From 102622cc019a14ac1a439ac6bbab1e29129913ba Mon Sep 17 00:00:00 2001
From: Colleen Murphy <colleen.murphy@suse.com>
Date: Fri, 18 Aug 2023 13:24:27 -0700
Subject: [PATCH] make charts

---
 .../rancher-webhook-104.0.0+up0.4.0-rc1.tgz   | Bin 0 -> 3218 bytes
 .../104.0.0+up0.4.0-rc1/Chart.yaml            |  18 ++++
 .../104.0.0+up0.4.0-rc1/Chart.yaml.orig       |  18 ++++
 .../charts/capi/Chart.yaml                    |   4 +
 .../charts/capi/templates/service.yaml        |  13 +++
 .../templates/_helpers.tpl                    |  22 ++++
 .../templates/deployment.yaml                 | 102 ++++++++++++++++++
 .../104.0.0+up0.4.0-rc1/templates/rbac.yaml   |  12 +++
 .../104.0.0+up0.4.0-rc1/templates/secret.yaml |  11 ++
 .../templates/service.yaml                    |  13 +++
 .../templates/serviceaccount.yaml             |  11 ++
 .../templates/webhook.yaml                    |   9 ++
 .../104.0.0+up0.4.0-rc1/tests/README.md       |  16 +++
 .../tests/capi-service_test.yaml              |  20 ++++
 .../tests/deployment_test.yaml                |  94 ++++++++++++++++
 .../tests/service_test.yaml                   |  18 ++++
 .../104.0.0+up0.4.0-rc1/values.yaml           |  34 ++++++
 index.yaml                                    |  22 ++++
 18 files changed, 437 insertions(+)
 create mode 100644 assets/rancher-webhook/rancher-webhook-104.0.0+up0.4.0-rc1.tgz
 create mode 100644 charts/rancher-webhook/104.0.0+up0.4.0-rc1/Chart.yaml
 create mode 100644 charts/rancher-webhook/104.0.0+up0.4.0-rc1/Chart.yaml.orig
 create mode 100644 charts/rancher-webhook/104.0.0+up0.4.0-rc1/charts/capi/Chart.yaml
 create mode 100644 charts/rancher-webhook/104.0.0+up0.4.0-rc1/charts/capi/templates/service.yaml
 create mode 100644 charts/rancher-webhook/104.0.0+up0.4.0-rc1/templates/_helpers.tpl
 create mode 100644 charts/rancher-webhook/104.0.0+up0.4.0-rc1/templates/deployment.yaml
 create mode 100644 charts/rancher-webhook/104.0.0+up0.4.0-rc1/templates/rbac.yaml
 create mode 100644 charts/rancher-webhook/104.0.0+up0.4.0-rc1/templates/secret.yaml
 create mode 100644 charts/rancher-webhook/104.0.0+up0.4.0-rc1/templates/service.yaml
 create mode 100644 charts/rancher-webhook/104.0.0+up0.4.0-rc1/templates/serviceaccount.yaml
 create mode 100644 charts/rancher-webhook/104.0.0+up0.4.0-rc1/templates/webhook.yaml
 create mode 100644 charts/rancher-webhook/104.0.0+up0.4.0-rc1/tests/README.md
 create mode 100644 charts/rancher-webhook/104.0.0+up0.4.0-rc1/tests/capi-service_test.yaml
