From a8607cb6d637587cfd5dd23035f9dd0d59265bfd Mon Sep 17 00:00:00 2001
From: Michael Bolot <michael.bolot@suse.com>
Date: Tue, 3 Oct 2023 10:32:15 -0500
Subject: [PATCH 1/3] Bump rancher-webhook to v0.4.0-rc10

---
 packages/rancher-webhook/package.yaml | 2 +-
 release.yaml                          | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/packages/rancher-webhook/package.yaml b/packages/rancher-webhook/package.yaml
index d8bc1c9a6..25ca96189 100644
--- a/packages/rancher-webhook/package.yaml
+++ b/packages/rancher-webhook/package.yaml
@@ -1,3 +1,3 @@
-url: https://github.com/rancher/webhook/releases/download/v0.4.0-rc9/rancher-webhook-0.4.0-rc9.tgz
+url: https://github.com/rancher/webhook/releases/download/v0.4.0-rc10/rancher-webhook-0.4.0-rc10.tgz
 version: 103.0.0
 doNotRelease: false
diff --git a/release.yaml b/release.yaml
index 2a10d916b..6b29c672f 100644
--- a/release.yaml
+++ b/release.yaml
@@ -28,7 +28,7 @@ rancher-provisioning-capi:
   - 103.0.0+up0.0.1
   - 100.0.0+up0.0.1
 rancher-webhook:
-  - 103.0.0+up0.4.0-rc9
+  - 103.0.0+up0.4.0-rc10
   - 2.0.6+up0.3.6
 rancher-aks-operator:
   - 103.0.0+up1.2.0-rc4

From 137a088dba303dad53098656d48120acc5061b33 Mon Sep 17 00:00:00 2001
From: Michael Bolot <michael.bolot@suse.com>
Date: Tue, 3 Oct 2023 11:10:53 -0500
Subject: [PATCH 2/3] make charts

---
 .../rancher-webhook-103.0.0+up0.4.0-rc10.tgz  | Bin 0 -> 3166 bytes
 .../103.0.0+up0.4.0-rc10/Chart.yaml           |  18 ++++
 .../charts/capi/Chart.yaml                    |   4 +
 .../charts/capi/templates/service.yaml        |  13 +++
 .../templates/_helpers.tpl                    |  22 ++++
 .../templates/deployment.yaml                 | 102 ++++++++++++++++++
 .../103.0.0+up0.4.0-rc10/templates/rbac.yaml  |  12 +++
 .../templates/secret.yaml                     |  11 ++
 .../templates/service.yaml                    |  13 +++
 .../templates/serviceaccount.yaml             |  11 ++
 .../templates/webhook.yaml                    |   9 ++
 .../103.0.0+up0.4.0-rc10/tests/README.md      |  16 +++
 .../tests/capi-service_test.yaml              |  20 ++++
 .../tests/deployment_test.yaml                |  94 ++++++++++++++++
 .../tests/service_test.yaml                   |  18 ++++
 .../103.0.0+up0.4.0-rc10/values.yaml          |  34 ++++++
 index.yaml                                    |  10 +-
 17 files changed, 402 insertions(+), 5 deletions(-)
 create mode 100644 assets/rancher-webhook/rancher-webhook-103.0.0+up0.4.0-rc10.tgz
 create mode 100644 charts/rancher-webhook/103.0.0+up0.4.0-rc10/Chart.yaml
 create mode 100644 charts/rancher-webhook/103.0.0+up0.4.0-rc10/charts/capi/Chart.yaml
 create mode 100644 charts/rancher-webhook/103.0.0+up0.4.0-rc10/charts/capi/templates/service.yaml
 create mode 100644 charts/rancher-webhook/103.0.0+up0.4.0-rc10/templates/_helpers.tpl
 create mode 100644 charts/rancher-webhook/103.0.0+up0.4.0-rc10/templates/deployment.yaml
 create mode 100644 charts/rancher-webhook/103.0.0+up0.4.0-rc10/templates/rbac.yaml
 create mode 100644 charts/rancher-webhook/103.0.0+up0.4.0-rc10/templates/secret.yaml
 create mode 100644 charts/rancher-webhook/103.0.0+up0.4.0-rc10/templates/service.yaml
 create mode 100644 charts/rancher-webhook/103.0.0+up0.4.0-rc10/templates/serviceaccount.yaml
 create mode 100644 charts/rancher-webhook/103.0.0+up0.4.0-rc10/templates/webhook.yaml
 create mode 100644 charts/rancher-webhook/103.0.0+up0.4.0-rc10/tests/README.md
 create mode 100644 charts/rancher-webhook/103.0.0+up0.4.0-rc10/tests/capi-service_test.yaml
 create mode 100644 charts/rancher-webhook/103.0.0+up0.4.0-rc10/tests/deployment_test.yaml
 create mode 100644 charts/rancher-webhook/103.0.0+up0.4.0-rc10/tests/service_test.yaml
 create mode 100644 charts/rancher-webhook/103.0.0+up0.4.0-rc10/values.yaml

diff --git a/assets/rancher-webhook/rancher-webhook-103.0.0+up0.4.0-rc10.tgz b/assets/rancher-webhook/rancher-webhook-103.0.0+up0.4.0-rc10.tgz
new file mode 100644
index 0000000000000000000000000000000000000000..aaa7ae510a2252348b72816431a7f3824e6bfddf
GIT binary patch
literal 3166
zcmV-k459NMiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc
zVQyr3R8em|NM&qo0PH;PZ`-(%{j9%Y;M}1fu9D@%aa!T_0I!?fE6}7t5_IvfSY&Bw
zY;#MKsz^EOP4mA$kd$OemhCk5bM`%Wz9go|;gFo)94R3@oM7VK<8UIxm-b*n66MXw
zl)c&+_`dJ=x?S_v_x<|cPUraKRi}IEpZO=fle69{ztcTFJ$nWI?nqb-sZ=C+<!?P#
zeR2OLKsXnQC@Q!N9DtB0!o=7MiBb$bD%v3?ijF8o0c5<=*lj|i2zdZ4m895e?D8cY
zqC3MxQo#dw{eM3|$2&gpeAkEn)&IWL|GsV<%E=UEOhOF6Ho9^y6;2yF3mE{TJpHrr
zX^hE~D(M!z-rQ3jiF?`DI~R`%*~i}7jOt_W-D;u}WJn~sn)qV#azS%QOh4yHXU7hS
z<Kn09bv@rr!jA7m7$c96hZJStxDW~+QDu6CB&Hs6GGrJz0CpDL=l~=b3rUqo<^i-?
