From f9ccc2cb5f3844ef034adc7eceac5094feb74669 Mon Sep 17 00:00:00 2001
From: Colleen Murphy <colleen.murphy@suse.com>
Date: Fri, 18 Aug 2023 15:30:42 -0700
Subject: [PATCH] make charts

---
 .../rancher-webhook-103.0.0+up0.4.0-rc2.tgz   | Bin 0 -> 3168 bytes
 .../103.0.0+up0.4.0-rc2/Chart.yaml            |  18 ++++
 .../charts/capi/Chart.yaml                    |   4 +
 .../charts/capi/templates/service.yaml        |  13 +++
 .../templates/_helpers.tpl                    |  22 ++++
 .../templates/deployment.yaml                 | 102 ++++++++++++++++++
 .../103.0.0+up0.4.0-rc2/templates/rbac.yaml   |  12 +++
 .../103.0.0+up0.4.0-rc2/templates/secret.yaml |  11 ++
 .../templates/service.yaml                    |  13 +++
 .../templates/serviceaccount.yaml             |  11 ++
 .../templates/webhook.yaml                    |   9 ++
 .../103.0.0+up0.4.0-rc2/tests/README.md       |  16 +++
 .../tests/capi-service_test.yaml              |  20 ++++
 .../tests/deployment_test.yaml                |  94 ++++++++++++++++
 .../tests/service_test.yaml                   |  18 ++++
 .../103.0.0+up0.4.0-rc2/values.yaml           |  34 ++++++
 index.yaml                                    |  22 ++++
 17 files changed, 419 insertions(+)
 create mode 100644 assets/rancher-webhook/rancher-webhook-103.0.0+up0.4.0-rc2.tgz
 create mode 100644 charts/rancher-webhook/103.0.0+up0.4.0-rc2/Chart.yaml
 create mode 100644 charts/rancher-webhook/103.0.0+up0.4.0-rc2/charts/capi/Chart.yaml
 create mode 100644 charts/rancher-webhook/103.0.0+up0.4.0-rc2/charts/capi/templates/service.yaml
 create mode 100644 charts/rancher-webhook/103.0.0+up0.4.0-rc2/templates/_helpers.tpl
 create mode 100644 charts/rancher-webhook/103.0.0+up0.4.0-rc2/templates/deployment.yaml
 create mode 100644 charts/rancher-webhook/103.0.0+up0.4.0-rc2/templates/rbac.yaml
 create mode 100644 charts/rancher-webhook/103.0.0+up0.4.0-rc2/templates/secret.yaml
 create mode 100644 charts/rancher-webhook/103.0.0+up0.4.0-rc2/templates/service.yaml
 create mode 100644 charts/rancher-webhook/103.0.0+up0.4.0-rc2/templates/serviceaccount.yaml
