From 1692d6e5a2094416035f4a23ef469b029a1c38c7 Mon Sep 17 00:00:00 2001 From: Jonathan Crowther Date: Mon, 29 Apr 2024 14:12:24 -0400 Subject: [PATCH 1/2] Bump rancher-webhook to v0.4.4-rc1 --- packages/rancher-webhook/package.yaml | 4 ++-- release.yaml | 2 ++ 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/packages/rancher-webhook/package.yaml b/packages/rancher-webhook/package.yaml index d5ee95e7f1..c4ba7ef1a2 100644 --- a/packages/rancher-webhook/package.yaml +++ b/packages/rancher-webhook/package.yaml @@ -1,3 +1,3 @@ -url: https://github.com/rancher/webhook/releases/download/v0.4.3/rancher-webhook-0.4.3.tgz -version: 103.0.2 +url: https://github.com/rancher/webhook/releases/download/v0.4.4-rc1/rancher-webhook-0.4.4-rc1.tgz +version: 103.0.3 doNotRelease: false diff --git a/release.yaml b/release.yaml index 9c8be9d245..435476c173 100644 --- a/release.yaml +++ b/release.yaml @@ -24,6 +24,8 @@ rancher-monitoring: - 103.1.0-rc1+up45.31.1 rancher-monitoring-crd: - 103.1.0-rc1+up45.31.1 +rancher-webhook: + - 103.0.3+up0.4.4-rc1 rancher-vsphere-csi: - 103.1.1+up3.1.2-rancher4 neuvector-monitor: From d4ea81823253b6aada635659048e8352927d8ee8 Mon Sep 17 00:00:00 2001 
From: Jonathan Crowther Date: Mon, 29 Apr 2024 14:13:06 -0400 Subject: [PATCH 2/2] Make Charts --- .../rancher-webhook-103.0.3+up0.4.4-rc1.tgz | Bin 0 -> 2805 bytes .../103.0.3+up0.4.4-rc1/Chart.yaml | 14 +++ .../templates/_helpers.tpl | 22 +++++ .../templates/deployment.yaml | 82 ++++++++++++++++++ .../103.0.3+up0.4.4-rc1/templates/rbac.yaml | 12 +++ .../103.0.3+up0.4.4-rc1/templates/secret.yaml | 11 +++ .../templates/service.yaml | 13 +++ .../templates/serviceaccount.yaml | 11 +++ .../templates/webhook.yaml | 9 ++ .../103.0.3+up0.4.4-rc1/tests/README.md | 16 ++++ .../tests/deployment_test.yaml | 73 ++++++++++++++++ .../tests/service_test.yaml | 18 ++++ .../103.0.3+up0.4.4-rc1/values.yaml | 30 +++++++ index.yaml | 18 ++++ 14 files changed, 329 insertions(+) create mode 100644 assets/rancher-webhook/rancher-webhook-103.0.3+up0.4.4-rc1.tgz create mode 100644 charts/rancher-webhook/103.0.3+up0.4.4-rc1/Chart.yaml create mode 100644 charts/rancher-webhook/103.0.3+up0.4.4-rc1/templates/_helpers.tpl create mode 100644 charts/rancher-webhook/103.0.3+up0.4.4-rc1/templates/deployment.yaml create mode 100644 charts/rancher-webhook/103.0.3+up0.4.4-rc1/templates/rbac.yaml create mode 100644 charts/rancher-webhook/103.0.3+up0.4.4-rc1/templates/secret.yaml create mode 100644 charts/rancher-webhook/103.0.3+up0.4.4-rc1/templates/service.yaml create mode 100644 charts/rancher-webhook/103.0.3+up0.4.4-rc1/templates/serviceaccount.yaml create mode 100644 charts/rancher-webhook/103.0.3+up0.4.4-rc1/templates/webhook.yaml create mode 100644 charts/rancher-webhook/103.0.3+up0.4.4-rc1/tests/README.md create mode 100644 charts/rancher-webhook/103.0.3+up0.4.4-rc1/tests/deployment_test.yaml create mode 100644 charts/rancher-webhook/103.0.3+up0.4.4-rc1/tests/service_test.yaml create mode 100644 charts/rancher-webhook/103.0.3+up0.4.4-rc1/values.yaml 
diff --git a/assets/rancher-webhook/rancher-webhook-103.0.3+up0.4.4-rc1.tgz b/assets/rancher-webhook/rancher-webhook-103.0.3+up0.4.4-rc1.tgz new file mode 100644 index 0000000000000000000000000000000000000000..7bad3661184e73b31a2dfa06651d8032202ca662 GIT binary patch literal 2805 zcmVDc zVQyr3R8em|NM&qo0PH*KZ`(NX{j9%Y;QW5*hpS}y5vMh75AeF#y#kFJBtaL4#Ue{f zW19^{swCyCH_iWkAoZ{$%W<~}obJK%#Wo)^Lvo(vSP~vAP`bA`T?ld09xsU0-ik!* z#gl>W`~INcx1YZ6*FQUcr}v`MA9Q*rgHFHOd*OHb-Q&&+@Sl!_?T{!<F=uy!QP-;4(7!DzmmBwKU8ivS+(9$x&R^yPHWQy(* zrJ{ll;pM-6fR5MgdA{qzKh4)S=IhJGshmWpViMpG(neRUl*XuWuuwx_lqY{Q_Qoh9 zs+C)edUZ>AC~j5b=v+N2YrBKN3bmqA8z`!iXv}_LmeH%!GuClmO^ejLK;yS}ddE_dMV0{UeFj z#GYFe5AY07xBpAR5>!v?0Cw5`<6ggR|BpK-2m8Mdpb?p)vHTKap{N#eRhW%--FyIO zG9SWnZ8HEYg7bv2bHQk^8p6BTMCfyg3b}TiITKUDGS{M+B?XXL@3%N33DXxir%D^T zE#o*ALg@+WTOn_TFe6N%<3vGZCL$+OW;~H`GLCZuS}>HU_p&xnFAy?jA;g%8RfJr7 zaES;Dtz$K8TQ?**YE;HZhaynzK=1%#t=cMBV3;t<=PoX3U=X)8pAq(V}?8Z)BQghU8LDLUsEf)-_Vowz>I zZjEyUv5-2OrQmi!gGJh;1tbdLc7YsZ!a3#h4cl)94&hC|-!qubi6jwflth8iPCe-5OWAeFdj9{sg8$$QREs-_@F#^Hv^1fy?Rx&3(he}Pwtj7 z23%;EVi_rho+WpdDBCq93I}}`c_6~HFU2(;Ws-9QBgVunqe_FA!FZCc?JF50d}SLU zJCo_kZo_y4u@p-hVhEHMBvYmh!+{Zq6qQt;fm{WVax{~Dv15sj*Sy+9VD zRGy9>=?Zq(fB)pTTeJUz!SV6I{_g|s?pz3QMma(&waV9FYL>5MW|v#w-rqZBAf18t zF%1w>yPik8jrP2l7E8+Y3|jxM+O2OwfJ|ZWqqXJ-dARZ2DX*v|-5w)TWGY2K;&?Ma z&N0;y*-XJTX1(MEGDI%ipmAR148)it8%hncxuyYUGYs?)S`%@ZIvSfPiP+#Xj-qw? 
zIU%gIeLW>MROVh%9;!}lodK0FHJ|@>{VzGBM@EA?^uIswPip#q()YUu{oe-|0r@}U zbYb{Ip_}&i7sw0&gf!4#HD;Z%k~miFWyiUpJRHK?LROpzH3^9(CRAunLRE}`>CGiL z4GANngT;HRpJ@X?qlNcd{e5d=>gi!3^P?d0vZSa9 z%XoBk_5Sqw{KLi7CYm)Cn?kJB-J}Tc1wJQ2W3lKp(#h!T^zwW(KCPqtNs6c}`T#SE zEWE&3wKZ!$Cweg~)YmJn_=>R=rCf*B(7@B^{reBUoW8vtPcAnX`tt4$J_*X9^{Ul` z?PY~x<*2jtHpP+Kod*IX5AN^p?h4Velf89j4fprMjc!fm6(*XEW`&<}y4~79SQ`Rm z$uLK)HYL^O#-*JrMEu+)jU^IIvQpYE<4koDpGz^t@~ImFKUXayKx`$T)m|WBdhutg z+G#1bEN9golcd{}_}^Do=a=Qa8KEqZc(stI7J`LC82F{`7$p_qB?f|rY6!{gjBCAjt&Sz`o-O{{9{Ii|NKZfuQ^^iLZRc{i_ZLRkd*W0ok5@GJ;^Y}fxZb9o92uuK1Y-Q&9cANvRW-wXVe{C{gWQhCenIJq?lh!}uVNg+hnRd$(D@#`>E90?(tm48pTGd@)c=9MdH;X7|Jw^x+-6;o zcf0lnlrz6yD^gB3OOE>eo(+ICk#p34CBuxR&>|3Q2v_6uVx^kCR&Nv=Z~mTpzrQ!w zssAJmr5(*_@w_$Qs5}FL4R+gAokJyTh za!p+8a+K9U1cbvBfkrV(B{isj*AYHT^yA1r_g;UG zu&Mt_tM6x{31bi}h}1BC2QuMsOZ5VXeL=}D=N#wv-+!MHwQ#(4>Z(=S&Qa}vg6S+! zc873r4fK#N zYcJ%;YcInORb8yhHw;59r)lq!IJ9|7zK3zXAhmvjPVZ2ob*&|`taBQ0|@Y~KKE2RS=E5!??qj~hnWF)?QYRXdM8IDJ3@ltkp;}M8BEgd5g z&4~J;Ro*>@wf``<0TwD&t4k_Zb5#GpQ0n+3p5pYY`?W(Gn~Fo4>K= 1.23.0-0 < 1.29.0-0' + catalog.cattle.io/namespace: cattle-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0' + catalog.cattle.io/release-name: rancher-webhook +apiVersion: v2 +appVersion: 0.4.4-rc1 +description: ValidatingAdmissionWebhook for Rancher types +name: rancher-webhook +version: 103.0.3+up0.4.4-rc1 diff --git a/charts/rancher-webhook/103.0.3+up0.4.4-rc1/templates/_helpers.tpl b/charts/rancher-webhook/103.0.3+up0.4.4-rc1/templates/_helpers.tpl new file mode 100644 index 0000000000..c37a65c6f3 --- /dev/null +++ b/charts/rancher-webhook/103.0.3+up0.4.4-rc1/templates/_helpers.tpl 
@@ -0,0 +1,22 @@ +{{- define "system_default_registry" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} +{{- else -}} +{{- "" -}} +{{- end -}} +{{- end -}} + +{{- define "rancher-webhook.labels" -}} +app: rancher-webhook +{{- end }} + +{{- define "linux-node-tolerations" -}} +- key: "cattle.io/os" + value: "linux" + effect: "NoSchedule" + operator: "Equal" +{{- end -}} + +{{- define "linux-node-selector" -}} +kubernetes.io/os: linux +{{- end -}} \ No newline at end of file diff --git a/charts/rancher-webhook/103.0.3+up0.4.4-rc1/templates/deployment.yaml b/charts/rancher-webhook/103.0.3+up0.4.4-rc1/templates/deployment.yaml new file mode 100644 index 0000000000..b8a7201dac --- /dev/null +++ b/charts/rancher-webhook/103.0.3+up0.4.4-rc1/templates/deployment.yaml 
@@ -0,0 +1,82 @@ +{{- $auth := .Values.auth | default dict }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: rancher-webhook +spec: + selector: + matchLabels: + app: rancher-webhook + template: + metadata: + labels: + app: rancher-webhook + spec: + {{- if $auth.clientCA }} + volumes: + - name: client-ca + secret: + secretName: client-ca + {{- end }} + {{- if .Values.global.hostNetwork }} + hostNetwork: true + {{- end }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} + {{- if .Values.nodeSelector }} +{{ toYaml .Values.nodeSelector | indent 8 }} + {{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 6 }} + {{- if .Values.tolerations }} +{{ toYaml .Values.tolerations | indent 6 }} + {{- end }} + containers: + - env: + - name: STAMP + value: "{{.Values.stamp}}" + - name: ENABLE_MCM + value: "{{.Values.mcm.enabled}}" + - name: CATTLE_PORT + value: {{.Values.port | default 9443 | quote}} + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- if $auth.allowedCNs }} + - name: ALLOWED_CNS + value: '{{ join "," $auth.allowedCNs }}' + {{- end }} + image: '{{ template "system_default_registry" . 
}}{{ .Values.image.repository }}:{{ .Values.image.tag }}' + name: rancher-webhook + imagePullPolicy: "{{ .Values.image.imagePullPolicy }}" + ports: + - name: https + containerPort: {{ .Values.port | default 9443 }} + startupProbe: + httpGet: + path: "/healthz" + port: "https" + scheme: "HTTPS" + failureThreshold: 60 + periodSeconds: 5 + livenessProbe: + httpGet: + path: "/healthz" + port: "https" + scheme: "HTTPS" + periodSeconds: 5 + {{- if $auth.clientCA }} + volumeMounts: + - name: client-ca + mountPath: /tmp/k8s-webhook-server/client-ca + readOnly: true + {{- end }} + {{- if .Values.capNetBindService }} + securityContext: + capabilities: + add: + - NET_BIND_SERVICE + {{- end }} + serviceAccountName: rancher-webhook + {{- if .Values.priorityClassName }} + priorityClassName: "{{.Values.priorityClassName}}" + {{- end }} diff --git a/charts/rancher-webhook/103.0.3+up0.4.4-rc1/templates/rbac.yaml b/charts/rancher-webhook/103.0.3+up0.4.4-rc1/templates/rbac.yaml new file mode 100644 index 0000000000..f4364995c0 --- /dev/null +++ b/charts/rancher-webhook/103.0.3+up0.4.4-rc1/templates/rbac.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: rancher-webhook +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: +- kind: ServiceAccount + name: rancher-webhook + namespace: {{.Release.Namespace}} \ No newline at end of file diff --git a/charts/rancher-webhook/103.0.3+up0.4.4-rc1/templates/secret.yaml b/charts/rancher-webhook/103.0.3+up0.4.4-rc1/templates/secret.yaml new file mode 100644 index 0000000000..9fd331dc1e --- /dev/null +++ b/charts/rancher-webhook/103.0.3+up0.4.4-rc1/templates/secret.yaml @@ -0,0 +1,11 @@ +{{- $auth := .Values.auth | default dict }} +{{- if $auth.clientCA }} +apiVersion: v1 +data: + ca.crt: {{ $auth.clientCA }} +kind: Secret +metadata: + name: client-ca + namespace: cattle-system +type: Opaque +{{- end }} 
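Review bot: The container in the deployment.yaml hunk gets no securityContext at all unless capNetBindService is set, so the pod that carries the cluster-admin token bound in rbac.yaml runs with the default capability set and with privilege escalation allowed. A baseline that drops all capabilities and sets allowPrivilegeEscalation to false costs nothing here and only adds NET_BIND_SERVICE back when the value asks for it; runAsNonRoot would be worth adding as well if the rancher/rancher-webhook image runs as an unprivileged user, which I cannot confirm from the chart. Note that tests/deployment_test.yaml asserts securityContext is null by default, so that test has to change together with this. Since charts/ is generated from packages/, the change belongs in the upstream chart in rancher/webhook rather than in this repository.
```yaml
        # … unchanged: env, image, ports, probes, volumeMounts …
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
              - ALL
            {{- if .Values.capNetBindService }}
            add:
              - NET_BIND_SERVICE
            {{- end }}
```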
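Review bot: The rbac.yaml hunk binds the rancher-webhook service account to the built-in cluster-admin ClusterRole, so the webhook pod, which is reachable from any pod through the Service on port 443 and by default accepts unauthenticated clients (values.yaml leaves clientCA empty), holds a token with full cluster privileges. I assume the webhook needs broad read access to evaluate RBAC-related admission requests and write access to fill in the empty webhook configurations from webhook.yaml, but that does not obviously require write on every resource, and a scoped ClusterRole would limit what a compromised pod can do. Even if the binding stays, a NetworkPolicy limiting ingress to the control plane's source addresses where those are known, or setting auth.clientCA in production, would shrink the exposed surface. As charts/ is generated from packages/, this would have to go upstream.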
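Review bot: The Secret in the secret.yaml hunk hardcodes `namespace: cattle-system`, while rbac.yaml uses `{{.Release.Namespace}}` and the Deployment carries no namespace, so an install into any other namespace would create the Secret in cattle-system and the pod's `client-ca` volume would reference a Secret that does not exist in the release namespace, leaving the pod unschedulable until someone notices. The `catalog.cattle.io/namespace: cattle-system` annotation makes this unlikely under Rancher, but the templates should agree; `namespace: {{ .Release.Namespace }}` here, and the same in service.yaml, removes the inconsistency.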
diff --git a/charts/rancher-webhook/103.0.3+up0.4.4-rc1/templates/service.yaml b/charts/rancher-webhook/103.0.3+up0.4.4-rc1/templates/service.yaml new file mode 100644 index 0000000000..220afebeae --- /dev/null +++ b/charts/rancher-webhook/103.0.3+up0.4.4-rc1/templates/service.yaml @@ -0,0 +1,13 @@ +kind: Service +apiVersion: v1 +metadata: + name: rancher-webhook + namespace: cattle-system +spec: + ports: + - port: 443 + targetPort: {{ .Values.port | default 9443 }} + protocol: TCP + name: https + selector: + app: rancher-webhook diff --git a/charts/rancher-webhook/103.0.3+up0.4.4-rc1/templates/serviceaccount.yaml b/charts/rancher-webhook/103.0.3+up0.4.4-rc1/templates/serviceaccount.yaml new file mode 100644 index 0000000000..9e7ad7e1fe --- /dev/null +++ b/charts/rancher-webhook/103.0.3+up0.4.4-rc1/templates/serviceaccount.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: rancher-webhook +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: rancher-webhook-sudo + annotations: + cattle.io/description: "SA which can be impersonated to bypass rancher-webhook validation" \ No newline at end of file diff --git a/charts/rancher-webhook/103.0.3+up0.4.4-rc1/templates/webhook.yaml b/charts/rancher-webhook/103.0.3+up0.4.4-rc1/templates/webhook.yaml new file mode 100644 index 0000000000..53a0687b6f --- /dev/null +++ b/charts/rancher-webhook/103.0.3+up0.4.4-rc1/templates/webhook.yaml @@ -0,0 +1,9 @@ +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: rancher.cattle.io +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: rancher.cattle.io diff --git a/charts/rancher-webhook/103.0.3+up0.4.4-rc1/tests/README.md b/charts/rancher-webhook/103.0.3+up0.4.4-rc1/tests/README.md new file mode 100644 index 0000000000..6d3059a005 --- /dev/null +++ b/charts/rancher-webhook/103.0.3+up0.4.4-rc1/tests/README.md 
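Review bot: The serviceaccount.yaml hunk creates `rancher-webhook-sudo`, annotated as an identity that can be impersonated to bypass the webhook's validation, but nothing in the chart binds or restricts it, so the bypass is only as safe as the `impersonate` permissions granted elsewhere in the cluster. I would expand the annotation so an operator reading the cluster sees the implication, e.g. `cattle.io/description: "SA which can be impersonated to bypass rancher-webhook validation. Any principal allowed to impersonate this ServiceAccount skips all rancher-webhook checks; grant that verb only to trusted controllers."` Presumably the webhook compares the request's userInfo against this account name and namespace; I cannot confirm the exact match logic from the chart.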
@@ -0,0 +1,16 @@ + +## local dev testing instructions + +Option 1: Full chart CI run with a live cluster + +```bash +./scripts/charts/ci +``` + +Option 2: Test runs against the chart only + +```bash +# install the helm plugin first - helm plugin install https://github.com/helm-unittest/helm-unittest.git +bash dev-scripts/helm-unittest.sh +``` + diff --git a/charts/rancher-webhook/103.0.3+up0.4.4-rc1/tests/deployment_test.yaml b/charts/rancher-webhook/103.0.3+up0.4.4-rc1/tests/deployment_test.yaml new file mode 100644 index 0000000000..bbd6e30444 --- /dev/null +++ b/charts/rancher-webhook/103.0.3+up0.4.4-rc1/tests/deployment_test.yaml 
@@ -0,0 +1,73 @@ +suite: Test Deployment +templates: + - deployment.yaml + +tests: + - it: should set webhook default port values + asserts: + - equal: + path: spec.template.spec.containers[0].ports[0].containerPort + value: 9443 + - contains: + path: spec.template.spec.containers[0].env + content: + name: CATTLE_PORT + value: "9443" + + - it: should set updated webhook port + set: + port: 2319 + asserts: + - equal: + path: spec.template.spec.containers[0].ports[0].containerPort + value: 2319 + - contains: + path: spec.template.spec.containers[0].env + content: + name: CATTLE_PORT + value: "2319" + + - it: should not set capabilities by default. + asserts: + - isNull: + path: spec.template.spec.containers[0].securityContext + + - it: should set net capabilities when capNetBindService is true. + set: + capNetBindService: true + asserts: + - contains: + path: spec.template.spec.containers[0].securityContext.capabilities.add + content: NET_BIND_SERVICE + + - it: should not set volumes or volumeMounts by default + asserts: + - isNull: + path: spec.template.spec.volumes + - isNull: + path: spec.template.spec.volumeMounts + + - it: should set CA fields when CA options are set + set: + auth.clientCA: base64-encoded-cert + auth.allowedCNs: + - kube-apiserver + - joe + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: client-ca + secret: + secretName: client-ca + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: client-ca + mountPath: /tmp/k8s-webhook-server/client-ca + readOnly: true + - contains: + path: spec.template.spec.containers[0].env + content: + name: ALLOWED_CNS + value: kube-apiserver,joe diff --git a/charts/rancher-webhook/103.0.3+up0.4.4-rc1/tests/service_test.yaml b/charts/rancher-webhook/103.0.3+up0.4.4-rc1/tests/service_test.yaml new file mode 100644 index 0000000000..03172ad033 --- /dev/null +++ b/charts/rancher-webhook/103.0.3+up0.4.4-rc1/tests/service_test.yaml 
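Review bot: In the `should not set volumes or volumeMounts by default` test, the second assertion checks `spec.template.spec.volumeMounts`, a path that never exists in a Deployment because volumeMounts lives on the container, so it passes regardless of what the template renders. It should be `path: spec.template.spec.containers[0].volumeMounts`, matching the path the following positive test already uses.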
@@ -0,0 +1,18 @@ +suite: Test Service +templates: + - service.yaml + +tests: + - it: should set webhook default port values + asserts: + - equal: + path: spec.ports[0].targetPort + value: 9443 + + - it: should set updated target port + set: + port: 2319 + asserts: + - equal: + path: spec.ports[0].targetPort + value: 2319 diff --git a/charts/rancher-webhook/103.0.3+up0.4.4-rc1/values.yaml b/charts/rancher-webhook/103.0.3+up0.4.4-rc1/values.yaml new file mode 100644 index 0000000000..f37c556405 --- /dev/null +++ b/charts/rancher-webhook/103.0.3+up0.4.4-rc1/values.yaml @@ -0,0 +1,30 @@ +image: + repository: rancher/rancher-webhook + tag: v0.4.4-rc1 + imagePullPolicy: IfNotPresent + +global: + cattle: + systemDefaultRegistry: "" + hostNetwork: false + +mcm: + enabled: true + +# tolerations for the webhook deployment. See https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ for more info +tolerations: [] +nodeSelector: {} + +## PriorityClassName assigned to deployment. +priorityClassName: "" + +# port assigns which port to use when running rancher-webhook +port: 9443 + +# Parameters for authenticating the kube-apiserver. +auth: + # CA for authenticating kube-apiserver client certs. If empty, client connections will not be authenticated. + # Must be base64-encoded. + clientCA: "" + # Allowlist of CNs for kube-apiserver client certs. If empty, any cert signed by the CA provided in clientCA will be accepted. + allowedCNs: [] diff --git a/index.yaml b/index.yaml index a3328823e2..0f1c4e885a 100755 --- a/index.yaml +++ b/index.yaml 
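Review bot: values.yaml in this hunk does not declare `stamp`, yet deployment.yaml reads `.Values.stamp` into the STAMP env var, so the chart silently renders STAMP as an empty string and a user has no documented knob for it; add `stamp: ""` with a comment on what the webhook uses it for, which I cannot tell from the chart. The `auth.clientCA` comment is also worth sharpening, since per its own wording an empty value means the webhook authenticates nobody: e.g. `# CA for authenticating kube-apiserver client certs. If empty, any client that can reach the webhook Service is accepted; set this in production. Must be base64-encoded.`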
@@ -19811,6 +19811,24 @@ entries: - assets/rancher-vsphere-csi/rancher-vsphere-csi-2.1.000.tgz version: 2.1.000 rancher-webhook: + - annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/kube-version: '>= 1.23.0-0 < 1.29.0-0' + catalog.cattle.io/namespace: cattle-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0' + catalog.cattle.io/release-name: rancher-webhook + apiVersion: v2 + appVersion: 0.4.4-rc1 + created: "2024-04-29T14:12:35.918997-04:00" + description: ValidatingAdmissionWebhook for Rancher types + digest: fe1420d35320cdad57cf3b6d1f3142b30de79372c2f9e9a99823c33bbe45734d + name: rancher-webhook + urls: + - assets/rancher-webhook/rancher-webhook-103.0.3+up0.4.4-rc1.tgz + version: 103.0.3+up0.4.4-rc1 - annotations: catalog.cattle.io/certified: rancher catalog.cattle.io/hidden: "true"