make charts

2022-01-06 12:23:31 -08:00 · 2022-01-06 12:23:31 -08:00 · e8de4d24f0
parent 362eb78855
commit e8de4d24f0
50 changed files with 13262 additions and 0 deletions
--- a/assets/fleet-agent/fleet-agent-100.0.3+up0.3.9-rc1.tgz
+++ b/assets/fleet-agent/fleet-agent-100.0.3+up0.3.9-rc1.tgz
--- a/assets/fleet-crd/fleet-crd-100.0.3+up0.3.9-rc1.tgz
+++ b/assets/fleet-crd/fleet-crd-100.0.3+up0.3.9-rc1.tgz
--- a/assets/fleet/fleet-100.0.3+up0.3.9-rc1.tgz
+++ b/assets/fleet/fleet-100.0.3+up0.3.9-rc1.tgz
--- a/assets/rancher-webhook/rancher-webhook-1.0.3+up0.2.4-rc2.tgz
+++ b/assets/rancher-webhook/rancher-webhook-1.0.3+up0.2.4-rc2.tgz
--- a/charts/fleet-agent/100.0.3+up0.3.9-rc1/Chart.yaml
+++ b/charts/fleet-agent/100.0.3+up0.3.9-rc1/Chart.yaml
@ -0,0 +1,12 @@
+annotations:
+  catalog.cattle.io/certified: rancher
+  catalog.cattle.io/hidden: "true"
+  catalog.cattle.io/namespace: cattle-fleet-system
+  catalog.cattle.io/os: linux
+  catalog.cattle.io/release-name: fleet-agent
+apiVersion: v2
+appVersion: 0.3.9-rc1
+description: Fleet Manager Agent - GitOps at Scale
+icon: https://charts.rancher.io/assets/logos/fleet.svg
+name: fleet-agent
+version: 100.0.3+up0.3.9-rc1
--- a/charts/fleet-agent/100.0.3+up0.3.9-rc1/templates/_helpers.tpl
+++ b/charts/fleet-agent/100.0.3+up0.3.9-rc1/templates/_helpers.tpl
@ -0,0 +1,7 @@
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- else -}}
+{{- "" -}}
+{{- end -}}
+{{- end -}}
--- a/charts/fleet-agent/100.0.3+up0.3.9-rc1/templates/configmap.yaml
+++ b/charts/fleet-agent/100.0.3+up0.3.9-rc1/templates/configmap.yaml
@ -0,0 +1,12 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: fleet-agent
+data:
+  config: |-
+    {
+      {{ if .Values.labels }}
+      "labels":{{toJson .Values.labels}},
+      {{ end }}
+      "clientID":"{{.Values.clientID}}"
+    }
--- a/charts/fleet-agent/100.0.3+up0.3.9-rc1/templates/deployment.yaml
+++ b/charts/fleet-agent/100.0.3+up0.3.9-rc1/templates/deployment.yaml
@ -0,0 +1,37 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: fleet-agent
+spec:
+  selector:
+    matchLabels:
+      app: fleet-agent
+  template:
+    metadata:
+      labels:
+        app: fleet-agent
+    spec:
+      containers:
+      - env:
+        - name: NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: '{{ template "system_default_registry" . }}{{.Values.image.repository}}:{{.Values.image.tag}}'
+        name: fleet-agent
+        command:
+        - fleetagent
+        {{- if .Values.debug }}
+        - --debug
+        - --debug-level
+        - {{ quote .Values.debugLevel }}
+        {{- end }}
+      serviceAccountName: fleet-agent
+      {{- with .Values.fleetAgent.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.fleetAgent.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
--- a/charts/fleet-agent/100.0.3+up0.3.9-rc1/templates/network_policy_allow_all.yaml
+++ b/charts/fleet-agent/100.0.3+up0.3.9-rc1/templates/network_policy_allow_all.yaml
@ -0,0 +1,15 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-allow-all
+  namespace: {{ .Values.internal.systemNamespace }}
+spec:
+  podSelector: {}
+  ingress:
+  - {}
+  egress:
+  - {}
+  policyTypes:
+  - Ingress
+  - Egress
--- a/charts/fleet-agent/100.0.3+up0.3.9-rc1/templates/patch_default_serviceaccount.yaml
+++ b/charts/fleet-agent/100.0.3+up0.3.9-rc1/templates/patch_default_serviceaccount.yaml
@ -0,0 +1,28 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: patch-fleet-sa
+  annotations:
+    "helm.sh/hook": post-install, post-upgrade
+    "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
+spec:
+  template:
+    spec:
+      serviceAccountName: fleet-agent
+      restartPolicy: Never
+      containers:
+      - name: sa
+        image: "{{ template "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }}"
+        imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+        command: ["kubectl", "patch", "serviceaccount", "default", "-p", "{\"automountServiceAccountToken\": false}"]
+        args: ["-n", {{ .Values.internal.systemNamespace }}]
