From adc6add45ffa17d62aedaed65a8f267915318f21 Mon Sep 17 00:00:00 2001 
From: Diogo Souza Date: Tue, 25 Apr 2023 21:57:43 +0000 Subject: [PATCH] make charts --- ...ancher-gatekeeper-crd-102.1.0+up3.12.0.tgz | Bin 0 -> 13219 bytes .../rancher-gatekeeper-102.1.0+up3.12.0.tgz | Bin 0 -> 17262 bytes .../102.1.0+up3.12.0/Chart.yaml | 10 + .../102.1.0+up3.12.0/README.md | 2 + .../assign-customresourcedefinition.yaml | 757 ++++++++++++++++++ .../assignimage-customresourcedefinition.yaml | 237 ++++++ ...signmetadata-customresourcedefinition.yaml | 655 +++++++++++++++ .../config-customresourcedefinition.yaml | 105 +++ ...intpodstatus-customresourcedefinition.yaml | 67 ++ ...ainttemplate-customresourcedefinition.yaml | 357 +++++++++ ...atepodstatus-customresourcedefinition.yaml | 66 ++ ...siontemplate-customresourcedefinition.yaml | 73 ++ .../modifyset-customresourcedefinition.yaml | 676 ++++++++++++++++ ...torpodstatus-customresourcedefinition.yaml | 65 ++ .../provider-customresourcedefinition.yaml | 78 ++ .../102.1.0+up3.12.0/templates/_helpers.tpl | 22 + .../102.1.0+up3.12.0/templates/jobs.yaml | 126 +++ .../102.1.0+up3.12.0/templates/manifest.yaml | 14 + .../102.1.0+up3.12.0/templates/rbac.yaml | 76 ++ .../templates/validate-psp-install.yaml | 7 + .../102.1.0+up3.12.0/values.yaml | 21 + .../102.1.0+up3.12.0/.helmignore | 21 + .../102.1.0+up3.12.0/CHANGELOG.md | 15 + .../102.1.0+up3.12.0/Chart.yaml | 26 + .../102.1.0+up3.12.0/README.md | 210 +++++ .../102.1.0+up3.12.0/app-readme.md | 32 + .../102.1.0+up3.12.0/templates/_helpers.tpl | 113 +++ .../templates/allowedrepos.yaml | 35 + .../gatekeeper-admin-podsecuritypolicy.yaml | 38 + .../gatekeeper-admin-serviceaccount.yaml | 11 + .../gatekeeper-audit-deployment.yaml | 156 ++++ ...ekeeper-controller-manager-deployment.yaml | 169 ++++ ...per-controller-manager-network-policy.yaml | 30 + ...ontroller-manager-poddisruptionbudget.yaml | 24 + ...atekeeper-critical-pods-resourcequota.yaml | 23 + .../gatekeeper-manager-role-clusterrole.yaml | 174 ++++ .../gatekeeper-manager-role-role.yaml | 37 + 
...anager-rolebinding-clusterrolebinding.yaml | 20 + ...eeper-manager-rolebinding-rolebinding.yaml | 21 + ...guration-mutatingwebhookconfiguration.yaml | 60 ++ ...ration-validatingwebhookconfiguration.yaml | 109 +++ ...gatekeeper-webhook-server-cert-secret.yaml | 14 + .../gatekeeper-webhook-service-service.yaml | 38 + .../templates/namespace-post-install.yaml | 165 ++++ .../templates/namespace-post-upgrade.yaml | 153 ++++ .../templates/probe-webhook-post-install.yaml | 46 ++ .../templates/requiredlabels.yaml | 57 ++ .../templates/upgrade-crds-hook.yaml | 116 +++ .../templates/validate-install-crd.yaml | 24 + .../templates/validate-psp-install.yaml | 7 + .../templates/webhook-configs-pre-delete.yaml | 135 ++++ .../102.1.0+up3.12.0/values.yaml | 271 +++++++ index.yaml | 44 + release.yaml | 4 +- 54 files changed, 5810 insertions(+), 2 deletions(-) create mode 100644 assets/rancher-gatekeeper-crd/rancher-gatekeeper-crd-102.1.0+up3.12.0.tgz create mode 100644 assets/rancher-gatekeeper/rancher-gatekeeper-102.1.0+up3.12.0.tgz create mode 100644 charts/rancher-gatekeeper-crd/102.1.0+up3.12.0/Chart.yaml create mode 100644 charts/rancher-gatekeeper-crd/102.1.0+up3.12.0/README.md create mode 100644 charts/rancher-gatekeeper-crd/102.1.0+up3.12.0/crd-manifest/assign-customresourcedefinition.yaml create mode 100644 charts/rancher-gatekeeper-crd/102.1.0+up3.12.0/crd-manifest/assignimage-customresourcedefinition.yaml create mode 100644 charts/rancher-gatekeeper-crd/102.1.0+up3.12.0/crd-manifest/assignmetadata-customresourcedefinition.yaml create mode 100644 charts/rancher-gatekeeper-crd/102.1.0+up3.12.0/crd-manifest/config-customresourcedefinition.yaml create mode 100644 charts/rancher-gatekeeper-crd/102.1.0+up3.12.0/crd-manifest/constraintpodstatus-customresourcedefinition.yaml create mode 100644 charts/rancher-gatekeeper-crd/102.1.0+up3.12.0/crd-manifest/constrainttemplate-customresourcedefinition.yaml create mode 100644 
charts/rancher-gatekeeper-crd/102.1.0+up3.12.0/crd-manifest/constrainttemplatepodstatus-customresourcedefinition.yaml create mode 100644 charts/rancher-gatekeeper-crd/102.1.0+up3.12.0/crd-manifest/expansiontemplate-customresourcedefinition.yaml create mode 100644 charts/rancher-gatekeeper-crd/102.1.0+up3.12.0/crd-manifest/modifyset-customresourcedefinition.yaml create mode 100644 charts/rancher-gatekeeper-crd/102.1.0+up3.12.0/crd-manifest/mutatorpodstatus-customresourcedefinition.yaml create mode 100644 charts/rancher-gatekeeper-crd/102.1.0+up3.12.0/crd-manifest/provider-customresourcedefinition.yaml create mode 100644 charts/rancher-gatekeeper-crd/102.1.0+up3.12.0/templates/_helpers.tpl create mode 100644 charts/rancher-gatekeeper-crd/102.1.0+up3.12.0/templates/jobs.yaml create mode 100644 charts/rancher-gatekeeper-crd/102.1.0+up3.12.0/templates/manifest.yaml create mode 100644 charts/rancher-gatekeeper-crd/102.1.0+up3.12.0/templates/rbac.yaml create mode 100644 charts/rancher-gatekeeper-crd/102.1.0+up3.12.0/templates/validate-psp-install.yaml create mode 100644 charts/rancher-gatekeeper-crd/102.1.0+up3.12.0/values.yaml create mode 100644 charts/rancher-gatekeeper/102.1.0+up3.12.0/.helmignore create mode 100644 charts/rancher-gatekeeper/102.1.0+up3.12.0/CHANGELOG.md create mode 100644 charts/rancher-gatekeeper/102.1.0+up3.12.0/Chart.yaml create mode 100644 charts/rancher-gatekeeper/102.1.0+up3.12.0/README.md create mode 100644 charts/rancher-gatekeeper/102.1.0+up3.12.0/app-readme.md create mode 100644 charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/_helpers.tpl create mode 100644 charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/allowedrepos.yaml create mode 100644 charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/gatekeeper-admin-podsecuritypolicy.yaml create mode 100644 charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/gatekeeper-admin-serviceaccount.yaml create mode 100644 
charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/gatekeeper-audit-deployment.yaml create mode 100644 charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/gatekeeper-controller-manager-deployment.yaml create mode 100644 charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/gatekeeper-controller-manager-network-policy.yaml create mode 100644 charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/gatekeeper-controller-manager-poddisruptionbudget.yaml create mode 100644 charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/gatekeeper-critical-pods-resourcequota.yaml create mode 100644 charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/gatekeeper-manager-role-clusterrole.yaml create mode 100644 charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/gatekeeper-manager-role-role.yaml create mode 100644 charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml create mode 100644 charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/gatekeeper-manager-rolebinding-rolebinding.yaml create mode 100644 charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml create mode 100644 charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml create mode 100644 charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/gatekeeper-webhook-server-cert-secret.yaml create mode 100644 charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/gatekeeper-webhook-service-service.yaml create mode 100644 charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/namespace-post-install.yaml create mode 100644 charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/namespace-post-upgrade.yaml create mode 100644 charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/probe-webhook-post-install.yaml create mode 100644 charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/requiredlabels.yaml create mode 100644 
charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/upgrade-crds-hook.yaml create mode 100644 charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/validate-install-crd.yaml create mode 100644 charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/validate-psp-install.yaml create mode 100644 charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/webhook-configs-pre-delete.yaml create mode 100644 charts/rancher-gatekeeper/102.1.0+up3.12.0/values.yaml 
diff --git a/assets/rancher-gatekeeper-crd/rancher-gatekeeper-crd-102.1.0+up3.12.0.tgz b/assets/rancher-gatekeeper-crd/rancher-gatekeeper-crd-102.1.0+up3.12.0.tgz new file mode 100644 index 0000000000000000000000000000000000000000..aee320be88a4e18662ce8c0c114d5ff76bb03857 GIT binary patch literal 13219 zcmch8V{~O*vu-Ep*tXTNZ9D1MwrzFC?0CoM*tTuk=olTN!+nx|-|vib?zs2w-DB)E z=UP=y&8mf(d)BiyVI&mVr;iVi>JyEjq!OdCq#V1fCl{L$iyEVeGMlBAG8emoni{*D zx{Z~gor$N4qCKCasg3QYvyNwHT#j0X^XxnIoRn99k?#QVU3I&JYSXAPPNUkJqjaji5lV?_(Xz?OS%1d`voQgMmJ|3^Pz01A5BMTQNFAt{|6PG_{ zdyhAiCN7A!?uD|J)Y(yucGeBf`ck=4B&-WMWG6PEv9VS-k(x+K6~-72j!4WUkBN0h zQOzw%>9&)3VdUl}Ii`aU4Voye2Gj+_Jf!!Ap0gzdvo?y_^0g_710jVz^8KSh8$YRl z;Zg%)PU3b5?j(i6Bg*i=F4@FF$MUc&mg`@?gGrQ$t*K$$w9==?5;Kw03YieU8}o2< z4)o0^I$%Y;0crUV5MlymCXErTFXpS?>@6~wTopibtY5PU2r4RpheM<~K*YFCVoV$9 zIt^5wJ$RWu*$9I}+-tu{^qq*W*ZPN5`tU`<^u>#`B+3LV2|EG7Oi5AeUq_C~%pxp= zD5COJs4$STEQA0g38HmkILZ?$)pab913`oGZ$~Mq`av3T+r!>tW;&KFyrh93?Q*JC zb;!Lab4o7ag{*2e=AjHna3`^}=n>Y25iR`qI_9VtCmx|la^~V{pC$6PEzF11uGwW+ z^%<9rcrZeY;`F2pTiwN@Y}Qs3X~)Ty#xO}{&hpsdXE-sM)Z@1X z@nw#KhIE_@X*c4~Dj`Lj-cA-s!=pm(vSTKDx(;aNQ&qmpUr@tvF9LUtR*GBSV#M?2 z{yiJ^8_qpxeA&Lv-7$Zj4Iy z!n5LgfJF!p?xo+zXI3vVxBLZ`*B%wJM1QHpF-|6$#jjs;Qm{sZoqnE4q{P|N9#1$U zl@jfrfBP}QY*^Fm8q*M#T8|SKr`sf~HxwWq5kwLxrUpJ21+2eumHa z#LKd?Ki!T8pl)i%i?=ol()xK0W%?OUa+gJYk=J033ib{gyB+yL=lP&UQqEU6E3RkE z-<*}8+^G-%H(-QeMN9`TPBt2ZtqJ!#d*xik%InNC;`kMmUzP_hk@t`nc#D*xoJ3J12__0KzYzpd=C-KD4!=* zIP$!-7P!f7mX=MeHu&ovg8iWRyk`cRv6UFCygCSzP`oOdSj-qT77_)ttkF+w z2GC!ed-LV(QdG{Zt^J{|DthfH>^+7j`@Wil`^`16LB)@miMaOx~cdMeoFSJbk(#i?)RTbIz7 z9}!iGXE#ZijkI`?#y1ID6uqeH`F@qfS@UOgni7e_A`cvyjYZs$t-0xiQcvn4?N6f) zA@^%+IMM@oyd9ARTN3+%i^h)dczbN~yP>cyx5zV6T@z2g=T?9;d5%L^U#d_eSLRW; zMq`?cn}!c3J`h?#8bjqOpwP0toEKZZj64+qQ8-Ta@r)=jF16ifH1UoJ;ItXWsa?Hf zwpr%1W-5+RK!Y9CA(2Oz;L*aY!A>Wesjf0LHQJxZ%r*&@pmw0&)S$7?J+IeDt{zs` zSzzUB{afA4_R7Qbpvon$J{BP+;#YjCufns`rSUcXz9R+S+!^B@>GY`g*zgi7oqMSi z??FLm-_9hT4Zj*d;P!x2bLKMeoW4NK(fu*5A}r^-dxs>p>S&_%qx& 
zOHAifeTk^N(wmfOZbUH!r+U{*%hM6}4Cyj3^DTQczg-(Q^AI?-^a7Ni^muz9vfN)^ zr`}?CIs07@kWArENWQM#L~%7aOvvN+`bIaN|9(|5BNF54fMTGR!kAU2`Qy9xffpX* zDwn>r6hUyKt^{Ylg&G2jl5*oISj67|N_<PC8?-(dqU)tZccJpRhfe%=_{sd%6O9F6g6Sq2&Z@3y9J$G9> zvc<7*_YS`+!Zh_)w#$d@#(1V^>y~Zm#MchDWa0|G!o7|0TLG}Fl1Sm@ACrbnhIJ|# zm9=PJL^xl58I=4+a_ZX?&5X--ui&tA&pw+>VfR-m?Q3~7Txi_TUsK>xPU7~3oR48H z**ny=e!h6qB1XuP&_n%Bn?W_aH_Uu|_T!rsr@tV=vdNNYzv&Jf&y*?qve&7a9n$Jr+OxQACNt1f z&BnHj_|UtL$R7lz_d(CiyI)9)UaZSDo?IJ0O!G7=5eA{6*Klmia5?|H#VxcCZm;BT zZ}(F4b#V1m!>1*YZ5>H&aJ%Y_OP8SXS>LD(l&Bx={C^D?F!se#1;ORW;0#{E|Jq`;{iOMHl znSlSP3ly#S%G{xip&8Qw{T8fT^yV&NOrSUsQX>8O{WRps!2IRVV&RR4n~P8M^@4bo z!%jQJ^4fMB<=U3E-xUxql)lPH6gcb0O9XavajeV?I(LvR=Z2Hbg`DPt+x|sN3gS>b z*$!2y2lz7ru9Rn{XO)1}BW;PZfR`fh!C9O&iKXzSxLT4CJbL07KJeRRgVpfkf@!5M z_#R9n1&X6-7=`*pCE5=3jB}-=#XSkLp)xVHQ~?w=%c?Tt7pxsoow5l5jA^kB7(c)( zyIW}h(Is$HBc|dF6AU*>;Oi@aeYZ#uciVmDG;xz2~QYpoc-#OSIWFUxV7f0(8 zSTsy3S8|lTG{KrL&P*pxXy!L+u5CFNV-fW091}_->N~p6Ck&?M*HHF~Yh9WE22=n9 zh4EAr_RFDr+{jHM?imAd)Up)l5sCW*2&V{2S%Ghf$AhcJ)ERYR1mq-204%!WKf3!& z#OQz03sN0u8f?{|0y%&UqBu#E!!kum`LY<2=;_id1y1W~mex&QS9R7~Y!_U^#VR31 zWh)@aHLa#J4K>D%(~v+m(?4Z=k)_T(K=LAt*b9-8BZD2F-RatIpu!ECf=Zz^OP`gc zU~N>qeGZ~P)|@7f8=se{%~uH&X^mSF58fS7$%t!NEaB$iOmY0JF7yQ>l6J?-^Al>C z0yAAcci1v~BqCZidL)^#P7@flMQ0Ga_5li8=3;UDq7e1K4&m2)xl$C z%vx9gIxBBQ#yMW*7mw%bjc1*t2Dqkny4uo!i4ZZ~RAx(O`2r0=I@)lh9#nWBwDBa0 zoC>?9gYDqO7Pj(gl%Swq_cbM|cU99U#!CS8{Yt7$b4f^u=j(Dij_U&Z zYq&tSt|!D>oH}jl@gp`DpPu*HbiKb}Xr9k6y@>fzY_GPItpeKe@~SW@`U$UT6_&aP zo6a2bA)@kw4vh=#2HSMl{-3ssNMl93^}keqALhaW@ZdiGY?*F|&48}M()u>_nJbsk zkXSillsvUM)+_?qt#7aP%Q$9XEJ?|X_?S~~B-)(GemIFrKoBZ1N8L=;$v&$;a1N1L zP_RGDl|rtP05Gu&*pfo5~% zdvrPq(H%7`3 zZ(tnIs7K`CewM_v9G@Is9>30k>U>(ULWUhp&>!lt^QSWHPe(Y!cj;vJJfm&=Y&LpE zBCbN)Owr^_Fd3Q0$ZWhiXX_RgwsrX>uf{eaDBhZaD|o^2?Z5~s-e~YPW8_-~C7De5 zQKTAdw|{DFyvUR%v$nqC@6&MKpy`<}0$~;@JPV3mEo!57lj2`-6qB;umi0keGPsZN zf1_I6;uMhQpo*a|WO{rqDBMm(M&)%(sx2;NA!3`D(}3nwK~ln%RvIaMAw`Zawz2Y) 
zD`r|ZuSxkFC0TX1M;}?<-D&$e~2rFQg~_vi$Ht82M%wzek5YHyn$z3*d4U02Eg2Ud^vlE}ymx8pTVeh@_w(ULff>m0R3@Ci~%)^ke z#i{s7fv>+Ay!~HlIeeaCvX3vDW-bN%UhfZoJ~tc^^1X(Ru)UaG91FZHQe$e1nzwD+ ztZ+Ob?jox7L5ToPt^?|>HCEsS1kxC&$d#*m&bCE}N$bzlybPQZt!8?qsz(8KR|94u zp?B@WMiX-$4H)Xd$fojFjMfBz7Ri)!=$yCe;ph^}g6S2Z;hTP~a90@6dOe~_9hz{_w zuB#ddgav``Riq!wb)09=u-`53N+HSxx=`^T%E_0V%;D9`Y)^(llyKbFcPoot~)Ori2#D8K9g(SDRwx*Vitnk7dlO5C3BV{#Uzq zM-_9kr@R`3XM=`nObzdCy($!CR&BpHGXmr`on$ZCYIx^;-Zi%b|>?BhD zCCaT|jZmGO)iCVH$If(3v8@kgGm6YCQxpSM_W0}tW>O?P(cLz6D4zGCrw^vaVz%uV zcO8jSyhvGjTbdBGnb}V&F$qGbY4n9il5`y1mRO9F>OyFoQn3v8pTO-Dwc{#!FMPu# zLu}$sOl|Rh;0voY&nRVXVQ#LG%48vEq6*ZOQLI7f_fQ7$!U z_eX^Gx6|4RN%O+8R;%Si-s(wWBqUH50SV4|^avd%t?lU|BL_qA+}8L- zc+-V#ONSwKZmZLL=eKgyKO6ZA>s8^aHT+JHqY&Je=?l#A0;Q$oe%04MH&p!^aWu6( z0yAn36GbY~Ba5EJjcEng;L#=tR3H`cMO~2=gj679pg*=u}c>Kv*24TbkJWJ$nAd zvYlg-(ik(IW0S*}aS~IG6=AsPoE}BPVYlOIt}TTK5W=t95Gs^pfy#+U$pXN-8YU6R zjrAEs#o=&exY&5;oc|MZ6;nC=zV*b5QTH+<;A6Yq5>E-YY^lzyBl0`zrz;+zV*Hgk z6ovM?JSiTIgd&ppE;p5YB{xf5#ED=C-rmUychkF;ov;g_OH>d~KW?xvoH5$1w~zhG z)?sFxUd`39ViV-PX|ma3Omh4MTr?o=+gpC4XWoT*WvcjQL-~Awmj;LVX9tDD)uD42 zG-}sJ5__tL({AZxMwqia0Bb!3p$i`S7eeKtjM{}>!cu9}I^AS@J!^h=j+28}pRXbL z11IpJ3-fc#ml>Pi>dp}^11i|9YHyFh`r2ig`Y!ULBjb-{g@Z^9m2k?|O7fJwwPV3# z)8SV%8nt43AonjAaO&$i%z?Tx=efCl3D-QMr=~h|U7a*d)xB&>0(r|KoV$f^Ykmjl zFK5FZTrxp6*-m|Slec*2TRZTD`$>m05z5V}=?{$lURX8CR2Ws(fqA%X*SaNPYjjau zhRJFK(t6EhuS{(XkBvz)Uq>LKAmPNthOZqug%b{2s6ohi4Z7P(bn*jcYGFvtbgObVqFZJb*xRZ?tbkn+3>8e8Eu3bHuR>VJLnNw5)Xr0Tw`-Vqn? 
zB;dqW#5hS#R(&XlTq_Ox{MA1=Sb#3tT5vLfe7X74Lq2hFJ|iY;hZ%pEIQF9nC9LWm zfcu5=3uVa`WJix>*{)PUsy>R7pNJ=%h80h~Nlg1>qN@%{?67AT3(~}Pa4Z?hv?4Co znY3rjp%zs_U8f171#^&hSelQH7ol?dCAqY8dDEs-Ja#A$(+8<`mG97cjIJGl(By%i zn-=GEe7|IQ@%e~iAD}m0@oN(YmZQg!bs_ZxVo$IUhD<_M5MmQMfkjg<{5@3@^6xh^ zU{#5lP@RfxS^aG5R@7idXSQ)0&}LT%3d648z!sEfr^(9u0nH#JQ-vqSW!|{3C6YFA zu-ZapfwlsMWbWKXN`2X4Tb56oqI5oHGGUo;IsNuD`D{80r9eW^TS7ti^{b&QdJw*r z8CKtlhERejbgPUoGLwTKE|nJauZ9A=cFW$dkjMp+I=*lHcitd!fX^-QO(B3z^#({(toob~OCF)Zw7V$AMxzwW&_c&q}>lP|!+eLBmL1s;W;uNFLad8{|bWD{q`$6&V|i&#kDBb;x$R zB1>1XlO-FVm+%9se9xHU%vAoIMS6+%{SXm^S3;DNq!$_aN7!XjP?&>g5Ge`XuHW04 zqd*wcUr`e=B=XLC9|}qM8xm-}YA7;j5K<0;6ViJ_^j95urx+oZds&XYG_V+9b4VkH zJM3gzy%d3j1P^(~gZW>p?WP9E$eWUAAA@ZUv;K>8&qMob{U0YfxyO)@^|E1+caq9K zhW}%xQv>}WXCN015)l^lsLEX<>3w||;s^**ND=>U&z~Cq2C(p-06ri?&DpJR|HdEy z$@RDQ5y89j72HusL_wciV*@`L;tx09#qTpjkDb%URB_2a2>N%PP;y23Ybt^GUw7%i zBEv4lbCEtymw4g7$S&N1f5-X93(b(Q%O{;Ms45e&4-YwZBji5h9#rr8C?vh!=)R1i ze^6!p$eVtO`H2?Z%?jVQ0KbtMvEj#JZR?a)-V1 zxXbqfr33gUPY_bzV)Tm`|22>45qHk{SbW`Aq!1Rs=cSb(Ic5S}>m`-*^iFK>&^&|s zT_Va#2PP^oHi2rGMQm)^ROW+Jcq&@C$?o(v>f*%pD-X|4xS4TmvjkY|t3s+;o zOGr^2Z+$1}>YHa$yRx&*!U;)*yx-@_7C1H`uX|brJDmxT7(#v%Q#w*c@u(6xJCZ|2 z&pj@>I|)i?F&uo#y>dfn&jhnSw8(tRXIl0a66gfw-F;u%*?m2+QW>ig9=IyCLlS$;E3{XTknL)0In(bpTk5jE`i^xp%rt& zK*i9$CG(4*I91k{s*i?=B$1 zG!pUzmI>LoXKW_c)KK-~4iby|d^Fy|Y+gQ-Myrjqde|zJ(Ik58G>;J z`=F(JY@p*RR#9{{U(j!28^n*NtZhW>FRk6KK1f>?a!<2%bS}B#mgJJpZ_z>^@&Q(f%SCYk-qjA+Oo#Jszk6vPVSsd)g$qtS{jDoVAJV;dP;(D(Zk8FovYF zIC+Nl({#cZ@@SM|56Ojf z5NX&M_9Q%yncMmGJ?T`Z>wLuD9#bRuaXPA0@I^mFmnKjjW`yULMtS}kQq+e}{X34R zFPq6<^uK!x6r#RKwRg#7VNX_ee?g`B0^}!S{t`B%%S%C)ALz2wvA?#Y{{k;rC$o72n9<>h}9khfu>DUJ z+c%Yaj^(VEx!VlF)hE@Qqs`7PixPXm?N)xGTa2GgP#w1Fi`+R)ZmF&!cD9|Jc9HzWn%c%@ zsyZ4gVzD5C7AhO5f_bBBmKP77=j_Z{fOiN-0)5D@d>Yh@Z^X(clYLK|gDAxDGsCoP zIJ4XU8NGN5slHPjnp$7El!gjD3KtX(F3MG313G-QF|ze$fx>ARE4w)Yx`fLiGCR(h zQdUHI63nrq_bN1$eIc!Q3=Qt{UdKv&0n?v+k~%rq>)i#Kn1TRAwCd^HefChc1}^6`;nb%AhYdQrl79A6g%%k!^)I=DN4fIaIgi4_S?DhP 
zQm%>iuy8oSQ&#${LogdNV49fN^TJ-)j4Ah@QW~d|8*`EeSC+xBoq>+j`q{^~MUv?& z{%Ledd7o@CU}x=s_yRoqTv`o4@gfT#pX5`(Sy$h-2hH=8f;>7}mlk|?p-lz*wzqom z%;#HdE!yt(9r0%c%!*qUAYMkp%zYbV-IROz+{sv*xeY(-C=4`^_YU^Xy-+&(Vx6XV z^aG!6J7V7ga=!<`d^^2+aB-47BJ z9?WDJikO`^njkhd0V`QN%?$z=-u9_SX=azLU6>}_e)rOZXfmnxT@i0|i#(FnkCtQ9 znRfA*07SEt243F5&>_R7Ew*j`*_#2q8|R$p&&>2wGuo*6^GaOG?$mkMx@^|@Ah%Eh zQST(ca4nELz_d~L8KpGLh?Y2^fGNWRyL zJN|A(=xMB_n*i7F*|ex_r;DQvvi$U|Dq(Knx$B2GWoQ`CFYFe4r>m(0Xl?7{*XZ5d z9y0GsxU4lvP<+Y%5LmJQigE$1ed=?83f9g6hlqH2x$V4;+t^5PVS#7o6SM5*ZshBy zj94|O<$Xn@Zd~ExeZ%6zb;IEBh%tg+w~>77+uUA#y`o|UulpSCX^yO~*Bou0eMuI@ z(yV{p7di%uj&!Ynq4ehq2Wgz78{6a6L>VvuQ9}5KFAoA9KfRo>U6a5X_7~fW(m;Sn z8jfMfH_z~pOoz!|^H9&$;wlvQu7yS(usGP^pM4CS23dWYzCajm`cGeF)k>cj18ZWa z!1K24mi%2;{ELRBvZ{Q5zaMYyw_GQ(aKtD2%1b`%ju-S@mI- z6qwyVwe$G=-uaJFHANqxwJ>nXPdQtRbDc2*qR7LIS%h>9yJ zZ}s9B_0Mn`>QuE?)Z@am39>kwrf^nof{2H(U2~WrmyLlSa#xDx?W=--i^K7=(jq!U zD&;w;QWf|>t zr}zRp)k}WaRe&w6?)lut=^$!c$OCfMEGD8YXsJq3)*xi&Io7I*J(OV;@m&w-`p@Wm z&6w`f4nVw;m{{!u3CMc0T?kauBJI0atjCEb#BqeNPh06Ny!_AXLPk-1vIBH@tHFd9YXuCPKI?`G<z*lITw+jFKcbQ3b6^OH!vH3kpgP!r^~E(i{T0XKoA!_uz+r$eRVlM``R~ zll00YY4}VwLBWJLqy}A9sCSICuVvljTS_=m%$8|`t3r#FBG=u zFZ+c5-|W-O|BHS4v?&qo*|Wg5Lyd?Opz1%i`z4=wbR#|*t3S~yk1#t9_;#P%A>g-y z%l|qw*`HR)?42m&RgxnEup_P`VU*q8nxq!^&s z_)RVP@aM=ew3K}*Xa>iH#<(z@N%sGwoYtmG`9QQ@Jc|9Lz#v!M7 z2GypiAlRB0Ql%aHNX1F`Gnp;nrorc&4Ka&Ag`?^{8Ofvo2 z`exwHT|H_{R)XzcmYBjMwLuJH0vOlxH)-~t02D~gQusaf$c2~G@byWn!-Lxe@1riw zYG&b+%hlkocJ=I2WYOTprPtM>ocT@w+D4fd#|yX=DjpP>Qsg$FA5fz`6V(k5CroP< zHlb|a+FzjfAz27814=lA`x3lQtI3V?&b@XFMa-jpz{6FpM^|(aL2vo2n@N(xk<}{o zw}~6jSEye$lfz7)4hI`tIo+T%cf@5}E2$kCmpK-}aOYyh`2P_2MEr+lT2B3-nL5rF zRt#vLe)sxbP6WYCyjc5QtgN=cy6Z5_$vIns*(gruhOK4ZlqRbj4=lJI+l^FTI|(VX zIQw%LAyZ6I#w*dQ3QqE=pqxKrn00vxa6;>#loPU-l zHVm!m#PzUgBit{UJ#RB(Ykcou?{Ypy7`^?p34h)QZ|mNokPzt+{n|G8>E37~QIqSj zxEZ{eel5bqthKZ(L~aEB6b}>xWZa*DuP#z*n6I`LyQe+jD$`AkUQJ1LSE0!HejKq)rj zn~6mJUP_`A;a|yVJx{us+@lFKyrhD*CEG+gVYJe9Au?gQBL(Jakcbm3TVj9*Wwhnx 
zUu}A1N9pQpd2B`XG&e_^;>Fr;Y&2DG4|?xDrOWbg&bTd@H%Gk?gym<+~ z*?qF#-~ZtNs-M_24KGxg+G0_47rMa-tn|^t z^$|x)Fq6Pg?u}BKjE_aO-KFRuC=Fn z7#-KrtjqNa;~J;mN_ywd1Y=(~S|!>#s$)qw;5I~RKpJ^yU4tDt=(L|naV1}6-l03p z?2znx3WfJHWKXBs@k9p^(kf2@uiCTfYBPMeBU~+fv?@E3ELkP#erVV&vT!7&Dz9wKI(*}{vywyI;NWM|oC>$$phuviSY zuAmmL9*B_XF|||@**?XARYyNKImeV_bQM9vSGhI7^IUURP{iiCbw^)Ga@jgHp^ZDF zXYZbwr$ zrdt6eCV+#S+`rUGU!Pv-hF@yBoIV-*w%*q{lRCr+ThDzYP&DM6uulUF4_YLm2qaF` z6vR$Qae-lYqI*Onkh;A$J5`51SpOW@X5SGfjNd-@2fM>Ypt0Nq` z#0LPGE9|3wys?-2L4^25fq&GM{R&S05mAc#YgZcrn6S1OXUjo9-YC0~ET(|$!HcC8i=6D491wUH6%s(5SFpHmy zmy3%VCo_W}3r_$WpHBcklb<**)IhM1HAz8SyQyKdrHU*GsVt~4!*`zc`z{rnPq< zA8!7o+lt-Xq}pT@>pKEsJu_D-%vns1lGl(3Dsjql)ck>?1VN+Y+Nr7-s@}l++kRI1 zUDs}EIOg$#u6vq2gQ%D2mFCOD{kX7%eT^?v)m&PZ2FjE2wQ!~y4lC|& z1lrMEfDAT@?Idf%f!mvyCE3o5Tyz-*x|3t`o%fdz*ly^VTjOU)M+2q>_DCKTs8O@V zSD!o`oF#W%g3&wg@n*hafIa`1`Zo{hiUJuZ;10xYz1 zZ9SK)n-}f2Mw0;?(&e8ota(Fjvo%o$*h0RtCH`7BtE)2eExDXG|O|RtxVFw3na6gDNxHr zeF9U~q%|-3!j_()Ux(P56o&;s5m^tE0{OI5fX%Ov-3LIoOyDDc zVQyr3R8em|NM&qo0POvHbK5x5FpAH=KYa?k%5EjjW6JV18U3E@DUais@jG$iV|(T~ zZ>3TZOhOXYB)|ng*`7G(v!B9^1TUf}o4!Wat%*h4yMacdyV1=c@h6CRV<^x$LNQ`% zdlSe+?+QlYPwk|Bzu({4+EV}a`~Bj-8~v@FpVqgwHsl}cTbn=i*SFqmy!i?ATk5|y zC0s!EQ~%a|6({#Z5+sBQC@>{_&;h`Q0)}+l^PvzS>S4MD6G1&pxPW0e0OjT4`7C%B zLE%p-tNVxvJi;hQ>sA&EFpooc)PjbczGSz44R{fKSN?k9*lLdVJE;AJ?YqFpMW~y|NjLjvOF1dT$IIHhOPogMpzC zL5>W_%ZRP4B(7o!wlLuWF;7q$Ru)UJ=hG;r1Q9U+PMa{sf7!84H##tmv!9#2^^IP? 
z6Cmz091HdFkOp$~aPTQc1RT*2`&VFhjEH#2K@xMp5R9A-fG>#`5ECeXg>eUfSXK1S zAV-0OwqP^_Bg%ju(j))`3Oq#sktt@BM2HC9nNSIqi4ZX#tgVf)m?URCpGIpmM#M7> zLOGH(XMWh1qqeowV0h2KR_!Lvk>G0~9aFyM;(I#ooTIA?$^t&BN%ej@hRbgK}^J7n1-6c_<$oU24JJF>;1}T zv*Wk8LvI4V( z62&E10!$H+k=aMNF={}o{kJzs$oUEW8x6pAzuyVz_yd}vZ~zWI{`yJ&e2)l5X`PUc z?as_rLxja{5MeGcyg!wUQ!Yz(lm86!r4PuIhEo)L%y@EVgmcO;v&R1Kgr>_7M{tbP zRVG^@@)rOM#gt<~*;UFrtwoqI%241*-bk}XiZjZy!2k$2&KOj;X`cnRYF*x*cvTm1 z5{Bs-9et$Yh#@ZdK%I4he1;@cKY!`O3>}#JnPkRUaGZ@rHLYNx|I81RBw=Vi=emz6 z7k|cM1_M&Mn#S6&DqMgY) zH|YzJ5oJDFv^!HR?NQ=rtLuQfNb~@JqY)+w)as|8VRmjPgb*4ahq&cCOs~wcuHDqO zX*Il zyvs4A;#V9ZEdwwFMHNWMF8__uBp!gDfBrf9_K^}|wm`XXsph^MIZF=m*m zwGcwi^$k2M_R?uyCyYAAq zN9HaOcsKV^4h)SDV<>o^FigfL{saX{h{;%AT+QeGOXMeN9HyFFgtA4`+9_gDmL-#7 zMAChe%K|{DbM`M|hSXJ!7xQK7=jh74h4=Vmjaq3zsW<>SPj1nJs%$NDEcc`PG8g+? zuAngu>GPpcn480>*dkBjI7AU50){G!XG7IxO2-$` zgu~E^ndcc9%N0BT-@td%;tSw`5u@p5c%gd1@h>6u&)ts-k~m-k(C?}Ltr@B1U~$^@ z7|E4E+@ilkPL%#jK-J?xpdWW4nWM)S(T`fk$ue;7P`W* zoM?^t273qzs_m$IT9O*#gPl$FCyq{% z(Fk9Hu9r22NTB}KL)=p&3c$3FQ4)q%;6Dirm3--PWt*i1v_8}+2!5Q*l z!V%y!Lg0_|?9)>oVH5@&K!!9&g90EZ5EIP7tFtQwj`tr=WLZqcfXB#R>2(f9z?f0# zM&#iFG2zAxNqxftT;MPSX9y%*j*|nZ25&}N2VGe#4`Dn?0ctZ-pxQDs3p9dy$g`II zp=L06*Br6VI8$KgR(i)8Qo3?F*4)>H2N*L<#0Yf%$-RH_ZlN{Z?;=ZW*5A1$=-^gv z8Y8Hccvbi{i$#}G*X(*6tAgE`Gjaj0|2DD(a4q?W5c&vo|EmkSU%NNhRl9*)^Fe^+ z84p9ryXrA>z53;njv`6`C5YEfBb7Z>uGKUbm^?xM4~)W!{A)lk2@nzBEpUch9(^_n z&6RyMYxFBKd|Bl{G+$>;6)X9<3RJ9hZ`43;sdnp^o5sigXq!=MVW}wx41#n6${i(? z>7ruQ6-UokJF>_b3h9OU?6Ce4k@BV*QW$XH(h4Q|-kptWXBgaEWb_zj++`|Y z{3#J}B0x;J07i&zB}`hCVksA501?5i=B)cv!Dj^UN3xAQ+k}OXHrlkTvFgW@bvst> z4!YmI0n2;UEb1Qk{{7oGXXm8-_gqC#Pqo_1t{UL`_d)Y|0*=A=?_E2(BS&uEypc@W zFZVA{v;-1kG2wx(pRiC#LfM$7A3cvDIZ^xjXPLT%TrYx`p1=`GGn$Ob(Lb5V<=PBT z2(y0Io%|d1=4iIk-b!R~7W`Zlmy_aR`L*I*D~p-z$iOX&H(+fei%CpoG-1u}4? 
zWt|gYOAon17Eyrfe0_$UJkM)6tmaCYx##P53V@q4{=y*3vzXE_iO?ZUh?b3cAd-I{ zK`|K^q^Z$p!l5qFu9U=F)^9@Ibk8@ZZGWlydBSGKrzHXd3))mV;Ov)5@j@>vTs-O@ z`iAtpQ|atT)z7rt<11O-}_nI7>zvb@Y>B#%Cu}(C^!F;e3&e8qpZvJ@7cXbQOoYCZ3 z>t$Ed`2t8@GJ=XLmRFWx3>l1&K#ULdy*@2VV?=h34*uHIRa}K*%p@D?im7!{6DVpX z^#K7HgI9$dEKpRT$kY|MV3>?M00_v&NTf`U{y6}tb!_kaZ2=3ZS;m+Sz;)Vw4E=LB zMkRo!1*X>g{`0qP#K+wMi1_&X7x2v)V#eW`uXb@@c##@*(9Y9hh;>9$ue62SB zYQz=HIsezUwhQmSH@0?mHkRlAeWY6PSj=N{l~Q*emsil}FR%tjndVzx`*WN@;i-9g z_e!ryJ@wMLXzQy*fHweErfIQ=7J691p0jB zWEIohE5!A^d4d=gN{I8)y&RwD3v=3x(G?U*nM=>hlzA#{yOevHuWz?D2D&>)#wg`6 zB6z7);oH{m0uyab0su=wGysPQ7sm6xBKfw`rm)ExupO1k#Y_hEFCv=YgeN= zN5p>^nrp75`n_SPt`&K{eCi~j@%~p&ZUPjC^h(m|MZ`gK-v4iI_O}cBe{*BW|J_e= z_dkqdzLpY!_bIL)hyWN%JueO+K?9&yU}nBoK_pTGbW{3)>4+IZGdf~pm|G`1Pq9|A#3C+;Z2odv9(HI#G&|zn1Am^-L1-9Z{1XL;K+y^#RVPp%I4H(?Q z+Wewu%;45{6mZ$5QX?RKm;^J8D|&82i(>yK_;0!b8m@sRt6+h3&|oFxh0U<=z@`$L zYQQ~Pv>J^t5magH^4!uXJx9c`Lw3Y@j(N9H`M>KG;ByB)(;H2(y?LHul(#gu#a8P*l$6@6aClN|QR8UDXyp0O zpP&+!Qs+9=HT_9K&OMI*F4s)mf>hU3XOJgZ1do#Ns#HDa4XD@zim)*4Am!V`tzPgL zQr*3-=3(O##7hs?(m-Z74=FaAlBsujDwWUU0*Zt?Btsq)go?Dwg72d5-}CjYFBVTX zR5}3CEhH!x0b(roT|XA`U=Xl(gW^1U*;Arodzr5$FQ!bCK-6lOve8OXfvycr^R%o;0f!7>s3rDDHyUf{U=`pND z`h`sT36ZIruQ}eMPw&5e+&$bsIojRZcT_*h`0rQet({IvAA5{OMHOj55RuPRm9%Ay z<>Y$l&YwA=n-6AIf2FP-*TnZeeLUSg__%*uIsE}B; zG}HEVw(~t^R8XIW18}-`v_MC*V4(Xc1GBoH^jYabsFJm=?iN$U_pWaB!W&baW-{tk zwu0+@x4p{ei&?8TG964?t}q}pAgDGYbbBrk{+db7HYi;0J1rE=3hiR6HZF7*RBB?F ztsBSCu(~A?#cO%K$+jk<*wbS%Sc$(eN_Qg_93$eSr% zea$O8nf;dC&nr#QdsPn@N?e26s4i5E^IW-WFymoFA% z-FFu?cy)`-L93(61kO>P+pMnDt=Vjv*c{RT4Zzk$KToilKH9BWSoxRf*>E$xsXLqq z1vrTY;84BwPutCzuIK9NN9UExtb)Kiv=IFXr>6R!Ox))g2CBI-XrBM)jg2=2{m=HB z?dAL5dr416|5ILps?}TS$+}N~fZHx(w5}LP$MJFkY^GBO!UYnHqulEa81f$6la3 zsk=?5?$xVRB=#N1EHz2qi+V{_Qm8&pT{6cfdoxX68CcD=el>OHX#lmC$-=~{PSjkj zOfyrYH;-QTVKHD;O2uWBI_a<0LQ>*6M_O6!n2Q(CSSK+XkyXlx;=tggwk#!MPw2o8 zxp5VvLKN$Zkb4o%oHW;tC+D9tf7B|S9;&IEcjF1VU7+=R`n!foQJFip6-l7$l}>l8 z;L;P%FU5R(4n0e=rX{o|S>DVBZ=xMFn{hFK6rG~YShF;S-kC14u-Y%*VHu@G54cTe 
z)E)M3UG2^ph8L@HcRd>Igl7I|xGHxWm2BlP(oj7+v+kU+EcK=h`YUzyxF)`+-t_L2 zpG_IpTJ>7RQoci_=zLBc6rA5^5wnxMxPr7XXWph(wmEVhi-z`&mQx#=+p1QdwHCKL z;YXp-tyarc@bS%6v=yuFsj6$sQ<<;2ol|EqHEsoUy|GGnp|)LVL{q@#)FD0i{- zbd-py@H-XiTbmYF;#tOTuF^}cg9|JsjaP!1o;@zy1E}olu)t1~=Dt)}FQT$;(>vlV z=zmOu0CSea5*lYoFh(;Bf#%Wwot@1B{eQFbW=a3=B`GiO({(U-2YRlbm)`EtfuZEQ z_dDdEn|l0NJEFn+6!E_(#Am*(|6yDLEz+W@FuU1GzeDEWf+PU12oB^CJpTuA+*&$rYx^w=%+!;w#SCoD`kC(wGpmDLN*^qqLE zhD`c2Mis1bDK@896<|}<*5Z~USI}qWJJ5}}>D^dT=rw#c@~r)+J=N5d{#&M>(Gb}n zlk)E-exT;i|E)JWMfuOxoAvD_{lAY?r2l8o@9AiOMe47zU?L`z;lC9NEL8^8S*2d9`m(yHc^#IP@*Paw8vZJ?p*iD;8J*$)vAah|YVi92 zAX>ytbZOvPW>ZZrDs;O=02h3YV^jcj!ja2cmb%wV^D(Te838sbca_->X_ZGkxU~@` zFvNeCwn4?<=2L@PjpTNO=vL=ljW4jmz_XGK&b)SZ?~I$*jrjkjjK4|qrgEaYzaUh#q%Cvqgzn5yDrW)dK`E-9qet$8>R7N#S<)@j zP3Zp_CIKd6R}5r6-Aw=6FYAA|-z??-_mb{P{_~4o5I>r7pkkYJ<6&Oq%9F-v)ZXM=eNpPQMx()rGOZZKitN&du#(&sZf3xKO?O(cf9uT?r~h>aYda%vB^ml( zaL5d@-c!Us zQn7!jMP_L;`9P;t4imCAK2nj|byXQ|&GdMbzP`|2JN|Kwu2#W6R1?ZXyBfIr1&1cu zIM+03hX3uGYArJaYcg7ABzg=5GqRZvP;)vQk^-G-vO4fA@6X{P^?e zz5P*m)Nh-};e_J=?Tz%mH_$zAGJj9#(nqlXU2VJ71+N4Ja7u9i0>p)SLHai) zV<0977^Sm%_=$WfzbIg$zb7ukxRu5YV6GzZr3L`Z0^^z}L7B zLzL!Nuk)ysBQb|YNm!9(D#>wY<{zc{`phVfnb08r?FIOiGS^%fhzS%R!U9XogT24@ zy^a1x-+Q~gy;W*ludmzQTuPg|e0O<*hppn17CUkGCdfZOP$%4Chp%!R>*=%6QysT* z2;al$nVt?6)VbTe!wYu`4}K>Lc6r(UK~q!xe}$7SPg@PnHw2z@|L?!qD8B#OUf-F;^U*hM+U%PV^{7v>h_L2R!(JO#C`+sA-6#r{$ zdvj_3b1!MeUe-+I4`#zt=BXF+?a*=jW?OHW6Cq;mRd~MEzM8kTHq|cy*%%4!ak@~r za8KvyG-u=(7teoZKAzpNq(gC?Q|qa%x~}-AV*Vk8!7ng`#FwSb0h0Sx*ZA4={3oFTJ=YsSDbQqhg2G7lDQS0i0Ng!TF5q1tJf4W| z0Cc_WZbiO+!)LrTcLzZ87>VyA6rf=B42>v5o>u#tXPZ^0Y~2dE6bx2G533A<*}Rom zm%`k6YLShM zVyQZf=7XtffE7WcfXE9U=0?iY#p-Pv-Vy3?6pr*wL_d4UQaM~)%`}}DA>~mN!@^ar z9$VP+=oGOFh6QqRDnk>^J)SDV5^a>i2h9phbnDPW^}&heh9{Z{r8(2C2~M<842ib@ zdyturfLu_%iXHB$3gvy?z0cj-eWbg0p^a4od9e8AnnMp%XI@TU>DFFu&G|5Hach=h zOXd7=IIXr9Ld(qk)=`&qJM|IR>jSO3Uco$XmfkA&9P+;Jt|=#7!AKXbm(@)9BfU9F zc;Aa}(dJ0{5x_p%KE<(6DG}R(d5Pl%Nat#wKl<;~$&dbNz5i7BMgvWl%y!PPT07B7 
zP-wY%govY~oUj##oomWe*ThBQyqW?+aF@wP(o*#9ZqyO31*jg{?e>Rr-pLxR5CB>p=)?-mpJZ=rb z54j=kQJs*7Z@apM^1XPeXn5qQR{pQ-PtzA;H+};$-~Vq>{=eDZUdI2pm$ab&H&Yyv z0K9VR%zrnsvXF)IZ8QwCSM3k1D!5<$`0_Qz(~;?aMD|H?^S1~szQdT)?xM2%JAD*U zmhs=ogNPs0M03giJwU4E{}}pDf*A@lRbANb!=`!s-`1OA{I~wjGXC5BB$v^e5qEdZ z`l&Ow&eZwdsVQH6Ype!@=&I^-&6st9VMs4faE!+2vQY!tA4uw_ zPXBZr;-0@P$8iRV4H?q`xK8_sp??m?sAB14d=nC14Juw`_+157S-t|^fryX6H)r7T zmXek2nd(jfSz+)lZ6nS3e!G56vo&2i9ZWF|)r$W7tsC)icOa{;f^L8W#3Anvz_+e~ zCmDa$K#@iChwtCNysOH&qy115DyX^qBHR+0zTEmpVw)Eq+%2eEFVJZfQK^ zn$rIc-kCO?37U4ke(9Z~E4LjpQduc&GL4)cI0co&>6IzI0{#X1PG*2cUky}w%rFt7 zSKTX`fGFX@HfDDo_~*2{3O<{bzO0lH9KloC+sT!~nYz?%2-@m&$&qmtJ%C4GdOK)jQ)Ak~0HnFCT z+#m0fD#H4P??h78qsgO?>c=4SCG)O+r(x;l+MSszVeWcr3%M>@+QGb)-JC)HoQ_5x zaD>G`UDoO~K25L;mYSi5(hTJvLVRpU?HAD~DFqK-OmkF;`HF^a>R`&+aH~a_f7Efy zCmLpu83=tA%r@+diA%U^xtfLAm=L)RI zTGhtQeRnU_m^R~89fUEbEZpez5s zvI6?R`~JQ2LXm@ijA%lX3_HNSa56X&HnVG^a+fuZYrCA|G3kO43^`i3It=3pw2d6d zWAUafnKlj$CtKf)4v0HzG&;UleG587S+xRoEmOT7(cr`c%d2Z`wnlfYtj29+V79S_ z14NfGBo$AxQkd=A0?kHQgU3S};L+6y61SM=p=_SA#*@>5bd;`V#{7=7-ino5G7k>+ zV5|Zl3XFJf_vpaJ7IRAC5tu;!2fDI7zY_FB>1{x7#gzO16$Y0pB3R<~ERXM5zf7FY zudCo6=n`|mze5hXT1J%;sSJDQMN`;J7JUBWz;yMnjr7xEF#Ekj~Ny60Y z=1EG;-w%!d+Wl{B=rvozy_g{*FKqGs$NGAIXQ$}@>CKy^|EGIN?t>1>@{c-ZJp@^) zEOuyEuNCK|2Sa}ndv553V?)QP6_ps7L|ZREj4ZpbY?tn&8oUuncXl~@`9kDJ(*rE% z^{MGDzwN7$oA=YAN2r-J1~ha6OqXZV zCyn{`vRK&$!@fJhwYsRFQQFL?c^ z^!rkOVDVhF3a>X!4zq$cnH0j`Dq{T3JU_ymO^7>D#sKQ6>%yeerv6nKh2 z48_Fx4oT2?0SFpvX5dxK&(rl6j1{H+B*ROX1voIW3i_GtB2p|o&C+$)PL=V$#_lv$NuC~vX(V;2L1CS2J-UA zJFk2EBJRBIox$_Y>z;_>&g=iT^8)+@8Kwyb2k-ZJr)PZab$U2Ja7~wE^xsdBELQCQ zz2A2~{1r`5&%gG@G}F^ENqJZiv54Qzx)1hzpc$bZ~w1v?`&=t&;PBBrT+JR(hGMltA)QO zSBu)UzaasRQB1)B8PQH>I2`(vaCv=^93o&c3kHF6>i`oWVm??~qcI}pQsu!hB0?U| zljKZZIi01ZRwj3vGmd+Q!(pfM^#mdCInDd>$~JBzH4W)c$Z=nQ{%#Wxc!`biID9KS;(@QP2Md)6L#iumAdWM->6;7YIU>F3O~D8=F4VBIM}K;O>giGj#tMn7 zms`?ikz@@ytL*Ls|`3&X>vIzE1p9mP!(3t 
z=1Sw6x`Cn$k1>Ivl|-$AiwO=9kRz9!$cY`Py{j>vYr1A5&teg4wI-=Q4Sa^kM%JMX`|6`5>Ko*13Zb@mH1N!Q>#()2;1|3^u3)=Ev?Mq8b0Fz^;gV8QawBegke1@rm- zu=5z-4FaP$nYqbjlfd2LyoL4gkm(u>1xwJdmA2-PvSui$;65NKP$WfZ-ldi!~vNoEtQH+hl&UjjE*SM`FFc)y__O4-``}pkBHP}lS zLqyoi7MNQ5gW+_ux4zNqHvxJha62ZV8Mt#FpMAOp!-LUBDvlW9h=^Men8q--2Gu#3 zryrkvy6@vtn+RpS>*G^douwjKYj;1_>%(y_jH;#+GOUPIt(f zR|NdXF)Rg^#ZQ>xS2T>|f_G8zjM6n2%DHMEPHXbdn}fdr%nQ89kIJ$P-}K&Y_SRci z=?!3BU{IEPOWS@26D25C|M8Lkw9cWnWxsE+{xd zK8+B7Q;0)li1K99H5l$Ry6`ks;{|9*OU1pE-o3z;ZpKhty#h8rz`d=70P z>irjzKt9QOKhXA*9I+{4;N;{3@DUSugncNU@KUZ#*I=mp`?LY~BFxjbW;MN^PEh({ zO)1SeQp6>u0pR`w1&LB8W8$`~u;1kw>c0P+ z)w_hbEC=j6&>sNm*I;;_oFPV#K? zA8Kpe?m&CcTLoR;agfy=fNsEO+#P_=Fbuz}f-XZa_(a01V@k!ZI7HfTr#ny{{$zea zcDZ`6)*XPKfBxBi`bdeaQYiQ*N31&l>-~Nod>^LBG!}WS>b0%i(GydrR;D%?qPakC zU9tVlFwxqP-3SvmQFmK_FV)=@ZPmkksqQxEF4Wz%Fkh;>TT*v7g7#9|eJ4`mxiDX9 zyFY&!7J${hNajz6<9JdxrChqpWA9ExGS2|)cOjCoFux;_%#(-uU5I2X%0-~n9miMEh;a29$>%Ibv{>Mwz$0PIY7O2d0BPvg_*tIR9^O!VSlHzWv;+%DKC56 z@-im?VUuZDZ>-h%m8GSJDmFp?w>Jet^_ALnOh{KtrDP-kkAQ0Do%da4xlZD5q^&n9tXc zr=wVi@qglAZ`A?*3&Yo!sOGDoADE~kq`rSu!k-}j+<~xh>3xn#z*Q`46-q=hL@*2;62n1& zMwsX5GeuOODinoOO4Jj--PFi*p2&g&PB?|AXYFEXf)+Ym>cIdC&;IgIv0Ca0v+Sv z#$IeIXbdKRSGMpJlVsA{JVQ$`{}tjeVW?WuVJ=3wA~leICg~as4@@|Q+qYE(^Ze`K zLf@x_7$ic+UNVA(dNOnS@ji~!mYAm!`kz#s-5CN+4S)TJ*p*?95+){!RhLYm5e}p; zj01O+t$IC@Ui503`8Lt9FBz;jpzM=`s zU7aP(;X>m?4iJ$MWj+P+z7nD1W-#0U)ELjmi1H!w%00tn{Rc#5e-6OatVzuCCC$A$>(U&fH|5?h#p zI199!st-|G<;lw*>(kw=^3x9|zatomiIzIn^lnfPGkWHd6-mRjH+09HC>NAzIi&ph z9zRv3V%so};N=NoQ%uIE6NccN`~Ef1x+vuuD2dLr^24XZHxG?`7=}E@rI?uUNX2vv zkmcmdOm`1>>%geom81VD3=_qO{PyW^_y0LM{gI=bkB6tNtdV!dn5IEjF z1PPby4J3hX6YL%R3B-g^Awm^l|1=@WfI>%}q_Mye{#$#aRcZwoLm!K)o&veohR^d9 zP17=CkSzHS9X&c;s<0(!zl_rHuTbL zP@o}ekRU;gpg+kVZFv}MS_f2}@jSzic5)V&!27S%^j54W6uJ1#`;d0{8q7iFObU}8 z*v$<}GG2y<^0-gqGD{#2Ure-s$o4$5W5pND?!5)f+(&ACCFLpRO;=M&9Ut3@Dh+J8 zs;W}k%POSf_lV&6&#p}GALtkaNI~@bTAAtr>h&hAFM-U0$wm>ZA+A&)qKq0PQrZFKVkunzW){#*sy>l=r7)lQ!)zd@18+1TDW#IzN+IY@rXjNKSMuVU+4e9vmBxVQ( 
zdyb4YbHbua0IrJUigk+JbBR1y-;#>1*Ii;*}$J_-==5uoy@7}{=z;9`P^<1OUzB^&st z`haAZD#vCaePIO1@_?$-c-(FN>VSvC4X`i z{^KZ7Tz9rqpEvZsjkJe1MKvtv(au`gQ0N} z{wrqu_PWwC%Oc$?!pe{zV)B<(GnS@hH<0Dwc@i5ppr;>Bta4IqD(7K7 zBthBSTg!Z&@Gg`0sNP-5aq0pF%ncP_7*mhY5Iyn8U|G8RBb(?$Rv!+9Fd5h2WI~fL z01%jB*4SqD{Z$_1K0{DE%A4uUQk#ePU8W`&#$?P8uk@Z{v-B3zJQ)mvyd&`fwhQax zsiwPd<$f0_wOel-?_-YgS(~swQyp8|`eqIJIvsPq_XYIL&kPT3pIa94&El=ps+gY{ zq>JfpAYUi6&G$Y_fNPw$XD7%rN^J{p4a{qVw)x&m7tRdeIZ^JjN$tyQHOQMvoibUL zhVt{3U%BZ{9^lo=ukyWD%d%2>{)BJVvs2r$EDiIf!G)HxtVb=&GDNG!$}2yuqQ#fq zI?p?`ZSkdHUT1NX@4aMw^aB9BZR;Zq^BY+lsj5o@qb3cdfWE0wk%jfrj%Z#(8K@gR zH?6ZHQY}3Pv!POQ?1&hOL+rzbJf0DHrH(b7x8-R=f*OWBUB6FV!{4?8o|pzTKG@2= z*ZX91aPW+n^=mLpSzyUl`!tGE_PVDWt@QFwkBsDe09Zl+Sj z_G5rsrMAVoF%9-;Ld5Lwkon%-P?421Mgd&V=M<(>o_%cv(33Fd>OpN&^0EMJ;m_x# zZtLqjIO|nBp1@>x3UR1BN9B4yEjp*Jc$#JWJw^!^sS7j!)AryOiE0|5ykH^6R zwhgFw<0K0+;{@F3fzt`*HVi8VFcCC@0{gkB9LB|(YzmS9F#0TmueNH3H5;3ng`5-G zARE(16W%~qQ_=*DSQO-N^t@6&$iYSKU9%^r-4c>IFJ6E>$$H|mM48j>DX+Y|(=q<4 z85-#q1fO%o1O>mNFp|ZY`0{EZM9c?kYcxj0)5dC^a_Q6?V=+n2P=7>dA@9XMWH;R0UllHXevl|t#W&vpO&eZ7$p7#G0%ZGjAM@> z7(}QS1#R@v@AvyVTU+Yie!pM*cV}yT`=|A-t&NTT*3SCY=1=|g?ai&tpFqEj&gZ3s z3&?)z-@32jeqw-#Ncer2(twm7YI@VNw+{sWxvE9GCH>yqZxX znlSKLl8kpRq)P2g47NjGGvZv4PGl}$Zom1Q#B^lWA;!_Pc31vilv<7`2aqhuHOo;mL-)m{B zUe+pKdy(~<7BF3{q{a*;*o0)EFcFCPC>C7#e9wkz{d8%;hi1Q5K@tb@jL!lw!pyN* zK9ohTpSGb3I;6e^m z4lr$MMaN`w?6GrYvnf(Ls;su4EAwf+b+L~M9G*k;(~RT&-S>z4J;lBL8IKtZ3{UD1 z%;|b>WBb24of83>+J2anvRA?9BN}8@SVv~#)>22G5=FSytR8ADrh#XFn8mWT0w!>Z zz!^f4rbTp$f-FvtGmhP(gI=ez%QZzyLa_>7zdl1F388PwZZh z6NP0+*uA#0Y68qarec8Vo0OoE-}Tt@I?MQdlvKVGhPf04@^$Tp#L~>yfR3SdUqfLP_4`5G{)< z_oPckEHG5NxfvVXRj= 1.20.0-0 < 1.26.0-0' + catalog.cattle.io/namespace: cattle-gatekeeper-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/provides-gvr: config.gatekeeper.sh.config/v1alpha1 + catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0' + catalog.cattle.io/release-name: rancher-gatekeeper + catalog.cattle.io/type: 
cluster-tool
+ catalog.cattle.io/ui-component: gatekeeper
+apiVersion: v2
+appVersion: v3.12.0
+description: Modifies Open Policy Agent's upstream gatekeeper chart that provides
+ policy-based control for cloud native environments
+home: https://github.com/open-policy-agent/gatekeeper
+icon: https://charts.rancher.io/assets/logos/gatekeeper.svg
+keywords:
+- open policy agent
+- security
+name: rancher-gatekeeper
+sources:
+- https://github.com/open-policy-agent/gatekeeper.git
+version: 102.1.0+up3.12.0
diff --git a/charts/rancher-gatekeeper/102.1.0+up3.12.0/README.md b/charts/rancher-gatekeeper/102.1.0+up3.12.0/README.md
new file mode 100644
index 000000000..155a81337
--- /dev/null
+++ b/charts/rancher-gatekeeper/102.1.0+up3.12.0/README.md
@@ -0,0 +1,210 @@ +# Gatekeeper Helm Chart + +## Get Repo Info + +```console +helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Install Chart + +```console +# Helm install with gatekeeper-system namespace already created +$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper + +# Helm install and create namespace +$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper --create-namespace + +``` + +_See [parameters](#parameters) below._ + +_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._ + +## Upgrade Chart + +**Upgrading from < v3.4.0** +Chart 3.4.0 deprecates support for Helm 2 and also removes the creation of the `gatekeeper-system` Namespace from within the chart. This follows Helm 3 Best Practices. + +Option 1: +A simple way to upgrade is to uninstall first and re-install with 3.4.0 or greater. + +```console +$ helm uninstall gatekeeper +$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper --create-namespace + +``` + +Option 2: +Run the `helm_migrate.sh` script before installing the 3.4.0 or greater chart. This will remove the Helm secret for the original release, while keeping all of the resources. It then updates the annotations of the resources so that the new chart can import and manage them. 
+ +```console +$ helm_migrate.sh +$ helm install -n gatekeeper-system gatekeeper gatekeeper/gatekeeper +``` + +**Upgrading from >= v3.4.0** +```console +$ helm upgrade -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper +``` + +_See [helm 2 to 3](https://helm.sh/docs/topics/v2_v3_migration/) for Helm 2 migration documentation._ + + +## Exempting Namespace + +The Helm chart automatically sets the Gatekeeper flag `--exempt-namespace={{ .Release.Namespace }}` in order to exempt the namespace where the chart is installed, and adds the `admission.gatekeeper.sh/ignore` label to the namespace during a post-install hook. + +_See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/website/docs/exempt-namespaces) for more information._ + +## Parameters + +| Parameter | Description | Default | +| :-------------------------------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------------------------------------ | +| postInstall.labelNamespace.enabled | Add labels to the namespace during post install hooks | `true` | +| postInstall.labelNamespace.extraNamespaces | The extra namespaces that need to have the label during post install hooks | `[]` | +| postInstall.labelNamespace.extraAnnotations | Extra annotations added to the post install Job | `{}` | +| postInstall.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` | +| postInstall.labelNamespace.image.tag | Image tag | Current release version: `v3.12.0` | +| postInstall.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` | +| postInstall.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` | +| postInstall.labelNamespace.extraRules | Extra rules for the 
gatekeeper-update-namespace-label Role | `[]` | +| postInstall.probeWebhook.enabled | Probe webhook API post install. When enabled along with `postInstall.labelNamespace.enabled`, this probe will run as part of `postInstall.labelNamespace` Job as an initContainer | `true` | +| postInstall.probeWebhook.image.repository | Image with curl to probe the webhook API | `curlimages/curl` | +| postInstall.probeWebhook.image.tag | Image tag | `7.83.1` | +| postInstall.probeWebhook.image.pullPolicy | Image pullPolicy | `IfNotPresent` | +| postInstall.probeWebhook.image.pullSecrets | Image pullSecrets | `[]` | +| postInstall.probeWebhook.waitTimeout | Total time to wait for the webhook API to become available | `60` | +| postInstall.probeWebhook.httpTimeout | HTTP client timeout | `2` | +| postInstall.probeWebhook.insecureHTTPS | Ignore server SSL certificate | `false` | +| postInstall.affinity | The affinity to use for pod scheduling in postInstall hook jobs | `{}` | +| postInstall.tolerations | The tolerations to use for pod scheduling in postInstall hook jobs | `[]` | +| postInstall.nodeSelector | The node selector to use for pod scheduling in postInstall hook jobs | `kubernetes.io/os: linux` | +| postInstall.resources | The resource request/limits for the container image in postInstall hook jobs | `{}` | +| postInstall.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | +| postUpgrade.labelNamespace.enabled | Add labels to the namespace during post upgrade hooks | `false` | +| postUpgrade.labelNamespace.extraNamespaces | The extra namespaces that need to have the label during post upgrade hooks | `[]` | +| postUpgrade.labelNamespace.extraAnnotations | Extra annotations added to the post upgrade Job | `{}` | +| postUpgrade.labelNamespace.image.repository | Image with kubectl to label the namespace | 
`openpolicyagent/gatekeeper-crds` | +| postUpgrade.labelNamespace.image.tag | Image tag | Current release version: `v3.12.0` | +| postUpgrade.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` | +| postUpgrade.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` +| postUpgrade.affinity | The affinity to use for pod scheduling in postUpgrade hook jobs | `{}` | +| postUpgrade.tolerations | The tolerations to use for pod scheduling in postUpgrade hook jobs | `[]` | +| postUpgrade.nodeSelector | The node selector to use for pod scheduling in postUpgrade hook jobs | `kubernetes.io/os: linux` | +| postUpgrade.resources | The resource request/limits for the container image in postUpgrade hook jobs | `{}` | +| postUpgrade.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | +| preInstall.crdRepository.image.repository | Image with kubectl to update the CRDs. If not set, the `image.crdRepository` is used instead. 
| `null` | +| preInstall.crdRepository.image.tag | Image tag | Current release version: `v3.12.0` | +| preUninstall.deleteWebhooks.enabled | Delete webhooks before gatekeeper itself is uninstalled | `false` | +| preUninstall.deleteWebhooks.image.repository | Image with kubectl to delete the webhooks | `openpolicyagent/gatekeeper-crds` | +| preUninstall.deleteWebhooks.image.tag | Image tag | Current release version: `v3.12.0` | +| preUninstall.deleteWebhooks.image.pullPolicy | Image pullPolicy | `IfNotPresent` | +| preUninstall.deleteWebhooks.image.pullSecrets | Image pullSecrets | `[]` | +| preUninstall.deleteWebhooks.extraRules | Extra rules for the gatekeeper-delete-webhook-configs Role | `[]` | +| preUninstall.affinity | The affinity to use for pod scheduling in preUninstall hook jobs | `{}` | +| preUninstall.tolerations | The tolerations to use for pod scheduling in preUninstall hook jobs | `[]` | +| preUninstall.nodeSelector | The node selector to use for pod scheduling in preUninstall hook jobs | `kubernetes.io/os: linux` | +| preUninstall.resources | The resource request/limits for the container image in preUninstall hook jobs | `{}` | +| preUninstall.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | +| psp.enabled | Enabled PodSecurityPolicy | `true` | +| upgradeCRDs.enabled | Upgrade CRDs using pre-install/pre-upgrade hooks | `true` | +| upgradeCRDs.extraRules | Extra rules for the gatekeeper-admin-upgrade-crds ClusterRole | `[]` | +| crds.affinity | The affinity to use for pod scheduling in crds hook jobs | `{}` | +| crds.tolerations | The tolerations to use for pod scheduling in crds hook jobs | `[]` | +| crds.nodeSelector | The node selector to use for pod scheduling in crds hook jobs | `kubernetes.io/os: linux` | +| crds.resources | The resource request/limits for the container 
image in crds hook jobs | `{}` | +| crds.securityContext | Security context applied to the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 65532, "runAsNonRoot": true, "runAsUser": 65532 }` | +| auditInterval | The frequency with which audit is run | `300` | +| constraintViolationsLimit | The maximum # of audit violations reported on a constraint | `20` | +| auditFromCache | Take the roster of resources to audit from the audit cache | `false` | +| auditChunkSize | Chunk size for listing cluster resources for audit (alpha feature) | `500` | +| auditMatchKindOnly | Only check resources of the kinds specified in all constraints defined in the cluster. | `false` | +| disableValidatingWebhook | Disable the validating webhook | `false` | +| disableMutation | Disable mutation | `false` | +| validatingWebhookName | The name of the `ValidatingWebhookConfiguration` | `gatekeeper-validating-webhook-configuration` | +| validatingWebhookTimeoutSeconds | The timeout for the validating webhook in seconds | `3` | +| validatingWebhookFailurePolicy | The failurePolicy for the validating webhook | `Ignore` | +| validatingWebhookAnnotations | The annotations to add to the ValidatingWebhookConfiguration | `{}` | +| validatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. Please note that an exemption label means users can circumvent Gatekeeper's validation webhook unless measures are taken to control how exemption labels can be set. | `{}` | +| validatingWebhookCheckIgnoreFailurePolicy | The failurePolicy for the check-ignore-label validating webhook | `Fail` | +| validatingWebhookExemptNamespacesLabels | Additional namespace labels that will be exempt from the validating webhook. 
Please note that anyone in the cluster capable to manage namespaces will be able to skip all Gatekeeper validation by setting one of these labels for their namespace. | `{}` | +| validatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. Mutually exclusive with `enableDeleteOperations`. NOTE: If you change this, ensure all your constraints are still being enforced. | `{}` | +| enableDeleteOperations | Enable validating webhook for delete operations. Does not work with `validatingWebhookCustomRules` | `false` | +| enableExternalData | Enable external data | `true` | +| enableGeneratorResourceExpansion | Enable generator resource expansion (alpha feature) | `false` | +| enableTLSHealthcheck | Enable probing webhook API with certificate stored in certDir | `false` | +| maxServingThreads | Limit the number of concurrent calls the validation backend made by the validation webhook. -1 limits this value to GOMAXPROCS. Configuring this value may lower max RAM usage and limit CPU throttling, Tuning it can optimize serving capacity. | `-1` | +| metricsBackends | Metrics exporters to use. Valid exporters are: `prometheus`, `stackdriver`, and `opencensus` | `["prometheus"]` | +| mutatingWebhookName | The name of the `MutatingWebhookConfiguration` | `gatekeeper-mutating-webhook-configuration` | +| mutatingWebhookFailurePolicy | The failurePolicy for the mutating webhook | `Ignore` | +| mutatingWebhookReinvocationPolicy | The reinvocationPolicy for the mutating webhook | `Never` | +| mutatingWebhookAnnotations | The annotations to add to the MutatingWebhookConfiguration | `{}` | +| mutatingWebhookExemptNamespacesLabels | Additional namespace labels that will be exempt from the mutating webhook. Please note that anyone in the cluster capable to manage namespaces will be able to skip all Gatekeeper validation by setting one of these labels for their namespace. 
| `{}` | +| mutatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. Please note that an exemption label means users can circumvent Gatekeeper's mutation webhook unless measures are taken to control how exemption labels can be set. | `{}` | +| mutatingWebhookTimeoutSeconds | The timeout for the mutating webhook in seconds | `3` | +| mutatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. NOTE: If you change this, ensure all your constraints are still being enforced. | `{}` | +| emitAdmissionEvents | Emit K8s events in configurable namespace for admission violations (alpha feature) | `false` | +| emitAuditEvents | Emit K8s events in configurable namespace for audit violations (alpha feature) | `false` | +| auditEventsInvolvedNamespace | Emit audit events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Audit events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` | +| admissionEventsInvolvedNamespace | Emit admission events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. 
Admission events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` | +| logDenies | Log detailed info on each deny | `false` | +| logLevel | Minimum log level | `INFO` | +| image.pullPolicy | The image pull policy | `IfNotPresent` | +| image.repository | Image repository | `openpolicyagent/gatekeeper` | +| image.release | The image release tag to use | Current release version: `v3.12.0` | +| image.pullSecrets | Specify an array of imagePullSecrets | `[]` | +| resources | The resource request/limits for the container image | limits: 1 CPU, 512Mi, requests: 100mCPU, 256Mi | +| nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | +| controllerManager.affinity | The node affinity to use for controller manager pod scheduling | `{}` | +| controllerManager.topologySpreadConstraints | The topology spread constraints to use for controller manager pod scheduling | `[]` | +| controllerManager.tolerations | The tolerations to use for controller manager pod scheduling | `[]` | +| controllerManager.healthPort | Health port for controller manager | `9090` | +| controllerManager.port | Webhook-server port for controller manager | `8443` | +| controllerManager.metricsPort | Metrics port for controller manager | `8888` | +| controllerManager.readinessTimeout | Timeout in seconds for the controller manager's readiness probe | `1` | +| controllerManager.livenessTimeout | Timeout in seconds for the controller manager's liveness probe | `1` | +| controllerManager.logLevel | The minimum log level for the controller manager, takes precedence over `logLevel` when specified | `null` +| controllerManager.priorityClassName | Priority class name for controller manager | `system-cluster-critical` | +| controllerManager.podSecurityContext | Security context on pod level for controller manager | {fsGroup: 999, suplementalGroups: [999]} | +| controllerManager.exemptNamespaces | The exact 
namespaces to exempt by the admission webhook | `[]` | +| controllerManager.exemptNamespacePrefixes | The namespace prefixes to exempt by the admission webhook | `[]` | +| controllerManager.hostNetwork | Enables controllerManager to be deployed on hostNetwork | `false` | +| controllerManager.dnsPolicy | Set the dnsPolicy for controllerManager pods | `ClusterFirst` | +| controllerManager.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | +| controllerManager.tlsMinVersion | Set the minimum supported TLS version for validating and mutating webhook servers | `1.3` | +| controllerManager.extraRules | Extra rules for the gatekeeper-manager-role Role | `[]` | +| controllerManager.networkPolicy.enabled | Should a network policy for the controller manager be created | `false` | +| controllerManager.networkPolicy.ingress | Additional ingress rules to be added to the controller manager network policy | `{}` | +| audit.affinity | The node affinity to use for audit pod scheduling | `{}` | +| audit.topologySpreadConstraints | The topology spread constraints to use for audit pod scheduling | `[]` | +| audit.tolerations | The tolerations to use for audit pod scheduling | `[]` | +| audit.priorityClassName | Priority class name for audit controller | `system-cluster-critical` | +| audit.podSecurityContext | Security context for audit on pod level | {fsGroup: 999, suplementalGroups: [999]} | +| audit.hostNetwork | Enables audit to be deployed on hostNetwork | `false` | +| audit.dnsPolicy | Set the dnsPolicy for audit pods | `ClusterFirst` | +| audit.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | +| audit.healthPort | Health port for 
audit | `9090` | +| audit.metricsPort | Metrics port for audit | `8888` | +| audit.readinessTimeout | Timeout in seconds for audit's readiness probe | `1` | +| audit.livenessTimeout | Timeout in seconds for the audit's liveness probe | `1` | +| audit.logLevel | The minimum log level for audit, takes precedence over `logLevel` when specified | `null` +| replicas | The number of Gatekeeper replicas to deploy for the webhook | `3` | +| podAnnotations | The annotations to add to the Gatekeeper pods | `container.seccomp.security.alpha.kubernetes.io/manager: runtime/default` | +| podLabels | The labels to add to the Gatekeeper pods | `{}` | +| podCountLimit | The maximum number of Gatekeeper pods to run | `100` | +| secretAnnotations | The annotations to add to the Gatekeeper secrets | `{}` | +| pdb.controllerManager.minAvailable | The number of controller manager pods that must still be available after an eviction | `1` | +| service.type | Service type | `ClusterIP` | +| service.loadBalancerIP | The IP address of LoadBalancer service | `` | +| service.healthzPort | Service port to gatekeeper Webhook health port | `9090` | +| rbac.create | Enable the creation of RBAC resources | `true` | +| externalCertInjection.enabled | Enable the injection of an external certificate. This disables automatic certificate generation and rotation | `false` | +| externalCertInjection.secretName | Name of secret for injected certificate | `gatekeeper-webhook-server-cert` | + +## Contributing Changes + +Please refer to [Contributing to Helm Chart](https://open-policy-agent.github.io/gatekeeper/website/docs/help#contributing-to-helm-chart) for modifying the Helm chart. diff --git a/charts/rancher-gatekeeper/102.1.0+up3.12.0/app-readme.md b/charts/rancher-gatekeeper/102.1.0+up3.12.0/app-readme.md new file mode 100644 index 000000000..dff688f51 --- /dev/null +++ b/charts/rancher-gatekeeper/102.1.0+up3.12.0/app-readme.md 
@@ -0,0 +1,32 @@ +# Rancher OPA Gatekeeper + +This chart is based off of the upstream [OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper/tree/master/charts/gatekeeper) chart. + +For more information on how to use the feature, refer to our [docs](https://rancher.com/docs/rancher/v2.x/en/opa-gatekeper/). + +The chart installs the following components: + +- OPA Gatekeeper Controller-Manager - OPA Gatekeeper is a policy engine for providing policy based governance for Kubernetes clusters. The controller installs as a [validating admission controller webhook](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#validatingadmissionwebhook) on the cluster and intercepts all admission requests that create, update or delete a resource in the cluster. +- [Audit](https://github.com/open-policy-agent/gatekeeper#audit) - A periodic audit of the cluster resources against the enforced policies. Any existing resource that violates a policy will be recorded as violations. +- [Constraint Template](https://github.com/open-policy-agent/gatekeeper#constraint-templates) - A template is a CRD (`ConstraintTemplate`) that defines the schema and Rego logic of a policy to be applied to the cluster by Gatekeeper's admission controller webhook. This chart installs a few default `ConstraintTemplate` custom resources. +- [Constraint](https://github.com/open-policy-agent/gatekeeper#constraints) - A constraint is a custom resource that defines the scope of resources which a specific constraint template should apply to. The complete policy is defined by a combination of `ConstraintTemplates` (i.e. what the policy is) and `Constraints` (i.e. what resource to apply the policy to). + +For more information on how to configure the Helm chart, refer to the Helm README. 
+ +## Upgrading to Kubernetes v1.25+ + +Starting in Kubernetes v1.25, [Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-policy/) have been removed from the Kubernetes API. + +As a result, **before upgrading to Kubernetes v1.25** (or on a fresh install in a Kubernetes v1.25+ cluster), users are expected to perform an in-place upgrade of this chart with `global.cattle.psp.enabled` set to `false` if it has been previously set to `true`. + +> **Note:** +> In this chart release, any previous field that was associated with any PSP resources have been removed in favor of a single global field: `global.cattle.psp.enabled`. + +> **Note:** +> If you upgrade your cluster to Kubernetes v1.25+ before removing PSPs via a `helm upgrade` (even if you manually clean up resources), **it will leave the Helm release in a broken state within the cluster such that further Helm operations will not work (`helm uninstall`, `helm upgrade`, etc.).** +> +> If your charts get stuck in this state, please consult the Rancher docs on how to clean up your Helm release secrets. + +Upon setting `global.cattle.psp.enabled` to false, the chart will remove any PSP resources deployed on its behalf from the cluster. This is the default setting for this chart. + +As a replacement for PSPs, [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) should be used. Please consult the Rancher docs for more details on how to configure your chart release namespaces to work with the new Pod Security Admission and apply Pod Security Standards. diff --git a/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/_helpers.tpl b/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/_helpers.tpl new file mode 100644 index 000000000..c71a8fb61 --- /dev/null +++ b/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/_helpers.tpl 
@@ -0,0 +1,113 @@
+
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "gatekeeper.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "gatekeeper.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "gatekeeper.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Adds additional pod labels to the common ones
+*/}}
+{{- define "gatekeeper.podLabels" -}}
+{{- if .Values.podLabels }}
+{{- toYaml .Values.podLabels | nindent 8 }}
+{{- end }}
+{{- end -}}
+
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- else -}}
+{{- "" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Windows cluster will add default taint for linux nodes,
+add below linux tolerations to workloads could be scheduled to those linux nodes
+*/}}
+{{- define "linux-node-tolerations" -}}
+- key: "cattle.io/os"
+ value: "linux"
+ effect: "NoSchedule"
+ operator: "Equal"
+{{- end -}}
+
+{{- define "linux-node-selector" -}}
+kubernetes.io/os: linux
+{{- end -}}
+
+{{/*
+Output post install webhook probe container entry
+*/}}
+{{- define "gatekeeper.postInstallWebhookProbeContainer" -}}
+- name: webhook-probe-post
+ image: "{{ template "system_default_registry" . }}{{ .Values.postInstall.probeWebhook.image.repository }}:{{ .Values.postInstall.probeWebhook.image.tag }}"
+ imagePullPolicy: {{ .Values.postInstall.probeWebhook.image.pullPolicy }}
+ command:
+ - "curl"
+ args:
+ - "--retry"
+ - "99999"
+ - "--retry-max-time"
+ - "{{ .Values.postInstall.probeWebhook.waitTimeout }}"
+ - "--retry-delay"
+ - "1"
+ - "--max-time"
+ - "{{ .Values.postInstall.probeWebhook.httpTimeout }}"
+ {{- if .Values.postInstall.probeWebhook.insecureHTTPS }}
+ - "--insecure"
+ {{- else }}
+ - "--cacert"
+ - /certs/ca.crt
+ {{- end }}
+ - "-v"
+ - "https://gatekeeper-webhook-service.{{ .Release.Namespace }}.svc/v1/admitlabel?timeout=2s"
+ resources:
+ {{- toYaml .Values.postInstall.resources | nindent 4 }}
+ securityContext:
+ {{- if .Values.enableRuntimeDefaultSeccompProfile }}
+ seccompProfile:
+ type: RuntimeDefault
+ {{- end }}
+ {{- toYaml .Values.postInstall.securityContext | nindent 4 }}
+ volumeMounts:
+ - mountPath: /certs
+ name: cert
+ readOnly: true
+{{- end -}}
+
+{{/*
+Output post install webhook probe volume entry
+*/}}
+{{- define "gatekeeper.postInstallWebhookProbeVolume" -}}
+- name: cert
+ secret:
+ secretName: {{ .Values.externalCertInjection.secretName }}
+{{- end -}}
diff --git a/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/allowedrepos.yaml b/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/allowedrepos.yaml
new file mode 100644
index 000000000..9abb84ecb
--- /dev/null
+++ b/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/allowedrepos.yaml
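Review bot: `gatekeeper.postInstallWebhookProbeVolume` at the end of the hunk reads `.Values.externalCertInjection.secretName` without consulting `externalCertInjection.enabled`, so with injection disabled the probe's `--cacert /certs/ca.crt` still mounts whatever secret that value names — presumably the chart's own webhook certificate secret, given the README default `gatekeeper-webhook-server-cert` — and nothing in the file says the two must agree; a comment on the define such as `Output post install webhook probe volume entry. secretName is used whether or not externalCertInjection.enabled is set, so its default must name the chart's own webhook server cert secret.` would make that coupling explicit. In `gatekeeper.postInstallWebhookProbeContainer` the `insecureHTTPS` branch replaces the CA check with `--insecure`, after which the probe only confirms that the service answers, not that it presents the expected certificate; `{{/* insecureHTTPS disables verification of the webhook certificate; leave false unless the CA secret is unavailable */}}` above that `if` would record the trade-off. `system_default_registry` is the only define in the file without a leading `{{/* */}}` comment; `{{/* Image prefix: the Rancher system default registry followed by "/", or empty when unset. */}}` would match the rest of the file.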
@@ -0,0 +1,35 @@
+apiVersion: templates.gatekeeper.sh/v1beta1
+kind: ConstraintTemplate
+metadata:
+ name: k8sallowedrepos
+spec:
+ crd:
+ spec:
+ names:
+ kind: K8sAllowedRepos
+ validation:
+ # Schema for the `parameters` field
+ openAPIV3Schema:
+ properties:
+ repos:
+ type: array
+ items:
+ type: string
+ targets:
+ - target: admission.k8s.gatekeeper.sh
+ rego: |
+ package k8sallowedrepos
+
+ violation[{"msg": msg}] {
+ container := input.review.object.spec.containers[_]
+ satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
+ not any(satisfied)
+ msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
+ }
+
+ violation[{"msg": msg}] {
+ container := input.review.object.spec.initContainers[_]
+ satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
+ not any(satisfied)
+ msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
+ }
diff --git a/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/gatekeeper-admin-podsecuritypolicy.yaml b/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/gatekeeper-admin-podsecuritypolicy.yaml
new file mode 100644
index 000000000..2c179e570
--- /dev/null
+++ b/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/gatekeeper-admin-podsecuritypolicy.yaml
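Review bot: The Rego iterates only `spec.containers` and `spec.initContainers`, so an image set in `spec.ephemeralContainers` is never compared against `parameters.repos` and the allowed-repository policy does not apply to ephemeral containers added to a running pod; a third `violation` rule over `ephemeralContainers[_]`, identical in shape to the other two, closes that gap (below). Matching is `startswith`, so an entry such as `registry.example/team` also admits `registry.example/team-other/...`; the `# Schema for the parameters field` comment should state that entries are prefixes and are normally written with a trailing `/` or as the full `registry/repository` path. The schema could also carry `description` text to the same effect so it shows up in the CRD.
```yaml
    rego: |
      package k8sallowedrepos

      # … unchanged: containers and initContainers violation rules …

      violation[{"msg": msg}] {
        container := input.review.object.spec.ephemeralContainers[_]
        satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
        not any(satisfied)
        msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
      }
```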
@@ -0,0 +1,38 @@
+{{- if .Values.global.cattle.psp.enabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ annotations:
+ seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
+ labels:
+ app: '{{ template "gatekeeper.name" . }}'
+ chart: '{{ template "gatekeeper.name" . }}'
+ gatekeeper.sh/system: "yes"
+ heritage: '{{ .Release.Service }}'
+ release: '{{ .Release.Name }}'
+ name: gatekeeper-admin
+spec:
+ allowPrivilegeEscalation: false
+ fsGroup:
+ ranges:
+ - max: 65535
+ min: 1
+ rule: MustRunAs
+ requiredDropCapabilities:
+ - ALL
+ runAsUser:
+ rule: MustRunAsNonRoot
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ ranges:
+ - max: 65535
+ min: 1
+ rule: MustRunAs
+ volumes:
+ - configMap
+ - projected
+ - secret
+ - downwardAPI
+ - emptyDir
+{{- end }}
diff --git a/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/gatekeeper-admin-serviceaccount.yaml b/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/gatekeeper-admin-serviceaccount.yaml
new file mode 100644
index 000000000..4b68998cb
--- /dev/null
+++ b/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/gatekeeper-admin-serviceaccount.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app: '{{ template "gatekeeper.name" . }}'
+ chart: '{{ template "gatekeeper.name" . }}'
+ gatekeeper.sh/system: "yes"
+ heritage: '{{ .Release.Service }}'
+ release: '{{ .Release.Name }}'
+ name: gatekeeper-admin
+ namespace: '{{ .Release.Namespace }}'
diff --git a/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/gatekeeper-audit-deployment.yaml b/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/gatekeeper-audit-deployment.yaml
new file mode 100644
index 000000000..a1adb6044
--- /dev/null
+++ b/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/gatekeeper-audit-deployment.yaml
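Review bot: The `seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'` annotation on the `gatekeeper-admin` PodSecurityPolicy permits any seccomp profile, while the chart's own pods appear to request only `runtime/default` (the README's `podAnnotations` default and the `enableRuntimeDefaultSeccompProfile` switch in `_helpers.tpl`); if nothing else binds this PSP, narrowing the annotation to `'runtime/default'` would match what the workloads ask for, and if `'*'` is kept to mirror upstream, a comment saying so would stop the next reader from tightening it blindly. Separately, the `chart:` label here, in the gatekeeper-admin ServiceAccount hunk and in the gatekeeper-audit Deployment hunk renders `gatekeeper.name`, while the `gatekeeper.chart` helper (name plus version, as a `chart` label conventionally carries) is defined in `_helpers.tpl` and unused in the visible templates. Switching the Deployment's label is not advisable, since `chart` also sits in its immutable `selector.matchLabels` and a version-bearing value there would break every upgrade, so the cleaner fix is to drop the unused helper or add `{{/* chart label intentionally carries only the name: it is part of immutable Deployment selectors */}}` where the label is set.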
@@ -0,0 +1,156 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + control-plane: audit-controller + gatekeeper.sh/operation: audit + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-audit + namespace: '{{ .Release.Namespace }}' +spec: + replicas: 1 + selector: + matchLabels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + control-plane: audit-controller + gatekeeper.sh/operation: audit + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + template: + metadata: + annotations: + {{- if .Values.podAnnotations }} + {{- toYaml .Values.podAnnotations | trim | nindent 8 }} + {{- end }} + labels: +{{- include "gatekeeper.podLabels" . }} + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + control-plane: audit-controller + gatekeeper.sh/operation: audit + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + spec: + affinity: + {{- toYaml .Values.audit.affinity | nindent 8 }} + automountServiceAccountToken: true + containers: + - image: '{{ template "system_default_registry" . 
}}{{ .Values.images.gatekeeper.repository }}:{{ .Values.images.gatekeeper.tag }}' + args: + - --audit-interval={{ .Values.auditInterval }} + - --log-level={{ (.Values.audit.logLevel | empty | not) | ternary .Values.audit.logLevel .Values.logLevel }} + - --constraint-violations-limit={{ .Values.constraintViolationsLimit }} + - --validating-webhook-configuration-name={{ .Values.validatingWebhookName }} + - --mutating-webhook-configuration-name={{ .Values.mutatingWebhookName }} + - --audit-from-cache={{ .Values.auditFromCache }} + - --audit-chunk-size={{ .Values.auditChunkSize }} + - --audit-match-kind-only={{ .Values.auditMatchKindOnly }} + - --emit-audit-events={{ .Values.emitAuditEvents }} + - --audit-events-involved-namespace={{ .Values.auditEventsInvolvedNamespace }} + - --operation=audit + - --operation=status + {{ if not .Values.disableMutation}}- --operation=mutation-status{{- end }} + - --logtostderr + - --health-addr=:{{ .Values.audit.healthPort }} + - --prometheus-port={{ .Values.audit.metricsPort }} + - --enable-external-data={{ .Values.enableExternalData }} + - --enable-generator-resource-expansion={{ .Values.enableGeneratorResourceExpansion }} + + {{- range .Values.metricsBackends}} + - --metrics-backend={{ . 
}} + {{- end }} + + {{- if .Values.audit.logFile}} + - --log-file={{ .Values.audit.logFile }} + {{- end }} + - --disable-cert-rotation={{ or .Values.audit.disableCertRotation .Values.externalCertInjection.enabled }} + command: + - /manager + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: CONTAINER_NAME + value: manager + imagePullPolicy: '{{ .Values.images.pullPolicy }}' + livenessProbe: + httpGet: + path: /healthz + port: {{ .Values.audit.healthPort }} + timeoutSeconds: {{ .Values.audit.livenessTimeout }} + name: manager + ports: + - containerPort: {{ .Values.audit.metricsPort }} + name: metrics + protocol: TCP + - containerPort: {{ .Values.audit.healthPort }} + name: healthz + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: {{ .Values.audit.healthPort }} + timeoutSeconds: {{ .Values.audit.readinessTimeout }} + resources: + {{- toYaml .Values.audit.resources | nindent 10 }} + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.audit.securityContext | nindent 10}} + volumeMounts: + - mountPath: /certs + name: cert + readOnly: true + - mountPath: /tmp/audit + name: tmp-volume + dnsPolicy: {{ .Values.audit.dnsPolicy }} + hostNetwork: {{ .Values.audit.hostNetwork }} + imagePullSecrets: + {{- toYaml .Values.images.pullSecrets | nindent 8 }} + nodeSelector: {{ include "linux-node-selector" . 
| nindent 8 }} +{{- if .Values.audit.nodeSelector }} +{{ toYaml .Values.audit.nodeSelector | indent 8 }} +{{- end }} + {{- if .Values.audit.priorityClassName }} + priorityClassName: {{ .Values.audit.priorityClassName }} + {{- end }} + securityContext: + {{- toYaml .Values.audit.podSecurityContext | nindent 8 }} + serviceAccountName: gatekeeper-admin + terminationGracePeriodSeconds: 60 + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} +{{- if .Values.audit.tolerations }} +{{ toYaml .Values.audit.tolerations | indent 8 }} +{{- end }} + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: gatekeeper-webhook-server-cert + {{- if .Values.audit.writeToRAMDisk }} + - emptyDir: + medium: Memory + {{ else }} + - emptyDir: {} + {{- end }} + name: tmp-volume diff --git a/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/gatekeeper-controller-manager-deployment.yaml b/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/gatekeeper-controller-manager-deployment.yaml new file mode 100644 index 000000000..5eb8c9b42 --- /dev/null +++ b/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/gatekeeper-controller-manager-deployment.yaml 
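Review bot: Under the container `securityContext`, `seccompProfile: type: RuntimeDefault` is emitted when `enableRuntimeDefaultSeccompProfile` is set and then `.Values.audit.securityContext` is spliced in right after it with `toYaml`; if that values block also carries a `seccompProfile` key, the rendered mapping has a duplicate key and most YAML parsers silently keep the last one, so the values entry would override the RuntimeDefault profile with no error. Guarding the first block, for example `{{- if and .Values.enableRuntimeDefaultSeccompProfile (not .Values.audit.securityContext.seccompProfile) }}`, or a comment in values.yaml stating that the two settings are mutually exclusive, removes the ambiguity. The controller-manager deployment that follows has the same construct with `.Values.controllerManager.securityContext`.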
@@ -0,0 +1,169 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + control-plane: controller-manager + gatekeeper.sh/operation: webhook + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-controller-manager + namespace: '{{ .Release.Namespace }}' +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + control-plane: controller-manager + gatekeeper.sh/operation: webhook + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + template: + metadata: + annotations: + {{- if .Values.podAnnotations }} + {{- toYaml .Values.podAnnotations | trim | nindent 8 }} + {{- end }} + labels: +{{- include "gatekeeper.podLabels" . }} + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + control-plane: controller-manager + gatekeeper.sh/operation: webhook + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + spec: + affinity: + {{- toYaml .Values.controllerManager.affinity | nindent 8 }} + automountServiceAccountToken: true + containers: + - image: '{{ template "system_default_registry" . 
}}{{ .Values.images.gatekeeper.repository }}:{{ .Values.images.gatekeeper.tag }}' + imagePullPolicy: '{{ .Values.images.pullPolicy }}' + args: + - --port={{ .Values.controllerManager.port }} + - --health-addr=:{{ .Values.controllerManager.healthPort }} + - --prometheus-port={{ .Values.controllerManager.metricsPort }} + - --logtostderr + - --log-denies={{ .Values.logDenies }} + - --emit-admission-events={{ .Values.emitAdmissionEvents }} + - --admission-events-involved-namespace={{ .Values.admissionEventsInvolvedNamespace }} + - --log-level={{ (.Values.controllerManager.logLevel | empty | not) | ternary .Values.controllerManager.logLevel .Values.logLevel }} + - --exempt-namespace={{ .Release.Namespace }} + - --operation=webhook + - --enable-external-data={{ .Values.enableExternalData }} + - --enable-generator-resource-expansion={{ .Values.enableGeneratorResourceExpansion }} + - --log-mutations={{ .Values.logMutations }} + - --mutation-annotations={{ .Values.mutationAnnotations }} + - --disable-cert-rotation={{ .Values.controllerManager.disableCertRotation }} + - --max-serving-threads={{ .Values.maxServingThreads }} + - --tls-min-version={{ .Values.controllerManager.tlsMinVersion }} + {{ if ne .Values.controllerManager.clientCertName "" }}- --client-cert-name={{ .Values.controllerManager.clientCertName }}{{- end }} + + {{- range .Values.metricsBackends}} + - --metrics-backend={{ . }} + {{- end }} + {{ if .Values.enableTLSHealthcheck}}- --enable-tls-healthcheck{{- end }} + {{ if not .Values.disableMutation}}- --operation=mutation-webhook{{- end }} + + {{- range .Values.disabledBuiltins}} + - --disable-opa-builtin={{ . }} + {{- end }} + + {{- range .Values.controllerManager.exemptNamespaces}} + - --exempt-namespace={{ . }} + {{- end }} + + {{- range .Values.controllerManager.exemptNamespacePrefixes}} + - --exempt-namespace-prefix={{ . }} + {{- end }} + + {{- range .Values.controllerManager.exemptNamespaceSuffixes}} + - --exempt-namespace-suffix={{ . 
}} + {{- end }} + + {{- if .Values.controllerManager.logFile}} + - --log-file={{ .Values.controllerManager.logFile }} + {{- end }} + command: + - /manager + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: CONTAINER_NAME + value: manager + livenessProbe: + httpGet: + path: /healthz + port: {{ .Values.controllerManager.healthPort }} + timeoutSeconds: {{ .Values.controllerManager.livenessTimeout }} + name: manager + ports: + - containerPort: {{ .Values.controllerManager.port }} + name: webhook-server + protocol: TCP + - containerPort: {{ .Values.controllerManager.metricsPort }} + name: metrics + protocol: TCP + - containerPort: {{ .Values.controllerManager.healthPort }} + name: healthz + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: {{ .Values.controllerManager.healthPort }} + timeoutSeconds: {{ .Values.controllerManager.readinessTimeout }} + resources: + {{- toYaml .Values.controllerManager.resources | nindent 10 }} + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.controllerManager.securityContext | nindent 10}} + volumeMounts: + - mountPath: /certs + name: cert + readOnly: true + dnsPolicy: {{ .Values.controllerManager.dnsPolicy }} + hostNetwork: {{ .Values.controllerManager.hostNetwork }} + imagePullSecrets: + {{- toYaml .Values.images.pullSecrets | nindent 8 }} + nodeSelector: {{ include "linux-node-selector" . 
| nindent 8 }} +{{- if .Values.controllerManager.nodeSelector }} +{{ toYaml .Values.controllerManager.nodeSelector | indent 8 }} +{{- end }} + {{- if .Values.controllerManager.priorityClassName }} + priorityClassName: {{ .Values.controllerManager.priorityClassName }} + {{- end }} + securityContext: + {{- toYaml .Values.controllerManager.podSecurityContext | nindent 8 }} + serviceAccountName: gatekeeper-admin + terminationGracePeriodSeconds: 60 + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} +{{- if .Values.controllerManager.tolerations }} +{{ toYaml .Values.controllerManager.tolerations | indent 8 }} +{{- end }} + topologySpreadConstraints: + {{- toYaml .Values.controllerManager.topologySpreadConstraints | nindent 8 }} + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: gatekeeper-webhook-server-cert diff --git a/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/gatekeeper-controller-manager-network-policy.yaml b/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/gatekeeper-controller-manager-network-policy.yaml new file mode 100644 index 000000000..e05213feb --- /dev/null +++ b/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/gatekeeper-controller-manager-network-policy.yaml 
@@ -0,0 +1,30 @@ +{{- if .Values.controllerManager.networkPolicy.enabled -}} +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-controller-manager +spec: + ingress: + - from: + - podSelector: + matchLabels: + app: '{{ template "gatekeeper.name" . }}' + release: '{{ .Release.Name }}' + {{- with .Values.controllerManager.networkPolicy.ingress }} + {{- toYaml . | nindent 4 }} + {{- end }} + podSelector: + matchLabels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + control-plane: controller-manager + gatekeeper.sh/operation: webhook + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' +{{- end -}} diff --git a/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/gatekeeper-controller-manager-poddisruptionbudget.yaml b/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/gatekeeper-controller-manager-poddisruptionbudget.yaml new file mode 100644 index 000000000..424f6a67c --- /dev/null +++ b/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/gatekeeper-controller-manager-poddisruptionbudget.yaml 
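Review bot: The built-in `ingress.from` rule only admits pods carrying this release's `app` and `release` labels, but the traffic the controller-manager must receive is admission requests from the kube-apiserver, which in many clusters does not run as a pod matching that selector or runs with host networking; with the policy enabled and `.Values.controllerManager.networkPolicy.ingress` left empty, admission calls may be dropped, which with a `Fail` failurePolicy blocks writes cluster-wide and with `Ignore` silently bypasses every constraint. A comment above `ingress:` such as `# The API server must be allowed in via controllerManager.networkPolicy.ingress (e.g. an ipBlock for the control-plane nodes); the default rule only covers in-release pods` would prevent that misconfiguration.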
@@ -0,0 +1,24 @@ +{{- $v1 := .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" -}} +{{- $v1beta1 := .Capabilities.APIVersions.Has "policy/v1beta1/PodDisruptionBudget" -}} +apiVersion: policy/v1{{- if and (not $v1) $v1beta1 -}}beta1{{- end }} +kind: PodDisruptionBudget +metadata: + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-controller-manager + namespace: '{{ .Release.Namespace }}' +spec: + minAvailable: {{ .Values.pdb.controllerManager.minAvailable }} + selector: + matchLabels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + control-plane: controller-manager + gatekeeper.sh/operation: webhook + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' diff --git a/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/gatekeeper-critical-pods-resourcequota.yaml b/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/gatekeeper-critical-pods-resourcequota.yaml new file mode 100644 index 000000000..154646366 --- /dev/null +++ b/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/gatekeeper-critical-pods-resourcequota.yaml @@ -0,0 +1,23 @@ +{{- if .Values.resourceQuota }} +apiVersion: v1 +kind: ResourceQuota +metadata: + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-critical-pods + namespace: '{{ .Release.Namespace }}' +spec: + hard: + pods: {{ .Values.podCountLimit }} + scopeSelector: + matchExpressions: + - operator: In + scopeName: PriorityClass + values: + - {{ .Values.controllerManager.priorityClassName }} + - {{ .Values.audit.priorityClassName }} +{{- end }} 
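Review bot: In the ResourceQuota's `scopeSelector.values`, `{{ .Values.controllerManager.priorityClassName }}` and `{{ .Values.audit.priorityClassName }}` are emitted unconditionally, while both deployments only set `priorityClassName` inside an `{{- if }}` guard; if either value is empty with `resourceQuota` enabled, the list gets an empty entry that the API server will most likely reject, and a quota scoped to a class no pod uses protects nothing. Wrapping each entry the same way, `{{- if .Values.audit.priorityClassName }}` / `- {{ .Values.audit.priorityClassName }}` / `{{- end }}`, keeps the templates consistent.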
diff --git a/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/gatekeeper-manager-role-clusterrole.yaml b/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/gatekeeper-manager-role-clusterrole.yaml new file mode 100644 index 000000000..37ac19cc1 --- /dev/null +++ b/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/gatekeeper-manager-role-clusterrole.yaml 
@@ -0,0 +1,174 @@ +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-manager-role +rules: +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - list + - watch +- apiGroups: + - admissionregistration.k8s.io + resourceNames: + - {{ .Values.mutatingWebhookName }} + resources: + - mutatingwebhookconfigurations + verbs: + - get + - list + - patch + - update + - watch +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - config.gatekeeper.sh + resources: + - configs + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - config.gatekeeper.sh + resources: + - configs/status + verbs: + - get + - patch + - update +- apiGroups: + - constraints.gatekeeper.sh + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - externaldata.gatekeeper.sh + resources: + - providers + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - mutations.gatekeeper.sh + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +{{- if .Values.global.cattle.psp.enabled }} +- apiGroups: + - policy + resourceNames: + - gatekeeper-admin + resources: + - podsecuritypolicies + verbs: + - use +{{- end }} +- apiGroups: + - status.gatekeeper.sh + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - templates.gatekeeper.sh + resources: + - constrainttemplates + verbs: + 
- create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - templates.gatekeeper.sh + resources: + - constrainttemplates/finalizers + verbs: + - delete + - get + - patch + - update +- apiGroups: + - templates.gatekeeper.sh + resources: + - constrainttemplates/status + verbs: + - get + - patch + - update +- apiGroups: + - admissionregistration.k8s.io + resourceNames: + - {{ .Values.validatingWebhookName }} + resources: + - validatingwebhookconfigurations + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +{{- end }} diff --git a/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/gatekeeper-manager-role-role.yaml b/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/gatekeeper-manager-role-role.yaml new file mode 100644 index 000000000..1018dcdb6 --- /dev/null +++ b/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/gatekeeper-manager-role-role.yaml @@ -0,0 +1,37 @@ +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-manager-role + namespace: '{{ .Release.Namespace }}' +rules: +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +{{- with .Values.controllerManager.extraRules }} + {{- toYaml . | nindent 0 }} +{{- end }} +{{- end }} diff --git a/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml b/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml new file mode 100644 index 000000000..1fb9f6c87 --- /dev/null 
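Review bot: The rule granting `get`/`list`/`watch` on `'*'` resources in `'*'` apiGroups gives the shared `gatekeeper-admin` service account cluster-wide read access to every API object, Secrets included, and nothing explains why; since the Role in the next file separately grants full write on Secrets in the release namespace, a reader cannot tell which grants are load-bearing. A comment above that rule, e.g. `# Cluster-wide read is presumably required for audit and Config-driven sync; note this includes Secrets`, would document the trade-off for operators reviewing RBAC. `creationTimestamp: null` in both the ClusterRole and Role metadata is generator residue and can be dropped.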
+++ b/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: gatekeeper-manager-role +subjects: +- kind: ServiceAccount + name: gatekeeper-admin + namespace: '{{ .Release.Namespace }}' +{{- end }} diff --git a/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/gatekeeper-manager-rolebinding-rolebinding.yaml b/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/gatekeeper-manager-rolebinding-rolebinding.yaml new file mode 100644 index 000000000..fbe9580d5 --- /dev/null +++ b/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/gatekeeper-manager-rolebinding-rolebinding.yaml @@ -0,0 +1,21 @@ +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-manager-rolebinding + namespace: '{{ .Release.Namespace }}' +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: gatekeeper-manager-role +subjects: +- kind: ServiceAccount + name: gatekeeper-admin + namespace: '{{ .Release.Namespace }}' +{{- end }} 
diff --git a/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml b/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml new file mode 100644 index 000000000..0bc3bc43e --- /dev/null +++ b/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml 
@@ -0,0 +1,60 @@ +{{- if not .Values.disableMutation }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + annotations: {{- toYaml .Values.mutatingWebhookAnnotations | trim | nindent 4 }} + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: '{{ .Values.mutatingWebhookName }}' +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: gatekeeper-webhook-service + namespace: '{{ .Release.Namespace }}' + path: /v1/mutate + failurePolicy: {{ .Values.mutatingWebhookFailurePolicy }} + matchPolicy: Exact + name: mutation.gatekeeper.sh + namespaceSelector: + matchExpressions: + - key: admission.gatekeeper.sh/ignore + operator: DoesNotExist + - key: kubernetes.io/metadata.name + operator: NotIn + values: + - {{ .Release.Namespace }} + + {{- range $key, $value := .Values.mutatingWebhookExemptNamespacesLabels}} + - key: {{ $key }} + operator: NotIn + values: + {{- range $value }} + - {{ . }} + {{- end }} + {{- end }} + objectSelector: {{ toYaml .Values.mutatingWebhookObjectSelector }} + reinvocationPolicy: {{ .Values.mutatingWebhookReinvocationPolicy }} + rules: + {{- if .Values.mutatingWebhookCustomRules }} + {{- toYaml .Values.mutatingWebhookCustomRules | nindent 2 }} + {{- else }} + - apiGroups: + - '*' + apiVersions: + - '*' + operations: + - CREATE + - UPDATE + resources: + - '*' + {{- end }} + sideEffects: None + timeoutSeconds: {{ .Values.mutatingWebhookTimeoutSeconds }} +{{- end }} diff --git a/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml b/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml new file mode 100644 index 000000000..f0dd85d5e --- /dev/null 
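Review bot: `objectSelector: {{ toYaml .Values.mutatingWebhookObjectSelector }}` renders the value inline on the key's line, which is only valid YAML when the value is empty (`{}`); `toYaml` of a non-empty mapping yields block-style lines that land after `objectSelector:` and fail to parse or nest at the wrong depth. `objectSelector: {{- toYaml .Values.mutatingWebhookObjectSelector | nindent 4 }}` (using whatever indent the webhook entry's children use) handles both cases, matching how `annotations` is already rendered at the top of this file. The validating webhook configuration later in this commit has the same construct with `validatingWebhookObjectSelector`.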
+++ b/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml 
@@ -0,0 +1,109 @@ +{{- if not .Values.disableValidatingWebhook }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: {{- toYaml .Values.validatingWebhookAnnotations | trim | nindent 4 }} + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: '{{ .Values.validatingWebhookName }}' +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: gatekeeper-webhook-service + namespace: '{{ .Release.Namespace }}' + path: /v1/admit + failurePolicy: {{ .Values.validatingWebhookFailurePolicy }} + matchPolicy: Exact + name: validation.gatekeeper.sh + namespaceSelector: + matchExpressions: + - key: admission.gatekeeper.sh/ignore + operator: DoesNotExist + - key: kubernetes.io/metadata.name + operator: NotIn + values: + - {{ .Release.Namespace }} + + {{- range $key, $value := .Values.validatingWebhookExemptNamespacesLabels}} + - key: {{ $key }} + operator: NotIn + values: + {{- range $value }} + - {{ . }} + {{- end }} + {{- end }} + objectSelector: {{ toYaml .Values.validatingWebhookObjectSelector }} + rules: + {{- if .Values.validatingWebhookCustomRules }} + {{- toYaml .Values.validatingWebhookCustomRules | nindent 2 }} + {{- else }} + - apiGroups: + - '*' + apiVersions: + - '*' + operations: + - CREATE + - UPDATE + {{- if .Values.enableDeleteOperations }} + - DELETE + {{- end }} + resources: + - '*' + # Explicitly list all known subresources except "status" (to avoid destabilizing the cluster and increasing load on gatekeeper). 
+ # You can find a rough list of subresources by doing a case-sensitive search in the Kubernetes codebase for 'Subresource("' + - 'pods/ephemeralcontainers' + - 'pods/exec' + - 'pods/log' + - 'pods/eviction' + - 'pods/portforward' + - 'pods/proxy' + - 'pods/attach' + - 'pods/binding' + - 'deployments/scale' + - 'replicasets/scale' + - 'statefulsets/scale' + - 'replicationcontrollers/scale' + - 'services/proxy' + - 'nodes/proxy' + # For constraints that mitigate CVE-2020-8554 + - 'services/status' + {{- end }} + sideEffects: None + timeoutSeconds: {{ .Values.validatingWebhookTimeoutSeconds }} +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: gatekeeper-webhook-service + namespace: '{{ .Release.Namespace }}' + path: /v1/admitlabel + failurePolicy: {{ .Values.validatingWebhookCheckIgnoreFailurePolicy }} + matchPolicy: Exact + name: check-ignore-label.gatekeeper.sh + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: NotIn + values: + - {{ .Release.Namespace }} + rules: + - apiGroups: + - "" + apiVersions: + - '*' + operations: + - CREATE + - UPDATE + resources: + - namespaces + sideEffects: None + timeoutSeconds: {{ .Values.validatingWebhookTimeoutSeconds }} +{{- end }} diff --git a/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/gatekeeper-webhook-server-cert-secret.yaml b/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/gatekeeper-webhook-server-cert-secret.yaml new file mode 100644 index 000000000..a841780a5 --- /dev/null +++ b/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/gatekeeper-webhook-server-cert-secret.yaml 
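Review bot: `failurePolicy: {{ .Values.validatingWebhookFailurePolicy }}` on the `validation.gatekeeper.sh` webhook is taken straight from values with no comment; if the chart default is `Ignore` (upstream's default), every constraint is bypassed whenever the webhook is unreachable or exceeds `timeoutSeconds`, which is a fail-open mode an operator relying on Gatekeeper for enforcement should see spelled out. A comment above the line such as `# Ignore = fail open (requests admitted if the webhook is unavailable); set Fail for strict enforcement` documents the trade-off. The `check-ignore-label.gatekeeper.sh` webhook's `validatingWebhookCheckIgnoreFailurePolicy` deserves the same comment, since it is the control that prevents the `admission.gatekeeper.sh/ignore` label from being applied to arbitrary namespaces.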
@@ -0,0 +1,14 @@ +{{- if not .Values.externalCertInjection.enabled }} +apiVersion: v1 +kind: Secret +metadata: + annotations: {{- toYaml .Values.secretAnnotations | trim | nindent 4 }} + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-webhook-server-cert + namespace: '{{ .Release.Namespace }}' +{{- end }} diff --git a/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/gatekeeper-webhook-service-service.yaml b/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/gatekeeper-webhook-service-service.yaml new file mode 100644 index 000000000..3c0f4453a --- /dev/null +++ b/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/gatekeeper-webhook-service-service.yaml @@ -0,0 +1,38 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-webhook-service + namespace: '{{ .Release.Namespace }}' +spec: + + ports: + - name: https-webhook-server + port: 443 + targetPort: webhook-server +{{- if .Values.service }} +{{- if .Values.service.healthzPort }} + - name: http-webhook-healthz + port: {{ .Values.service.healthzPort }} + targetPort: healthz + {{- end }} + {{- end }} + {{- if .Values.service }} + type: {{ .Values.service.type | default "ClusterIP" }} + {{- if .Values.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.service.loadBalancerIP }} + {{- end }} + {{- end }} + selector: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + control-plane: controller-manager + gatekeeper.sh/operation: webhook + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' 
diff --git a/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/namespace-post-install.yaml b/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/namespace-post-install.yaml new file mode 100644 index 000000000..4b4559df9 --- /dev/null +++ b/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/namespace-post-install.yaml 
@@ -0,0 +1,165 @@ +{{- if .Values.postInstall.labelNamespace.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: gatekeeper-update-namespace-label + namespace: {{ .Release.Namespace | quote }} + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation + {{- if .Values.postInstall.labelNamespace.extraAnnotations }} + {{- toYaml .Values.postInstall.labelNamespace.extraAnnotations | trim | nindent 4 }} + {{- end }} +spec: + template: + metadata: + annotations: + {{- toYaml .Values.podAnnotations | trim | nindent 8 }} + labels: + {{- include "gatekeeper.podLabels" . }} + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + spec: + restartPolicy: OnFailure + {{- if .Values.postInstall.labelNamespace.image.pullSecrets }} + imagePullSecrets: + {{- .Values.postInstall.labelNamespace.image.pullSecrets | toYaml | nindent 12 }} + {{- end }} + serviceAccount: gatekeeper-update-namespace-label + {{- if .Values.postInstall.probeWebhook.enabled }} + volumes: + {{- include "gatekeeper.postInstallWebhookProbeVolume" . | nindent 8 }} + initContainers: + {{- include "gatekeeper.postInstallWebhookProbeContainer" . | nindent 8 }} + {{- end }} + containers: + - name: kubectl-label + image: '{{ template "system_default_registry" . 
}}{{ .Values.postInstall.labelNamespace.image.repository }}:{{ .Values.postInstall.labelNamespace.image.tag }}' + imagePullPolicy: {{ .Values.postInstall.labelNamespace.image.pullPolicy }} + args: + - label + - ns + - {{ .Release.Namespace }} + - admission.gatekeeper.sh/ignore=no-self-managing + {{- range .Values.postInstall.labelNamespace.podSecurity }} + - {{ . }} + {{- end }} + - --overwrite + resources: + {{- toYaml .Values.postInstall.resources | nindent 12 }} + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.postInstall.securityContext | nindent 12 }} + {{- if .Values.postInstall.labelNamespace.extraNamespaces }} + - name: kubectl-label-extra + image: "{{ .Values.postInstall.labelNamespace.image.repository }}:{{ .Values.postInstall.labelNamespace.image.tag }}" + imagePullPolicy: {{ .Values.postInstall.labelNamespace.image.pullPolicy }} + args: + - label + - ns + {{- range .Values.postInstall.labelNamespace.extraNamespaces }} + - {{ . }} + {{- end }} + - admission.gatekeeper.sh/ignore=extra-namespaces + - --overwrite + resources: + {{- toYaml .Values.postInstall.resources | nindent 12 }} + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.postInstall.securityContext | nindent 12 }} + {{- end }} + {{- with .Values.postInstall }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} + tolerations: {{ include "linux-node-tolerations" . 
| nindent 8 }} + affinity: + {{- toYaml .affinity | nindent 8 }} + {{- end }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: gatekeeper-update-namespace-label + namespace: {{ .Release.Namespace | quote }} + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +--- +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: gatekeeper-update-namespace-label + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +rules: + - apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - update + - patch + resourceNames: + - {{ .Release.Namespace }} + {{- range .Values.postInstall.labelNamespace.extraNamespaces }} + - {{ . }} + {{- end }} + - apiGroups: + - management.cattle.io + resources: + - projects + verbs: + - updatepsa +{{- with .Values.postInstall.labelNamespace.extraRules }} + {{- toYaml . | nindent 2 }} +{{- end }} +{{- end }} +--- +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: gatekeeper-update-namespace-label + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: gatekeeper-update-namespace-label +subjects: + - kind: ServiceAccount + name: gatekeeper-update-namespace-label + namespace: {{ .Release.Namespace | quote }} +{{- end }} +{{- end }} 
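Review bot: The `kubectl-label-extra` container's `image:` is built from `.Values.postInstall.labelNamespace.image.repository` alone, while the `kubectl-label` container in the same pod prefixes it with `{{ template "system_default_registry" . }}`; on an air-gapped install with `global.cattle.systemDefaultRegistry` set, the extra-namespaces container pulls from the public registry (or fails to pull), and this path is only exercised when `extraNamespaces` is non-empty so it is easy to miss. Change it to `image: '{{ template "system_default_registry" . }}{{ .Values.postInstall.labelNamespace.image.repository }}:{{ .Values.postInstall.labelNamespace.image.tag }}'`. The same omission is in the `kubectl-label-extra` container of the namespace-post-upgrade.yaml hunk. Separately, `serviceAccount:` is the deprecated alias of `serviceAccountName:` in PodSpec — the upgrade-crds hook in this commit already uses `serviceAccountName` — and the alias recurs in the post-upgrade and pre-delete Jobs.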
diff --git a/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/namespace-post-upgrade.yaml b/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/namespace-post-upgrade.yaml new file mode 100644 index 000000000..9e4a75454 --- /dev/null +++ b/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/namespace-post-upgrade.yaml 
@@ -0,0 +1,153 @@ +{{- if .Values.postUpgrade.labelNamespace.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: gatekeeper-update-namespace-label-post-upgrade + namespace: {{ .Release.Namespace | quote }} + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + annotations: + "helm.sh/hook": post-upgrade + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation + {{- if .Values.postUpgrade.labelNamespace.extraAnnotations }} + {{- toYaml .Values.postUpgrade.labelNamespace.extraAnnotations | trim | nindent 4 }} + {{- end }} +spec: + template: + metadata: + labels: + {{- include "gatekeeper.podLabels" . }} + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + spec: + restartPolicy: OnFailure + {{- if .Values.postUpgrade.labelNamespace.image.pullSecrets }} + imagePullSecrets: + {{- .Values.postUpgrade.labelNamespace.image.pullSecrets | toYaml | nindent 12 }} + {{- end }} + serviceAccount: gatekeeper-update-namespace-label-post-upgrade + containers: + - name: kubectl-label + image: '{{ template "system_default_registry" . }}{{ .Values.postUpgrade.labelNamespace.image.repository }}:{{ .Values.postUpgrade.labelNamespace.image.tag }}' + imagePullPolicy: {{ .Values.postUpgrade.labelNamespace.image.pullPolicy }} + args: + - label + - ns + - {{ .Release.Namespace }} + - admission.gatekeeper.sh/ignore=no-self-managing + {{- range .Values.postUpgrade.labelNamespace.podSecurity }} + - {{ . 
}} + {{- end }} + - --overwrite + resources: + {{- toYaml .Values.postUpgrade.resources | nindent 12 }} + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.postUpgrade.securityContext | nindent 12 }} + {{- if .Values.postUpgrade.labelNamespace.extraNamespaces }} + - name: kubectl-label-extra + image: "{{ .Values.postUpgrade.labelNamespace.image.repository }}:{{ .Values.postUpgrade.labelNamespace.image.tag }}" + imagePullPolicy: {{ .Values.postUpgrade.labelNamespace.image.pullPolicy }} + args: + - label + - ns + {{- range .Values.postUpgrade.labelNamespace.extraNamespaces }} + - {{ . }} + {{- end }} + - admission.gatekeeper.sh/ignore=extra-namespaces + - --overwrite + resources: + {{- toYaml .Values.postUpgrade.resources | nindent 12 }} + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.postUpgrade.securityContext | nindent 12 }} + {{- end }} + {{- with .Values.postUpgrade }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} + tolerations: {{ include "linux-node-tolerations" . 
| nindent 8 }} + affinity: + {{- toYaml .affinity | nindent 8 }} + {{- end }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: gatekeeper-update-namespace-label-post-upgrade + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": post-upgrade + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +--- +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: gatekeeper-update-namespace-label-post-upgrade + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": post-upgrade + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +rules: + - apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - update + - patch + resourceNames: + - {{ .Release.Namespace }} + {{- range .Values.postUpgrade.labelNamespace.extraNamespaces }} + - {{ . }} + {{- end }} + - apiGroups: + - management.cattle.io + resources: + - projects + verbs: + - updatepsa +{{- end }} +--- +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: gatekeeper-update-namespace-label-post-upgrade + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": post-upgrade + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: gatekeeper-update-namespace-label-post-upgrade +subjects: + - kind: ServiceAccount + name: gatekeeper-update-namespace-label-post-upgrade + namespace: {{ .Release.Namespace | quote }} +{{- end }} +{{- end }} 
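Review bot: The post-upgrade Job's pod template has no `annotations:` block, whereas the post-install Job and the other hook Jobs in this commit render `{{- toYaml .Values.podAnnotations | trim | nindent 8 }}` under `spec.template.metadata`; a user who relies on `podAnnotations` (to keep hook pods out of a service mesh, for instance) gets them on every hook pod except this one. Add `annotations:` followed by `{{- toYaml .Values.podAnnotations | trim | nindent 8 }}` above `labels:` in the pod template. The ClusterRole here also has no `extraRules` hook while the post-install ClusterRole renders `.Values.postInstall.labelNamespace.extraRules`; if the asymmetry is intended, a comment above `rules:` saying so will stop it from being "fixed" later.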
diff --git a/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/probe-webhook-post-install.yaml b/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/probe-webhook-post-install.yaml new file mode 100644 index 000000000..c9f706527 --- /dev/null +++ b/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/probe-webhook-post-install.yaml @@ -0,0 +1,46 @@ +{{- if not .Values.disableValidatingWebhook }} +{{- if and (not .Values.postInstall.labelNamespace.enabled) .Values.postInstall.probeWebhook.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: gatekeeper-probe-webhook-post-install + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + template: + metadata: + annotations: + {{- toYaml .Values.podAnnotations | trim | nindent 8 }} + labels: + {{- include "gatekeeper.podLabels" . }} + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + spec: + restartPolicy: Never + {{- if .Values.postInstall.probeWebhook.image.pullSecrets }} + imagePullSecrets: + {{- .Values.postInstall.probeWebhook.image.pullSecrets | toYaml | nindent 12 }} + {{- end }} + volumes: + {{- include "gatekeeper.postInstallWebhookProbeVolume" . | nindent 8 }} + containers: + {{- include "gatekeeper.postInstallWebhookProbeContainer" . | nindent 8 }} + {{- with .Values.postInstall }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} + affinity: + {{- toYaml .affinity | nindent 8 }} + {{- end }} +{{- end }} +{{- end }} 
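Review bot: The probe Job sets no `serviceAccountName` and does not disable token automount, so the pod runs as the namespace's `default` ServiceAccount and is handed its token even though its only task is to reach the webhook Service. Adding `automountServiceAccountToken: false` under the pod `spec:` next to `restartPolicy: Never` keeps a misbehaving probe from holding an API credential it does not need. The container and volume come from the `gatekeeper.postInstallWebhookProbeContainer` and `gatekeeper.postInstallWebhookProbeVolume` includes defined outside this hunk, so confirm they do not mount the token themselves. Unlike the other hook Jobs, this one also omits `namespace: {{ .Release.Namespace | quote }}` from `metadata:`; Helm defaults it, but the inconsistency is worth removing.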
diff --git a/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/requiredlabels.yaml b/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/requiredlabels.yaml new file mode 100644 index 000000000..e93e6a0a7 --- /dev/null +++ b/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/requiredlabels.yaml @@ -0,0 +1,57 @@ +apiVersion: templates.gatekeeper.sh/v1beta1 +kind: ConstraintTemplate +metadata: + name: k8srequiredlabels +spec: + crd: + spec: + names: + kind: K8sRequiredLabels + validation: + # Schema for the `parameters` field + openAPIV3Schema: + properties: + message: + type: string + labels: + type: array + items: + type: object + properties: + key: + type: string + allowedRegex: + type: string + targets: + - target: admission.k8s.gatekeeper.sh + rego: | + package k8srequiredlabels + + get_message(parameters, _default) = msg { + not parameters.message + msg := _default + } + + get_message(parameters, _default) = msg { + msg := parameters.message + } + + violation[{"msg": msg, "details": {"missing_labels": missing}}] { + provided := {label | input.review.object.metadata.labels[label]} + required := {label | label := input.parameters.labels[_].key} + missing := required - provided + count(missing) > 0 + def_msg := sprintf("you must provide labels: %v", [missing]) + msg := get_message(input.parameters, def_msg) + } + + violation[{"msg": msg}] { + value := input.review.object.metadata.labels[key] + expected := input.parameters.labels[_] + expected.key == key + # do not match if allowedRegex is not defined, or is an empty string + expected.allowedRegex != "" + not re_match(expected.allowedRegex, value) + def_msg := sprintf("Label <%v: %v> does not satisfy allowed regex: %v", [key, value, expected.allowedRegex]) + msg := get_message(input.parameters, def_msg) + } 
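Review bot: The `allowedRegex` check uses `re_match`, which matches anywhere in the label value unless the pattern is anchored, so `allowedRegex: "prod"` also accepts `nonprod`, and the schema says nothing about this. Add a `description:` under `allowedRegex:` such as `Regular expression the label value must match; anchor with ^ and $ to require a full-value match. Empty or omitted disables the check.` `re_match` is also the deprecated spelling of `regex.match` in OPA with the same arguments, so `not regex.match(expected.allowedRegex, value)` is a drop-in replacement.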
diff --git a/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/upgrade-crds-hook.yaml b/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/upgrade-crds-hook.yaml new file mode 100644 index 000000000..28c2d6bb0 --- /dev/null +++ b/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/upgrade-crds-hook.yaml 
@@ -0,0 +1,116 @@ +{{- if .Values.upgradeCRDs.enabled }} +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: gatekeeper-admin-upgrade-crds + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + helm.sh/hook: pre-install,pre-upgrade + helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation" + helm.sh/hook-weight: "1" +rules: + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "create", "update", "patch"] +{{- with .Values.upgradeCRDs.extraRules }} + {{- toYaml . | nindent 2 }} +{{- end }} +{{- end }} +--- +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: gatekeeper-admin-upgrade-crds + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + helm.sh/hook: pre-install,pre-upgrade + helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation" + helm.sh/hook-weight: "1" +subjects: + - kind: ServiceAccount + name: gatekeeper-admin-upgrade-crds + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: gatekeeper-admin-upgrade-crds + apiGroup: rbac.authorization.k8s.io +{{- end }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + name: gatekeeper-admin-upgrade-crds + namespace: '{{ .Release.Namespace }}' + annotations: + helm.sh/hook: pre-install,pre-upgrade + helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation" + helm.sh/hook-weight: "1" +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: gatekeeper-update-crds-hook + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "gatekeeper.name" . }} + chart: {{ template "gatekeeper.name" . 
}} + gatekeeper.sh/system: "yes" + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + annotations: + helm.sh/hook: pre-install,pre-upgrade + helm.sh/hook-weight: "1" + helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation" +spec: + backoffLimit: 0 + template: + metadata: + name: gatekeeper-update-crds-hook + annotations: + {{- toYaml .Values.podAnnotations | trim | nindent 8 }} + labels: + {{- include "gatekeeper.podLabels" . }} + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + spec: + serviceAccountName: gatekeeper-admin-upgrade-crds + restartPolicy: Never + {{- if .Values.images.pullSecrets }} + imagePullSecrets: + {{- toYaml .Values.images.pullSecrets | nindent 8 }} + {{- end }} + containers: + - name: crds-upgrade + image: '{{ template "system_default_registry" . }}{{ .Values.images.gatekeepercrd.repository }}:{{ .Values.images.gatekeepercrd.tag }}' + imagePullPolicy: '{{ .Values.images.pullPolicy }}' + args: + - apply + - -f + - crds/ + resources: + {{- toYaml .Values.crds.resources | nindent 10 }} + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.crds.securityContext | nindent 10 }} + {{- with .Values.crds }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} + affinity: + {{- toYaml .affinity | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/validate-install-crd.yaml b/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/validate-install-crd.yaml new file mode 100644 index 000000000..9c4f3a3c2 --- /dev/null +++ b/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/validate-install-crd.yaml 
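Review bot: The `gatekeeper-admin-upgrade-crds` ClusterRole grants `get`, `create`, `update` and `patch` on every `customresourcedefinitions` object in the cluster, not only Gatekeeper's, so while the hook exists any principal able to run a pod as that ServiceAccount can rewrite unrelated CRDs. `create` cannot be narrowed by `resourceNames`, but `update`/`patch` can: split the rule so the `update`/`patch` verbs carry a `resourceNames:` list of the CRDs that `crds/` in the image ships (the chart's own CRD files appear in this commit's diffstat). If the breadth is deliberate because the CRD set changes between versions, a comment above `rules:` saying so would keep the next reviewer from narrowing it and breaking upgrades.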
@@ -0,0 +1,24 @@ +#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}} +# {{- $found := dict -}} +# {{- set $found "mutations.gatekeeper.sh/v1/Assign" false -}} +# {{- set $found "mutations.gatekeeper.sh/v1alpha1/AssignImage" false -}} +# {{- set $found "mutations.gatekeeper.sh/v1/AssignMetadata" false -}} +# {{- set $found "config.gatekeeper.sh/v1alpha1/Config" false -}} +# {{- set $found "status.gatekeeper.sh/v1beta1/ConstraintPodStatus" false -}} +# {{- set $found "templates.gatekeeper.sh/v1/ConstraintTemplate" false -}} +# {{- set $found "status.gatekeeper.sh/v1beta1/ConstraintTemplatePodStatus" false -}} +# {{- set $found "expansion.gatekeeper.sh/v1alpha1/ExpansionTemplate" false -}} +# {{- set $found "mutations.gatekeeper.sh/v1/ModifySet" false -}} +# {{- set $found "status.gatekeeper.sh/v1beta1/MutatorPodStatus" false -}} +# {{- set $found "externaldata.gatekeeper.sh/v1alpha1/Provider" false -}} +# {{- range .Capabilities.APIVersions -}} +# {{- if hasKey $found (toString .) -}} +# {{- set $found (toString .) true -}} +# {{- end -}} +# {{- end -}} +# {{- range $_, $exists := $found -}} +# {{- if (eq $exists false) -}} +# {{- required "Required CRDs are missing. Please install the corresponding CRD chart before installing this chart." "" -}} +# {{- end -}} +# {{- end -}} +#{{- end -}} \ No newline at end of file diff --git a/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/validate-psp-install.yaml b/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/validate-psp-install.yaml new file mode 100644 index 000000000..a30c59d3b --- /dev/null +++ b/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/validate-psp-install.yaml 
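Review bot: Every line of validate-install-crd.yaml, and of validate-psp-install.yaml in the following hunk, is prefixed with `#`, and nothing explains that the Go template actions inside still execute — the `#` only makes the rendered output a YAML comment so no object is emitted. A comment at the top such as `# Each line is a YAML comment so the rendered file is empty, but the template actions still run: required/fail abort the install when a CRD (or the PSP API) is missing.` would stop a future cleanup from deleting the file as dead code. It is also worth stating that the outer `lookup` guard yields an empty list under `helm template` and `--dry-run`, so neither check fires there and they only run on a real install against a live cluster.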
@@ -0,0 +1,7 @@ +#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}} +#{{- if .Values.global.cattle.psp.enabled }} +#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} +#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}} +#{{- end }} +#{{- end }} +#{{- end }} diff --git a/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/webhook-configs-pre-delete.yaml b/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/webhook-configs-pre-delete.yaml new file mode 100644 index 000000000..a80dee59e --- /dev/null +++ b/charts/rancher-gatekeeper/102.1.0+up3.12.0/templates/webhook-configs-pre-delete.yaml 
@@ -0,0 +1,135 @@ +{{- if and (or (not .Values.disableValidatingWebhook) (not .Values.disableMutation)) .Values.preUninstall.deleteWebhookConfigurations.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: gatekeeper-delete-webhook-configs + namespace: {{ .Release.Namespace | quote }} + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + template: + metadata: + annotations: + {{- toYaml .Values.podAnnotations | trim | nindent 8 }} + labels: + {{- include "gatekeeper.podLabels" . }} + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + spec: + restartPolicy: OnFailure + {{- if .Values.preUninstall.deleteWebhookConfigurations.image.pullSecrets }} + imagePullSecrets: + {{- .Values.preUninstall.deleteWebhookConfigurations.image.pullSecrets | toYaml | nindent 12 }} + {{- end }} + serviceAccount: gatekeeper-delete-webhook-configs + containers: + - name: kubectl-delete + image: '{{ template "system_default_registry" . 
}}{{ .Values.preUninstall.deleteWebhookConfigurations.image.repository }}:{{ .Values.preUninstall.deleteWebhookConfigurations.image.tag }}' + imagePullPolicy: {{ .Values.preUninstall.deleteWebhookConfigurations.image.pullPolicy }} + args: + - delete + {{- if not .Values.disableValidatingWebhook }} + - validatingwebhookconfiguration/{{ .Values.validatingWebhookName }} + {{- end }} + {{- if not .Values.disableMutation }} + - mutatingwebhookconfiguration/{{ .Values.mutatingWebhookName }} + {{- end }} + resources: + {{- toYaml .Values.preUninstall.resources | nindent 10 }} + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.preUninstall.securityContext | nindent 10 }} + {{- with .Values.preUninstall }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} + affinity: + {{- toYaml .affinity | nindent 8 }} + {{- end }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: gatekeeper-delete-webhook-configs + namespace: {{ .Release.Namespace | quote }} + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +--- +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: gatekeeper-delete-webhook-configs + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +rules: + {{- if not .Values.disableValidatingWebhook }} + - apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + resourceNames: + - {{ .Values.validatingWebhookName }} + verbs: + - delete + {{- end }} + {{- if not 
.Values.disableMutation }} + - apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + resourceNames: + - {{ .Values.mutatingWebhookName }} + verbs: + - delete + {{- end }} +{{- with .Values.preUninstall.deleteWebhookConfigurations.extraRules }} + {{- toYaml . | nindent 2 }} +{{- end }} +{{- end }} +--- +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: gatekeeper-delete-webhook-configs + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: gatekeeper-delete-webhook-configs +subjects: + - kind: ServiceAccount + name: gatekeeper-delete-webhook-configs + namespace: {{ .Release.Namespace | quote }} +{{- end }} +{{- end }} diff --git a/charts/rancher-gatekeeper/102.1.0+up3.12.0/values.yaml b/charts/rancher-gatekeeper/102.1.0+up3.12.0/values.yaml new file mode 100644 index 000000000..2dab8b3fe --- /dev/null +++ b/charts/rancher-gatekeeper/102.1.0+up3.12.0/values.yaml 
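Review bot: The `kubectl-delete` container runs `delete validatingwebhookconfiguration/...` and `mutatingwebhookconfiguration/...` under `restartPolicy: OnFailure`, and a missing object makes the delete exit non-zero; if an operator has already removed one of the configurations by hand, the pre-delete hook pod restarts indefinitely and `helm uninstall` waits until its timeout. Adding `- --ignore-not-found=true` after `- delete` in `args:` makes the hook idempotent (assuming the gatekeeper-crds image's entrypoint is kubectl, as the `apply -f crds/` usage in the upgrade hook suggests). The `serviceAccount:` field here is again the deprecated alias of `serviceAccountName:`.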
@@ -0,0 +1,271 @@ +replicas: 3 +auditInterval: 60 +metricsBackends: ["prometheus"] +auditMatchKindOnly: false +constraintViolationsLimit: 20 +auditFromCache: false +disableMutation: false +disableValidatingWebhook: false +validatingWebhookName: gatekeeper-validating-webhook-configuration +validatingWebhookTimeoutSeconds: 3 +validatingWebhookFailurePolicy: Ignore +validatingWebhookAnnotations: {} +validatingWebhookExemptNamespacesLabels: {} +validatingWebhookObjectSelector: {} +validatingWebhookCheckIgnoreFailurePolicy: Fail +validatingWebhookCustomRules: {} +enableDeleteOperations: false +enableExternalData: true +enableGeneratorResourceExpansion: false +enableTLSHealthcheck: false +maxServingThreads: -1 +mutatingWebhookName: gatekeeper-mutating-webhook-configuration +mutatingWebhookFailurePolicy: Ignore +mutatingWebhookReinvocationPolicy: Never +mutatingWebhookAnnotations: {} +mutatingWebhookExemptNamespacesLabels: {} +mutatingWebhookObjectSelector: {} +mutatingWebhookTimeoutSeconds: 1 +mutatingWebhookCustomRules: {} +mutationAnnotations: false +auditChunkSize: 500 +logLevel: INFO +logDenies: false +logMutations: false +emitAdmissionEvents: false +emitAuditEvents: false +admissionEventsInvolvedNamespace: false +auditEventsInvolvedNamespace: false +resourceQuota: true +images: + gatekeeper: + repository: rancher/mirrored-openpolicyagent-gatekeeper + tag: v3.12.0 + gatekeepercrd: + repository: rancher/mirrored-openpolicyagent-gatekeeper-crds + tag: v3.12.0 + pullPolicy: IfNotPresent + pullSecrets: [] +preInstall: + crdRepository: + image: + repository: null + tag: v3.12.0 +postUpgrade: + labelNamespace: + enabled: false + image: + repository: rancher/kubectl + tag: v1.20.2 + pullPolicy: IfNotPresent + pullSecrets: [] + extraNamespaces: [] + podSecurity: ["pod-security.kubernetes.io/audit=restricted", + "pod-security.kubernetes.io/audit-version=latest", + "pod-security.kubernetes.io/warn=restricted", + "pod-security.kubernetes.io/warn-version=latest", + 
"pod-security.kubernetes.io/enforce=restricted", + "pod-security.kubernetes.io/enforce-version=v1.24"] + extraAnnotations: {} + affinity: {} + tolerations: [] + nodeSelector: {kubernetes.io/os: linux} + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 999 + runAsNonRoot: true + runAsUser: 1000 +postInstall: + labelNamespace: + enabled: true + extraRules: [] + image: + repository: rancher/mirrored-openpolicyagent-gatekeeper-crds + tag: v3.12.0 + pullPolicy: IfNotPresent + pullSecrets: [] + extraNamespaces: [] + podSecurity: ["pod-security.kubernetes.io/audit=restricted", + "pod-security.kubernetes.io/audit-version=latest", + "pod-security.kubernetes.io/warn=restricted", + "pod-security.kubernetes.io/warn-version=latest", + "pod-security.kubernetes.io/enforce=restricted", + "pod-security.kubernetes.io/enforce-version=v1.24"] + extraAnnotations: {} + probeWebhook: + enabled: true + image: + repository: rancher/mirrored-curlimages-curl + tag: 7.83.1 + pullPolicy: IfNotPresent + pullSecrets: [] + waitTimeout: 60 + httpTimeout: 2 + insecureHTTPS: false + affinity: {} + tolerations: [] + nodeSelector: {kubernetes.io/os: linux} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 999 + runAsNonRoot: true + runAsUser: 1000 +preUninstall: + deleteWebhookConfigurations: + extraRules: [] + enabled: false + image: + repository: rancher/mirrored-openpolicyagent-gatekeeper-crds + tag: v3.12.0 + pullPolicy: IfNotPresent + pullSecrets: [] + affinity: {} + tolerations: [] + nodeSelector: {kubernetes.io/os: linux} + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 999 + runAsNonRoot: true + runAsUser: 1000 +podAnnotations: {} +podLabels: {} +podCountLimit: "100" +secretAnnotations: {} +enableRuntimeDefaultSeccompProfile: 
true +controllerManager: + exemptNamespaces: [] + exemptNamespacePrefixes: [] + hostNetwork: false + dnsPolicy: ClusterFirst + port: 8443 + metricsPort: 8888 + healthPort: 9090 + readinessTimeout: 1 + livenessTimeout: 1 + priorityClassName: system-cluster-critical + disableCertRotation: false + tlsMinVersion: 1.3 + clientCertName: "" + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: gatekeeper.sh/operation + operator: In + values: + - webhook + topologyKey: kubernetes.io/hostname + weight: 100 + topologySpreadConstraints: [] + tolerations: [] + nodeSelector: {} + resources: + limits: + memory: 512Mi + requests: + cpu: 100m + memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 999 + runAsNonRoot: true + runAsUser: 1000 + podSecurityContext: + fsGroup: 999 + supplementalGroups: + - 999 + extraRules: [] + networkPolicy: + enabled: false + ingress: { } + # - from: + # - ipBlock: + # cidr: 0.0.0.0/0 +audit: + hostNetwork: false + dnsPolicy: ClusterFirst + metricsPort: 8888 + healthPort: 9090 + readinessTimeout: 1 + livenessTimeout: 1 + priorityClassName: system-cluster-critical + disableCertRotation: true + affinity: {} + tolerations: [] + nodeSelector: {} + resources: + limits: + memory: 512Mi + requests: + cpu: 100m + memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 999 + runAsNonRoot: true + runAsUser: 1000 + podSecurityContext: + fsGroup: 999 + supplementalGroups: + - 999 + writeToRAMDisk: false + extraRules: [] +crds: + affinity: {} + tolerations: [] + nodeSelector: {kubernetes.io/os: linux} + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 
+pdb: + controllerManager: + minAvailable: 1 +global: + cattle: + systemDefaultRegistry: "" + psp: + enabled: false + kubectl: + repository: rancher/kubectl + tag: v1.20.2 +service: {} +disabledBuiltins: ["{http.send}"] +upgradeCRDs: + enabled: true + extraRules: [] +rbac: + create: true +externalCertInjection: + enabled: false + secretName: gatekeeper-webhook-server-cert diff --git a/index.yaml b/index.yaml index 53fd469b0..bfac058fb 100755 --- a/index.yaml +++ b/index.yaml 
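Review bot: `controllerManager.tlsMinVersion: 1.3` is parsed as a YAML float rather than a string; it happens to render as `1.3`, but the value names a protocol version, so quote it as `tlsMinVersion: "1.3"` to keep the type stable under overrides and tooling. `validatingWebhookFailurePolicy` and `mutatingWebhookFailurePolicy` both default to `Ignore`, which is fail-open: when the webhook is unreachable the API server admits requests unchecked, so policy is not enforced during a controller outage; a comment beside each noting that `Fail` gives fail-closed enforcement at the cost of blocking admission while the webhook is down would let operators choose deliberately. `postUpgrade.labelNamespace.image` pins `rancher/kubectl` at `v1.20.2` while the post-install job uses the gatekeeper-crds image at `v3.12.0` and the index.yaml hunk allows clusters up to `< 1.26.0-0`; that exceeds kubectl's one-minor skew policy, which a plain `label` probably survives, but the mismatch deserves a note or alignment.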
@@ -6896,6 +6896,36 @@ entries: - assets/rancher-external-ip-webhook/rancher-external-ip-webhook-0.1.400.tgz version: 0.1.400 rancher-gatekeeper: + - annotations: + catalog.cattle.io/auto-install: rancher-gatekeeper-crd=match + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: OPA Gatekeeper + catalog.cattle.io/kube-version: '>= 1.20.0-0 < 1.26.0-0' + catalog.cattle.io/namespace: cattle-gatekeeper-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/provides-gvr: config.gatekeeper.sh.config/v1alpha1 + catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0' + catalog.cattle.io/release-name: rancher-gatekeeper + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/ui-component: gatekeeper + apiVersion: v2 + appVersion: v3.12.0 + created: "2023-04-25T21:55:47.817301636Z" + description: Modifies Open Policy Agent's upstream gatekeeper chart that provides + policy-based control for cloud native environments + digest: 69e9e4568e28623db139a93188a2abec5916b8ec09b3aa43d4f8526690196392 + home: https://github.com/open-policy-agent/gatekeeper + icon: https://charts.rancher.io/assets/logos/gatekeeper.svg + keywords: + - open policy agent + - security + name: rancher-gatekeeper + sources: + - https://github.com/open-policy-agent/gatekeeper.git + urls: + - assets/rancher-gatekeeper/rancher-gatekeeper-102.1.0+up3.12.0.tgz + version: 102.1.0+up3.12.0 - annotations: catalog.cattle.io/auto-install: rancher-gatekeeper-crd=match catalog.cattle.io/certified: rancher 
@@ -7239,6 +7269,20 @@ entries: - assets/rancher-gatekeeper/rancher-gatekeeper-3.1.100.tgz version: 3.1.100 rancher-gatekeeper-crd: + - annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/namespace: cattle-gatekeeper-system + catalog.cattle.io/release-name: rancher-gatekeeper-crd + apiVersion: v1 + created: "2023-04-25T21:55:47.848882368Z" + description: Installs the CRDs for rancher-gatekeeper. + digest: f361755f23e9102db12c24eeedf3e99cf3362ea048c54c5a34a6f769ef592bce + name: rancher-gatekeeper-crd + type: application + urls: + - assets/rancher-gatekeeper-crd/rancher-gatekeeper-crd-102.1.0+up3.12.0.tgz + version: 102.1.0+up3.12.0 - annotations: catalog.cattle.io/certified: rancher catalog.cattle.io/hidden: "true" diff --git a/release.yaml b/release.yaml index 7792c7721..aa903ff16 100644 --- a/release.yaml +++ b/release.yaml @@ -49,6 +49,6 @@ rancher-cis-benchmark: rancher-cis-benchmark-crd: - 2.1.2 rancher-gatekeeper: -- 102.1.0+up3.12.0 + - 102.1.0+up3.12.0 rancher-gatekeeper-crd: -- 102.1.0+up3.12.0 \ No newline at end of file + - 102.1.0+up3.12.0 \ No newline at end of file