From 00ca3f7f3326f18e8e6aee79050aa7e4ea2900e9 Mon Sep 17 00:00:00 2001
From: nicholasSSUSE
Date: Fri, 19 Jul 2024 17:56:10 -0300
Subject: [PATCH 1/3] cleaning release.yaml before release

---
 release.yaml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/release.yaml b/release.yaml
index 119bf98c35..e69de29bb2 100644
--- a/release.yaml
+++ b/release.yaml
@@ -1,2 +0,0 @@
-rancher-webhook:
- - 103.0.7+up0.4.8

From 184a65b56d2460ff8b6e5815595807df318447b2 Mon Sep 17 00:00:00 2001
From: Eric Promislow
Date: Fri, 19 Jul 2024 12:44:30 -0700
Subject: [PATCH 2/3] [dev-v2.8] rancher-webhook update (#4273)

---
 .../rancher-webhook-103.0.8+up0.4.9.tgz | Bin 0 -> 2801 bytes
 .../103.0.8+up0.4.9/Chart.yaml | 14 +++
 .../103.0.8+up0.4.9/templates/_helpers.tpl | 22 +++++
 .../103.0.8+up0.4.9/templates/deployment.yaml | 82 ++++++++++++++++++
 .../103.0.8+up0.4.9/templates/rbac.yaml | 12 +++
 .../103.0.8+up0.4.9/templates/secret.yaml | 11 +++
 .../103.0.8+up0.4.9/templates/service.yaml | 13 +++
 .../templates/serviceaccount.yaml | 11 +++
 .../103.0.8+up0.4.9/templates/webhook.yaml | 9 ++
 .../103.0.8+up0.4.9/tests/README.md | 16 ++++
 .../tests/deployment_test.yaml | 73 ++++++++++++++++
 .../103.0.8+up0.4.9/tests/service_test.yaml | 18 ++++
 .../103.0.8+up0.4.9/values.yaml | 30 +++++++
 index.yaml | 18 ++++
 packages/rancher-webhook/package.yaml | 4 +-
 release.yaml | 2 +
 16 files changed, 333 insertions(+), 2 deletions(-)
 create mode 100644 assets/rancher-webhook/rancher-webhook-103.0.8+up0.4.9.tgz
 create mode 100644 charts/rancher-webhook/103.0.8+up0.4.9/Chart.yaml
 create mode 100644 charts/rancher-webhook/103.0.8+up0.4.9/templates/_helpers.tpl
 create mode 100644 charts/rancher-webhook/103.0.8+up0.4.9/templates/deployment.yaml
 create mode 100644 charts/rancher-webhook/103.0.8+up0.4.9/templates/rbac.yaml
 create mode 100644 charts/rancher-webhook/103.0.8+up0.4.9/templates/secret.yaml
 create mode 100644 charts/rancher-webhook/103.0.8+up0.4.9/templates/service.yaml
 create mode 100644 charts/rancher-webhook/103.0.8+up0.4.9/templates/serviceaccount.yaml
 create mode 100644 charts/rancher-webhook/103.0.8+up0.4.9/templates/webhook.yaml
 create mode 100644 charts/rancher-webhook/103.0.8+up0.4.9/tests/README.md
 create mode 100644 charts/rancher-webhook/103.0.8+up0.4.9/tests/deployment_test.yaml
 create mode 100644 charts/rancher-webhook/103.0.8+up0.4.9/tests/service_test.yaml
 create mode 100644 charts/rancher-webhook/103.0.8+up0.4.9/values.yaml
diff --git a/assets/rancher-webhook/rancher-webhook-103.0.8+up0.4.9.tgz b/assets/rancher-webhook/rancher-webhook-103.0.8+up0.4.9.tgz new file mode 100644 index 0000000000000000000000000000000000000000..b7ec0c96b515c75db07c62a12581bcccfca213a9 GIT binary patch literal 2801 zcmVDc zVQyr3R8em|NM&qo0PH($Z`(N1{j6UxaGnSKaFr}4j?)Ua2YB7=UV+99lAw#jVv(h# zvCW1eRg!Yno94eCNWEB+<+$4fPWRyXVw*2BLvmipu_Qd4qjYa^G8f{eJDL-zy(Nj+ zizfr$_x(Y?Z$EwCZ+`ZC|L8@pKj;sRkB?=-y$Q;g zYUP%rUfoh2iCfh=x=@cA+lSukoa;mH0j4D~Bnn-_e7SjrqB$g?9}A?5Lx&_u`P29M z-Ww-E6-t_D+w_qz8WBzTY#7BZjTa7L9jG&{y= z%!Sfp)VD(31TZB`q2t71Y$hTn6K1@SaWIZ^09r7Vndh=LP|p!^Mj^t4iDisjdvJ*e zbFC8^@poO%ke5E>L=o8Db9M07k>MIrZ@nGKyS-2_2LN@1}rpqL;7AcELG@*~#5f#()bA z6RaY|$g||mQf0d)MB$+CA`eBB^<}t5!(4I>V91!bWmIVpQy7i2wS6UHgfDF)V+Cw<@F>;Epm2+02##|yy^ zrEc2aUm!OG5YbSB)tFVvN|Ho%7d_{O@+g3}rK~tHY7!AmOt{dVh^hob(_2Vz78b@t zhx7MVKeGmaRt*IxL^PjQp=W^AP;5j3P_SVjH*R(#ywc6z-{;*6!O|E@q;9^jY@i#G zl9<9!qFxa%TE?y8E5@eAM#Dr_g5uTCTBK}4;te<(;piPu9~`}@w?)YI|s$M>h#XQQ(R=f`2}<%v-nmeKI) z>iy~U`GE-!wblODulN51P^Z}+6S#*KZ zdTZW(PV_t|)z>Sp_{y<0rCf#A(8AO3{reBUoW8vtjW5?1`tt4$J_*X9^QzN^?PZN( z?Wpq_WSFB? 
