Merge pull request #1835 from aiyengar2/fix_rancher_webhook

Bump rancher-webhook to 1.0.4+up0.2.5

charts/rancher-webhook/1.0.3+up0.2.5/Chart.yaml

@@ -4,6 +4,7 @@ annotations:
   catalog.cattle.io/namespace: cattle-system
   catalog.cattle.io/os: linux
   catalog.cattle.io/permits-os: linux,windows
+  catalog.cattle.io/rancher-version: <2.5.99-0
   catalog.cattle.io/release-name: rancher-webhook
 apiVersion: v2
 appVersion: 0.2.5

charts/rancher-webhook/1.0.4+up0.2.5/Chart.yaml

@@ -0,0 +1,16 @@
+annotations:
+  catalog.cattle.io/certified: rancher
+  catalog.cattle.io/hidden: "true"
+  catalog.cattle.io/namespace: cattle-system
+  catalog.cattle.io/os: linux
+  catalog.cattle.io/permits-os: linux,windows
+  catalog.cattle.io/release-name: rancher-webhook
+apiVersion: v2
+appVersion: 0.2.5
+dependencies:
+- condition: capi.enabled
+  name: capi
+  repository: ""
+description: ValidatingAdmissionWebhook for Rancher types
+name: rancher-webhook
+version: 1.0.4+up0.2.5

charts/rancher-webhook/1.0.4+up0.2.5/charts/capi/Chart.yaml

@@ -0,0 +1,4 @@
+apiVersion: v2
+appVersion: 0.0.0
+name: capi
+version: 0.0.0

charts/rancher-webhook/1.0.4+up0.2.5/charts/capi/templates/service.yaml

@@ -0,0 +1,13 @@
+kind: Service
+apiVersion: v1
+metadata:
+  name: webhook-service
+  annotations:
+    need-a-cert.cattle.io/secret-name: rancher-webhook-tls
+spec:
+  ports:
+  - name: https
+    port: 443
+    targetPort: 8777
+  selector:
+    app: rancher-webhook

charts/rancher-webhook/1.0.4+up0.2.5/templates/_helpers.tpl

@@ -0,0 +1,11 @@
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- else -}}
+{{- "" -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "rancher-webhook.labels" -}}
+app: rancher-webhook
+{{- end }}

charts/rancher-webhook/1.0.4+up0.2.5/templates/deployment.yaml

@@ -0,0 +1,48 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: rancher-webhook
+spec:
+  selector:
+    matchLabels:
+      app: rancher-webhook
+  template:
+    metadata:
+      labels:
+        app: rancher-webhook
+    spec:
+      volumes:
+      - name: tls
+        secret:
+          secretName: rancher-webhook-tls
+      {{- if .Values.global.hostNetwork }}
+      hostNetwork: true
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      containers:
+      - env:
+        - name: STAMP
+          value: "{{.Values.stamp}}"
+        - name: ENABLE_CAPI
+          value: "{{.Values.capi.enabled}}"
+        - name: ENABLE_MCM
+          value: "{{.Values.mcm.enabled}}"
+        - name: NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: '{{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}'
+        name: rancher-webhook
+        imagePullPolicy: "{{ .Values.image.imagePullPolicy }}"
+        ports:
+        - name: https
+          containerPort: 9443
+        - name: capi-https
+          containerPort: 8777
+        volumeMounts:
+        - name: tls
+          mountPath: /tmp/k8s-webhook-server/serving-certs
+      serviceAccountName: rancher-webhook

charts/rancher-webhook/1.0.4+up0.2.5/templates/pre-delete-hook-cluster-role-binding.yaml

@@ -0,0 +1,19 @@
+{{- if .Values.preDelete.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: rancher-webhook-pre-delete
+  labels: {{ include "rancher-webhook.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-weight": "2"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: rancher-webhook-pre-delete
+subjects:
+  - kind: ServiceAccount
+    name: rancher-webhook-pre-delete
+    namespace: {{ .Release.Namespace }}
+{{- end }}

charts/rancher-webhook/1.0.4+up0.2.5/templates/pre-delete-hook-cluster-role.yaml

@@ -0,0 +1,23 @@
+{{- if .Values.preDelete.enabled }}
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: rancher-webhook-pre-delete
+  labels: {{ include "rancher-webhook.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-weight": "1"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
+rules:
+  - apiGroups: [ "admissionregistration.k8s.io" ]
+    resources: [ "mutatingwebhookconfigurations" ]
+    verbs: [ "delete" ]
+    resourceNames: [ "rancher.cattle.io" ]
+  - apiGroups: [ "" ]
+    resources: [ "serviceaccounts" ]
+    verbs: [ "get" ]
+  - apiGroups: [ "policy" ]
+    resources: [ "podsecuritypolicies" ]
+    verbs: [ "use" ]
+    resourceNames: [ "rancher-webhook-pre-delete" ]
+{{- end }}