+      {{- with .Values.kubectl.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.kubectl.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+  backoffLimit: 1
--- a/charts/fleet-agent/100.0.3+up0.3.9-rc1/templates/rbac.yaml
+++ b/charts/fleet-agent/100.0.3+up0.3.9-rc1/templates/rbac.yaml
@ -0,0 +1,25 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: fleet-agent-system-fleet-agent-role
+rules:
+- apiGroups:
+  - '*'
+  resources:
+  - '*'
+  verbs:
+  - '*'
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: fleet-agent-system-fleet-agent-role-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: fleet-agent-system-fleet-agent-role
+subjects:
+- kind: ServiceAccount
+  name: fleet-agent
+  namespace: {{.Release.Namespace}}
--- a/charts/fleet-agent/100.0.3+up0.3.9-rc1/templates/secret.yaml
+++ b/charts/fleet-agent/100.0.3+up0.3.9-rc1/templates/secret.yaml
@ -0,0 +1,10 @@
+apiVersion: v1
+data:
+  systemRegistrationNamespace: "{{b64enc .Values.systemRegistrationNamespace}}"
+  clusterNamespace: "{{b64enc .Values.clusterNamespace}}"
+  token: "{{b64enc .Values.token}}"
+  apiServerURL: "{{b64enc .Values.apiServerURL}}"
+  apiServerCA: "{{b64enc .Values.apiServerCA}}"
+kind: Secret
+metadata:
+  name: fleet-agent-bootstrap
--- a/charts/fleet-agent/100.0.3+up0.3.9-rc1/templates/serviceaccount.yaml
+++ b/charts/fleet-agent/100.0.3+up0.3.9-rc1/templates/serviceaccount.yaml
@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: fleet-agent
--- a/charts/fleet-agent/100.0.3+up0.3.9-rc1/templates/validate.yaml
+++ b/charts/fleet-agent/100.0.3+up0.3.9-rc1/templates/validate.yaml
@ -0,0 +1,11 @@
+{{if ne .Release.Namespace .Values.internal.systemNamespace }}
+{{ fail (printf "This chart must be installed in the namespace %s as the release name fleet-agent" .Values.internal.systemNamespace) }}
+{{end}}
+
+{{if ne .Release.Name .Values.internal.managedReleaseName }}
+{{ fail (printf "This chart must be installed in the namespace %s as the release name fleet-agent" .Values.internal.managedReleaseName) }}
+{{end}}
+
+{{if not .Values.apiServerURL }}
+{{ fail "apiServerURL is required to be set, and most likely also apiServerCA" }}
+{{end}}
--- a/charts/fleet-agent/100.0.3+up0.3.9-rc1/values.yaml
+++ b/charts/fleet-agent/100.0.3+up0.3.9-rc1/values.yaml
@ -0,0 +1,60 @@
+image:
+  os: "windows,linux"
+  repository: rancher/fleet-agent
+  tag: v0.3.9-rc1
+
+# The public URL of the Kubernetes API server running the Fleet Manager must be set here
+# Example: https://example.com:6443
+apiServerURL: ""
+
+# The the pem encoded value of the CA of the Kubernetes API server running the Fleet Manager.
+# If left empty it is assumed this Kubernetes API TLS is signed by a well known CA.
+apiServerCA: ""
+
+# The cluster registration value
+token: ""
+
+# Labels to add to the cluster upon registration only. They are not added after the fact.
+#labels:
+#  foo: bar
+
+# The client ID of the cluster to associate with
+clientID: ""
+
+# The namespace of the cluster we are register with
+clusterNamespace: ""
+
+# The namespace containing the clusters registration secrets
+systemRegistrationNamespace: fleet-clusters-system
+
+# Please do not change the below setting unless you really know what you are doing
+internal:
+  systemNamespace: fleet-system
+  managedReleaseName: fleet-agent
+
+# The nodeSelector and tolerations for the agent deployment
+fleetAgent:
+  nodeSelector: {}
+  tolerations: []
+kubectl:
+  nodeSelector:
+    kubernetes.io/os: linux
+  tolerations:
+    - key: cattle.io/os
+      operator: "Equal"
+      value: "linux"
+      effect: NoSchedule
+    - key: node.cloudprovider.kubernetes.io/uninitialized
+      operator: "Equal"
+      value: "true"
+      effect: NoSchedule
+
+global:
+  cattle:
+    systemDefaultRegistry: ""
+  kubectl:
+    repository: rancher/kubectl
+    tag: v1.21.5
+
+debug: false
+debugLevel: 0
--- a/charts/fleet-crd/100.0.3+up0.3.9-rc1/Chart.yaml
+++ b/charts/fleet-crd/100.0.3+up0.3.9-rc1/Chart.yaml
@ -0,0 +1,12 @@
+annotations:
+  catalog.cattle.io/certified: rancher
+  catalog.cattle.io/hidden: "true"
+  catalog.cattle.io/namespace: cattle-fleet-system
+  catalog.cattle.io/os: linux
+  catalog.cattle.io/release-name: fleet-crd
+apiVersion: v2
+appVersion: 0.3.9-rc1
+description: Fleet Manager CustomResourceDefinitions
+icon: https://charts.rancher.io/assets/logos/fleet.svg
+name: fleet-crd
+version: 100.0.3+up0.3.9-rc1
--- a/charts/fleet-crd/100.0.3+up0.3.9-rc1/templates/crds.yaml
+++ b/charts/fleet-crd/100.0.3+up0.3.9-rc1/templates/crds.yaml
--- a/charts/fleet-crd/100.0.3+up0.3.9-rc1/templates/gitjobs-crds.yaml
+++ b/charts/fleet-crd/100.0.3+up0.3.9-rc1/templates/gitjobs-crds.yaml
--- a/charts/fleet/100.0.3+up0.3.9-rc1/Chart.yaml
+++ b/charts/fleet/100.0.3+up0.3.9-rc1/Chart.yaml
@ -0,0 +1,19 @@
+annotations:
+  catalog.cattle.io/auto-install: fleet-crd=match
+  catalog.cattle.io/certified: rancher
+  catalog.cattle.io/experimental: "true"
+  catalog.cattle.io/hidden: "true"
+  catalog.cattle.io/namespace: cattle-fleet-system
+  catalog.cattle.io/os: linux
+  catalog.cattle.io/provides-gvr: clusters.fleet.cattle.io/v1alpha1
+  catalog.cattle.io/release-name: fleet
+apiVersion: v2
+appVersion: 0.3.9-rc1
+dependencies:
+- condition: gitops.enabled
+  name: gitjob
+  repository: file://./charts/gitjob
+description: Fleet Manager - GitOps at Scale
+icon: https://charts.rancher.io/assets/logos/fleet.svg
+name: fleet
+version: 100.0.3+up0.3.9-rc1
--- a/charts/fleet/100.0.3+up0.3.9-rc1/charts/gitjob/.helmignore
+++ b/charts/fleet/100.0.3+up0.3.9-rc1/charts/gitjob/.helmignore
@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
--- a/charts/fleet/100.0.3+up0.3.9-rc1/charts/gitjob/Chart.yaml
+++ b/charts/fleet/100.0.3+up0.3.9-rc1/charts/gitjob/Chart.yaml
@ -0,0 +1,5 @@
+apiVersion: v2
+appVersion: 0.1.23
+description: Controller that run jobs based on git events
+name: gitjob
+version: 0.1.23
--- a/charts/fleet/100.0.3+up0.3.9-rc1/charts/gitjob/templates/_helpers.tpl
+++ b/charts/fleet/100.0.3+up0.3.9-rc1/charts/gitjob/templates/_helpers.tpl
@ -0,0 +1,7 @@
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- else -}}
+{{- "" -}}
+{{- end -}}
+{{- end -}}
--- a/charts/fleet/100.0.3+up0.3.9-rc1/charts/gitjob/templates/clusterrole.yaml
+++ b/charts/fleet/100.0.3+up0.3.9-rc1/charts/gitjob/templates/clusterrole.yaml
@ -0,0 +1,38 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: gitjob
+rules:
+  - apiGroups:
+      - "batch"
+    resources:
+      - 'jobs'
+    verbs:
+      - '*'
+  - apiGroups:
+      - ""
+    resources:
+      - 'pods'
+    verbs:
+      - 'list'
+      - 'get'
+      - 'watch'
+  - apiGroups:
+      - ""
+    resources:
+      - 'secrets'
+    verbs:
+      - '*'
+  - apiGroups:
+      - ""
+    resources:
+      - 'configmaps'
+    verbs:
+      - '*'
+  - apiGroups:
+      - "gitjob.cattle.io"
+    resources:
+      - "gitjobs"
+      - "gitjobs/status"
+    verbs:
+      - "*"
--- a/charts/fleet/100.0.3+up0.3.9-rc1/charts/gitjob/templates/clusterrolebinding.yaml
+++ b/charts/fleet/100.0.3+up0.3.9-rc1/charts/gitjob/templates/clusterrolebinding.yaml
@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: gitjob-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: gitjob
+subjects:
+  - kind: ServiceAccount
+    name: gitjob
+    namespace: {{ .Release.Namespace }}
--- a/charts/fleet/100.0.3+up0.3.9-rc1/charts/gitjob/templates/deployment.yaml
+++ b/charts/fleet/100.0.3+up0.3.9-rc1/charts/gitjob/templates/deployment.yaml
@ -0,0 +1,45 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: gitjob
+spec:
+  selector:
+    matchLabels:
+      app: "gitjob"
+  template:
+    metadata:
+      labels:
+        app: "gitjob"
+    spec:
+      serviceAccountName: gitjob
+      containers:
+        - image: "{{ template "system_default_registry" . }}{{ .Values.gitjob.repository }}:{{ .Values.gitjob.tag }}"
+          name: gitjob
+          command:
+          - gitjob
+          {{- if .Values.debug }}
+          - --debug
+          {{- end }}
+          - --tekton-image
+          - "{{ template "system_default_registry" . }}{{ .Values.tekton.repository }}:{{ .Values.tekton.tag }}"
+          env:
+            - name: NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+          {{- if .Values.proxy }}
+            - name: HTTP_PROXY
+              value: {{ .Values.proxy }}
+            - name: HTTPS_PROXY
+              value: {{ .Values.proxy }}
+            - name: NO_PROXY
+              value: {{ .Values.noProxy }}
+          {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
--- a/charts/fleet/100.0.3+up0.3.9-rc1/charts/gitjob/templates/service.yaml
+++ b/charts/fleet/100.0.3+up0.3.9-rc1/charts/gitjob/templates/service.yaml
@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: gitjob
+spec:
+  ports:
+    - name: http-80
+      port: 80
+      protocol: TCP
+      targetPort: 8080
+  selector:
+    app: "gitjob"
--- a/charts/fleet/100.0.3+up0.3.9-rc1/charts/gitjob/templates/serviceaccount.yaml
+++ b/charts/fleet/100.0.3+up0.3.9-rc1/charts/gitjob/templates/serviceaccount.yaml
@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: gitjob
--- a/charts/fleet/100.0.3+up0.3.9-rc1/charts/gitjob/values.yaml
+++ b/charts/fleet/100.0.3+up0.3.9-rc1/charts/gitjob/values.yaml
@ -0,0 +1,28 @@
+gitjob:
+  repository: rancher/gitjob
+  tag: v0.1.23
+
+tekton:
+  repository: rancher/tekton-utils
+  tag: v0.1.3
+
+global:
+  cattle:
+    systemDefaultRegistry: ""
+
+# http[s] proxy server
+# proxy: http://<username>@<password>:<url>:<port>
+
+# comma separated list of domains or ip addresses that will not use the proxy
+noProxy: 127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,.svc,.cluster.local
+
+nodeSelector:
+  kubernetes.io/os: linux
+
+tolerations:
+  - key: cattle.io/os
+    operator: "Equal"
+    value: "linux"
+    effect: NoSchedule
+
+debug: false
--- a/charts/fleet/100.0.3+up0.3.9-rc1/templates/_helpers.tpl
+++ b/charts/fleet/100.0.3+up0.3.9-rc1/templates/_helpers.tpl
@ -0,0 +1,7 @@
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- else -}}
+{{- "" -}}
+{{- end -}}
+{{- end -}}
--- a/charts/fleet/100.0.3+up0.3.9-rc1/templates/configmap.yaml
+++ b/charts/fleet/100.0.3+up0.3.9-rc1/templates/configmap.yaml
@ -0,0 +1,24 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: fleet-controller
+data:
+  config: |
+    {
+      "agentImage": "{{ template "system_default_registry" . }}{{.Values.agentImage.repository}}:{{.Values.agentImage.tag}}",
+      "agentImagePullPolicy": "{{ .Values.agentImage.imagePullPolicy }}",
+      "apiServerURL": "{{.Values.apiServerURL}}",
+      "apiServerCA": "{{b64enc .Values.apiServerCA}}",
+      "agentCheckinInterval": "{{.Values.agentCheckinInterval}}",
+      "ignoreClusterRegistrationLabels": {{.Values.ignoreClusterRegistrationLabels}},
+      "bootstrap": {
+        "paths": "{{.Values.bootstrap.paths}}",
+        "repo": "{{.Values.bootstrap.repo}}",
+        "secret": "{{.Values.bootstrap.secret}}",
+        "branch":  "{{.Values.bootstrap.branch}}",
+        "namespace": "{{.Values.bootstrap.namespace}}",
+        "agentNamespace": "{{.Values.bootstrap.agentNamespace}}",
+      },
+      "webhookReceiverURL": "{{.Values.webhookReceiverURL}}",
+      "githubURLPrefix": "{{.Values.githubURLPrefix}}"
+    }
--- a/charts/fleet/100.0.3+up0.3.9-rc1/templates/deployment.yaml
+++ b/charts/fleet/100.0.3+up0.3.9-rc1/templates/deployment.yaml
@ -0,0 +1,49 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: fleet-controller
+spec:
+  selector:
+    matchLabels:
+      app: fleet-controller
+  template:
+    metadata:
+      labels:
+        app: fleet-controller
+    spec:
+      containers:
+      - env:
+        - name: NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        {{- if .Values.proxy }}
+        - name: HTTP_PROXY
+          value: {{ .Values.proxy }}
+        - name: HTTPS_PROXY
+          value: {{ .Values.proxy }}
+        - name: NO_PROXY
+          value: {{ .Values.noProxy }}
+        {{- end }}
+        image: '{{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}'