 create mode 100644 charts/rancher-webhook/103.0.0+up0.4.0-rc2/templates/webhook.yaml
 create mode 100644 charts/rancher-webhook/103.0.0+up0.4.0-rc2/tests/README.md
 create mode 100644 charts/rancher-webhook/103.0.0+up0.4.0-rc2/tests/capi-service_test.yaml
 create mode 100644 charts/rancher-webhook/103.0.0+up0.4.0-rc2/tests/deployment_test.yaml
 create mode 100644 charts/rancher-webhook/103.0.0+up0.4.0-rc2/tests/service_test.yaml
 create mode 100644 charts/rancher-webhook/103.0.0+up0.4.0-rc2/values.yaml

diff --git a/assets/rancher-webhook/rancher-webhook-103.0.0+up0.4.0-rc2.tgz b/assets/rancher-webhook/rancher-webhook-103.0.0+up0.4.0-rc2.tgz
new file mode 100644
index 0000000000000000000000000000000000000000..a41e5ea46a2161a6ca4e473ca5be98ff932917ec
GIT binary patch
literal 3168
zcmV-m44?BKiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc
zVQyr3R8em|NM&qo0PH;PZ`-(%{j9%Y;M}1fu99WPv0LHx0I!?fE6}7t5_IvfSY&Bw
zY;#MKsz@c9P4mA$kd$OemhCk5bM`%Wz9go|;gFo)94R3@oMGbL;dmy*m-c8z66M{K
zIeWD;@O|I!_j=~9@B8(?oldv&s?+QB2ZMp%^N(NoonH5({|fxwk+2$4sYvq5-+He4
z;{Hv5a4r;4RB#zM03lI?iK!P7r5Jitv_ni3oluMd$atl(+l)pL@&H;YNwL+~<x4t7
z_ZAaL1rOl$|NQ_RuhaK@*N6Xwj@KRNe_uBa<z$XBCLso38(n!X70w$w3mE{TJpHrr
zX^hF7D(M!z-rP|hi96ZYI~R`%*<J5#Ms?SFx0>h#84`)ECcfCbT+kd6)6Y55+pa_6
zxcKRNJ<oTOu<Jw^Bae`W6lLJJ5DFeqWjci<rXF%KW*9jDb`ss_03;X-NtH<M18B9J
z2xXYi*pB;57>$Ucd^(KgRO%Uju_VDnByefT1a%*ybec&oHlyPod%oxYPZ}>serbk2
zz;{7i|KAdpqTH<k*rfma{*wMb=?o6~e;+{SWQsveXJky#t_wbZBGUkF7t#)35L~2;
zT?j_Q`v5*n&V{;2P$E~3Gi72-SY}!jGgARr?fo7nBxULnr&Ov;R{_j~ROhJfMDito
z31Jc)N9#2`GShc?J3uTF6~NoUVBk3Oa9-)7Es^6Kff5W8YvPQGQ!|8YMG#@k#Qhw(
z^56;)W=h2}Xd7FVa8xL@CXYlY+o9kg#!9wjIKwDqluuo}rJ+XLR)lip5+1pW+1h5d
zxkwNwp9rT!M*zS6=5P_=6*3H!NCJ3xbey9jxJal-sJb69BIP-mBM>R+lw$-+l*x7C
zdQY=|&XL)ZY?Oq%84YK)NeM_L!rcrxBq`^VPnT4?-OqQu-m%7XK@u`Yg^ArblByYU
zMMGmg%sv{MPGTxCxy8hDbQgUHM=%;Tjj8sBkWu6cw2vV@_%H#S$Ljt~(Jna0(4O2K
zWem7bFvc=cj65^lSt`w=F_GBsxyVBi*=H8lXqd6r5eyj<cZ^B}VgjRcyS671M)<vH
zgzQYl_huVLLx>Y`OCyYc@?uI$v?e&ztYhgRdU}jT=avgzSpMt!U*SAvM4@co%#g*H