 create mode 100644 charts/rancher-webhook/104.0.0+up0.4.0-rc1/tests/deployment_test.yaml
 create mode 100644 charts/rancher-webhook/104.0.0+up0.4.0-rc1/tests/service_test.yaml
 create mode 100644 charts/rancher-webhook/104.0.0+up0.4.0-rc1/values.yaml

diff --git a/assets/rancher-webhook/rancher-webhook-104.0.0+up0.4.0-rc1.tgz b/assets/rancher-webhook/rancher-webhook-104.0.0+up0.4.0-rc1.tgz
new file mode 100644
index 0000000000000000000000000000000000000000..a1a1a96997701ba70e6cf60cb7d11d3ea22dac24
GIT binary patch
literal 3218
zcmV;D3~lotiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc
zVQyr3R8em|NM&qo0PH+bZ`(MNeb%oSICtp7RkG|jb}QT-;B~Wm1)4NSf-Vk=MV6Mv
zHn%jXid3@MH2?iTQj#TEw$s?>?B3^jNi2~wLvm&~GaM=*Je*<T-r;yA#FzGHMiS-S
zlR0~}Gw^-i@ArD<ukZWyznxCE^QzP9^#_BKPH)hA<#&4B{>dxwcgMnNNTnjlD}QTR
z^}+o^fN(ApQB-glH~=A0go&va5~Ub=RJ21(6rE6v0?1^gvDu795%K_9DoL@`*yKw(
zM)wvINd*t!^?&^U9k0{(eAkEngpSu8=zm`~cI9M_GA1DgU>~~jUMie7HWo4fMtS;Y
z<J%aMIaSgvTD`fWJQ8=Zv30H<6}G$H+l=e3_ii=Q2{I%SUCn$kdAXuFB&MHpq_<s%
z#BuS{_j;c1CSk{kFh(9B4=KvPaUm2uqRKQ1NlZQDWXv#f04x#x&;dv=7LqEF+y~HV
zIT6Y*p|S1vnJ^j=Mfr3X&8gHBf3YmVL?m!&*#vbTqjZ{CFD9eo_dMV8|09hTEWfls
zAK<&7ZvSryOHuB21K4E$`~H&sKk4=l_J1Eh=VXdO&1Pgm(XJ~#fFjcXZWr1PU=UoS
zj9myu!}|a}OwNV6NKhhIjx%LqOjx$HC}v0jSnK^BCnRO+5~ozE%vJ%+gjDCK?nLq>
zfC*s|9Y@<W-7~Xy`E!6+Br1TngTcUY=Ha~3M(;$9a|B8-OzakCOq`k_WFvwIV<ztB
z$dw0Ih%i$smO<O>RS8FhQd{y!gt8q99%8IyTZS`?QbzgI#akL`#BD_=S1#d^yP(!K
z)aD{VpnM{n5+4El`kTW=gjdKgR3ZuB;n8u9j^HApBBAPj#E6vVWR5_jq*IO&C{bqD
ziR&%R{5eNvPO@GS?q)Qc*+)u1DiQ8x$RSBNr+m6(+U<P4>-CN`rVEmgIVw!-#F13Z
zkSiLR?ZeEY+0#i(B__9+c#dwO7vTs-!=^sf_7F0PT!Hp6qz4}+fb&@0zbT#z&M~wr
zcSjimE)<Nhj1(i!kULAIc{L^y`#l$VC?fmL;u;Mz@j8MbW8#icsX$C%bZ*D?M8*ie
zHxD6OlkvTohS3n>MBLH{BcQw>X_?jxhgx(jKSYzqXmoC+;Dz<SZvPd|V@4Fp_RS1g
zjEVGAyyaG~!T$S$lWxua_xpp+!T#?99v)nXa6&mk%Ub1|$eQJwB(uvca33EX-H=Ye
z`)nNqYu9scx6z&#-Qt9DHG$T@%XaHo2#`rEezX?+Adi;*cgiEGNw>$y7@4#PNE|P_
zwmGIcA`>aN+G3Xse1^z{FQ_-Kas;9+jd7)dtgn86lL>|@fY!OVvU`Y$ltirY={=xz
z`ZXo2wR$`yHe|MQSRShT)gl5aVQOCg)%suBYqs<TH|T%A<NG!JAN2g*LI3vwT0s6y
z@23#_Q0S)l{S7ih01*up7>!wktR#+Q`?lkJp*#xUeIYB(92JR(B0&+9)^$wA80xpV
z1Y4JIPE<JiX!O%Q0BF=ufLuhgekFPuSOvvOBmg-Z8ZzT1l41(V;kBJ0uh`WeAG2<^
zf~9kmWh|NTsGx1cSu}F9X;MrUOiK(CREt66PtKbr)Lryk#lflp<h1P@HzZHwpx%Dd
z$TMSKa_tvQEB?Om*;nAK`O6PLdC1aem09%Q8*s`a?Z>@c$ypgGn5_hq_#ZN7%`Lt`
zGsX&|6-R#spOsyt%xZrntK~SRk<)U6g3<mOMnl1M;DSjZ!n(ojV%2l`xVj#mU6f=Y
z-`XA?a@tandHnd;TIzawKK$|H>CI?(@nJ23vU04!b2d6#i)J3q*I^kAudhFz-dudT
zyk17Lz+&R1g#py@5PXBLsZdx<-V#zh#EqEEFl*>____xD`S9%Y>S8!Lt>gVE5%aQ!
