diff --git a/assets/rancher-webhook/rancher-webhook-2.0.0+up0.3.0-rc5.tgz b/assets/rancher-webhook/rancher-webhook-2.0.0+up0.3.0-rc5.tgz new file mode 100644 index 000000000..093667482 Binary files /dev/null and b/assets/rancher-webhook/rancher-webhook-2.0.0+up0.3.0-rc5.tgz differ diff --git a/charts/rancher-webhook/2.0.0+up0.3.0-rc5/Chart.yaml b/charts/rancher-webhook/2.0.0+up0.3.0-rc5/Chart.yaml new file mode 100644 index 000000000..29215c013 --- /dev/null +++ b/charts/rancher-webhook/2.0.0+up0.3.0-rc5/Chart.yaml @@ -0,0 +1,18 @@ +annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/kube-version: '>= 1.16.0-0 < 1.25.0-0' + catalog.cattle.io/namespace: cattle-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0' + catalog.cattle.io/release-name: rancher-webhook +apiVersion: v2 +appVersion: 0.3.0-rc5 +dependencies: +- condition: capi.enabled + name: capi + repository: "" +description: ValidatingAdmissionWebhook for Rancher types +name: rancher-webhook +version: 2.0.0+up0.3.0-rc5 diff --git a/charts/rancher-webhook/2.0.0+up0.3.0-rc5/charts/capi/Chart.yaml b/charts/rancher-webhook/2.0.0+up0.3.0-rc5/charts/capi/Chart.yaml new file mode 100644 index 000000000..388210bef --- /dev/null +++ b/charts/rancher-webhook/2.0.0+up0.3.0-rc5/charts/capi/Chart.yaml @@ -0,0 +1,4 @@ +apiVersion: v2 +appVersion: 0.0.0 +name: capi +version: 0.0.0 diff --git a/charts/rancher-webhook/2.0.0+up0.3.0-rc5/charts/capi/templates/service.yaml b/charts/rancher-webhook/2.0.0+up0.3.0-rc5/charts/capi/templates/service.yaml new file mode 100644 index 000000000..08df65d62 --- /dev/null +++ b/charts/rancher-webhook/2.0.0+up0.3.0-rc5/charts/capi/templates/service.yaml @@ -0,0 +1,13 @@ +kind: Service +apiVersion: v1 +metadata: + name: webhook-service + annotations: + need-a-cert.cattle.io/secret-name: rancher-webhook-tls +spec: + ports: + - name: https + port: 443 + targetPort: 8777 + selector: + app: rancher-webhook diff --git a/charts/rancher-webhook/2.0.0+up0.3.0-rc5/templates/_helpers.tpl b/charts/rancher-webhook/2.0.0+up0.3.0-rc5/templates/_helpers.tpl new file mode 100644 index 000000000..c37a65c6f --- /dev/null +++ b/charts/rancher-webhook/2.0.0+up0.3.0-rc5/templates/_helpers.tpl @@ -0,0 +1,22 @@ +{{- define "system_default_registry" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} +{{- else -}} +{{- "" -}} +{{- end -}} +{{- end -}} + +{{- define "rancher-webhook.labels" -}} +app: rancher-webhook +{{- end }} + +{{- define "linux-node-tolerations" -}} +- key: "cattle.io/os" + value: "linux" + effect: "NoSchedule" + operator: "Equal" +{{- end -}} + +{{- define "linux-node-selector" -}} +kubernetes.io/os: linux +{{- end -}} \ No newline at end of file diff --git a/charts/rancher-webhook/2.0.0+up0.3.0-rc5/templates/deployment.yaml b/charts/rancher-webhook/2.0.0+up0.3.0-rc5/templates/deployment.yaml new file mode 100644 index 000000000..e5f70be95 --- /dev/null +++ b/charts/rancher-webhook/2.0.0+up0.3.0-rc5/templates/deployment.yaml @@ -0,0 +1,55 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: rancher-webhook +spec: + selector: + matchLabels: + app: rancher-webhook + template: + metadata: + labels: + app: rancher-webhook + spec: + volumes: + - name: tls + secret: + secretName: rancher-webhook-tls + {{- if .Values.global.hostNetwork }} + hostNetwork: true + {{- end }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} + {{- if .Values.nodeSelector }} +{{ toYaml .Values.nodeSelector | indent 8 }} + {{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 6 }} + {{- if .Values.tolerations }} +{{ toYaml .Values.tolerations | indent 6 }} + {{- end }} + containers: + - env: + - name: STAMP + value: "{{.Values.stamp}}" + - name: ENABLE_CAPI + value: "{{.Values.capi.enabled}}" + - name: ENABLE_MCM + value: "{{.Values.mcm.enabled}}" + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: '{{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}' + name: rancher-webhook + imagePullPolicy: "{{ .Values.image.imagePullPolicy }}" + ports: + - name: https + containerPort: 9443 + - name: capi-https + containerPort: 8777 + volumeMounts: + - name: tls + mountPath: /tmp/k8s-webhook-server/serving-certs + serviceAccountName: rancher-webhook + {{- if .Values.priorityClassName }} + priorityClassName: "{{.Values.priorityClassName}}" + {{- end }} diff --git a/charts/rancher-webhook/2.0.0+up0.3.0-rc5/templates/pre-delete-hook-cluster-role-binding.yaml b/charts/rancher-webhook/2.0.0+up0.3.0-rc5/templates/pre-delete-hook-cluster-role-binding.yaml new file mode 100644 index 000000000..ca439ff48 --- /dev/null +++ b/charts/rancher-webhook/2.0.0+up0.3.0-rc5/templates/pre-delete-hook-cluster-role-binding.yaml @@ -0,0 +1,19 @@ +{{- if .Values.preDelete.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: rancher-webhook-pre-delete + labels: {{ include "rancher-webhook.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-weight": "2" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: rancher-webhook-pre-delete +subjects: + - kind: ServiceAccount + name: rancher-webhook-pre-delete + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/rancher-webhook/2.0.0+up0.3.0-rc5/templates/pre-delete-hook-cluster-role.yaml b/charts/rancher-webhook/2.0.0+up0.3.0-rc5/templates/pre-delete-hook-cluster-role.yaml new file mode 100644 index 000000000..36a1c7fef --- /dev/null +++ b/charts/rancher-webhook/2.0.0+up0.3.0-rc5/templates/pre-delete-hook-cluster-role.yaml @@ -0,0 +1,23 @@ +{{- if .Values.preDelete.enabled }} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: rancher-webhook-pre-delete + labels: {{ include "rancher-webhook.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed +rules: + - apiGroups: [ "admissionregistration.k8s.io" ] + resources: [ "mutatingwebhookconfigurations" ] + verbs: [ "delete" ] + resourceNames: [ "rancher.cattle.io" ] + - apiGroups: [ "" ] + resources: [ "serviceaccounts" ] + verbs: [ "get" ] + - apiGroups: [ "policy" ] + resources: [ "podsecuritypolicies" ] + verbs: [ "use" ] + resourceNames: [ "rancher-webhook-pre-delete" ] +{{- end }} diff --git a/charts/rancher-webhook/2.0.0+up0.3.0-rc5/templates/pre-delete-hook-job.yaml b/charts/rancher-webhook/2.0.0+up0.3.0-rc5/templates/pre-delete-hook-job.yaml new file mode 100644 index 000000000..d3608f366 --- /dev/null +++ b/charts/rancher-webhook/2.0.0+up0.3.0-rc5/templates/pre-delete-hook-job.yaml @@ -0,0 +1,39 @@ +{{- if .Values.preDelete.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: rancher-webhook-pre-delete + namespace: {{ .Release.Namespace }} + labels: {{ include "rancher-webhook.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-weight": "3" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded +spec: + backoffLimit: 3 + template: + metadata: + name: rancher-webhook-pre-delete + labels: {{ include "rancher-webhook.labels" . | nindent 8 }} + spec: + serviceAccountName: rancher-webhook-pre-delete + {{- if .Values.priorityClassName }} + priorityClassName: "{{.Values.priorityClassName}}" + {{- end }} + restartPolicy: OnFailure + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} + {{- if .Values.nodeSelector }} +{{ toYaml .Values.nodeSelector | indent 8 }} + {{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 6 }} + {{- if .Values.tolerations }} +{{ toYaml .Values.tolerations | indent 6 }} + {{- end }} + containers: + - name: rancher-webhook-pre-delete + image: "{{ include "system_default_registry" . }}{{ .Values.preDelete.image.repository }}:{{ .Values.preDelete.image.tag }}" + imagePullPolicy: IfNotPresent + securityContext: + runAsUser: 0 + command: [ "kubectl", "delete", "--ignore-not-found=true", "mutatingwebhookconfigurations", "rancher.cattle.io" ] +{{- end }} diff --git a/charts/rancher-webhook/2.0.0+up0.3.0-rc5/templates/pre-delete-hook-psp.yaml b/charts/rancher-webhook/2.0.0+up0.3.0-rc5/templates/pre-delete-hook-psp.yaml new file mode 100644 index 000000000..8acf758d0 --- /dev/null +++ b/charts/rancher-webhook/2.0.0+up0.3.0-rc5/templates/pre-delete-hook-psp.yaml @@ -0,0 +1,33 @@ +{{- if .Values.preDelete.