zNKeIEnt~1b-yfWGYx=+6?{^RSe;@Gh;6j8G$`M*tE8j#`E#D-WUT%T=_~_`4bOPRI
z>mXRYo_o8E`n(txCzPuRwEkPRThBs(Ok(k)wV(%iwDiAIUQvy^Jx0dJq(wmDc-ghh
zG1U>7NWs+_yQJVVL@s<mZM@16h}Ja5l?t-4x&bE>3{?QFb8%&Dh>4U$tnq0Z&^rB^
z64qM1o)Q@{vmBO&s=Zo7KqXAg=f7J1OSWc9Z*YVB_dC8{lmEf-;N&3x`vA=#|E29I
z1V0qAX?}l$Oc6jtLj^`+79lH%W7)p#IA17_0(f8WiZe$=BBDr81f_KulQD++Y0kmc
zC7cr#&ORFXv<(1_5(<#BXg01ip9WSzu@VVDPKJg|xrwCMf^v9mH^?ij`r~6Z>{hUJ
zj<Sp;QyvwxjW~-=ZnjN|$%1H!VS;M0h`i;zX+zz`$W;`qT0lOxed31Xi4@fPZ(4b#
z>`SiwqHD$9H$M9coHc*>0Voey8m&@`9()5%d8GZgw<{?tBL!nhK#6~lIcx6m4Vp1l
z2(38!E9k6Pkus_Mm86#Am_|y=9STDGYX}Vm*MSQr1q<sAw~JHH`Qz$(cy>|Zh1|3~
zJmhmrMdtD2V{2*X>G|--kEb`I;l+ow2+G2-2G7~(Y%Q93IA4clG`zn4czSd3>GFCR
z%>s*wmlg_8$3yT9zNSK9v3W~K^%6H?Hp{G`*Wv3L^ykB~)2oZ&=(LXar$o%l5(+S(
z$f8S}R9mz53!-L0p)b86r&{!_D2qjy0u3|`KYsl5%jx@@(fQT#YF|G*z#oEgXuWAQ
zVS8PfvBHsAKEdM175y5|)Pu*zhlfG}%wTVk%7DkmVCk_U(+UyIR;ofzIls|bLRjkp
zWyaG-Etdt#<QYmkS4iT83BXHJG_hjCfoQ&RpN@4E8<sF@zeuI=MIy#n<|jSL&sEa^
z5F6fVwP#3}n*G(PJ~Xqp40Y8fGMu4FT>Ss_^~F{B*@RG*CU`wdP|gI40_gjt$1x^U
zL{}IJ9?1YsibsszB1b7-i0qYgJ=4R;eT*}a@-iPa2+ot7jb?WPV6O371<_XXxc%j=
zEZhs55^3u{luuog6DbW%kVKz2yRR7Ubrh~%>uPu8Nfb5>`)=w=`*)7&N6Mosz3>pr
zeI<se$-N1#@XrcUg(N0p%BZ3!tIS5CsM_Gd`RVn|j~~w8-&~zue*RF>@JsYbOT;h?
z^*%KEfz4jSQkrmqvnhjEvVrxd3$<3F?xo|G18fJY<Nst#!rj~hZOZ@kj_db7{Z97~
z|L+CLF}*o)t(-+d|1xoe_vNigC>4SJh^10taw!;U)kyjD2?2j17-mi>iRsUYNaHn=
zIRHy@EiSlin@gfO<&I3pe_*K0)wmsVRZ){GDYETZMZv>^cWJNcz4N?vRl4jy4pz&*
zjrVt<0XE71ardMy|0n)I{`UgklmA=kzg22kI!>+)LgIy4+_5|+msibX4LYRk%dM>b
zQTH(h@F^x=Q*;ha$#Y<x{2Nue0|l^A{`>X(f4_fnsQ=gtRLo{wkT;w5HNu(a*NY5@
zn?=;U-m!@z6iKG2z9-=kCqju(umG+{HXT{brc`ef8Z-Ydz2AQ~*eL(Rx>DPyfsOvZ
zU%UVB`rYHsLH_pvHHmNZqBpAn*LCZ<<9V1|nMOJSsFfw>)nld@t6a_6x*BFBP9fni
zMxgT;6Dc@Rwqk009}_9-)4*+31uJ;#rBC2xVYU3{H4}TV|0liW`XB!w|NDT-oqk>r
zp53oBrvMfO<XPSLNbm`rrndWP5noisFR6>CO?;NB?WTR{z5YAGviwUW+n1-q_h+Zx
zJle?|8}0v~F8{qjzju)TeSmXx1Wbg4L4>!UPoMHBP%c%H+R9tU`DBbObOQJ(Wema@
zNfeAeK$3E}qiP1kT)XATImh|^_ut1v&K$38O|@*BF|r*}&<_ig-2kppDve13nG!v(
zDX6t`2+r<df$qrAMHn+(X2|9cvvf*1OlTq%xRtiNZ(h<prD~Rry->{Cx|^GFs`PrR
zzq~0`j-E~LhntgM?ILG(5ifmqyMSi-H@C@I0B~d0yp0#IN&fr&Ufuuq{o{lD?*n8?