z0!%2f=n^N@r`huhqGmy1FTEnCTC}Ygi$$0M4Ll7$e*E;y>HC|}`PK4hUq3v+AA)jd
zy=gUJdtISek;p8cU~%MzevN19!Q<n@L!kktv$sfPz~f`E^jeW=g^A`}s=`k>ztLJk
zSZe}h!P84Emlew78A>x(XySzlz)K{WM6qE(v|PDQ$GS=kOPIA^q|*2z5o0XNlP2<W
zb!z~Kjcm2rGbBvS{%TcU8tN^>UG<F&XJ`@^|9yRZaaDddA(W*FUe6MgGr^(&`hMwk
zj0qLd6^4RGGJuof6{EMvQOXx$dnI4b^e}QC<4mNyEJqEB^CV}Z+1&t`Yy8$gwADOr
ze|akl_rj(`+WHUWQ`h7~N?j8q(I?LCE1UN^4p)zLwL9`84x74tH+QA^J4f{+<<XTM
zc!=e;62sKw-UL_pXGN$&5|c4yR8f>wVIxsgec;0R>GjQzAI{(3T%BHi{!p^;OZ-X8
z#4rr?JT&@&&0fP&ns9-$DT7$r1M6=WX062COUEw<*bY|5|H+tyyEzBil>h4;*Ux|Y
zo#R9NzZWRS^k&7iaTW>v%fu1hm$xRNR0R4XmP&=mrC_K{BjwX41pJ9$m^q~+ravbl
zjn@!!0G4Pi4!G?zmqc^Q9hr{*z)+c^aogvrVkTE|WS?gh1rHD2r9G<m&hw|M(q;ee
zV730+cz+ibV3YnIcTej2f6_VV|6bsG@_#G+w@NKb$H}chNW3tMJC^(8`l^Mj!G@H5
zxs}yF>ORH*KE>o~iq63)c@C`8e`88_U;sAif4`pp@AvzM`j5RpW!tPP^5(65jdJGs
z^&$h}W)XF-cWmMaMUpA1?@4&XiBKXGEP(5gO-EL<Db*8&#?1dq&-dRAHtIjIuGBVW
zV59%<*UtaDez)fz^nV{v)A&X&db1gDUAJyKo`=bmX`~~7T3K>lJ!Xor%GIo`t6^5+
z6cP?&1Uio~k%ALtE2hTxF_E%P25z$|SixH_y#g-_tMxyxnb^brf6`mt{|5*C-v?CA
z^z(x7?0ls;1+XX}&+5iUf=}o)war(n_@Xj?$y_{*@L8(1Bm2^G{da`b_kTQ*(CJQS
zY|#Hs#~;-6|D=0-*#Gwehx<Rzx&JdL?*F{~SHAyqxb^dohh_gyD%rj~9lk$1_2$t|
zXl#uC26g|hHy9ir?EgN%IXVI+Lc$=zThOad`4lLZDoO3l3&;6nOb2uV_$g%!LhT~J
z=mR7vhdZifKup<1emLVezyJRGn8=yqwXNZiZPQ1#Lkjw3fwCLGHA<y1Ngz|A>6!}_
zmWJT$9v0}13}1vX(`1Hh4lzrol*5E3Qh{4}mbcBX^h~LmrDHD?^R{m0rkpB0-s&%J
zN|mFj>G^PT_Nz_g%nstE*KQZktpBE(C`$m{m@#h?1#Z&+e!o}G|M;EmLI3vwGNlSL
zEzGmPMGnAbZFAivF<o&y;25c~t*Ht?&P2*0kf=%*?QA;NWOwZ)Q(J|-D9I{&G^KJK
zA|;k;=v=_Bsl8E{gRSC{F@`32EPwTX^A^eF<@!W>U9f@KG>&ZE$aFTmHZp1R*xlpK
zyM426Xzp_ToArNj_hWnQ->Cm5{-A#TJLq>0_rLZ6W&JPR;;5N`+Fc-L3x)qKoyghn
z%&$ecx>l1yUn*6u%PR9OKX2NeSZ5<KV_I@zSzGxGddP2Ub-c)HwX5q2+834adi1TA
z;Haq@e!-TWr`B2<oXb&@5w6+ay^B=I^8Y<nSu?bLI`t0q<PB}d6S`S#UTQ+u3u*JL
za-q!3mJ5Ahe4iUUuXzTkJWttkrm$9O+_=cR&W^d`zg)pgrSVO?1{tWfT<61Vu{^c0
zcx9eF5=9Mbw_GB<YCW>ccp#EW&3tKTwqBWx#PhpamKxV^G_<#Lvc($>LB#ed7fDdJ
zs4rTjqAI9;_`p=@mm8M8I#4RNuYUEQ^x_Y(i`B2r*9Mhrs@`w9hX@<)B5oz2m1Ww3
z?PuOrSaDxrKQ^)XPFG<LtFrP&OUO$*uLsx~n&ZEnrG5--%Kw}k*U$e3{@`%_zZZBy
z{-=`Z*;nNEq-==&PSNucIor6rFO#bIKY_abmy><F`WEOW{r3mQ_4=RQ;E?~_3#>hc
z_C4Pz9W38g-@G*I2iO6u)Bj!F1=x80+o|P$yB+^f|F<9b&iemy3`5PQBbF+4Ib!4z
z6M&YAVQj?KTnl49VAF72p#G_Z=Ug8!-_|hK2M(754sd`29H0#U8vp?R|078;;Q(L&
E07(a8QUCw|

literal 0
HcmV?d00001

diff --git a/charts/rancher-webhook/104.0.0+up0.4.0-rc1/Chart.yaml b/charts/rancher-webhook/104.0.0+up0.4.0-rc1/Chart.yaml
new file mode 100644
index 00000000000..b2ef0415c93
--- /dev/null
+++ b/charts/rancher-webhook/104.0.0+up0.4.0-rc1/Chart.yaml
@@ -0,0 +1,18 @@
+annotations:
+  catalog.cattle.io/certified: rancher
+  catalog.cattle.io/hidden: "true"
+  catalog.cattle.io/kube-version: '>= 1.16.0-0 < 1.27.0-0'
+  catalog.cattle.io/namespace: cattle-system
+  catalog.cattle.io/os: linux
+  catalog.cattle.io/permits-os: linux,windows
+  catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0'
+  catalog.cattle.io/release-name: rancher-webhook
+apiVersion: v2
+appVersion: 0.4.0-rc1
+dependencies:
+- condition: capi.enabled
+  name: capi
+  repository: ""
+description: ValidatingAdmissionWebhook for Rancher types
+name: rancher-webhook
+version: 104.0.0+up0.4.0-rc1
diff --git a/charts/rancher-webhook/104.0.0+up0.4.0-rc1/Chart.yaml.orig b/charts/rancher-webhook/104.0.0+up0.4.0-rc1/Chart.yaml.orig
new file mode 100644
index 00000000000..e60101b65a2
--- /dev/null
+++ b/charts/rancher-webhook/104.0.0+up0.4.0-rc1/Chart.yaml.orig
@@ -0,0 +1,18 @@
+annotations:
+  catalog.cattle.io/certified: rancher
+  catalog.cattle.io/hidden: "true"
+  catalog.cattle.io/kube-version: '>= 1.16.0-0 < 1.27.0-0'
+  catalog.cattle.io/namespace: cattle-system
+  catalog.cattle.io/os: linux
+  catalog.cattle.io/permits-os: linux,windows
+  catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0'
+  catalog.cattle.io/release-name: rancher-webhook
+apiVersion: v2
+appVersion: 0.4.0-rc1
+dependencies:
+- condition: capi.enabled
+  name: capi
+  repository: ""
+description: ValidatingAdmissionWebhook for Rancher types
+name: rancher-webhook
+version: 0.4.0-rc1
diff --git a/charts/rancher-webhook/104.0.0+up0.4.0-rc1/charts/capi/Chart.yaml b/charts/rancher-webhook/104.0.0+up0.4.0-rc1/charts/capi/Chart.yaml
new file mode 100644
index 00000000000..388210bef11
--- /dev/null
+++ b/charts/rancher-webhook/104.0.0+up0.4.0-rc1/charts/capi/Chart.yaml
@@ -0,0 +1,4 @@
+apiVersion: v2
+appVersion: 0.0.0
+name: capi
+version: 0.0.0
diff --git a/charts/rancher-webhook/104.0.0+up0.4.0-rc1/charts/capi/templates/service.yaml b/charts/rancher-webhook/104.0.0+up0.4.0-rc1/charts/capi/templates/service.yaml
new file mode 100644
index 00000000000..de7c255c4e4
--- /dev/null
+++ b/charts/rancher-webhook/104.0.0+up0.4.0-rc1/charts/capi/templates/service.yaml
@@ -0,0 +1,13 @@
+kind: Service
+apiVersion: v1
+metadata:
+  name: webhook-service
+  annotations:
+    need-a-cert.cattle.io/secret-name: rancher-webhook-tls
+spec:
+  ports:
+  - name: https
+    port: 443
+    targetPort: {{ .Values.port | default 8777 }}
+  selector:
+    app: rancher-webhook
diff --git a/charts/rancher-webhook/104.0.0+up0.4.0-rc1/templates/_helpers.tpl b/charts/rancher-webhook/104.0.0+up0.4.0-rc1/templates/_helpers.tpl
new file mode 100644
index 00000000000..c37a65c6f3e
--- /dev/null
+++ b/charts/rancher-webhook/104.0.0+up0.4.0-rc1/templates/_helpers.tpl
@@ -0,0 +1,22 @@
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- else -}}
+{{- "" -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "rancher-webhook.labels" -}}
+app: rancher-webhook
+{{- end }}
+
+{{- define "linux-node-tolerations" -}}
+- key: "cattle.io/os"
+  value: "linux"
+  effect: "NoSchedule"
+  operator: "Equal"
+{{- end -}}
+
+{{- define "linux-node-selector" -}}
+kubernetes.io/os: linux
+{{- end -}}
\ No newline at end of file
diff --git a/charts/rancher-webhook/104.0.0+up0.4.0-rc1/templates/deployment.yaml b/charts/rancher-webhook/104.0.0+up0.4.0-rc1/templates/deployment.yaml
