From 697c23f8c9d7db5c5e338e8da1316298ee1f8456 Mon Sep 17 00:00:00 2001 From: mitulshah-suse Date: Mon, 22 Aug 2022 12:37:17 +0530 Subject: [PATCH 1/2] add gatekeeper 3.9.0 --- .../generated-changes/patch/Chart.yaml.patch | 6 +-- .../generated-changes/patch/README.md.patch | 8 +-- .../patch/templates/_helpers.tpl.patch | 22 +++++--- .../gatekeeper-audit-deployment.yaml.patch | 18 ++++--- ...r-controller-manager-deployment.yaml.patch | 14 +++--- .../namespace-post-install.yaml.patch | 7 ++- .../namespace-post-upgrade.yaml.patch | 17 +++++++ .../probe-webhook-post-install.yaml.patch | 13 +++++ .../templates/upgrade-crds-hook.yaml.patch | 11 ++-- .../webhook-configs-pre-delete.yaml.patch | 17 +++++++ .../generated-changes/patch/values.yaml.patch | 50 +++++++++++++------ packages/rancher-gatekeeper/package.yaml | 3 +- release.yaml | 5 +- 13 files changed, 138 insertions(+), 53 deletions(-) create mode 100644 packages/rancher-gatekeeper/generated-changes/patch/templates/namespace-post-upgrade.yaml.patch create mode 100644 packages/rancher-gatekeeper/generated-changes/patch/templates/probe-webhook-post-install.yaml.patch create mode 100644 packages/rancher-gatekeeper/generated-changes/patch/templates/webhook-configs-pre-delete.yaml.patch diff --git a/packages/rancher-gatekeeper/generated-changes/patch/Chart.yaml.patch b/packages/rancher-gatekeeper/generated-changes/patch/Chart.yaml.patch index 67f4cba05..66e3b56eb 100644 --- a/packages/rancher-gatekeeper/generated-changes/patch/Chart.yaml.patch +++ b/packages/rancher-gatekeeper/generated-changes/patch/Chart.yaml.patch 
@@ -10,12 +10,12 @@ + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/provides-gvr: config.gatekeeper.sh.config/v1alpha1 -+ catalog.cattle.io/rancher-version: '>= 2.6.0-0 < 2.7.0-0' ++ catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0' + catalog.cattle.io/release-name: rancher-gatekeeper + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/ui-component: gatekeeper apiVersion: v2 - appVersion: v3.8.1 + appVersion: v3.9.0 -description: A Helm chart for Gatekeeper +description: Modifies Open Policy Agent's upstream gatekeeper chart that provides + policy-based control for cloud native environments @@ -28,4 +28,4 @@ +name: rancher-gatekeeper sources: - https://github.com/open-policy-agent/gatekeeper.git - version: 3.8.1 + version: 3.9.0 diff --git a/packages/rancher-gatekeeper/generated-changes/patch/README.md.patch b/packages/rancher-gatekeeper/generated-changes/patch/README.md.patch index a31725488..3524fdae2 100644 --- a/packages/rancher-gatekeeper/generated-changes/patch/README.md.patch +++ b/packages/rancher-gatekeeper/generated-changes/patch/README.md.patch 
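Review bot: The `catalog.cattle.io/rancher-version` annotation moves to `>= 2.7.0-0 < 2.8.0-0`, but the chart still ships a PodSecurityPolicy template (`gatekeeper-admin-podsecuritypolicy.yaml` is listed in the second commit's diffstat), and PodSecurityPolicy no longer exists on Kubernetes 1.25. If clusters managed by Rancher 2.7 can run 1.25, a default install would fail unless that template is gated on `psp.enabled` together with `.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy"`, or the `catalog.cattle.io/kube-version` annotation caps the supported range below 1.25. Neither the kube-version annotation nor the PSP template is visible in this hunk, so please confirm which of the two applies before this version is released.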
@@ -1,11 +1,11 @@ --- charts-original/README.md +++ charts/README.md -@@ -79,7 +79,7 @@ - | psp.enabled | Enabled PodSecurityPolicy | `true` | +@@ -98,7 +98,7 @@ | upgradeCRDs.enabled | Upgrade CRDs using pre-install/pre-upgrade hooks | `true` | - | crds.securityContext | Security context applied to the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 65532, "runAsNonRoot": true, "runAsUser": 65532 }` | + | upgradeCRDs.extraRules | Extra rules for the gatekeeper-admin-upgrade-crds ClusterRole | `[]` | + | crds.securityContext | Security context applied to the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 65532, "runAsNonRoot": true, "runAsUser": 65532 }` | -| auditInterval | The frequency with which audit is run | `60` | -+| auditInterval | The frequency with which audit is run | `300` | ++| auditInterval | The frequency with which audit is run | `300` | | constraintViolationsLimit | The maximum # of audit violations reported on a constraint | `20` | | auditFromCache | Take the roster of resources to audit from the OPA cache | `false` | | auditChunkSize | Chunk size for listing cluster resources for audit (alpha feature) | `0` | diff --git a/packages/rancher-gatekeeper/generated-changes/patch/templates/_helpers.tpl.patch b/packages/rancher-gatekeeper/generated-changes/patch/templates/_helpers.tpl.patch index 12a4c9953..97f735591 100644 --- a/packages/rancher-gatekeeper/generated-changes/patch/templates/_helpers.tpl.patch +++ b/packages/rancher-gatekeeper/generated-changes/patch/templates/_helpers.tpl.patch 
@@ -1,11 +1,9 @@ --- charts-original/templates/_helpers.tpl +++ charts/templates/_helpers.tpl -@@ -38,4 +38,27 @@ - {{- if .Values.podLabels }} - {{- toYaml .Values.podLabels | nindent 8 }} +@@ -40,12 +40,35 @@ {{- end }} -+{{- end -}} -+ + {{- end -}} + +{{- define "system_default_registry" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} @@ -27,5 +25,15 @@ + +{{- define "linux-node-selector" -}} +kubernetes.io/os: linux - {{- end -}} -\ No newline at end of file ++{{- end -}} ++ + {{/* + Output post install webhook probe container entry + */}} + {{- define "gatekeeper.postInstallWebhookProbeContainer" -}} + - name: webhook-probe-post +- image: "{{ .Values.postInstall.probeWebhook.image.repository }}:{{ .Values.postInstall.probeWebhook.image.tag }}" ++ image: "{{ template "system_default_registry" . }}{{ .Values.postInstall.probeWebhook.image.repository }}:{{ .Values.postInstall.probeWebhook.image.tag }}" + imagePullPolicy: {{ .Values.postInstall.probeWebhook.image.pullPolicy }} + args: + - "--retry" diff --git a/packages/rancher-gatekeeper/generated-changes/patch/templates/gatekeeper-audit-deployment.yaml.patch b/packages/rancher-gatekeeper/generated-changes/patch/templates/gatekeeper-audit-deployment.yaml.patch index f668175b0..a33cb2dd2 100644 --- a/packages/rancher-gatekeeper/generated-changes/patch/templates/gatekeeper-audit-deployment.yaml.patch +++ b/packages/rancher-gatekeeper/generated-changes/patch/templates/gatekeeper-audit-deployment.yaml.patch @@ -1,6 +1,6 @@ --- charts-original/templates/gatekeeper-audit-deployment.yaml +++ charts/templates/gatekeeper-audit-deployment.yaml -@@ -40,11 +40,7 @@ +@@ -42,11 +42,7 @@ {{- toYaml .Values.audit.affinity | nindent 8 }} automountServiceAccountToken: true containers: 
@@ -13,16 +13,16 @@ args: - --audit-interval={{ .Values.auditInterval }} - --log-level={{ .Values.logLevel }} -@@ -72,7 +68,7 @@ - valueFrom: - fieldRef: - fieldPath: metadata.name +@@ -86,7 +82,7 @@ + fieldPath: metadata.namespace + - name: CONTAINER_NAME + value: manager - imagePullPolicy: '{{ .Values.image.pullPolicy }}' + imagePullPolicy: '{{ .Values.images.pullPolicy }}' livenessProbe: httpGet: path: /healthz -@@ -99,16 +95,20 @@ +@@ -120,9 +116,11 @@ dnsPolicy: {{ .Values.audit.dnsPolicy }} hostNetwork: {{ .Values.audit.hostNetwork }} imagePullSecrets: @@ -37,6 +37,8 @@ {{- if .Values.audit.priorityClassName }} priorityClassName: {{ .Values.audit.priorityClassName }} {{- end }} +@@ -130,8 +128,10 @@ + {{- toYaml .Values.audit.podSecurityContext | nindent 8 }} serviceAccountName: gatekeeper-admin terminationGracePeriodSeconds: 60 - tolerations: @@ -46,5 +48,5 @@ +{{ toYaml .Values.audit.tolerations | indent 8 }} +{{- end }} volumes: - {{- if .Values.audit.writeToRAMDisk }} - - emptyDir: + - name: cert + secret: diff --git a/packages/rancher-gatekeeper/generated-changes/patch/templates/gatekeeper-controller-manager-deployment.yaml.patch b/packages/rancher-gatekeeper/generated-changes/patch/templates/gatekeeper-controller-manager-deployment.yaml.patch index 5d954e7ab..4f111240d 100644 --- a/packages/rancher-gatekeeper/generated-changes/patch/templates/gatekeeper-controller-manager-deployment.yaml.patch +++ b/packages/rancher-gatekeeper/generated-changes/patch/templates/gatekeeper-controller-manager-deployment.yaml.patch @@ -1,6 +1,6 @@ --- charts-original/templates/gatekeeper-controller-manager-deployment.yaml +++ charts/templates/gatekeeper-controller-manager-deployment.yaml -@@ -40,11 +40,8 @@ +@@ -42,11 +42,8 @@ {{- toYaml .Values.controllerManager.affinity | nindent 8 }} automountServiceAccountToken: true containers: 
@@ -14,15 +14,15 @@ args: - --port={{ .Values.controllerManager.port }} - --health-addr=:{{ .Values.controllerManager.healthPort }} -@@ -84,7 +81,6 @@ - valueFrom: - fieldRef: - fieldPath: metadata.name +@@ -98,7 +95,6 @@ + fieldPath: metadata.namespace + - name: CONTAINER_NAME + value: manager - imagePullPolicy: '{{ .Values.image.pullPolicy }}' livenessProbe: httpGet: path: /healthz -@@ -115,16 +111,20 @@ +@@ -133,9 +129,11 @@ dnsPolicy: {{ .Values.controllerManager.dnsPolicy }} hostNetwork: {{ .Values.controllerManager.hostNetwork }} imagePullSecrets: @@ -37,6 +37,8 @@ {{- if .Values.controllerManager.priorityClassName }} priorityClassName: {{ .Values.controllerManager.priorityClassName }} {{- end }} +@@ -143,8 +141,10 @@ + {{- toYaml .Values.controllerManager.podSecurityContext | nindent 8 }} serviceAccountName: gatekeeper-admin terminationGracePeriodSeconds: 60 - tolerations: diff --git a/packages/rancher-gatekeeper/generated-changes/patch/templates/namespace-post-install.yaml.patch b/packages/rancher-gatekeeper/generated-changes/patch/templates/namespace-post-install.yaml.patch index 5b0f4b852..36e7056c4 100644 --- a/packages/rancher-gatekeeper/generated-changes/patch/templates/namespace-post-install.yaml.patch +++ b/packages/rancher-gatekeeper/generated-changes/patch/templates/namespace-post-install.yaml.patch @@ -1,6 +1,6 @@ --- charts-original/templates/namespace-post-install.yaml +++ charts/templates/namespace-post-install.yaml -@@ -26,11 +26,11 @@ +@@ -28,8 +28,8 @@ {{- .Values.postInstall.labelNamespace.image.pullSecrets | toYaml | nindent 12 }} {{- end }} serviceAccount: gatekeeper-update-namespace-label 
@@ -8,6 +8,11 @@ - kubernetes.io/os: linux + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} + {{- if .Values.postInstall.probeWebhook.enabled }} + volumes: + {{- include "gatekeeper.postInstallWebhookProbeVolume" . | nindent 8 }} +@@ -38,7 +38,7 @@ + {{- end }} containers: - name: kubectl-label - image: "{{ .Values.postInstall.labelNamespace.image.repository }}:{{ .Values.postInstall.labelNamespace.image.tag }}" diff --git a/packages/rancher-gatekeeper/generated-changes/patch/templates/namespace-post-upgrade.yaml.patch b/packages/rancher-gatekeeper/generated-changes/patch/templates/namespace-post-upgrade.yaml.patch new file mode 100644 index 000000000..2409cf8c4 --- /dev/null +++ b/packages/rancher-gatekeeper/generated-changes/patch/templates/namespace-post-upgrade.yaml.patch @@ -0,0 +1,17 @@ +--- charts-original/templates/namespace-post-upgrade.yaml ++++ charts/templates/namespace-post-upgrade.yaml +@@ -26,11 +26,11 @@ + {{- .Values.postUpgrade.labelNamespace.image.pullSecrets | toYaml | nindent 12 }} + {{- end }} + serviceAccount: gatekeeper-update-namespace-label-post-upgrade +- nodeSelector: +- kubernetes.io/os: linux ++ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} ++ tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} + containers: + - name: kubectl-label +- image: "{{ .Values.postUpgrade.labelNamespace.image.repository }}:{{ .Values.postUpgrade.labelNamespace.image.tag }}" ++ image: '{{ template "system_default_registry" . }}{{ .Values.postUpgrade.labelNamespace.image.repository }}:{{ .Values.postUpgrade.labelNamespace.image.tag }}' + imagePullPolicy: {{ .Values.postUpgrade.labelNamespace.image.pullPolicy }} + args: + - label 
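Review bot: The new `namespace-post-upgrade.yaml.patch` prefixes `{{ template "system_default_registry" . }}` onto `.Values.postUpgrade.labelNamespace.image.repository`, so that value must point at a `rancher/` mirrored image; otherwise an air-gapped install with `systemDefaultRegistry` set resolves to `<registry>/openpolicyagent/gatekeeper-crds:v3.9.0`, which will not exist in a private mirror and leaves the post-upgrade Job stuck in ImagePullBackOff. The values.yaml.patch hunks in this commit rewrite several `gatekeeper-crds` repositories, but I cannot tell from their context which one is the `postUpgrade` block, so please confirm it is covered (the rendered `values.yaml` in the second commit is the easiest place to check). The inner hunk ends at `- label`, so the rest of the Job's args are outside this view.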
diff --git a/packages/rancher-gatekeeper/generated-changes/patch/templates/probe-webhook-post-install.yaml.patch b/packages/rancher-gatekeeper/generated-changes/patch/templates/probe-webhook-post-install.yaml.patch new file mode 100644 index 000000000..07619be08 --- /dev/null +++ b/packages/rancher-gatekeeper/generated-changes/patch/templates/probe-webhook-post-install.yaml.patch @@ -0,0 +1,13 @@ +--- charts-original/templates/probe-webhook-post-install.yaml ++++ charts/templates/probe-webhook-post-install.yaml +@@ -28,8 +28,8 @@ + imagePullSecrets: + {{- .Values.postInstall.probeWebhook.image.pullSecrets | toYaml | nindent 12 }} + {{- end }} +- nodeSelector: +- kubernetes.io/os: linux ++ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} ++ tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} + volumes: + {{- include "gatekeeper.postInstallWebhookProbeVolume" . | nindent 8 }} + containers: diff --git a/packages/rancher-gatekeeper/generated-changes/patch/templates/upgrade-crds-hook.yaml.patch b/packages/rancher-gatekeeper/generated-changes/patch/templates/upgrade-crds-hook.yaml.patch index 173ed369f..e1ebb6dac 100644 --- a/packages/rancher-gatekeeper/generated-changes/patch/templates/upgrade-crds-hook.yaml.patch +++ b/packages/rancher-gatekeeper/generated-changes/patch/templates/upgrade-crds-hook.yaml.patch @@ -1,6 +1,6 @@ --- charts-original/templates/upgrade-crds-hook.yaml +++ charts/templates/upgrade-crds-hook.yaml -@@ -75,18 +75,14 @@ +@@ -80,18 +80,14 @@ spec: serviceAccountName: gatekeeper-admin-upgrade-crds restartPolicy: Never 
@@ -23,13 +23,14 @@ args: - apply - -f -@@ -95,7 +91,6 @@ - {{- toYaml .Values.crds.resources | nindent 10 }} - securityContext: +@@ -102,8 +98,6 @@ {{- toYaml .Values.crds.securityContext | nindent 10 }} + affinity: + {{- toYaml .Values.upgradeCRDs.affinity | nindent 8 }} - nodeSelector: - kubernetes.io/os: linux -- +- tolerations: +- {{- toYaml .Values.upgradeCRDs.tolerations | nindent 8 }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} {{- end }} diff --git a/packages/rancher-gatekeeper/generated-changes/patch/templates/webhook-configs-pre-delete.yaml.patch b/packages/rancher-gatekeeper/generated-changes/patch/templates/webhook-configs-pre-delete.yaml.patch new file mode 100644 index 000000000..e5aed301d --- /dev/null +++ b/packages/rancher-gatekeeper/generated-changes/patch/templates/webhook-configs-pre-delete.yaml.patch @@ -0,0 +1,17 @@ +--- charts-original/templates/webhook-configs-pre-delete.yaml ++++ charts/templates/webhook-configs-pre-delete.yaml +@@ -28,11 +28,11 @@ + {{- .Values.preUninstall.deleteWebhookConfigurations.image.pullSecrets | toYaml | nindent 12 }} + {{- end }} + serviceAccount: gatekeeper-delete-webhook-configs +- nodeSelector: +- kubernetes.io/os: linux ++ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} ++ tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} + containers: + - name: kubectl-delete +- image: "{{ .Values.preUninstall.deleteWebhookConfigurations.image.repository }}:{{ .Values.preUninstall.deleteWebhookConfigurations.image.tag }}" ++ image: '{{ template "system_default_registry" . }}{{ .Values.preUninstall.deleteWebhookConfigurations.image.repository }}:{{ .Values.preUninstall.deleteWebhookConfigurations.image.tag }}' + imagePullPolicy: {{ .Values.preUninstall.deleteWebhookConfigurations.image.pullPolicy }} + args: + - delete 
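Review bot: The rewritten `upgrade-crds-hook.yaml.patch` drops upstream's `tolerations: {{- toYaml .Values.upgradeCRDs.tolerations | nindent 8 }}` and replaces it with the fixed `linux-node-tolerations` include, so a user-supplied `upgradeCRDs.tolerations` value is now silently ignored and the CRD upgrade Job (which runs as `gatekeeper-admin-upgrade-crds`) may be unschedulable on clusters whose Linux nodes carry additional taints. The audit deployment patch in this same commit keeps the user's list alongside the defaults (`{{ toYaml .Values.audit.tolerations | indent 8 }}` behind an `if`), so the hook should follow the same pattern and append the user list after the include. I am assuming `linux-node-tolerations` renders a YAML list at the same indentation; the helper is not visible in this diff, so check it before merging.

```yaml
      nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
      tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
      {{- with .Values.upgradeCRDs.tolerations }}
        {{- toYaml . | nindent 8 }}
      {{- end }}
```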
diff --git a/packages/rancher-gatekeeper/generated-changes/patch/values.yaml.patch b/packages/rancher-gatekeeper/generated-changes/patch/values.yaml.patch index c772c8b5b..b35112c12 100644 --- a/packages/rancher-gatekeeper/generated-changes/patch/values.yaml.patch +++ b/packages/rancher-gatekeeper/generated-changes/patch/values.yaml.patch 
@@ -1,44 +1,62 @@ --- charts-original/values.yaml +++ charts/values.yaml -@@ -30,8 +30,8 @@ +@@ -33,8 +33,8 @@ labelNamespace: - enabled: true + enabled: false image: - repository: openpolicyagent/gatekeeper-crds -- tag: v3.8.1 +- tag: v3.9.0 + repository: rancher/kubectl + tag: v1.20.2 pullPolicy: IfNotPresent pullSecrets: [] - securityContext: -@@ -47,7 +47,7 @@ - deleteWebhookConfigurations: + extraNamespaces: [] +@@ -52,7 +52,7 @@ + extraRules: [] + enabled: true + image: +- repository: openpolicyagent/gatekeeper-crds ++ repository: rancher/mirrored-openpolicyagent-gatekeeper-crds + tag: v3.9.0 + pullPolicy: IfNotPresent + pullSecrets: [] +@@ -60,7 +60,7 @@ + probeWebhook: + enabled: true + image: +- repository: curlimages/curl ++ repository: rancher/mirrored-curlimages-curl + tag: 7.83.1 + pullPolicy: IfNotPresent + pullSecrets: [] +@@ -81,7 +81,7 @@ + extraRules: [] enabled: false image: - repository: openpolicyagent/gatekeeper-crds + repository: rancher/mirrored-openpolicyagent-gatekeeper-crds - tag: v3.8.1 + tag: v3.9.0 pullPolicy: IfNotPresent pullSecrets: [] -@@ -60,10 +60,13 @@ +@@ -94,10 +94,13 @@ runAsGroup: 999 runAsNonRoot: true runAsUser: 1000 -image: - repository: openpolicyagent/gatekeeper - crdRepository: openpolicyagent/gatekeeper-crds -- release: v3.8.1 +- release: v3.9.0 +images: + gatekeeper: + repository: rancher/mirrored-openpolicyagent-gatekeeper -+ tag: v3.8.1 ++ tag: v3.9.0 + gatekeepercrd: + repository: rancher/mirrored-openpolicyagent-gatekeeper-crds -+ tag: v3.8.1 ++ tag: v3.9.0 pullPolicy: IfNotPresent pullSecrets: [] - podAnnotations: -@@ -93,7 +96,7 @@ + podAnnotations: {} +@@ -128,7 +131,7 @@ topologyKey: kubernetes.io/hostname weight: 100 tolerations: [] @@ -47,8 +65,8 @@ resources: limits: cpu: 1000m -@@ -118,7 +121,7 @@ - priorityClassName: system-cluster-critical +@@ -159,7 +162,7 @@ + disableCertRotation: true affinity: {} tolerations: [] - nodeSelector: {kubernetes.io/os: linux} 
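Review bot: `postInstall.labelNamespace.image` is carried into the 3.9.0 patch as `rancher/kubectl` at tag `v1.20.2`, while the chart now targets Rancher 2.7 per the Chart.yaml.patch hunk in this commit; kubectl's support policy is one minor version either side of the API server, so a 1.20 binary is out of policy against the Kubernetes releases 2.7 manages, and 1.20 no longer receives fixes. The curl probe image is likewise kept at upstream's `7.83.1` under `rancher/mirrored-curlimages-curl`; newer curl releases carrying security fixes were available by this commit's date, and mirroring a fresher tag is cheap while this version is being cut. Suggest bumping `tag: v1.20.2` to a kubectl minor that matches the supported kube-version range and checking the mirrored curl tag. Both lines are context in this hunk rather than changes, so this is a follow-up rather than a blocker.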
@@ -56,7 +74,7 @@ writeToRAMDisk: false resources: limits: -@@ -150,6 +153,12 @@ +@@ -196,6 +199,12 @@ pdb: controllerManager: minAvailable: 1 diff --git a/packages/rancher-gatekeeper/package.yaml b/packages/rancher-gatekeeper/package.yaml index 336d8b289..457e5c390 100644 --- a/packages/rancher-gatekeeper/package.yaml +++ b/packages/rancher-gatekeeper/package.yaml @@ -1,6 +1,5 @@ -url: https://open-policy-agent.github.io/gatekeeper/charts/gatekeeper-3.8.1.tgz +url: https://open-policy-agent.github.io/gatekeeper/charts/gatekeeper-3.9.0.tgz version: 101.0.0 -doNotRelease: true additionalCharts: - workingDir: charts-crd crdOptions: diff --git a/release.yaml b/release.yaml index 1c17d92b4..74f76e6ab 100644 --- a/release.yaml +++ b/release.yaml @@ -4,4 +4,7 @@ rancher-cis-benchmark-crd: - 3.0.0-rc1 rancher-csp-adapter: - 1.0.1 - +rancher-gatekeeper: +- 101.0.0+up3.9.0 +rancher-gatekeeper-crd: +- 101.0.0+up3.9.0 From d2767177385f2729219f5ebebd05ed5ad04f0e7b Mon Sep 17 00:00:00 2001 
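Review bot: `package.yaml` now points at `https://open-policy-agent.github.io/gatekeeper/charts/gatekeeper-3.9.0.tgz` with no checksum, and removing `doNotRelease: true` makes this the released base; whatever that URL serves at build time becomes the chart, so the only integrity record is the rendered output committed in the second commit. If charts-build-scripts supports pinning the upstream source (a checksum field, or a git `subdirectory`/`commit` reference into the gatekeeper repo instead of the tarball URL), that would be the stronger choice; if not, recording the tarball's sha256 at fetch time in the PR gives reviewers something to verify the rendered chart against. I am not certain which pinning options the tooling in this repo supports, so treat this as a question rather than a required change.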
From: mitulshah-suse Date: Fri, 16 Sep 2022 11:36:40 +0530 Subject: [PATCH 2/2] make charts --- ...rancher-gatekeeper-crd-101.0.0+up3.9.0.tgz | Bin 0 -> 10384 bytes .../rancher-gatekeeper-101.0.0+up3.9.0.tgz | Bin 0 -> 14274 bytes .../101.0.0+up3.9.0/Chart.yaml | 10 + .../101.0.0+up3.9.0/README.md | 2 + .../assign-customresourcedefinition.yaml | 498 ++++++++++++++++++ ...signmetadata-customresourcedefinition.yaml | 430 +++++++++++++++ .../config-customresourcedefinition.yaml | 105 ++++ ...intpodstatus-customresourcedefinition.yaml | 67 +++ ...ainttemplate-customresourcedefinition.yaml | 303 +++++++++++ ...atepodstatus-customresourcedefinition.yaml | 66 +++ .../modifyset-customresourcedefinition.yaml | 450 ++++++++++++++++ ...torpodstatus-customresourcedefinition.yaml | 65 +++ .../provider-customresourcedefinition.yaml | 50 ++ .../101.0.0+up3.9.0/templates/_helpers.tpl | 22 + .../101.0.0+up3.9.0/templates/jobs.yaml | 108 ++++ .../101.0.0+up3.9.0/templates/manifest.yaml | 14 + .../101.0.0+up3.9.0/templates/rbac.yaml | 72 +++ .../101.0.0+up3.9.0/values.yaml | 11 + .../101.0.0+up3.9.0/.helmignore | 21 + .../101.0.0+up3.9.0/CHANGELOG.md | 15 + .../101.0.0+up3.9.0/Chart.yaml | 26 + .../101.0.0+up3.9.0/README.md | 167 ++++++ .../101.0.0+up3.9.0/app-readme.md | 14 + .../101.0.0+up3.9.0/templates/_helpers.tpl | 105 ++++ .../templates/allowedrepos.yaml | 35 ++ .../gatekeeper-admin-podsecuritypolicy.yaml | 38 ++ .../gatekeeper-admin-serviceaccount.yaml | 11 + .../gatekeeper-audit-deployment.yaml | 146 +++++ ...ekeeper-controller-manager-deployment.yaml | 152 ++++++ ...ontroller-manager-poddisruptionbudget.yaml | 26 + ...atekeeper-critical-pods-resourcequota.yaml | 23 + .../gatekeeper-manager-role-clusterrole.yaml | 165 ++++++ .../gatekeeper-manager-role-role.yaml | 37 ++ ...anager-rolebinding-clusterrolebinding.yaml | 20 + ...eeper-manager-rolebinding-rolebinding.yaml | 21 + ...guration-mutatingwebhookconfiguration.yaml | 55 ++ ...ration-validatingwebhookconfiguration.yaml | 
98 ++++ ...gatekeeper-webhook-server-cert-secret.yaml | 12 + .../gatekeeper-webhook-service-service.yaml | 38 ++ .../templates/namespace-post-install.yaml | 119 +++++ .../templates/namespace-post-upgrade.yaml | 108 ++++ .../templates/probe-webhook-post-install.yaml | 38 ++ .../templates/requiredlabels.yaml | 57 ++ .../templates/upgrade-crds-hook.yaml | 103 ++++ .../templates/validate-install-crd.yaml | 22 + .../templates/webhook-configs-pre-delete.yaml | 119 +++++ .../101.0.0+up3.9.0/values.yaml | 217 ++++++++ index.yaml | 44 ++ 48 files changed, 4325 insertions(+) create mode 100644 assets/rancher-gatekeeper-crd/rancher-gatekeeper-crd-101.0.0+up3.9.0.tgz create mode 100644 assets/rancher-gatekeeper/rancher-gatekeeper-101.0.0+up3.9.0.tgz create mode 100644 charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/Chart.yaml create mode 100644 charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/README.md create mode 100644 charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/crd-manifest/assign-customresourcedefinition.yaml create mode 100644 charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/crd-manifest/assignmetadata-customresourcedefinition.yaml create mode 100644 charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/crd-manifest/config-customresourcedefinition.yaml create mode 100644 charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/crd-manifest/constraintpodstatus-customresourcedefinition.yaml create mode 100644 charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/crd-manifest/constrainttemplate-customresourcedefinition.yaml create mode 100644 charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/crd-manifest/constrainttemplatepodstatus-customresourcedefinition.yaml create mode 100644 charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/crd-manifest/modifyset-customresourcedefinition.yaml create mode 100644 charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/crd-manifest/mutatorpodstatus-customresourcedefinition.yaml create mode 100644 
charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/crd-manifest/provider-customresourcedefinition.yaml create mode 100644 charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/templates/_helpers.tpl create mode 100644 charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/templates/jobs.yaml create mode 100644 charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/templates/manifest.yaml create mode 100644 charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/templates/rbac.yaml create mode 100644 charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/values.yaml create mode 100644 charts/rancher-gatekeeper/101.0.0+up3.9.0/.helmignore create mode 100644 charts/rancher-gatekeeper/101.0.0+up3.9.0/CHANGELOG.md create mode 100644 charts/rancher-gatekeeper/101.0.0+up3.9.0/Chart.yaml create mode 100644 charts/rancher-gatekeeper/101.0.0+up3.9.0/README.md create mode 100644 charts/rancher-gatekeeper/101.0.0+up3.9.0/app-readme.md create mode 100644 charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/_helpers.tpl create mode 100644 charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/allowedrepos.yaml create mode 100644 charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-admin-podsecuritypolicy.yaml create mode 100644 charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-admin-serviceaccount.yaml create mode 100644 charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-audit-deployment.yaml create mode 100644 charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-controller-manager-deployment.yaml create mode 100644 charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-controller-manager-poddisruptionbudget.yaml create mode 100644 charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-critical-pods-resourcequota.yaml create mode 100644 charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-manager-role-clusterrole.yaml create mode 100644 charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-manager-role-role.yaml create mode 100644 
charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml create mode 100644 charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-manager-rolebinding-rolebinding.yaml create mode 100644 charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml create mode 100644 charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml create mode 100644 charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-webhook-server-cert-secret.yaml create mode 100644 charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-webhook-service-service.yaml create mode 100644 charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/namespace-post-install.yaml create mode 100644 charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/namespace-post-upgrade.yaml create mode 100644 charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/probe-webhook-post-install.yaml create mode 100644 charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/requiredlabels.yaml create mode 100644 charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/upgrade-crds-hook.yaml create mode 100644 charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/validate-install-crd.yaml create mode 100644 charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/webhook-configs-pre-delete.yaml create mode 100644 charts/rancher-gatekeeper/101.0.0+up3.9.0/values.yaml 
diff --git a/assets/rancher-gatekeeper-crd/rancher-gatekeeper-crd-101.0.0+up3.9.0.tgz b/assets/rancher-gatekeeper-crd/rancher-gatekeeper-crd-101.0.0+up3.9.0.tgz new file mode 100644 index 0000000000000000000000000000000000000000..3d672deb7b0cef7a3d7a2382bb54948caf7b2152 GIT binary patch literal 10384 zcma)?Ra6{J)UF{|@ZbbVfZ*;rSa5eHxVyUscXzko5?q73JHcHC8{BP9lK(q$dHQ0P z?5?+a)#}<+^;Cb3e2)$F_kz$s(HTf8GaE_Damsq|a2T?wGaIXLSZJ#7a4M*)bIJj& zEe&jqJyezK_$5uOZJaN!nen2Z0_NTsNN%{HGCqlhv_Y-$3@HHQqHIH%RHX>lcU`y(g z97JFO$sW%nFeC`B3lM+$^hvZeBy{O5au7fmV>Ul{sE)zK76UgDkvVqI%=g%1u z2CsrbPi*Z@ZBLVSU8tmkGzu8-uHaX?rpR->*~(666hYtOC~u^K&tOUeVD)B=70^bB zJ`pglg8#zg!rY<+mo`Y)<>vDY*0%#eF4=Jxk@Crb1QgoWWVW&yMUgh_C=>3HQKwA8~#?g zRFoY=8L55B`za|REuwwD)pueP#l6XFy>~`45V*4q3l;P))Z5)QxnjjkkFl;`;j7=W z>y2yV(^pKXWtnHcu5jXq(5SGtr*--owyBgI)q*S}?-O|+A-<6#Hv8RZZ;+RVf!3G% zossL^Zpde{5&q2FkyxD_`L*^olmAtKEZ2l*q4CyKEk21B$H0kGUHq`X4rGT}CJ7s7H1wI|TzE zLZfr|DyY7}6LKBe+22t$UlJJ-o`@j+x2@xY+pX~X{Ef9X$(6Mg9{X~wO)mQ=#L+7F z`w1ueGVzu#g}?%e>l@V$oFhKc8$|PTquY6j;Mv2s(9kmva^)|^dGx4{(-YWyOejuj z1AI^w!}tjg%L`;)(OcJMY^d6JWvAvv&^@3jD#B`x%t}v9?@Ka;1mui2Dtm$NbT`4G z!DWp5k^P1}vk!$g=I;@(a#C(8=8;oOM(VDNxhqpdiHSwYvagnf$&J`N97iR!IX{@onM;1PezTZECDF(|DQEa&nUh>vv@`Y=pcrUgCU)+!JK< zLT%J$@)nAhJU458uDwv&DkXhF3*~d`j%2X%GS{VdxZOrDX)3CQH+@DhY69#(nIQKi zw|oF{XI&*xya1E@!9E_=%{G0`QM+!f2I}04i`>q!okjvp2RF}>*-ySEE9<9(*`O{a z&eN`;p{c+($OjAX+HdJhrq_T|3a69>r_W_`z~-Jg`7ObQx9IVURO(brl~)1GkG&%h ze+&&$V71B5@m)Ld%}dz%!)H-hDENI|^t-##m7eD0{DdO5pe|$Csrzjv2y1f7@#wFr zUpdtrhPMPS5=yHP(pPgTT^{)U8;b`~rF!}NjZUv)h>>TDZ})o_4+9~u=iFHk0ZH0w zUjoaNlV5Q!KunNCs&5gSKaN>VDBZbez;};8mCRPP39|ZetS>zHmnptXVmV4IPk4eB zvT|0*Rs`A5bn#>Fb*iX=n)ELsyf0gY8K+R%Ke9@(9xN6$ja=^y+(K4fMxr`xe7^Nq z-=~g(wo7y>y3gK}A4&LQJLE+)xM@fC1WaZX+J5y)OBseW{hBcT#)W9j1@Hw~jL$9e z$0SHz5X;NyDwL*hoZd9mzcP(-;#3R>v-f-P(r=yeI z&8n%t`ZG8KG9D@Q!X7#@6Vw5|r|Mo#GL(-v3ictFh_V{_<0$%4WK~Qrkw98Q#ClsT zfgx?`SKQmixYYSj5FS$nI^*P&I=Z?#jAgz7Emh4kCGbgSO(TGulhdvAW0`)b1k3&HbUD$C4@$*kae`P4)W|c( 
zf~h3Qq8neBpM+}Atk~}QiWM9$+VMOPMn$^rWElt9=-}n|y0&ZxJKrJHdD@&wEIE1e z4V91(e)9^u0a4m5s+{A)#%~|xfn;GeFA67c2AMS$Jm&;lH@_asqn>o-OR^O`&=Yea zE@ZD5JU{tfp1Suz&X?zQw;-1!W%RNOM?i}8fDlMF;ak1o16}X_poRgtGJ{w`8coR2 zA#3gyIY=rhftINs+&7~q5o)Du5}sQ6=#OU#FGG&bLpQYYi$`-^C5$8*Ck~yfua-R&N#lL9$-*+!<<;EsJlIM!-}(bXkq_6i?=M{clfPW1Gf~`jL zgmh=zf!?YrcL(=poFXZaAR)G8_8fTQ2_ zEl`k~V8e@bhv$@0(axakf<(8DRI|FZPh_)+h{jv)WJob1#c~`w0C^e{RKIYQiTmAy zNBno{NfT$XtfHJ5Fa1osC8OoQQCj`Jj3@|gI6E5p;j^=cCly2N=vt-L#f7&6&0;o8 z>iz7oDEu28o{%3kfNud>D^+#nIO(Y2?!00aPVz=hTc9Dvxmjv9bjbV| zxOA#@yUK~jBKE8?_f23w-lWd5OJBcX&z!^$=jY;+iNf@|vf)rq)oy9!C`B5|ROX(r zeI)2=MMhxoV=uOH+{gHaaVmfeOYTpAQa8B+H--ZnVWmZv`Srcvn@BXL=Qsx==i!`W z1U|myjQdbe*yL~UITlMTn2j!ko)q7%sn}-PIwScfW@cF}7bl1O zcTW#b?({VzL7uU{b?S5H5a?fWoYSSAH`GHC$y}aY`v>i#-_7_>)PONeGf(mnAag z!Mm!h1U^9&jPFy`#s?4{$h#!z+9cIw)*B>+sNtxqJzK$oRE9cszw3)vDQRMgiWQE` z)=FSns(wtzgo^E$nGThz9SXhSGl(8jk*(%={JVGShqYr z?Q02vzetSV2=(fULMBiM%IQn{q;=^ni?SpzawXMUP@CL-OtS2d0E5NR= zW3kEW7m@Yt35u)~a^q+MIIOZ`wnYe>5@omyLb{asTvg#WZi4Zy|G*mfNxm+3To^}>rFVFhr&CZ%j z^{k{A32%K$|9jVa*YHP*@GHFnVR@LJJ|5G~ein`R;tn$PRH^0z zMac2rxgU~R2&L9sPfu9j@V8cwILT~}tQnfngLdmR=@%gh% zIMP-T$&^r43#2~^?W``b@&>C0YGtQm0|DY;kIoUZ=Gn-Bf)HbZLm7vnazMF_O^0iN;nIFmSX}O;@va zdipC9lCMLlP|DC;MTTP6pM z404;(67*e;Bg|Cr$Awl)%`NqBEDkn&WAz2(G))|sPfppGyy zR?z!W#Hg|kEbB}~sRsOM{gs?^P9-Df;XR)S45oB z-$iq@QPTI~?_?3kg@_hA41W2RmlYrJaiT43&8ThFlKu(Yt2o?klS}FT{lrUQVN$2X zBo@4QFbls#mN&rC%m)%gov0DZ0OXPyX_sSU%{qt&B)hHI z7VTTgqH6npjHOG#7q?DvM>6j)l?9)8jS6Vb4IqXT&B)u);%o0X)^xF~B7ly%Sx=)M zb?n_RixF;Y?dxqyOUUQberzzd3%}_&#yDE9Cu#7Vm8QY9FrGwMo3@r$M97W2J3)E( z1?ow>d6f6ZrkwJ` zdU+}FNda@7H7QJ&4%6;lLHV~GgbMr>oqe;4?M6DQIF-9B`{Bl3<5oNJ!7G((|KwV# zus~rVlpXyK2!Y(+r2l5O@F>yl1Ocs6A_XBZUs?(h^KYu;!)EPSvE@U&>vSE~>4ps1 zWIo}0AKO6@DHDtTj6@I8mU~_5`o@6KhknW)DFIb-Ms3l~wGmqDG){P)$%2m;N%<*u zi_mQ!ilOCl<6#x77Kh82z%qhcY{cQz^ffS&tf1>;ig^%mav2A2Rx9ynTzc3By|2Dw8*qMnrV^DF@pe9hqPqp`KeJis*Mfvk7AA zCV4Sff!6{Wqc#f+HwNYGEUPBMve#l>cA;7>PVYY_Tg)21=0{i_(`a}~+X-v9#UDoe zTsWz6_N^n;t(uK412| 
zr*QL^=#qLQ-j(w8{0@BUC79QSMCnVO*{@=r-m%$Q#sDXt+*`Wv7%bi8l;2 zb=?UnKjLJTc_3VugkrKM8(tPK{A#MD+f0sVS?>)iaJ9gx8m4n95iD-x?X&S}DW)M_&oj~@ zSt)}quq8(c&g8u)bz!2)8ORwr`EI?6A%e>zz1Z4p2xR2j3(uv2hv`6H!I89=G=brg=q2#ST$3V*s zr&HGrh4k0c+pKm2pq#ior23G=xY27;{R?@nLp_c2Qcdgq%=WQS_AhTbTdNMo#H$qb z8m&h;4qV#+C-Y*bdDO!^YaGeYv=8X*EX783?H@R_GzGo;2rF20!eZ}qQSK@LAz}>O_#|DPQTstfx-JR&+=-D9e&M>61nBjnwX?85 zYtCjIW!%yvWS`lrCI_ZdrgQIartbmK9-<|N*1`GVn8m|36PSI}lj6u3^fC_$VWLsS z-R#;8JFu2AJnrML!gF9i?eeFv-KP$}A{i15KTRJ5Wu^P{o@uNX&IGkZ1E}+~BZdxp zw$t554W^m>4&2$@cdvUd?mh=_>DnG$1Ck>2kE-W^qXj%Rzr{tg`*IG&HoHo4sr%IXKJ%R&1kO6oDX-O`~Jmd>gV*R1Igt zPRNVJ2}l+h2z;yh&O}$W)bTOagJ@jI=0|jBN)m;zmIdk2idw8ju}+KQIquIUo(HfK z+%M~D$^a;BwC;T%IlsG@xRh4I~7R;Og^`e za}G3m-$!vpDISU|J44z4-2eltpc>tTE(Fa#y|xX*l%YjCh^rv z?sd1zi^2Js`vQEqnJdWWbLGwO_8eKT3nG1c7Af46c)9QW_13x5?S+Ne@hukNT#vIq zSTAX;YABSc<0W9H9}l;_$qEmtUbV%CRJ-d#m7aO#+Xcly^nGO8xedC2uO6~6+xu7f zt*r$HrDTJoyY3SG=saSml^#^k<+}YlAwH-E7@=p*2}CF`)HGUHmftX9SeBLx zH;LmrvXTNG=yYQr8p*NaPjZ@0JO+m9%(E_|8Mj+l&DOi{YM%HQ9eUtz-|yN1J5yiU-o zA|m2}YE+Ohu8(HRIkbC{s9MUPxY^3n)ZJ`0}8FO2#UyZ6zi{+suVQ0 zC=FDoCl0F8rVmq@!b`Jcp^Ct&z*(lkpRXYXEtmLn^?v#Oy04!7^w#YZO#BRwLFo%~vGJB~Y>n zwKbL%^;xEiYuyiFYxZ&3tQMFMyv9+Ynn@&2C9({9Wb@RJ5gbI1=9jh9>C$f4(zD16 zKVfCsXm+FHmE6KdH)$*kO`1@2G0v%_dYCy;bqZ4eT^#2YZr70d7L^|&C;+z1?#|;4 zYBLN}X&UAo+Bv#>=p_kR2FS5n=U=A`;^>lK5-#8yF42+B2X^R>d=7wFOqwOYTTxP_ z0O=(aMkbUOdxuuXDYtb`JM`e85-Cr9NR30kqp2H_jgr zgqlmbRh{@0ZM>rFp;rQ$99V5@``+5FX2OqqjeC20g~{RcqAsHD)MHiD?g zo)-M5$Ywmdg++Zm4YLkyz13Yymc>?hc3!xoY0A|{xFjTjI4hyZq}5ZQ-=^ahjs(Xb z1{XH;ADGKO`S&T`l;gt)U)_0K{0~;2J=LeT<9{o4PQaN-@>hJHIZbvFK{n1tmzSA) z=FVzp%V^+9Z}^qUJ~{XaKgsLry@$2I1A1E19E6>b^$WBO2zj;&Lfqwk`Qokv;X`@a z>?_=ieFOdZS}T1TY5nAuHC?*Vs}u{64%r&a{RTn_Zv{J^qy=xMpwS6ky7&~Iy@z-k zJM+E7LCCavijM)KZpgj~jq{6R&Bm3ob~*|R!&Ss){e<9iAX;9piJdz14e$Js2YkW7 z*W+feTtFu<XmXRH?v!QG+=7t-<+On5I=k=a>tSOrS-hq_4Oth}@yi z$H{SKKauR3)zbqOw(jV3VJjr`Gj$B{Bs8hE!p9QuVE;@~@O!F18jP5N&qeR!Rufiv z>Is**Ir+1hp~TLQ=#EYC_4_Yg=%ptAZfxp)Y)Y9giI?pEc!07pwk@;FIa=|30!lQ~ 
zX7(+6->>ItR?3Oh?_vF9yNIu%#Ot_)i>7h)Wgz)EldRS9y0$>HyPgS-w6m8JiQsv) zVzfZOK4cQZ-MW8>Mnc0}B0Y@QQ4=XT7^2X5lnAt)#e-2jA=zPQ>Nj2CON4M1--iYi zturuxIb0O(LVI$Vt`77;^`(AoRTFFHx^2C!_|R~Yr*mH+V7@5aW_zx_t_Ta}HD9!% zF<% za`VXh26?!6@aXmhh(5h;3!XtfK{0)B-bAR0uScLQoO*>K^yupMddJDTxq63thWg&L zML(o1)(eJnVGq^iN98$23o+%}8%HKo^rrhI$@D`bHP`)zf&+A@&d_&bE8nGthOXJh za^+0atLuA+vfsJ;s0ZL1vb)7j9Ab!CfL@VyzY1q0QA0DN;@9p-y51 zyhYw^*XR1|AG3E=NKcOatbO!27)UiocvI*>L8x5{5}|vByk8uyem> zd|*2lJlxI+uskk+ESnT7ZZgA)w!PiI4AhsLTz<~^%#ZrC8CY1Y1ED)O7?yAZE8b_+ z&6|7Mm7d*~F5a~5Jce)r8%*V#=mfh6g&+(D2x53I6SCqLW69C6R$4M#ym~vBM#rt1 z>%T>xqS_KtM>K4A3stOH@l-pA0$2~Nh0UH}POK*);28E%M@)JIItHDKK~xtnBMkc) z^61e4sLp(**c#84-q`o|A`=+qxANARV|8g);Qn}%r9T+Xui?U++xvmLelSw8P$R`Y zLXn}g_So-ySE>)$~pM1oLMjJEB2)(uqD`x{va`#iZhB%MOrk=wy+?xEt1n0 zvMXpwrgo>|$WJ2;eOw(4WqsVB_Oln9KFB9vx=WX7>zf-EZj-C=hYFk+@7kIyD!*OE zOj^W!KEK{4zGu<27rAX+9#u5C7r=eiY=4P5`V|?Ypn|gdopol1s%aP#;9r}*Utkyt z6y!mSy1YrnNMz%vLUfw_8YN(0v!N)PLhzAd8@WnH^uUmdymFdj!y0!0x&sxADOIK9 zC@!;i1740>8bG-v+J7&v(#ktq)9u~?^%_}z3;%W}HqWIm?^61gt35ZQcB-@Z9O8+I zx#%oa>mo_9@X*JqF68Z4n7YF$=oH~s9}@{rfHd;^X_?X4W>5bwO~W3ot`4`lM3j zTD{5jp-2;@p`l{VQ+F@? zK%-7KvZA-9jw~k-x#NqnGn>CLNz{5;M)l8rx1Ae6Ba&HSy~1Z;ZUBmnJcpVTXlD&$ zGW&gwZdTiw8bO(UKsd9NRFuA(U22+MLd#E4;`;_ncwW-S$HhX*&#m)7M0vfSq^J(7_jVH8&Hq<;D3V#a@yb=N$+eA4vG zdq)p_p3GLPAwQ68bab;fPsR3GGK5e|yd=)jzJe`rCt~P5ORl^U0i3hHC*$dk>hBMI zg%`TeV_6^ zzDX0687J4beIlOonze@ml^Lj4=^2wY;w;m?Yyg7}D=PcqMTU_$G|QdT;%f&wYjKx? z#PFZLxYyCJMzekDdAA>RGj6^iwx`RT%rKb0$+$LDhNo|Sp!XlPf~lKX|Nq8To}tlK ze74QAjvU4CRoziTI5N|N9Qri+hRbznwx=}D_WXFGjv6aRa&Un%+GuxNrq5dd;%^}x zEM3TF^1U~H8>qHTsOxC-bH-#FB#Llsm^Gg=~O z4>Z>bNMl472et{>r?cqojGrlYC+aL*OlgUmR7v%W-?W0!! 
zH~!ycIJ^UMSYQ$MzZJQ`jy|NX;2FSf$;}+V$4eu9ejG%NN+q&wJWO?>x!B>jk?C#1 zg(46<{IrW&hW2G)0O4y@vCpaA&y=uj1lNp#FMcX+N$eYh=Y2~a_tEzg_));LpO^1D z9o(d*0|?KfyViB#EVju$CR!WtsrimGC5@@mr6nR@eHILu}pFCO}d^`x&@TI5ON7iCf=3k}n# z7&{b}wTNA5jFm0zz?4&@qTYldTCM~K*|Sel?`U(AA_$Puioi+MSK+k?Vte$K!Np%A zDHo?{cEeYyo1(Q+kt9f-f7Fgr6;~K_t73sWez&jSl`!9Z0{l6DDwbLKNRq)eLZ%tk zKg`i4>U&eT)Qd=mEtE_n!pBS5tB{Uo3dn4lzihZl&sE{>Fa#JR!uH5hEd_G@s@v(z zE(mt}z>!fLrNM$0Zt!ZOO;b%}oy5v>A`^3rrz)7;jGwwO`YNNBAEJT%f60veSDb_? z_tAv2Hn)t&K)Js8Azr6P^)+=@5=Tw)(jc95Jq0^{JF&98s33@j zF60AClxsX)&`2FDAz3@sQK{)z>BHlaGTn^)Gs(6q0wbqD3Zp+RO=J7|g0mSA0yth5 zSobsJ>$BX>=j0G~y-##%t2yiZ4Kv_;E)^2m5nf7+X+4K`r1gfg@j?h?3%!L4Wvh3# z-VN=68)wErLo)U5ivB;NjRcC+n|d@9%7NR{5XxCE=J|J1&pdYv0RnLM&zApR`Ui#p zcegBw;>`ZJ|802PoC5z2vo`$5e^7)D2La}{~4QNKLGM@y&s^0IM@$h zCHqfA;E#&}Zg1J9kK-%Xg>@rXV@d|JY~{3KZVyAp@T6#WV@C>Gj`eVqO8jgP<$GiM zaqY}Q=#GL0}b1T2$Wwb+hd4(T^r3Ihp!t?9}Mph+^zkFHgv|{yrxaG@~^p$t8Fq) zz=ltPK{+c$e;9m~Pn*CKhh;u7vF)6|>dho!uk=a7IH#&vr0Ju}NfJZ$S%E~8Rh&($ zQRc!@%cxh@hmFMi`=#C+VA|86@8lqZ9sXOF48+Ux#aajAb+_|ap9kR=eOkE{6y%y8 zW?v6Gf_1i1d((7WDD}fTL$)f<^=q?DM2y>8?gi$20#ZLZTdWH|(3^zZZSaq=wdugc zAHliQiG$7KaXiYIM=5;VU*BFSrhE#kU2Y!Rt58a1a&X3r^O`M=#cbI86`)l(rH%oX ztJsDUc+`&TGsEbdsi3y1I5mbp=g`_u9LM2Hzr#G!`BSANU<5k7z=AnrgDc zVQyr3R8em|NM&qo0PKBfbKAJKV1FI`3OxDV>ZG5k#aj~1&7E@F?ry)%;<4R*>s2Zh zLFAEyXOiFrK-uaz^V_GekOUV=lr1}6gzD;8#C~vaaBwy-9J*s*&Ik**0EmFK55|~@ z))WW+535O?PN%cCv!nj)bUMXmpJKXiAtyWLK=+m+?IJFmLiKcLQv`k$L(E-?F{ zbL+l}lY1lyhanYM5E}Ac10fd+?9)-p#X|VdBD9TTK^+oufqlP+%IM;_%zGPP;f^b- zyTAk)67bTxmBl>5BOgzl5C_mhA5ZqtuW1jJ6)xfdI1^x;(6EPo{O4QLZEba09jAl- zA^+T!fBslmRrbLn>_QLekM?Z%lnV$d>rviAJ_+Ni%G?N8Km>QvQk$0~^ynq8F3sqK zc)*>}g!Pb1!yy^9vSGCNxTQa~Ctd7EW8AH5CRvUgAhues3>>yvuV;gSfe)C20eN|0 zD=Ud6)9`@1j6_0x zdrv)yJRE(DAVeqBC+-yOk02C3aui2gFu;M;K5`}PLSl>sN@#<#5f+bTpF}#1fgRZ#BwBUYkI_$ zqfTn6!SI#=t=deSgWzqSjwo;2%RL!2E?{~|na6t#2gy#%sFCWV;UErf%!rsaW-b_~ zF>^sRu;jp7BO)3p5_LP>R;ShZ&p6Uc^1W%)I^A8WIR7WukAbg{0hoXOce}e=uL|e? 
zZg=<9`ux9-#31sCi+K-iH*o9`aU2R@6YTfUUZ)X&V8rD=WA_3=kN420X2fU!Vhk~F ze%3YK%ftV75_%s)f7(Ms>~mjs!&X&{jv+`-Rcq0J~#I>Uf0X zfe-Iv&5#s6|A~F#VL`&tzhE$?^diZh6f@3A05le7;8Hc{?Q)S{F!5ss`b6oW<55Ui zMN3Cl5Jcib!Z7f6cmO`{p|9V{Wj_x72V8LmKDdIi>M{poa4&Rcg%QY~73E_tXmA?) zpgV<7LgEm75b!YqW*9dE2%UR$C4hz4Kg0s(bI#wL{RY?KG@81_Ii;l2b?3N!fyA-#fL(u({<0z5Lg2r-B#CxWtR${Hvh*%iJiA@Hb& zCW=emGM}Q@_tS+QexTxn0hioHmVE{;13CInpY=Gd1jE^Sn(qm3azH}?S3(a8`#!xq zVPryl7{L*Dv7g)5vW$x(JRm+163(VukI^Xk+mWp_^aQaYFsGD?Ux*KyQ8xfo1>$g@ z|H^0__0XF)Z?bP6XecWci~hlZNnWSZQSd)DSDab!m-9BLm4G5ylC<50D-saKC`RYiL z-z0aNe$&WILWP6y+xhv)S%zVc9WfdF5t0luJw^Ewa;GkcG0Sf6^U-t(%5ndA`p6eb zBfso3gHW$=3-C6|aLqDZ=H06CZ0+(r%vrVKibd4R9jjlz$xqht9#QXr#-T7wU$@g~ za8({b9#Z~D~Z#r)j zC>fy&pMA{v2X$lD_~sa86vx9M35l5M6<2THAJg^-f^9bH8X z6#K)A`Lgv3nA!rM79Y21!nl@-Bc$^r|94!Kt*@r#eso`#nl9#Y1&ydrN7LWsI3z>F zLJ+`PgtjFXgg5}J{3Vdl*kG%y>t`&sLY$C#kYiEh7EHx13Sbi5(-FE+tO-P5J_Hb` z&AQv&dQZ$2{&x(#T%}lJYj;o8c;tjqVenbi9EQafc^pMP1P}`Bt1O-kRhKE8c8aO* zEx*6-ZA%-dq&r$;P%SjOWJJI@J>7qQNVqktHTpdm^mCQ))?O05bPo+=d%L^aTQz~E z%SPTnDTk^KV1xn^?oTlBCBDmB`N*dO>>F*8@C~D>hh)z8Qy390BwjU}4TQ`^bv939 z-(++5SPpDLTu_iUTh9AACcYqQGc~`;t3r!I=zVK`ZbV$cE`QUB^~L+(^pKY`t9EB$ z+1UWQYO)NlNO+a+E!L}@D&)Tcg2=}Lc>Bv3{0JCtiRd<>;05~M-B+DXLH_${yW3gI zfA1qTzJ6{0)Hu3|aOfd11|&HmM2G5crNC-6erkXF*7*9>K^_cA2&ifCbFz37IavX@ zy-`cs5XeIkwf@xl1X=Rq1Q;V8pli8JLKp3At3OF_77vHy3N@XqF$g{Nw;tkw+Fl5! 
zeGFsYpQ3-q*jM^xgri6ezSZ~_=+;$vA^VUM;b;IZjyWJs13;t{wnTaDu(GHO)ah@_C1gxu&M)i)y0CGmYU02FgM zPL8k|ycz90=*nVw2$Nw7&?GYjYEouqfm%@adDhb3)C_uW>o2S|&J-BBmDZ_-l&+kP zHTQMt0Y;33Vu+f5=g!}Gv(TFEcNtWh^>+>ht+kb##;8r@x~lax$f8TB`_ue2Rt1|g zXJi9h|7|qp=vp3?K6U{$|FemjUz#`ARr{XAdCw#AfWyAzj`Wzh#(s&?K|n)9L*R3# zk>36*aW&0FCQs1+#(`gve~m&CdJqcq8d*awk3JiPW-Y!L9R0!!b5S`E&735r3YAPr z#Zt7JH)~cTr`Y4jrLixIBCbUQ37MlD>=w&Qtuh^%=~#{HIhkvI)3%k7e4V+0fs|x zMGrMUP$QxM`8m7wH;*JiZ_Zw8YZ%|5(sIl4bzXK`f+64Mk0K6L;?dw-- z=cN6&Y@vQjwc5(KY4q(|uYNs&N9fzPW-_`HOEOr$kxZT__b)=2jm$;HK~2YDASaak zej`(}kn05a$`K@hG^0-Mmd?OTBG;w|KF<2>TKPBX&C*7sy_Lw{EI8R}3k@VQlq4r> zPf-)Qh>KldA{nbPwc~9Uw_GN&N}6^ibtdV|QVXF>Dx4svxm2~}SV-b$LE0i{sGIt6z0@F&!d19(s4P|GSD6v)3%uo(Bu z)YZ)NHj}?|7h`iRy9qJSJ>Q%X{Hf~a$$%N37KoesvHDw!m1e97Fh^CiXK`EpfA0NH z2`Ru+G~^ccK#S~uw_k1L?|)mJ?cJUA{qH`KZIGEReBKhZJ?RcW;BMoBgkBFFq?SGB zrhFp+fjum+#AJ=&7q7XEJPmnY(n1oWxk^4Hd)5-_>u!F3&G&T+r>X^=msrTyDvS*z zd5Hiku1K=1{RlH0fB?q(`d*ior4fYtC&zzo>ngS;A!3pZv1M&KsR9oS2fdE?yT_A=TE7Xb)Yd?MK+Xz#}LDJS{Lu z%&$IuZ3cYQ?4f{K#fu7$T1EpR`EHv#&N`iT#%qZ=wwu5|4M<-!BTa^JNT zy@NfEz3mkt)5>h@i|u7j=1xSJC;_!)ne3Nfs>D|g7&mA~lKmW5OJ34;3puKw1QKb* zf-`)fTa)VybhheoF3s1~4EU8|*J0-TD9^XToxpC%r9ps0&)&!FK-*}ipCFvr`I=oh z`FQx{!~XlDvy=UUBTH_tEO+Fd$!oHdGVK(GMg3Oc7Magfm9(NhIfh#)Pc(BxHy_Nb z{z_dvtcf3d{BXX1{Nd=da{4_~T+fnS&W~lfpEJP8XueM-5CZ4QKEa;SScvG?#3CU{ zk+!kWyY;Vpmhz9Oxv}*$i_?%zykdxpLQNhGB6f9_t25K7U#H3U|OVoafXp4PfRTn~Bn8U$*Ks;JF)0$;K=Zc&aT2 zEFhs`Fn(p&g%e;z^`c|0>?IEVIk%`8tD3VDuD7tZ-SV7uwTmrSR!cF2tkX8PS#3K! 
zv)MGUc~3p)p`EQxo?z8A)SH7?d4JAqxS1Bp9!>xriGv<`ue>qSc5^17xw_i(uoBHG z2+a2uLax(yOLgV{nYhO>99(^6zykUIcIQe{BQH88`mVCKf`$n?nax-(}&a-6TJ{>up3M5%jjOgf+)hdC+4`7yBARlt_ zR;m~sD$7X^rMI(=q+G2`Lr~nXx0k^uQ%H0VMZl#|IE$51Wranw?Yb2KL6?@tmvLf& zY(7Uh?pULs)jN48=cB%A{f=25;d8TvRNl-6Z=x?UXi?GT9Do!lGP;CZamD;DeAbmKRsJbJrtCcFZ_rx_+dSuJ{Vrl)YjQc=%wC6=X3IGfa~xY)^ab3$8z;wT@N*N$Z64XSQ7R`Io3>9%U6 z@4c_?pAe`hn_V1VqywDYJ5&iG(?G^R^J6l_8`hOp(z`o{Qrz(=|)HLAK zF7@mvv%M3RCdy-+M8J~O3&9kv7gG!cc4-7>WiniPbi=87IYZUfocxJ>nMj+cWX!y)a!UPtOhDBjq2W0RfD0T%Jru_3>56A?Uf4UQ z!PK)64F}-9(Tc??^;*@J@zO2FtXzcBcQEzD>O|>K z7mUX|63^~_K~iIuhX5iifLTZi5{Y^dXoV<%1Pb7bc?Fhe9D4|}pAqM_a(fuWPOCiV z!L^4Z#6J0}gwGX&TfD7rHImy=lv^EO*(=(0kFcypjYI7AYyOZfLO0_7>oWc(Et3Ci zcZ%`9x3~88*8Kl{q?PjjYsP;j<6l=!H0y$(-pMPFEo~b-lR8D!2TWBVJ3l*7E;* zNp~gx`B@{xb5jmfY?Frk+n56B3|6Fn~HZDnq#5I?U;s;6BZC z8~VSH@SC(y|JyCbf8FcuuKE9aNh|07*MvVM{Iz-hn;j7AlVP21ooXw7oOybl`NE(D z^ndHsZXy21_D<)~zyC7tU|r3~SCS0Hl0Q=m|hWQ#* z^HocI65yVy2fq?4TqCCLnt!y}EJChNAQT$58iK|}A~EVI4W;nJr&Vk*p*Mac+No&L zZL4XiCulJ7V+IwjLO~u2ez6N`d5c$}FOLRf z6jGMJA+w=6q`*H=adf4nT*ikt^WXj31xz>5-;@az>b;#c;iG~xu{NJg-(yuH`}$S2 zmf2Hfqxe8YYRr|l*0M&T$561wn(3>P`>CIk%eh1qd{YYZ`IxJq8(~1g33b&{Ek=RU zQfbqQmV1_boC?(slzM-Lyl`=qOrW@xRnLN`6=bEEKGJsHEoG(F#%a#M>CyiAk@@k* z$zk%N;QyF3ky{f^JUCL%WOIoCp~Ow|x^C*eG#k9hV`T=^Ti|nffk_b&mg5Gpmwz7< zKTw+Vqvr@pGpghXW}N1w%5~23xs|^2iC!66;81BxKSs9OudaD`^zO*2X|2Kx)&QXm zbaWN@#3jO?Dy1vJzKw|5uQ-uArH7v&V7H8aHL+y zHkvzxLl2SAWq`TN@+tNZ4J{h+vSkMG-!w)p4$+W=9>R#xcr@0-p~L(*22PvlY$2AG3-!TZOvthE=-9}{py)Z=Z4#t;C*eij+6 zP~ZyO{1=~&3PmQwmCKU<8c`;OlwD%x6*3sTn&v-YA+S5ne={<_^kWtrmAAQzeMobX z(2Y>akt+wo*ssVkmE^cH9eSz0rsKsiht$h|+d#iiW?O9{F~$M~L=d_1=-|&IXREW- zabEB4?vxtW_;p*pwX~_roa-Yz02K$b+$nf42KVAvojS`Mh$>{4qt7cxbzHX7OUQ5q z8EiK1@LrRGklzVrtVPZ%OLg^s74aV&Z8fym5OBf$ud}yReE)T~`{?Drk0i}_|5d$_ zJnJd%Dke?i!rZ{NJDQ|DgIiwpTL2I8J=vS=f8s*&?<(H^-|B9a{Qq{lYyJPdqc-!!vts}FvWTl4-3MwwkZ(8SSFKPXE>K3hkCjQbD 
zVJvFVq}5QPIYuERukA(cFLvMFn(e-QC-`3FgtSKc9NMqe=V%5jGw&m1+*IvfPH&7-nPbGZrkYtxWDkR`CI{C&%krHLTFSWI?;j$|xR|c;QZsJ<76+6&iXx zqyxW@=AQoy{v8trp59eU%l(tI;QZg-DV_hFy>Dop-`P|&w6BW^yZ`%Zernp#Q4$h5kVb;YYHXl0cMJhm9^_&Ss2^d5 z0}#M?9}NlkURst$5bmEG|GBNJ*kYuJ(Fm9zP!P%mz_~oCa~~7m1uj@of>k_*?BbX) zJT2r90YRyFQbEULC}qwXs{tWQt3J;evrgFe=_PolFoLUE4QPLm)bm&WwBu{YOI*=0 z8L5+VM0@Bu?IXhO1s*{K>ZC(?|pr)#T&38B8i=ucmp0UtGcvic@!dLS_Id9#PUHWfU>(H9LASww&M z_U&`7WAmhuCwu>@3adBdqgb?)MvxEqJjiF zdiz%HeJghZc~tEJ6-z+f-mE>22v?cvr8Mw15oPid4iN;An3f4e+F7oZ|9G3o6|-H( z;EU?=MP-#u4WpL}7Fbb!^pC$!7iz~S*^xFpPE$IId5X`#3LOKEnRpUXC(IYfDQMxYB`B3Ywa9@TED z9jOFc4Q0r;Z?+Do)_W(FUDeSZ70_&1CI70Cpx(sl#-Mt*C{={@4ebO|)}v7mttuq^ zi>1G|e7|Pt`qKTGn6MC^R<*eHvaDw16WPrGyBBmgd`AKzdg`(^U*cb9mC;>j25ezd z-tz84O`5ihs9#Cm`Enxt%K23^bWlFD@>$fwsen?=nE!9uKBxc5{$Xcx|;H9NZ>DY#FbIjFdH9E&i z&1xDC6)QKLi#j%gmQ<)lo`<64d1$JUXOZUK|Ba+QJ!T{|ynzT{k^RS3>HV+n-tJ?M z|NcnQhB>-M0=@7dL@#_wFX9L_=UuXzX*4Futv69q{`c}F>LBOax5kDdM}HgAI8-uB zkGR6h;2@IB=8Q-2+mkN#qcQHb_cd99aM}4SRK0Vb zsLdSo~~196Mdsn>)kt2rdN62L<2 zD;fKYQJrXg0V}s;3{ekoq+(_Z0=%_1+W z!R3kw7TZ0`!*A9v6WaaDCi)v(5iYpgS*Fe0h+e?I(;{kWxsjymmu8|`MUq26m_eeY zX`vH!5kZFN>ww{uG2jtZq7+$0Uzd=+9wbF|cyYpYW=j!FY+R(<4SyEYn{#alTR}dCpYeW}e0i zY*A(a^rlucb9m-EcPp-t|Fk63b)1gX$QTyLe>%HG{ZDtdyN>^LKWPJglG^GUrBq7V+Lo*27q8gfCd2# z(Vqur$Rmt5S|cLb>i_2P*4E%J)>i*dK8#0g`M=~RpM>qKp#gR;;s_0i54`bHi(f{K zpIQTa(fFw)f~fJ+|7&cZKQSXT=IHqFh&Nghqsk?xMLfW5U5?TJd5mi7iv54^+x~}N zkKTR!wH0_P>0{CUf3;V5|EasP*In=bdr2GUV2r~N_;l3R_kGD6N`?@*>MKV>Mgye* ziX$!<-~fF**+;*o*kbfRm&Etc01);(@FXQsY9P6#8jXz&^y$PncNsPZbvmDsgVZCV zoi|Rm)7aS9K>M+feG!oUqAIhxE%Z^Vu zq`r%V@WDcLM+$Vbgb z!_N#v^F`_USM2}Oqy5A8N2}WWi}ruFySuwv+W%X7Yx|FTNgMWFR)~Kfu|@6LUqPT# zh$uP^hqTe?_xmmlx#Wo@hlrTW!k%ZbviiBRUb{^r2o0z1;1PsE9?#==An!32swvFm zR&yq>RKMSEG`^expigPu=NC!i$*sVnE>}O)|GvmV?Ux$kX%NVr=215eAk=q~))zG^ zCwBR{j;MlANJoL zeYOf%U}+RbBBx?*i)rsG>kT>jx?}}8YS;^qdBJ^tv620Fi3Z@)O9@nKq0DF&u9YcQ zW4TNeuw=P@`bmF~jH#lY|3H)N)=sPQ(@zam1gT%hgNT8vh^%2(Gt$1L0E&H15mR)Q 
zYa0i1X+(6WUC7G^1yA@zNF$&-WRXW#;zFzgEAN;bOjF;e|> zdyRd>Nf7yfF7Z^JD8_0N5p}-AiG%_T3FATyJ2U#$2&$(`85*fYWUU-Z8zjjZvasy# z5y;GQtJgSJeEQ~iXx{2IcgIdNSaA`&Rv zlPjm6>XT)HsztJ(Qfq0f1*oPXY6(jF<)3e}4O4+A2LEnOyNaZHOCs|241yqNL|opU zY<-z*oB0zO8meISYWlfM9wdD@x`H4Qa(W*!>^o1;K`#W31r4wuF82K?;vn>rS|{Jo z$0O8t98j%gi2Qbzqe)+Kp_F;RXoK9-Wouwvt7tfDg}Bqvkn%2?I_9=tV2Si0kDF^!^=E7TEOrBt0=2 zjqB_es*|qKA!zy_m;bpWIcxpq=?dCvT%(?|L_$lJe;R3(vsN&#@s46{#rHkWNaJU2 za@i!Zw>Vz`etge#jrxMc&|gVg3t(P|8LN7ihlI+o@5|~K4?znt#@MhHn*7=eksOpy zWFbC%Udb{nUWt-ri|qbbe$?!&F}#t`H)mdMFFc)ejr#KN)n~6ddTo0UEm*4ERvnlN zJhFS&FwcE_^645K#Ed~GlIsAPBx=|GWV`jI)u{pVTEMofqB3CTK0f($jrzyK4^*5m z;1G&i(U;mVPb?a9Fi$@|`Ls$(Ugt>Fb`e?cN9s6LrZ?#od|@zc71w(;WBwlLE@567 z9=XuFiawe=@sIXTj&q!13;k;hAxi3EpN1oS()JhgsQpc?$BA?oO5PHO2y+z43oRYa zYow3)!z4Q`RC2S zUjya^&g8i=Ed5ul*W0b`3NXC}%nJ<4nr~S(-?AV+H(K*8D`;yT%r7w!=Oh3c3%mDo zDzJ|P36!CLER?b@HZ>O%4Zx)VAUwguSB4UgHeI9sUY+|+t+wXDd@Mv%0rTI^&rgu+ z6L}pI#q1}Vu2FyMt^_T4+7c?K4v;`T%X&Z7_I(`K1QBZyh6VCp`>fn|B9L_;_e9}6XL@Nj<}1p z^-;5@BNJ?*rfWr6X!cOkV>D{^&?oHspEpsH0rozI{`8bm@eA=mDv4|O}84*J$l7jwaTx4CK6mD4{l@$kwv&_bZE1@&{% zoe1jdKA^f5)UQrZzwqfkIGdF1)p$&3@Jw-U6`J++=lnJly0= zr&3?8=&jSqTeM3+7q)r02`Rtf;L;hiA#yV4ZMr*P@C{}b(?CtJu zZ`C>~RLSJ5z_CZfaVUUIuwP?l=VL%a2LFyBbf^0Ed^slWST}?SSB8O4D_x`hc4w6q z5^fq}|Ig$JS+1T=n$f)kdVsG;5C>=j(V+o$`u;3ee(_9b{tH{}uV&2OBVD8Z)+%AH zK=uox!2x#13#s`vI>#4U48*8B0wmNkH(x=`5~NX4KA!9&w@%9sIjveGr(kq2j>C&H z@>dO*tD=a@vhsZP30MBAu0Dk=_{&_q058-t4rmBi#0*}pVBq(hu2FwgXr96RJr?fx zcM_`OV}9?dggXZJ!h)~yYri0&$5q5@6;B6|Q2EJc zGmPkr-Vb$o1+gruXKG>iB-0(iJPla7sP_csLA?r3BCQ(clOlo}YtA!psiYLe-X-6X zSac>At_pl7A>x%SJjNuM#Z}Vt63opT1Jx25!=UGi%z^w9N!O@le^l{Y zlNSq0y`QHBXUUrdl0zKEOpF!VB9BOOO-c=;JnOhkg68Sk;Gx0P)>SpSmM8aIwshFE7a7R><3z*6Tp>Ga4nz+hyJ!QH+qIgRK~+#3!8j$Qf_Uz@-a#tS?RaX zhmYq+J#;)oQyQD_p~`!76G15HivseL#w>S{kTi!2y(V&i5DqDG!CUq!v1*uCPjhzf zTA5NsHRJ*q^Aegi)Ix_8xC+I8N!f*g?YxCv6?3t|v}!(6!~Dp+-gt-wp5MEHdGg#N z@??!iFBzDh?gr-P@6LV$?2ECM2+Zl-z&v7fU?aJtDB2y`@+abgGA$#JUk}M+751+h 
z<^c#sT>dk5FJSTQ=Ni4&HkOu-2UtLXy6wwd?cE`wr@QIqf-T}#gwE(>2l)?4d3?IQe4}?RK}`lg(uMTsb}k zDrakV?>(8@R^u9l)PtDsiJ=0o03t*chVgCB{>$}8rMyT?^^fBijZ~(d9PfRXy zWww$aK6%hzqrQ0=*=QIYml5^W-_7`zD%z4d$d_DSD_mV^s18pp=z99l|2ovps3vFu zk0T${D~-PT%zNn5n>TMhf2-A6CH$eF#LoAxql02s2 zF3K?XLOxTTE@``d)HN%Wr{~EEMD&Sh{x!@^{EJ@*I~~(1VUKRCQ3y zj=-`o_KIPL97cV3`WPfyInIp|t8tfPwiO#y{VCiD+d2 z&s_(eOjFlX|4I8 z2h9%|qBTe0pPyDy_^-Fl(@v`v{%e@e6F%pAFA1Wb0nk@1h-MJ^#KkoUyb%z^!9YjQ zvYa>4hE&jXd0LlV+Iy^N)mHNn_4dP%ihBB74RdT&5ENlAjksv7!4o>EuTeie|KyqK z(jZFD)|Rr6Zsn~S%$2i;SR4uxK-+^Mj(w552j&%Aq~`aYy7D{^aI3UxqlJii2Q&`F z>`;jL-tDl6l{7{HT+pW!lJXk$yQ_*tDPhi)tzKR7vIK46Psa#w<#_H5S`|uk67E+$ zCR;p1E0l;D&&ODxAm$?VTe2Rf#X|v1dH+p_`xwHXNjzWW8Oni8hzl(-jcUjiNXotj|``(=P~H6Rc@>C!$V69hwd1dW6c*wk;4Fc0ki^d6@7F%ozC9Qj{3LL=@kFn z-rnv0(B0YYc01i}SC;GUZg1`WfI6$_d{K(I!0d<4t@|oY?vbPobgD5xg)+|=`9|Y> zOt?l{L^v8?4j!VzVG<-dj<{fe1N13hG232dGr2S&s!$WgZe5Pc_(N}Iw1CD8eUh6u8=Ap-H8!=a&4>16t98|euuUUu zwuBtv%a#NOB+$^0wQ$`X^?iD&!j;n?q9KHW_ZkhS08UM|6#MQZMkA#%gd?0dYCuZRH@%nDMu1%g|`%IWnCQ7kz?7@Co5Q8W~gNqHv+i~ zYjLKvj>R}s|NpCK@MArwZZ98xH!U{PmYc+6^T`eu*5kk0M}%dc;li zy~ErLvXdQ;uv`F@o5YpSOG<#Z(0({YaAjiOrz2KV(_a5zp+^z|hJj0&2cBHfEH;3e z*g^Ih#5n|!Y+(6mX0b6GVH)9j*2zzewFjq%=tV#4GU>7ZQqMrgi`QF*yJHBjTG~?> zQRLGRan$Aos91{qXb6|c$o){&sF7wAJf?P6f`Ad6QU4AYI7KflPskFV5*)H z2?iugdDIFR@jiM%TF^q5a-ed6X;UwCl)0=K+bEO)@hyA>HDVt9{>RV|7$r>LIBPI0EmwPVgLXD literal 0 HcmV?d00001 diff --git a/charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/Chart.yaml b/charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/Chart.yaml new file mode 100644 index 000000000..4fd1295f7 --- /dev/null +++ b/charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/Chart.yaml @@ -0,0 +1,10 @@ +annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/namespace: cattle-gatekeeper-system + catalog.cattle.io/release-name: rancher-gatekeeper-crd +apiVersion: v1 +description: Installs the CRDs for rancher-gatekeeper. +name: rancher-gatekeeper-crd +type: application +version: 101.0.0+up3.9.0 
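Review bot: `apiVersion: v1` in the new Chart.yaml is the Helm 2 chart format, while `type: application` a few lines below is a field that, as far as I know, only exists in the v2 chart schema, so the header and the type line disagree; unless the v1 format is deliberately required, the header should read `apiVersion: v2`. If this chart directory is rendered from a package definition, the correction belongs at that source rather than in the rendered file. The rest of the hunk looks consistent: the `catalog.cattle.io/hidden` annotation is correctly quoted as `"true"` so it survives as a string, and the namespace and release-name annotations match the chart name.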
diff --git a/charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/README.md b/charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/README.md
new file mode 100644
index 000000000..26079c833
--- /dev/null
+++ b/charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/README.md
@@ -0,0 +1,2 @@
+# rancher-gatekeeper-crd
+A Rancher chart that installs the CRDs used by rancher-gatekeeper.
diff --git a/charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/crd-manifest/assign-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/crd-manifest/assign-customresourcedefinition.yaml
new file mode 100644
index 000000000..466ac2b5f
--- /dev/null
+++ b/charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/crd-manifest/assign-customresourcedefinition.yaml
@@ -0,0 +1,498 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + labels: + gatekeeper.sh/system: "yes" + name: assign.mutations.gatekeeper.sh +spec: + group: mutations.gatekeeper.sh + names: + kind: Assign + listKind: AssignList + plural: assign + singular: assign + preserveUnknownFields: false + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Assign is the Schema for the assign API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + properties: + name: + maxLength: 63 + type: string + type: object + spec: + description: AssignSpec defines the desired state of Assign. + properties: + applyTo: + description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + items: + description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. 
+ properties: + groups: + items: + type: string + type: array + kinds: + items: + type: string + type: array + versions: + items: + type: string + type: array + type: object + type: array + location: + description: 'Location describes the path to be mutated, for example: `spec.containers[name: main]`.' + type: string + match: + description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + properties: + excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. 
These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' 
+ pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. 
Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + type: string + type: object + parameters: + description: Parameters define the behavior of the mutator. + properties: + assign: + description: Assign.value holds the value to be assigned + properties: + externalData: + description: ExternalData describes the external data provider to be used for mutation. + properties: + dataSource: + default: ValueAtLocation + description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + enum: + - ValueAtLocation + - Username + type: string + default: + description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + type: string + failurePolicy: + default: Fail + description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + enum: + - UseDefault + - Ignore + - Fail + type: string + provider: + description: Provider is the name of the external data provider. + type: string + type: object + fromMetadata: + description: FromMetadata assigns a value from the specified metadata field. + properties: + field: + description: Field specifies which metadata field provides the assigned value. Valid fields are `namespace` and `name`. + type: string + type: object + value: + description: Value is a constant value that will be assigned to `location` + x-kubernetes-preserve-unknown-fields: true + type: object + pathTests: + items: + description: "PathTest allows the user to customize how the mutation works if parent paths are missing. 
It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + properties: + condition: + description: Condition describes whether the path either MustExist or MustNotExist in the original object + enum: + - MustExist + - MustNotExist + type: string + subPath: + type: string + type: object + type: array + type: object + type: object + status: + description: AssignStatus defines the observed state of Assign. + properties: + byPod: + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + description: Assign is the Schema for the assign API. 
+ properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AssignSpec defines the desired state of Assign. + properties: + applyTo: + description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + items: + description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + properties: + groups: + items: + type: string + type: array + kinds: + items: + type: string + type: array + versions: + items: + type: string + type: array + type: object + type: array + location: + description: 'Location describes the path to be mutated, for example: `spec.containers[name: main]`.' + type: string + match: + description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + properties: + excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. 
For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. 
Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + type: string + type: object + parameters: + description: Parameters define the behavior of the mutator. + properties: + assign: + description: Assign.value holds the value to be assigned + properties: + externalData: + description: ExternalData describes the external data provider to be used for mutation. + properties: + dataSource: + default: ValueAtLocation + description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. 
+ enum: + - ValueAtLocation + - Username + type: string + default: + description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + type: string + failurePolicy: + default: Fail + description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + enum: + - UseDefault + - Ignore + - Fail + type: string + provider: + description: Provider is the name of the external data provider. + type: string + type: object + fromMetadata: + description: FromMetadata assigns a value from the specified metadata field. + properties: + field: + description: Field specifies which metadata field provides the assigned value. Valid fields are `namespace` and `name`. + type: string + type: object + value: + description: Value is a constant value that will be assigned to `location` + x-kubernetes-preserve-unknown-fields: true + type: object + pathTests: + items: + description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + properties: + condition: + description: Condition describes whether the path either MustExist or MustNotExist in the original object + enum: + - MustExist + - MustNotExist + type: string + subPath: + type: string + type: object + type: array + type: object + type: object + status: + description: AssignStatus defines the observed state of Assign. + properties: + byPod: + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. 
+ properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/crd-manifest/assignmetadata-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/crd-manifest/assignmetadata-customresourcedefinition.yaml new file mode 100644 index 000000000..1759e9e64 --- /dev/null +++ b/charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/crd-manifest/assignmetadata-customresourcedefinition.yaml 
@@ -0,0 +1,430 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + labels: + gatekeeper.sh/system: "yes" + name: assignmetadata.mutations.gatekeeper.sh +spec: + group: mutations.gatekeeper.sh + names: + kind: AssignMetadata + listKind: AssignMetadataList + plural: assignmetadata + singular: assignmetadata + preserveUnknownFields: false + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: AssignMetadata is the Schema for the assignmetadata API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + properties: + name: + maxLength: 63 + type: string + type: object + spec: + description: AssignMetadataSpec defines the desired state of AssignMetadata. + properties: + location: + type: string + match: + description: Match selects objects to apply mutations to. + properties: + excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' 
+ items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + type: string + type: object + parameters: + properties: + assign: + description: Assign.value holds the value to be assigned + properties: + externalData: + description: ExternalData describes the external data provider to be used for mutation. + properties: + dataSource: + default: ValueAtLocation + description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + enum: + - ValueAtLocation + - Username + type: string + default: + description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". 
+ type: string + failurePolicy: + default: Fail + description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + enum: + - UseDefault + - Ignore + - Fail + type: string + provider: + description: Provider is the name of the external data provider. + type: string + type: object + fromMetadata: + description: FromMetadata assigns a value from the specified metadata field. + properties: + field: + description: Field specifies which metadata field provides the assigned value. Valid fields are `namespace` and `name`. + type: string + type: object + value: + description: Value is a constant value that will be assigned to `location` + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: object + status: + description: AssignMetadataStatus defines the observed state of AssignMetadata. + properties: + byPod: + description: 'INSERT ADDITIONAL STATUS FIELD - define observed state of cluster Important: Run "make" to regenerate code after modifying this file' + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. 
+ type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + description: AssignMetadata is the Schema for the assignmetadata API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AssignMetadataSpec defines the desired state of AssignMetadata. + properties: + location: + type: string + match: + description: Match selects objects to apply mutations to. + properties: + excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' 
+ items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + type: string + type: object + parameters: + properties: + assign: + description: Assign.value holds the value to be assigned + properties: + externalData: + description: ExternalData describes the external data provider to be used for mutation. + properties: + dataSource: + default: ValueAtLocation + description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + enum: + - ValueAtLocation + - Username + type: string + default: + description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". 
+ type: string + failurePolicy: + default: Fail + description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + enum: + - UseDefault + - Ignore + - Fail + type: string + provider: + description: Provider is the name of the external data provider. + type: string + type: object + fromMetadata: + description: FromMetadata assigns a value from the specified metadata field. + properties: + field: + description: Field specifies which metadata field provides the assigned value. Valid fields are `namespace` and `name`. + type: string + type: object + value: + description: Value is a constant value that will be assigned to `location` + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: object + status: + description: AssignMetadataStatus defines the observed state of AssignMetadata. + properties: + byPod: + description: 'INSERT ADDITIONAL STATUS FIELD - define observed state of cluster Important: Run "make" to regenerate code after modifying this file' + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. 
+ type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/crd-manifest/config-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/crd-manifest/config-customresourcedefinition.yaml new file mode 100644 index 000000000..b88014158 --- /dev/null +++ b/charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/crd-manifest/config-customresourcedefinition.yaml 
@@ -0,0 +1,105 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + labels: + gatekeeper.sh/system: "yes" + name: configs.config.gatekeeper.sh +spec: + group: config.gatekeeper.sh + names: + kind: Config + listKind: ConfigList + plural: configs + singular: config + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Config is the Schema for the configs API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ConfigSpec defines the desired state of Config. + properties: + match: + description: Configuration for namespace exclusion + items: + properties: + excludedNamespaces: + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' 
+ pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + processes: + items: + type: string + type: array + type: object + type: array + readiness: + description: Configuration for readiness tracker + properties: + statsEnabled: + type: boolean + type: object + sync: + description: Configuration for syncing k8s objects + properties: + syncOnly: + description: If non-empty, only entries on this list will be replicated into OPA + items: + properties: + group: + type: string + kind: + type: string + version: + type: string + type: object + type: array + type: object + validation: + description: Configuration for validation + properties: + traces: + description: List of requests to trace. Both "user" and "kinds" must be specified + items: + properties: + dump: + description: Also dump the state of OPA with the trace. Set to `All` to dump everything. + type: string + kind: + description: Only trace requests of the following GroupVersionKind + properties: + group: + type: string + kind: + type: string + version: + type: string + type: object + user: + description: Only trace requests from the specified user + type: string + type: object + type: array + type: object + type: object + status: + description: ConfigStatus defines the observed state of Config. + type: object + type: object + served: true + storage: true diff --git a/charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/crd-manifest/constraintpodstatus-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/crd-manifest/constraintpodstatus-customresourcedefinition.yaml new file mode 100644 index 000000000..fcc0a9e00 --- /dev/null +++ b/charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/crd-manifest/constraintpodstatus-customresourcedefinition.yaml 
@@ -0,0 +1,67 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + labels: + gatekeeper.sh/system: "yes" + name: constraintpodstatuses.status.gatekeeper.sh +spec: + group: status.gatekeeper.sh + names: + kind: ConstraintPodStatus + listKind: ConstraintPodStatusList + plural: constraintpodstatuses + singular: constraintpodstatus + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: ConstraintPodStatus is the Schema for the constraintpodstatuses API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + status: + description: ConstraintPodStatusStatus defines the observed state of ConstraintPodStatus. + properties: + constraintUID: + description: Storing the constraint UID allows us to detect drift, such as when a constraint has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + enforced: + type: boolean + errors: + items: + description: Error represents a single error caught while adding a constraint to OPA. 
+ properties: + code: + type: string + location: + type: string + message: + type: string + required: + - code + - message + type: object + type: array + id: + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: object + served: true + storage: true diff --git a/charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/crd-manifest/constrainttemplate-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/crd-manifest/constrainttemplate-customresourcedefinition.yaml new file mode 100644 index 000000000..86a28ff45 --- /dev/null +++ b/charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/crd-manifest/constrainttemplate-customresourcedefinition.yaml 
@@ -0,0 +1,303 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + labels: + gatekeeper.sh/system: "yes" + name: constrainttemplates.templates.gatekeeper.sh +spec: + group: templates.gatekeeper.sh + names: + kind: ConstraintTemplate + listKind: ConstraintTemplateList + plural: constrainttemplates + singular: constrainttemplate + preserveUnknownFields: false + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: ConstraintTemplate is the Schema for the constrainttemplates API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ConstraintTemplateSpec defines the desired state of ConstraintTemplate. 
+ properties: + crd: + properties: + spec: + properties: + names: + properties: + kind: + type: string + shortNames: + items: + type: string + type: array + type: object + validation: + default: + legacySchema: false + properties: + legacySchema: + default: false + type: boolean + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: object + targets: + items: + properties: + libs: + items: + type: string + type: array + rego: + type: string + target: + type: string + type: object + type: array + type: object + status: + description: ConstraintTemplateStatus defines the observed state of ConstraintTemplate. + properties: + byPod: + items: + description: ByPodStatus defines the observed state of ConstraintTemplate as seen by an individual controller + properties: + errors: + items: + description: CreateCRDError represents a single error caught during parsing, compiling, etc. + properties: + code: + type: string + location: + type: string + message: + type: string + required: + - code + - message + type: object + type: array + id: + description: a unique identifier for the pod that wrote the status + type: string + observedGeneration: + format: int64 + type: integer + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + created: + type: boolean + type: object + type: object + served: true + storage: true + subresources: + status: {} + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ConstraintTemplate is the Schema for the constrainttemplates API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ConstraintTemplateSpec defines the desired state of ConstraintTemplate. + properties: + crd: + properties: + spec: + properties: + names: + properties: + kind: + type: string + shortNames: + items: + type: string + type: array + type: object + validation: + default: + legacySchema: true + properties: + legacySchema: + default: true + type: boolean + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: object + targets: + items: + properties: + libs: + items: + type: string + type: array + rego: + type: string + target: + type: string + type: object + type: array + type: object + status: + description: ConstraintTemplateStatus defines the observed state of ConstraintTemplate. + properties: + byPod: + items: + description: ByPodStatus defines the observed state of ConstraintTemplate as seen by an individual controller + properties: + errors: + items: + description: CreateCRDError represents a single error caught during parsing, compiling, etc. 
+ properties: + code: + type: string + location: + type: string + message: + type: string + required: + - code + - message + type: object + type: array + id: + description: a unique identifier for the pod that wrote the status + type: string + observedGeneration: + format: int64 + type: integer + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + created: + type: boolean + type: object + type: object + served: true + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + description: ConstraintTemplate is the Schema for the constrainttemplates API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ConstraintTemplateSpec defines the desired state of ConstraintTemplate. 
+ properties: + crd: + properties: + spec: + properties: + names: + properties: + kind: + type: string + shortNames: + items: + type: string + type: array + type: object + validation: + default: + legacySchema: true + properties: + legacySchema: + default: true + type: boolean + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: object + targets: + items: + properties: + libs: + items: + type: string + type: array + rego: + type: string + target: + type: string + type: object + type: array + type: object + status: + description: ConstraintTemplateStatus defines the observed state of ConstraintTemplate. + properties: + byPod: + items: + description: ByPodStatus defines the observed state of ConstraintTemplate as seen by an individual controller + properties: + errors: + items: + description: CreateCRDError represents a single error caught during parsing, compiling, etc. + properties: + code: + type: string + location: + type: string + message: + type: string + required: + - code + - message + type: object + type: array + id: + description: a unique identifier for the pod that wrote the status + type: string + observedGeneration: + format: int64 + type: integer + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + created: + type: boolean + type: object + type: object + served: true + storage: false + subresources: + status: {} diff --git a/charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/crd-manifest/constrainttemplatepodstatus-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/crd-manifest/constrainttemplatepodstatus-customresourcedefinition.yaml new file mode 100644 index 000000000..1efe6689f --- /dev/null +++ b/charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/crd-manifest/constrainttemplatepodstatus-customresourcedefinition.yaml 
@@ -0,0 +1,66 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + labels: + gatekeeper.sh/system: "yes" + name: constrainttemplatepodstatuses.status.gatekeeper.sh +spec: + group: status.gatekeeper.sh + names: + kind: ConstraintTemplatePodStatus + listKind: ConstraintTemplatePodStatusList + plural: constrainttemplatepodstatuses + singular: constrainttemplatepodstatus + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: ConstraintTemplatePodStatus is the Schema for the constrainttemplatepodstatuses API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + status: + description: ConstraintTemplatePodStatusStatus defines the observed state of ConstraintTemplatePodStatus. + properties: + errors: + items: + description: CreateCRDError represents a single error caught during parsing, compiling, etc. 
+ properties: + code: + type: string + location: + type: string + message: + type: string + required: + - code + - message + type: object + type: array + id: + description: 'Important: Run "make" to regenerate code after modifying this file' + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + templateUID: + description: UID is a type that holds unique ID values, including UUIDs. Because we don't ONLY use UUIDs, this is an alias to string. Being a type captures intent and helps make sure that UIDs and names do not get conflated. + type: string + type: object + type: object + served: true + storage: true diff --git a/charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/crd-manifest/modifyset-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/crd-manifest/modifyset-customresourcedefinition.yaml new file mode 100644 index 000000000..b2a831a9e --- /dev/null +++ b/charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/crd-manifest/modifyset-customresourcedefinition.yaml 
@@ -0,0 +1,450 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + labels: + gatekeeper.sh/system: "yes" + name: modifyset.mutations.gatekeeper.sh +spec: + group: mutations.gatekeeper.sh + names: + kind: ModifySet + listKind: ModifySetList + plural: modifyset + singular: modifyset + preserveUnknownFields: false + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ModifySet allows the user to modify non-keyed lists, such as the list of arguments to a container. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + properties: + name: + maxLength: 63 + type: string + type: object + spec: + description: ModifySetSpec defines the desired state of ModifySet. + properties: + applyTo: + description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + items: + description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. 
+ properties: + groups: + items: + type: string + type: array + kinds: + items: + type: string + type: array + versions: + items: + type: string + type: array + type: object + type: array + location: + description: 'Location describes the path to be mutated, for example: `spec.containers[name: main].args`.' + type: string + match: + description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + properties: + excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. 
These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' 
+ pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. 
Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + type: string + type: object + parameters: + description: Parameters define the behavior of the mutator. + properties: + operation: + default: merge + description: Operation describes whether values should be merged in ("merge"), or pruned ("prune"). Default value is "merge" + enum: + - merge + - prune + type: string + pathTests: + description: PathTests are a series of existence tests that can be checked before a mutation is applied + items: + description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + properties: + condition: + description: Condition describes whether the path either MustExist or MustNotExist in the original object + enum: + - MustExist + - MustNotExist + type: string + subPath: + type: string + type: object + type: array + values: + description: Values describes the values provided to the operation as `values.fromList`. + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + status: + description: ModifySetStatus defines the observed state of ModifySet. 
+ properties: + byPod: + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + description: ModifySet allows the user to modify non-keyed lists, such as the list of arguments to a container. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ModifySetSpec defines the desired state of ModifySet. 
+ properties: + applyTo: + description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + items: + description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + properties: + groups: + items: + type: string + type: array + kinds: + items: + type: string + type: array + versions: + items: + type: string + type: array + type: object + type: array + location: + description: 'Location describes the path to be mutated, for example: `spec.containers[name: main].args`.' + type: string + match: + description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + properties: + excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. 
'*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. 
Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. 
For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + type: string + type: object + parameters: + description: Parameters define the behavior of the mutator. + properties: + operation: + default: merge + description: Operation describes whether values should be merged in ("merge"), or pruned ("prune"). Default value is "merge" + enum: + - merge + - prune + type: string + pathTests: + description: PathTests are a series of existence tests that can be checked before a mutation is applied + items: + description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + properties: + condition: + description: Condition describes whether the path either MustExist or MustNotExist in the original object + enum: + - MustExist + - MustNotExist + type: string + subPath: + type: string + type: object + type: array + values: + description: Values describes the values provided to the operation as `values.fromList`. 
+ type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + status: + description: ModifySetStatus defines the observed state of ModifySet. + properties: + byPod: + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/crd-manifest/mutatorpodstatus-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/crd-manifest/mutatorpodstatus-customresourcedefinition.yaml new file mode 100644 index 000000000..f6fd581ff --- /dev/null +++ b/charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/crd-manifest/mutatorpodstatus-customresourcedefinition.yaml 
@@ -0,0 +1,65 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + labels: + gatekeeper.sh/system: "yes" + name: mutatorpodstatuses.status.gatekeeper.sh +spec: + group: status.gatekeeper.sh + names: + kind: MutatorPodStatus + listKind: MutatorPodStatusList + plural: mutatorpodstatuses + singular: mutatorpodstatus + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: MutatorPodStatus is the Schema for the mutationpodstatuses API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + status: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. 
+ type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: object + served: true + storage: true diff --git a/charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/crd-manifest/provider-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/crd-manifest/provider-customresourcedefinition.yaml new file mode 100644 index 000000000..76ec5c4f2 --- /dev/null +++ b/charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/crd-manifest/provider-customresourcedefinition.yaml 
@@ -0,0 +1,50 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + labels: + gatekeeper.sh/system: "yes" + name: providers.externaldata.gatekeeper.sh +spec: + group: externaldata.gatekeeper.sh + names: + kind: Provider + listKind: ProviderList + plural: providers + singular: provider + preserveUnknownFields: false + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Provider is the Schema for the Provider API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the Provider specifications. + properties: + caBundle: + description: CABundle is a base64-encoded string that contains the TLS CA bundle in PEM format. It is used to verify the signature of the provider's certificate. + type: string + insecureTLSSkipVerify: + description: InsecureTLSSkipVerify skips the verification of Provider's certificate if enabled. + type: boolean + timeout: + description: Timeout is the timeout when querying the provider. + type: integer + url: + description: URL is the url for the provider. URL is prefixed with http:// or https://. + type: string + type: object + type: object + served: true + storage: true 
diff --git a/charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/templates/_helpers.tpl b/charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/templates/_helpers.tpl
new file mode 100644
index 000000000..6a89079bc
--- /dev/null
+++ b/charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/templates/_helpers.tpl
@@ -0,0 +1,22 @@
+# Rancher
+
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Windows cluster will add default taint for linux nodes,
+add below linux tolerations to workloads could be scheduled to those linux nodes
+*/}}
+{{- define "linux-node-tolerations" -}}
+- key: "cattle.io/os"
+ value: "linux"
+ effect: "NoSchedule"
+ operator: "Equal"
+{{- end -}}
+
+{{- define "linux-node-selector" -}}
+kubernetes.io/os: linux
+{{- end -}}
diff --git a/charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/templates/jobs.yaml b/charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/templates/jobs.yaml
new file mode 100644
index 000000000..671d11f8c
--- /dev/null
+++ b/charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/templates/jobs.yaml
@@ -0,0 +1,108 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ .Chart.Name }}-create
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ .Chart.Name }}
+ annotations:
+ "helm.sh/hook": post-install, post-upgrade, post-rollback
+ "helm.sh/hook-delete-policy": hook-succeeded
+spec:
+ template:
+ metadata:
+ name: {{ .Chart.Name }}-create
+ labels:
+ app: {{ .Chart.Name }}
+ spec:
+ serviceAccountName: {{ .Chart.Name }}-manager
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+{{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+{{- if .Values.tolerations }}
+{{ toYaml .Values.tolerations | indent 8 }}
+{{- end }}
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1000
+ containers:
+ - name: create-crds
+ image: {{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}
+ imagePullPolicy: IfNotPresent
+ command:
+ - /bin/kubectl
+ - apply
+ - -f
+ - /etc/config/crd-manifest.yaml
+ volumeMounts:
+ - name: crd-manifest
+ readOnly: true
+ mountPath: /etc/config
+ restartPolicy: OnFailure
+ volumes:
+ - name: crd-manifest
+ configMap:
+ name: {{ .Chart.Name }}-manifest
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ .Chart.Name }}-delete
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ .Chart.Name }}
+ annotations:
+ "helm.sh/hook": pre-delete
+ "helm.sh/hook-delete-policy": hook-succeeded
+spec:
+ template:
+ metadata:
+ name: {{ .Chart.Name }}-delete
+ labels:
+ app: {{ .Chart.Name }}
+ spec:
+ serviceAccountName: {{ .Chart.Name }}-manager
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+{{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+{{- if .Values.tolerations }}
+{{ toYaml .Values.tolerations | indent 8 }}
+{{- end }}
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1000
+ initContainers:
+ - name: remove-finalizers
+ image: {{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}
+ imagePullPolicy: IfNotPresent
+ command:
+ - /bin/kubectl
+ - apply
+ - -f
+ - /etc/config/crd-manifest.yaml
+ volumeMounts:
+ - name: crd-manifest
+ readOnly: true
+ mountPath: /etc/config
+ containers:
+ - name: delete-crds
+ image: {{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}
+ imagePullPolicy: IfNotPresent
+ command:
+ - /bin/kubectl
+ - delete
+ - -f
+ - /etc/config/crd-manifest.yaml
+ volumeMounts:
+ - name: crd-manifest
+ readOnly: true
+ mountPath: /etc/config
+ restartPolicy: OnFailure
+ volumes:
+ - name: crd-manifest
+ configMap:
+ name: {{ .Chart.Name }}-manifest
diff --git a/charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/templates/manifest.yaml b/charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/templates/manifest.yaml
new file mode 100644
index 000000000..31016b6ef
--- /dev/null
+++ b/charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/templates/manifest.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ .Chart.Name }}-manifest
+ namespace: {{ .Release.Namespace }}
+data:
+ crd-manifest.yaml: |
+ {{- $currentScope := . -}}
+ {{- $crds := (.Files.Glob "crd-manifest/**.yaml") -}}
+ {{- range $path, $_ := $crds -}}
+ {{- with $currentScope -}}
+ {{ .Files.Get $path | nindent 4 }}
+ ---
+ {{- end -}}{{- end -}}
diff --git a/charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/templates/rbac.yaml b/charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/templates/rbac.yaml
new file mode 100644
index 000000000..bdda1ddad
--- /dev/null
+++ b/charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/templates/rbac.yaml
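Review bot: The pre-delete job's init container is named `remove-finalizers`, but its command is `kubectl apply -f /etc/config/crd-manifest.yaml`, identical to the create job, so nothing in this hook removes finalizers; either rename the container to what it does (re-applying the CRDs so the following `delete` has objects to act on) or add the finalizer handling the name promises, and record the intent in a comment above `initContainers:`. Separately, both jobs carry only a pod-level `securityContext` (`runAsNonRoot: true`, `runAsUser: 1000`); each kubectl container should also set `securityContext: {allowPrivilegeEscalation: false, readOnlyRootFilesystem: true, capabilities: {drop: [ALL]}}` so the hardening does not depend on the PodSecurityPolicy in rbac.yaml being enforced. The manifest.yaml hunk on the same line looks fine as written.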
@@ -0,0 +1,72 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ .Chart.Name }}-manager
+ labels:
+ app: {{ .Chart.Name }}-manager
+rules:
+- apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs: ['create', 'get', 'patch', 'delete']
+- apiGroups: ['policy']
+ resources: ['podsecuritypolicies']
+ verbs: ['use']
+ resourceNames:
+ - {{ .Chart.Name }}-manager
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ .Chart.Name }}-manager
+ labels:
+ app: {{ .Chart.Name }}-manager
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ .Chart.Name }}-manager
+subjects:
+- kind: ServiceAccount
+ name: {{ .Chart.Name }}-manager
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Chart.Name }}-manager
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ .Chart.Name }}-manager
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: {{ .Chart.Name }}-manager
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ .Chart.Name }}-manager
+spec:
+ privileged: false
+ allowPrivilegeEscalation: false
+ hostNetwork: false
+ hostIPC: false
+ hostPID: false
+ runAsUser:
+ rule: 'MustRunAsNonRoot'
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 1
+ max: 65535
+ fsGroup:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 1
+ max: 65535
+ readOnlyRootFilesystem: false
+ volumes:
+ - 'configMap'
+ - 'secret'
diff --git a/charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/values.yaml b/charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/values.yaml
new file mode 100644
index 000000000..657ccacf8
--- /dev/null
+++ b/charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/values.yaml
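Review bot: The `{{ .Chart.Name }}-manager` ClusterRole grants `get`/`patch`/`delete` on every CustomResourceDefinition in the cluster, while the Jobs bound to it only ever touch the CRDs contained in `crd-manifest.yaml`; a compromised or misbehaving hook pod could therefore delete unrelated CRDs and, by cascade, all of their objects. RBAC `resourceNames` cannot constrain `create` (the name is not known at authorization time), but the other three verbs can be name-scoped, so split the rule as below and list the CRD names shipped under `crd-manifest/` (not visible in this chunk). The PodSecurityPolicy here is also rendered unconditionally with `apiVersion: policy/v1beta1`, whereas the main chart gates its PSP on `.Values.psp.enabled`; the same guard would keep the CRD chart installable on clusters where the PSP API is disabled. The `namespace:` key on the PodSecurityPolicy metadata has no effect on a cluster-scoped kind and is better dropped.

```yaml
rules:
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs: ['create']
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs: ['get', 'patch', 'delete']
  resourceNames:
  # one entry per CRD name defined under crd-manifest/ (placeholder below)
  - <crd-name>
# … unchanged: podsecuritypolicies 'use' rule, ClusterRoleBinding, ServiceAccount, PodSecurityPolicy …
```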
@@ -0,0 +1,11 @@
+# Default values for rancher-gatekeeper-crd.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+global:
+ cattle:
+ systemDefaultRegistry: ""
+
+image:
+ repository: rancher/kubectl
+ tag: v1.20.2
diff --git a/charts/rancher-gatekeeper/101.0.0+up3.9.0/.helmignore b/charts/rancher-gatekeeper/101.0.0+up3.9.0/.helmignore
new file mode 100644
index 000000000..f0c131944
--- /dev/null
+++ b/charts/rancher-gatekeeper/101.0.0+up3.9.0/.helmignore
@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
diff --git a/charts/rancher-gatekeeper/101.0.0+up3.9.0/CHANGELOG.md b/charts/rancher-gatekeeper/101.0.0+up3.9.0/CHANGELOG.md
new file mode 100644
index 000000000..c68d23c24
--- /dev/null
+++ b/charts/rancher-gatekeeper/101.0.0+up3.9.0/CHANGELOG.md
@@ -0,0 +1,15 @@
+# Changelog
+All notable changes from the upstream OPA Gatekeeper chart will be added to this file
+
+## [Package Version 00] - 2020-09-10
+### Added
+- Enabled the CRD chart generator in `package.yaml`
+
+### Modified
+- Updated namespace to `cattle-gatekeeper-system`
+- Updated for Helm 3 compatibility
+ - Moved crds to `crds` directory
+ - Removed `crd-install` hooks and templates from crds
+
+### Removed
+- Removed `gatekeeper-system-namespace.yaml` as Rancher handles namespaces for chart installation
diff --git a/charts/rancher-gatekeeper/101.0.0+up3.9.0/Chart.yaml b/charts/rancher-gatekeeper/101.0.0+up3.9.0/Chart.yaml
new file mode 100644
index 000000000..f7b7a564f
--- /dev/null
+++ b/charts/rancher-gatekeeper/101.0.0+up3.9.0/Chart.yaml
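Review bot: `image.tag: v1.20.2` pins the kubectl that the CRD create/delete hooks run to a release line four minors behind the newest Kubernetes this package targets (the main chart's Chart.yaml in this same patch declares `catalog.cattle.io/kube-version: '>= 1.20.0-0 < 1.25.0-0'`), which is outside kubectl's documented one-minor-version skew policy. It presumably works today because `apiextensions.k8s.io/v1` is stable across that range, but it is a client from a release line that has reached end of life, so it no longer receives security fixes, and nothing here ties it to the kube-version ceiling as that moves. Bump the tag to one within the supported skew of the targeted kube-version range, or at minimum record the constraint next to it: `tag: v1.20.2  # TODO: keep within one minor of catalog.cattle.io/kube-version`.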
@@ -0,0 +1,26 @@
+annotations:
+ catalog.cattle.io/auto-install: rancher-gatekeeper-crd=match
+ catalog.cattle.io/certified: rancher
+ catalog.cattle.io/display-name: OPA Gatekeeper
+ catalog.cattle.io/kube-version: '>= 1.20.0-0 < 1.25.0-0'
+ catalog.cattle.io/namespace: cattle-gatekeeper-system
+ catalog.cattle.io/os: linux
+ catalog.cattle.io/permits-os: linux,windows
+ catalog.cattle.io/provides-gvr: config.gatekeeper.sh.config/v1alpha1
+ catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0'
+ catalog.cattle.io/release-name: rancher-gatekeeper
+ catalog.cattle.io/type: cluster-tool
+ catalog.cattle.io/ui-component: gatekeeper
+apiVersion: v2
+appVersion: v3.9.0
+description: Modifies Open Policy Agent's upstream gatekeeper chart that provides
+ policy-based control for cloud native environments
+home: https://github.com/open-policy-agent/gatekeeper
+icon: https://charts.rancher.io/assets/logos/gatekeeper.svg
+keywords:
+- open policy agent
+- security
+name: rancher-gatekeeper
+sources:
+- https://github.com/open-policy-agent/gatekeeper.git
+version: 101.0.0+up3.9.0
diff --git a/charts/rancher-gatekeeper/101.0.0+up3.9.0/README.md b/charts/rancher-gatekeeper/101.0.0+up3.9.0/README.md
new file mode 100644
index 000000000..07792eb39
--- /dev/null
+++ b/charts/rancher-gatekeeper/101.0.0+up3.9.0/README.md
@@ -0,0 +1,167 @@ +# Gatekeeper Helm Chart + +## Get Repo Info + +```console +helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Install Chart + +```console +# Helm install with gatekeeper-system namespace already created +$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper + +# Helm install and create namespace +$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper --create-namespace + +``` + +_See [parameters](#parameters) below._ + +_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._ + +## Upgrade Chart + +**Upgrading from < v3.4.0** +Chart 3.4.0 deprecates support for Helm 2 and also removes the creation of the `gatekeeper-system` Namespace from within the chart. This follows Helm 3 Best Practices. + +Option 1: +A simple way to upgrade is to uninstall first and re-install with 3.4.0 or greater. + +```console +$ helm uninstall gatekeeper +$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper --create-namespace + +``` + +Option 2: +Run the `helm_migrate.sh` script before installing the 3.4.0 or greater chart. This will remove the Helm secret for the original release, while keeping all of the resources. It then updates the annotations of the resources so that the new chart can import and manage them. 
+ +```console +$ helm_migrate.sh +$ helm install -n gatekeeper-system gatekeeper gatekeeper/gatekeeper +``` + +**Upgrading from >= v3.4.0** +```console +$ helm upgrade -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper +``` + +_See [helm 2 to 3](https://helm.sh/docs/topics/v2_v3_migration/) for Helm 2 migration documentation._ + + +## Exempting Namespace + +The Helm chart automatically sets the Gatekeeper flag `--exempt-namespace={{ .Release.Namespace }}` in order to exempt the namespace where the chart is installed, and adds the `admission.gatekeeper.sh/ignore` label to the namespace during a post-install hook. + +_See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/website/docs/exempt-namespaces) for more information._ + +## Parameters + +| Parameter | Description | Default | +| :-------------------------------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------------------------------------ | +| postInstall.labelNamespace.enabled | Add labels to the namespace during post install hooks | `true` | +| postInstall.labelNamespace.extraNamespaces | The extra namespaces that need to have the label during post upgrade hooks | `[]` | +| postInstall.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` | +| postInstall.labelNamespace.image.tag | Image tag | Current release version: `v3.9.0` | +| postInstall.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` | +| postInstall.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` | +| postInstall.labelNamespace.extraRules | Extra rules for the gatekeeper-update-namespace-label Role | `[]` | +| postInstall.probeWebhook.enabled | Probe webhook API post install. 
When enabled along with `postInstall.labelNamespace.enabled`, this probe will run as part of `postInstall.labelNamespace` Job as an initContainer | `true` | +| postInstall.probeWebhook.image.repository | Image with curl to probe the webhook API | `curlimages/curl` | +| postInstall.probeWebhook.image.tag | Image tag | `7.83.1` | +| postInstall.probeWebhook.image.pullPolicy | Image pullPolicy | `IfNotPresent` | +| postInstall.probeWebhook.image.pullSecrets | Image pullSecrets | `[]` | +| postInstall.probeWebhook.waitTimeout | Total time to wait for the webhook API to become available | `60` | +| postInstall.probeWebhook.httpTimeout | HTTP client timeout | `2` | +| postInstall.probeWebhook.insecureHTTPS | Ignore server SSL certificate | `false` | +| postInstall.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | +| postUpgrade.labelNamespace.enabled | Add labels to the namespace during post upgrade hooks | `false` | +| postUpgrade.labelNamespace.extraNamespaces | The extra namespaces that need to have the label during post upgrade hooks | `[]` | +| postUpgrade.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` | +| postUpgrade.labelNamespace.image.tag | Image tag | Current release version: `v3.9.0` | +| postUpgrade.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` | +| postUpgrade.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` +| postUpgrade.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | +| preUninstall.deleteWebhooks.enabled | Delete webhooks before gatekeeper itself is uninstalled | `false` | +| 
preUninstall.deleteWebhooks.image.repository | Image with kubectl to delete the webhooks | `openpolicyagent/gatekeeper-crds` | +| preUninstall.deleteWebhooks.image.tag | Image tag | Current release version: `v3.9.0` | +| preUninstall.deleteWebhooks.image.pullPolicy | Image pullPolicy | `IfNotPresent` | +| preUninstall.deleteWebhooks.image.pullSecrets | Image pullSecrets | `[]` | +| preUninstall.deleteWebhooks.extraRules | Extra rules for the gatekeeper-delete-webhook-configs Role | `[]` | +| preUninstall.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | +| psp.enabled | Enabled PodSecurityPolicy | `true` | +| upgradeCRDs.enabled | Upgrade CRDs using pre-install/pre-upgrade hooks | `true` | +| upgradeCRDs.extraRules | Extra rules for the gatekeeper-admin-upgrade-crds ClusterRole | `[]` | +| crds.securityContext | Security context applied to the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 65532, "runAsNonRoot": true, "runAsUser": 65532 }` | +| auditInterval | The frequency with which audit is run | `300` | +| constraintViolationsLimit | The maximum # of audit violations reported on a constraint | `20` | +| auditFromCache | Take the roster of resources to audit from the OPA cache | `false` | +| auditChunkSize | Chunk size for listing cluster resources for audit (alpha feature) | `0` | +| auditMatchKindOnly | Only check resources of the kinds specified in all constraints defined in the cluster. 
| `false` | +| disableValidatingWebhook | Disable the validating webhook | `false` | +| disableMutation | Disable mutation | `false` | +| validatingWebhookTimeoutSeconds | The timeout for the validating webhook in seconds | `3` | +| validatingWebhookFailurePolicy | The failurePolicy for the validating webhook | `Ignore` | +| validatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. Please note that an exemption label means users can circumvent Gatekeeper's validation webhook unless measures are taken to control how exemption labels can be set. | `{}` | +| validatingWebhookCheckIgnoreFailurePolicy | The failurePolicy for the check-ignore-label validating webhook | `Fail` | +| validatingWebhookExemptNamespacesLabels | Additional namespace labels that will be exempt from the validating webhook. Please note that anyone in the cluster capable to manage namespaces will be able to skip all Gatekeeper validation by setting one of these labels for their namespace. | `{}` | +| validatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. Mutually exclusive with `enableDeleteOperations`. NOTE: If you change this, ensure all your constraints are still being enforced. | `{}` | +| enableDeleteOperations | Enable validating webhook for delete operations. Does not work with `validatingWebhookCustomRules` | `false` | +| enableExternalData | Enable external data (alpha feature) | `false` | +| enableTLSHealthcheck | Enable probing webhook API with certificate stored in certDir | `false` | +| metricsBackends | Metrics exporters to use. 
Valid exporters are: `prometheus`, `stackdriver`, and `opencensus` | `["prometheus"]` | +| mutatingWebhookFailurePolicy | The failurePolicy for the mutating webhook | `Ignore` | +| mutatingWebhookReinvocationPolicy | The reinvocationPolicy for the mutating webhook | `Never` | +| mutatingWebhookExemptNamespacesLabels | Additional namespace labels that will be exempt from the mutating webhook. Please note that anyone in the cluster capable to manage namespaces will be able to skip all Gatekeeper validation by setting one of these labels for their namespace. | `{}` | +| mutatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. Please note that an exemption label means users can circumvent Gatekeeper's mutation webhook unless measures are taken to control how exemption labels can be set. | `{}` | +| mutatingWebhookTimeoutSeconds | The timeout for the mutating webhook in seconds | `3` | +| mutatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. NOTE: If you change this, ensure all your constraints are still being enforced. 
| `{}` | +| emitAdmissionEvents | Emit K8s events in gatekeeper namespace for admission violations (alpha feature) | `false` | +| emitAuditEvents | Emit K8s events in gatekeeper namespace for audit violations (alpha feature) | `false` | +| logDenies | Log detailed info on each deny | `false` | +| logLevel | Minimum log level | `INFO` | +| image.pullPolicy | The image pull policy | `IfNotPresent` | +| image.repository | Image repository | `openpolicyagent/gatekeeper` | +| image.release | The image release tag to use | Current release version: `v3.9.0` | +| image.pullSecrets | Specify an array of imagePullSecrets | `[]` | +| resources | The resource request/limits for the container image | limits: 1 CPU, 512Mi, requests: 100mCPU, 256Mi | +| nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | +| affinity | The node affinity to use for pod scheduling | `{}` | +| tolerations | The tolerations to use for pod scheduling | `[]` | +| controllerManager.healthPort | Health port for controller manager | `9090` | +| controllerManager.port | Webhook-server port for controller manager | `8443` | +| controllerManager.metricsPort | Metrics port for controller manager | `8888` | +| controllerManager.priorityClassName | Priority class name for controller manager | `system-cluster-critical` | +| controllerManager.podSecurityContext | Security context on pod level for controller manager | {fsGroup: 999, suplementalGroups: [999]} | +| controllerManager.exemptNamespaces | The exact namespaces to exempt by the admission webhook | `[]` | +| controllerManager.exemptNamespacePrefixes | The namespace prefixes to exempt by the admission webhook | `[]` | +| controllerManager.hostNetwork | Enables controllerManager to be deployed on hostNetwork | `false` | +| controllerManager.dnsPolicy | Set the dnsPolicy for controllerManager pods | `ClusterFirst` | +| controllerManager.securityContext | Security context applied on the container | `{ 
"allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | +| controllerManager.extraRules | Extra rules for the gatekeeper-manager-role Role | `[]` | +| audit.priorityClassName | Priority class name for audit controller | `system-cluster-critical` | +| audit.podSecurityContext | Security context for audit on pod level | {fsGroup: 999, suplementalGroups: [999]} | +| audit.hostNetwork | Enables audit to be deployed on hostNetwork | `false` | +| audit.dnsPolicy | Set the dnsPolicy for audit pods | `ClusterFirst` | +| audit.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | +| audit.healthPort | Health port for audit | `9090` | +| audit.metricsPort | Metrics port for audit | `8888` | +| replicas | The number of Gatekeeper replicas to deploy for the webhook | `3` | +| podAnnotations | The annotations to add to the Gatekeeper pods | `container.seccomp.security.alpha.kubernetes.io/manager: runtime/default` | +| podLabels | The labels to add to the Gatekeeper pods | `{}` | +| podCountLimit | The maximum number of Gatekeeper pods to run | `100` | +| secretAnnotations | The annotations to add to the Gatekeeper secrets | `{}` | +| pdb.controllerManager.minAvailable | The number of controller manager pods that must still be available after an eviction | `1` | +| service.type | Service type | `ClusterIP` | +| service.loadBalancerIP | The IP address of LoadBalancer service | `` | +| service.healthzPort | Service port to gatekeeper Webhook health port | `9090` | +| rbac.create | Enable the creation of RBAC resources | `true` | + +## Contributing Changes + +Please refer to [Contributing to Helm Chart](https://open-policy-agent.github.io/gatekeeper/website/docs/help#contributing-to-helm-chart) for modifying 
the Helm chart.
diff --git a/charts/rancher-gatekeeper/101.0.0+up3.9.0/app-readme.md b/charts/rancher-gatekeeper/101.0.0+up3.9.0/app-readme.md
new file mode 100644
index 000000000..d44cf7b2b
--- /dev/null
+++ b/charts/rancher-gatekeeper/101.0.0+up3.9.0/app-readme.md
@@ -0,0 +1,14 @@
+# Rancher OPA Gatekeeper
+
+This chart is based off of the upstream [OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper/tree/master/charts/gatekeeper) chart.
+
+For more information on how to use the feature, refer to our [docs](https://rancher.com/docs/rancher/v2.x/en/opa-gatekeper/).
+
+The chart installs the following components:
+
+- OPA Gatekeeper Controller-Manager - OPA Gatekeeper is a policy engine for providing policy based governance for Kubernetes clusters. The controller installs as a [validating admission controller webhook](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#validatingadmissionwebhook) on the cluster and intercepts all admission requests that create, update or delete a resource in the cluster.
+- [Audit](https://github.com/open-policy-agent/gatekeeper#audit) - A periodic audit of the cluster resources against the enforced policies. Any existing resource that violates a policy will be recorded as violations.
+- [Constraint Template](https://github.com/open-policy-agent/gatekeeper#constraint-templates) - A template is a CRD (`ConstraintTemplate`) that defines the schema and Rego logic of a policy to be applied to the cluster by Gatekeeper's admission controller webhook. This chart installs a few default `ConstraintTemplate` custom resources.
+- [Constraint](https://github.com/open-policy-agent/gatekeeper#constraints) - A constraint is a custom resource that defines the scope of resources which a specific constraint template should apply to. The complete policy is defined by a combination of `ConstraintTemplates` (i.e. what the policy is) and `Constraints` (i.e. what resource to apply the policy to).
+
+For more information on how to configure the Helm chart, refer to the Helm README.
diff --git a/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/_helpers.tpl b/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/_helpers.tpl
new file mode 100644
index 000000000..b05c7fcd9
--- /dev/null
+++ b/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/_helpers.tpl
@@ -0,0 +1,105 @@ + +{{/* +Expand the name of the chart. +*/}} +{{- define "gatekeeper.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "gatekeeper.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "gatekeeper.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Adds additional pod labels to the common ones +*/}} +{{- define "gatekeeper.podLabels" -}} +{{- if .Values.podLabels }} +{{- toYaml .Values.podLabels | nindent 8 }} +{{- end }} +{{- end -}} + +{{- define "system_default_registry" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} +{{- else -}} +{{- "" -}} +{{- end -}} +{{- end -}} + +{{/* +Windows cluster will add default taint for linux nodes, +add below linux tolerations to workloads could be scheduled to those linux nodes +*/}} +{{- define "linux-node-tolerations" -}} +- key: "cattle.io/os" + value: "linux" + effect: "NoSchedule" + operator: "Equal" +{{- end -}} + +{{- define "linux-node-selector" -}} +kubernetes.io/os: linux +{{- end -}} + +{{/* +Output post install webhook probe container entry +*/}} +{{- define "gatekeeper.postInstallWebhookProbeContainer" -}} +- name: 
webhook-probe-post + image: "{{ template "system_default_registry" . }}{{ .Values.postInstall.probeWebhook.image.repository }}:{{ .Values.postInstall.probeWebhook.image.tag }}" + imagePullPolicy: {{ .Values.postInstall.probeWebhook.image.pullPolicy }} + args: + - "--retry" + - "99999" + - "--retry-max-time" + - "{{ .Values.postInstall.probeWebhook.waitTimeout }}" + - "--retry-delay" + - "1" + - "--max-time" + - "{{ .Values.postInstall.probeWebhook.httpTimeout }}" + {{- if .Values.postInstall.probeWebhook.insecureHTTPS }} + - "--insecure" + {{- else }} + - "--cacert" + - /certs/ca.crt + {{- end }} + - "-v" + - "https://gatekeeper-webhook-service.{{ .Release.Namespace }}.svc/v1/admitlabel?timeout=2s" + securityContext: + {{- toYaml .Values.postInstall.securityContext | nindent 4 }} + volumeMounts: + - mountPath: /certs + name: cert + readOnly: true +{{- end -}} + +{{/* +Output post install webhook probe volume entry +*/}} +{{- define "gatekeeper.postInstallWebhookProbeVolume" -}} +- name: cert + secret: + secretName: gatekeeper-webhook-server-cert +{{- end -}} diff --git a/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/allowedrepos.yaml b/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/allowedrepos.yaml new file mode 100644 index 000000000..9abb84ecb --- /dev/null +++ b/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/allowedrepos.yaml 
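Review bot: The `gatekeeper.postInstallWebhookProbeContainer` helper relies on curl's `--retry`, which only retries what curl classes as transient (timeouts and HTTP 408/429/5xx); a refused connection, which is what a Service with no ready endpoints typically produces while the webhook pods are still starting, makes curl exit immediately with code 7 and the `--retry-max-time` budget is never used, so readiness is only covered if the enclosing Job's pod backoff happens to retry. Both `--retry-connrefused` (curl >= 7.52) and `--retry-all-errors` (>= 7.71) are available in the default probe image tag listed in this patch's README (`7.83.1`); add `- "--retry-all-errors"` to the args list so the one-second retry loop covers the startup window. The `insecureHTTPS` branch deserves a template comment because it disables server-certificate verification for the probe, e.g. `{{/* insecureHTTPS skips server-cert verification for this probe only; the default pins the chart's own CA from gatekeeper-webhook-server-cert */}}`. Keep `--cacert /certs/ca.crt` as the default, which is the correct choice here.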
@@ -0,0 +1,35 @@
+apiVersion: templates.gatekeeper.sh/v1beta1
+kind: ConstraintTemplate
+metadata:
+ name: k8sallowedrepos
+spec:
+ crd:
+ spec:
+ names:
+ kind: K8sAllowedRepos
+ validation:
+ # Schema for the `parameters` field
+ openAPIV3Schema:
+ properties:
+ repos:
+ type: array
+ items:
+ type: string
+ targets:
+ - target: admission.k8s.gatekeeper.sh
+ rego: |
+ package k8sallowedrepos
+
+ violation[{"msg": msg}] {
+ container := input.review.object.spec.containers[_]
+ satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
+ not any(satisfied)
+ msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
+ }
+
+ violation[{"msg": msg}] {
+ container := input.review.object.spec.initContainers[_]
+ satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
+ not any(satisfied)
+ msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
+ }
diff --git a/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-admin-podsecuritypolicy.yaml b/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-admin-podsecuritypolicy.yaml
new file mode 100644
index 000000000..eee2ac964
--- /dev/null
+++ b/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-admin-podsecuritypolicy.yaml
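Review bot: The `k8sallowedrepos` template only inspects `spec.containers` and `spec.initContainers`, so an ephemeral container added with `kubectl debug` can run an image from any registry and bypass the policy; add a third rule over `spec.ephemeralContainers` as below, which takes effect provided the ValidatingWebhookConfiguration (not in this chunk) also matches the `pods/ephemeralcontainers` subresource. Separately, `startswith(container.image, repo)` is a plain prefix test, so a Constraint listing `myregistry.io` without a trailing slash also admits images from `myregistry.io.attacker.example/`; record that on the schema with `description: "Allowed image prefixes; end each entry with '/' to match a registry or path exactly"` under `repos`.

```yaml
      # … unchanged: package declaration, containers and initContainers rules …
      violation[{"msg": msg}] {
        container := input.review.object.spec.ephemeralContainers[_]
        satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
        not any(satisfied)
        msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
      }
```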
@@ -0,0 +1,38 @@
+{{- if .Values.psp.enabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ annotations:
+ seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
+ labels:
+ app: '{{ template "gatekeeper.name" . }}'
+ chart: '{{ template "gatekeeper.name" . }}'
+ gatekeeper.sh/system: "yes"
+ heritage: '{{ .Release.Service }}'
+ release: '{{ .Release.Name }}'
+ name: gatekeeper-admin
+spec:
+ allowPrivilegeEscalation: false
+ fsGroup:
+ ranges:
+ - max: 65535
+ min: 1
+ rule: MustRunAs
+ requiredDropCapabilities:
+ - ALL
+ runAsUser:
+ rule: MustRunAsNonRoot
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ ranges:
+ - max: 65535
+ min: 1
+ rule: MustRunAs
+ volumes:
+ - configMap
+ - projected
+ - secret
+ - downwardAPI
+ - emptyDir
+{{- end }}
diff --git a/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-admin-serviceaccount.yaml b/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-admin-serviceaccount.yaml
new file mode 100644
index 000000000..4b68998cb
--- /dev/null
+++ b/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-admin-serviceaccount.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app: '{{ template "gatekeeper.name" . }}'
+ chart: '{{ template "gatekeeper.name" . }}'
+ gatekeeper.sh/system: "yes"
+ heritage: '{{ .Release.Service }}'
+ release: '{{ .Release.Name }}'
+ name: gatekeeper-admin
+ namespace: '{{ .Release.Namespace }}'
diff --git a/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-audit-deployment.yaml b/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-audit-deployment.yaml
new file mode 100644
index 000000000..1ca5a470c
--- /dev/null
+++ b/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-audit-deployment.yaml
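Review bot: `seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'` on the `gatekeeper-admin` PodSecurityPolicy permits any seccomp profile, including `unconfined`, even though the chart's own pods only ask for `runtime/default` (the default `podAnnotations` in this patch's README and the `enableRuntimeDefaultSeccompProfile` branch in the deployments). Assuming this PSP is bound only to the chart's service account, tighten the annotation to what is actually used: `seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default,docker/default'`. If the `readOnlyRootFilesystem: true` that the container securityContexts default to is meant to be non-negotiable, adding `readOnlyRootFilesystem: true` to the PSP spec stops a values override from relaxing it; the audit pod's writable `/tmp/audit` is a mounted emptyDir and so is unaffected. Both points only matter while `psp.enabled` is true and the PSP admission plugin is on, which the chart's kube-version ceiling still allows.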
@@ -0,0 +1,146 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + control-plane: audit-controller + gatekeeper.sh/operation: audit + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-audit + namespace: '{{ .Release.Namespace }}' +spec: + replicas: 1 + selector: + matchLabels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + control-plane: audit-controller + gatekeeper.sh/operation: audit + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + template: + metadata: + annotations: + {{- if .Values.podAnnotations }} + {{- toYaml .Values.podAnnotations | trim | nindent 8 }} + {{- end }} + labels: +{{- include "gatekeeper.podLabels" . }} + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + control-plane: audit-controller + gatekeeper.sh/operation: audit + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + spec: + affinity: + {{- toYaml .Values.audit.affinity | nindent 8 }} + automountServiceAccountToken: true + containers: + - image: '{{ template "system_default_registry" . 
}}{{ .Values.images.gatekeeper.repository }}:{{ .Values.images.gatekeeper.tag }}' + args: + - --audit-interval={{ .Values.auditInterval }} + - --log-level={{ .Values.logLevel }} + - --constraint-violations-limit={{ .Values.constraintViolationsLimit }} + - --audit-from-cache={{ .Values.auditFromCache }} + - --audit-chunk-size={{ .Values.auditChunkSize }} + - --audit-match-kind-only={{ .Values.auditMatchKindOnly }} + - --emit-audit-events={{ .Values.emitAuditEvents }} + - --operation=audit + - --operation=status + {{ if not .Values.disableMutation}}- --operation=mutation-status{{- end }} + - --logtostderr + - --health-addr=:{{ .Values.audit.healthPort }} + - --prometheus-port={{ .Values.audit.metricsPort }} + - --enable-external-data={{ .Values.enableExternalData }} + + {{- range .Values.metricsBackends}} + - --metrics-backend={{ . }} + {{- end }} + - --disable-cert-rotation={{ .Values.audit.disableCertRotation }} + command: + - /manager + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: CONTAINER_NAME + value: manager + imagePullPolicy: '{{ .Values.images.pullPolicy }}' + livenessProbe: + httpGet: + path: /healthz + port: {{ .Values.audit.healthPort }} + name: manager + ports: + - containerPort: {{ .Values.audit.metricsPort }} + name: metrics + protocol: TCP + - containerPort: {{ .Values.audit.healthPort }} + name: healthz + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: {{ .Values.audit.healthPort }} + resources: + {{- toYaml .Values.audit.resources | nindent 10 }} + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.audit.securityContext | nindent 10}} + volumeMounts: + - mountPath: /certs + name: cert + readOnly: true + - 
mountPath: /tmp/audit + name: tmp-volume + dnsPolicy: {{ .Values.audit.dnsPolicy }} + hostNetwork: {{ .Values.audit.hostNetwork }} + imagePullSecrets: + {{- toYaml .Values.images.pullSecrets | nindent 8 }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} +{{- if .Values.audit.nodeSelector }} +{{ toYaml .Values.audit.nodeSelector | indent 8 }} +{{- end }} + {{- if .Values.audit.priorityClassName }} + priorityClassName: {{ .Values.audit.priorityClassName }} + {{- end }} + securityContext: + {{- toYaml .Values.audit.podSecurityContext | nindent 8 }} + serviceAccountName: gatekeeper-admin + terminationGracePeriodSeconds: 60 + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} +{{- if .Values.audit.tolerations }} +{{ toYaml .Values.audit.tolerations | indent 8 }} +{{- end }} + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: gatekeeper-webhook-server-cert + {{- if .Values.audit.writeToRAMDisk }} + - emptyDir: + medium: Memory + {{ else }} + - emptyDir: {} + {{- end }} + name: tmp-volume diff --git a/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-controller-manager-deployment.yaml b/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-controller-manager-deployment.yaml new file mode 100644 index 000000000..5e9d940cd --- /dev/null +++ b/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-controller-manager-deployment.yaml 
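Review bot: `hostNetwork: {{ .Values.audit.hostNetwork }}` and `dnsPolicy: {{ .Values.audit.dnsPolicy }}` are set independently, so turning on `audit.hostNetwork` while `audit.dnsPolicy` keeps its documented default of `ClusterFirst` gives the pod the node's resolver and in-cluster Service names (external-data providers, an in-cluster metrics backend) stop resolving; the API server itself is typically still reachable because the in-cluster client uses the `KUBERNETES_SERVICE_HOST` IP rather than a name. Either tie the two together, `dnsPolicy: {{ .Values.audit.dnsPolicy | default (ternary "ClusterFirstWithHostNet" "ClusterFirst" .Values.audit.hostNetwork) }}` with the values default changed to empty, or add a template comment on the `dnsPolicy` line: `# NOTE: set audit.dnsPolicy=ClusterFirstWithHostNet when audit.hostNetwork=true`. A smaller point on the same hunk: the memory-backed `tmp-volume` chosen when `audit.writeToRAMDisk` is set has no `sizeLimit`, so the audit cache is bounded only by the container's memory limit; a `sizeLimit` exposed through values would make the failure mode an eviction of this pod rather than pressure on the node.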
@@ -0,0 +1,152 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + control-plane: controller-manager + gatekeeper.sh/operation: webhook + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-controller-manager + namespace: '{{ .Release.Namespace }}' +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + control-plane: controller-manager + gatekeeper.sh/operation: webhook + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + template: + metadata: + annotations: + {{- if .Values.podAnnotations }} + {{- toYaml .Values.podAnnotations | trim | nindent 8 }} + {{- end }} + labels: +{{- include "gatekeeper.podLabels" . }} + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + control-plane: controller-manager + gatekeeper.sh/operation: webhook + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + spec: + affinity: + {{- toYaml .Values.controllerManager.affinity | nindent 8 }} + automountServiceAccountToken: true + containers: + - image: '{{ template "system_default_registry" . 
}}{{ .Values.images.gatekeeper.repository }}:{{ .Values.images.gatekeeper.tag }}' + imagePullPolicy: '{{ .Values.images.pullPolicy }}' + args: + - --port={{ .Values.controllerManager.port }} + - --health-addr=:{{ .Values.controllerManager.healthPort }} + - --prometheus-port={{ .Values.controllerManager.metricsPort }} + - --logtostderr + - --log-denies={{ .Values.logDenies }} + - --emit-admission-events={{ .Values.emitAdmissionEvents }} + - --log-level={{ .Values.logLevel }} + - --exempt-namespace={{ .Release.Namespace }} + - --operation=webhook + - --enable-external-data={{ .Values.enableExternalData }} + - --log-mutations={{ .Values.logMutations }} + - --mutation-annotations={{ .Values.mutationAnnotations }} + - --disable-cert-rotation={{ .Values.controllerManager.disableCertRotation }} + + {{- range .Values.metricsBackends}} + - --metrics-backend={{ . }} + {{- end }} + {{ if .Values.enableTLSHealthcheck}}- --enable-tls-healthcheck{{- end }} + {{ if not .Values.disableMutation}}- --operation=mutation-webhook{{- end }} + + {{- range .Values.disabledBuiltins}} + - --disable-opa-builtin={{ . }} + {{- end }} + + {{- range .Values.controllerManager.exemptNamespaces}} + - --exempt-namespace={{ . }} + {{- end }} + + {{- range .Values.controllerManager.exemptNamespacePrefixes}} + - --exempt-namespace-prefix={{ . 
}} + {{- end }} + command: + - /manager + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: CONTAINER_NAME + value: manager + livenessProbe: + httpGet: + path: /healthz + port: {{ .Values.controllerManager.healthPort }} + name: manager + ports: + - containerPort: {{ .Values.controllerManager.port }} + name: webhook-server + protocol: TCP + - containerPort: {{ .Values.controllerManager.metricsPort }} + name: metrics + protocol: TCP + - containerPort: {{ .Values.controllerManager.healthPort }} + name: healthz + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: {{ .Values.controllerManager.healthPort }} + resources: + {{- toYaml .Values.controllerManager.resources | nindent 10 }} + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.controllerManager.securityContext | nindent 10}} + volumeMounts: + - mountPath: /certs + name: cert + readOnly: true + dnsPolicy: {{ .Values.controllerManager.dnsPolicy }} + hostNetwork: {{ .Values.controllerManager.hostNetwork }} + imagePullSecrets: + {{- toYaml .Values.images.pullSecrets | nindent 8 }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} +{{- if .Values.controllerManager.nodeSelector }} +{{ toYaml .Values.controllerManager.nodeSelector | indent 8 }} +{{- end }} + {{- if .Values.controllerManager.priorityClassName }} + priorityClassName: {{ .Values.controllerManager.priorityClassName }} + {{- end }} + securityContext: + {{- toYaml .Values.controllerManager.podSecurityContext | nindent 8 }} + serviceAccountName: gatekeeper-admin + terminationGracePeriodSeconds: 60 + tolerations: {{ include "linux-node-tolerations" . 
| nindent 8 }} +{{- if .Values.controllerManager.tolerations }} +{{ toYaml .Values.controllerManager.tolerations | indent 8 }} +{{- end }} + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: gatekeeper-webhook-server-cert diff --git a/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-controller-manager-poddisruptionbudget.yaml b/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-controller-manager-poddisruptionbudget.yaml new file mode 100644 index 000000000..53e564a74 --- /dev/null +++ b/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-controller-manager-poddisruptionbudget.yaml @@ -0,0 +1,26 @@ +{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }} +apiVersion: policy/v1 +{{ else }} +apiVersion: policy/v1beta1 +{{ end -}} +kind: PodDisruptionBudget +metadata: + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-controller-manager + namespace: '{{ .Release.Namespace }}' +spec: + minAvailable: {{ .Values.pdb.controllerManager.minAvailable }} + selector: + matchLabels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + control-plane: controller-manager + gatekeeper.sh/operation: webhook + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' diff --git a/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-critical-pods-resourcequota.yaml b/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-critical-pods-resourcequota.yaml new file mode 100644 index 000000000..154646366 --- /dev/null +++ b/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-critical-pods-resourcequota.yaml 
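Review bot: In the container `securityContext` of gatekeeper-controller-manager-deployment.yaml, `seccompProfile: type: RuntimeDefault` is emitted when `enableRuntimeDefaultSeccompProfile` is set and then `controllerManager.securityContext` is appended with `toYaml`; if that values map also carries a `seccompProfile` key, the rendered mapping has a duplicate key, which most YAML parsers resolve silently by last-wins, so the values copy would override the hardening flag without any error. A comment above the `{{- if .Values.enableRuntimeDefaultSeccompProfile }}` line, e.g. `# do not also set seccompProfile in controllerManager.securityContext: the two keys would collide and the later one wins`, or guarding the flag with `hasKey` once that map is guaranteed non-nil, would make the precedence explicit. The same pattern appears in the audit deployment, whose hunk begins before this view.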
@@ -0,0 +1,23 @@ +{{- if .Values.resourceQuota }} +apiVersion: v1 +kind: ResourceQuota +metadata: + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-critical-pods + namespace: '{{ .Release.Namespace }}' +spec: + hard: + pods: {{ .Values.podCountLimit }} + scopeSelector: + matchExpressions: + - operator: In + scopeName: PriorityClass + values: + - {{ .Values.controllerManager.priorityClassName }} + - {{ .Values.audit.priorityClassName }} +{{- end }} diff --git a/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-manager-role-clusterrole.yaml b/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-manager-role-clusterrole.yaml new file mode 100644 index 000000000..2ccd9f067 --- /dev/null +++ b/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-manager-role-clusterrole.yaml 
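Review bot: In gatekeeper-critical-pods-resourcequota.yaml the `scopeSelector` values are rendered unconditionally as `- {{ .Values.controllerManager.priorityClassName }}` and `- {{ .Values.audit.priorityClassName }}`, whereas both Deployments only emit `priorityClassName` inside an `{{- if ... }}` guard, so an empty value is an accepted configuration there. With `resourceQuota` enabled and either name empty, the quota renders a null list item that the API server will reject at install time. Wrapping each entry in the same guard, `{{- if .Values.controllerManager.priorityClassName }}` / `- {{ .Values.controllerManager.priorityClassName }}` / `{{- end }}`, keeps the templates consistent; if both names are empty the whole ResourceQuota should probably be skipped as well.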
@@ -0,0 +1,165 @@ +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-manager-role +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - list + - watch +- apiGroups: + - admissionregistration.k8s.io + resourceNames: + - gatekeeper-mutating-webhook-configuration + resources: + - mutatingwebhookconfigurations + verbs: + - get + - list + - patch + - update + - watch +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - config.gatekeeper.sh + resources: + - configs + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - config.gatekeeper.sh + resources: + - configs/status + verbs: + - get + - patch + - update +- apiGroups: + - constraints.gatekeeper.sh + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - externaldata.gatekeeper.sh + resources: + - providers + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - mutations.gatekeeper.sh + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - policy + resourceNames: + - gatekeeper-admin + resources: + - podsecuritypolicies + verbs: + - use +- apiGroups: + - status.gatekeeper.sh + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - templates.gatekeeper.sh + resources: + - constrainttemplates + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - templates.gatekeeper.sh + resources: 
+ - constrainttemplates/finalizers + verbs: + - delete + - get + - patch + - update +- apiGroups: + - templates.gatekeeper.sh + resources: + - constrainttemplates/status + verbs: + - get + - patch + - update +- apiGroups: + - admissionregistration.k8s.io + resourceNames: + - gatekeeper-validating-webhook-configuration + resources: + - validatingwebhookconfigurations + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +{{- end }} diff --git a/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-manager-role-role.yaml b/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-manager-role-role.yaml new file mode 100644 index 000000000..1018dcdb6 --- /dev/null +++ b/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-manager-role-role.yaml @@ -0,0 +1,37 @@ +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-manager-role + namespace: '{{ .Release.Namespace }}' +rules: +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +{{- with .Values.controllerManager.extraRules }} + {{- toYaml . | nindent 0 }} +{{- end }} +{{- end }} diff --git a/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml b/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml new file mode 100644 index 000000000..1fb9f6c87 --- /dev/null +++ b/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml 
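Review bot: The first rule of gatekeeper-manager-role grants `get`, `list`, `watch` on `'*'` resources in `'*'` API groups cluster-wide, which includes every Secret in the cluster, and nothing in the template says why. Upstream presumably relies on this for audit and Config sync, so it may be needed as is, but it makes the `gatekeeper-admin` token one of the most valuable credentials on the cluster. A comment such as `# cluster-wide read of all resources (Secrets included); required by audit/sync - do not bind this role to anything but gatekeeper-admin` above the rule would make the blast radius visible to anyone reviewing RBAC. The `podsecuritypolicies` `use` rule is harmless where the PSP API no longer exists, but it is dead weight on such clusters and worth a note.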
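Review bot: The namespaced gatekeeper-manager-role in gatekeeper-manager-role-role.yaml grants `create`, `delete`, `get`, `list`, `patch`, `update`, `watch` on all `secrets` in the release namespace with no `resourceNames`, while the only Secret the chart itself creates is `gatekeeper-webhook-server-cert`, which cert rotation has to rewrite. `list`/`watch` cannot be name-scoped, so the rule is probably as narrow as a watch-based rotator allows, but it means any other Secret placed in this namespace is readable and writable by gatekeeper-admin. A comment like `# full access to every Secret in the release namespace (needed for webhook cert rotation) - keep this namespace dedicated to gatekeeper` above the rule, mirrored in the README patch, would record that constraint. `controllerManager.extraRules` is spliced into the same Role, so operators can widen it further without any indication in the rendered output.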
@@ -0,0 +1,20 @@ +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: gatekeeper-manager-role +subjects: +- kind: ServiceAccount + name: gatekeeper-admin + namespace: '{{ .Release.Namespace }}' +{{- end }} diff --git a/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-manager-rolebinding-rolebinding.yaml b/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-manager-rolebinding-rolebinding.yaml new file mode 100644 index 000000000..fbe9580d5 --- /dev/null +++ b/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-manager-rolebinding-rolebinding.yaml @@ -0,0 +1,21 @@ +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-manager-rolebinding + namespace: '{{ .Release.Namespace }}' +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: gatekeeper-manager-role +subjects: +- kind: ServiceAccount + name: gatekeeper-admin + namespace: '{{ .Release.Namespace }}' +{{- end }} diff --git a/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml b/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml new file mode 100644 index 000000000..5cbb7610a --- /dev/null 
+++ b/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml @@ -0,0 +1,55 @@ +{{- if not .Values.disableMutation }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-mutating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: gatekeeper-webhook-service + namespace: '{{ .Release.Namespace }}' + path: /v1/mutate + failurePolicy: {{ .Values.mutatingWebhookFailurePolicy }} + matchPolicy: Exact + name: mutation.gatekeeper.sh + namespaceSelector: + matchExpressions: + - key: admission.gatekeeper.sh/ignore + operator: DoesNotExist + + {{- range $key, $value := .Values.mutatingWebhookExemptNamespacesLabels}} + - key: {{ $key }} + operator: NotIn + values: + {{- range $value }} + - {{ . }} + {{- end }} + {{- end }} + objectSelector: {{ toYaml .Values.mutatingWebhookObjectSelector }} + reinvocationPolicy: {{ .Values.mutatingWebhookReinvocationPolicy }} + rules: + {{- if .Values.mutatingWebhookCustomRules }} + {{- toYaml .Values.mutatingWebhookCustomRules | nindent 2 }} + {{- else }} + - apiGroups: + - '*' + apiVersions: + - '*' + operations: + - CREATE + - UPDATE + resources: + - '*' + {{- end }} + sideEffects: None + timeoutSeconds: {{ .Values.mutatingWebhookTimeoutSeconds }} +{{- end }} diff --git a/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml b/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml new file mode 100644 index 000000000..b231dace0 --- /dev/null 
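Review bot: `objectSelector: {{ toYaml .Values.mutatingWebhookObjectSelector }}` in gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml renders the selector on the same line as the key; that works for the empty default, but as far as I can tell a non-empty selector such as a `matchLabels` map is emitted by `toYaml` in block style over several lines, leaving `objectSelector: matchLabels:` on one line, which is not valid YAML. Rendering it as `objectSelector:` followed by `{{- toYaml .Values.mutatingWebhookObjectSelector | nindent 4 }}` handles both cases; worth confirming with `helm template` and a non-empty value before changing the generated-changes patch. Separately, the `admission.gatekeeper.sh/ignore` `DoesNotExist` expression exempts any namespace carrying that label from mutation, and unlike the validating configuration this file has no companion webhook guarding who may set the label; a one-line comment saying so above `namespaceSelector` would help operators.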
+++ b/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml 
@@ -0,0 +1,98 @@ +{{- if not .Values.disableValidatingWebhook }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-validating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: gatekeeper-webhook-service + namespace: '{{ .Release.Namespace }}' + path: /v1/admit + failurePolicy: {{ .Values.validatingWebhookFailurePolicy }} + matchPolicy: Exact + name: validation.gatekeeper.sh + namespaceSelector: + matchExpressions: + - key: admission.gatekeeper.sh/ignore + operator: DoesNotExist + + {{- range $key, $value := .Values.validatingWebhookExemptNamespacesLabels}} + - key: {{ $key }} + operator: NotIn + values: + {{- range $value }} + - {{ . }} + {{- end }} + {{- end }} + objectSelector: {{ toYaml .Values.validatingWebhookObjectSelector }} + rules: + {{- if .Values.validatingWebhookCustomRules }} + {{- toYaml .Values.validatingWebhookCustomRules | nindent 2 }} + {{- else }} + - apiGroups: + - '*' + apiVersions: + - '*' + operations: + - CREATE + - UPDATE + {{- if .Values.enableDeleteOperations }} + - DELETE + {{- end }} + resources: + - '*' + # Explicitly list all known subresources except "status" (to avoid destabilizing the cluster and increasing load on gatekeeper). 
+ # You can find a rough list of subresources by doing a case-sensitive search in the Kubernetes codebase for 'Subresource("' + - 'pods/ephemeralcontainers' + - 'pods/exec' + - 'pods/log' + - 'pods/eviction' + - 'pods/portforward' + - 'pods/proxy' + - 'pods/attach' + - 'pods/binding' + - 'deployments/scale' + - 'replicasets/scale' + - 'statefulsets/scale' + - 'replicationcontrollers/scale' + - 'services/proxy' + - 'nodes/proxy' + # For constraints that mitigate CVE-2020-8554 + - 'services/status' + {{- end }} + sideEffects: None + timeoutSeconds: {{ .Values.validatingWebhookTimeoutSeconds }} +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: gatekeeper-webhook-service + namespace: '{{ .Release.Namespace }}' + path: /v1/admitlabel + failurePolicy: {{ .Values.validatingWebhookCheckIgnoreFailurePolicy }} + matchPolicy: Exact + name: check-ignore-label.gatekeeper.sh + rules: + - apiGroups: + - "" + apiVersions: + - '*' + operations: + - CREATE + - UPDATE + resources: + - namespaces + sideEffects: None + timeoutSeconds: {{ .Values.validatingWebhookTimeoutSeconds }} +{{- end }} diff --git a/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-webhook-server-cert-secret.yaml b/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-webhook-server-cert-secret.yaml new file mode 100644 index 000000000..d6e906a99 --- /dev/null +++ b/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-webhook-server-cert-secret.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Secret +metadata: + annotations: {{- toYaml .Values.secretAnnotations | trim | nindent 4 }} + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-webhook-server-cert + namespace: '{{ .Release.Namespace }}' 
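Review bot: In gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml the main webhook exempts every namespace labelled `admission.gatekeeper.sh/ignore`, and the only thing stopping an ordinary namespace editor from exempting their namespace is the second webhook, `check-ignore-label.gatekeeper.sh`, whose failure policy is `{{ .Values.validatingWebhookCheckIgnoreFailurePolicy }}`. If that value is `Ignore`, any window in which the webhook service is unreachable lets a namespace be labelled and thereby bypass all constraints permanently, including after gatekeeper recovers. A comment above that `failurePolicy:` line, e.g. `# Fail is the safer setting here: with Ignore, a namespace labelled while the webhook is down escapes policy permanently`, plus the same note in the values patch, would make the trade-off explicit. The inline `objectSelector: {{ toYaml ... }}` has the same multi-line rendering caveat as the mutating configuration.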
diff --git a/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-webhook-service-service.yaml b/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-webhook-service-service.yaml new file mode 100644 index 000000000..3c0f4453a --- /dev/null +++ b/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-webhook-service-service.yaml @@ -0,0 +1,38 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-webhook-service + namespace: '{{ .Release.Namespace }}' +spec: + + ports: + - name: https-webhook-server + port: 443 + targetPort: webhook-server +{{- if .Values.service }} +{{- if .Values.service.healthzPort }} + - name: http-webhook-healthz + port: {{ .Values.service.healthzPort }} + targetPort: healthz + {{- end }} + {{- end }} + {{- if .Values.service }} + type: {{ .Values.service.type | default "ClusterIP" }} + {{- if .Values.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.service.loadBalancerIP }} + {{- end }} + {{- end }} + selector: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + control-plane: controller-manager + gatekeeper.sh/operation: webhook + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' diff --git a/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/namespace-post-install.yaml b/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/namespace-post-install.yaml new file mode 100644 index 000000000..fca0d0ca5 --- /dev/null +++ b/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/namespace-post-install.yaml 
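Review bot: gatekeeper-webhook-service-service.yaml lets `service.type` and `service.loadBalancerIP` flow straight into the Service, so a values override can publish the webhook TLS port and the plaintext `http-webhook-healthz` port outside the cluster; the API server only reaches the webhook via the ClusterIP, so there is no in-cluster reason for anything else. If the knobs are kept, a comment above `type:` such as `# ClusterIP is sufficient for the API server; NodePort/LoadBalancer exposes the webhook and healthz endpoints externally` documents the risk; otherwise consider dropping the `loadBalancerIP` branch in the generated-changes patch. The empty `+` line after `spec:` is harmless but untidy in the generated output.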
@@ -0,0 +1,119 @@ +{{- if .Values.postInstall.labelNamespace.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: gatekeeper-update-namespace-label + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + template: + metadata: + annotations: + {{- toYaml .Values.podAnnotations | trim | nindent 8 }} + labels: + app: '{{ template "gatekeeper.name" . }}' + release: '{{ .Release.Name }}' + spec: + restartPolicy: OnFailure + {{- if .Values.postInstall.labelNamespace.image.pullSecrets }} + imagePullSecrets: + {{- .Values.postInstall.labelNamespace.image.pullSecrets | toYaml | nindent 12 }} + {{- end }} + serviceAccount: gatekeeper-update-namespace-label + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} + {{- if .Values.postInstall.probeWebhook.enabled }} + volumes: + {{- include "gatekeeper.postInstallWebhookProbeVolume" . | nindent 8 }} + initContainers: + {{- include "gatekeeper.postInstallWebhookProbeContainer" . | nindent 8 }} + {{- end }} + containers: + - name: kubectl-label + image: '{{ template "system_default_registry" . }}{{ .Values.postInstall.labelNamespace.image.repository }}:{{ .Values.postInstall.labelNamespace.image.tag }}' + imagePullPolicy: {{ .Values.postInstall.labelNamespace.image.pullPolicy }} + args: + - label + - ns + - {{ .Release.Namespace }} + {{- range .Values.postInstall.labelNamespace.extraNamespaces }} + - {{ . 
}} + {{- end }} + - admission.gatekeeper.sh/ignore=no-self-managing + - --overwrite + securityContext: + {{- toYaml .Values.postInstall.securityContext | nindent 12 }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: gatekeeper-update-namespace-label + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +--- +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: gatekeeper-update-namespace-label + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +rules: + - apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - update + - patch + resourceNames: + - {{ .Release.Namespace }} + {{- range .Values.postInstall.labelNamespace.extraNamespaces }} + - {{ . }} + {{- end }} +{{- with .Values.postInstall.labelNamespace.extraRules }} + {{- toYaml . | nindent 2 }} +{{- end }} +{{- end }} +--- +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: gatekeeper-update-namespace-label + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: gatekeeper-update-namespace-label +subjects: + - kind: ServiceAccount + name: gatekeeper-update-namespace-label + namespace: {{ .Release.Namespace | quote }} +{{- end }} +{{- end }} 
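Review bot: The Job pod spec in namespace-post-install.yaml uses `serviceAccount: gatekeeper-update-namespace-label`; `serviceAccount` is the deprecated alias of `serviceAccountName`, and the other pod specs in this chart (both Deployments and the CRD upgrade Job) use `serviceAccountName`, so this should read `serviceAccountName: gatekeeper-update-namespace-label`. The Job applies `admission.gatekeeper.sh/ignore=no-self-managing` to the release namespace and to every entry of `postInstall.labelNamespace.extraNamespaces`, which exempts those namespaces from both webhooks; the Role is correctly limited by `resourceNames` to exactly those namespaces, but `postInstall.labelNamespace.extraRules` can widen it without trace in the rendered template. A comment such as `# extraNamespaces are permanently exempted from gatekeeper admission; keep this list minimal` above the range would record that.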
diff --git a/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/namespace-post-upgrade.yaml b/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/namespace-post-upgrade.yaml new file mode 100644 index 000000000..7e511d3cf --- /dev/null +++ b/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/namespace-post-upgrade.yaml 
@@ -0,0 +1,108 @@ +{{- if .Values.postUpgrade.labelNamespace.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: gatekeeper-update-namespace-label-post-upgrade + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + annotations: + "helm.sh/hook": post-upgrade + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + template: + metadata: + labels: + app: '{{ template "gatekeeper.name" . }}' + release: '{{ .Release.Name }}' + spec: + restartPolicy: OnFailure + {{- if .Values.postUpgrade.labelNamespace.image.pullSecrets }} + imagePullSecrets: + {{- .Values.postUpgrade.labelNamespace.image.pullSecrets | toYaml | nindent 12 }} + {{- end }} + serviceAccount: gatekeeper-update-namespace-label-post-upgrade + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} + containers: + - name: kubectl-label + image: '{{ template "system_default_registry" . }}{{ .Values.postUpgrade.labelNamespace.image.repository }}:{{ .Values.postUpgrade.labelNamespace.image.tag }}' + imagePullPolicy: {{ .Values.postUpgrade.labelNamespace.image.pullPolicy }} + args: + - label + - ns + - {{ .Release.Namespace }} + {{- range .Values.postUpgrade.labelNamespace.extraNamespaces }} + - {{ . 
}} + {{- end }} + - admission.gatekeeper.sh/ignore=no-self-managing + - --overwrite + securityContext: + {{- toYaml .Values.postUpgrade.securityContext | nindent 12 }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: gatekeeper-update-namespace-label-post-upgrade + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": post-upgrade + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +--- +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: gatekeeper-update-namespace-label-post-upgrade + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": post-upgrade + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +rules: + - apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - update + - patch + resourceNames: + - {{ .Release.Namespace }} + {{- range .Values.postUpgrade.labelNamespace.extraNamespaces }} + - {{ . }} + {{- end }} +{{- end }} +--- +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: gatekeeper-update-namespace-label-post-upgrade + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": post-upgrade + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: gatekeeper-update-namespace-label-post-upgrade +subjects: + - kind: ServiceAccount + name: gatekeeper-update-namespace-label-post-upgrade + namespace: {{ .Release.Namespace | quote }} +{{- end }} +{{- end }} 
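Review bot: namespace-post-upgrade.yaml is a near copy of the post-install Job but diverges in three places without explanation: the pod template has no `podAnnotations` block, the Role has no `extraRules` hook, and the probe-webhook init container is absent. If the omissions are intentional (the webhook already exists on upgrade, so probing is moot) a short comment saying so would stop the two files drifting further; if not, `annotations:` / `{{- toYaml .Values.podAnnotations | trim | nindent 8 }}` under `metadata` restores parity for the first. It also carries the same deprecated `serviceAccount:` field, which should be `serviceAccountName:`.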
diff --git a/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/probe-webhook-post-install.yaml b/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/probe-webhook-post-install.yaml new file mode 100644 index 000000000..a6a11946e --- /dev/null +++ b/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/probe-webhook-post-install.yaml @@ -0,0 +1,38 @@ +{{- if not .Values.disableValidatingWebhook }} +{{- if and (not .Values.postInstall.labelNamespace.enabled) .Values.postInstall.probeWebhook.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: gatekeeper-probe-webhook-post-install + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + template: + metadata: + annotations: + {{- toYaml .Values.podAnnotations | trim | nindent 8 }} + labels: + app: '{{ template "gatekeeper.name" . }}' + release: '{{ .Release.Name }}' + spec: + restartPolicy: Never + {{- if .Values.postInstall.probeWebhook.image.pullSecrets }} + imagePullSecrets: + {{- .Values.postInstall.probeWebhook.image.pullSecrets | toYaml | nindent 12 }} + {{- end }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} + volumes: + {{- include "gatekeeper.postInstallWebhookProbeVolume" . | nindent 8 }} + containers: + {{- include "gatekeeper.postInstallWebhookProbeContainer" . | nindent 8 }} +{{- end }} +{{- end }} diff --git a/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/requiredlabels.yaml b/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/requiredlabels.yaml new file mode 100644 index 000000000..e93e6a0a7 --- /dev/null +++ b/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/requiredlabels.yaml 
@@ -0,0 +1,57 @@ +apiVersion: templates.gatekeeper.sh/v1beta1 +kind: ConstraintTemplate +metadata: + name: k8srequiredlabels +spec: + crd: + spec: + names: + kind: K8sRequiredLabels + validation: + # Schema for the `parameters` field + openAPIV3Schema: + properties: + message: + type: string + labels: + type: array + items: + type: object + properties: + key: + type: string + allowedRegex: + type: string + targets: + - target: admission.k8s.gatekeeper.sh + rego: | + package k8srequiredlabels + + get_message(parameters, _default) = msg { + not parameters.message + msg := _default + } + + get_message(parameters, _default) = msg { + msg := parameters.message + } + + violation[{"msg": msg, "details": {"missing_labels": missing}}] { + provided := {label | input.review.object.metadata.labels[label]} + required := {label | label := input.parameters.labels[_].key} + missing := required - provided + count(missing) > 0 + def_msg := sprintf("you must provide labels: %v", [missing]) + msg := get_message(input.parameters, def_msg) + } + + violation[{"msg": msg}] { + value := input.review.object.metadata.labels[key] + expected := input.parameters.labels[_] + expected.key == key + # do not match if allowedRegex is not defined, or is an empty string + expected.allowedRegex != "" + not re_match(expected.allowedRegex, value) + def_msg := sprintf("Label <%v: %v> does not satisfy allowed regex: %v", [key, value, expected.allowedRegex]) + msg := get_message(input.parameters, def_msg) + } diff --git a/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/upgrade-crds-hook.yaml b/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/upgrade-crds-hook.yaml new file mode 100644 index 000000000..57be33585 --- /dev/null +++ b/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/upgrade-crds-hook.yaml 
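Review bot: The Rego in requiredlabels.yaml calls `re_match(expected.allowedRegex, value)`; `re_match` is a deprecated OPA builtin kept for compatibility, and `regex.match` is the supported spelling with the same semantics, so `not regex.match(expected.allowedRegex, value)` avoids a future breakage when gatekeeper's embedded OPA drops the alias. The `openAPIV3Schema` for `parameters` also declares `properties` without a top-level `type: object`; newer gatekeeper releases validate templates as structural schemas, so adding `type: object` above `properties:` is cheap insurance. The regex comes from constraint parameters, which is acceptable as far as I know because OPA's regex engine is RE2-based and does not backtrack, but a comment noting that `allowedRegex` is operator-controlled would make the trust boundary explicit.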
@@ -0,0 +1,103 @@
+{{- if .Values.upgradeCRDs.enabled }}
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: gatekeeper-admin-upgrade-crds
+ labels:
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ annotations:
+ helm.sh/hook: pre-install,pre-upgrade
+ helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
+ helm.sh/hook-weight: "1"
+rules:
+ - apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["get", "create", "update", "patch"]
+{{- with .Values.upgradeCRDs.extraRules }}
+ {{- toYaml . | nindent 2 }}
+{{- end }}
+{{- end }}
+---
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: gatekeeper-admin-upgrade-crds
+ labels:
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ annotations:
+ helm.sh/hook: pre-install,pre-upgrade
+ helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
+ helm.sh/hook-weight: "1"
+subjects:
+ - kind: ServiceAccount
+ name: gatekeeper-admin-upgrade-crds
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: gatekeeper-admin-upgrade-crds
+ apiGroup: rbac.authorization.k8s.io
+{{- end }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ name: gatekeeper-admin-upgrade-crds
+ namespace: '{{ .Release.Namespace }}'
+ annotations:
+ helm.sh/hook: pre-install,pre-upgrade
+ helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
+ helm.sh/hook-weight: "1"
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: gatekeeper-update-crds-hook
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "gatekeeper.name" . }}
+ chart: {{ template "gatekeeper.name" . }}
+ gatekeeper.sh/system: "yes"
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ annotations:
+ helm.sh/hook: pre-install,pre-upgrade
+ helm.sh/hook-weight: "1"
+ helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
+spec:
+ backoffLimit: 0
+ template:
+ metadata:
+ name: gatekeeper-update-crds-hook
+ annotations:
+ {{- toYaml .Values.podAnnotations | trim | nindent 8 }}
+ spec:
+ serviceAccountName: gatekeeper-admin-upgrade-crds
+ restartPolicy: Never
+ {{- if .Values.images.pullSecrets }}
+ imagePullSecrets:
+ {{- toYaml .Values.images.pullSecrets | nindent 8 }}
+ {{- end }}
+ containers:
+ - name: crds-upgrade
+ image: '{{ template "system_default_registry" . }}{{ .Values.images.gatekeepercrd.repository }}:{{ .Values.images.gatekeepercrd.tag }}'
+ imagePullPolicy: '{{ .Values.images.pullPolicy }}'
+ args:
+ - apply
+ - -f
+ - crds/
+ resources:
+ {{- toYaml .Values.crds.resources | nindent 10 }}
+ securityContext:
+ {{- toYaml .Values.crds.securityContext | nindent 10 }}
+ affinity:
+ {{- toYaml .Values.upgradeCRDs.affinity | nindent 8 }}
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+{{- end }}
diff --git a/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/validate-install-crd.yaml b/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/validate-install-crd.yaml
new file mode 100644
index 000000000..033c3ddcf
--- /dev/null
+++ b/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/validate-install-crd.yaml
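Review bot: The `gatekeeper-admin-upgrade-crds` ClusterRole grants `update` and `patch` on every CustomResourceDefinition in the cluster, whereas the pre-delete ClusterRole in `webhook-configs-pre-delete.yaml` pins its rule with `resourceNames`; `create` cannot be restricted that way, but `get`/`update`/`patch` can go into a second rule listing the gatekeeper CRD names so the hook's service account cannot rewrite unrelated CRDs. `affinity:` reads `.Values.upgradeCRDs.affinity`, which the values.yaml added by this commit does not define (it defines `upgradeCRDs.tolerations` instead, and `tolerations:` here is hard-wired to the `linux-node-tolerations` helper, so that key looks unused unless the helper reads it); with default values this renders `affinity: null`, so either add `affinity: {}` under `upgradeCRDs` or drop the unused key. The ServiceAccount quotes its namespace (`'{{ .Release.Namespace }}'`) while the Job and the binding subject do not; pick one form.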
@@ -0,0 +1,22 @@
+#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
+# {{- $found := dict -}}
+# {{- set $found "mutations.gatekeeper.sh/v1alpha1/Assign" false -}}
+# {{- set $found "mutations.gatekeeper.sh/v1alpha1/AssignMetadata" false -}}
+# {{- set $found "config.gatekeeper.sh/v1alpha1/Config" false -}}
+# {{- set $found "status.gatekeeper.sh/v1beta1/ConstraintPodStatus" false -}}
+# {{- set $found "templates.gatekeeper.sh/v1/ConstraintTemplate" false -}}
+# {{- set $found "status.gatekeeper.sh/v1beta1/ConstraintTemplatePodStatus" false -}}
+# {{- set $found "mutations.gatekeeper.sh/v1alpha1/ModifySet" false -}}
+# {{- set $found "status.gatekeeper.sh/v1beta1/MutatorPodStatus" false -}}
+# {{- set $found "externaldata.gatekeeper.sh/v1alpha1/Provider" false -}}
+# {{- range .Capabilities.APIVersions -}}
+# {{- if hasKey $found (toString .) -}}
+# {{- set $found (toString .) true -}}
+# {{- end -}}
+# {{- end -}}
+# {{- range $_, $exists := $found -}}
+# {{- if (eq $exists false) -}}
+# {{- required "Required CRDs are missing. Please install the corresponding CRD chart before installing this chart." "" -}}
+# {{- end -}}
+# {{- end -}}
+#{{- end -}}
\ No newline at end of file
diff --git a/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/webhook-configs-pre-delete.yaml b/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/webhook-configs-pre-delete.yaml
new file mode 100644
index 000000000..0f2fa289f
--- /dev/null
+++ b/charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/webhook-configs-pre-delete.yaml
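Review bot: Every line of `validate-install-crd.yaml` carries a leading `#`, so the "Required CRDs are missing" guard is never evaluated and the chart installs even when the CRD chart is absent; if that is deliberate because the `catalog.cattle.io/auto-install: rancher-gatekeeper-crd=match` annotation in the index entry handles the dependency, a first-line comment such as `# Disabled on purpose: CRD presence is enforced by the catalog auto-install annotation, not by this template` would record it, otherwise the `#` prefixes should come off. The file also ends without a trailing newline (`\ No newline at end of file`). The check list names `templates.gatekeeper.sh/v1/ConstraintTemplate` while `requiredlabels.yaml` in this commit creates a `v1beta1` template, which is worth reconciling if the guard is ever re-enabled.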
@@ -0,0 +1,119 @@
+{{- if and (or (not .Values.disableValidatingWebhook) (not .Values.disableMutation)) .Values.preUninstall.deleteWebhookConfigurations.enabled }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: gatekeeper-delete-webhook-configs
+ labels:
+ app: '{{ template "gatekeeper.name" . }}'
+ chart: '{{ template "gatekeeper.name" . }}'
+ gatekeeper.sh/system: "yes"
+ heritage: '{{ .Release.Service }}'
+ release: '{{ .Release.Name }}'
+ annotations:
+ "helm.sh/hook": pre-delete
+ "helm.sh/hook-weight": "-5"
+ "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
+spec:
+ template:
+ metadata:
+ annotations:
+ {{- toYaml .Values.podAnnotations | trim | nindent 8 }}
+ labels:
+ app: '{{ template "gatekeeper.name" . }}'
+ release: '{{ .Release.Name }}'
+ spec:
+ restartPolicy: OnFailure
+ {{- if .Values.preUninstall.deleteWebhookConfigurations.image.pullSecrets }}
+ imagePullSecrets:
+ {{- .Values.preUninstall.deleteWebhookConfigurations.image.pullSecrets | toYaml | nindent 12 }}
+ {{- end }}
+ serviceAccount: gatekeeper-delete-webhook-configs
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+ containers:
+ - name: kubectl-delete
+ image: '{{ template "system_default_registry" . }}{{ .Values.preUninstall.deleteWebhookConfigurations.image.repository }}:{{ .Values.preUninstall.deleteWebhookConfigurations.image.tag }}'
+ imagePullPolicy: {{ .Values.preUninstall.deleteWebhookConfigurations.image.pullPolicy }}
+ args:
+ - delete
+ {{- if not .Values.disableValidatingWebhook }}
+ - validatingwebhookconfiguration/gatekeeper-validating-webhook-configuration
+ {{- end }}
+ {{- if not .Values.disableMutation }}
+ - mutatingwebhookconfiguration/gatekeeper-mutating-webhook-configuration
+ {{- end }}
+ securityContext:
+ {{- toYaml .Values.preUninstall.securityContext | nindent 10 }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: gatekeeper-delete-webhook-configs
+ labels:
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ annotations:
+ "helm.sh/hook": pre-delete
+ "helm.sh/hook-weight": "-5"
+ "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
+---
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: gatekeeper-delete-webhook-configs
+ labels:
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ annotations:
+ "helm.sh/hook": pre-delete
+ "helm.sh/hook-weight": "-5"
+ "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
+rules:
+ {{- if not .Values.disableValidatingWebhook }}
+ - apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - validatingwebhookconfigurations
+ resourceNames:
+ - gatekeeper-validating-webhook-configuration
+ verbs:
+ - delete
+ {{- end }}
+ {{- if not .Values.disableMutation }}
+ - apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - mutatingwebhookconfigurations
+ resourceNames:
+ - gatekeeper-mutating-webhook-configuration
+ verbs:
+ - delete
+ {{- end }}
+{{- with .Values.preUninstall.deleteWebhookConfigurations.extraRules }}
+ {{- toYaml . | nindent 2 }}
+{{- end }}
+{{- end }}
+---
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: gatekeeper-delete-webhook-configs
+ labels:
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ annotations:
+ "helm.sh/hook": pre-delete
+ "helm.sh/hook-weight": "-5"
+ "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: gatekeeper-delete-webhook-configs
+subjects:
+ - kind: ServiceAccount
+ name: gatekeeper-delete-webhook-configs
+ namespace: {{ .Release.Namespace | quote }}
+{{- end }}
+{{- end }}
diff --git a/charts/rancher-gatekeeper/101.0.0+up3.9.0/values.yaml b/charts/rancher-gatekeeper/101.0.0+up3.9.0/values.yaml
new file mode 100644
index 000000000..ec706d799
--- /dev/null
+++ b/charts/rancher-gatekeeper/101.0.0+up3.9.0/values.yaml
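Review bot: The pod spec uses `serviceAccount: gatekeeper-delete-webhook-configs`, the deprecated alias, while `upgrade-crds-hook.yaml` in the same commit uses `serviceAccountName:`; change it to `serviceAccountName: gatekeeper-delete-webhook-configs` so both hooks read the same way. `imagePullPolicy: {{ ... }}` is unquoted here but single-quoted in the CRD hook, another small inconsistency worth aligning. The Job combines `restartPolicy: OnFailure` with no `backoffLimit`, so a failing delete is retried with the Job default before the pre-delete hook fails, which is probably acceptable for cleanup but deserves a one-line comment. The ClusterRole's `resourceNames` pinning to the two gatekeeper webhook configurations is the right least-privilege shape.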
@@ -0,0 +1,217 @@
+replicas: 3
+auditInterval: 60
+metricsBackends: ["prometheus"]
+auditMatchKindOnly: false
+constraintViolationsLimit: 20
+auditFromCache: false
+disableMutation: false
+disableValidatingWebhook: false
+validatingWebhookTimeoutSeconds: 3
+validatingWebhookFailurePolicy: Ignore
+validatingWebhookExemptNamespacesLabels: {}
+validatingWebhookObjectSelector: {}
+validatingWebhookCheckIgnoreFailurePolicy: Fail
+validatingWebhookCustomRules: {}
+enableDeleteOperations: false
+enableExternalData: false
+enableTLSHealthcheck: false
+mutatingWebhookFailurePolicy: Ignore
+mutatingWebhookReinvocationPolicy: Never
+mutatingWebhookExemptNamespacesLabels: {}
+mutatingWebhookObjectSelector: {}
+mutatingWebhookTimeoutSeconds: 1
+mutatingWebhookCustomRules: {}
+mutationAnnotations: false
+auditChunkSize: 500
+logLevel: INFO
+logDenies: false
+logMutations: false
+emitAdmissionEvents: false
+emitAuditEvents: false
+resourceQuota: true
+postUpgrade:
+ labelNamespace:
+ enabled: false
+ image:
+ repository: rancher/kubectl
+ tag: v1.20.2
+ pullPolicy: IfNotPresent
+ pullSecrets: []
+ extraNamespaces: []
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - all
+ readOnlyRootFilesystem: true
+ runAsGroup: 999
+ runAsNonRoot: true
+ runAsUser: 1000
+postInstall:
+ labelNamespace:
+ extraRules: []
+ enabled: true
+ image:
+ repository: rancher/mirrored-openpolicyagent-gatekeeper-crds
+ tag: v3.9.0
+ pullPolicy: IfNotPresent
+ pullSecrets: []
+ extraNamespaces: []
+ probeWebhook:
+ enabled: true
+ image:
+ repository: rancher/mirrored-curlimages-curl
+ tag: 7.83.1
+ pullPolicy: IfNotPresent
+ pullSecrets: []
+ waitTimeout: 60
+ httpTimeout: 2
+ insecureHTTPS: false
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - all
+ readOnlyRootFilesystem: true
+ runAsGroup: 999
+ runAsNonRoot: true
+ runAsUser: 1000
+preUninstall:
+ deleteWebhookConfigurations:
+ extraRules: []
+ enabled: false
+ image:
+ repository: rancher/mirrored-openpolicyagent-gatekeeper-crds
+ tag: v3.9.0
+ pullPolicy: IfNotPresent
+ pullSecrets: []
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - all
+ readOnlyRootFilesystem: true
+ runAsGroup: 999
+ runAsNonRoot: true
+ runAsUser: 1000
+images:
+ gatekeeper:
+ repository: rancher/mirrored-openpolicyagent-gatekeeper
+ tag: v3.9.0
+ gatekeepercrd:
+ repository: rancher/mirrored-openpolicyagent-gatekeeper-crds
+ tag: v3.9.0
+ pullPolicy: IfNotPresent
+ pullSecrets: []
+podAnnotations: {}
+podLabels: {}
+podCountLimit: 100
+secretAnnotations: {}
+enableRuntimeDefaultSeccompProfile: true
+controllerManager:
+ exemptNamespaces: []
+ exemptNamespacePrefixes: []
+ hostNetwork: false
+ dnsPolicy: ClusterFirst
+ port: 8443
+ metricsPort: 8888
+ healthPort: 9090
+ priorityClassName: system-cluster-critical
+ disableCertRotation: false
+ affinity:
+ podAntiAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: gatekeeper.sh/operation
+ operator: In
+ values:
+ - webhook
+ topologyKey: kubernetes.io/hostname
+ weight: 100
+ tolerations: []
+ nodeSelector: {}
+ resources:
+ limits:
+ cpu: 1000m
+ memory: 512Mi
+ requests:
+ cpu: 100m
+ memory: 256Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - all
+ readOnlyRootFilesystem: true
+ runAsGroup: 999
+ runAsNonRoot: true
+ runAsUser: 1000
+ podSecurityContext:
+ fsGroup: 999
+ supplementalGroups:
+ - 999
+ extraRules: []
+audit:
+ hostNetwork: false
+ dnsPolicy: ClusterFirst
+ metricsPort: 8888
+ healthPort: 9090
+ priorityClassName: system-cluster-critical
+ disableCertRotation: true
+ affinity: {}
+ tolerations: []
+ nodeSelector: {}
+ writeToRAMDisk: false
+ resources:
+ limits:
+ cpu: 1000m
+ memory: 512Mi
+ requests:
+ cpu: 100m
+ memory: 256Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - all
+ readOnlyRootFilesystem: true
+ runAsGroup: 999
+ runAsNonRoot: true
+ runAsUser: 1000
+ podSecurityContext:
+ fsGroup: 999
+ supplementalGroups:
+ - 999
+ extraRules: []
+crds:
+ resources: {}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - all
+ readOnlyRootFilesystem: true
+ runAsGroup: 65532
+ runAsNonRoot: true
+ runAsUser: 65532
+pdb:
+ controllerManager:
+ minAvailable: 1
+global:
+ cattle:
+ systemDefaultRegistry: ""
+ kubectl:
+ repository: rancher/kubectl
+ tag: v1.20.2
+service: {}
+disabledBuiltins: ["{http.send}"]
+psp:
+ enabled: true
+upgradeCRDs:
+ enabled: true
+ tolerations: []
+ extraRules: []
+rbac:
+ create: true
diff --git a/index.yaml b/index.yaml
index 0a06ac220..6d4f8a6ec 100755
--- a/index.yaml
+++ b/index.yaml
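Review bot: values.yaml ships with no comments, and its two fail-open defaults are the ones operators most need explained: `validatingWebhookFailurePolicy: Ignore` and `mutatingWebhookFailurePolicy: Ignore` mean the API server admits requests whenever the Gatekeeper webhook is unreachable, so constraints are not enforced during an outage; a comment above each such as `# Ignore = fail open: requests are admitted when the webhook is unavailable. Set to Fail to keep enforcing at the cost of blocking admission while Gatekeeper is down.` makes that trade-off visible. `psp.enabled: true` presumably pairs with the `< 1.25.0-0` kube-version bound in the index entry, since PodSecurityPolicy is removed in 1.25; a comment recording that coupling avoids a surprise when the bound is raised. `global.kubectl.tag` and `postUpgrade.labelNamespace.image.tag` pin `v1.20.2` against a kube-version range reaching 1.24, which is outside the one-minor-version skew kubectl supports, so worth confirming the label/apply commands those hooks run are unaffected.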
@@ -3986,6 +3986,36 @@ entries: - assets/rancher-external-ip-webhook/rancher-external-ip-webhook-0.1.400.tgz version: 0.1.400 rancher-gatekeeper: + - annotations: + catalog.cattle.io/auto-install: rancher-gatekeeper-crd=match + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: OPA Gatekeeper + catalog.cattle.io/kube-version: '>= 1.20.0-0 < 1.25.0-0' + catalog.cattle.io/namespace: cattle-gatekeeper-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/provides-gvr: config.gatekeeper.sh.config/v1alpha1 + catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0' + catalog.cattle.io/release-name: rancher-gatekeeper + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/ui-component: gatekeeper + apiVersion: v2 + appVersion: v3.9.0 + created: "2022-09-16T11:36:28.417222521+05:30" + description: Modifies Open Policy Agent's upstream gatekeeper chart that provides + policy-based control for cloud native environments + digest: 01b3d1f7b3262ce690848497ddaa3897338d6b186a71cc48d03392972f526e7a + home: https://github.com/open-policy-agent/gatekeeper + icon: https://charts.rancher.io/assets/logos/gatekeeper.svg + keywords: + - open policy agent + - security + name: rancher-gatekeeper + sources: + - https://github.com/open-policy-agent/gatekeeper.git + urls: + - assets/rancher-gatekeeper/rancher-gatekeeper-101.0.0+up3.9.0.tgz + version: 101.0.0+up3.9.0 - annotations: catalog.cattle.io/auto-install: rancher-gatekeeper-crd=match catalog.cattle.io/certified: rancher 
@@ -4239,6 +4269,20 @@ entries: - assets/rancher-gatekeeper/rancher-gatekeeper-3.1.100.tgz version: 3.1.100 rancher-gatekeeper-crd: + - annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/namespace: cattle-gatekeeper-system + catalog.cattle.io/release-name: rancher-gatekeeper-crd + apiVersion: v1 + created: "2022-09-16T11:36:28.422458665+05:30" + description: Installs the CRDs for rancher-gatekeeper. + digest: 3bd634995c5885e7de59558c349bcbaa2e1a324ff0a2bce0a9ac548222623a1f + name: rancher-gatekeeper-crd + type: application + urls: + - assets/rancher-gatekeeper-crd/rancher-gatekeeper-crd-101.0.0+up3.9.0.tgz + version: 101.0.0+up3.9.0 - annotations: catalog.cattle.io/certified: rancher catalog.cattle.io/hidden: "true"