z6=qVHX8{Ty&_?aK?2?$SNDn!NYiw_-0+2J2vIr!q(u)>0oHx<EeaXmH;VrJ@%Qx1g
z>slfumTD+mz^|!&qa+7=i!WmgP4Yng>i^~~k_*fADfV@d24d4VvT=hMY-nvH(&jO`
z$DMckCf&@r%kyuR|3&TZ_R_ym{!jctJ^w%GcMkRcdx5h2m#TPcDxg*i?rb6O-z5_{
z8J_vIC|A^CQpiiC%4u0--sSnm?I-JOoXn_}e6p;se8zmpZ)<g2$ZNGr>k1kdm63Y&
zt(TyvsTy)Ymfok<S{<D8QIis`>EFGxR7vyyJx*B@w0=9ag?h3<+wq2O7Mqva(Dh8(
zysKO&v$N$wFBsqF3eRiaK`PHv_M9!Om6|mkGOv?k-tk<nV58FbCSC&%RC})TVYWD)
z+FHCa%^r!OhO=8Pky~{h*~=Ipl1j~F>1eh-nQV&Z549vUp5bU{tF*Jj8x29kwv?YF
zsC(28t#YFt)LwiwRhs3FrMFH?<(AdAUP}-D5W6`2>V9ny$)@VfruR@_!@DS3acJe3
zwjleN)v7D%RrjM4n``<Dby($<H=09U+Ic;|*3caP?JV_UU{n6*<akhz|NOz>{%0@n
zg#1q>)3dM0?@8GZ`<;sCC33cLd0!?~^DlwA{Fjq`yZRQ~Ci(XV$MyT)UjLB)-3zS!
z44LowPU*v9x78;vP5J?L0PEy`SGAxU?|(bB{BO78AL>8$1K(NyS&m_-d3AWHQi~%-
zE-?XU>0^jCVr%{uqWOS9L%C@ERoUm1kD7O@P5J1dIP?GqIKTnQ@Xr7M0RR7u-CmLa
GS^xlYB0yXK

literal 0
HcmV?d00001

diff --git a/charts/rancher-webhook/103.0.0+up0.4.0-rc2/Chart.yaml b/charts/rancher-webhook/103.0.0+up0.4.0-rc2/Chart.yaml
new file mode 100644
index 000000000..e072fb79c
--- /dev/null
+++ b/charts/rancher-webhook/103.0.0+up0.4.0-rc2/Chart.yaml
@@ -0,0 +1,18 @@
+annotations:
+  catalog.cattle.io/certified: rancher
+  catalog.cattle.io/hidden: "true"
+  catalog.cattle.io/kube-version: '>= 1.16.0-0 < 1.27.0-0'
+  catalog.cattle.io/namespace: cattle-system
+  catalog.cattle.io/os: linux
+  catalog.cattle.io/permits-os: linux,windows
+  catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0'
+  catalog.cattle.io/release-name: rancher-webhook
+apiVersion: v2
+appVersion: 0.4.0-rc2
+dependencies:
+- condition: capi.enabled
+  name: capi
+  repository: ""
+description: ValidatingAdmissionWebhook for Rancher types
+name: rancher-webhook
+version: 103.0.0+up0.4.0-rc2
diff --git a/charts/rancher-webhook/103.0.0+up0.4.0-rc2/charts/capi/Chart.yaml b/charts/rancher-webhook/103.0.0+up0.4.0-rc2/charts/capi/Chart.yaml
new file mode 100644
index 000000000..388210bef
--- /dev/null
+++ b/charts/rancher-webhook/103.0.0+up0.4.0-rc2/charts/capi/Chart.yaml
@@ -0,0 +1,4 @@
+apiVersion: v2
+appVersion: 0.0.0
+name: capi
+version: 0.0.0
diff --git a/charts/rancher-webhook/103.0.0+up0.4.0-rc2/charts/capi/templates/service.yaml b/charts/rancher-webhook/103.0.0+up0.4.0-rc2/charts/capi/templates/service.yaml
new file mode 100644
index 000000000..de7c255c4
--- /dev/null
+++ b/charts/rancher-webhook/103.0.0+up0.4.0-rc2/charts/capi/templates/service.yaml
@@ -0,0 +1,13 @@
+kind: Service
+apiVersion: v1
+metadata:
+  name: webhook-service
+  annotations:
+    need-a-cert.cattle.io/secret-name: rancher-webhook-tls
+spec:
+  ports:
+  - name: https
+    port: 443
+    targetPort: {{ .Values.port | default 8777 }}
+  selector:
+    app: rancher-webhook
diff --git a/charts/rancher-webhook/103.0.0+up0.4.0-rc2/templates/_helpers.tpl b/charts/rancher-webhook/103.0.0+up0.4.0-rc2/templates/_helpers.tpl
new file mode 100644
index 000000000..c37a65c6f
--- /dev/null
+++ b/charts/rancher-webhook/103.0.0+up0.4.0-rc2/templates/_helpers.tpl
@@ -0,0 +1,22 @@
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- else -}}
+{{- "" -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "rancher-webhook.labels" -}}