new file mode 100644
index 00000000000..a0cc77c2da2
--- /dev/null
+++ b/charts/rancher-webhook/104.0.0+up0.4.0-rc1/templates/deployment.yaml
@@ -0,0 +1,102 @@
+{{- $auth := .Values.auth | default dict }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: rancher-webhook
+spec:
+  selector:
+    matchLabels:
+      app: rancher-webhook
+  template:
+    metadata:
+      labels:
+        app: rancher-webhook
+    spec:
+      {{- if or .Values.capi.enabled $auth.clientCA }}
+      volumes:
+      {{- end }}
+      {{- if .Values.capi.enabled }}
+      - name: tls
+        secret:
+          secretName: rancher-webhook-tls
+      {{- end }}
+      {{- if $auth.clientCA }}
+      - name: client-ca
+        secret:
+          secretName: client-ca
+      {{- end }}
+      {{- if .Values.global.hostNetwork }}
+      hostNetwork: true
+      {{- end }}
+      nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+      {{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+      {{- end }}
+      tolerations: {{ include "linux-node-tolerations" . | nindent 6 }}
+      {{- if .Values.tolerations }}
+{{ toYaml .Values.tolerations | indent 6 }}
+      {{- end }}
+      containers:
+      - env:
+        - name: STAMP
+          value: "{{.Values.stamp}}"
+        - name: ENABLE_CAPI
+          value: "{{.Values.capi.enabled}}"
+        - name: ENABLE_MCM
+          value: "{{.Values.mcm.enabled}}"
+        - name: CATTLE_PORT
+          value: {{.Values.port | default 9443 | quote}}
+        - name: CATTLE_CAPI_PORT
+          value: {{.Values.capi.port | default 8777 | quote}}
+        - name: NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        {{- if $auth.allowedCNs }}
+        - name: ALLOWED_CNS
+          value: '{{ join "," $auth.allowedCNs }}'
+        {{- end }}
+        image: '{{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}'
+        name: rancher-webhook
+        imagePullPolicy: "{{ .Values.image.imagePullPolicy }}"
+        ports:
+        - name: https
+          containerPort: {{ .Values.port | default 9443 }}
+        - name: capi-https
+          containerPort: {{ .Values.capi.port | default 8777}}
+        startupProbe:
+          httpGet:
+            path: "/healthz"
+            port: "https"
+            scheme: "HTTPS"
+          failureThreshold: 60
+          periodSeconds: 5
+        livenessProbe:
+          httpGet:
+            path: "/healthz"
+            port: "https"
+            scheme: "HTTPS"
+          periodSeconds: 5
+        {{- if or .Values.capi.enabled $auth.clientCA }}
+        volumeMounts:
+        {{- end }}
+        {{- if .Values.capi.enabled }}
+        - name: tls
+          mountPath: /tmp/k8s-webhook-server/serving-certs
+          readOnly: true
+        {{- end }}
+        {{- if $auth.clientCA }}
+        - name: client-ca
+          mountPath: /tmp/k8s-webhook-server/client-ca
+          readOnly: true
+        {{- end }}
+        {{- if .Values.capNetBindService }}
+        securityContext:
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+        {{- end }}
+      serviceAccountName: rancher-webhook
+      {{- if .Values.priorityClassName }}
+      priorityClassName: "{{.Values.priorityClassName}}"
+      {{- end }}
diff --git a/charts/rancher-webhook/104.0.0+up0.4.0-rc1/templates/rbac.yaml b/charts/rancher-webhook/104.0.0+up0.4.0-rc1/templates/rbac.yaml
new file mode 100644
index 00000000000..f4364995c0d
--- /dev/null
+++ b/charts/rancher-webhook/104.0.0+up0.4.0-rc1/templates/rbac.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: rancher-webhook
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- kind: ServiceAccount
+  name: rancher-webhook
+  namespace: {{.Release.Namespace}}
\ No newline at end of file
diff --git a/charts/rancher-webhook/104.0.0+up0.4.0-rc1/templates/secret.yaml b/charts/rancher-webhook/104.0.0+up0.4.0-rc1/templates/secret.yaml
new file mode 100644
index 00000000000..9fd331dc1ea
--- /dev/null
+++ b/charts/rancher-webhook/104.0.0+up0.4.0-rc1/templates/secret.yaml
@@ -0,0 +1,11 @@
+{{- $auth := .Values.auth | default dict }}
+{{- if $auth.clientCA }}
+apiVersion: v1
+data:
+  ca.crt: {{ $auth.clientCA }}
+kind: Secret
+metadata:
+  name: client-ca
+  namespace: cattle-system
+type: Opaque
+{{- end }}
diff --git a/charts/rancher-webhook/104.0.0+up0.4.0-rc1/templates/service.yaml b/charts/rancher-webhook/104.0.0+up0.4.0-rc1/templates/service.yaml
new file mode 100644
index 00000000000..220afebeae8
--- /dev/null
+++ b/charts/rancher-webhook/104.0.0+up0.4.0-rc1/templates/service.yaml
@@ -0,0 +1,13 @@
+kind: Service
+apiVersion: v1
+metadata:
+  name: rancher-webhook
+  namespace: cattle-system
+spec:
+  ports:
+  - port: 443
+    targetPort: {{ .Values.port | default 9443 }}
+    protocol: TCP
+    name: https
+  selector:
+    app: rancher-webhook
diff --git a/charts/rancher-webhook/104.0.0+up0.4.0-rc1/templates/serviceaccount.yaml b/charts/rancher-webhook/104.0.0+up0.4.0-rc1/templates/serviceaccount.yaml
new file mode 100644
index 00000000000..9e7ad7e1fe2
--- /dev/null
+++ b/charts/rancher-webhook/104.0.0+up0.4.0-rc1/templates/serviceaccount.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: rancher-webhook
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: rancher-webhook-sudo
+  annotations:
+    cattle.io/description: "SA which can be impersonated to bypass rancher-webhook validation"
\ No newline at end of file
diff --git a/charts/rancher-webhook/104.0.0+up0.4.0-rc1/templates/webhook.yaml b/charts/rancher-webhook/104.0.0+up0.4.0-rc1/templates/webhook.yaml
new file mode 100644
index 00000000000..53a0687b6f0
--- /dev/null
+++ b/charts/rancher-webhook/104.0.0+up0.4.0-rc1/templates/webhook.yaml
@@ -0,0 +1,9 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: rancher.cattle.io
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: rancher.cattle.io