zPJ}W{Xl%!QCX7ZzQ9kZRQ!4e8zgU`JBoer`bb^}4D4k~7i{0q>C!X*5|C7cgnqQiw
z5AYpO*Z(uZQk1(j0GsrG&p)o~|I^Mv|L+Cpl#DT`sf>&%+I6`HP-GmytR(CJ2E$d#
z*p*;3oCok>bSczTf)crMoG}wa!ZO>Un3)T}s_*wWA}LeXIHpo%x(Z+-q`E|PFOn|-
zj0ltHI9jjik(s{B+W}&cr~uxcot-((G@MrYXj9}kN1z15#M(Hc;?x8oTM|SVGclhc
zS03CT!bGW925n=k5{?R`R^^chWjho+#8}C;3?~?+jPkLIGa72dZAB<oF5!{8n5}JQ
zn~DU1@{w>#bOiA0Zw?m`-XOzJi6nrBN5?rjf~$mzgsS;~5h*Xp6oE)d#~dS2qD-z6
z*L#}%bB@fOWTPb9PiQ!?O-ev25$-3*AxSx>e7vOE?S8)Nc26{>E0T~YDopIgkyK5P
zD;gT}VfN7&brMsF$qW<E(OvW*9KoR9G^W}gLPn7*&`yT*;KK-T8msx6qFr!~p*^{K
z${28=V2EX;7<p#8i&UCNLn5))b&-c6vd=88K|f=!Bj__G?irN|#0UnLc5P22jPSW>
zgzQX)bF&SDKE#Qb(Fh};yqMAwtqBe_>sWe-o*tvYrR9Q`mH)c_S2&FsQ7GGY6J#+a
z(o^x4reK5q_s>r2`oGufbq@M}AMo(tLWCpA5n5I$-$hm{-zAw^Zh`yw=;)4g1m0)s
zAXv4Yd%KP5yciZIl&cZ6{#&+N&q9DqV)3K3pa*%h^uJSHQH{GjMuy0wML^<s*|W_t
z)e)IU!PN@8q~9|{E_^|4yUG!WRy4+y3bL`f0Y@VYRRFC^abr!0iIhaF@o5v#I{%sy
z)>^%u5*acx9F~TvxmrX(B}~odzgqrFre;fTaD)8!I=)|%|Fe^`?m_<d0h&SnOPf;&
zekf$q{Qd@+B7lg73XH@oLRJ#TvOViKUnq|Pcwg{}Get!rqDWB0q;(mSF^2kS&cW6r
zoDvmIJ{tM74FHW23XrpCHm)?E23A3_5(z*~hK5YJiKN(qa&&Ds$SaKc<6|~#CRjQ}
zS;mqnj|$pGoJA)$+a|?iLA1m$LA6*!-g4Qrq3&YjDhgIDAfMYlaYOP%3hMngtvplq
zCC`4*wc_p@mwg4!n!Ee}l!q*hR;fh~z5%B^(r(<_m6Vl{f-xna#6QTCHTU=i%@`|$
zR{Z=GbXKfLnbh7&Qp;gXBc<gI1);q)goc9axCN7fg>{G7;?#5gxVi0LT$OksH*F6O
z`P@>GY5e%uS{izO+5hq5`Q4y@^<gc7vT&@yb1}GBi)I>5*I^m-Z*M=I-(7vWzFkJM
zz+%Fsg#y&!5PXBLsZdyK-V##1#EqEEGHd8{^tuN9W&h&*=Bht9ujBnG5!14S0*olK
z=o&}W)~x-Cs7X-hORvbO7JVzqViBc415N#pA3yza{{C)od9%FQ*AEZyhoBr<Z(2>*
zURP$UaAcNFusCu>zs585;PLU{p^yMG*juDB;PEk7daTH}LPWEbs?bwTZ?u*W*1ABM
z@$^y4Wq~qjhSJUzl6Ym}@6r@atk`fMny=iaV_n6DCCu6{QfYjZh#{8wNl)@~)ieOa
zhPPVn2@<9zf3>O)&Fn2hUG<3!Cus5(|9^XXbyI#eB9x^G-cAyf6TzYYdVc9~j0qLd
z4Tge8GJw<K5u-EYDCG;0y^^kHdKkHnaUoJ(=A#C|d6Kiy>}~)|HGZog+G-lNzr2-&
zdtoyoZT*Mxv1?KyrJ)Iu=o4r2it%1Y;p(-nc1NB>VbiehrmnPqm#BWEJi5^f53$@=
zVwjrLo8SuntT0tbVlt$RDvGkoY$S@R4K7@s-`@TB;qv|6&H44`4<!x1M4z-o^uti^
zL!%$q>@_T92^Tn<5{M-mSbw@uYbEMlI(|98cCb4BPlhDi%{|bj{9pH^Q_uf(jt}ww
zUZ5P)n-kZ{StRr?6GwPo-kO9`5$F$CDitQzf}vK8l#ibf@F#*{=9H3{{+x(3UNe~k
zur$}=e%rRWB$`t0$aMGzhRWQG+c7s4HMx=^+n!YvJUn>U_Nv~y%v)Eb%l_kFwfx(7
ze-|2Hll-3?pVsC7)IZ4oUf_H3e=GgBN-ayr$+ba9yfBM9mdE7ss+p`ohm?J}mDN9L
z9%BHXV)8Xb=irn)2iD2IQKdUj02}4MSI__VdZ)dE{O<!QX0tBHn@#%~;mq^vMFzyp
zBI<7U#KaMbBx6+HlkkWWp+qQH0Jj61j;v-=sy7Oang5sG@4p*tlz(DfscqE2M*qKF
z|8?vipZEv)-v`trzR`=`tOi`yt?Q2GVRB^}=?I`!mYf%lnOdxJF>C9lpH(=8gu@Vl
zPGd}@;6&Miso^{(Qr4$|Syluqc<ZH4;ALU8{O2_jd$9kf-DUfKsQ=sxRPOZidhqOi
zr8xz#s2|VD#s`9r=s30ASBv<fGJZ*2JZ<8ORBboyOYimH5tij&D%rk1@4vq|_omTK
z=GbWe&+78uJ?otu<bNOF9324@Az={V4D{(!J_gFAN>W>R>o}i`v4u_mKc$R8I3bCG
z!3RiE4);_|fS7ByJUQn$zyJRGkjRPSwXLa^Z8Ju;Lkjv~f$}(jTa-#;l0e2p&ui*w
z?Hq!$IV{i}8M+8#rppA`6k?W+DTfhFqyo3nmiNsoy2n&a(xDfMX<K)5Q%;p$Z}pcq
zrpnQ?>HTnX@~d6s#4h5c&u$mcEdS;<IST;p%$m3H0yfEiuh*^n|Gs~GkpF#vOsT?5
z3iB*L;RD*JJ(pb)(-r9<$8e49O;rGLB2pHCL{)mv!iMuEy0<SG*($unm3;Zex^!Jj
zq{LDUg$wvKwJ((9U~lndjG;*$$Y1^6yhU<hxjx0dEz&@28b>y6FoO-PjYQf!#_>t#
z-M&dTbMEr|o8^B|`@6mLZ<PO2|E!+>KkIc4_5XW;viz5-cxx)4RtxTIA@JWN6FC{4
z`L!rl)M8S|OQp(bS!CYj`Nr)h>uj9NsFr-Ptgn2=e8^|DIxgh3+NE^`jf=`iz53Qm
zP}EcnxgbmLQ){gb&iSZG3D@-R-dU=o`TriLtO;7bo!UY@*`V!sLpO`fOKs?SCT-qT
zE|l5Xa-kOt=eff3ns<=O%alE53u~ojjfc$Z<d|1Hmn+z)G`@+~zysBu>wK6kj;FR3
zuS~N?qNw5QmP_PTok#XE28g6mGg&&CtxqPK;`u`@NsVVX=-Vpo?C=JC5V0-gCkg5v
z^+T)Ns0X$8UQLx|xnt?2(^9!*^`+O+gFnPBPQSWe8$`0Hdb8<06xi@C%2pg&Ii@Yh
zerC1mih9-k=)~rl{z4sAdF74fke7B|53n^f$A3FZ{TSGk|2aK5tH*zS?{NRK7kEPc
zr;_Q}SLFAkY>53##q$z5+qk?hldAcbKwbXJ$-Z5E3vQGA`)Bp<zxBGkL;iO!u=X=#
zzUMoo?~2W;PhOhz1MC3S$^WiuK{ww2c53<G<Bor*|JV<FXZ>e6hN0%w;iXC~ju^Sb
z1fZplA=-$o`CEwQ0|pJ{qV-p0pHn_+-mNy}qle<q103K02Pnfo0{{U3|F8rX*#KGq
E03vW#vH$=8

literal 0
HcmV?d00001

diff --git a/charts/rancher-webhook/103.0.0+up0.4.0-rc10/Chart.yaml b/charts/rancher-webhook/103.0.0+up0.4.0-rc10/Chart.yaml
new file mode 100644
index 000000000..6c5aad626
--- /dev/null
+++ b/charts/rancher-webhook/103.0.0+up0.4.0-rc10/Chart.yaml
@@ -0,0 +1,18 @@
+annotations:
+  catalog.cattle.io/certified: rancher
+  catalog.cattle.io/hidden: "true"
+  catalog.cattle.io/kube-version: '>= 1.23.0-0 < 1.28.0-0'
+  catalog.cattle.io/namespace: cattle-system
+  catalog.cattle.io/os: linux
+  catalog.cattle.io/permits-os: linux,windows
+  catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0'
+  catalog.cattle.io/release-name: rancher-webhook
+apiVersion: v2
+appVersion: 0.4.0-rc10
+dependencies:
+- condition: capi.enabled
+  name: capi
+  repository: ""
+description: ValidatingAdmissionWebhook for Rancher types
+name: rancher-webhook
+version: 103.0.0+up0.4.0-rc10
diff --git a/charts/rancher-webhook/103.0.0+up0.4.0-rc10/charts/capi/Chart.yaml b/charts/rancher-webhook/103.0.0+up0.4.0-rc10/charts/capi/Chart.yaml
new file mode 100644
index 000000000..388210bef
--- /dev/null
+++ b/charts/rancher-webhook/103.0.0+up0.4.0-rc10/charts/capi/Chart.yaml
@@ -0,0 +1,4 @@
+apiVersion: v2
+appVersion: 0.0.0
+name: capi
+version: 0.0.0
diff --git a/charts/rancher-webhook/103.0.0+up0.4.0-rc10/charts/capi/templates/service.yaml b/charts/rancher-webhook/103.0.0+up0.4.0-rc10/charts/capi/templates/service.yaml
new file mode 100644
index 000000000..de7c255c4
--- /dev/null
+++ b/charts/rancher-webhook/103.0.0+up0.4.0-rc10/charts/capi/templates/service.yaml
@@ -0,0 +1,13 @@
+kind: Service
+apiVersion: v1
+metadata:
+  name: webhook-service
+  annotations:
+    need-a-cert.cattle.io/secret-name: rancher-webhook-tls
+spec:
+  ports:
+  - name: https
+    port: 443
+    targetPort: {{ .Values.port | default 8777 }}
+  selector:
+    app: rancher-webhook
diff --git a/charts/rancher-webhook/103.0.0+up0.4.0-rc10/templates/_helpers.tpl b/charts/rancher-webhook/103.0.0+up0.4.0-rc10/templates/_helpers.tpl
new file mode 100644
index 000000000..c37a65c6f
--- /dev/null
+++ b/charts/rancher-webhook/103.0.0+up0.4.0-rc10/templates/_helpers.tpl
@@ -0,0 +1,22 @@
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- else -}}
+{{- "" -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "rancher-webhook.labels" -}}
+app: rancher-webhook
+{{- end }}
+
+{{- define "linux-node-tolerations" -}}
+- key: "cattle.io/os"
+  value: "linux"