+app: rancher-webhook
+{{- end }}
+
+{{- define "linux-node-tolerations" -}}
+- key: "cattle.io/os"
+  value: "linux"
+  effect: "NoSchedule"
+  operator: "Equal"
+{{- end -}}
+
+{{- define "linux-node-selector" -}}
+kubernetes.io/os: linux
+{{- end -}}
\ No newline at end of file
diff --git a/charts/rancher-webhook/103.0.0+up0.4.0-rc2/templates/deployment.yaml b/charts/rancher-webhook/103.0.0+up0.4.0-rc2/templates/deployment.yaml
new file mode 100644
index 000000000..a0cc77c2d
--- /dev/null
+++ b/charts/rancher-webhook/103.0.0+up0.4.0-rc2/templates/deployment.yaml
@@ -0,0 +1,102 @@
+{{- $auth := .Values.auth | default dict }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: rancher-webhook
+spec:
+  selector:
+    matchLabels:
+      app: rancher-webhook
+  template:
+    metadata:
+      labels:
+        app: rancher-webhook
+    spec:
+      {{- if or .Values.capi.enabled $auth.clientCA }}
+      volumes:
+      {{- end }}
+      {{- if .Values.capi.enabled }}
+      - name: tls
+        secret:
+          secretName: rancher-webhook-tls
+      {{- end }}
+      {{- if $auth.clientCA }}
+      - name: client-ca
+        secret:
+          secretName: client-ca
+      {{- end }}
+      {{- if .Values.global.hostNetwork }}
+      hostNetwork: true
+      {{- end }}
+      nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+      {{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+      {{- end }}
+      tolerations: {{ include "linux-node-tolerations" . | nindent 6 }}
+      {{- if .Values.tolerations }}
+{{ toYaml .Values.tolerations | indent 6 }}
+      {{- end }}
+      containers:
+      - env:
+        - name: STAMP
+          value: "{{.Values.stamp}}"
+        - name: ENABLE_CAPI
+          value: "{{.Values.capi.enabled}}"
+        - name: ENABLE_MCM
+          value: "{{.Values.mcm.enabled}}"
+        - name: CATTLE_PORT
+          value: {{.Values.port | default 9443 | quote}}
+        - name: CATTLE_CAPI_PORT
+          value: {{.Values.capi.port | default 8777 | quote}}
+        - name: NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        {{- if $auth.allowedCNs }}
+        - name: ALLOWED_CNS
+          value: '{{ join "," $auth.allowedCNs }}'
+        {{- end }}
+        image: '{{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}'
+        name: rancher-webhook
+        imagePullPolicy: "{{ .Values.image.imagePullPolicy }}"
+        ports:
+        - name: https
+          containerPort: {{ .Values.port | default 9443 }}
+        - name: capi-https
+          containerPort: {{ .Values.capi.port | default 8777}}
+        startupProbe:
+          httpGet:
+            path: "/healthz"
+            port: "https"
+            scheme: "HTTPS"
+          failureThreshold: 60
+          periodSeconds: 5
+        livenessProbe:
+          httpGet:
+            path: "/healthz"
+            port: "https"
+            scheme: "HTTPS"
+          periodSeconds: 5
+        {{- if or .Values.capi.enabled $auth.clientCA }}
+        volumeMounts:
+        {{- end }}
