[dev-v2.9] Forward ports rancher-webhook 103.0.4+up0.4.5 (#3922)

Lucas Machado 2024-05-14 17:40:16 -03:00 committed by GitHub
parent 7e541a6daf
commit 8c0659c247
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
15 changed files with 330 additions and 0 deletions


@ -0,0 +1,14 @@
annotations:
catalog.cattle.io/certified: rancher
catalog.cattle.io/hidden: "true"
catalog.cattle.io/kube-version: '>= 1.23.0-0 < 1.29.0-0'
catalog.cattle.io/namespace: cattle-system
catalog.cattle.io/os: linux
catalog.cattle.io/permits-os: linux,windows
catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0'
catalog.cattle.io/release-name: rancher-webhook
apiVersion: v2
appVersion: 0.4.5
description: ValidatingAdmissionWebhook for Rancher types
name: rancher-webhook
version: 103.0.4+up0.4.5


@ -0,0 +1,22 @@
{{- define "system_default_registry" -}}
{{- if .Values.global.cattle.systemDefaultRegistry -}}
{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
{{- else -}}
{{- "" -}}
{{- end -}}
{{- end -}}
{{- define "rancher-webhook.labels" -}}
app: rancher-webhook
{{- end }}
{{- define "linux-node-tolerations" -}}
- key: "cattle.io/os"
value: "linux"
effect: "NoSchedule"
operator: "Equal"
{{- end -}}
{{- define "linux-node-selector" -}}
kubernetes.io/os: linux
{{- end -}}


@ -0,0 +1,82 @@
{{- $auth := .Values.auth | default dict }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: rancher-webhook
spec:
selector:
matchLabels:
app: rancher-webhook
template:
metadata:
labels:
app: rancher-webhook
spec:
{{- if $auth.clientCA }}
volumes:
- name: client-ca
secret:
secretName: client-ca
{{- end }}
{{- if .Values.global.hostNetwork }}
hostNetwork: true
{{- end }}
nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
{{- if .Values.nodeSelector }}
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end }}
tolerations: {{ include "linux-node-tolerations" . | nindent 6 }}
{{- if .Values.tolerations }}
{{ toYaml .Values.tolerations | indent 6 }}
{{- end }}
containers:
- env:
- name: STAMP
value: "{{.Values.stamp}}"
- name: ENABLE_MCM
value: "{{.Values.mcm.enabled}}"
- name: CATTLE_PORT
value: {{.Values.port | default 9443 | quote}}
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{{- if $auth.allowedCNs }}
- name: ALLOWED_CNS
value: '{{ join "," $auth.allowedCNs }}'
{{- end }}
image: '{{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}'
name: rancher-webhook
imagePullPolicy: "{{ .Values.image.imagePullPolicy }}"
ports:
- name: https
containerPort: {{ .Values.port | default 9443 }}
startupProbe:
httpGet:
path: "/healthz"
port: "https"
scheme: "HTTPS"
failureThreshold: 60
periodSeconds: 5
livenessProbe:
httpGet:
path: "/healthz"
port: "https"
scheme: "HTTPS"
periodSeconds: 5
{{- if $auth.clientCA }}
volumeMounts:
- name: client-ca
mountPath: /tmp/k8s-webhook-server/client-ca
readOnly: true
{{- end }}
{{- if .Values.capNetBindService }}
securityContext:
capabilities:
add:
- NET_BIND_SERVICE
{{- end }}
serviceAccountName: rancher-webhook
{{- if .Values.priorityClassName }}
priorityClassName: "{{.Values.priorityClassName}}"
{{- end }}
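Review bot: The container spec at L86-L132 sets no securityContext beyond the optional NET_BIND_SERVICE add at L127-L132 and no `resources` block, so the pod runs with default privilege-escalation and capability settings and is unbounded in CPU and memory. The rewrite below folds the conditional capability add into a baseline securityContext; whether `runAsNonRoot` or `readOnlyRootFilesystem` can also be set depends on the image, which this page does not show, so check the image before adding them. Dropping all capabilities assumes the binary needs nothing beyond the optional NET_BIND_SERVICE, which should be confirmed against the webhook's startup path. The unit test at L257-L260 asserts `securityContext` is null by default and would have to be updated together with this change.
```yaml
        # … unchanged: env, image, name, imagePullPolicy, ports, probes, volumeMounts …
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
            {{- if .Values.capNetBindService }}
            add:
            - NET_BIND_SERVICE
            {{- end }}
      serviceAccountName: rancher-webhook
```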


@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: rancher-webhook
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: rancher-webhook
namespace: {{.Release.Namespace}}
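Review bot: The rancher-webhook ServiceAccount is bound to the built-in `cluster-admin` ClusterRole at L148, and nothing in the template records why unrestricted cluster privileges are needed rather than a ClusterRole scoped to the resources the webhook reads and validates. With `auth.clientCA` defaulting to empty in values.yaml (L341-L343, whose comment says client connections are then unauthenticated), the privilege level of this pod is worth stating where it is granted. I would add above `roleRef:` a comment such as `# Grants full cluster privileges to the webhook; replace with a scoped ClusterRole once the verbs/resources it needs are enumerated — TODO confirm against the webhook's code` so the decision is visible at the binding.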


@ -0,0 +1,11 @@
{{- $auth := .Values.auth | default dict }}
{{- if $auth.clientCA }}
apiVersion: v1
data:
ca.crt: {{ $auth.clientCA }}
kind: Secret
metadata:
name: client-ca
namespace: cattle-system
type: Opaque
{{- end }}
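Review bot: `ca.crt: {{ $auth.clientCA }}` at L161 renders the value unquoted, so a CA value that YAML would read as a number or boolean gets retyped; `ca.crt: {{ $auth.clientCA | quote }}` keeps it a string, as the chart's env values at L89-L93 already do. Separately, `namespace: cattle-system` is hard-coded at L165 while clusterrolebinding.yaml uses `{{.Release.Namespace}}` (L152) and the Deployment's `secretName: client-ca` volume (L71-L73) resolves in the release namespace, so `namespace: {{ .Release.Namespace }}` would keep the Secret with the pod that mounts it. The same hard-coded namespace appears in service.yaml at L176. The Chart annotation `catalog.cattle.io/namespace: cattle-system` at L18 likely makes this moot in practice, but the templates would then agree with each other.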


@ -0,0 +1,13 @@
kind: Service
apiVersion: v1
metadata:
name: rancher-webhook
namespace: cattle-system
spec:
ports:
- port: 443
targetPort: {{ .Values.port | default 9443 }}
protocol: TCP
name: https
selector:
app: rancher-webhook


@ -0,0 +1,11 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: rancher-webhook
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: rancher-webhook-sudo
annotations:
cattle.io/description: "SA which can be impersonated to bypass rancher-webhook validation"
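Review bot: The `rancher-webhook-sudo` ServiceAccount at L194-L199 is described only as an account that can be impersonated to bypass validation, and the annotation does not spell out the RBAC consequence: any subject granted `impersonate` on this ServiceAccount has webhook validation disabled for its requests. I would add a comment above the second document, e.g. `# Impersonating this ServiceAccount bypasses rancher-webhook validation; audit every RBAC rule that grants impersonate on it`, so the privilege is visible where the account is defined. The binding that grants impersonation is not in this chart, so its scope cannot be checked from this page.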


@ -0,0 +1,9 @@
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: rancher.cattle.io
---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: rancher.cattle.io
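Review bot: Both the ValidatingWebhookConfiguration and the MutatingWebhookConfiguration at L204-L212 are created with a name only and no `webhooks:` list, and nothing in the file says who fills the rules and caBundle in. If, as the empty objects suggest, the running webhook reconciles its own rules into these objects, a comment such as `# webhooks: and caBundle are populated at runtime by rancher-webhook; do not add rules here` would stop a maintainer from treating these as incomplete manifests. I cannot confirm that runtime behaviour from this page, so the wording should be checked against the webhook's code before it is added.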


@ -0,0 +1,16 @@
## local dev testing instructions
Option 1: Full chart CI run with a live cluster
```bash
./scripts/charts/ci
```
Option 2: Test runs against the chart only
```bash
# install the helm plugin first - helm plugin install https://github.com/helm-unittest/helm-unittest.git
bash dev-scripts/helm-unittest.sh
```


@ -0,0 +1,73 @@
suite: Test Deployment
templates:
- deployment.yaml
tests:
- it: should set webhook default port values
asserts:
- equal:
path: spec.template.spec.containers[0].ports[0].containerPort
value: 9443
- contains:
path: spec.template.spec.containers[0].env
content:
name: CATTLE_PORT
value: "9443"
- it: should set updated webhook port
set:
port: 2319
asserts:
- equal:
path: spec.template.spec.containers[0].ports[0].containerPort
value: 2319
- contains:
path: spec.template.spec.containers[0].env
content:
name: CATTLE_PORT
value: "2319"
- it: should not set capabilities by default.
asserts:
- isNull:
path: spec.template.spec.containers[0].securityContext
- it: should set net capabilities when capNetBindService is true.
set:
capNetBindService: true
asserts:
- contains:
path: spec.template.spec.containers[0].securityContext.capabilities.add
content: NET_BIND_SERVICE
- it: should not set volumes or volumeMounts by default
asserts:
- isNull:
path: spec.template.spec.volumes
- isNull:
path: spec.template.spec.volumeMounts
- it: should set CA fields when CA options are set
set:
auth.clientCA: base64-encoded-cert
auth.allowedCNs:
- kube-apiserver
- joe
asserts:
- contains:
path: spec.template.spec.volumes
content:
name: client-ca
secret:
secretName: client-ca
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
name: client-ca
mountPath: /tmp/k8s-webhook-server/client-ca
readOnly: true
- contains:
path: spec.template.spec.containers[0].env
content:
name: ALLOWED_CNS
value: kube-apiserver,joe
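Review bot: The `it:` descriptions mix trailing periods (L257, L261) with none (L235, L245, L268, L274); one form should be used throughout, e.g. `- it: should not set capabilities by default` and `- it: should set net capabilities when capNetBindService is true`. The suite also has no case for the `hostNetwork` (deployment L75-L77) or `priorityClassName` (deployment L134-L136) branches, so those render paths are untested; a case that sets `global.hostNetwork` to true and asserts `spec.template.spec.hostNetwork` equals true would cover the first.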


@ -0,0 +1,18 @@
suite: Test Service
templates:
- service.yaml
tests:
- it: should set webhook default port values
asserts:
- equal:
path: spec.ports[0].targetPort
value: 9443
- it: should set updated target port
set:
port: 2319
asserts:
- equal:
path: spec.ports[0].targetPort
value: 2319


@ -0,0 +1,30 @@
image:
repository: rancher/rancher-webhook
tag: v0.4.5
imagePullPolicy: IfNotPresent
global:
cattle:
systemDefaultRegistry: ""
hostNetwork: false
mcm:
enabled: true
# tolerations for the webhook deployment. See https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ for more info
tolerations: []
nodeSelector: {}
## PriorityClassName assigned to deployment.
priorityClassName: ""
# port assigns which port to use when running rancher-webhook
port: 9443
# Parameters for authenticating the kube-apiserver.
auth:
# CA for authenticating kube-apiserver client certs. If empty, client connections will not be authenticated.
# Must be base64-encoded.
clientCA: ""
# Allowlist of CNs for kube-apiserver client certs. If empty, any cert signed by the CA provided in clientCA will be accepted.
allowedCNs: []
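Review bot: `capNetBindService` (deployment L127) and `stamp` (deployment L89) are read by the deployment template but have no entry in values.yaml, so there is no documented default for users to override. I would declare both with a comment, e.g. `# capNetBindService adds NET_BIND_SERVICE to the container so the webhook can bind a port below 1024` followed by `capNetBindService: false`, and `stamp: ""` if an empty value matches what the template expects. The comment prefix is also inconsistent (`##` at L335, `#` elsewhere), and `mcm.enabled` and `hostNetwork` carry no explanation of what they control.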


@ -20437,6 +20437,24 @@ entries:
urls: urls:
- assets/rancher-webhook/rancher-webhook-104.0.0+up0.5.0-rc8.tgz - assets/rancher-webhook/rancher-webhook-104.0.0+up0.5.0-rc8.tgz
version: 104.0.0+up0.5.0-rc8 version: 104.0.0+up0.5.0-rc8
- annotations:
catalog.cattle.io/certified: rancher
catalog.cattle.io/hidden: "true"
catalog.cattle.io/kube-version: '>= 1.23.0-0 < 1.29.0-0'
catalog.cattle.io/namespace: cattle-system
catalog.cattle.io/os: linux
catalog.cattle.io/permits-os: linux,windows
catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0'
catalog.cattle.io/release-name: rancher-webhook
apiVersion: v2
appVersion: 0.4.5
created: "2024-05-14T14:07:36.391367-03:00"
description: ValidatingAdmissionWebhook for Rancher types
digest: 526ec09466cea540337cd309b2befec58c5221e7815a62d73e63036f1d8f8dd5
name: rancher-webhook
urls:
- assets/rancher-webhook/rancher-webhook-103.0.4+up0.4.5.tgz
version: 103.0.4+up0.4.5
- annotations: - annotations:
catalog.cattle.io/certified: rancher catalog.cattle.io/certified: rancher
catalog.cattle.io/hidden: "true" catalog.cattle.io/hidden: "true"


@ -185,6 +185,7 @@ rancher-webhook:
- 2.0.7+up0.3.7 - 2.0.7+up0.3.7
- 103.0.2+up0.4.3 - 103.0.2+up0.4.3
- 2.0.9+up0.3.9 - 2.0.9+up0.3.9
- 103.0.4+up0.4.5
rancher-windows-gmsa: rancher-windows-gmsa:
- 4.0.0 - 4.0.0
rancher-windows-gmsa-crd: rancher-windows-gmsa-crd: