From 9584d56d5b23c27b7817e2c8104b1cd0b9b1e683 Mon Sep 17 00:00:00 2001 From: Chad Roberts Date: Mon, 29 Apr 2024 13:14:37 -0400 Subject: [PATCH 1/3] Bump rancher-webhook to v0.5.0-rc8 --- packages/rancher-webhook/package.yaml | 2 +- release.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/packages/rancher-webhook/package.yaml b/packages/rancher-webhook/package.yaml index ebddc19d8d..f6fb6ae087 100644 --- a/packages/rancher-webhook/package.yaml +++ b/packages/rancher-webhook/package.yaml @@ -1,3 +1,3 @@ -url: https://github.com/rancher/webhook/releases/download/v0.5.0-rc7/rancher-webhook-0.5.0-rc7.tgz +url: https://github.com/rancher/webhook/releases/download/v0.5.0-rc8/rancher-webhook-0.5.0-rc8.tgz version: 104.0.0 doNotRelease: false diff --git a/release.yaml b/release.yaml index bb4108a245..8c44870fd1 100644 --- a/release.yaml +++ b/release.yaml @@ -158,7 +158,7 @@ rancher-vsphere-csi: - 102.2.0+up3.0.2-rancher1 - 103.1.0+up3.1.2-rancher1 rancher-webhook: - - 104.0.0+up0.5.0-rc7 + - 104.0.0+up0.5.0-rc8 - 2.0.7+up0.3.7 - 103.0.2+up0.4.3 rancher-windows-gmsa: From b8c8ab2e47f6ae416533efb64a24e2a2857cabac Mon Sep 17 00:00:00 2001 
From: Chad Roberts Date: Mon, 29 Apr 2024 13:16:02 -0400 Subject: [PATCH 2/3] make charts --- .../rancher-webhook-104.0.0+up0.5.0-rc8.tgz | Bin 0 -> 2805 bytes .../104.0.0+up0.5.0-rc8/Chart.yaml | 14 +++ .../templates/_helpers.tpl | 22 +++++ .../templates/deployment.yaml | 82 ++++++++++++++++++ .../104.0.0+up0.5.0-rc8/templates/rbac.yaml | 12 +++ .../104.0.0+up0.5.0-rc8/templates/secret.yaml | 11 +++ .../templates/service.yaml | 13 +++ .../templates/serviceaccount.yaml | 11 +++ .../templates/webhook.yaml | 9 ++ .../104.0.0+up0.5.0-rc8/tests/README.md | 16 ++++ .../tests/deployment_test.yaml | 73 ++++++++++++++++ .../tests/service_test.yaml | 18 ++++ .../104.0.0+up0.5.0-rc8/values.yaml | 30 +++++++ 13 files changed, 311 insertions(+) create mode 100644 assets/rancher-webhook/rancher-webhook-104.0.0+up0.5.0-rc8.tgz create mode 100644 charts/rancher-webhook/104.0.0+up0.5.0-rc8/Chart.yaml create mode 100644 charts/rancher-webhook/104.0.0+up0.5.0-rc8/templates/_helpers.tpl create mode 100644 charts/rancher-webhook/104.0.0+up0.5.0-rc8/templates/deployment.yaml create mode 100644 charts/rancher-webhook/104.0.0+up0.5.0-rc8/templates/rbac.yaml create mode 100644 charts/rancher-webhook/104.0.0+up0.5.0-rc8/templates/secret.yaml create mode 100644 charts/rancher-webhook/104.0.0+up0.5.0-rc8/templates/service.yaml create mode 100644 charts/rancher-webhook/104.0.0+up0.5.0-rc8/templates/serviceaccount.yaml create mode 100644 charts/rancher-webhook/104.0.0+up0.5.0-rc8/templates/webhook.yaml create mode 100644 charts/rancher-webhook/104.0.0+up0.5.0-rc8/tests/README.md create mode 100644 charts/rancher-webhook/104.0.0+up0.5.0-rc8/tests/deployment_test.yaml create mode 100644 charts/rancher-webhook/104.0.0+up0.5.0-rc8/tests/service_test.yaml create mode 100644 charts/rancher-webhook/104.0.0+up0.5.0-rc8/values.yaml 
diff --git a/assets/rancher-webhook/rancher-webhook-104.0.0+up0.5.0-rc8.tgz b/assets/rancher-webhook/rancher-webhook-104.0.0+up0.5.0-rc8.tgz new file mode 100644 index 0000000000000000000000000000000000000000..963b06993182e168688b4506f2444b50900e136d GIT binary patch literal 2805 zcmVDc zVQyr3R8em|NM&qo0PH($Z`(MN{j6UxaPH6#SIM&DIIVDdfY;6L6=>Wb3A%W&SY&Bw zY;#MIDoHu(P4nL$kb1Es%W<~}obCh9msot68Ito#P9)*s0;PM4(}fV9y5j|r+FOyB zy?8S4ecvAr2KKM-`^~>Szc+Z%8w`8Lrzid4$;k`9H|P(0FTj5~7PdpGG?6d-N7HI9 z?jHh#bD@c*f~&v*2#F?4%)O9k&CsKw8=};7MllK?mzCCG3mQep1L$a(VyAV;r*w+$ z5~ZSo2k`R$et@3WKlXgrhyOJ{-goqe@7K0c4G?S}Bcj>tLY*V3enSw)Q3{ zW2%)~j(T-Vc_eOC>*zu~YHattH#ygRujg;)S|UTD&^6qbyH{wMLlXM2z`E=^BuUCo z-#hVqSB9^h2vsO)qHXg>!e~S^?*nK|=4dRx#6&2ngnpsi+ne~2)GmV|@cm}u2i;R2(SQ9gHZNkfCUs|n@WB|LK1)Vh{h zEF=QuGvQSD2;kS>94;cfLWZFhGJv~#$2mHJ3rU5fdNpQ5sR@Y@h*EUUF#;{B>^ezv zq}>|l2ofQ6K1;#vf`*H%Nef67!tDY%$dq%+=NqQq3=H7SU~p_OT@XoP)F`u!BdJ~> z*EF>5#qOhZ*Ce3|bz)NxxzLhr{9EVE^|4cXuvCIHMe)lUe1PC^O49GPlbeaPRLOGmy@} z`EPD>=^dIp{UR^84wAwZ_E{OGLtK^|@VcB(6CNVmtx6q(8pkR;iR zj|)sqL^e}!jajdFfgF(wpU^n3Y6fD=kqxDSe6DH0*$hJ+KxZPZGDl-GC6O3>#!+<6 zKBt6rwy&qchRWSb#zWnytuvqsruOsSuKyK>^vGy%hyD+S{%J%1PY1n2{=XM60`gzR z=|b>Bshjru3*?3XA{uJ28nez=Ns_4UvgdrFJPP1#DJxElnnXks6DqXlpen)8^cE7F zg@iHD;o`m3&#VEURYL&^5zXgS=ow%&6kCx16l@sCjho#FuXOSE_j&hHur$UJshck> z8|a3lB&INwsMo}cmPzaQim|D&(J+yffOtK$7A4zocni)(D0&B!hb)b@850k_0H-`M zA=2xuoK=y6HNc?7zevp5M|^>Hj5S7UG4vKbYqqz_>ToNo)fAzX)9Qed(cuG(hJu@% z0A)oWkT2J#UdYGQ_2~SfA`68>xVtN8D^23${=Ty@^=vZw@%`D&`S|?7`EeL~c~aDd zWjwmRet&jz@!|4%6U`cnO(E9mZc+sJ0-sZ%v0U^T>11?%c6BitpEXhbBt={meSjH7 z7G2`3-kP^x5WNUW_4UdtzH)3$Dc7MjwD2@~|Ng@-XK!!DldH{zzP!7GKLq8_dDUsd z_OeE?cGP)#o8c(z&I5sx2lw}Pccp0A$=*7%hWqvagZg(~iHike| zGR#q{O-Z%6ab@R95x=lWV}(SUtW>tkI8&V_7g9{Idg_M2&vnZPkXQ-mbQegNUi{Um zcUsCF%UQk0Bqqij8K+Jyk1CD3&ElQhJK|xK}kh)g`wb)3gD#dVswcd zm3k(&xAL{aEftRGT%^41R5$$-Ky1cls@K(V(*5*W6*A^#339h>nnV(P;A~a%HLVKM zFux&5Ca8a;Ji0=;q#@R%1;fS2AmyZMQWQ0dS?@;<$`31u1Rk6EfT%1gn}=rrZ?uL$_1 zV3N$Zka%GpK5ot_ 
z^wkJiiw&s;AzNSn^(w&tJ|yIGiq7}oP5*iDkp5d!`UD1Gr~VK9&HMku{oh`o<~Ey( zyxX-upq$11TA6aXd2%!u9NPd`6FEoycQVXG3N1px0=OP$7c2GjwSJ@6dh_?(`~AJa zPW>lYDD@aKurvPm8}EO8zkhsu(EoivL*rYc=-p<(b={`z_%=+gN+Xj2G|Cc->JeM9 zQ7wt&oYBG5QNsRSoFE325U5~5U-3@r0fI>9^7eFD!5+x5SAGu?y#KWWx~ z4Tr=2LI3vwwKu(@sx-gQZodLpSE1&`r(?lqbe?9zx2yQNFm}USd>!HQR6maFbMN){ z2%Gw^wCY}-jozN0d2#e4GtmGt5mn)n>i*FK31MJZM(;wi(xEOBqtf;o;AldO;G0MtUHECPkPQhuG~?>3#!{;MF% z%9X;(8?+1fIn4^h>+h>7!O$z%@a)&R@ZwkhH+xTDf7BkUH=qCC6!#5=SUy&L13l!+ z#tS*}#>?4Z~2!Y1_LriEQ3d>|s(YNUh(XvpbajaqrFZY-dUNd)ZFI(B^h> zq3xDd-;rUuD#X%j-#n@&Df^b)YrJH)o-S{)W6Sk7AIPb)kL+Ia@!(LDNOauVM@HDjsu49BCacqu=;@d!kcm5vdK zW<>MQYVRIF<9`_35K9$n)FoA`IqLtwQ0e$XJjLnP_iKkXwiSo8)jh(F+Q&ypXziFD z!S**6!)z&s*^fDFFLf);VO>^U83}pN|F_3~`Q7hR1b<(V|D7Cf)PMV@hx?zsKsEj= zUV$3HU-cnyZ;@Xaj;vpawuE*M1yb4MCy%4PiaCq=xsUe%2ROh1w!*&y00960u8?No H07d`+3q6f} literal 0 HcmV?d00001 diff --git a/charts/rancher-webhook/104.0.0+up0.5.0-rc8/Chart.yaml b/charts/rancher-webhook/104.0.0+up0.5.0-rc8/Chart.yaml new file mode 100644 index 0000000000..0d5deb92ef --- /dev/null +++ b/charts/rancher-webhook/104.0.0+up0.5.0-rc8/Chart.yaml @@ -0,0 +1,14 @@ +annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/kube-version: '>= 1.23.0-0 < 1.29.0-0' + catalog.cattle.io/namespace: cattle-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/rancher-version: '>= 2.9.0-0 < 2.10.0-0' + catalog.cattle.io/release-name: rancher-webhook +apiVersion: v2 +appVersion: 0.5.0-rc8 +description: ValidatingAdmissionWebhook for Rancher types +name: rancher-webhook +version: 104.0.0+up0.5.0-rc8 diff --git a/charts/rancher-webhook/104.0.0+up0.5.0-rc8/templates/_helpers.tpl b/charts/rancher-webhook/104.0.0+up0.5.0-rc8/templates/_helpers.tpl new file mode 100644 index 0000000000..c37a65c6f3 --- /dev/null +++ b/charts/rancher-webhook/104.0.0+up0.5.0-rc8/templates/_helpers.tpl 
@@ -0,0 +1,22 @@
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- else -}}
+{{- "" -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "rancher-webhook.labels" -}}
+app: rancher-webhook
+{{- end }}
+
+{{- define "linux-node-tolerations" -}}
+- key: "cattle.io/os"
+ value: "linux"
+ effect: "NoSchedule"
+ operator: "Equal"
+{{- end -}}
+
+{{- define "linux-node-selector" -}}
+kubernetes.io/os: linux
+{{- end -}}
\ No newline at end of file
diff --git a/charts/rancher-webhook/104.0.0+up0.5.0-rc8/templates/deployment.yaml b/charts/rancher-webhook/104.0.0+up0.5.0-rc8/templates/deployment.yaml
new file mode 100644
index 0000000000..b8a7201dac
--- /dev/null
+++ b/charts/rancher-webhook/104.0.0+up0.5.0-rc8/templates/deployment.yaml
@@ -0,0 +1,82 @@
+{{- $auth := .Values.auth | default dict }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: rancher-webhook
+spec:
+ selector:
+ matchLabels:
+ app: rancher-webhook
+ template:
+ metadata:
+ labels:
+ app: rancher-webhook
+ spec:
+ {{- if $auth.clientCA }}
+ volumes:
+ - name: client-ca
+ secret:
+ secretName: client-ca
+ {{- end }}
+ {{- if .Values.global.hostNetwork }}
+ hostNetwork: true
+ {{- end }}
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+ {{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+ {{- end }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 6 }}
+ {{- if .Values.tolerations }}
+{{ toYaml .Values.tolerations | indent 6 }}
+ {{- end }}
+ containers:
+ - env:
+ - name: STAMP
+ value: "{{.Values.stamp}}"
+ - name: ENABLE_MCM
+ value: "{{.Values.mcm.enabled}}"
+ - name: CATTLE_PORT
+ value: {{.Values.port | default 9443 | quote}}
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ {{- if $auth.allowedCNs }}
+ - name: ALLOWED_CNS
+ value: '{{ join "," $auth.allowedCNs }}'
+ {{- end }}
+ image: '{{ template "system_default_registry" .
}}{{ .Values.image.repository }}:{{ .Values.image.tag }}'
+ name: rancher-webhook
+ imagePullPolicy: "{{ .Values.image.imagePullPolicy }}"
+ ports:
+ - name: https
+ containerPort: {{ .Values.port | default 9443 }}
+ startupProbe:
+ httpGet:
+ path: "/healthz"
+ port: "https"
+ scheme: "HTTPS"
+ failureThreshold: 60
+ periodSeconds: 5
+ livenessProbe:
+ httpGet:
+ path: "/healthz"
+ port: "https"
+ scheme: "HTTPS"
+ periodSeconds: 5
+ {{- if $auth.clientCA }}
+ volumeMounts:
+ - name: client-ca
+ mountPath: /tmp/k8s-webhook-server/client-ca
+ readOnly: true
+ {{- end }}
+ {{- if .Values.capNetBindService }}
+ securityContext:
+ capabilities:
+ add:
+ - NET_BIND_SERVICE
+ {{- end }}
+ serviceAccountName: rancher-webhook
+ {{- if .Values.priorityClassName }}
+ priorityClassName: "{{.Values.priorityClassName}}"
+ {{- end }}
diff --git a/charts/rancher-webhook/104.0.0+up0.5.0-rc8/templates/rbac.yaml b/charts/rancher-webhook/104.0.0+up0.5.0-rc8/templates/rbac.yaml
new file mode 100644
index 0000000000..f4364995c0
--- /dev/null
+++ b/charts/rancher-webhook/104.0.0+up0.5.0-rc8/templates/rbac.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: rancher-webhook
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+- kind: ServiceAccount
+ name: rancher-webhook
+ namespace: {{.Release.Namespace}}
\ No newline at end of file
diff --git a/charts/rancher-webhook/104.0.0+up0.5.0-rc8/templates/secret.yaml b/charts/rancher-webhook/104.0.0+up0.5.0-rc8/templates/secret.yaml
new file mode 100644
index 0000000000..9fd331dc1e
--- /dev/null
+++ b/charts/rancher-webhook/104.0.0+up0.5.0-rc8/templates/secret.yaml
@@ -0,0 +1,11 @@
+{{- $auth := .Values.auth | default dict }}
+{{- if $auth.clientCA }}
+apiVersion: v1
+data:
+ ca.crt: {{ $auth.clientCA }}
+kind: Secret
+metadata:
+ name: client-ca
+ namespace: cattle-system
+type: Opaque
+{{- end }}
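Review bot: The container in deployment.yaml gets a `securityContext` only when `capNetBindService` is set, so by default it runs with whatever the image and runtime defaults allow, while its service account is bound to `cluster-admin` in rbac.yaml. Consider rendering a baseline unconditionally, for example `allowPrivilegeEscalation: false` with `capabilities.drop: [ALL]`, and adding `NET_BIND_SERVICE` on top only when requested; whether the webhook image tolerates this (its user, binding a low port) has to be confirmed upstream. The test "should not set capabilities by default" in deployment_test.yaml asserts that `securityContext` is null and would need to change with it.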
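Review bot: The `rancher-webhook` service account is bound to the built-in `cluster-admin` ClusterRole in rbac.yaml, so a compromise of the webhook pod or its token amounts to full control of the cluster. If the webhook does not need every verb on every resource, a dedicated ClusterRole listing what it reads and writes would bound that; at minimum add a comment above `roleRef` stating why `cluster-admin` is required. The subject uses `{{.Release.Namespace}}` while secret.yaml and service.yaml hard-code `cattle-system`, so the chart is only consistent when installed there. The chart looks like a generated copy of the upstream release (commit title "make charts"), so the change probably belongs in the upstream chart.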
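Review bot: secret.yaml hard-codes `namespace: cattle-system`, but the Deployment that mounts `client-ca` carries no namespace and lands in the release namespace; installed anywhere else, the pod would wait on a secret that does not exist in its namespace. Use `namespace: {{ .Release.Namespace }}` here, and quote the value, `ca.crt: {{ $auth.clientCA | quote }}`, so an unusual input cannot be re-typed by the YAML parser. The generic name `client-ca` may also collide with an unrelated secret in a shared namespace; a chart-prefixed name would avoid that but needs the matching `secretName` change in deployment.yaml.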
diff --git a/charts/rancher-webhook/104.0.0+up0.5.0-rc8/templates/service.yaml b/charts/rancher-webhook/104.0.0+up0.5.0-rc8/templates/service.yaml
new file mode 100644
index 0000000000..220afebeae
--- /dev/null
+++ b/charts/rancher-webhook/104.0.0+up0.5.0-rc8/templates/service.yaml
@@ -0,0 +1,13 @@
+kind: Service
+apiVersion: v1
+metadata:
+ name: rancher-webhook
+ namespace: cattle-system
+spec:
+ ports:
+ - port: 443
+ targetPort: {{ .Values.port | default 9443 }}
+ protocol: TCP
+ name: https
+ selector:
+ app: rancher-webhook
diff --git a/charts/rancher-webhook/104.0.0+up0.5.0-rc8/templates/serviceaccount.yaml b/charts/rancher-webhook/104.0.0+up0.5.0-rc8/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..9e7ad7e1fe
--- /dev/null
+++ b/charts/rancher-webhook/104.0.0+up0.5.0-rc8/templates/serviceaccount.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: rancher-webhook
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: rancher-webhook-sudo
+ annotations:
+ cattle.io/description: "SA which can be impersonated to bypass rancher-webhook validation"
\ No newline at end of file
diff --git a/charts/rancher-webhook/104.0.0+up0.5.0-rc8/templates/webhook.yaml b/charts/rancher-webhook/104.0.0+up0.5.0-rc8/templates/webhook.yaml
new file mode 100644
index 0000000000..53a0687b6f
--- /dev/null
+++ b/charts/rancher-webhook/104.0.0+up0.5.0-rc8/templates/webhook.yaml
@@ -0,0 +1,9 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: rancher.cattle.io
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: rancher.cattle.io
diff --git a/charts/rancher-webhook/104.0.0+up0.5.0-rc8/tests/README.md b/charts/rancher-webhook/104.0.0+up0.5.0-rc8/tests/README.md
new file mode 100644
index 0000000000..6d3059a005
--- /dev/null
+++ b/charts/rancher-webhook/104.0.0+up0.5.0-rc8/tests/README.md
@@ -0,0 +1,16 @@
+
+## local dev testing instructions
+
+Option 1: Full chart CI run with a live cluster
+
+```bash
+./scripts/charts/ci
+```
+
+Option 2: Test runs against the chart only
+
+```bash
+# install the helm plugin first - helm plugin install https://github.com/helm-unittest/helm-unittest.git
+bash dev-scripts/helm-unittest.sh
+```
+
diff --git a/charts/rancher-webhook/104.0.0+up0.5.0-rc8/tests/deployment_test.yaml b/charts/rancher-webhook/104.0.0+up0.5.0-rc8/tests/deployment_test.yaml
new file mode 100644
index 0000000000..bbd6e30444
--- /dev/null
+++ b/charts/rancher-webhook/104.0.0+up0.5.0-rc8/tests/deployment_test.yaml
@@ -0,0 +1,73 @@
+suite: Test Deployment
+templates:
+ - deployment.yaml
+
+tests:
+ - it: should set webhook default port values
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].ports[0].containerPort
+ value: 9443
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: CATTLE_PORT
+ value: "9443"
+
+ - it: should set updated webhook port
+ set:
+ port: 2319
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].ports[0].containerPort
+ value: 2319
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: CATTLE_PORT
+ value: "2319"
+
+ - it: should not set capabilities by default.
+ asserts:
+ - isNull:
+ path: spec.template.spec.containers[0].securityContext
+
+ - it: should set net capabilities when capNetBindService is true.
+ set:
+ capNetBindService: true
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].securityContext.capabilities.add
+ content: NET_BIND_SERVICE
+
+ - it: should not set volumes or volumeMounts by default
+ asserts:
+ - isNull:
+ path: spec.template.spec.volumes
+ - isNull:
+ path: spec.template.spec.volumeMounts
+
+ - it: should set CA fields when CA options are set
+ set:
+ auth.clientCA: base64-encoded-cert
+ auth.allowedCNs:
+ - kube-apiserver
+ - joe
+ asserts:
+ - contains:
+ path: spec.template.spec.volumes
+ content:
+ name: client-ca
+ secret:
+ secretName: client-ca
+ - contains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ name: client-ca
+ mountPath: /tmp/k8s-webhook-server/client-ca
+ readOnly: true
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: ALLOWED_CNS
+ value: kube-apiserver,joe
diff --git a/charts/rancher-webhook/104.0.0+up0.5.0-rc8/tests/service_test.yaml b/charts/rancher-webhook/104.0.0+up0.5.0-rc8/tests/service_test.yaml
new file mode 100644
index 0000000000..03172ad033
--- /dev/null
+++ b/charts/rancher-webhook/104.0.0+up0.5.0-rc8/tests/service_test.yaml
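Review bot: In "should not set volumes or volumeMounts by default" in deployment_test.yaml, the second `isNull` checks `spec.template.spec.volumeMounts`, a path the template never renders because `volumeMounts` sits under the container, so the assertion passes whether or not the mount is emitted. Point it at the container, `path: spec.template.spec.containers[0].volumeMounts`, as the "should set CA fields when CA options are set" case already does. There is also no case for `auth.allowedCNs` set with `auth.clientCA` empty, where the template still exports `ALLOWED_CNS` although values.yaml states that connections are not authenticated without a CA; a test pinning the intended behaviour would document it.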
@@ -0,0 +1,18 @@
+suite: Test Service
+templates:
+ - service.yaml
+
+tests:
+ - it: should set webhook default port values
+ asserts:
+ - equal:
+ path: spec.ports[0].targetPort
+ value: 9443
+
+ - it: should set updated target port
+ set:
+ port: 2319
+ asserts:
+ - equal:
+ path: spec.ports[0].targetPort
+ value: 2319
diff --git a/charts/rancher-webhook/104.0.0+up0.5.0-rc8/values.yaml b/charts/rancher-webhook/104.0.0+up0.5.0-rc8/values.yaml
new file mode 100644
index 0000000000..2610fddf78
--- /dev/null
+++ b/charts/rancher-webhook/104.0.0+up0.5.0-rc8/values.yaml
@@ -0,0 +1,30 @@
+image:
+ repository: rancher/rancher-webhook
+ tag: v0.5.0-rc8
+ imagePullPolicy: IfNotPresent
+
+global:
+ cattle:
+ systemDefaultRegistry: ""
+ hostNetwork: false
+
+mcm:
+ enabled: true
+
+# tolerations for the webhook deployment. See https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ for more info
+tolerations: []
+nodeSelector: {}
+
+## PriorityClassName assigned to deployment.
+priorityClassName: ""
+
+# port assigns which port to use when running rancher-webhook
+port: 9443
+
+# Parameters for authenticating the kube-apiserver.
+auth:
+ # CA for authenticating kube-apiserver client certs. If empty, client connections will not be authenticated.
+ # Must be base64-encoded.
+ clientCA: ""
+ # Allowlist of CNs for kube-apiserver client certs. If empty, any cert signed by the CA provided in clientCA will be accepted.
+ allowedCNs: []
From 828801b3bc73e87a53d218cb4e0391c520b86817 Mon Sep 17 00:00:00 2001
From: Chad Roberts Date: Mon, 29 Apr 2024 13:17:35 -0400 Subject: [PATCH 3/3] make remove --- .../rancher-webhook-104.0.0+up0.5.0-rc7.tgz | Bin 2804 -> 0 bytes .../104.0.0+up0.5.0-rc7/Chart.yaml | 14 --- .../templates/_helpers.tpl | 22 ----- .../templates/deployment.yaml | 82 ------------------ .../104.0.0+up0.5.0-rc7/templates/rbac.yaml | 12 --- .../104.0.0+up0.5.0-rc7/templates/secret.yaml | 11 --- .../templates/service.yaml | 13 --- .../templates/serviceaccount.yaml | 11 --- .../templates/webhook.yaml | 9 -- .../104.0.0+up0.5.0-rc7/tests/README.md | 16 ---- .../tests/deployment_test.yaml | 73 ---------------- .../tests/service_test.yaml | 18 ---- .../104.0.0+up0.5.0-rc7/values.yaml | 30 ------- index.yaml | 10 +-- 14 files changed, 5 insertions(+), 316 deletions(-) delete mode 100644 assets/rancher-webhook/rancher-webhook-104.0.0+up0.5.0-rc7.tgz delete mode 100644 charts/rancher-webhook/104.0.0+up0.5.0-rc7/Chart.yaml delete mode 100644 charts/rancher-webhook/104.0.0+up0.5.0-rc7/templates/_helpers.tpl delete mode 100644 charts/rancher-webhook/104.0.0+up0.5.0-rc7/templates/deployment.yaml delete mode 100644 charts/rancher-webhook/104.0.0+up0.5.0-rc7/templates/rbac.yaml delete mode 100644 charts/rancher-webhook/104.0.0+up0.5.0-rc7/templates/secret.yaml delete mode 100644 charts/rancher-webhook/104.0.0+up0.5.0-rc7/templates/service.yaml delete mode 100644 charts/rancher-webhook/104.0.0+up0.5.0-rc7/templates/serviceaccount.yaml delete mode 100644 charts/rancher-webhook/104.0.0+up0.5.0-rc7/templates/webhook.yaml delete mode 100644 charts/rancher-webhook/104.0.0+up0.5.0-rc7/tests/README.md delete mode 100644 charts/rancher-webhook/104.0.0+up0.5.0-rc7/tests/deployment_test.yaml delete mode 100644 charts/rancher-webhook/104.0.0+up0.5.0-rc7/tests/service_test.yaml delete mode 100644 charts/rancher-webhook/104.0.0+up0.5.0-rc7/values.yaml 
diff --git a/assets/rancher-webhook/rancher-webhook-104.0.0+up0.5.0-rc7.tgz b/assets/rancher-webhook/rancher-webhook-104.0.0+up0.5.0-rc7.tgz deleted file mode 100644 index a1c4aac5bd30baae36a3ed243d5af29dfa368281..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2804 zcmVDc zVQyr3R8em|NM&qo0PH($Z`(N1{j6UxaGnSKaFr}Oj4TgTNe|p+G9lr2;gZ|0z1^7?L!gffNCh~>4M zqEuAy0ABv*{BXO%*M;Gc*W4rIY&bjV;J%2mb5*ZSOuHnAiy+YF*lF$zY)@9!zNm73L z-ihbCGCXx6RH3Aaw#^?1qY=@R&qq;Al^OeUh74vx!evGP^eRE+v=c4Y(enqM@A>~o zlQpsDmc;|?ADZ@mNmz>NX&t~W`+su0VgFD1#|Qhr51=ubqp|!F6QQUUa#dQ5Zqs@I zXfh9Axi%R97Qscz*o9y;Tm|rUHWB(lqC&16XU@cwu-vt1W=R2L*82_4NXqmj&Z*Ld zZpS!|g;08e`c}w~0n7+f=s0m0n~BKDlo?NCoQ&fffffv9=Dn;5)C+{1S%@%UVihCT z9$X>9LhD2YUF(Jso5D zkO-8|gj3-ofM0%fxQOry8HQTO0PgM`=jaG7Bo&hC)tC{bCL~56O3^vT2(+lO>m<#Q zc59p?NQBh+ECsg<8ZNRXEg)40w+rMTQ_d-$ZLjA&Hdn+382 zrSf$0NLR4K{`;pV{f7M?4u`#i{oe=N-MJ9qjBP#8Fc<%bvs{$0GYz_qqF7*d9?A{sjjFY-5w)TWGX{Il4LVJ zE-*C_*-XJTX1(GCazrkCMB}`w8Hh1QHk1nTxuyYUGYoYAor$>09F5JCL}Kt6N6|U^ zloHn2zMcvjDt9j#4|S)u&VVYI+RuNx{#P8*Bcs6``ac-@rw#o-9r%a*e=lGJEiG2^X{c!X^bUOH(yvb z&<#mROkpTduZb5elh*MSV^d?JVInI5@p@=2O19zf7MzVx^bRNwSsHCKCLVkSPI+WP zr0=$JRz(Wd0D~6)Au($o@fq4N))=kD&|CPd+1@Iv!>z1VQ-oGds{=|#hYv6s3T|=& zlof$MzFePrAs<)Qqw|Z3EEEpm?yjJ%G>Mb@`_9JHv&ra(cV{=}`^)Q1G;1t2g;=Y*NfF>Pd`gAJa?xv~lhOIv)x~Ih)^?(c(*ZcXMjCfbc=jh|||-Pu6c7y?zv zFh{L6CDrD}m7Oa^{K6)U6%uW-QrRx!Om&)ENHN9gsT%@6)h#1HVkMx{T_9n4@n@&r zX(@LsXZ0SFq}!DE-`Cd{SJl25p)8eny^yFDf<*xg{YrO&l8WdGL%|~zz)9J~=n^?9 z^-OGUzg0mPTt&H zon3x-Td_GxKSviAH%@$SyM%wFoe zNzuA3UH+eg?fRc(E>B?rcIp3d|D>t^C;mbI_X2+<|KA#p)Sj|?PGJo~;)QwmxH+fL zS0iLCHl!MaY<>OLs{{jhpO8-}I^Tjf{rkZ~`fp9?6BvM<`akqH?*9+Rau)Y%WyY1V%Y zhbN~8{oe=F-t>y9()>cZ{R&`Rg_;+ijs>65d72I1uHx&$*bQ^>WrWXD{W!AEz1QC& zZ0f(#s(X1hdUJl}#nF?{*y;aIH|jr6hll#ly?}Fc1Wbg4L4->%r%(ADC|6phS$Ur0 zytmF4dI9{HG6vy-NDbq+AX5&vR4;(o7nI_1&T)SG?YAjW3&-nbu3B~N9Mugen9dSq zKY(jg+F(*Z=ETsoRd*Q;!PyGd=#DI3gfTm0fh>lErE|(*My1l=*4m1(McwC|>P0&B 
zLJ@b(FgN8?oAuVeygAj5p=S2OE!eLQQHyL5&wX}J0qy#~uKl^OD}G!IutWckPY1`% z`k!I%Q2)0VP$|`zYhk5|rwjwL#Jy1q<~UYNvOcN5S zwp&_#M~3OD5KFIp^QfAn>}z(f@sizoy1dDbE!W?CAg9VcvU|;w-xyhWjNe$vBTlBV z7O%>)N1~|Z*fw9_x1C2`N(VyLiWe$J^XQYwNqqg(jHT8y9FMZ%rTp;5BM?beIz}X# z5zRxZy?X?W|6y=LELE&gmsG9hsQ&{)rQ>(;6sKR`uN~UhRvgk+_Xs;`A0H*5wPSh& z+h17>v!xtnKjyH#)U7m!by<03B;-N=-yZ+vcfU^&{Cz?GcXGT@|LqSC_dk1qYW!Ec z0yToa>OmS-%o(3GE&Vq_W9R9!Gr= 1.23.0-0 < 1.29.0-0' - catalog.cattle.io/namespace: cattle-system - catalog.cattle.io/os: linux - catalog.cattle.io/permits-os: linux,windows - catalog.cattle.io/rancher-version: '>= 2.9.0-0 < 2.10.0-0' - catalog.cattle.io/release-name: rancher-webhook -apiVersion: v2 -appVersion: 0.5.0-rc7 -description: ValidatingAdmissionWebhook for Rancher types -name: rancher-webhook -version: 104.0.0+up0.5.0-rc7 diff --git a/charts/rancher-webhook/104.0.0+up0.5.0-rc7/templates/_helpers.tpl b/charts/rancher-webhook/104.0.0+up0.5.0-rc7/templates/_helpers.tpl deleted file mode 100644 index c37a65c6f3..0000000000 --- a/charts/rancher-webhook/104.0.0+up0.5.0-rc7/templates/_helpers.tpl +++ /dev/null @@ -1,22 +0,0 @@ -{{- define "system_default_registry" -}} -{{- if .Values.global.cattle.systemDefaultRegistry -}} -{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} -{{- else -}} -{{- "" -}} -{{- end -}} -{{- end -}} - -{{- define "rancher-webhook.labels" -}} -app: rancher-webhook -{{- end }} - -{{- define "linux-node-tolerations" -}} -- key: "cattle.io/os" - value: "linux" - effect: "NoSchedule" - operator: "Equal" -{{- end -}} - -{{- define "linux-node-selector" -}} -kubernetes.io/os: linux -{{- end -}} \ No newline at end of file diff --git a/charts/rancher-webhook/104.0.0+up0.5.0-rc7/templates/deployment.yaml b/charts/rancher-webhook/104.0.0+up0.5.0-rc7/templates/deployment.yaml deleted file mode 100644 index b8a7201dac..0000000000 --- a/charts/rancher-webhook/104.0.0+up0.5.0-rc7/templates/deployment.yaml +++ /dev/null 
@@ -1,82 +0,0 @@ -{{- $auth := .Values.auth | default dict }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: rancher-webhook -spec: - selector: - matchLabels: - app: rancher-webhook - template: - metadata: - labels: - app: rancher-webhook - spec: - {{- if $auth.clientCA }} - volumes: - - name: client-ca - secret: - secretName: client-ca - {{- end }} - {{- if .Values.global.hostNetwork }} - hostNetwork: true - {{- end }} - nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} - {{- if .Values.nodeSelector }} -{{ toYaml .Values.nodeSelector | indent 8 }} - {{- end }} - tolerations: {{ include "linux-node-tolerations" . | nindent 6 }} - {{- if .Values.tolerations }} -{{ toYaml .Values.tolerations | indent 6 }} - {{- end }} - containers: - - env: - - name: STAMP - value: "{{.Values.stamp}}" - - name: ENABLE_MCM - value: "{{.Values.mcm.enabled}}" - - name: CATTLE_PORT - value: {{.Values.port | default 9443 | quote}} - - name: NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - {{- if $auth.allowedCNs }} - - name: ALLOWED_CNS - value: '{{ join "," $auth.allowedCNs }}' - {{- end }} - image: '{{ template "system_default_registry" . 
}}{{ .Values.image.repository }}:{{ .Values.image.tag }}' - name: rancher-webhook - imagePullPolicy: "{{ .Values.image.imagePullPolicy }}" - ports: - - name: https - containerPort: {{ .Values.port | default 9443 }} - startupProbe: - httpGet: - path: "/healthz" - port: "https" - scheme: "HTTPS" - failureThreshold: 60 - periodSeconds: 5 - livenessProbe: - httpGet: - path: "/healthz" - port: "https" - scheme: "HTTPS" - periodSeconds: 5 - {{- if $auth.clientCA }} - volumeMounts: - - name: client-ca - mountPath: /tmp/k8s-webhook-server/client-ca - readOnly: true - {{- end }} - {{- if .Values.capNetBindService }} - securityContext: - capabilities: - add: - - NET_BIND_SERVICE - {{- end }} - serviceAccountName: rancher-webhook - {{- if .Values.priorityClassName }} - priorityClassName: "{{.Values.priorityClassName}}" - {{- end }} diff --git a/charts/rancher-webhook/104.0.0+up0.5.0-rc7/templates/rbac.yaml b/charts/rancher-webhook/104.0.0+up0.5.0-rc7/templates/rbac.yaml deleted file mode 100644 index f4364995c0..0000000000 --- a/charts/rancher-webhook/104.0.0+up0.5.0-rc7/templates/rbac.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: rancher-webhook -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin -subjects: -- kind: ServiceAccount - name: rancher-webhook - namespace: {{.Release.Namespace}} \ No newline at end of file diff --git a/charts/rancher-webhook/104.0.0+up0.5.0-rc7/templates/secret.yaml b/charts/rancher-webhook/104.0.0+up0.5.0-rc7/templates/secret.yaml deleted file mode 100644 index 9fd331dc1e..0000000000 --- a/charts/rancher-webhook/104.0.0+up0.5.0-rc7/templates/secret.yaml +++ /dev/null @@ -1,11 +0,0 @@ -{{- $auth := .Values.auth | default dict }} -{{- if $auth.clientCA }} -apiVersion: v1 -data: - ca.crt: {{ $auth.clientCA }} -kind: Secret -metadata: - name: client-ca - namespace: cattle-system -type: Opaque -{{- end }} 
diff --git a/charts/rancher-webhook/104.0.0+up0.5.0-rc7/templates/service.yaml b/charts/rancher-webhook/104.0.0+up0.5.0-rc7/templates/service.yaml deleted file mode 100644 index 220afebeae..0000000000 --- a/charts/rancher-webhook/104.0.0+up0.5.0-rc7/templates/service.yaml +++ /dev/null @@ -1,13 +0,0 @@ -kind: Service -apiVersion: v1 -metadata: - name: rancher-webhook - namespace: cattle-system -spec: - ports: - - port: 443 - targetPort: {{ .Values.port | default 9443 }} - protocol: TCP - name: https - selector: - app: rancher-webhook diff --git a/charts/rancher-webhook/104.0.0+up0.5.0-rc7/templates/serviceaccount.yaml b/charts/rancher-webhook/104.0.0+up0.5.0-rc7/templates/serviceaccount.yaml deleted file mode 100644 index 9e7ad7e1fe..0000000000 --- a/charts/rancher-webhook/104.0.0+up0.5.0-rc7/templates/serviceaccount.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: rancher-webhook ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: rancher-webhook-sudo - annotations: - cattle.io/description: "SA which can be impersonated to bypass rancher-webhook validation" \ No newline at end of file diff --git a/charts/rancher-webhook/104.0.0+up0.5.0-rc7/templates/webhook.yaml b/charts/rancher-webhook/104.0.0+up0.5.0-rc7/templates/webhook.yaml deleted file mode 100644 index 53a0687b6f..0000000000 --- a/charts/rancher-webhook/104.0.0+up0.5.0-rc7/templates/webhook.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: rancher.cattle.io ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - name: rancher.cattle.io diff --git a/charts/rancher-webhook/104.0.0+up0.5.0-rc7/tests/README.md b/charts/rancher-webhook/104.0.0+up0.5.0-rc7/tests/README.md deleted file mode 100644 index 6d3059a005..0000000000 --- a/charts/rancher-webhook/104.0.0+up0.5.0-rc7/tests/README.md +++ /dev/null 
@@ -1,16 +0,0 @@ - -## local dev testing instructions - -Option 1: Full chart CI run with a live cluster - -```bash -./scripts/charts/ci -``` - -Option 2: Test runs against the chart only - -```bash -# install the helm plugin first - helm plugin install https://github.com/helm-unittest/helm-unittest.git -bash dev-scripts/helm-unittest.sh -``` - diff --git a/charts/rancher-webhook/104.0.0+up0.5.0-rc7/tests/deployment_test.yaml b/charts/rancher-webhook/104.0.0+up0.5.0-rc7/tests/deployment_test.yaml deleted file mode 100644 index bbd6e30444..0000000000 --- a/charts/rancher-webhook/104.0.0+up0.5.0-rc7/tests/deployment_test.yaml +++ /dev/null 
@@ -1,73 +0,0 @@ -suite: Test Deployment -templates: - - deployment.yaml - -tests: - - it: should set webhook default port values - asserts: - - equal: - path: spec.template.spec.containers[0].ports[0].containerPort - value: 9443 - - contains: - path: spec.template.spec.containers[0].env - content: - name: CATTLE_PORT - value: "9443" - - - it: should set updated webhook port - set: - port: 2319 - asserts: - - equal: - path: spec.template.spec.containers[0].ports[0].containerPort - value: 2319 - - contains: - path: spec.template.spec.containers[0].env - content: - name: CATTLE_PORT - value: "2319" - - - it: should not set capabilities by default. - asserts: - - isNull: - path: spec.template.spec.containers[0].securityContext - - - it: should set net capabilities when capNetBindService is true. - set: - capNetBindService: true - asserts: - - contains: - path: spec.template.spec.containers[0].securityContext.capabilities.add - content: NET_BIND_SERVICE - - - it: should not set volumes or volumeMounts by default - asserts: - - isNull: - path: spec.template.spec.volumes - - isNull: - path: spec.template.spec.volumeMounts - - - it: should set CA fields when CA options are set - set: - auth.clientCA: base64-encoded-cert - auth.allowedCNs: - - kube-apiserver - - joe - asserts: - - contains: - path: spec.template.spec.volumes - content: - name: client-ca - secret: - secretName: client-ca - - contains: - path: spec.template.spec.containers[0].volumeMounts - content: - name: client-ca - mountPath: /tmp/k8s-webhook-server/client-ca - readOnly: true - - contains: - path: spec.template.spec.containers[0].env - content: - name: ALLOWED_CNS - value: kube-apiserver,joe diff --git a/charts/rancher-webhook/104.0.0+up0.5.0-rc7/tests/service_test.yaml b/charts/rancher-webhook/104.0.0+up0.5.0-rc7/tests/service_test.yaml deleted file mode 100644 index 03172ad033..0000000000 --- a/charts/rancher-webhook/104.0.0+up0.5.0-rc7/tests/service_test.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -suite: Test Service -templates: - - service.yaml - -tests: - - it: should set webhook default port values - asserts: - - equal: - path: spec.ports[0].targetPort - value: 9443 - - - it: should set updated target port - set: - port: 2319 - asserts: - - equal: - path: spec.ports[0].targetPort - value: 2319 diff --git a/charts/rancher-webhook/104.0.0+up0.5.0-rc7/values.yaml b/charts/rancher-webhook/104.0.0+up0.5.0-rc7/values.yaml deleted file mode 100644 index 3bb5f56504..0000000000 --- a/charts/rancher-webhook/104.0.0+up0.5.0-rc7/values.yaml +++ /dev/null @@ -1,30 +0,0 @@ -image: - repository: rancher/rancher-webhook - tag: v0.5.0-rc7 - imagePullPolicy: IfNotPresent - -global: - cattle: - systemDefaultRegistry: "" - hostNetwork: false - -mcm: - enabled: true - -# tolerations for the webhook deployment. See https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ for more info -tolerations: [] -nodeSelector: {} - -## PriorityClassName assigned to deployment. -priorityClassName: "" - -# port assigns which port to use when running rancher-webhook -port: 9443 - -# Parameters for authenticating the kube-apiserver. -auth: - # CA for authenticating kube-apiserver client certs. If empty, client connections will not be authenticated. - # Must be base64-encoded. - clientCA: "" - # Allowlist of CNs for kube-apiserver client certs. If empty, any cert signed by the CA provided in clientCA will be accepted. - allowedCNs: [] diff --git a/index.yaml b/index.yaml index 1d3667b851..f88523f6c5 100755 --- a/index.yaml +++ b/index.yaml 
@@ -19891,14 +19891,14 @@ entries: catalog.cattle.io/rancher-version: '>= 2.9.0-0 < 2.10.0-0' catalog.cattle.io/release-name: rancher-webhook apiVersion: v2 - appVersion: 0.5.0-rc7 - created: "2024-03-28T10:28:16.372115943-04:00" + appVersion: 0.5.0-rc8 + created: "2024-04-29T13:17:19.620292214-04:00" description: ValidatingAdmissionWebhook for Rancher types - digest: 4c1cd7620e584eb0cc53de14665f7eae3f996caaba1afed62a8d44e09c49eac1 + digest: c3adb76f2c8c762536ba58d19dc380e4159042182d203022c09f7310c2f77ff6 name: rancher-webhook urls: - - assets/rancher-webhook/rancher-webhook-104.0.0+up0.5.0-rc7.tgz - version: 104.0.0+up0.5.0-rc7 + - assets/rancher-webhook/rancher-webhook-104.0.0+up0.5.0-rc8.tgz + version: 104.0.0+up0.5.0-rc8 - annotations: catalog.cattle.io/certified: rancher catalog.cattle.io/hidden: "true"