+        {{- if .Values.capi.enabled }}
+        - name: tls
+          mountPath: /tmp/k8s-webhook-server/serving-certs
+          readOnly: true
+        {{- end }}
+        {{- if $auth.clientCA }}
+        - name: client-ca
+          mountPath: /tmp/k8s-webhook-server/client-ca
+          readOnly: true
+        {{- end }}
+        {{- if .Values.capNetBindService }}
+        securityContext:
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+        {{- end }}
+      serviceAccountName: rancher-webhook
+      {{- if .Values.priorityClassName }}
+      priorityClassName: "{{.Values.priorityClassName}}"
+      {{- end }}
diff --git a/charts/rancher-webhook/103.0.0+up0.4.0-rc2/templates/rbac.yaml b/charts/rancher-webhook/103.0.0+up0.4.0-rc2/templates/rbac.yaml
new file mode 100644
index 000000000..f4364995c
--- /dev/null
+++ b/charts/rancher-webhook/103.0.0+up0.4.0-rc2/templates/rbac.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: rancher-webhook
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- kind: ServiceAccount
+  name: rancher-webhook
+  namespace: {{.Release.Namespace}}
\ No newline at end of file
diff --git a/charts/rancher-webhook/103.0.0+up0.4.0-rc2/templates/secret.yaml b/charts/rancher-webhook/103.0.0+up0.4.0-rc2/templates/secret.yaml
new file mode 100644
index 000000000..9fd331dc1
--- /dev/null
+++ b/charts/rancher-webhook/103.0.0+up0.4.0-rc2/templates/secret.yaml
@@ -0,0 +1,11 @@
+{{- $auth := .Values.auth | default dict }}
+{{- if $auth.clientCA }}
+apiVersion: v1
+data:
+  ca.crt: {{ $auth.clientCA }}
+kind: Secret
+metadata:
+  name: client-ca
+  namespace: cattle-system
+type: Opaque
+{{- end }}
diff --git a/charts/rancher-webhook/103.0.0+up0.4.0-rc2/templates/service.yaml b/charts/rancher-webhook/103.0.0+up0.4.0-rc2/templates/service.yaml
new file mode 100644
index 000000000..220afebea
--- /dev/null
+++ b/charts/rancher-webhook/103.0.0+up0.4.0-rc2/templates/service.yaml
@@ -0,0 +1,13 @@
+kind: Service
+apiVersion: v1
+metadata:
+  name: rancher-webhook
+  namespace: cattle-system
+spec:
+  ports:
+  - port: 443
+    targetPort: {{ .Values.port | default 9443 }}
+    protocol: TCP
+    name: https
+  selector:
+    app: rancher-webhook
diff --git a/charts/rancher-webhook/103.0.0+up0.4.0-rc2/templates/serviceaccount.yaml b/charts/rancher-webhook/103.0.0+up0.4.0-rc2/templates/serviceaccount.yaml
new file mode 100644
index 000000000..9e7ad7e1f
--- /dev/null
+++ b/charts/rancher-webhook/103.0.0+up0.4.0-rc2/templates/serviceaccount.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: rancher-webhook
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: rancher-webhook-sudo
+  annotations:
+    cattle.io/description: "SA which can be impersonated to bypass rancher-webhook validation"
\ No newline at end of file
diff --git a/charts/rancher-webhook/103.0.0+up0.4.0-rc2/templates/webhook.yaml b/charts/rancher-webhook/103.0.0+up0.4.0-rc2/templates/webhook.yaml
new file mode 100644
index 000000000..53a0687b6
--- /dev/null
+++ b/charts/rancher-webhook/103.0.0+up0.4.0-rc2/templates/webhook.yaml