+        name: fleet-controller
+        imagePullPolicy: "{{ .Values.image.imagePullPolicy }}"
+        command:
+        - fleetcontroller
+        {{- if .Values.debug }}
+        - --debug
+        - --debug-level
+        - {{ quote .Values.debugLevel }}
+        {{- end }}
+        {{- if not .Values.gitops.enabled }}
+        - --disable-gitops
+        {{- end }}
+      serviceAccountName: fleet-controller
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
--- a/charts/fleet/100.0.3+up0.3.9-rc1/templates/rbac.yaml
+++ b/charts/fleet/100.0.3+up0.3.9-rc1/templates/rbac.yaml
@ -0,0 +1,106 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: fleet-controller
+rules:
+- apiGroups:
+  - gitjob.cattle.io
+  resources:
+  - '*'
+  verbs:
+  - '*'
+- apiGroups:
+  - fleet.cattle.io
+  resources:
+  - '*'
+  verbs:
+  - '*'
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  - serviceaccounts
+  verbs:
+  - '*'
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  - configmaps
+  verbs:
+  - '*'
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - clusterroles
+  - clusterrolebindings
+  - roles
+  - rolebindings
+  verbs:
+  - '*'
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: fleet-controller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: fleet-controller
+subjects:
+- kind: ServiceAccount
+  name: fleet-controller
+  namespace: {{.Release.Namespace}}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: fleet-controller
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - '*'
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: fleet-controller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: fleet-controller
+subjects:
+- kind: ServiceAccount
+  name: fleet-controller
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: fleet-controller-bootstrap
+rules:
+- apiGroups:
+  - '*'
+  resources:
+  - '*'
+  verbs:
+  - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: fleet-controller-bootstrap
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: fleet-controller-bootstrap
+subjects:
+- kind: ServiceAccount
+  name: fleet-controller-bootstrap
+  namespace: {{.Release.Namespace}}
--- a/charts/fleet/100.0.3+up0.3.9-rc1/templates/serviceaccount.yaml
+++ b/charts/fleet/100.0.3+up0.3.9-rc1/templates/serviceaccount.yaml
@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: fleet-controller
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: fleet-controller-bootstrap
--- a/charts/fleet/100.0.3+up0.3.9-rc1/values.yaml
+++ b/charts/fleet/100.0.3+up0.3.9-rc1/values.yaml
@ -0,0 +1,62 @@
+image:
+  repository: rancher/fleet
+  tag: v0.3.9-rc1
+  imagePullPolicy: IfNotPresent
+
+agentImage:
+  repository: rancher/fleet-agent
+  tag: v0.3.9-rc1
+  imagePullPolicy: IfNotPresent
+
+# For cluster registration the public URL of the Kubernetes API server must be set here
+# Example: https://example.com:6443
+apiServerURL: ""
+
+# For cluster registration the pem encoded value of the CA of the Kubernetes API server must be set here
+# If left empty it is assumed this Kubernetes API TLS is signed by a well known CA.
+apiServerCA: ""
+
+# A duration string for how often agents should report a heartbeat
+agentCheckinInterval: "15m"
+
+# Whether you want to allow cluster upon registration to specify their labels.
+ignoreClusterRegistrationLabels: false
+
+# http[s] proxy server
+# proxy: http://<username>@<password>:<url>:<port>
+
+# comma separated list of domains or ip addresses that will not use the proxy
+noProxy: 127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,.svc,.cluster.local
+
+bootstrap:
+  # The namespace that will be autocreated and the local cluster will be registered in
+  namespace: fleet-local
+  # The namespace where the fleet agent for the local cluster will be ran, if empty
+  # this will default to fleet-system
+  agentNamespace: ""
+  # A repo to add at install time that will deploy to the local cluster. This allows
+  # one to fully bootstrap fleet, it's configuration and all it's downstream clusters
+  # in one shot.