charts/rancher-webhook/1.0.4+up0.2.5/templates/pre-delete-hook-job.yaml

@@ -0,0 +1,32 @@
+{{- if .Values.preDelete.enabled }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: rancher-webhook-pre-delete
+  namespace: {{ .Release.Namespace }}
+  labels: {{ include "rancher-webhook.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-weight": "3"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+spec:
+  backoffLimit: 3
+  template:
+    metadata:
+      name: rancher-webhook-pre-delete
+      labels: {{ include "rancher-webhook.labels" . | nindent 8 }}
+    spec:
+      serviceAccountName: rancher-webhook-pre-delete
+      restartPolicy: OnFailure
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: rancher-webhook-pre-delete
+          image: "{{ include "system_default_registry" . }}{{ .Values.preDelete.image.repository }}:{{ .Values.preDelete.image.tag }}"
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            runAsUser: 0
+          command: [ "kubectl", "delete", "--ignore-not-found=true", "mutatingwebhookconfigurations", "rancher.cattle.io" ]
+{{- end }}

charts/rancher-webhook/1.0.4+up0.2.5/templates/pre-delete-hook-psp.yaml

@@ -0,0 +1,33 @@
+{{- if .Values.preDelete.enabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: rancher-webhook-pre-delete
+  labels: {{ include "rancher-webhook.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-weight": "1"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
+spec:
+  privileged: false
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    rule: 'RunAsAny'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'MustRunAs'
+    ranges:
+      - min: 1
+        max: 65535
+  fsGroup:
+    rule: 'MustRunAs'
+    ranges:
+      - min: 1
+        max: 65535
+  readOnlyRootFilesystem: false
+  volumes:
+    - 'secret'
+{{- end }}

charts/rancher-webhook/1.0.4+up0.2.5/templates/pre-delete-hook-service-account.yaml

@@ -0,0 +1,12 @@
+{{- if .Values.preDelete.enabled }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: rancher-webhook-pre-delete
+  namespace: {{ .Release.Namespace }}
+  labels: {{ include "rancher-webhook.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-weight": "1"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
+{{- end }}

charts/rancher-webhook/1.0.4+up0.2.5/templates/rbac.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: rancher-webhook
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- kind: ServiceAccount
+  name: rancher-webhook
+  namespace: {{.Release.Namespace}}

charts/rancher-webhook/1.0.4+up0.2.5/templates/service.yaml

@@ -0,0 +1,13 @@
+kind: Service
+apiVersion: v1
+metadata:
+  name: rancher-webhook
+  namespace: cattle-system
+spec:
+  ports:
+  - port: 443
+    targetPort: 9443
+    protocol: TCP
+    name: https
+  selector:
+    app: rancher-webhook

charts/rancher-webhook/1.0.4+up0.2.5/templates/serviceaccount.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: rancher-webhook

charts/rancher-webhook/1.0.4+up0.2.5/templates/webhook.yaml

@@ -0,0 +1,19 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: rancher.cattle.io
+webhooks:
+- admissionReviewVersions:
+  - v1
+  - v1beta1
+  clientConfig:
+    service:
+      name: rancher-webhook
+      namespace: cattle-system
+      path: /v1/webhook/validation
+      port: 443
+  failurePolicy: Ignore
+  matchPolicy: Equivalent
+  name: rancher.cattle.io
+  sideEffects: None
+  timeoutSeconds: 10

charts/rancher-webhook/1.0.4+up0.2.5/values.yaml

@@ -0,0 +1,24 @@
+image:
+  repository: rancher/rancher-webhook
+  tag: v0.2.5
+  imagePullPolicy: IfNotPresent
+
+global:
+  cattle:
+    systemDefaultRegistry: ""
+  hostNetwork: false
+
+capi:
+  enabled: false
+
+mcm:
+  enabled: true
+
+preDelete:
+  enabled: true
+  image:
+    repository: rancher/kubectl
+    tag: v1.20.2
+
+# tolerations for the webhook deployment. See https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ for more info
+tolerations: []