@@ -0,0 +1,9 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: rancher.cattle.io
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: rancher.cattle.io
diff --git a/charts/rancher-webhook/103.0.0+up0.4.0-rc2/tests/README.md b/charts/rancher-webhook/103.0.0+up0.4.0-rc2/tests/README.md
new file mode 100644
index 000000000..6d3059a00
--- /dev/null
+++ b/charts/rancher-webhook/103.0.0+up0.4.0-rc2/tests/README.md
@@ -0,0 +1,16 @@
+
+## local dev testing instructions
+
+Option 1: Full chart CI run with a live cluster
+
+```bash
+./scripts/charts/ci 
+```
+
+Option 2: Test runs against the chart only 
+
+```bash
+# install the helm plugin first - helm plugin install https://github.com/helm-unittest/helm-unittest.git
+bash dev-scripts/helm-unittest.sh
+```
+
diff --git a/charts/rancher-webhook/103.0.0+up0.4.0-rc2/tests/capi-service_test.yaml b/charts/rancher-webhook/103.0.0+up0.4.0-rc2/tests/capi-service_test.yaml
new file mode 100644
index 000000000..4ee94a84a
--- /dev/null
+++ b/charts/rancher-webhook/103.0.0+up0.4.0-rc2/tests/capi-service_test.yaml
@@ -0,0 +1,20 @@
+suite: Test Service
+templates:
+  - charts/capi/templates/service.yaml
+tests:
+  - it: should set webhook default port values
+    set:
+      capi.enabled: true
+    asserts:
+      - equal:
+          path: spec.ports[0].targetPort
+          value: 8777
+
+  - it: should set updated target port
+    set:
+      capi.port: 2319
+      capi.enabled: true
+    asserts:
+      - equal:
+          path: spec.ports[0].targetPort
+          value: 2319
diff --git a/charts/rancher-webhook/103.0.0+up0.4.0-rc2/tests/deployment_test.yaml b/charts/rancher-webhook/103.0.0+up0.4.0-rc2/tests/deployment_test.yaml
new file mode 100644
index 000000000..5f153461c
--- /dev/null
+++ b/charts/rancher-webhook/103.0.0+up0.4.0-rc2/tests/deployment_test.yaml
@@ -0,0 +1,94 @@
+suite: Test Deployment
+templates:
+  - deployment.yaml
+
+tests:
+  - it: should set webhook default port values
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].ports[0].containerPort
+          value: 9443
+      - equal:
+          path: spec.template.spec.containers[0].ports[1].containerPort
+          value: 8777
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: CATTLE_PORT
+            value: "9443"
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: CATTLE_CAPI_PORT
+            value: "8777"
+
+  - it: should set updated webhook port
+    set:
+      port: 2319
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].ports[0].containerPort
+          value: 2319
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: CATTLE_PORT
+            value: "2319"
+
+  - it: should set updated capi port
+    set:
+      capi.port: 2319
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].ports[1].containerPort
+          value: 2319
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: CATTLE_CAPI_PORT
+            value: "2319"
+
+  - it: should not set capabilities by default.
+    asserts:
+      - isNull:
+          path: spec.template.spec.containers[0].securityContext
+
+  - it: should set net capabilities when capNetBindService is true.
