Merge remote-tracking branch 'upstream/release-v2.8' into sync-up-dev…

…_2.8.5_emergency

charts/rancher-webhook/2.0.11+up0.3.11/Chart.yaml

@@ -0,0 +1,18 @@
+annotations:
+  catalog.cattle.io/certified: rancher
+  catalog.cattle.io/hidden: "true"
+  catalog.cattle.io/kube-version: '>= 1.23.0-0 < 1.28.0-0'
+  catalog.cattle.io/namespace: cattle-system
+  catalog.cattle.io/os: linux
+  catalog.cattle.io/permits-os: linux,windows
+  catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0'
+  catalog.cattle.io/release-name: rancher-webhook
+apiVersion: v2
+appVersion: 0.3.11
+dependencies:
+- condition: capi.enabled
+  name: capi
+  repository: ""
+description: ValidatingAdmissionWebhook for Rancher types
+name: rancher-webhook
+version: 2.0.11+up0.3.11

charts/rancher-webhook/2.0.11+up0.3.11/charts/capi/Chart.yaml

@@ -0,0 +1,4 @@
+apiVersion: v2
+appVersion: 0.0.0
+name: capi
+version: 0.0.0

charts/rancher-webhook/2.0.11+up0.3.11/charts/capi/templates/service.yaml

@@ -0,0 +1,13 @@
+kind: Service
+apiVersion: v1
+metadata:
+  name: webhook-service
+  annotations:
+    need-a-cert.cattle.io/secret-name: rancher-webhook-tls
+spec:
+  ports:
+  - name: https
+    port: 443
+    targetPort: {{ .Values.port | default 8777 }}
+  selector:
+    app: rancher-webhook

charts/rancher-webhook/2.0.11+up0.3.11/templates/_helpers.tpl

@@ -0,0 +1,22 @@
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- else -}}
+{{- "" -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "rancher-webhook.labels" -}}
+app: rancher-webhook
+{{- end }}
+
+{{- define "linux-node-tolerations" -}}
+- key: "cattle.io/os"
+  value: "linux"
+  effect: "NoSchedule"
+  operator: "Equal"
+{{- end -}}
+
+{{- define "linux-node-selector" -}}
+kubernetes.io/os: linux
+{{- end -}}

charts/rancher-webhook/2.0.11+up0.3.11/templates/deployment.yaml

@@ -0,0 +1,83 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: rancher-webhook
+spec:
+  selector:
+    matchLabels:
+      app: rancher-webhook
+  template:
+    metadata:
+      labels:
+        app: rancher-webhook
+    spec:
+      {{- if .Values.capi.enabled }}
+      volumes:
+      - name: tls
+        secret:
+          secretName: rancher-webhook-tls
+      {{- end }}
+      {{- if .Values.global.hostNetwork }}
+      hostNetwork: true
+      {{- end }}
+      nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+      {{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+      {{- end }}
+      tolerations: {{ include "linux-node-tolerations" . | nindent 6 }}
+      {{- if .Values.tolerations }}
+{{ toYaml .Values.tolerations | indent 6 }}
+      {{- end }}
+      containers:
+      - env:
+        - name: STAMP
+          value: "{{.Values.stamp}}"
+        - name: ENABLE_CAPI
+          value: "{{.Values.capi.enabled}}"
+        - name: ENABLE_MCM
+          value: "{{.Values.mcm.enabled}}"
+        - name: CATTLE_PORT
+          value: {{.Values.port | default 9443 | quote}}
+        - name: CATTLE_CAPI_PORT
+          value: {{.Values.capi.port | default 8777 | quote}}
+        - name: NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: '{{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}'
+        name: rancher-webhook
+        imagePullPolicy: "{{ .Values.image.imagePullPolicy }}"
+        ports:
+        - name: https
+          containerPort: {{ .Values.port | default 9443 }}
+        - name: capi-https
+          containerPort: {{ .Values.capi.port | default 8777}}
+        startupProbe:
+          httpGet:
+            path: "/healthz"
+            port: "https"
+            scheme: "HTTPS"
+          failureThreshold: 60
+          periodSeconds: 5
+        livenessProbe:
+          httpGet:
+            path: "/healthz"
+            port: "https"
+            scheme: "HTTPS"
+          periodSeconds: 5
+        {{- if .Values.capi.enabled }}
+        volumeMounts:
+        - name: tls
+          mountPath: /tmp/k8s-webhook-server/serving-certs
+        {{- end }}
+        {{- if .Values.capNetBindService }}
+        securityContext:
+          capabilities:
+            add:
+            - NET_BIND_SERVICE 
+        {{- end }}
+      serviceAccountName: rancher-webhook
+      {{- if .Values.priorityClassName }}
+      priorityClassName: "{{.Values.priorityClassName}}"
+      {{- end }}
+

charts/rancher-webhook/2.0.11+up0.3.11/templates/rbac.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: rancher-webhook
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- kind: ServiceAccount
+  name: rancher-webhook
+  namespace: {{.Release.Namespace}}

charts/rancher-webhook/2.0.11+up0.3.11/templates/service.yaml

@@ -0,0 +1,13 @@
+kind: Service
+apiVersion: v1
+metadata:
+  name: rancher-webhook
+  namespace: cattle-system
+spec:
+  ports:
+  - port: 443
+    targetPort: {{ .Values.port | default 9443 }}
+    protocol: TCP
+    name: https
+  selector:
+    app: rancher-webhook

charts/rancher-webhook/2.0.11+up0.3.11/templates/serviceaccount.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: rancher-webhook
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: rancher-webhook-sudo
+  annotations:
+    cattle.io/description: "SA which can be impersonated to bypass rancher-webhook validation"