+  effect: "NoSchedule"
+  operator: "Equal"
+{{- end -}}
+
+{{- define "linux-node-selector" -}}
+kubernetes.io/os: linux
+{{- end -}}
\ No newline at end of file
diff --git a/charts/rancher-webhook/103.0.0+up0.4.0-rc10/templates/deployment.yaml b/charts/rancher-webhook/103.0.0+up0.4.0-rc10/templates/deployment.yaml
new file mode 100644
index 000000000..a0cc77c2d
--- /dev/null
+++ b/charts/rancher-webhook/103.0.0+up0.4.0-rc10/templates/deployment.yaml
@@ -0,0 +1,102 @@
+{{- $auth := .Values.auth | default dict }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: rancher-webhook
+spec:
+  selector:
+    matchLabels:
+      app: rancher-webhook
+  template:
+    metadata:
+      labels:
+        app: rancher-webhook
+    spec:
+      {{- if or .Values.capi.enabled $auth.clientCA }}
+      volumes:
+      {{- end }}
+      {{- if .Values.capi.enabled }}
+      - name: tls
+        secret:
+          secretName: rancher-webhook-tls
+      {{- end }}
+      {{- if $auth.clientCA }}
+      - name: client-ca
+        secret:
+          secretName: client-ca
+      {{- end }}
+      {{- if .Values.global.hostNetwork }}
+      hostNetwork: true
+      {{- end }}
+      nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+      {{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+      {{- end }}
+      tolerations: {{ include "linux-node-tolerations" . | nindent 6 }}
+      {{- if .Values.tolerations }}
+{{ toYaml .Values.tolerations | indent 6 }}
+      {{- end }}
+      containers:
+      - env:
+        - name: STAMP
+          value: "{{.Values.stamp}}"
+        - name: ENABLE_CAPI
+          value: "{{.Values.capi.enabled}}"
+        - name: ENABLE_MCM
+          value: "{{.Values.mcm.enabled}}"
+        - name: CATTLE_PORT
+          value: {{.Values.port | default 9443 | quote}}
+        - name: CATTLE_CAPI_PORT
+          value: {{.Values.capi.port | default 8777 | quote}}
+        - name: NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        {{- if $auth.allowedCNs }}
+        - name: ALLOWED_CNS
+          value: '{{ join "," $auth.allowedCNs }}'
+        {{- end }}
+        image: '{{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}'
+        name: rancher-webhook
+        imagePullPolicy: "{{ .Values.image.imagePullPolicy }}"
+        ports:
+        - name: https
+          containerPort: {{ .Values.port | default 9443 }}
+        - name: capi-https
+          containerPort: {{ .Values.capi.port | default 8777}}
+        startupProbe:
+          httpGet:
+            path: "/healthz"
+            port: "https"
+            scheme: "HTTPS"
+          failureThreshold: 60
+          periodSeconds: 5
+        livenessProbe:
+          httpGet:
+            path: "/healthz"
+            port: "https"
+            scheme: "HTTPS"
+          periodSeconds: 5
+        {{- if or .Values.capi.enabled $auth.clientCA }}
+        volumeMounts:
+        {{- end }}
+        {{- if .Values.capi.enabled }}
+        - name: tls
+          mountPath: /tmp/k8s-webhook-server/serving-certs
+          readOnly: true
+        {{- end }}
+        {{- if $auth.clientCA }}
+        - name: client-ca
+          mountPath: /tmp/k8s-webhook-server/client-ca
+          readOnly: true
+        {{- end }}
+        {{- if .Values.capNetBindService }}
+        securityContext:
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+        {{- end }}
+      serviceAccountName: rancher-webhook
+      {{- if .Values.priorityClassName }}
+      priorityClassName: "{{.Values.priorityClassName}}"
+      {{- end }}
diff --git a/charts/rancher-webhook/103.0.0+up0.4.0-rc10/templates/rbac.yaml b/charts/rancher-webhook/103.0.0+up0.4.0-rc10/templates/rbac.yaml
new file mode 100644
index 000000000..f4364995c
--- /dev/null
+++ b/charts/rancher-webhook/103.0.0+up0.4.0-rc10/templates/rbac.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: rancher-webhook
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- kind: ServiceAccount
+  name: rancher-webhook
+  namespace: {{.Release.Namespace}}
\ No newline at end of file
diff --git a/charts/rancher-webhook/103.0.0+up0.4.0-rc10/templates/secret.yaml b/charts/rancher-webhook/103.0.0+up0.4.0-rc10/templates/secret.yaml
new file mode 100644
index 000000000..9fd331dc1
--- /dev/null
+++ b/charts/rancher-webhook/103.0.0+up0.4.0-rc10/templates/secret.yaml
@@ -0,0 +1,11 @@
+{{- $auth := .Values.auth | default dict }}
+{{- if $auth.clientCA }}
+apiVersion: v1
+data:
+  ca.crt: {{ $auth.clientCA }}
+kind: Secret
+metadata:
+  name: client-ca
+  namespace: cattle-system
+type: Opaque
+{{- end }}
diff --git a/charts/rancher-webhook/103.0.0+up0.4.0-rc10/templates/service.yaml b/charts/rancher-webhook/103.0.0+up0.4.0-rc10/templates/service.yaml
new file mode 100644
index 000000000..220afebea
--- /dev/null
+++ b/charts/rancher-webhook/103.0.0+up0.4.0-rc10/templates/service.yaml
@@ -0,0 +1,13 @@
+kind: Service
+apiVersion: v1
+metadata:
+  name: rancher-webhook
+  namespace: cattle-system
+spec:
+  ports:
+  - port: 443
+    targetPort: {{ .Values.port | default 9443 }}
+    protocol: TCP
+    name: https
+  selector:
+    app: rancher-webhook
diff --git a/charts/rancher-webhook/103.0.0+up0.4.0-rc10/templates/serviceaccount.yaml b/charts/rancher-webhook/103.0.0+up0.4.0-rc10/templates/serviceaccount.yaml
new file mode 100644
index 000000000..9e7ad7e1f
--- /dev/null
+++ b/charts/rancher-webhook/103.0.0+up0.4.0-rc10/templates/serviceaccount.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: rancher-webhook
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: rancher-webhook-sudo
+  annotations:
+    cattle.io/description: "SA which can be impersonated to bypass rancher-webhook validation"
\ No newline at end of file
diff --git a/charts/rancher-webhook/103.0.0+up0.4.0-rc10/templates/webhook.yaml b/charts/rancher-webhook/103.0.0+up0.4.0-rc10/templates/webhook.yaml
new file mode 100644
index 000000000..53a0687b6
--- /dev/null
+++ b/charts/rancher-webhook/103.0.0+up0.4.0-rc10/templates/webhook.yaml