+  repo: ""
+  secret: ""
+  branch: master
+  paths: ""
+
+global:
+  cattle:
+    systemDefaultRegistry: ""
+
+nodeSelector:
+  kubernetes.io/os: linux
+
+tolerations:
+  - key: cattle.io/os
+    operator: "Equal"
+    value: "linux"
+    effect: NoSchedule
+
+gitops:
+  enabled: true
+
+debug: false
+debugLevel: 0
--- a/charts/rancher-webhook/1.0.3+up0.2.4-rc2/Chart.yaml
+++ b/charts/rancher-webhook/1.0.3+up0.2.4-rc2/Chart.yaml
@ -0,0 +1,15 @@
+annotations:
+  catalog.cattle.io/certified: rancher
+  catalog.cattle.io/hidden: "true"
+  catalog.cattle.io/namespace: cattle-system
+  catalog.cattle.io/os: linux
+  catalog.cattle.io/release-name: rancher-webhook
+apiVersion: v2
+appVersion: 0.2.4-rc2
+dependencies:
+- condition: capi.enabled
+  name: capi
+  repository: ""
+description: ValidatingAdmissionWebhook for Rancher types
+name: rancher-webhook
+version: 1.0.3+up0.2.4-rc2
--- a/charts/rancher-webhook/1.0.3+up0.2.4-rc2/charts/capi/Chart.yaml
+++ b/charts/rancher-webhook/1.0.3+up0.2.4-rc2/charts/capi/Chart.yaml
@ -0,0 +1,4 @@
+apiVersion: v2
+appVersion: 0.0.0
+name: capi
+version: 0.0.0
--- a/charts/rancher-webhook/1.0.3+up0.2.4-rc2/charts/capi/templates/service.yaml
+++ b/charts/rancher-webhook/1.0.3+up0.2.4-rc2/charts/capi/templates/service.yaml
@ -0,0 +1,13 @@
+kind: Service
+apiVersion: v1
+metadata:
+  name: webhook-service
+  annotations:
+    need-a-cert.cattle.io/secret-name: rancher-webhook-tls
+spec:
+  ports:
+  - name: https
+    port: 443
+    targetPort: 8777
+  selector:
+    app: rancher-webhook
--- a/charts/rancher-webhook/1.0.3+up0.2.4-rc2/templates/_helpers.tpl
+++ b/charts/rancher-webhook/1.0.3+up0.2.4-rc2/templates/_helpers.tpl
@ -0,0 +1,11 @@
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- else -}}
+{{- "" -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "rancher-webhook.labels" -}}
+app: rancher-webhook
+{{- end }}
--- a/charts/rancher-webhook/1.0.3+up0.2.4-rc2/templates/deployment.yaml
+++ b/charts/rancher-webhook/1.0.3+up0.2.4-rc2/templates/deployment.yaml
@ -0,0 +1,44 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: rancher-webhook
+spec:
+  selector:
+    matchLabels:
+      app: rancher-webhook
+  template:
+    metadata:
+      labels:
+        app: rancher-webhook
+    spec:
+      volumes:
+      - name: tls
+        secret:
+          secretName: rancher-webhook-tls
+      {{- if .Values.global.hostNetwork }}
+      hostNetwork: true
+      {{- end }}
+      containers:
+      - env:
+        - name: STAMP
+          value: "{{.Values.stamp}}"
+        - name: ENABLE_CAPI
+          value: "{{.Values.capi.enabled}}"
+        - name: ENABLE_MCM
+          value: "{{.Values.mcm.enabled}}"
+        - name: NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: '{{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}'
+        name: rancher-webhook
+        imagePullPolicy: "{{ .Values.image.imagePullPolicy }}"
+        ports:
+        - name: https
+          containerPort: 9443
+        - name: capi-https
+          containerPort: 8777
+        volumeMounts:
+        - name: tls
+          mountPath: /tmp/k8s-webhook-server/serving-certs
+      serviceAccountName: rancher-webhook
--- a/charts/rancher-webhook/1.0.3+up0.2.4-rc2/templates/pre-delete-hook-cluster-role-binding.yaml
+++ b/charts/rancher-webhook/1.0.3+up0.2.4-rc2/templates/pre-delete-hook-cluster-role-binding.yaml
@ -0,0 +1,19 @@
+{{- if .Values.preDelete.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: rancher-webhook-pre-delete
+  labels: {{ include "rancher-webhook.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-weight": "2"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: rancher-webhook-pre-delete
+subjects:
+  - kind: ServiceAccount
+    name: rancher-webhook-pre-delete
+    namespace: {{ .Release.Namespace }}
+{{- end }}
--- a/charts/rancher-webhook/1.0.3+up0.2.4-rc2/templates/pre-delete-hook-cluster-role.yaml
+++ b/charts/rancher-webhook/1.0.3+up0.2.4-rc2/templates/pre-delete-hook-cluster-role.yaml
@ -0,0 +1,23 @@
+{{- if .Values.preDelete.enabled }}
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: rancher-webhook-pre-delete
+  labels: {{ include "rancher-webhook.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-weight": "1"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
+rules:
+  - apiGroups: [ "admissionregistration.k8s.io" ]
+    resources: [ "mutatingwebhookconfigurations" ]
+    verbs: [ "delete" ]
+    resourceNames: [ "rancher.cattle.io" ]
+  - apiGroups: [ "" ]
+    resources: [ "serviceaccounts" ]
+    verbs: [ "get" ]
+  - apiGroups: [ "policy" ]
+    resources: [ "podsecuritypolicies" ]
+    verbs: [ "use" ]
+    resourceNames: [ "rancher-webhook-pre-delete" ]
+{{- end }}
--- a/charts/rancher-webhook/1.0.3+up0.2.4-rc2/templates/pre-delete-hook-job.yaml
+++ b/charts/rancher-webhook/1.0.3+up0.2.4-rc2/templates/pre-delete-hook-job.yaml
@ -0,0 +1,26 @@
+{{- if .Values.preDelete.enabled }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: rancher-webhook-pre-delete
+  namespace: {{ .Release.Namespace }}
+  labels: {{ include "rancher-webhook.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-weight": "3"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+spec:
+  backoffLimit: 3
+  template:
+    metadata:
+      name: rancher-webhook-pre-delete
+      labels: {{ include "rancher-webhook.labels" . | nindent 8 }}
+    spec:
+      serviceAccountName: rancher-webhook-pre-delete
+      restartPolicy: OnFailure
+      containers:
+        - name: rancher-webhook-pre-delete
+          image: "{{ include "system_default_registry" . }}{{ .Values.preDelete.image.repository }}:{{ .Values.preDelete.image.tag }}"
+          imagePullPolicy: IfNotPresent
+          command: [ "kubectl", "delete", "--ignore-not-found=true", "mutatingwebhookconfigurations", "rancher.cattle.io" ]
+{{- end }}
--- a/charts/rancher-webhook/1.0.3+up0.2.4-rc2/templates/pre-delete-hook-psp.yaml
+++ b/charts/rancher-webhook/1.0.3+up0.2.4-rc2/templates/pre-delete-hook-psp.yaml
@ -0,0 +1,33 @@
+{{- if .Values.preDelete.enabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: rancher-webhook-pre-delete
+  labels: {{ include "rancher-webhook.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-weight": "1"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
+spec:
+  privileged: false
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    rule: 'RunAsAny'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'MustRunAs'
+    ranges:
+      - min: 1
+        max: 65535
+  fsGroup:
+    rule: 'MustRunAs'
+    ranges:
+      - min: 1
+        max: 65535
+  readOnlyRootFilesystem: false
+  volumes:
+    - 'secret'
+{{- end }}
--- a/charts/rancher-webhook/1.0.3+up0.2.4-rc2/templates/pre-delete-hook-service-account.yaml
+++ b/charts/rancher-webhook/1.0.3+up0.2.4-rc2/templates/pre-delete-hook-service-account.yaml
@ -0,0 +1,12 @@
+{{- if .Values.preDelete.enabled }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: rancher-webhook-pre-delete
+  namespace: {{ .Release.Namespace }}
+  labels: {{ include "rancher-webhook.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-weight": "1"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
+{{- end }}
--- a/charts/rancher-webhook/1.0.3+up0.2.4-rc2/templates/rbac.yaml
+++ b/charts/rancher-webhook/1.0.3+up0.2.4-rc2/templates/rbac.yaml
@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: rancher-webhook
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- kind: ServiceAccount
+  name: rancher-webhook
+  namespace: {{.Release.Namespace}}
--- a/charts/rancher-webhook/1.0.3+up0.2.4-rc2/templates/service.yaml
+++ b/charts/rancher-webhook/1.0.3+up0.2.4-rc2/templates/service.yaml
@ -0,0 +1,13 @@
+kind: Service
+apiVersion: v1
+metadata:
+  name: rancher-webhook
+  namespace: cattle-system
+spec:
+  ports:
+  - port: 443
+    targetPort: 9443
+    protocol: TCP
+    name: https
+  selector:
+    app: rancher-webhook
--- a/charts/rancher-webhook/1.0.3+up0.2.4-rc2/templates/serviceaccount.yaml
+++ b/charts/rancher-webhook/1.0.3+up0.2.4-rc2/templates/serviceaccount.yaml
@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: rancher-webhook
--- a/charts/rancher-webhook/1.0.3+up0.2.4-rc2/templates/webhook.yaml
+++ b/charts/rancher-webhook/1.0.3+up0.2.4-rc2/templates/webhook.yaml
@ -0,0 +1,19 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: rancher.cattle.io
+webhooks:
+- admissionReviewVersions:
+  - v1
+  - v1beta1
+  clientConfig:
+    service:
+      name: rancher-webhook
+      namespace: cattle-system
+      path: /v1/webhook/validation
+      port: 443
+  failurePolicy: Ignore
+  matchPolicy: Equivalent