+    set:
+      capNetBindService: true
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].securityContext.capabilities.add
+          content: NET_BIND_SERVICE
+
+  - it: should not set volumes or volumeMounts by default
+    asserts:
+      - isNull:
+          path: spec.template.spec.volumes
+      - isNull:
+          path: spec.template.spec.volumeMounts
+
+  - it: should set CA fields when CA options are set
+    set:
+      auth.clientCA: base64-encoded-cert
+      auth.allowedCNs:
+        - kube-apiserver
+        - joe
+    asserts:
+      - contains:
+          path: spec.template.spec.volumes
+          content:
+            name: client-ca
+            secret:
+              secretName: client-ca
+      - contains:
+          path: spec.template.spec.containers[0].volumeMounts
+          content:
+            name: client-ca
+            mountPath: /tmp/k8s-webhook-server/client-ca
+            readOnly: true
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: ALLOWED_CNS
+            value: kube-apiserver,joe
diff --git a/charts/rancher-webhook/103.0.0+up0.4.0-rc2/tests/service_test.yaml b/charts/rancher-webhook/103.0.0+up0.4.0-rc2/tests/service_test.yaml
new file mode 100644
index 000000000..03172ad03
--- /dev/null
+++ b/charts/rancher-webhook/103.0.0+up0.4.0-rc2/tests/service_test.yaml
@@ -0,0 +1,18 @@
+suite: Test Service
+templates:
+  - service.yaml
+
+tests:
+  - it: should set webhook default port values
+    asserts:
+      - equal:
+          path: spec.ports[0].targetPort
+          value: 9443
+
+  - it: should set updated target port
+    set:
+      port: 2319
+    asserts:
+      - equal:
+          path: spec.ports[0].targetPort
+          value: 2319
diff --git a/charts/rancher-webhook/103.0.0+up0.4.0-rc2/values.yaml b/charts/rancher-webhook/103.0.0+up0.4.0-rc2/values.yaml
new file mode 100644
index 000000000..5da847a6d
--- /dev/null
+++ b/charts/rancher-webhook/103.0.0+up0.4.0-rc2/values.yaml
@@ -0,0 +1,34 @@
+image:
+  repository: rancher/rancher-webhook
+  tag: v0.4.0-rc2
+  imagePullPolicy: IfNotPresent
+
+global:
+  cattle:
+    systemDefaultRegistry: ""
+  hostNetwork: false
+
+capi:
+  enabled: false
+  port: 8777
+
+mcm:
+  enabled: true
+
+# tolerations for the webhook deployment. See https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ for more info
+tolerations: []
+nodeSelector: {}
+
+## PriorityClassName assigned to deployment.
+priorityClassName: ""
+
+# port assigns which port to use when running rancher-webhook
+port: 9443
+
+# Parameters for authenticating the kube-apiserver.
+auth:
+  # CA for authenticating kube-apiserver client certs. If empty, client connections will not be authenticated.
+  # Must be base64-encoded.
+  clientCA: ""
+  # Allowlist of CNs for kube-apiserver client certs. If empty, any cert signed by the CA provided in clientCA will be accepted.
+  allowedCNs: []
diff --git a/index.yaml b/index.yaml
index 3881cb085..f23fb9850 100755
--- a/index.yaml
+++ b/index.yaml
@@ -14479,6 +14479,28 @@ entries:
     - assets/rancher-vsphere-csi/rancher-vsphere-csi-2.1.000.tgz
     version: 2.1.000
   rancher-webhook:
+  - annotations:
+      catalog.cattle.io/certified: rancher
+      catalog.cattle.io/hidden: "true"
+      catalog.cattle.io/kube-version: '>= 1.16.0-0 < 1.27.0-0'
+      catalog.cattle.io/namespace: cattle-system
+      catalog.cattle.io/os: linux
+      catalog.cattle.io/permits-os: linux,windows
+      catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0'
+      catalog.cattle.io/release-name: rancher-webhook
+    apiVersion: v2
+    appVersion: 0.4.0-rc2
+    created: "2023-08-18T15:30:28.681250851-07:00"
+    dependencies:
+    - condition: capi.enabled
+      name: capi
+      repository: ""
+    description: ValidatingAdmissionWebhook for Rancher types
+    digest: 509d05ba523fb45fe2e4235668892bfbb94dee67438dfcf3003055f4dde88dcc
+    name: rancher-webhook
+    urls:
+    - assets/rancher-webhook/rancher-webhook-103.0.0+up0.4.0-rc2.tgz
+    version: 103.0.0+up0.4.0-rc2
   - annotations:
       catalog.cattle.io/certified: rancher
       catalog.cattle.io/hidden: "true"