charts/rancher-webhook/2.0.11+up0.3.11/templates/webhook.yaml

@@ -0,0 +1,9 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: rancher.cattle.io
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: rancher.cattle.io

charts/rancher-webhook/2.0.11+up0.3.11/tests/README.md

@@ -0,0 +1,16 @@
+
+## local dev testing instructions
+
+Option 1: Full chart CI run with a live cluster
+
+```bash
+./scripts/charts/ci 
+```
+
+Option 2: Test runs against the chart only 
+
+```bash
+# install the helm plugin first - helm plugin install https://github.com/helm-unittest/helm-unittest.git
+bash dev-scripts/helm-unittest.sh
+```
+

charts/rancher-webhook/2.0.11+up0.3.11/tests/capi-service_test.yaml

@@ -0,0 +1,20 @@
+suite: Test Service
+templates:
+  - charts/capi/templates/service.yaml
+tests:
+  - it: should set webhook default port values
+    set:
+      capi.enabled: true
+    asserts:
+      - equal:
+          path: spec.ports[0].targetPort
+          value: 8777
+
+  - it: should set updated target port
+    set:
+      capi.port: 2319
+      capi.enabled: true
+    asserts:
+      - equal:
+          path: spec.ports[0].targetPort
+          value: 2319

charts/rancher-webhook/2.0.11+up0.3.11/tests/deployment_test.yaml

@@ -0,0 +1,62 @@
+suite: Test Deployment
+templates:
+  - deployment.yaml
+
+tests:
+  - it: should set webhook default port values
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].ports[0].containerPort
+          value: 9443
+      - equal:
+          path: spec.template.spec.containers[0].ports[1].containerPort
+          value: 8777
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: CATTLE_PORT
+            value: "9443"
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: CATTLE_CAPI_PORT
+            value: "8777"
+
+  - it: should set updated webhook port
+    set:
+      port: 2319
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].ports[0].containerPort
+          value: 2319
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: CATTLE_PORT
+            value: "2319"
+
+  - it: should set updated capi port
+    set:
+      capi.port: 2319
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].ports[1].containerPort
+          value: 2319
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: CATTLE_CAPI_PORT
+            value: "2319"
+
+  - it: should not set capabilities by default.
+    asserts:
+      - isNull:
+          path: spec.template.spec.containers[0].securityContext
+
+  - it: should set net capabilities when capNetBindService is true.
+    set:
+      capNetBindService: true
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].securityContext.capabilities.add
+          content: NET_BIND_SERVICE

charts/rancher-webhook/2.0.11+up0.3.11/tests/service_test.yaml

@@ -0,0 +1,18 @@
+suite: Test Service
+templates:
+  - service.yaml
+
+tests:
+  - it: should set webhook default port values
+    asserts:
+      - equal:
+          path: spec.ports[0].targetPort
+          value: 9443
+
+  - it: should set updated target port
+    set:
+      port: 2319
+    asserts:
+      - equal:
+          path: spec.ports[0].targetPort
+          value: 2319

charts/rancher-webhook/2.0.11+up0.3.11/values.yaml

@@ -0,0 +1,26 @@
+image:
+  repository: rancher/rancher-webhook
+  tag: v0.3.11
+  imagePullPolicy: IfNotPresent
+
+global:
+  cattle:
+    systemDefaultRegistry: ""
+  hostNetwork: false
+
+capi:
+  enabled: false
+  port: 8777
+
+mcm:
+  enabled: true
+
+# tolerations for the webhook deployment. See https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ for more info
+tolerations: []
+nodeSelector: {}
+
+## PriorityClassName assigned to deployment.
+priorityClassName: ""
+
+# port assigns which port to use when running rancher-webhook
+port: 9443

index.yaml

@@ -21468,6 +21468,28 @@ entries:
     urls:
     - assets/rancher-webhook/rancher-webhook-103.0.0+up0.4.0.tgz
     version: 103.0.0+up0.4.0
+  - annotations:
+      catalog.cattle.io/certified: rancher
+      catalog.cattle.io/hidden: "true"
+      catalog.cattle.io/kube-version: '>= 1.23.0-0 < 1.28.0-0'
+      catalog.cattle.io/namespace: cattle-system
+      catalog.cattle.io/os: linux
+      catalog.cattle.io/permits-os: linux,windows
+      catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0'
+      catalog.cattle.io/release-name: rancher-webhook
+    apiVersion: v2
+    appVersion: 0.3.11
+    created: "2024-06-13T11:27:20.782619874-03:00"
+    dependencies:
+    - condition: capi.enabled
+      name: capi
+      repository: ""
+    description: ValidatingAdmissionWebhook for Rancher types
+    digest: e2f551b3b0f8565c200471cc9acac3694c43da35be6e6588c3083083e180ee0c
+    name: rancher-webhook
+    urls:
+    - assets/rancher-webhook/rancher-webhook-2.0.11+up0.3.11.tgz
+    version: 2.0.11+up0.3.11
   - annotations:
       catalog.cattle.io/certified: rancher
       catalog.cattle.io/hidden: "true"

regsync.yaml

@@ -1793,6 +1793,7 @@ sync:
     - v0.2.9
     - v0.3.0
     - v0.3.10
+    - v0.3.11
     - v0.3.2
     - v0.3.3
     - v0.3.4
@@ -1805,6 +1806,7 @@ sync:
     - v0.4.3
     - v0.4.5
     - v0.4.6
+    - v0.4.7
 - source: docker.io/rancher/security-scan
   target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/security-scan'
   type: repository

release.yaml

@@ -5,5 +5,3 @@ neuvector:
   - 103.0.4+up2.7.7
 neuvector-crd:
   - 103.0.4+up2.7.7
-rancher-webhook:
-  - 103.0.6+up0.4.7