@@ -0,0 +1,9 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: rancher.cattle.io
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: rancher.cattle.io
diff --git a/charts/rancher-webhook/103.0.0+up0.4.0-rc10/tests/README.md b/charts/rancher-webhook/103.0.0+up0.4.0-rc10/tests/README.md
new file mode 100644
index 000000000..6d3059a00
--- /dev/null
+++ b/charts/rancher-webhook/103.0.0+up0.4.0-rc10/tests/README.md
@@ -0,0 +1,16 @@
+
+## local dev testing instructions
+
+Option 1: Full chart CI run with a live cluster
+
+```bash
+./scripts/charts/ci 
+```
+
+Option 2: Test runs against the chart only 
+
+```bash
+# install the helm plugin first - helm plugin install https://github.com/helm-unittest/helm-unittest.git
+bash dev-scripts/helm-unittest.sh
+```
+
diff --git a/charts/rancher-webhook/103.0.0+up0.4.0-rc10/tests/capi-service_test.yaml b/charts/rancher-webhook/103.0.0+up0.4.0-rc10/tests/capi-service_test.yaml
new file mode 100644
index 000000000..4ee94a84a
--- /dev/null
+++ b/charts/rancher-webhook/103.0.0+up0.4.0-rc10/tests/capi-service_test.yaml
@@ -0,0 +1,20 @@
+suite: Test Service
+templates:
+  - charts/capi/templates/service.yaml
+tests:
+  - it: should set webhook default port values
+    set:
+      capi.enabled: true
+    asserts:
+      - equal:
+          path: spec.ports[0].targetPort
+          value: 8777
+
+  - it: should set updated target port
+    set:
+      capi.port: 2319
+      capi.enabled: true
+    asserts:
+      - equal:
+          path: spec.ports[0].targetPort
+          value: 2319
diff --git a/charts/rancher-webhook/103.0.0+up0.4.0-rc10/tests/deployment_test.yaml b/charts/rancher-webhook/103.0.0+up0.4.0-rc10/tests/deployment_test.yaml
new file mode 100644
index 000000000..5f153461c
--- /dev/null
+++ b/charts/rancher-webhook/103.0.0+up0.4.0-rc10/tests/deployment_test.yaml
@@ -0,0 +1,94 @@
+suite: Test Deployment
+templates:
+  - deployment.yaml
+
+tests:
+  - it: should set webhook default port values
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].ports[0].containerPort
+          value: 9443
+      - equal:
+          path: spec.template.spec.containers[0].ports[1].containerPort
+          value: 8777
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: CATTLE_PORT
+            value: "9443"
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: CATTLE_CAPI_PORT
+            value: "8777"
+
+  - it: should set updated webhook port
+    set:
+      port: 2319
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].ports[0].containerPort
+          value: 2319
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: CATTLE_PORT
+            value: "2319"
+
+  - it: should set updated capi port
+    set:
+      capi.port: 2319
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].ports[1].containerPort
+          value: 2319
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: CATTLE_CAPI_PORT
+            value: "2319"
+
+  - it: should not set capabilities by default.
+    asserts:
+      - isNull:
+          path: spec.template.spec.containers[0].securityContext
+
+  - it: should set net capabilities when capNetBindService is true.
+    set:
+      capNetBindService: true
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].securityContext.capabilities.add
+          content: NET_BIND_SERVICE
+
+  - it: should not set volumes or volumeMounts by default
+    asserts:
+      - isNull:
+          path: spec.template.spec.volumes
+      - isNull:
+          path: spec.template.spec.volumeMounts
+
+  - it: should set CA fields when CA options are set
+    set:
+      auth.clientCA: base64-encoded-cert
+      auth.allowedCNs:
+        - kube-apiserver
+        - joe
+    asserts:
+      - contains:
+          path: spec.template.spec.volumes
+          content:
+            name: client-ca
+            secret:
+              secretName: client-ca
+      - contains:
+          path: spec.template.spec.containers[0].volumeMounts
+          content:
+            name: client-ca
+            mountPath: /tmp/k8s-webhook-server/client-ca
+            readOnly: true
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: ALLOWED_CNS
+            value: kube-apiserver,joe
diff --git a/charts/rancher-webhook/103.0.0+up0.4.0-rc10/tests/service_test.yaml b/charts/rancher-webhook/103.0.0+up0.4.0-rc10/tests/service_test.yaml
new file mode 100644
index 000000000..03172ad03
--- /dev/null
+++ b/charts/rancher-webhook/103.0.0+up0.4.0-rc10/tests/service_test.yaml
@@ -0,0 +1,18 @@
+suite: Test Service
+templates:
+  - service.yaml
+
+tests:
+  - it: should set webhook default port values
+    asserts:
+      - equal:
+          path: spec.ports[0].targetPort
+          value: 9443
+
+  - it: should set updated target port
+    set:
+      port: 2319
+    asserts:
+      - equal:
+          path: spec.ports[0].targetPort
+          value: 2319
diff --git a/charts/rancher-webhook/103.0.0+up0.4.0-rc10/values.yaml b/charts/rancher-webhook/103.0.0+up0.4.0-rc10/values.yaml
new file mode 100644
index 000000000..2978803ae
--- /dev/null
+++ b/charts/rancher-webhook/103.0.0+up0.4.0-rc10/values.yaml
@@ -0,0 +1,34 @@
+image:
+  repository: rancher/rancher-webhook
+  tag: v0.4.0-rc10
+  imagePullPolicy: IfNotPresent
+
+global:
+  cattle:
+    systemDefaultRegistry: ""
+  hostNetwork: false
+
+capi:
+  enabled: false
+  port: 8777
+
+mcm:
+  enabled: true
+
+# tolerations for the webhook deployment. See https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ for more info
+tolerations: []
+nodeSelector: {}
+
+## PriorityClassName assigned to deployment.
+priorityClassName: ""
+
+# port assigns which port to use when running rancher-webhook
+port: 9443
+
+# Parameters for authenticating the kube-apiserver.
+auth:
+  # CA for authenticating kube-apiserver client certs. If empty, client connections will not be authenticated.
+  # Must be base64-encoded.
+  clientCA: ""
+  # Allowlist of CNs for kube-apiserver client certs. If empty, any cert signed by the CA provided in clientCA will be accepted.