index.yaml

@@ -6977,13 +6977,34 @@ entries:
       catalog.cattle.io/release-name: rancher-webhook
     apiVersion: v2
     appVersion: 0.2.5
-    created: "2022-03-29T09:51:23.547032-07:00"
+    created: "2022-03-30T08:28:22.837164-07:00"
     dependencies:
     - condition: capi.enabled
       name: capi
       repository: ""
     description: ValidatingAdmissionWebhook for Rancher types
-    digest: 0b4cc8831205486a3e3dc5bb6cf56cec7cebfc4eedb54cc46258ea297eef8f5a
+    digest: d56b28f316c6cff84cad21b76bd8109ac79ffd835f4e7f56f4b73442557a226e
+    name: rancher-webhook
+    urls:
+    - assets/rancher-webhook/rancher-webhook-1.0.4+up0.2.5.tgz
+    version: 1.0.4+up0.2.5
+  - annotations:
+      catalog.cattle.io/certified: rancher
+      catalog.cattle.io/hidden: "true"
+      catalog.cattle.io/namespace: cattle-system
+      catalog.cattle.io/os: linux
+      catalog.cattle.io/permits-os: linux,windows
+      catalog.cattle.io/rancher-version: <2.5.99-0
+      catalog.cattle.io/release-name: rancher-webhook
+    apiVersion: v2
+    appVersion: 0.2.5
+    created: "2022-03-30T08:26:34.624569-07:00"
+    dependencies:
+    - condition: capi.enabled
+      name: capi
+      repository: ""
+    description: ValidatingAdmissionWebhook for Rancher types
+    digest: 3c4ba0bf085fadf18ed801776cee7ccb8d07d246ef228bd63da9ecba3f33ca38
     name: rancher-webhook
     urls:
     - assets/rancher-webhook/rancher-webhook-1.0.3+up0.2.5.tgz

packages/rancher-webhook/package.yaml

@@ -1,2 +1,2 @@
 url: https://github.com/rancher/webhook/releases/download/v0.2.5/rancher-webhook-0.2.5.tgz
-version: 1.0.3
+version: 1.0.4

release.yaml

@@ -1,87 +1,3 @@
-fleet:
-- 100.0.3+up0.3.9
-fleet-agent:
-- 100.0.3+up0.3.9
-fleet-crd:
-- 100.0.3+up0.3.9
-longhorn:
-- 1.1.300+up1.1.3
-- 1.2.300+up1.2.3
-- 100.1.2+up1.2.4
-longhorn-crd:
-- 1.1.300+up1.1.3
-- 1.2.300+up1.2.3
-- 100.1.2+up1.2.4
-rancher-alerting-drivers:
-- 1.0.301
-- 100.0.2
-rancher-backup:
-- 1.2.100+up1.2.1
-- 2.1.1
-rancher-backup-crd:
-- 1.2.100+up1.2.1
-- 2.1.1
-harvester-cloud-provider:
-- 100.0.1+up0.1.8
-harvester-csi-driver:
-- 100.0.1+up0.1.9
-rancher-external-ip-webhook:
-- 100.0.2+up1.0.1
-rancher-istio:
-- 1.10.400
-- 1.11.700
-- 100.1.2+up1.11.7
-rancher-kiali-server:
-- 1.35.100+up1.35.0
-rancher-kiali-server-crd:
-- 1.35.100+up1.35.0
-rancher-logging:
-- 3.15.0
-- 100.1.0+up3.17.3
-rancher-logging-crd:
-- 3.15.0
-- 100.1.0+up3.17.3
-rancher-monitoring:
-- 100.1.1+up19.0.3
-- 16.6.1+up16.6.0
-rancher-monitoring-crd:
-- 100.1.1+up19.0.3
-- 16.6.1+up16.6.0
-rancher-pushprox:
-- 0.1.501
-rancher-vsphere-csi:
-- 2.3.1
-- 100.2.0+up2.4.1-rancher1
-rancher-vsphere-cpi:
-- 100.2.0+up1.1.0
 rancher-webhook:
-- 0.1.300+up0.1.3
 - 1.0.3+up0.2.5
-rancher-windows-gmsa:
+- 1.0.4+up0.2.5
-- 1.0.0
-rancher-windows-gmsa-crd:
-- 1.0.0
-rancher-wins-upgrader:
-- 100.0.1+up0.0.1
-rancher-eks-operator:
-- 100.0.2+up1.1.3
-rancher-eks-operator-crd:
-- 100.0.2+up1.1.3
-rancher-aks-operator:
-- 100.0.3+up1.0.4
-rancher-aks-operator-crd:
-- 100.0.3+up1.0.4
-rancher-gke-operator:
-- 100.0.2+up1.1.3
-rancher-gke-operator-crd:
-- 100.0.2+up1.1.3
-rancher-cis-benchmark:
-- 2.0.3
-rancher-cis-benchmark-crd:
-- 2.0.3
-system-upgrade-controller:
-- 100.0.2+up0.3.2
-sriov:
-- 100.0.2+up0.1.0
-sriov-crd:
-- 100.0.2+up0.1.0