd6fiH83qOt@vTY!EklrVUDe0;PSa+U3bL8*Psx*}_qPNn6*U*vKH-mBjv z8s~u>BbwMns~;X^E43k|*YY+C>D^LMiwPd#1V=v3T<*?s z3ft$7pbly%Q=|oxm&or##et!z-=)wKZ)+B zOn8nTr-Q7s8cehL;K!*>xwmZud#*dZH}q8EzQI!Tre;#Xt)h42z9!p8FH29D^RE`Y z8V+u9;)2iA%>gj%$lPCbM4G8^0U0vJ6I5HvdFJF8`FTC_B-tmH-X%S zxEZ&@%s2C8i+PXN!L6e=Ue^;%()Y~C42QQ*0Kq?>zy3u=PpK5bO!iH%iW^Y7{nEx0KaI!%A4M?4!la#%00(e0 z5lxVCXopHJ3V)F)&e1du@sl4QIO9+7`0-m3KYr}NKWQo{B`iomkSvPgz46h9N5+rC zc2Q_e@n0y8?QO(>Esg)L=Kt=Up7z~+{MRl@ef*ah?S+^Q_9};Fy)VUO6(07Rn;XZU 
z;XnnB$*6yShP$QO-9yVdHzGnZ9ZMJ>D01V;o#$*Y-AstkWeJ{PF}q}`(bQ(JQfvu| z0y;HgO_-BKnaSjak;-aF6K07q#k7_T_3WhrQ?ig1PKA1sQ!`?v0G8ox_NnM~u<%;Z zL80y(knvSHG9(OvM&YgMt-wZMi3y*`&9~^k|MS1N%*<@`{{(0PH!``aiK@&-tV8W& zz#EFjIM>E9%tkye(ZR7Sp<1Uj5t>(pp%5B90hRtqe(*P;7?m1O(O#KoINxHt>%Npr zlm3@0EqS-eniv1+vMm1ps9(ANuXlEQwvYecNy&Nafpq}&fqj+@Gn5dq67d#Q(dV{2 zcwQ6n=j$p#5y$DR5gwQyS7$sS(bxhQt7JK)NY;m@=(kmx&wnz$Aoue}@orVMu+08D zJFcGpJnrxFKkufnlyL09Tg*5-&o~X22CJ?77_dxPxiAyBCB;S5A>7LXLlYbYI9b#( z0AdX1mucYNQxtlo%)f=VJ-bF%WuIRuRrTtS7|Bp%#Ck+|o+}xMimYtB7WG+nE4Dsn z;2HPjRfm{iXhS&}vY?m>TgS-yQle;aegBeF+XBY9Rd0b( z<=#Xa2z!%;6=<^T*6-a9j+xy$54di_x|~lL;|yM|#yaU*YoL3cG+Xm$6~1I`E@RAc zQk3LgLr_oFS|%?U|I78ik^8fi)-TEu{on7MRqy}m_xJgqcT-ILpDmRyX^2@_?N<|k z*D8B4`1DvUHD$WCs}AiVUTv}0TMx}Fi}o?r)B;JZYD?CzB!a#pIoDf`5hN zXkl(F&Sg5QH#2HTDNjbfJ$_O2g;1PC#s32A6obAOUwCRXRK{&1}vNZkKL1M z{_m6h`S0D7Me{%Ctjmk-05cJM)7r1L)#lm4RBAP9>7f*P1^NXFeF^aQtW#IA$TCE9 zJmEKIp7j=6Dw1UYMjylBpkSfK9Klk8g*HxPi)uYD7 zu48_KhX(wm~TY9Ypg7rl>_P_ zOyq40+b#hv^@Ufbbx$v(1uy3Six1jVhOOZ-+Ktt}x zuLbfuqmk?MPPa^?Ec^dMQYwSt9>~?(GPz{N{r&^fD+gk$1p9y6p;rcJ9+xAb-Mxq{ zhT}dpSAJK(O8CyQh(g)K_o}GYq={OQDlxeShLd@BD56PCeP2i zq)vN9vvvD_`T9@aO|roPaLM}bsDDz;|J^%s_wj!_Ddzf5C*`dy0JHo1mPP)ReHZx+ zex-GY;U{d^dS5A^d?lY=twUx-pNsU-m=5Bqhf5WXk}>9nKe;V!w4->7q^bAEew73h zpsheK6a`hsqj6`_A_+5H=_;0Tq1%0H`{oZJapGa1y$G+O0Dn@hkL>_C=jWZ@Jz5Ut z(*aYB?I^?7nB8H{>Vo(?zOCJ{~>j2?K)=Q68q2XpH}_< z{nOL4z5Ta~Qe*#tzM#0?4%Bk6)Euldw!!JXx{e>3Y~M{;dHhdlL^xe*A8^U|@42Vd z^WXim-hTY=q|}Z7*NWBk<6q0cN*jWe23I_2T+Ifz<~iePGn?-p)=^*u)wk1wv-4QD l+;&``eM?9`w9xL$zU<4s?90aGe*ypi|NpL<_a^}C006YVe;oh- literal 0 HcmV?d00001 diff --git a/charts/rancher-external-ip-webhook/Chart.yaml b/charts/rancher-external-ip-webhook/Chart.yaml new file mode 100644 index 000000000..be6c7f96b --- /dev/null +++ b/charts/rancher-external-ip-webhook/Chart.yaml 
@@ -0,0 +1,23 @@ +annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: External IP Webhook + catalog.cattle.io/namespace: cattle-externalip-system + catalog.cattle.io/release-name: rancher-external-ip-webhook + catalog.cattle.io/ui-component: rancher-external-ip-webhook +apiVersion: v1 +appVersion: v0.1.4 +description: | + Deploy the external-ip-webhook to mitigate k8s CVE-2020-8554 +home: https://github.com/rancher/externalip-webhook +keywords: +- cve +- externalip +- webhook +- security +maintainers: +- email: raul@rancher.com + name: rawmind0 +name: rancher-external-ip-webhook +sources: +- https://github.com/rancher/externalip-webhook +version: 0.1.400 diff --git a/charts/rancher-external-ip-webhook/README.md b/charts/rancher-external-ip-webhook/README.md new file mode 100644 index 000000000..9223987da --- /dev/null +++ b/charts/rancher-external-ip-webhook/README.md 
@@ -0,0 +1,70 @@ +# externalip-webhook + +## Chart Details + +This chart will create a deployment of `externalip-webhook` within your Kubernetes Cluster. It's required to mitigate k8s CVE-2020-8554. + +## Installing the Chart + +To install the chart with the release name `rancher-external-ip-webhook`: + + +```bash +$ helm repo add rancher-chart https://charts.rancher.io +$ helm repo update +$ helm install rancher-external-ip-webhook rancher-chart/rancher-external-ip-webhook --namespace cattle-externalip-system -f values.yaml +``` + +## Configuration + +The following table lists the configurable parameters of the externalip-webhook chart and their default values. + + +| Parameter | Description | Default | +| ---------------------------------- | -------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------- | +| `allowedExternalIPCidrs` | Set allowed external IP CIDRs separated by a comma | `""` | +| `certificates.caBundle` | If cert-manager integration is disabled, add here self signed ca.crt in base64 format | `""` | +| `certificates.certManager.enabled` | Enable cert manager integration. 
Cert manager should be already installed at the k8s cluster | `true` | +| `certificates.certManager.version` | Cert manager version to use | `""` | +| `certificates.secretName` | If cert-manager integration is disabled, upload certs data (ca.crt, tls.crt & tls.key) as k8s secretName in the namespace | `"webhook-server-cert"` | +| `global.systemDefaultRegistry` | Pull docker images from systemDefaultRegistry | `""` | +| `image.pullPolicy` | Webhook server docker pull policy | `"IfNotPresent"` | +| `image.pullSecrets` | Webhook server docker pull secret | `""` | +| `image.repository` | Webhook server docker image repository | `"rancher/externalip-webhook"` | +| `image.tag` | Webhook server docker image tag Defaults to | `".Chart.appVersion"` | +| `metrics.enabled` | Enable metrics endpoint | `false` | +| `metrics.port` | Webhook metrics pod port | `8443` | +| `metrics.prometheusExport` | Enable Prometheus export. Follow [exporting-metrics-for-prometheus](https://book.kubebuilder.io/reference/metrics.html#exporting-metrics-for-prometheus) to export the webhook metrics | `false` | +| `metrics.authProxy.enabled` | Enable auth proxy for metrics endpoint | `false` | +| `metrics.authProxy.port` | Webhook auth proxy pod port | `8080` | +| `metrics.authProxy.image.pullPolicy` | Webhook auth proxy docker pull policy | `"IfNotPresent"` | +| `metrics.authProxy.image.pullSecrets`| Webhook auth proxy docker pull secrets | `""` | +| `metrics.authProxy.image.repository` | Webhook auth proxy docker image repository | `"gcr.io/kubebuilder/kube-rbac-proxy"` | +| `metrics.authProxy.image.pullPolicy` | Webhook auth proxy docker image tag | `"v0.5.0"` | +| `metrics.authProxy.resources.limits.cpu` | Webhook auth proxy resource cpu limit | `"100m"` | +| `metrics.authProxy.resources.limits.memory` | Webhook auth proxy resource memory limit | `"30Mi"` | +| `metrics.authProxy.resources.requests.cpu` | Webhook auth proxy wesource cpu reservation | `"100m"` | +| 
`metrics.authProxy.resources.requests.memory` | Webhook auth proxy resource memory reservation | `"20Mi"` | +| `nodeSelector` | Node labels for pod assignment | `{}` | +| `rbac.apiVersion` | Rbac API version to use | `"v1"` | +| `resources.limits.cpu` | Resource cpu limit | `"100m"` | +| `resources.limits.memory` | Resource memory limit | `"30Mi"` | +| `resources.requests.cpu` | Resource cpu reservation | `"100m"` | +| `resources.requests.memory` | Resource memory reservation | `"20Mi"` | +| `service.metricsPort` | Webhook metrics service port | `8443` | +| `service.webhookPort` | Webhook server service port | `443` | +| `serviceAccountName` | Webhook serviceAccountName. Just used if metrics.authProxy.enabled = false | `"default"` | +| `tolerations` | List of node taints to tolerate (requires Kubernetes >= 1.6) | `[]` | +| `webhookPort` | Webhook server pod port | `9443` | + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. + +Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example, + +```bash +$ helm repo add rancher-chart https://charts.rancher.io +$ helm repo update +$ helm install rancher-external-ip-webhook rancher-chart/rancher-external-ip-webhook --namespace cattle-externalip-system -f values.yaml +``` + +> **Tip**: You can use the default [values.yaml](values.yaml) diff --git a/charts/rancher-external-ip-webhook/app-README.md b/charts/rancher-external-ip-webhook/app-README.md new file mode 100644 index 000000000..38c317119 --- /dev/null +++ b/charts/rancher-external-ip-webhook/app-README.md 
@@ -0,0 +1,9 @@ +# externalip-webhook + +This chart was created to mitigate [CVE-2020-8554](https://www.cvedetails.com/cve/CVE-2020-8554/) + +External IP Webhook is a validating k8s webhook which prevents services from using random external IPs. Cluster administrators +can specify list of CIDRs allowed to be used as external IP by specifying `allowed-external-ip-cidrs` parameter. +The webhook will only allow services which either don’t set external IP, or whose external IPs are within the range specified by the administrator. + +For more information, review the Helm README of this chart. diff --git a/charts/rancher-external-ip-webhook/questions.yaml b/charts/rancher-external-ip-webhook/questions.yaml new file mode 100644 index 000000000..8b0e19040 --- /dev/null +++ b/charts/rancher-external-ip-webhook/questions.yaml @@ -0,0 +1,7 @@ +questions: +# allowedExternalIPCidrs +- variable: allowedExternalIPCidrs + label: Allowed external IP cidrs + description: Set allowed external IP CIDRs separated by a comma + type: string + group: Configuration \ No newline at end of file diff --git a/charts/rancher-external-ip-webhook/templates/NOTES.txt b/charts/rancher-external-ip-webhook/templates/NOTES.txt new file mode 100644 index 000000000..74271bdd5 --- /dev/null +++ b/charts/rancher-external-ip-webhook/templates/NOTES.txt @@ -0,0 +1,3 @@ +To verify that externalip-webhook has started, run: + + kubectl --namespace={{ .Release.Namespace }} get pods -l "app={{ template "externalip-webhook.name" . }},release={{ .Release.Name }}" diff --git a/charts/rancher-external-ip-webhook/templates/_helpers.tpl b/charts/rancher-external-ip-webhook/templates/_helpers.tpl new file mode 100644 index 000000000..cc8a9a0d3 --- /dev/null +++ b/charts/rancher-external-ip-webhook/templates/_helpers.tpl 
@@ -0,0 +1,50 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "externalip-webhook.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "externalip-webhook.fullname" -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if ne $name .Release.Name -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s" $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + +{{/* Generate basic labels */}} +{{- define "externalip-webhook.labels" }} +app: {{ template "externalip-webhook.name" . }} +heritage: {{.Release.Service }} +release: {{.Release.Name }} +{{- end }} + +{{/* +Windows cluster will add default taint for linux nodes, +add below linux tolerations to workloads could be scheduled to those linux nodes +*/}} +{{- define "linux-node-tolerations" -}} +- key: "cattle.io/os" + value: "linux" + effect: "NoSchedule" + operator: "Equal" +{{- end -}} + +{{- define "linux-node-selector" -}} +kubernetes.io/os: linux +{{- end -}} + +{{- define "system_default_registry" -}} +{{- if .Values.global.systemDefaultRegistry -}} +{{- printf "%s/" .Values.global.systemDefaultRegistry -}} +{{- else -}} +{{- "" -}} +{{- end -}} +{{- end -}} \ No newline at end of file diff --git a/charts/rancher-external-ip-webhook/templates/admissionregistration.yaml b/charts/rancher-external-ip-webhook/templates/admissionregistration.yaml new file mode 100644 index 000000000..d8152faa5 --- /dev/null +++ b/charts/rancher-external-ip-webhook/templates/admissionregistration.yaml 
@@ -0,0 +1,30 @@
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingWebhookConfiguration
+metadata:
+{{- if .Values.certificates.certManager.enabled }}
+ annotations:
+ cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ template "externalip-webhook.fullname" . }}-server-cert
+{{- end }}
+ creationTimestamp: null
+ name: {{ template "externalip-webhook.fullname" . }}-validating-webhook-configuration
+webhooks:
+- clientConfig:
+{{- if not (.Values.certificates.certManager.enabled) }}
+ caBundle: {{ .Values.certificates.caBundle }}
+{{- end }}
+ service:
+ name: {{ template "externalip-webhook.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ path: /validate-service
+ failurePolicy: Ignore
+ name: {{ template "externalip-webhook.fullname" . }}.{{ .Release.Namespace }}.svc
+ rules:
+ - apiGroups:
+ - ""
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - services
\ No newline at end of file
diff --git a/charts/rancher-external-ip-webhook/templates/clusterrole.yaml b/charts/rancher-external-ip-webhook/templates/clusterrole.yaml
new file mode 100644
index 000000000..46e18bf00
--- /dev/null
+++ b/charts/rancher-external-ip-webhook/templates/clusterrole.yaml
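Review bot: `failurePolicy: Ignore` makes the CVE-2020-8554 mitigation fail open: whenever the API server cannot reach or verify the webhook (pod not ready, TLS mismatch, timeout), a Service carrying arbitrary `externalIPs` is admitted silently, which is precisely the case this chart exists to block. The non-cert-manager branch aggravates this, because `caBundle: {{ .Values.certificates.caBundle }}` with the README's default of `""` renders an empty bundle, the API server then falls back to its system trust roots, the handshake against an operator-supplied self-signed serving certificate fails, and the Ignore policy lets every request through without any error surfacing. I would default to `failurePolicy: Fail` (exposed as a value for operators who prefer availability) and guard the branch with `caBundle: {{ required "certificates.caBundle is required when cert-manager integration is disabled" .Values.certificates.caBundle }}`. With `Fail`, an outage of the webhook blocks Service create/update cluster-wide, so it should be paired with a `namespaceSelector` that exempts kube-system and the webhook's own namespace, as other admission charts do. Consider also declaring `sideEffects: None` and an `admissionReviewVersions` list matching what the server supports now, since both are mandatory on `admissionregistration.k8s.io/v1` and the `v1beta1` API used here is already deprecated.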
@@ -0,0 +1,33 @@
+{{- if and (.Values.metrics.enabled) (.Values.metrics.authProxy.enabled) -}}
+apiVersion: rbac.authorization.k8s.io/{{ .Values.rbac.apiVersion }}
+kind: ClusterRole
+metadata:
+ labels: {{ include "externalip-webhook.labels" . | indent 4 }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ name: {{ template "externalip-webhook.fullname" . }}-proxy-role
+rules:
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+- apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
+---
+apiVersion: rbac.authorization.k8s.io/{{ .Values.rbac.apiVersion }}
+kind: ClusterRole
+metadata:
+ labels: {{ include "externalip-webhook.labels" . | indent 4 }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ name: {{ template "externalip-webhook.fullname" . }}-metrics-reader
+rules:
+- nonResourceURLs:
+ - /metrics
+ verbs:
+ - get
+{{- end -}}
\ No newline at end of file
diff --git a/charts/rancher-external-ip-webhook/templates/clusterrolebinding.yaml b/charts/rancher-external-ip-webhook/templates/clusterrolebinding.yaml
new file mode 100644
index 000000000..2fa40817f
--- /dev/null
+++ b/charts/rancher-external-ip-webhook/templates/clusterrolebinding.yaml
@@ -0,0 +1,31 @@
+apiVersion: rbac.authorization.k8s.io/{{ .Values.rbac.apiVersion }}
+kind: ClusterRoleBinding
+metadata:
+ labels: {{ include "externalip-webhook.labels" . | indent 4 }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ name: {{ template "externalip-webhook.fullname" . }}-cluster-view
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: view
+subjects:
+- kind: ServiceAccount
+ name: {{ template "externalip-webhook.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+{{- if and (.Values.metrics.enabled) (.Values.metrics.authProxy.enabled) }}
+---
+apiVersion: rbac.authorization.k8s.io/{{ .Values.rbac.apiVersion }}
+kind: ClusterRoleBinding
+metadata:
+ labels: {{ include "externalip-webhook.labels" . | indent 4 }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ name: {{ template "externalip-webhook.fullname" . }}-proxy-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ template "externalip-webhook.fullname" . }}-proxy-role
+subjects:
+- kind: ServiceAccount
+ name: {{ template "externalip-webhook.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/rancher-external-ip-webhook/templates/deployment.yaml b/charts/rancher-external-ip-webhook/templates/deployment.yaml
new file mode 100644
index 000000000..c82754deb
--- /dev/null
+++ b/charts/rancher-external-ip-webhook/templates/deployment.yaml
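Review bot: The first binding grants the webhook's ServiceAccount the built-in `view` ClusterRole across the whole cluster, unconditionally, which is far broader than a Service-validating admission webhook appears to need: `view` covers pods, configmaps, deployments, events and most other namespaced resources in every namespace, and configmaps in particular frequently hold sensitive configuration. Nothing in this patch shows the server reading from the API at all — the Service under review arrives inside the AdmissionReview — so if it does need read access (for example a controller-runtime cache), a dedicated ClusterRole limited to `services` with `get`/`list`/`watch`, defined outside the metrics condition in clusterrole.yaml, would follow least privilege, and if it needs nothing the `-cluster-view` binding can be dropped entirely. The proxy binding that follows is appropriate as written: `tokenreviews`/`subjectaccessreviews` create is what kube-rbac-proxy requires.
```yaml
apiVersion: rbac.authorization.k8s.io/{{ .Values.rbac.apiVersion }}
kind: ClusterRole
metadata:
  name: {{ template "externalip-webhook.fullname" . }}-service-reader
rules:
- apiGroups: [""]
  resources: ["services"]
  verbs: ["get", "list", "watch"]
---
# … unchanged: ClusterRoleBinding apiVersion/kind/metadata …
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ template "externalip-webhook.fullname" . }}-service-reader
# … unchanged: subjects and the conditional proxy binding …
```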
@@ -0,0 +1,107 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + seccomp.security.alpha.kubernetes.io/pod: runtime/default + labels: {{ include "externalip-webhook.labels" . | indent 4 }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + name: {{ template "externalip-webhook.fullname" . }} + namespace: {{ .Release.Namespace }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ template "externalip-webhook.name" . }} + template: + metadata: + annotations: + seccomp.security.alpha.kubernetes.io/pod: runtime/default + labels: {{ include "externalip-webhook.labels" . | indent 8 }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + spec: + containers: + {{- if and (.Values.metrics.enabled) (.Values.metrics.authProxy.enabled) }} + - name: {{ template "externalip-webhook.fullname" . }}-auth-proxy + args: + - --secure-listen-address=0.0.0.0:{{ .Values.metrics.port }} + - --upstream=http://127.0.0.1:{{ .Values.metrics.authProxy.port }}/ + - --logtostderr=true + - --v=10 + image: {{ template "system_default_registry" . }}{{ .Values.metrics.authProxy.image.repository}}:{{ .Values.metrics.authProxy.image.tag }} + imagePullPolicy: "{{ .Values.metrics.authProxy.image.pullPolicy }}" + ports: + - containerPort: {{ .Values.metrics.port }} + name: webhook-metrics + protocol: TCP + resources: +{{ toYaml .Values.metrics.authProxy.resources | indent 10 }} + readinessProbe: + tcpSocket: + port: webhook-metrics + initialDelaySeconds: 5 + periodSeconds: 10 + livenessProbe: + tcpSocket: + port: webhook-metrics + initialDelaySeconds: 5 + failureThreshold: 10 + periodSeconds: 30 + {{- end }} + - name: {{ template "externalip-webhook.fullname" . }} + image: {{ template "system_default_registry" . 
}}{{ .Values.image.repository}}:{{ default .Chart.AppVersion .Values.image.tag }} + imagePullPolicy: "{{ .Values.image.pullPolicy }}" + command: + - /webhook + args: + - --webhook-port={{ .Values.webhookPort }} + {{- if .Values.allowedExternalIPCidrs }} + - --allowed-external-ip-cidrs={{ .Values.allowedExternalIPCidrs }} + {{- end }} + {{- if .Values.metrics.enabled }} + {{- if .Values.metrics.authProxy.enabled }} + - --metrics-addr=127.0.0.1:{{ .Values.metrics.authProxy.port }} + {{- else }} + - --metrics-addr=0.0.0.0:{{ .Values.metrics.port }} + {{- end }} + {{- end }} + ports: + - containerPort: {{ .Values.webhookPort }} + name: webhook-server + protocol: TCP + {{- if and (.Values.metrics.enabled) (not (.Values.metrics.authProxy.enabled)) }} + - containerPort: {{ .Values.metrics.port }} + name: webhook-metrics + protocol: TCP + {{- end }} + volumeMounts: + - name: server-cert + mountPath: /tmp/k8s-webhook-server/serving-certs + readOnly: true + resources: +{{ toYaml .Values.resources | indent 10 }} + readinessProbe: + tcpSocket: + port: webhook-server + initialDelaySeconds: 5 + failureThreshold: 10 + periodSeconds: 30 + livenessProbe: + tcpSocket: + port: webhook-server + initialDelaySeconds: 5 + failureThreshold: 10 + periodSeconds: 30 + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} + {{- if .Values.nodeSelector }} +{{ toYaml .Values.nodeSelector | indent 8 }} + {{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 6}} + {{- if .Values.tolerations }} +{{ toYaml .Values.tolerations | indent 6 }} + {{- end }} + serviceAccountName: {{ template "externalip-webhook.fullname" . }} + volumes: + - name: server-cert + secret: + defaultMode: 420 + secretName: {{ .Values.certificates.secretName }} diff --git a/charts/rancher-external-ip-webhook/templates/issuer.yaml b/charts/rancher-external-ip-webhook/templates/issuer.yaml new file mode 100644 index 000000000..ff1c2de10 --- /dev/null 
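Review bot: Neither the pod nor either container in this Deployment sets a `securityContext`; the only hardening present is the `seccomp.security.alpha.kubernetes.io/pod: runtime/default` annotation repeated on the Deployment and the pod template. For a component sitting in the admission path whose ServiceAccount carries a cluster-wide binding, I would add `runAsNonRoot: true` at pod level and `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true` and `capabilities.drop: [ALL]` on both containers — the webhook binary's only filesystem dependency visible here is the read-only certificate mount at `/tmp/k8s-webhook-server/serving-certs`, so a read-only root should be compatible, though whether the image runs as a non-root user has to be confirmed against its Dockerfile. Separately, `--v=10` on kube-rbac-proxy is the maximum verbosity; that much request logging is unusual for a production auth proxy, and I would lower it or expose it as a value. The template also reads `.Values.replicas`, which does not appear in the README parameter table in this patch; check that values.yaml defines it, otherwise `replicas:` renders with no value and the count is left to API-server defaulting.
```yaml
    spec:
      securityContext:
        runAsNonRoot: true
      containers:
      # … unchanged: auth-proxy container args/image/ports/resources/probes …
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop: ["ALL"]
      # … unchanged: webhook container command/args/ports/volumeMounts/resources/probes …
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop: ["ALL"]
```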
+++ b/charts/rancher-external-ip-webhook/templates/issuer.yaml 
@@ -0,0 +1,52 @@ +{{- if .Values.certificates.certManager.enabled -}} + {{- $certmanagerVer := split "." .Values.certificates.certManager.version -}} + {{- if or (.Capabilities.APIVersions.Has "cert-manager.io/v1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 1) (ge (int $certmanagerVer._1) 0)) }} +apiVersion: cert-manager.io/v1 + {{- else if or (.Capabilities.APIVersions.Has "cert-manager.io/v1beta1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (ge (int $certmanagerVer._1) 16)) }} +apiVersion: cert-manager.io/v1beta1 + {{- else if or (.Capabilities.APIVersions.Has "cert-manager.io/v1alpha2") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (ge (int $certmanagerVer._1) 11)) }} +apiVersion: cert-manager.io/v1alpha2 + {{- else if or (.Capabilities.APIVersions.Has "certmanager.k8s.io/v1alpha1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (lt (int $certmanagerVer._1) 11)) }} +apiVersion: certmanager.k8s.io/v1alpha1 + {{- else }} +# Setting latest version as default +apiVersion: cert-manager.io/v1 + {{- end }} +kind: Certificate +metadata: + labels: {{ include "externalip-webhook.labels" . | indent 4 }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + name: {{ template "externalip-webhook.fullname" . }}-server-cert + namespace: {{ .Release.Namespace }} +spec: + dnsNames: + - {{ template "externalip-webhook.fullname" . }}.{{ .Release.Namespace }}.svc + - {{ template "externalip-webhook.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local + issuerRef: + kind: Issuer + name: {{ template "externalip-webhook.fullname" . 
}}-issuer + secretName: {{ .Values.certificates.secretName }} +--- + {{- if or (.Capabilities.APIVersions.Has "cert-manager.io/v1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 1) (ge (int $certmanagerVer._1) 0)) }} +apiVersion: cert-manager.io/v1 + {{- else if or (.Capabilities.APIVersions.Has "cert-manager.io/v1beta1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (ge (int $certmanagerVer._1) 16)) }} +apiVersion: cert-manager.io/v1beta1 + {{- else if or (.Capabilities.APIVersions.Has "cert-manager.io/v1alpha2") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (ge (int $certmanagerVer._1) 11)) }} +apiVersion: cert-manager.io/v1alpha2 + {{- else if or (.Capabilities.APIVersions.Has "certmanager.k8s.io/v1alpha1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (lt (int $certmanagerVer._1) 11)) }} +apiVersion: certmanager.k8s.io/v1alpha1 + {{- else }} +# Setting latest version as default +apiVersion: cert-manager.io/v1 + {{- end }} +kind: Issuer +metadata: + labels: {{ include "externalip-webhook.labels" . | indent 4 }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + name: {{ template "externalip-webhook.fullname" . }}-issuer + namespace: {{ .Release.Namespace }} +spec: + selfSigned: {} +{{- end -}} + + diff --git a/charts/rancher-external-ip-webhook/templates/service.yaml b/charts/rancher-external-ip-webhook/templates/service.yaml new file mode 100644 index 000000000..256add3e4 --- /dev/null +++ b/charts/rancher-external-ip-webhook/templates/service.yaml 
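Review bot: The cert-manager `apiVersion` selection chain is copied verbatim for the `Certificate` and again for the `Issuer`, so the two copies must be kept in lockstep by hand, and the `(ge (int $certmanagerVer._1) 0)` test in the major-version-1 branch is vacuous since `int` never yields a negative minor. I would move the `split` and the whole if/else-if chain into a named template in `_helpers.tpl` (e.g. `externalip-webhook.certManagerApiVersion`, invoked with `.` so it can read `.Capabilities` and `.Values`) and replace both copies with `apiVersion: {{ include "externalip-webhook.certManagerApiVersion" . }}`; the rendered output is identical because the helper is the existing logic moved, not rewritten. Note also that `.Capabilities.APIVersions.Has` is only populated against a live cluster, so under `helm template` the choice rests entirely on `certificates.certManager.version`, whose documented default `""` makes every `and` false and selects the `cert-manager.io/v1` fallback — that behaviour deserves one line in the README next to that parameter.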
@@ -0,0 +1,35 @@ +apiVersion: v1 +kind: Service +metadata: + labels: {{ include "externalip-webhook.labels" . | indent 4 }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + name: {{ template "externalip-webhook.fullname" . }} + namespace: {{ .Release.Namespace }} +spec: + ports: + - name: webhook-server + port: {{ .Values.service.webhookPort }} + protocol: TCP + targetPort: {{ .Values.webhookPort }} + selector: + app: {{ template "externalip-webhook.name" . }} + type: "ClusterIP" +{{- if .Values.metrics.enabled }} +--- +apiVersion: v1 +kind: Service +metadata: + labels: {{ include "externalip-webhook.labels" . | indent 4 }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + name: {{ template "externalip-webhook.fullname" . }}-metrics-service + namespace: {{ .Release.Namespace }} +spec: + ports: + - name: webhook-metrics + port: {{ .Values.service.metricsPort }} + protocol: TCP + targetPort: {{ .Values.metrics.port }} + selector: + app: {{ template "externalip-webhook.name" . }} + type: "ClusterIP" +{{- end }} \ No newline at end of file diff --git a/charts/rancher-external-ip-webhook/templates/serviceaccount.yaml b/charts/rancher-external-ip-webhook/templates/serviceaccount.yaml new file mode 100644 index 000000000..895df4f5b --- /dev/null +++ b/charts/rancher-external-ip-webhook/templates/serviceaccount.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: {{ include "externalip-webhook.labels" . | indent 4 }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + name: {{ template "externalip-webhook.fullname" . }} + namespace: {{ .Release.Namespace }} diff --git a/charts/rancher-external-ip-webhook/templates/servicemonitor.yaml b/charts/rancher-external-ip-webhook/templates/servicemonitor.yaml new file mode 100644 index 000000000..c481ea31d --- /dev/null +++ b/charts/rancher-external-ip-webhook/templates/servicemonitor.yaml 
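Review bot: The metrics Service publishes `.Values.metrics.port` on a ClusterIP whenever `metrics.enabled` is true, independent of `metrics.authProxy.enabled`; in the proxy-less case deployment.yaml binds `--metrics-addr=0.0.0.0:{{ .Values.metrics.port }}`, so `/metrics` is served as unauthenticated plain HTTP to every pod in the cluster. That may be acceptable for webhook counters, but it should be stated next to the knob in values.yaml and the README, e.g. `# when false, /metrics is unauthenticated plain HTTP on a ClusterIP Service`. Both Services also select on `app:` alone although the labels helper emits `release:` as well; adding `release: {{ .Release.Name }}` to the selectors (and to the Deployment's `matchLabels`) would stop two releases in one namespace from routing admission traffic into each other's pods.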
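Review bot: The ServiceAccount leaves `automountServiceAccountToken` at its default, so the webhook pod holds a token that, through the `-cluster-view` ClusterRoleBinding in this same patch, reads most namespaced resources cluster-wide. Nothing in the chart shows the server calling the API — the Service under review is delivered in the AdmissionReview — so a compromise of the webhook container would hand an attacker a credential it does not need for its job. Since kube-rbac-proxy does need the token for TokenReview/SubjectAccessReview when the auth proxy is on, I would set `automountServiceAccountToken: {{ and .Values.metrics.enabled .Values.metrics.authProxy.enabled }}` here rather than a hard `false`, and confirm against the server's source that it makes no API calls of its own.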
@@ -0,0 +1,16 @@
+{{- if and (.Values.metrics.enabled) (.Values.metrics.prometheusExport) -}}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ labels: {{ include "externalip-webhook.labels" . | indent 4 }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ name: {{ template "externalip-webhook.fullname" . }}-monitor
+ namespace: {{ .Release.Namespace }}
+spec:
+ endpoints:
+ - path: /metrics
+ port: https
+ selector:
+ matchLabels:
+ app: {{ template "externalip-webhook.name" . }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/rancher-external-ip-webhook/tests/admissionregistration_test.yaml b/charts/rancher-external-ip-webhook/tests/admissionregistration_test.yaml
new file mode 100644
index 000000000..0660aa6e8
--- /dev/null
+++ b/charts/rancher-external-ip-webhook/tests/admissionregistration_test.yaml
@@ -0,0 +1,32 @@
+suite: Test Admission Registration
+templates:
+- admissionregistration.yaml
+tests:
+- it: should render Admission Registration
+ asserts:
+ - equal:
+ path: apiVersion
+ value: admissionregistration.k8s.io/v1beta1
+- it: should render Admission Registration annotation and not caBundle if certificates.certManager.enabled = true
+ release:
+ name: rancher-externalip-webhook
+ namespace: test
+ set:
+ certificates.certManager.enabled: true
+ asserts:
+ - equal:
+ path: metadata.annotations
+ value:
+ cert-manager.io/inject-ca-from: test/rancher-externalip-webhook-server-cert
+ - isNull:
+ path: webhooks[0].clientConfig.caBundle
+- it: should render Admission Registration caBundle and not annotation if certificates.certManager.enabled = false
+ set:
+ certificates.caBundle: test
+ certificates.certManager.enabled: false
+ asserts:
+ - equal:
+ path: webhooks[0].clientConfig.caBundle
+ value: test
+ - isNull:
+ path: metadata.annotations
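Review bot: The endpoint `port: https` names a Service port that does not exist: the metrics Service in service.yaml names its only port `webhook-metrics`, so Prometheus will match the Service by the `app` label but find no endpoint to scrape. Change it to `port: webhook-metrics`; since `matchLabels` also matches the webhook-server Service, narrowing the selector (or giving the metrics Service a dedicated label) keeps the admission endpoint out of the scrape target list. When `metrics.authProxy.enabled` is true the proxy presumably expects TLS and a bearer token, so the endpoint would additionally need `scheme: https` plus `bearerTokenFile`/`tlsConfig` gated on that value; otherwise values.yaml should state that `prometheusExport` only works without the auth proxy. servicemonitor_test.yaml asserts document counts only, so neither gap is caught by the tests.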
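Review bot: The suite pins `apiVersion` and the CA wiring but not the parts that carry the mitigation: the webhook's `rules` (which operations and resources are intercepted) and its `failurePolicy`. An accidental change to `failurePolicy: Ignore` or a narrowed rule set would silently disable the protection while all three tests still pass. Add `equal` assertions on `webhooks[0].failurePolicy` and `webhooks[0].rules[0]` to the first test; the template is outside this chunk, so the expected values have to be taken from admissionregistration.yaml. The first assertion also pins `admissionregistration.k8s.io/v1beta1`, so this is the test to update if the template is moved to `v1`.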
diff --git a/charts/rancher-external-ip-webhook/tests/clusterrole_test.yaml b/charts/rancher-external-ip-webhook/tests/clusterrole_test.yaml
new file mode 100644
index 000000000..9e563807b
--- /dev/null
+++ b/charts/rancher-external-ip-webhook/tests/clusterrole_test.yaml
@@ -0,0 +1,37 @@
+suite: Test Cluster Roles
+templates:
+- clusterrole.yaml
+tests:
+- it: should not render Cluster Roles if metrics.enabled = false or metrics.authProxy.enabled = false
+ set:
+ metrics.enabled: false
+ metrics.authProxy.enabled: false
+ asserts:
+ - hasDocuments:
+ count: 0
+ template: clusterrole.yaml
+- it: should render Cluster Roles if metrics.enabled = true and metrics.authProxy.enabled = true
+ set:
+ metrics.enabled: true
+ metrics.authProxy.enabled: true
+ asserts:
+ - hasDocuments:
+ count: 2
+ template: clusterrole.yaml
+- it: should render Cluster Roles with default rbac api version if metrics.enabled = true and metrics.authProxy.enabled = true
+ set:
+ metrics.enabled: true
+ metrics.authProxy.enabled: true
+ asserts:
+ - equal:
+ path: apiVersion
+ value: rbac.authorization.k8s.io/v1
+- it: should render Cluster Roles with custom rbac api version if metrics.enabled = true and metrics.authProxy.enabled = true
+ set:
+ metrics.enabled: true
+ metrics.authProxy.enabled: true
+ rbac.apiVersion: v1beta
+ asserts:
+ - equal:
+ path: apiVersion
+ value: rbac.authorization.k8s.io/v1beta
\ No newline at end of file
diff --git a/charts/rancher-external-ip-webhook/tests/clusterrolebinding_test.yaml b/charts/rancher-external-ip-webhook/tests/clusterrolebinding_test.yaml
new file mode 100644
index 000000000..2129573a3
--- /dev/null
+++ b/charts/rancher-external-ip-webhook/tests/clusterrolebinding_test.yaml
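Review bot: The first test's title says `metrics.enabled = false or metrics.authProxy.enabled = false` but its `set` block disables both, so the `or` is never exercised; either split it into two tests (one with only `metrics.enabled: false`, one with only `metrics.authProxy.enabled: false`) or retitle it with `and`. The custom-version test feeds `rbac.apiVersion: v1beta`, which is not a real RBAC API version; the passthrough is still verified, but `v1beta1` keeps the expected `rbac.authorization.k8s.io/v1beta1` meaningful. No test asserts the `rules` of the two rendered ClusterRoles, which is the security-relevant content of the template; an `equal` on `rules` with a `documentIndex` per document would make privilege creep visible.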
@@ -0,0 +1,42 @@
+suite: Test Cluster Role Bindings
+templates:
+- clusterrolebinding.yaml
+tests:
+- it: should render Cluster Role Bindings with default rbac api version
+ set:
+ rbac.apiVersion: v1
+ asserts:
+ - equal:
+ path: apiVersion
+ value: rbac.authorization.k8s.io/v1
+- it: should render Cluster Role Bindings with custom rbac api version
+ set:
+ rbac.apiVersion: v1beta
+ asserts:
+ - equal:
+ path: apiVersion
+ value: rbac.authorization.k8s.io/v1beta
+- it: should not render Cluster Role Binding proxy if metrics.enabled = false or metrics.authProxy.enabled = false
+ set:
+ metrics.enabled: false
+ metrics.authProxy.enabled: false
+ asserts:
+ - hasDocuments:
+ count: 1
+ template: clusterrolebinding.yaml
+- it: should render Cluster Role Bindings proxy if metrics.enabled = true and metrics.authProxy.enabled = true
+ set:
+ metrics.enabled: true
+ metrics.authProxy.enabled: true
+ asserts:
+ - hasDocuments:
+ count: 2
+ template: clusterrolebinding.yaml
+- it: should render Cluster Role Bindings with default rbac api version if metrics.enabled = true and metrics.authProxy.enabled = true
+ set:
+ metrics.enabled: true
+ metrics.authProxy.enabled: true
+ asserts:
+ - equal:
+ path: apiVersion
+ value: rbac.authorization.k8s.io/v1
\ No newline at end of file
diff --git a/charts/rancher-external-ip-webhook/tests/deployment_test.yaml b/charts/rancher-external-ip-webhook/tests/deployment_test.yaml
new file mode 100644
index 000000000..50e3f9ec1
--- /dev/null
+++ b/charts/rancher-external-ip-webhook/tests/deployment_test.yaml
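Review bot: The test titled `with default rbac api version` sets `rbac.apiVersion: v1` explicitly, so it verifies the passthrough rather than the default; drop its `set` block so the value from values.yaml is what gets checked (the last test in the file already covers the explicit case). The `or`-in-title, both-false-in-`set` mismatch seen in clusterrole_test.yaml appears here too in the `should not render Cluster Role Binding proxy` test. Nothing asserts `subjects` or `roleRef` of either binding, which is what decides which identity receives the cluster-wide permissions; pinning `subjects[0].name` and `roleRef.name` per `documentIndex` would make an accidental rebinding visible.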
@@ -0,0 +1,202 @@
+suite: Test Deployments
+templates:
+- deployment.yaml
+tests:
+- it: should render Deployment with allowed-external-ip-cidrs arg if allowedExternalIPCidrs is set
+ release:
+ name: rancher-externalip-webhook
+ set:
+ allowedExternalIPCidrs: "1,2"
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].args[1]
+ value: --allowed-external-ip-cidrs=1,2
+- it: should render Deployment with default port, nodeSelector and tolerations if metrics.enabled = false and metrics.authProxy.enabled = false
+ release:
+ name: rancher-externalip-webhook
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].name
+ value: rancher-externalip-webhook
+ - equal:
+ path: spec.template.spec.containers[0].ports[0]
+ value:
+ containerPort: 9443
+ name: webhook-server
+ protocol: TCP
+ - equal:
+ path: spec.template.spec.tolerations[0]
+ value:
+ key: "cattle.io/os"
+ value: "linux"
+ effect: "NoSchedule"
+ operator: "Equal"
+ - equal:
+ path: spec.template.spec.nodeSelector
+ value:
+ kubernetes.io/os: linux
+- it: should render Deployment with default port and custom nodeSelector and tolerations if metrics.enabled = false and metrics.authProxy.enabled = false
+ release:
+ name: rancher-externalip-webhook
+ set:
+ tolerations:
+ - key: "cattle.io/test"
+ value: "linux"
+ effect: "NoSchedule"
+ operator: "Equal"
+ nodeSelector:
+ kubernetes.io/test: linux
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].name
+ value: rancher-externalip-webhook
+ - equal:
+ path: spec.template.spec.containers[0].ports[0]
+ value:
+ containerPort: 9443
+ name: webhook-server
+ protocol: TCP
+ - equal:
+ path: spec.template.spec.tolerations[0]
+ value:
+ key: "cattle.io/os"
+ value: "linux"
+ effect: "NoSchedule"
+ operator: "Equal"
+ - equal:
+ path: spec.template.spec.tolerations[1]
+ value:
+ key: "cattle.io/test"
+ value: "linux"
+ effect: "NoSchedule"
+ operator: "Equal"
+ - equal:
+ path: spec.template.spec.nodeSelector
+ value:
+ kubernetes.io/os: linux
+ kubernetes.io/test: linux
+- it: should render Deployment with custom port and image if metrics.enabled = false and metrics.authProxy.enabled = false
+ release:
+ name: rancher-externalip-webhook
+ set:
+ webhookPort: 9000
+ image.repository: test
+ image.tag: dev-test
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].name
+ value: rancher-externalip-webhook
+ - equal:
+ path: spec.template.spec.containers[0].image
+ value: test:dev-test
+ - equal:
+ path: spec.template.spec.containers[0].ports[0]
+ value:
+ containerPort: 9000
+ name: webhook-server
+ protocol: TCP
+- it: should render Deployment with default metrics port if metrics.enabled = true and metrics.authProxy.enabled = false
+ release:
+ name: rancher-externalip-webhook
+ set:
+ metrics.enabled: true
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].name
+ value: rancher-externalip-webhook
+ - equal:
+ path: spec.template.spec.containers[0].ports[0]
+ value:
+ containerPort: 9443
+ name: webhook-server
+ protocol: TCP
+ - equal:
+ path: spec.template.spec.containers[0].ports[1]
+ value:
+ containerPort: 8443
+ name: webhook-metrics
+ protocol: TCP
+- it: should render Deployment with custom metrics port if metrics.enabled = true and metrics.authProxy.enabled = false
+ release:
+ name: rancher-externalip-webhook
+ set:
+ metrics.enabled: true
+ metrics.port: 8000
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].name
+ value: rancher-externalip-webhook
+ - equal:
+ path: spec.template.spec.containers[0].ports[0]
+ value:
+ containerPort: 9443
+ name: webhook-server
+ protocol: TCP
+ - equal:
+ path: spec.template.spec.containers[0].ports[1]
+ value:
+ containerPort: 8000
+ name: webhook-metrics
+ protocol: TCP
+- it: should render Deployment with default metrics port if metrics.enabled = true and metrics.authProxy.enabled = true
+ release:
+ name: rancher-externalip-webhook
+ set:
+ metrics.enabled: true
+ metrics.authProxy.enabled: true
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].name
+ value: rancher-externalip-webhook-auth-proxy
+ - equal:
+ path: spec.template.spec.containers[0].ports[0]
+ value:
+ containerPort: 8443
+ name: webhook-metrics
+ protocol: TCP
+ - equal:
+ path: spec.template.spec.containers[1].name
+ value: rancher-externalip-webhook
+ - equal:
+ path: spec.template.spec.containers[1].ports[0]
+ value:
+ containerPort: 9443
+ name: webhook-server
+ protocol: TCP
+- it: should render Deployment with custom metrics port and image if metrics.enabled = true and metrics.authProxy.enabled = true
+ release:
+ name: rancher-externalip-webhook
+ set:
+ metrics.enabled: true
+ metrics.authProxy.enabled: true
+ metrics.port: 8000
+ webhookPort: 9000
+ image.repository: test
+ image.tag: dev-test
+ metrics.authProxy.image.repository: auth
+ metrics.authProxy.image.tag: auth-test
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].name
+ value: rancher-externalip-webhook-auth-proxy
+ - equal:
+ path: spec.template.spec.containers[0].image
+ value: auth:auth-test
+ - equal:
+ path: spec.template.spec.containers[0].ports[0]
+ value:
+ containerPort: 8000
+ name: webhook-metrics
+ protocol: TCP
+ - equal:
+ path: spec.template.spec.containers[1].name
+ value: rancher-externalip-webhook
+ - equal:
+ path: spec.template.spec.containers[1].image
+ value: test:dev-test
+ - equal:
+ path: spec.template.spec.containers[1].ports[0]
+ value:
+ containerPort: 9000
+ name: webhook-server
+ protocol: TCP
\ No newline at end of file
diff --git a/charts/rancher-external-ip-webhook/tests/issuer_test.yaml b/charts/rancher-external-ip-webhook/tests/issuer_test.yaml
new file mode 100644
index 000000000..eeeb660b2
--- /dev/null
+++ b/charts/rancher-external-ip-webhook/tests/issuer_test.yaml
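Review bot: In the two `metrics.authProxy.enabled = true` tests nothing asserts that the webhook container (`containers[1]`) stops exposing the metrics port itself; only its `ports[0]` is checked. If the deployment template (outside this chunk) still lists the metrics containerPort on the webhook container in that mode, the auth proxy no longer guards the metrics and these tests would not notice; add `- isNull:` / `path: spec.template.spec.containers[1].ports[1]` to both, and an `isNull` on `containers[0].ports[1]` to the `metrics.enabled = false` tests for the same reason. The first test passes `allowedExternalIPCidrs: "1,2"`, which are not CIDRs; realistic values such as `10.0.0.0/8,192.168.0.0/16` keep the expected `--allowed-external-ip-cidrs=...` argument readable and still show that a comma-separated list survives templating.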
@@ -0,0 +1,106 @@
+suite: Test Issuers
+templates:
+- issuer.yaml
+tests:
+- it: should not render issuer if certificates.certManager.enabled = false
+ set:
+ certificates.certManager.enabled: false
+ asserts:
+ - hasDocuments:
+ count: 0
+ template: issuer.yaml
+- it: should render issuer if certificates.certManager.enabled = true
+ set:
+ certificates.certManager.enabled: true
+ asserts:
+ - hasDocuments:
+ count: 2
+ template: issuer.yaml
+- it: should set issuer apiVersion with default cert-manager
+ set:
+ certificates.certManager.enabled: true
+ asserts:
+ - equal:
+ path: apiVersion
+ value: cert-manager.io/v1
+ template: issuer.yaml
+- it: should set issuer apiVersion with cert-manager >= 1.0.0 using capabilities
+ capabilities:
+ apiversions:
+ - cert-manager.io/v1
+ set:
+ certificates.certManager.enabled: true
+ asserts:
+ - equal:
+ path: apiVersion
+ value: cert-manager.io/v1
+ template: issuer.yaml
+- it: should set issuer apiVersion with cert-manager >= 0.16.0 using capabilities
+ capabilities:
+ apiversions:
+ - cert-manager.io/v1beta1
+ set:
+ certificates.certManager.enabled: true
+ asserts:
+ - equal:
+ path: apiVersion
+ value: cert-manager.io/v1beta1
+ template: issuer.yaml
+- it: should set issuer apiVersion with cert-manager >= 0.11.0 using capabilities
+ capabilities:
+ apiversions:
+ - cert-manager.io/v1alpha2
+ set:
+ certificates.certManager.enabled: true
+ asserts:
+ - equal:
+ path: apiVersion
+ value: cert-manager.io/v1alpha2
+ template: issuer.yaml
+- it: should set issuer apiVersion with cert-manager < 0.11.0 using capabilities
+ capabilities:
+ apiversions:
+ - certmanager.k8s.io/v1alpha1
+ set:
+ certificates.certManager.enabled: true
+ asserts:
+ - equal:
+ path: apiVersion
+ value: certmanager.k8s.io/v1alpha1
+ template: issuer.yaml
+- it: should set issuer apiVersion with cert-manager >= 1.0.0 using parameter
+ set:
+ certificates.certManager.version: 1.0.0
+ certificates.certManager.enabled: true
+ asserts:
+ - equal:
+ path: apiVersion
+ value: cert-manager.io/v1
+ template: issuer.yaml
+- it: should set issuer apiVersion with cert-manager >= 0.16.0 using parameter
+ set:
+ certificates.certManager.version: 0.16.0
+ certificates.certManager.enabled: true
+ asserts:
+ - equal:
+ path: apiVersion
+ value: cert-manager.io/v1beta1
+ template: issuer.yaml
+- it: should set issuer apiVersion with cert-manager >= 0.11.0 using parameter
+ set:
+ certificates.certManager.version: 0.11.0
+ certificates.certManager.enabled: true
+ asserts:
+ - equal:
+ path: apiVersion
+ value: cert-manager.io/v1alpha2
+ template: issuer.yaml
+- it: should set letsEncrypt apiVersion with cert-manager < 0.11.0 using parameter
+ set:
+ certificates.certManager.version: 0.9.0
+ certificates.certManager.enabled: true
+ asserts:
+ - equal:
+ path: apiVersion
+ value: certmanager.k8s.io/v1alpha1
+ template: issuer.yaml
diff --git a/charts/rancher-external-ip-webhook/tests/service_test.yaml b/charts/rancher-external-ip-webhook/tests/service_test.yaml
new file mode 100644
index 000000000..a0ba4d352
--- /dev/null
+++ b/charts/rancher-external-ip-webhook/tests/service_test.yaml
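Review bot: The last test is titled `should set letsEncrypt apiVersion with cert-manager < 0.11.0 using parameter` but, like the others, renders the self-signed Issuer; rename it to `should set issuer apiVersion with cert-manager < 0.11.0 using parameter`. The parameter tests only cover bare `MAJOR.MINOR.PATCH` strings; a `v`-prefixed value such as `v1.0.0`, which is how cert-manager tags releases, would presumably fail the `int` conversions in issuer.yaml and drop into the oldest `certmanager.k8s.io/v1alpha1` branch, so add a test that pins whatever behaviour is intended for that input. Every test here checks `apiVersion` only; one `equal` on `spec.selfSigned` with the Issuer's `documentIndex` would also pin that the issuer stays self-signed.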
@@ -0,0 +1,69 @@
+suite: Test Services
+templates:
+- service.yaml
+tests:
+- it: should render webhook-server service with default webhookPort if metrics.enabled = false
+ set:
+ metrics.enabled: false
+ asserts:
+ - equal:
+ path: spec.ports[0]
+ value:
+ name: webhook-server
+ port: 443
+ protocol: TCP
+ targetPort: 9443
+- it: should render webhook-server service with custom webhookPort if metrics.enabled = false
+ set:
+ metrics.enabled: false
+ webhookPort: 9000
+ asserts:
+ - equal:
+ path: spec.ports[0]
+ value:
+ name: webhook-server
+ port: 443
+ protocol: TCP
+ targetPort: 9000
+- it: should render webhook-server and webhook-metrics services with default webhookPort and metrics.port, if metrics.enabled = true
+ set:
+ metrics.enabled: true
+ asserts:
+ - equal:
+ path: spec.ports[0]
+ value:
+ name: webhook-server
+ port: 443
+ protocol: TCP
+ targetPort: 9443
+ documentIndex: 0
+ - equal:
+ path: spec.ports[0]
+ value:
+ name: webhook-metrics
+ port: 8443
+ protocol: TCP
+ targetPort: 8443
+ documentIndex: 1
+- it: should render webhook-server and webhook-metrics services with custom webhookPort and metrics.port, if metrics.enabled = true
+ set:
+ metrics.enabled: true
+ metrics.port: 8000
+ webhookPort: 9000
+ asserts:
+ - equal:
+ path: spec.ports[0]
+ value:
+ name: webhook-server
+ port: 443
+ protocol: TCP
+ targetPort: 9000
+ documentIndex: 0
+ - equal:
+ path: spec.ports[0]
+ value:
+ name: webhook-metrics
+ port: 8443
+ protocol: TCP
+ targetPort: 8000
+ documentIndex: 1
\ No newline at end of file
diff --git a/charts/rancher-external-ip-webhook/tests/serviceaccount_test.yaml b/charts/rancher-external-ip-webhook/tests/serviceaccount_test.yaml
new file mode 100644
index 000000000..5aebbc74b
--- /dev/null
+++ b/charts/rancher-external-ip-webhook/tests/serviceaccount_test.yaml
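Review bot: None of the four tests pins `spec.type`, which service.yaml hard-codes to `ClusterIP` for both the admission endpoint and the metrics endpoint; a later change to `NodePort` or `LoadBalancer` would expose them outside the cluster without any test failing. Add `- equal:` / `path: spec.type` / `value: ClusterIP` with the matching `documentIndex` to the `metrics.enabled = true` tests. The two `metrics.enabled = false` tests also do not assert `hasDocuments: count: 1`, so the metrics Service leaking into that mode would go unnoticed.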
@@ -0,0 +1,9 @@
+suite: Test Service Accounts
+templates:
+- serviceaccount.yaml
+tests:
+- it: should render Service Account
+ asserts:
+ - hasDocuments:
+ count: 1
+ template: serviceaccount.yaml
diff --git a/charts/rancher-external-ip-webhook/tests/servicemonitor_test.yaml b/charts/rancher-external-ip-webhook/tests/servicemonitor_test.yaml
new file mode 100644
index 000000000..21989265e
--- /dev/null
+++ b/charts/rancher-external-ip-webhook/tests/servicemonitor_test.yaml
@@ -0,0 +1,20 @@
+suite: Test Service Monitors
+templates:
+- servicemonitor.yaml
+tests:
+- it: should not render Service Monitor if metrics.enabled = false or metrics.prometheusExport = false
+ set:
+ metrics.enabled: false
+ metrics.prometheusExport: false
+ asserts:
+ - hasDocuments:
+ count: 0
+ template: servicemonitor.yaml
+- it: should render Service Account if metrics.enabled = true and metrics.authProxy.enabled = true
+ set:
+ metrics.enabled: true
+ metrics.prometheusExport: true
+ asserts:
+ - hasDocuments:
+ count: 1
+ template: servicemonitor.yaml
diff --git a/charts/rancher-external-ip-webhook/values.yaml b/charts/rancher-external-ip-webhook/values.yaml
new file mode 100644
index 000000000..dc17e9796
--- /dev/null
+++ b/charts/rancher-external-ip-webhook/values.yaml
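Review bot: The second test's title, `should render Service Account if metrics.enabled = true and metrics.authProxy.enabled = true`, describes neither the template nor the values it sets: the suite renders servicemonitor.yaml and the `set` block enables `metrics.prometheusExport`, not the auth proxy. Retitle it `should render Service Monitor if metrics.enabled = true and metrics.prometheusExport = true`. The first test says `or` while disabling both values, so the single-flag cases are not covered. Neither test looks at `spec.endpoints`, so the endpoint `port` name the ServiceMonitor depends on is unchecked; asserting `spec.endpoints[0].port` against the metrics Service's port name would catch a mismatch between the two templates.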
@@ -0,0 +1,67 @@
+## Allowed external IP cidrs
+allowedExternalIPCidrs: ""
+## Certificates generation for webhook
+certificates:
+ certManager:
+ # Enable cert manager integration. Cert manager should be already installed at the k8s cluster
+ enabled: true
+ version: ""
+ # If cert-manager integration is disabled, add self signed ca.crt in base64 format
+ caBundle: ""
+ # If cert-manager integration is disabled, upload certs data (ca.crt, tls.crt and tls.key) as k8s secretName in the namespace
+ secretName: webhook-server-cert
+## Details about the image to be pulled.
+image:
+ pullPolicy: IfNotPresent
+ pullSecrets: []
+ repository: rancher/externalip-webhook
+ tag: v0.1.4
+## Enabling metrics endpoint
+# Webhook emits `webhook_failed_request_count` metrics whenever it rejects service creation or update operation
+metrics:
+ enabled: false
+ port: 8443
+ # Enable webhook metrics export to Prometheus
+ prometheusExport: false
+ # Webhook metrics auth proxy. This option is just available for amd64 arch
+ authProxy:
+ enabled: false
+ port: 8080
+ image:
+ pullPolicy: IfNotPresent
+ pullSecrets: []
+ repository: rancher/kube-rbac-proxy
+ tag: v0.5.0
+ resources:
+ limits:
+ memory: 30Mi
+ cpu: 100m
+ requests:
+ memory: 20Mi
+ cpu: 100m
+## Node labels for pod assignment
+## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+##
+nodeSelector: {}
+## RBAC
+rbac:
+ apiVersion: v1
+## CPU and Memory limit and request for externalip-webhook
+resources:
+ limits:
+ memory: 30Mi
+ cpu: 100m
+ requests:
+ memory: 20Mi
+ cpu: 100m
+service:
+ metricsPort: 8443
+ webhookPort: 443
+## Webhook serviceAccountName. Just used if metrics.authProxy.enabled = false
+serviceAccountName: default
+## List of node taints to tolerate (requires Kubernetes >= 1.6)
+tolerations: []
+## Webhook server pod port
+webhookPort: 9443
+global:
+ systemDefaultRegistry: ""
diff --git a/index.yaml b/index.yaml
index 47e137aec..ab9ca6418 100644
--- a/index.yaml
+++ b/index.yaml
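Review bot: `serviceAccountName: default` makes the webhook run as the namespace's `default` ServiceAccount even though the chart unconditionally creates a dedicated one in serviceaccount.yaml; the `default` account's token is shared with every other pod in the namespace that does not set one, which is the wrong identity for a security-critical admission webhook. Unless the deployment template (outside this chunk) already ignores this value, a better default is the chart's own account, e.g. `## Webhook serviceAccountName; leave empty to use the ServiceAccount created by this chart` above `serviceAccountName: ""`. `certificates.certManager.version` has no comment; add `# cert-manager version (MAJOR.MINOR.PATCH), used to pick the Issuer apiVersion when the cert-manager API cannot be discovered via cluster capabilities`. `global.systemDefaultRegistry` is equally undocumented.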
@@ -352,6 +352,34 @@ entries:
 urls:
 - assets/rancher-cis-benchmark/rancher-cis-benchmark-crd-1.0.100.tgz
 version: 1.0.100
+ rancher-external-ip-webhook:
+ - annotations:
+ catalog.cattle.io/certified: rancher
+ catalog.cattle.io/display-name: External IP Webhook
+ catalog.cattle.io/namespace: cattle-externalip-system
+ catalog.cattle.io/release-name: rancher-external-ip-webhook
+ catalog.cattle.io/ui-component: rancher-external-ip-webhook
+ apiVersion: v1
+ appVersion: v0.1.4
+ created: "2020-12-09T01:07:43.561742972Z"
+ description: |
+ Deploy the external-ip-webhook to mitigate k8s CVE-2020-8554
+ digest: 533a8d7721001eb5efe4efe23d398f619f3b51634fcd1848fc52d0eb11d01016
+ home: https://github.com/rancher/externalip-webhook
+ keywords:
+ - cve
+ - externalip
+ - webhook
+ - security
+ maintainers:
+ - email: raul@rancher.com
+ name: rawmind0
+ name: rancher-external-ip-webhook
+ sources:
+ - https://github.com/rancher/externalip-webhook
+ urls:
+ - assets/rancher-external-ip-webhook/rancher-external-ip-webhook-0.1.400.tgz
+ version: 0.1.400
 rancher-gatekeeper:
 - annotations:
 catalog.cattle.io/auto-install: rancher-gatekeeper-crd=match
@@ -1098,4 +1126,4 @@ entries:
 urls:
 - assets/rio/rio-0.8.000.tgz
 version: 0.8.000
-generated: "2020-11-10T00:02:09.783616681Z"
+generated: "2020-12-09T01:07:43.560407349Z"
diff --git a/sha256sum/rancher-external-ip-webhook/rancher-external-ip-webhook.sum b/sha256sum/rancher-external-ip-webhook/rancher-external-ip-webhook.sum
new file mode 100644
index 000000000..54638266c
--- /dev/null
+++ b/sha256sum/rancher-external-ip-webhook/rancher-external-ip-webhook.sum
@@ -0,0 +1,2 @@
+9f7d1eaa86b2b929e679dac7bb94e1632e959e6bc3f1137010474a24a38844b2 packages/rancher-external-ip-webhook/package.yaml
+98bb6cea7a63466baaf420932e03dec62c4a0460b50303ec46f1836b5c7b00d2 packages/rancher-external-ip-webhook/rancher-external-ip-webhook.patch