+  allowedCNs: []
diff --git a/index.yaml b/index.yaml
index a9689acbd..7f5a19a0b 100755
--- a/index.yaml
+++ b/index.yaml
@@ -16144,18 +16144,18 @@ entries:
       catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0'
       catalog.cattle.io/release-name: rancher-webhook
     apiVersion: v2
-    appVersion: 0.4.0-rc9
-    created: "2023-09-26T10:32:25.944066-04:00"
+    appVersion: 0.4.0-rc10
+    created: "2023-10-03T11:10:38.834206702-05:00"
     dependencies:
     - condition: capi.enabled
       name: capi
       repository: ""
     description: ValidatingAdmissionWebhook for Rancher types
-    digest: 3fd5f39baee30c7737c8b55540ba2440f613169522cbbe8145cc1f0716d2d329
+    digest: 8de0041c6c01685f7ad41148daca3d6da658e1e72686eaebf22d8f34d1d5dcf3
     name: rancher-webhook
     urls:
-    - assets/rancher-webhook/rancher-webhook-103.0.0+up0.4.0-rc9.tgz
-    version: 103.0.0+up0.4.0-rc9
+    - assets/rancher-webhook/rancher-webhook-103.0.0+up0.4.0-rc10.tgz
+    version: 103.0.0+up0.4.0-rc10
   - annotations:
       catalog.cattle.io/certified: rancher
       catalog.cattle.io/hidden: "true"

From 82912e19e409b1acca08c02efc415dd2539d4c19 Mon Sep 17 00:00:00 2001
From: Michael Bolot <michael.bolot@suse.com>
Date: Tue, 3 Oct 2023 11:11:11 -0500
Subject: [PATCH 3/3] make remove rancher-webhook v0.4.0-rc9

---
 .../rancher-webhook-103.0.0+up0.4.0-rc9.tgz   | Bin 3167 -> 0 bytes
 .../103.0.0+up0.4.0-rc9/Chart.yaml            |  18 ----
 .../charts/capi/Chart.yaml                    |   4 -
 .../charts/capi/templates/service.yaml        |  13 ---
 .../templates/_helpers.tpl                    |  22 ----
 .../templates/deployment.yaml                 | 102 ------------------
 .../103.0.0+up0.4.0-rc9/templates/rbac.yaml   |  12 ---
 .../103.0.0+up0.4.0-rc9/templates/secret.yaml |  11 --
 .../templates/service.yaml                    |  13 ---
 .../templates/serviceaccount.yaml             |  11 --
 .../templates/webhook.yaml                    |   9 --
 .../103.0.0+up0.4.0-rc9/tests/README.md       |  16 ---
 .../tests/capi-service_test.yaml              |  20 ----
 .../tests/deployment_test.yaml                |  94 ----------------
 .../tests/service_test.yaml                   |  18 ----
 .../103.0.0+up0.4.0-rc9/values.yaml           |  34 ------
 16 files changed, 397 deletions(-)
 delete mode 100644 assets/rancher-webhook/rancher-webhook-103.0.0+up0.4.0-rc9.tgz
 delete mode 100644 charts/rancher-webhook/103.0.0+up0.4.0-rc9/Chart.yaml
 delete mode 100644 charts/rancher-webhook/103.0.0+up0.4.0-rc9/charts/capi/Chart.yaml
 delete mode 100644 charts/rancher-webhook/103.0.0+up0.4.0-rc9/charts/capi/templates/service.yaml
 delete mode 100644 charts/rancher-webhook/103.0.0+up0.4.0-rc9/templates/_helpers.tpl
 delete mode 100644 charts/rancher-webhook/103.0.0+up0.4.0-rc9/templates/deployment.yaml
 delete mode 100644 charts/rancher-webhook/103.0.0+up0.4.0-rc9/templates/rbac.yaml
 delete mode 100644 charts/rancher-webhook/103.0.0+up0.4.0-rc9/templates/secret.yaml
 delete mode 100644 charts/rancher-webhook/103.0.0+up0.4.0-rc9/templates/service.yaml
 delete mode 100644 charts/rancher-webhook/103.0.0+up0.4.0-rc9/templates/serviceaccount.yaml
 delete mode 100644 charts/rancher-webhook/103.0.0+up0.4.0-rc9/templates/webhook.yaml
 delete mode 100644 charts/rancher-webhook/103.0.0+up0.4.0-rc9/tests/README.md
 delete mode 100644 charts/rancher-webhook/103.0.0+up0.4.0-rc9/tests/capi-service_test.yaml
 delete mode 100644 charts/rancher-webhook/103.0.0+up0.4.0-rc9/tests/deployment_test.yaml
 delete mode 100644 charts/rancher-webhook/103.0.0+up0.4.0-rc9/tests/service_test.yaml
 delete mode 100644 charts/rancher-webhook/103.0.0+up0.4.0-rc9/values.yaml

diff --git a/assets/rancher-webhook/rancher-webhook-103.0.0+up0.4.0-rc9.tgz b/assets/rancher-webhook/rancher-webhook-103.0.0+up0.4.0-rc9.tgz
deleted file mode 100644
index a0e4cf5bf9a346db3d145c66dc38042c926b5250..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 3167
zcmV-l450HLiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc
zVQyr3R8em|NM&qo0PH;PZ`-(%{j9%Y;M}1fu9D@%aa!T_0I!?fE6}7t5_IvfSY&Bw
zY;#MKsz^EOP4mA$kd$OemhCk5bM`%Wz9go|;gFo)94R3@oM7VK<8UIxm-b*n66MXw
zl)c&+_`dJ=x?S_v_x<|cPUpDus?$C7yQjU=)6Ur|ztcTF?Y#njcO<NaR4S6Z^0%I=
zzPNuAAe;+D6ct<s4nRm0VPfosL@9<I73~lcMMo5)05V=_>^7lMggk(jN>Xe!cKMPH
z(Vbx;so(*;{=Xlf;~k%PzU#yP>VMzre_uBa<z$L7CLso38(le<3a5>og$#gEp8nbR
zG{$5~m2`_<Z|*6N#Jz0nor_0>>|^h3M)k4xZZ**fG9(gRO?<I=xu7{Drk``9vtx(E
zaq-jlx}NVQ;X5b77<q&|q$mT&g;4N_D$^+>G4+s>A;ZW4u#@OU2Oz;%NUB6K51`d@
zB9vi5V>|9MVKgF&@^L?!QmJSB#gYUgk-)Vj6VyCL=`@pGY(~dF@qEw!pEO>O{L&14
zfbW93{+|(+qTH<k*rfk^{*wOJe-8S84?w46j6qFjWK7Yn3qF7%;{aw0X$LR}u2ROX
z1f$_RfDfZfp{^2?$d%)anHUn5nHI&&Q~*|czsC_tnYzX?l`7L!023kAC8~Rod<kGg
zm_*0XdQFea^j+Q#5Q{_w@b>KN%yFjSw9-dgBF8xbB^V~w#2FQ*CJ5PzAi|i5`4qYG
z;06&UO2sm08(WodR4BD3k3=Zjq2M9LO15P<!6;>vk6oP6P$O<DLb-AYkKDy<Z8O_c
zBnXs`gj1p;fM0)exQOru8HP$E0X#f9&e0KEB~&C-%?FG~c}b=SL`pj57=aRHa-F!|
z)9jyfWcDN*CE<QT!-;KD0#b=^KS2&j$~ooZCDm^C^If-lqA^{OgiKLkVmFSYYJyzR
z(3lUikH)5xm`Y4$n0Suvq7UH+2K}Zn)&3ANid=#AF{B3{Mu5{;&EFL5f^!V*$=y@N
zfC~jfEF;CpGt*t9(mWaxiM_6iJQR_AW^oPr8G9W;pD}UIs8k?EFu1g9dm>?k&rKs_
zXEL0dZ5Z?+PQ;8x7y;$Ql$K~saHv_w(nIw07!58h7re0i*Y&@`Y0QX1*}j_~i!qU&
zinlZc8}z?_c6waX|Gi%C_@Mvy0S^x@L^z@xp=Gu5U1ZhrU6SeL7Pya(j_ycD;C;3Z
zg4OG}x7(=Ci(zp>xf((1zh%4iECk3T7C%}GdXPs;|2yRs)wtVZWQa^!1SF1^UE3T}
z9g&F?T&=N73O+;R!WY!Ws~mx7O=DcCARDV2a5TbD1<<+_H`a!jNJ+#RpSA(5^RFpk
zt<~!(ks&k7VQHw^t3?D<!qj~JtL49BYqs<TH^_gl<NG!FKRY=)J;?t)Kr_gHX?qI6
z4~1-+-`^lp1Q5|sfsvR+$V%c^wr3sZ3*}J&?+adWrl?3n6bXu;v@T;Z#!x@aIoP^{
zQ=-DjM<buM0iaPr0df}2#+ByNz$z$KA_2(B(2yxNkrZ1{4zKM7d4*Mfe9VT;1WTtV
z%UCkyQ9;{?v*_ez+oYH*h?W>8s1}RJTP~Y6)Lo2RMZu~C<a666Zb+U;LB0Q`m1oMn
z<k~N~R{VYAv#-Ee^Oqlh@{py`Dz)grH{g^<+K+p?lCm;VFs1~Q_y?J?<{sam8DoXe
zile`R&WaT&liFKJYB`Q+q_o_jAhfrJ&`@w4xL{JSu<kHhoO;e5H@E$Zs}e8drtRS&
