diff --git a/assets/rancher-webhook/rancher-webhook-1.0.3+up0.2.5.tgz b/assets/rancher-webhook/rancher-webhook-1.0.3+up0.2.5.tgz index ce53a8319..9f953aa6b 100644 Binary files a/assets/rancher-webhook/rancher-webhook-1.0.3+up0.2.5.tgz and b/assets/rancher-webhook/rancher-webhook-1.0.3+up0.2.5.tgz differ diff --git a/assets/rancher-webhook/rancher-webhook-1.0.4+up0.2.5.tgz b/assets/rancher-webhook/rancher-webhook-1.0.4+up0.2.5.tgz new file mode 100644 index 000000000..da9dd5310 Binary files /dev/null and b/assets/rancher-webhook/rancher-webhook-1.0.4+up0.2.5.tgz differ diff --git a/charts/rancher-webhook/1.0.3+up0.2.5/Chart.yaml b/charts/rancher-webhook/1.0.3+up0.2.5/Chart.yaml index d91ea717f..f5f826c24 100644 --- a/charts/rancher-webhook/1.0.3+up0.2.5/Chart.yaml +++ b/charts/rancher-webhook/1.0.3+up0.2.5/Chart.yaml @@ -4,6 +4,7 @@ annotations: catalog.cattle.io/namespace: cattle-system catalog.cattle.io/os: linux catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/rancher-version: <2.5.99-0 catalog.cattle.io/release-name: rancher-webhook apiVersion: v2 appVersion: 0.2.5 diff --git a/charts/rancher-webhook/1.0.4+up0.2.5/Chart.yaml b/charts/rancher-webhook/1.0.4+up0.2.5/Chart.yaml new file mode 100644 index 000000000..d2d4a0587 --- /dev/null +++ b/charts/rancher-webhook/1.0.4+up0.2.5/Chart.yaml @@ -0,0 +1,16 @@ +annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/namespace: cattle-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/release-name: rancher-webhook +apiVersion: v2 +appVersion: 0.2.5 +dependencies: +- condition: capi.enabled + name: capi + repository: "" +description: ValidatingAdmissionWebhook for Rancher types +name: rancher-webhook +version: 1.0.4+up0.2.5 diff --git a/charts/rancher-webhook/1.0.4+up0.2.5/charts/capi/Chart.yaml b/charts/rancher-webhook/1.0.4+up0.2.5/charts/capi/Chart.yaml new file mode 100644 index 000000000..388210bef 
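Review bot: Adding `catalog.cattle.io/rancher-version: <2.5.99-0` to the already-published 1.0.3+up0.2.5 chart changes its packaged archive under an unchanged version number; the index.yaml hunk in this commit shows the digest recorded for that version changing. Anything that verifies or caches the earlier digest for 1.0.3+up0.2.5 will see a mismatch, so the in-place change should be stated in the commit description. The new 1.0.4+up0.2.5 Chart.yaml carries no `rancher-version` annotation; if that is deliberate, it is worth noting which Rancher versions it is meant for.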
--- /dev/null
+++ b/charts/rancher-webhook/1.0.4+up0.2.5/charts/capi/Chart.yaml
@@ -0,0 +1,4 @@
+apiVersion: v2
+appVersion: 0.0.0
+name: capi
+version: 0.0.0
diff --git a/charts/rancher-webhook/1.0.4+up0.2.5/charts/capi/templates/service.yaml b/charts/rancher-webhook/1.0.4+up0.2.5/charts/capi/templates/service.yaml
new file mode 100644
index 000000000..08df65d62
--- /dev/null
+++ b/charts/rancher-webhook/1.0.4+up0.2.5/charts/capi/templates/service.yaml
@@ -0,0 +1,13 @@
+kind: Service
+apiVersion: v1
+metadata:
+ name: webhook-service
+ annotations:
+ need-a-cert.cattle.io/secret-name: rancher-webhook-tls
+spec:
+ ports:
+ - name: https
+ port: 443
+ targetPort: 8777
+ selector:
+ app: rancher-webhook
diff --git a/charts/rancher-webhook/1.0.4+up0.2.5/templates/_helpers.tpl b/charts/rancher-webhook/1.0.4+up0.2.5/templates/_helpers.tpl
new file mode 100644
index 000000000..45f62d0b8
--- /dev/null
+++ b/charts/rancher-webhook/1.0.4+up0.2.5/templates/_helpers.tpl
@@ -0,0 +1,11 @@
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- else -}}
+{{- "" -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "rancher-webhook.labels" -}}
+app: rancher-webhook
+{{- end }}
diff --git a/charts/rancher-webhook/1.0.4+up0.2.5/templates/deployment.yaml b/charts/rancher-webhook/1.0.4+up0.2.5/templates/deployment.yaml
new file mode 100644
index 000000000..4431a78ba
--- /dev/null
+++ b/charts/rancher-webhook/1.0.4+up0.2.5/templates/deployment.yaml
@@ -0,0 +1,48 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: rancher-webhook
+spec:
+ selector:
+ matchLabels:
+ app: rancher-webhook
+ template:
+ metadata:
+ labels:
+ app: rancher-webhook
+ spec:
+ volumes:
+ - name: tls
+ secret:
+ secretName: rancher-webhook-tls
+ {{- if .Values.global.hostNetwork }}
+ hostNetwork: true
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ containers:
+ - env:
+ - name: STAMP
+ value: "{{.Values.stamp}}"
+ - name: ENABLE_CAPI
+ value: "{{.Values.capi.enabled}}"
+ - name: ENABLE_MCM
+ value: "{{.Values.mcm.enabled}}"
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ image: '{{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}'
+ name: rancher-webhook
+ imagePullPolicy: "{{ .Values.image.imagePullPolicy }}"
+ ports:
+ - name: https
+ containerPort: 9443
+ - name: capi-https
+ containerPort: 8777
+ volumeMounts:
+ - name: tls
+ mountPath: /tmp/k8s-webhook-server/serving-certs
+ serviceAccountName: rancher-webhook
diff --git a/charts/rancher-webhook/1.0.4+up0.2.5/templates/pre-delete-hook-cluster-role-binding.yaml b/charts/rancher-webhook/1.0.4+up0.2.5/templates/pre-delete-hook-cluster-role-binding.yaml
new file mode 100644
index 000000000..ca439ff48
--- /dev/null
+++ b/charts/rancher-webhook/1.0.4+up0.2.5/templates/pre-delete-hook-cluster-role-binding.yaml
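Review bot: The `rancher-webhook` container is declared without a `securityContext`, while its pod runs under the `rancher-webhook` ServiceAccount that templates/rbac.yaml in this commit binds to `cluster-admin`. A compromise of this container would therefore expose a cluster-admin token with no container-level restriction in front of it. If the image supports it (not visible here), add a `securityContext:` to the container with `allowPrivilegeEscalation: false` and `runAsNonRoot: true`. The container also has no resource requests/limits or readiness probe, which matters for a component that sits in the API admission path.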
@@ -0,0 +1,19 @@
+{{- if .Values.preDelete.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: rancher-webhook-pre-delete
+ labels: {{ include "rancher-webhook.labels" . | nindent 4 }}
+ annotations:
+ "helm.sh/hook": pre-delete
+ "helm.sh/hook-weight": "2"
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: rancher-webhook-pre-delete
+subjects:
+ - kind: ServiceAccount
+ name: rancher-webhook-pre-delete
+ namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/charts/rancher-webhook/1.0.4+up0.2.5/templates/pre-delete-hook-cluster-role.yaml b/charts/rancher-webhook/1.0.4+up0.2.5/templates/pre-delete-hook-cluster-role.yaml
new file mode 100644
index 000000000..36a1c7fef
--- /dev/null
+++ b/charts/rancher-webhook/1.0.4+up0.2.5/templates/pre-delete-hook-cluster-role.yaml
@@ -0,0 +1,23 @@
+{{- if .Values.preDelete.enabled }}
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: rancher-webhook-pre-delete
+ labels: {{ include "rancher-webhook.labels" . | nindent 4 }}
+ annotations:
+ "helm.sh/hook": pre-delete
+ "helm.sh/hook-weight": "1"
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
+rules:
+ - apiGroups: [ "admissionregistration.k8s.io" ]
+ resources: [ "mutatingwebhookconfigurations" ]
+ verbs: [ "delete" ]
+ resourceNames: [ "rancher.cattle.io" ]
+ - apiGroups: [ "" ]
+ resources: [ "serviceaccounts" ]
+ verbs: [ "get" ]
+ - apiGroups: [ "policy" ]
+ resources: [ "podsecuritypolicies" ]
+ verbs: [ "use" ]
+ resourceNames: [ "rancher-webhook-pre-delete" ]
+{{- end }}
diff --git a/charts/rancher-webhook/1.0.4+up0.2.5/templates/pre-delete-hook-job.yaml b/charts/rancher-webhook/1.0.4+up0.2.5/templates/pre-delete-hook-job.yaml
new file mode 100644
index 000000000..ad80c6085
--- /dev/null
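Review bot: The `serviceaccounts` rule in the pre-delete ClusterRole grants `get` on every ServiceAccount in the cluster, with no `resourceNames`, unlike the other two rules, which are each pinned to a single named object. The hook Job in this commit only runs `kubectl delete ... mutatingwebhookconfigurations rancher.cattle.io`, so it is not evident from the visible files what needs this rule. Either drop it, or restrict it with `resourceNames` and add a comment above it saying what depends on it.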
+++ b/charts/rancher-webhook/1.0.4+up0.2.5/templates/pre-delete-hook-job.yaml
@@ -0,0 +1,32 @@
+{{- if .Values.preDelete.enabled }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: rancher-webhook-pre-delete
+ namespace: {{ .Release.Namespace }}
+ labels: {{ include "rancher-webhook.labels" . | nindent 4 }}
+ annotations:
+ "helm.sh/hook": pre-delete
+ "helm.sh/hook-weight": "3"
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+spec:
+ backoffLimit: 3
+ template:
+ metadata:
+ name: rancher-webhook-pre-delete
+ labels: {{ include "rancher-webhook.labels" . | nindent 8 }}
+ spec:
+ serviceAccountName: rancher-webhook-pre-delete
+ restartPolicy: OnFailure
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ containers:
+ - name: rancher-webhook-pre-delete
+ image: "{{ include "system_default_registry" . }}{{ .Values.preDelete.image.repository }}:{{ .Values.preDelete.image.tag }}"
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ runAsUser: 0
+ command: [ "kubectl", "delete", "--ignore-not-found=true", "mutatingwebhookconfigurations", "rancher.cattle.io" ]
+{{- end }}
diff --git a/charts/rancher-webhook/1.0.4+up0.2.5/templates/pre-delete-hook-psp.yaml b/charts/rancher-webhook/1.0.4+up0.2.5/templates/pre-delete-hook-psp.yaml
new file mode 100644
index 000000000..8acf758d0
--- /dev/null
+++ b/charts/rancher-webhook/1.0.4+up0.2.5/templates/pre-delete-hook-psp.yaml
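Review bot: `securityContext.runAsUser: 0` runs the hook container as root, although its only command is a single `kubectl delete` call against the API server. Unless the `rancher/kubectl` image cannot start as a non-root user (not visible here), prefer a non-zero UID and add `allowPrivilegeEscalation: false` under the same `securityContext`. The Job's `helm.sh/hook-delete-policy` omits `hook-failed`, unlike the other hook resources in this commit; if that is meant to keep a failed Job around for inspection, a one-line comment saying so would help.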
@@ -0,0 +1,33 @@
+{{- if .Values.preDelete.enabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: rancher-webhook-pre-delete
+ labels: {{ include "rancher-webhook.labels" . | nindent 4 }}
+ annotations:
+ "helm.sh/hook": pre-delete
+ "helm.sh/hook-weight": "1"
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
+spec:
+ privileged: false
+ hostNetwork: false
+ hostIPC: false
+ hostPID: false
+ runAsUser:
+ rule: 'RunAsAny'
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 1
+ max: 65535
+ fsGroup:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 1
+ max: 65535
+ readOnlyRootFilesystem: false
+ volumes:
+ - 'secret'
+{{- end }}
diff --git a/charts/rancher-webhook/1.0.4+up0.2.5/templates/pre-delete-hook-service-account.yaml b/charts/rancher-webhook/1.0.4+up0.2.5/templates/pre-delete-hook-service-account.yaml
new file mode 100644
index 000000000..93e215394
--- /dev/null
+++ b/charts/rancher-webhook/1.0.4+up0.2.5/templates/pre-delete-hook-service-account.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.preDelete.enabled }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: rancher-webhook-pre-delete
+ namespace: {{ .Release.Namespace }}
+ labels: {{ include "rancher-webhook.labels" . | nindent 4 }}
+ annotations:
+ "helm.sh/hook": pre-delete
+ "helm.sh/hook-weight": "1"
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
+{{- end }}
diff --git a/charts/rancher-webhook/1.0.4+up0.2.5/templates/rbac.yaml b/charts/rancher-webhook/1.0.4+up0.2.5/templates/rbac.yaml
new file mode 100644
index 000000000..9afaae6c6
--- /dev/null
+++ b/charts/rancher-webhook/1.0.4+up0.2.5/templates/rbac.yaml
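Review bot: The PodSecurityPolicy sets `privileged: false` but leaves `allowPrivilegeEscalation` unset and uses `runAsUser.rule: 'RunAsAny'`, so it places no limit on the root container that pre-delete-hook-job.yaml requests. Adding `allowPrivilegeEscalation: false` and `requiredDropCapabilities: [ "ALL" ]` under `spec` would tighten it; whether `runAsUser` can become `MustRunAsNonRoot` depends on the kubectl image, which is not visible here. Separately, `policy/v1beta1` PodSecurityPolicy is not served by Kubernetes 1.25 and later, so gating this template on `.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy"` would keep the uninstall hook working on such clusters.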
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: rancher-webhook
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+- kind: ServiceAccount
+ name: rancher-webhook
+ namespace: {{.Release.Namespace}}
diff --git a/charts/rancher-webhook/1.0.4+up0.2.5/templates/service.yaml b/charts/rancher-webhook/1.0.4+up0.2.5/templates/service.yaml
new file mode 100644
index 000000000..74a8a9e5a
--- /dev/null
+++ b/charts/rancher-webhook/1.0.4+up0.2.5/templates/service.yaml
@@ -0,0 +1,13 @@
+kind: Service
+apiVersion: v1
+metadata:
+ name: rancher-webhook
+ namespace: cattle-system
+spec:
+ ports:
+ - port: 443
+ targetPort: 9443
+ protocol: TCP
+ name: https
+ selector:
+ app: rancher-webhook
diff --git a/charts/rancher-webhook/1.0.4+up0.2.5/templates/serviceaccount.yaml b/charts/rancher-webhook/1.0.4+up0.2.5/templates/serviceaccount.yaml
new file mode 100644
index 000000000..f9251b418
--- /dev/null
+++ b/charts/rancher-webhook/1.0.4+up0.2.5/templates/serviceaccount.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: rancher-webhook
diff --git a/charts/rancher-webhook/1.0.4+up0.2.5/templates/webhook.yaml b/charts/rancher-webhook/1.0.4+up0.2.5/templates/webhook.yaml
new file mode 100644
index 000000000..4f95ae896
--- /dev/null
+++ b/charts/rancher-webhook/1.0.4+up0.2.5/templates/webhook.yaml
@@ -0,0 +1,19 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: rancher.cattle.io
+webhooks:
+- admissionReviewVersions:
+ - v1
+ - v1beta1
+ clientConfig:
+ service:
+ name: rancher-webhook
+ namespace: cattle-system
+ path: /v1/webhook/validation
+ port: 443
+ failurePolicy: Ignore
+ matchPolicy: Equivalent
+ name: rancher.cattle.io
+ sideEffects: None
+ timeoutSeconds: 10
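Review bot: The ClusterRoleBinding in templates/rbac.yaml gives the `rancher-webhook` ServiceAccount `cluster-admin`, which is much broader than an admission webhook normally needs. The permissions the webhook actually uses are not visible in this commit, so this is partly a question: if they can be enumerated, bind a dedicated ClusterRole listing them instead of `name: cluster-admin`. At minimum, add a comment above `roleRef` stating why cluster-admin is required, so the grant is a recorded decision and not a default.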
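Review bot: `namespace: cattle-system` is hard-coded in templates/service.yaml, whereas the Deployment and ServiceAccount templates set no namespace and templates/rbac.yaml uses `{{.Release.Namespace}}`. If the chart is installed into any other namespace, this Service is created in `cattle-system` and its `app: rancher-webhook` selector matches no pods there. Prefer `namespace: {{ .Release.Namespace }}`; the same hard-coded value appears in `clientConfig.service.namespace` in templates/webhook.yaml.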
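Review bot: `failurePolicy: Ignore` in templates/webhook.yaml makes this admission webhook fail open: when the service is unreachable or exceeds `timeoutSeconds: 10`, the API server admits the request without validation. If that availability trade-off is intended, record it in a comment above `failurePolicy`, and make sure webhook outages are monitored, since they silently switch the checks off. The configuration also declares no `rules` or `caBundle`; presumably the webhook fills these in at runtime, which deserves a comment as well.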
diff --git a/charts/rancher-webhook/1.0.4+up0.2.5/values.yaml b/charts/rancher-webhook/1.0.4+up0.2.5/values.yaml
new file mode 100644
index 000000000..430349a0a
--- /dev/null
+++ b/charts/rancher-webhook/1.0.4+up0.2.5/values.yaml
@@ -0,0 +1,24 @@
+image:
+ repository: rancher/rancher-webhook
+ tag: v0.2.5
+ imagePullPolicy: IfNotPresent
+
+global:
+ cattle:
+ systemDefaultRegistry: ""
+ hostNetwork: false
+
+capi:
+ enabled: false
+
+mcm:
+ enabled: true
+
+preDelete:
+ enabled: true
+ image:
+ repository: rancher/kubectl
+ tag: v1.20.2
+
+# tolerations for the webhook deployment. See https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ for more info
+tolerations: []
diff --git a/index.yaml b/index.yaml
index ddc5229ea..34fe5187d 100755
--- a/index.yaml
+++ b/index.yaml
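Review bot: `stamp` is read by templates/deployment.yaml (`value: "{{.Values.stamp}}"`) but is not declared in values.yaml, so the default value of the `STAMP` variable depends on how the renderer treats a missing key. Declare it explicitly, e.g. `stamp: ""`, with a comment saying what it is for. Both images are referenced by mutable tags (`v0.2.5`, `v1.20.2`) with `IfNotPresent`; pinning them by digest would need a template change and may be out of scope for this commit, but is worth tracking for a component that runs with cluster-wide privileges.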
@@ -6977,13 +6977,34 @@ entries: catalog.cattle.io/release-name: rancher-webhook apiVersion: v2 appVersion: 0.2.5 - created: "2022-03-29T09:51:23.547032-07:00" + created: "2022-03-30T08:28:22.837164-07:00" dependencies: - condition: capi.enabled name: capi repository: "" description: ValidatingAdmissionWebhook for Rancher types - digest: 0b4cc8831205486a3e3dc5bb6cf56cec7cebfc4eedb54cc46258ea297eef8f5a + digest: d56b28f316c6cff84cad21b76bd8109ac79ffd835f4e7f56f4b73442557a226e + name: rancher-webhook + urls: + - assets/rancher-webhook/rancher-webhook-1.0.4+up0.2.5.tgz + version: 1.0.4+up0.2.5 + - annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/namespace: cattle-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/rancher-version: <2.5.99-0 + catalog.cattle.io/release-name: rancher-webhook + apiVersion: v2 + appVersion: 0.2.5 + created: "2022-03-30T08:26:34.624569-07:00" + dependencies: + - condition: capi.enabled + name: capi + repository: "" + description: ValidatingAdmissionWebhook for Rancher types + digest: 3c4ba0bf085fadf18ed801776cee7ccb8d07d246ef228bd63da9ecba3f33ca38 name: rancher-webhook urls: - assets/rancher-webhook/rancher-webhook-1.0.3+up0.2.5.tgz diff --git a/packages/rancher-webhook/package.yaml b/packages/rancher-webhook/package.yaml index 0df54146e..720bc1d34 100644 --- a/packages/rancher-webhook/package.yaml +++ b/packages/rancher-webhook/package.yaml @@ -1,2 +1,2 @@ url: https://github.com/rancher/webhook/releases/download/v0.2.5/rancher-webhook-0.2.5.tgz -version: 1.0.3 +version: 1.0.4 diff --git a/release.yaml b/release.yaml index 2c86ffeed..960152675 100644 --- a/release.yaml +++ b/release.yaml 
@@ -1,87 +1,3 @@ -fleet: -- 100.0.3+up0.3.9 -fleet-agent: -- 100.0.3+up0.3.9 -fleet-crd: -- 100.0.3+up0.3.9 -longhorn: -- 1.1.300+up1.1.3 -- 1.2.300+up1.2.3 -- 100.1.2+up1.2.4 -longhorn-crd: -- 1.1.300+up1.1.3 -- 1.2.300+up1.2.3 -- 100.1.2+up1.2.4 -rancher-alerting-drivers: -- 1.0.301 -- 100.0.2 -rancher-backup: -- 1.2.100+up1.2.1 -- 2.1.1 -rancher-backup-crd: -- 1.2.100+up1.2.1 -- 2.1.1 -harvester-cloud-provider: -- 100.0.1+up0.1.8 -harvester-csi-driver: -- 100.0.1+up0.1.9 -rancher-external-ip-webhook: -- 100.0.2+up1.0.1 -rancher-istio: -- 1.10.400 -- 1.11.700 -- 100.1.2+up1.11.7 -rancher-kiali-server: -- 1.35.100+up1.35.0 -rancher-kiali-server-crd: -- 1.35.100+up1.35.0 -rancher-logging: -- 3.15.0 -- 100.1.0+up3.17.3 -rancher-logging-crd: -- 3.15.0 -- 100.1.0+up3.17.3 -rancher-monitoring: -- 100.1.1+up19.0.3 -- 16.6.1+up16.6.0 -rancher-monitoring-crd: -- 100.1.1+up19.0.3 -- 16.6.1+up16.6.0 -rancher-pushprox: -- 0.1.501 -rancher-vsphere-csi: -- 2.3.1 -- 100.2.0+up2.4.1-rancher1 -rancher-vsphere-cpi: -- 100.2.0+up1.1.0 rancher-webhook: -- 0.1.300+up0.1.3 - 1.0.3+up0.2.5 -rancher-windows-gmsa: -- 1.0.0 -rancher-windows-gmsa-crd: -- 1.0.0 -rancher-wins-upgrader: -- 100.0.1+up0.0.1 -rancher-eks-operator: -- 100.0.2+up1.1.3 -rancher-eks-operator-crd: -- 100.0.2+up1.1.3 -rancher-aks-operator: -- 100.0.3+up1.0.4 -rancher-aks-operator-crd: -- 100.0.3+up1.0.4 -rancher-gke-operator: -- 100.0.2+up1.1.3 -rancher-gke-operator-crd: -- 100.0.2+up1.1.3 -rancher-cis-benchmark: -- 2.0.3 -rancher-cis-benchmark-crd: -- 2.0.3 -system-upgrade-controller: -- 100.0.2+up0.3.2 -sriov: -- 100.0.2+up0.1.0 -sriov-crd: -- 100.0.2+up0.1.0 +- 1.0.4+up0.2.5 \ No newline at end of file