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: rancher-webhook-pre-delete + labels: {{ include "rancher-webhook.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed +spec: + privileged: false + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + readOnlyRootFilesystem: false + volumes: + - 'secret' +{{- end }} diff --git a/charts/rancher-webhook/2.0.0+up0.3.0-rc5/templates/pre-delete-hook-service-account.yaml b/charts/rancher-webhook/2.0.0+up0.3.0-rc5/templates/pre-delete-hook-service-account.yaml new file mode 100644 index 000000000..93e215394 --- /dev/null +++ b/charts/rancher-webhook/2.0.0+up0.3.0-rc5/templates/pre-delete-hook-service-account.yaml @@ -0,0 +1,12 @@ +{{- if .Values.preDelete.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: rancher-webhook-pre-delete + namespace: {{ .Release.Namespace }} + labels: {{ include "rancher-webhook.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed +{{- end }} diff --git a/charts/rancher-webhook/2.0.0+up0.3.0-rc5/templates/rbac.yaml b/charts/rancher-webhook/2.0.0+up0.3.0-rc5/templates/rbac.yaml new file mode 100644 index 000000000..9afaae6c6 --- /dev/null +++ b/charts/rancher-webhook/2.0.0+up0.3.0-rc5/templates/rbac.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: rancher-webhook +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: +- kind: ServiceAccount + name: rancher-webhook + namespace: {{.Release.Namespace}} diff --git a/charts/rancher-webhook/2.0.0+up0.3.0-rc5/templates/service.yaml b/charts/rancher-webhook/2.0.0+up0.3.0-rc5/templates/service.yaml new file mode 100644 index 000000000..74a8a9e5a --- /dev/null +++ b/charts/rancher-webhook/2.0.0+up0.3.0-rc5/templates/service.yaml @@ -0,0 +1,13 @@ +kind: Service +apiVersion: v1 +metadata: + name: rancher-webhook + namespace: cattle-system +spec: + ports: + - port: 443 + targetPort: 9443 + protocol: TCP + name: https + selector: + app: rancher-webhook diff --git a/charts/rancher-webhook/2.0.0+up0.3.0-rc5/templates/serviceaccount.yaml b/charts/rancher-webhook/2.0.0+up0.3.0-rc5/templates/serviceaccount.yaml new file mode 100644 index 000000000..f9251b418 --- /dev/null +++ b/charts/rancher-webhook/2.0.0+up0.3.0-rc5/templates/serviceaccount.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: rancher-webhook diff --git a/charts/rancher-webhook/2.0.0+up0.3.0-rc5/templates/webhook.yaml b/charts/rancher-webhook/2.0.0+up0.3.0-rc5/templates/webhook.yaml new file mode 100644 index 000000000..4f95ae896 --- /dev/null +++ b/charts/rancher-webhook/2.0.0+up0.3.0-rc5/templates/webhook.yaml @@ -0,0 +1,19 @@ +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: rancher.cattle.io +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: rancher-webhook + namespace: cattle-system + path: /v1/webhook/validation + port: 443 + failurePolicy: Ignore + matchPolicy: Equivalent + name: rancher.cattle.io + sideEffects: None + timeoutSeconds: 10 diff --git a/charts/rancher-webhook/2.0.0+up0.3.0-rc5/values.yaml b/charts/rancher-webhook/2.0.0+up0.3.0-rc5/values.yaml new file mode 100644 index 000000000..7f7f095d9 --- /dev/null +++ b/charts/rancher-webhook/2.0.0+up0.3.0-rc5/values.yaml @@ -0,0 +1,28 @@ +image: + repository: rancher/rancher-webhook + tag: v0.3.0-rc5 + imagePullPolicy: IfNotPresent + +global: + cattle: + systemDefaultRegistry: "" + hostNetwork: false + +capi: + enabled: false + +mcm: + enabled: true + +preDelete: + enabled: true + image: + repository: rancher/kubectl + tag: v1.23.3 + +# tolerations for the webhook deployment. See https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ for more info +tolerations: [] +nodeSelector: {} + +## PriorityClassName assigned to deployment. +priorityClassName: ""