zpIa(2jUOLdOGD2u`#*j>zZ>+gKCDGh7LGM|E(RBC(M-eXIxK_!?d`|&yQ@#vx65c2
zSWLXMP=Goff^YCO6$*>ZTSBUrxDm5iW(~a#U)P|&>|dPUT=fU%b-X_%Vp^6^fDuI&
zUE`?QnzdgMH3<rR=@mKEqHjf6EW#9MpsD}y<ELNF-`@=`Z<bg4`r!fo5R^mfO{)pp
z>&lE3j?D527Duk=*LbELJU%`=6cS(tdy7;CJU#|Xj};kLh-kJ_6?)3~jn)#vS{EoY
zo<3^1EKnxTP};dd60b}EUYeqb6&nsj^OgH_tgG0tgjxGVDvhraF~l-I=}CUBng)Q_
z@K&omLBiDJuU7S;nZ0GGt3Hw81Wn@N|8H-vZpzO_gt9cj+ew0QB3Kka&o4cWF`**5
z!BFr>25?$DVswTarF<c>SJL%N4<q+6E=0=9eAFN~PjWVz-3@@L#%~owTTSEkm$$NT
zFKkMrt^ZIyc1=#CG&DgHed26hG2ZJaT)o!S?#PoUY#R36)Rp${64j5CM>l%mA(s0}
z3{#VP6I|h+6{ZSFOoo(EMNw9njYLtk!G+87+q)k>T)w}%Ilun=p`_uL=#!R+ei-U~
zX!HY{y@sVU;R0t<2C-xV>rWSItwh~R$1exi4pzti$&iG*xd+;m|LdOA?|*uo<3s$v
z7bwT{=ESvf776{!#1Y<?w<e)f1o{J(N`=X_V5n6i<>My={E1+gIi)0~KPMuM*G%RB
zEX}pJ;I?fpiKdi0G9CVbp)yzFcFavhO|GQKwr3Ru4-ek8y{h*v^VU`Avi~?(E&n#&
z--QO)B>yMJr*-*1^$+sD7x<q1-%9_jQp?hDa%~V2FU;bO<uSRuY9?#YA!T1~W%ZAm
z#~8q;n0!sqIXETHfpzk4ROt>Bz()D+)${+o-sz$KV=quKn{`3nY}(fdXP#d#G9Ydi
zQFps1CXP@f8Ke51gh!kRB|^ahxE<JZWHp;oy-{e){J->m|J`7t{1fX+ZKDP@`u~3I
z{{PrNKIt6fe;-hj_(m^!vl?(+x2`*$hsl*`q$7Y@S#n-IW{R=O)vT?XepccX5)MNI
zI*l=rf)iycriSyFNLil-W?2=i;H{TFftQ8V@}JjC?7{w@c9-ja{Db`O11fj=c|mw~
zztWrnSQL<Fb>joUM|7Op?yE(7Q5nCaE}k~=MXI)&_NDjw?+DBCFO_UxpZDKioO{z~
zCv$AH|7Ugi@1FI#2l?LzI7dgoL`WD!I0Jq9l#hXOsgl%I-a5`FV{D-lz)vY-5Kc&<
zVDJHwl*2t$6Cmc=El<ul&hNkfJ|uGDcx`K{W!sFA?T~_gSfD%(;1;FQm?V%f(es*u
zT04i}Yz_-_M}{uKnCUV>Hiej_W6EJf6RE(hwB>#ClI}58lXU2XV%pZ-+>}$L*IWJN
zjj3|<Y<fT3ocwARIkAg)>9gAfG|RuaP0j*<JG16(yns#e-|Kbj{=e^^9OQo=AXBO^
zlfpa;Q22m0YR_et#B@b^$T3`Fds7vFoQRY~AW@ZGw6Nj4iSF%7Mz#uXaV1~Au`XTL
z5-G7%L*W8`P3;>cIoMl#8DnUY2l7|{H*b+#Sgud8uZuJgo5qoi8_ZxsYa@|1k8ym`
zdAD!U&78YD|7Q7L)c$TS{Tt=~)IY1||Id1zL;e3=pe+BTD&Cq3sMUfyTL}Dj$wW?u
zXMQcp6}6ZY@=~dCS{9jidA@P`$vPV+GpZ$@EbA+uF(2|-t&R(Mt#)Z$LF1w_Qm?-C
z5)?I6LoUeD`_x*igL6J=Qo=R;yLXl<Y5u>*DQkk(Z>P3UPc~>f-q6ir^HLkSo=KZ`
zl?!Edwp{21!+EaoyyhLG@-k)5*}__>S>qw|IyvSY&*cg>DvfXAHSj>S=Q<x|i{q)S
z#Vgb7ktk|7yX6wORp*hti~%C4)J&F+X6uv5rg;8POH$(*4*IrAJ3G8VA4F_R`ALGh
zNBz($H|jy{#aC0MS?*YR>$FsES$*rZ^xzM%i_@>}*9MVns@`mR4+S>7i?S7mR*q>4
zvY%P4x}sinKRU6wroT{!RbF|cIpn3C*8^+~&GFyPQa=VZ<$q33&g$`>e|EV4*$X@&
z|5M5I>?`tnQZ~eXr{Z~uoNZj*mr2$9OQ0_Q<z(Nkz6G~Q{{6F)`u%UWcgX+l1=fCs
z%=dh!^kK1C^~p<<et;doI{DvKE$GJk-%c(6d))C4^&k6z@2vkU$1v2qI=ob=#StTy
zm;ki&F+>}&HGd1ye88ZgT(thG>~qRT&AZj6eDqKpdVm8Q-~eU#X8-^I|NoID^a21{
F0014RHiZBH

diff --git a/charts/rancher-webhook/103.0.0+up0.4.0-rc9/Chart.yaml b/charts/rancher-webhook/103.0.0+up0.4.0-rc9/Chart.yaml
deleted file mode 100644
index eb4cb45c0..000000000
--- a/charts/rancher-webhook/103.0.0+up0.4.0-rc9/Chart.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-annotations:
-  catalog.cattle.io/certified: rancher
-  catalog.cattle.io/hidden: "true"
-  catalog.cattle.io/kube-version: '>= 1.23.0-0 < 1.28.0-0'
-  catalog.cattle.io/namespace: cattle-system
-  catalog.cattle.io/os: linux
-  catalog.cattle.io/permits-os: linux,windows
-  catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0'
-  catalog.cattle.io/release-name: rancher-webhook
-apiVersion: v2
-appVersion: 0.4.0-rc9
-dependencies:
-- condition: capi.enabled
-  name: capi
-  repository: ""
-description: ValidatingAdmissionWebhook for Rancher types
-name: rancher-webhook
-version: 103.0.0+up0.4.0-rc9
diff --git a/charts/rancher-webhook/103.0.0+up0.4.0-rc9/charts/capi/Chart.yaml b/charts/rancher-webhook/103.0.0+up0.4.0-rc9/charts/capi/Chart.yaml
deleted file mode 100644
index 388210bef..000000000
--- a/charts/rancher-webhook/103.0.0+up0.4.0-rc9/charts/capi/Chart.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-apiVersion: v2
-appVersion: 0.0.0
-name: capi
-version: 0.0.0
diff --git a/charts/rancher-webhook/103.0.0+up0.4.0-rc9/charts/capi/templates/service.yaml b/charts/rancher-webhook/103.0.0+up0.4.0-rc9/charts/capi/templates/service.yaml
deleted file mode 100644
index de7c255c4..000000000
--- a/charts/rancher-webhook/103.0.0+up0.4.0-rc9/charts/capi/templates/service.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-kind: Service
-apiVersion: v1
-metadata:
-  name: webhook-service
-  annotations:
-    need-a-cert.cattle.io/secret-name: rancher-webhook-tls
-spec:
-  ports:
-  - name: https
-    port: 443
-    targetPort: {{ .Values.port | default 8777 }}
-  selector:
-    app: rancher-webhook
diff --git a/charts/rancher-webhook/103.0.0+up0.4.0-rc9/templates/_helpers.tpl b/charts/rancher-webhook/103.0.0+up0.4.0-rc9/templates/_helpers.tpl
deleted file mode 100644
index c37a65c6f..000000000
--- a/charts/rancher-webhook/103.0.0+up0.4.0-rc9/templates/_helpers.tpl
+++ /dev/null
@@ -1,22 +0,0 @@
-{{- define "system_default_registry" -}}
-{{- if .Values.global.cattle.systemDefaultRegistry -}}
-{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
-{{- else -}}
-{{- "" -}}
-{{- end -}}
-{{- end -}}
-
-{{- define "rancher-webhook.labels" -}}
-app: rancher-webhook
-{{- end }}
-
-{{- define "linux-node-tolerations" -}}
-- key: "cattle.io/os"
-  value: "linux"
-  effect: "NoSchedule"
-  operator: "Equal"
-{{- end -}}
-
-{{- define "linux-node-selector" -}}
-kubernetes.io/os: linux
-{{- end -}}
\ No newline at end of file
diff --git a/charts/rancher-webhook/103.0.0+up0.4.0-rc9/templates/deployment.yaml b/charts/rancher-webhook/103.0.0+up0.4.0-rc9/templates/deployment.yaml
deleted file mode 100644
index a0cc77c2d..000000000
--- a/charts/rancher-webhook/103.0.0+up0.4.0-rc9/templates/deployment.yaml
+++ /dev/null
@@ -1,102 +0,0 @@
-{{- $auth := .Values.auth | default dict }}
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: rancher-webhook
-spec:
-  selector:
-    matchLabels:
-      app: rancher-webhook
-  template:
-    metadata:
-      labels:
-        app: rancher-webhook
-    spec:
-      {{- if or .Values.capi.enabled $auth.clientCA }}
-      volumes:
-      {{- end }}
-      {{- if .Values.capi.enabled }}
-      - name: tls
-        secret:
-          secretName: rancher-webhook-tls
-      {{- end }}