+  name: rancher.cattle.io
+  sideEffects: None
+  timeoutSeconds: 10
--- a/charts/rancher-webhook/1.0.3+up0.2.4-rc2/values.yaml
+++ b/charts/rancher-webhook/1.0.3+up0.2.4-rc2/values.yaml
@ -0,0 +1,21 @@
+image:
+  repository: rancher/rancher-webhook
+  tag: v0.2.4-rc2
+  imagePullPolicy: IfNotPresent
+
+global:
+  cattle:
+    systemDefaultRegistry: ""
+  hostNetwork: false
+
+capi:
+  enabled: false
+
+mcm:
+  enabled: true
+
+preDelete:
+  enabled: true
+  image:
+    repository: rancher/kubectl
+    tag: v1.20.2
--- a/index.yaml
+++ b/index.yaml
@ -1,6 +1,29 @@
 apiVersion: v1
 entries:
  fleet:
+  - annotations:
+      catalog.cattle.io/auto-install: fleet-crd=match
+      catalog.cattle.io/certified: rancher
+      catalog.cattle.io/experimental: "true"
+      catalog.cattle.io/hidden: "true"
+      catalog.cattle.io/namespace: cattle-fleet-system
+      catalog.cattle.io/os: linux
+      catalog.cattle.io/provides-gvr: clusters.fleet.cattle.io/v1alpha1
+      catalog.cattle.io/release-name: fleet
+    apiVersion: v2
+    appVersion: 0.3.9-rc1
+    created: "2022-01-06T12:22:52.988147-08:00"
+    dependencies:
+    - condition: gitops.enabled
+      name: gitjob
+      repository: file://./charts/gitjob
+    description: Fleet Manager - GitOps at Scale
+    digest: 0bdb5e5b40dd2a8314ded6f7168ce3cb87b0a625578acdc3a0dc2d3aa023ecb2
+    icon: https://charts.rancher.io/assets/logos/fleet.svg
+    name: fleet
+    urls:
+    - assets/fleet/fleet-100.0.3+up0.3.9-rc1.tgz
+    version: 100.0.3+up0.3.9-rc1
  - annotations:
      catalog.cattle.io/auto-install: fleet-crd=match
      catalog.cattle.io/certified: rancher
@ -185,6 +208,22 @@ entries:
    - assets/fleet/fleet-0.3.000.tgz
    version: 0.3.000
  fleet-agent:
+  - annotations:
+      catalog.cattle.io/certified: rancher
+      catalog.cattle.io/hidden: "true"
+      catalog.cattle.io/namespace: cattle-fleet-system
+      catalog.cattle.io/os: linux
+      catalog.cattle.io/release-name: fleet-agent
+    apiVersion: v2
+    appVersion: 0.3.9-rc1
+    created: "2022-01-06T12:22:54.608073-08:00"
+    description: Fleet Manager Agent - GitOps at Scale
+    digest: 873aad501d391986bcffd12227c86a86bef0a024675cca9a5cda083b1762b274
+    icon: https://charts.rancher.io/assets/logos/fleet.svg
+    name: fleet-agent
+    urls:
+    - assets/fleet-agent/fleet-agent-100.0.3+up0.3.9-rc1.tgz
+    version: 100.0.3+up0.3.9-rc1
  - annotations:
      catalog.cattle.io/certified: rancher
      catalog.cattle.io/hidden: "true"
@ -330,6 +369,22 @@ entries:
    - assets/fleet-agent/fleet-agent-0.3.000.tgz
    version: 0.3.000
  fleet-crd:
+  - annotations:
+      catalog.cattle.io/certified: rancher
+      catalog.cattle.io/hidden: "true"
+      catalog.cattle.io/namespace: cattle-fleet-system
+      catalog.cattle.io/os: linux
+      catalog.cattle.io/release-name: fleet-crd
+    apiVersion: v2
+    appVersion: 0.3.9-rc1
+    created: "2022-01-06T12:22:59.527333-08:00"
+    description: Fleet Manager CustomResourceDefinitions
+    digest: 9fe2dffc184ace4d545c3033722ecaaa6a5b37e36ae7fdc1b5c6b0db6174b804
+    icon: https://charts.rancher.io/assets/logos/fleet.svg
+    name: fleet-crd
+    urls:
+    - assets/fleet-crd/fleet-crd-100.0.3+up0.3.9-rc1.tgz
+    version: 100.0.3+up0.3.9-rc1
  - annotations:
      catalog.cattle.io/certified: rancher
      catalog.cattle.io/hidden: "true"
@ -5710,6 +5765,25 @@ entries:
    - assets/rancher-vsphere-csi/rancher-vsphere-csi-2.1.000.tgz
    version: 2.1.000
  rancher-webhook:
+  - annotations:
+      catalog.cattle.io/certified: rancher
+      catalog.cattle.io/hidden: "true"
+      catalog.cattle.io/namespace: cattle-system
+      catalog.cattle.io/os: linux
+      catalog.cattle.io/release-name: rancher-webhook
+    apiVersion: v2
+    appVersion: 0.2.4-rc2
+    created: "2022-01-06T12:23:27.134-08:00"
+    dependencies:
+    - condition: capi.enabled
+      name: capi
+      repository: ""
+    description: ValidatingAdmissionWebhook for Rancher types
+    digest: 4c38fa26d4a5629baf18b43898c7589db49bf9fda982cad132117af2aeb4e869
+    name: rancher-webhook
+    urls:
+    - assets/rancher-webhook/rancher-webhook-1.0.3+up0.2.4-rc2.tgz
+    version: 1.0.3+up0.2.4-rc2
  - annotations:
      catalog.cattle.io/certified: rancher
      catalog.cattle.io/hidden: "true"