diff --git a/charts/rancher-webhook/104.0.0+up0.4.0-rc1/tests/README.md b/charts/rancher-webhook/104.0.0+up0.4.0-rc1/tests/README.md
new file mode 100644
index 00000000000..6d3059a005f
--- /dev/null
+++ b/charts/rancher-webhook/104.0.0+up0.4.0-rc1/tests/README.md
@@ -0,0 +1,16 @@
+
+## local dev testing instructions
+
+Option 1: Full chart CI run with a live cluster
+
+```bash
+./scripts/charts/ci 
+```
+
+Option 2: Test runs against the chart only 
+
+```bash
+# install the helm plugin first - helm plugin install https://github.com/helm-unittest/helm-unittest.git
+bash dev-scripts/helm-unittest.sh
+```
+
diff --git a/charts/rancher-webhook/104.0.0+up0.4.0-rc1/tests/capi-service_test.yaml b/charts/rancher-webhook/104.0.0+up0.4.0-rc1/tests/capi-service_test.yaml
new file mode 100644
index 00000000000..4ee94a84a4d
--- /dev/null
+++ b/charts/rancher-webhook/104.0.0+up0.4.0-rc1/tests/capi-service_test.yaml
@@ -0,0 +1,20 @@
+suite: Test Service
+templates:
+  - charts/capi/templates/service.yaml
+tests:
+  - it: should set webhook default port values
+    set:
+      capi.enabled: true
+    asserts:
+      - equal:
+          path: spec.ports[0].targetPort
+          value: 8777
+
+  - it: should set updated target port
+    set:
+      capi.port: 2319
+      capi.enabled: true
+    asserts:
+      - equal:
+          path: spec.ports[0].targetPort
+          value: 2319
diff --git a/charts/rancher-webhook/104.0.0+up0.4.0-rc1/tests/deployment_test.yaml b/charts/rancher-webhook/104.0.0+up0.4.0-rc1/tests/deployment_test.yaml
new file mode 100644
index 00000000000..5f153461c44
--- /dev/null
+++ b/charts/rancher-webhook/104.0.0+up0.4.0-rc1/tests/deployment_test.yaml
@@ -0,0 +1,94 @@
+suite: Test Deployment
+templates:
+  - deployment.yaml
+
+tests:
+  - it: should set webhook default port values
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].ports[0].containerPort
+          value: 9443
+      - equal:
+          path: spec.template.spec.containers[0].ports[1].containerPort
+          value: 8777
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: CATTLE_PORT
+            value: "9443"
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: CATTLE_CAPI_PORT
+            value: "8777"
+
+  - it: should set updated webhook port
+    set:
+      port: 2319
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].ports[0].containerPort
+          value: 2319
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: CATTLE_PORT
+            value: "2319"
+
+  - it: should set updated capi port
+    set:
+      capi.port: 2319
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].ports[1].containerPort
+          value: 2319
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: CATTLE_CAPI_PORT
+            value: "2319"
+
+  - it: should not set capabilities by default.
+    asserts:
+      - isNull:
+          path: spec.template.spec.containers[0].securityContext
+
+  - it: should set net capabilities when capNetBindService is true.