-      {{- if $auth.clientCA }}
-      - name: client-ca
-        secret:
-          secretName: client-ca
-      {{- end }}
-      {{- if .Values.global.hostNetwork }}
-      hostNetwork: true
-      {{- end }}
-      nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
-      {{- if .Values.nodeSelector }}
-{{ toYaml .Values.nodeSelector | indent 8 }}
-      {{- end }}
-      tolerations: {{ include "linux-node-tolerations" . | nindent 6 }}
-      {{- if .Values.tolerations }}
-{{ toYaml .Values.tolerations | indent 6 }}
-      {{- end }}
-      containers:
-      - env:
-        - name: STAMP
-          value: "{{.Values.stamp}}"
-        - name: ENABLE_CAPI
-          value: "{{.Values.capi.enabled}}"
-        - name: ENABLE_MCM
-          value: "{{.Values.mcm.enabled}}"
-        - name: CATTLE_PORT
-          value: {{.Values.port | default 9443 | quote}}
-        - name: CATTLE_CAPI_PORT
-          value: {{.Values.capi.port | default 8777 | quote}}
-        - name: NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
-        {{- if $auth.allowedCNs }}
-        - name: ALLOWED_CNS
-          value: '{{ join "," $auth.allowedCNs }}'
-        {{- end }}
-        image: '{{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}'
-        name: rancher-webhook
-        imagePullPolicy: "{{ .Values.image.imagePullPolicy }}"
-        ports:
-        - name: https
-          containerPort: {{ .Values.port | default 9443 }}
-        - name: capi-https
-          containerPort: {{ .Values.capi.port | default 8777}}
-        startupProbe:
-          httpGet:
-            path: "/healthz"
-            port: "https"
-            scheme: "HTTPS"
-          failureThreshold: 60
-          periodSeconds: 5
-        livenessProbe:
-          httpGet:
-            path: "/healthz"
-            port: "https"
-            scheme: "HTTPS"
-          periodSeconds: 5
-        {{- if or .Values.capi.enabled $auth.clientCA }}
-        volumeMounts:
-        {{- end }}
-        {{- if .Values.capi.enabled }}
-        - name: tls
-          mountPath: /tmp/k8s-webhook-server/serving-certs
-          readOnly: true
-        {{- end }}
-        {{- if $auth.clientCA }}
-        - name: client-ca
-          mountPath: /tmp/k8s-webhook-server/client-ca
-          readOnly: true
-        {{- end }}
-        {{- if .Values.capNetBindService }}
-        securityContext:
-          capabilities:
-            add:
-            - NET_BIND_SERVICE
-        {{- end }}
-      serviceAccountName: rancher-webhook
-      {{- if .Values.priorityClassName }}
-      priorityClassName: "{{.Values.priorityClassName}}"
-      {{- end }}
diff --git a/charts/rancher-webhook/103.0.0+up0.4.0-rc9/templates/rbac.yaml b/charts/rancher-webhook/103.0.0+up0.4.0-rc9/templates/rbac.yaml
deleted file mode 100644
index f4364995c..000000000
--- a/charts/rancher-webhook/103.0.0+up0.4.0-rc9/templates/rbac.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: rancher-webhook
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cluster-admin
-subjects:
-- kind: ServiceAccount
-  name: rancher-webhook
-  namespace: {{.Release.Namespace}}
\ No newline at end of file
diff --git a/charts/rancher-webhook/103.0.0+up0.4.0-rc9/templates/secret.yaml b/charts/rancher-webhook/103.0.0+up0.4.0-rc9/templates/secret.yaml
deleted file mode 100644
index 9fd331dc1..000000000
--- a/charts/rancher-webhook/103.0.0+up0.4.0-rc9/templates/secret.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-{{- $auth := .Values.auth | default dict }}
-{{- if $auth.clientCA }}
-apiVersion: v1
-data:
-  ca.crt: {{ $auth.clientCA }}
-kind: Secret
-metadata:
-  name: client-ca
-  namespace: cattle-system
-type: Opaque
-{{- end }}
diff --git a/charts/rancher-webhook/103.0.0+up0.4.0-rc9/templates/service.yaml b/charts/rancher-webhook/103.0.0+up0.4.0-rc9/templates/service.yaml
deleted file mode 100644
index 220afebea..000000000
--- a/charts/rancher-webhook/103.0.0+up0.4.0-rc9/templates/service.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-kind: Service
-apiVersion: v1
-metadata:
-  name: rancher-webhook
-  namespace: cattle-system
-spec:
-  ports:
-  - port: 443
-    targetPort: {{ .Values.port | default 9443 }}
-    protocol: TCP
-    name: https
-  selector:
-    app: rancher-webhook
diff --git a/charts/rancher-webhook/103.0.0+up0.4.0-rc9/templates/serviceaccount.yaml b/charts/rancher-webhook/103.0.0+up0.4.0-rc9/templates/serviceaccount.yaml
deleted file mode 100644
index 9e7ad7e1f..000000000
--- a/charts/rancher-webhook/103.0.0+up0.4.0-rc9/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: rancher-webhook
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: rancher-webhook-sudo
-  annotations:
-    cattle.io/description: "SA which can be impersonated to bypass rancher-webhook validation"
\ No newline at end of file
diff --git a/charts/rancher-webhook/103.0.0+up0.4.0-rc9/templates/webhook.yaml b/charts/rancher-webhook/103.0.0+up0.4.0-rc9/templates/webhook.yaml
deleted file mode 100644
index 53a0687b6..000000000
--- a/charts/rancher-webhook/103.0.0+up0.4.0-rc9/templates/webhook.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
-  name: rancher.cattle.io
----
-apiVersion: admissionregistration.k8s.io/v1
-kind: MutatingWebhookConfiguration
-metadata:
-  name: rancher.cattle.io
diff --git a/charts/rancher-webhook/103.0.0+up0.4.0-rc9/tests/README.md b/charts/rancher-webhook/103.0.0+up0.4.0-rc9/tests/README.md
deleted file mode 100644
index 6d3059a00..000000000
--- a/charts/rancher-webhook/103.0.0+up0.4.0-rc9/tests/README.md
+++ /dev/null
@@ -1,16 +0,0 @@
-
-## local dev testing instructions
-
-Option 1: Full chart CI run with a live cluster
-
-```bash
-./scripts/charts/ci 
-```
-
-Option 2: Test runs against the chart only 
-
-```bash