+    set:
+      capNetBindService: true
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].securityContext.capabilities.add
+          content: NET_BIND_SERVICE
+
+  - it: should not set volumes or volumeMounts by default
+    asserts:
+      - isNull:
+          path: spec.template.spec.volumes
+      - isNull:
+          path: spec.template.spec.volumeMounts
+
+  - it: should set CA fields when CA options are set
+    set:
+      auth.clientCA: base64-encoded-cert
+      auth.allowedCNs:
+        - kube-apiserver
+        - joe
+    asserts:
+      - contains:
+          path: spec.template.spec.volumes
+          content:
+            name: client-ca
+            secret:
+              secretName: client-ca
+      - contains:
+          path: spec.template.spec.containers[0].volumeMounts
+          content:
+            name: client-ca
+            mountPath: /tmp/k8s-webhook-server/client-ca
+            readOnly: true
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: ALLOWED_CNS
+            value: kube-apiserver,joe
diff --git a/charts/rancher-webhook/104.0.0+up0.4.0-rc1/tests/service_test.yaml b/charts/rancher-webhook/104.0.0+up0.4.0-rc1/tests/service_test.yaml
new file mode 100644
index 00000000000..03172ad0332
--- /dev/null
+++ b/charts/rancher-webhook/104.0.0+up0.4.0-rc1/tests/service_test.yaml
@@ -0,0 +1,18 @@
+suite: Test Service
+templates:
+  - service.yaml
+
+tests:
+  - it: should set webhook default port values
+    asserts:
+      - equal:
+          path: spec.ports[0].targetPort
+          value: 9443
+
+  - it: should set updated target port
+    set:
+      port: 2319
+    asserts:
+      - equal:
+          path: spec.ports[0].targetPort
+          value: 2319
diff --git a/charts/rancher-webhook/104.0.0+up0.4.0-rc1/values.yaml b/charts/rancher-webhook/104.0.0+up0.4.0-rc1/values.yaml
new file mode 100644
index 00000000000..b442e3813bd
--- /dev/null
+++ b/charts/rancher-webhook/104.0.0+up0.4.0-rc1/values.yaml
@@ -0,0 +1,34 @@
+image:
+  repository: rancher/rancher-webhook
+  tag: v0.4.0-rc1
+  imagePullPolicy: IfNotPresent
+
+global:
+  cattle:
+    systemDefaultRegistry: ""
+  hostNetwork: false
+
+capi:
+  enabled: false
+  port: 8777
+
+mcm:
+  enabled: true
+
+# tolerations for the webhook deployment. See https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ for more info
+tolerations: []
+nodeSelector: {}
+
+## PriorityClassName assigned to deployment.
+priorityClassName: ""
+
+# port assigns which port to use when running rancher-webhook
+port: 9443
+
+# Parameters for authenticating the kube-apiserver.
+auth:
+  # CA for authenticating kube-apiserver client certs. If empty, client connections will not be authenticated.
+  # Must be base64-encoded.
+  clientCA: ""
+  # Allowlist of CNs for kube-apiserver client certs. If empty, any cert signed by the CA provided in clientCA will be accepted.
+  allowedCNs: []
diff --git a/index.yaml b/index.yaml
index 3881cb0854d..d1674527320 100755
--- a/index.yaml
+++ b/index.yaml
@@ -14479,6 +14479,28 @@ entries:
     - assets/rancher-vsphere-csi/rancher-vsphere-csi-2.1.000.tgz
     version: 2.1.000
   rancher-webhook:
+  - annotations:
+      catalog.cattle.io/certified: rancher
+      catalog.cattle.io/hidden: "true"
+      catalog.cattle.io/kube-version: '>= 1.16.0-0 < 1.27.0-0'
+      catalog.cattle.io/namespace: cattle-system
+      catalog.cattle.io/os: linux
+      catalog.cattle.io/permits-os: linux,windows
+      catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0'
+      catalog.cattle.io/release-name: rancher-webhook
+    apiVersion: v2
+    appVersion: 0.4.0-rc1
+    created: "2023-08-18T13:23:25.866583636-07:00"
+    dependencies:
+    - condition: capi.enabled
+      name: capi
+      repository: ""
+    description: ValidatingAdmissionWebhook for Rancher types
+    digest: 81e0a456e42e781e48bf83d9eb3b2437bbe9349f15151aec14d8e55ebfaa8773
+    name: rancher-webhook
+    urls:
+    - assets/rancher-webhook/rancher-webhook-104.0.0+up0.4.0-rc1.tgz
+    version: 104.0.0+up0.4.0-rc1
   - annotations:
       catalog.cattle.io/certified: rancher
       catalog.cattle.io/hidden: "true"