-# install the helm plugin first - helm plugin install https://github.com/helm-unittest/helm-unittest.git
-bash dev-scripts/helm-unittest.sh
-```
-
diff --git a/charts/rancher-webhook/103.0.0+up0.4.0-rc9/tests/capi-service_test.yaml b/charts/rancher-webhook/103.0.0+up0.4.0-rc9/tests/capi-service_test.yaml
deleted file mode 100644
index 4ee94a84a..000000000
--- a/charts/rancher-webhook/103.0.0+up0.4.0-rc9/tests/capi-service_test.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-suite: Test Service
-templates:
-  - charts/capi/templates/service.yaml
-tests:
-  - it: should set webhook default port values
-    set:
-      capi.enabled: true
-    asserts:
-      - equal:
-          path: spec.ports[0].targetPort
-          value: 8777
-
-  - it: should set updated target port
-    set:
-      capi.port: 2319
-      capi.enabled: true
-    asserts:
-      - equal:
-          path: spec.ports[0].targetPort
-          value: 2319
diff --git a/charts/rancher-webhook/103.0.0+up0.4.0-rc9/tests/deployment_test.yaml b/charts/rancher-webhook/103.0.0+up0.4.0-rc9/tests/deployment_test.yaml
deleted file mode 100644
index 5f153461c..000000000
--- a/charts/rancher-webhook/103.0.0+up0.4.0-rc9/tests/deployment_test.yaml
+++ /dev/null
@@ -1,94 +0,0 @@
-suite: Test Deployment
-templates:
-  - deployment.yaml
-
-tests:
-  - it: should set webhook default port values
-    asserts:
-      - equal:
-          path: spec.template.spec.containers[0].ports[0].containerPort
-          value: 9443
-      - equal:
-          path: spec.template.spec.containers[0].ports[1].containerPort
-          value: 8777
-      - contains:
-          path: spec.template.spec.containers[0].env
-          content:
-            name: CATTLE_PORT
-            value: "9443"
-      - contains:
-          path: spec.template.spec.containers[0].env
-          content:
-            name: CATTLE_CAPI_PORT
-            value: "8777"
-
-  - it: should set updated webhook port
-    set:
-      port: 2319
-    asserts:
-      - equal:
-          path: spec.template.spec.containers[0].ports[0].containerPort
-          value: 2319
-      - contains:
-          path: spec.template.spec.containers[0].env
-          content:
-            name: CATTLE_PORT
-            value: "2319"
-
-  - it: should set updated capi port
-    set:
-      capi.port: 2319
-    asserts:
-      - equal:
-          path: spec.template.spec.containers[0].ports[1].containerPort
-          value: 2319
-      - contains:
-          path: spec.template.spec.containers[0].env
-          content:
-            name: CATTLE_CAPI_PORT
-            value: "2319"
-
-  - it: should not set capabilities by default.
-    asserts:
-      - isNull:
-          path: spec.template.spec.containers[0].securityContext
-
-  - it: should set net capabilities when capNetBindService is true.
-    set:
-      capNetBindService: true
-    asserts:
-      - contains:
-          path: spec.template.spec.containers[0].securityContext.capabilities.add
-          content: NET_BIND_SERVICE
-
-  - it: should not set volumes or volumeMounts by default
-    asserts:
-      - isNull:
-          path: spec.template.spec.volumes
-      - isNull:
-          path: spec.template.spec.volumeMounts
-
-  - it: should set CA fields when CA options are set
-    set:
-      auth.clientCA: base64-encoded-cert
-      auth.allowedCNs:
-        - kube-apiserver
-        - joe
-    asserts:
-      - contains:
-          path: spec.template.spec.volumes
-          content:
-            name: client-ca
-            secret:
-              secretName: client-ca
-      - contains:
-          path: spec.template.spec.containers[0].volumeMounts
-          content:
-            name: client-ca
-            mountPath: /tmp/k8s-webhook-server/client-ca
-            readOnly: true
-      - contains:
-          path: spec.template.spec.containers[0].env
-          content:
-            name: ALLOWED_CNS
-            value: kube-apiserver,joe
diff --git a/charts/rancher-webhook/103.0.0+up0.4.0-rc9/tests/service_test.yaml b/charts/rancher-webhook/103.0.0+up0.4.0-rc9/tests/service_test.yaml
deleted file mode 100644
index 03172ad03..000000000
--- a/charts/rancher-webhook/103.0.0+up0.4.0-rc9/tests/service_test.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-suite: Test Service
-templates:
-  - service.yaml
-
-tests:
-  - it: should set webhook default port values
-    asserts:
-      - equal:
-          path: spec.ports[0].targetPort
-          value: 9443
-
-  - it: should set updated target port
-    set:
-      port: 2319
-    asserts:
-      - equal:
-          path: spec.ports[0].targetPort
-          value: 2319
diff --git a/charts/rancher-webhook/103.0.0+up0.4.0-rc9/values.yaml b/charts/rancher-webhook/103.0.0+up0.4.0-rc9/values.yaml
deleted file mode 100644
index 22874e289..000000000
--- a/charts/rancher-webhook/103.0.0+up0.4.0-rc9/values.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-image:
-  repository: rancher/rancher-webhook
-  tag: v0.4.0-rc9
-  imagePullPolicy: IfNotPresent
-
-global:
-  cattle:
-    systemDefaultRegistry: ""
-  hostNetwork: false
-
-capi:
-  enabled: false
-  port: 8777
-
-mcm:
-  enabled: true
-
-# tolerations for the webhook deployment. See https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ for more info
-tolerations: []
-nodeSelector: {}
-
-## PriorityClassName assigned to deployment.
-priorityClassName: ""
-
-# port assigns which port to use when running rancher-webhook
-port: 9443
-
-# Parameters for authenticating the kube-apiserver.
-auth:
-  # CA for authenticating kube-apiserver client certs. If empty, client connections will not be authenticated.
-  # Must be base64-encoded.
-  clientCA: ""
-  # Allowlist of CNs for kube-apiserver client certs. If empty, any cert signed by the CA provided in clientCA will be accepted.
-  allowedCNs: []