z>ym2oCTZbJ^!;)@3fRV zma}?~Nz`px{O_x)^UG@Alu(vRyqZf?bHSnj27aYGK}kh)iJ{<;3gEcxVswEVm3k(& zH}bW`EftRGOr*T+RM-6zKy1cls@K(V(!F`D3K?^=B)Qu*O(KataJH=ZnpTBrnBR~j zW7I!V9$lhb&=70Vf?;a!It17FM{S!!l8^~yR8v&-?I%%GZ*XCJdUgHdyYbuW%hQXG z?<$sQjX#w!F$_bq590?^t+9@^Ync_!wi}y@ac%al)Um?dv&Da#<9|6J;nUm$Z_EGt zN4;kL-|Ow)|8@e^nBJbau{A={KW#+h-MqF5Wf|y?SgJJ23&GInH086e2>7L7m`4F5 zp+8HJCJzvE0M=-gsKczyB~eVdqteMI42|h?^EsC_{ocq?)}Fs8-rac@*;Ac2E?PIG z%l~t*S^u-lne+Pr({r%rgpyoE4ioD&m zKcJk&{aTrFx_NTc?;qI!SQ9xz{Z}%~L<%iJ!2-A%Wfv>;^tFDY*n0E#-245#!B+hz zSt#`wGq5%O_Z#njhyLN=;a>lD0S%3BjiR@k0oQe#w&U9{xhjoJ2GA%=EGkHB)kd{0 zu5&reYav3yVS+&81f>$3=&ZD2vP_6lO){{^>*)mVJogDaFKpKT;>~mi{{OhY?*I4o zUps-?n_f{`nqO$QUjeL2QS%Dak>FE0OS9pdReV($yJjxFj__HkA4m4N_xgK;b^TXb zbuUhbZ_iG>IC>HqTmAn@Q~&!X$H#m9-vu}a2f#!~7(}=LbNZCefO4f}nw97|&Ijvk zp%=hUDPs`MiPSK92QuYwOZ6OxeL*QM=N#wv-+!MFHFvyj=BicK&QaZvg6S+#9tLoQ zN*hcH$cz}ew(>5cAvjyY3f+O_i!f$~%#p>AuyjT_OsP~F+*(^Pwy6D_Q9Vy5UMS+O z8Rn*(YO~(@FKlfY9b2-${yG$Wda zR(tmd8vkQ(Lo8LSQI}M$=BWRPq0;e5JjLnP_iKwbwiSo8)jh(N+Q&ypXziFD!S**6 z!)z#r*^N1DFLf);VO>^U83}pN|F_3~`Q7hR1b<(V{~aH#)qneg{r%5Qpc?-buRx99 zulf+Uv&gRuM^>*y8$!E>0;z2BlgCkC#hgX`+{e3zJ?vo*8{xkJ00960Gbunb07d`+ Dz{+|{ literal 0 HcmV?d00001 diff --git a/charts/rancher-webhook/103.0.8+up0.4.9/Chart.yaml b/charts/rancher-webhook/103.0.8+up0.4.9/Chart.yaml new file mode 100644 index 0000000000..58269b289a --- /dev/null +++ b/charts/rancher-webhook/103.0.8+up0.4.9/Chart.yaml @@ -0,0 +1,14 @@ +annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/kube-version: '>= 1.23.0-0 < 1.29.0-0' + catalog.cattle.io/namespace: cattle-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0' + catalog.cattle.io/release-name: rancher-webhook +apiVersion: v2 +appVersion: 0.4.9 +description: ValidatingAdmissionWebhook for Rancher types +name: rancher-webhook +version: 103.0.8+up0.4.9 
diff --git a/charts/rancher-webhook/103.0.8+up0.4.9/templates/_helpers.tpl b/charts/rancher-webhook/103.0.8+up0.4.9/templates/_helpers.tpl
new file mode 100644
index 0000000000..c37a65c6f3
--- /dev/null
+++ b/charts/rancher-webhook/103.0.8+up0.4.9/templates/_helpers.tpl
@@ -0,0 +1,22 @@
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- else -}}
+{{- "" -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "rancher-webhook.labels" -}}
+app: rancher-webhook
+{{- end }}
+
+{{- define "linux-node-tolerations" -}}
+- key: "cattle.io/os"
+ value: "linux"
+ effect: "NoSchedule"
+ operator: "Equal"
+{{- end -}}
+
+{{- define "linux-node-selector" -}}
+kubernetes.io/os: linux
+{{- end -}}
\ No newline at end of file
diff --git a/charts/rancher-webhook/103.0.8+up0.4.9/templates/deployment.yaml b/charts/rancher-webhook/103.0.8+up0.4.9/templates/deployment.yaml
new file mode 100644
index 0000000000..b8a7201dac
--- /dev/null
+++ b/charts/rancher-webhook/103.0.8+up0.4.9/templates/deployment.yaml
@@ -0,0 +1,82 @@
+{{- $auth := .Values.auth | default dict }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: rancher-webhook
+spec:
+ selector:
+ matchLabels:
+ app: rancher-webhook
+ template:
+ metadata:
+ labels:
+ app: rancher-webhook
+ spec:
+ {{- if $auth.clientCA }}
+ volumes:
+ - name: client-ca
+ secret:
+ secretName: client-ca
+ {{- end }}
+ {{- if .Values.global.hostNetwork }}
+ hostNetwork: true
+ {{- end }}
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+ {{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+ {{- end }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 6 }}
+ {{- if .Values.tolerations }}
+{{ toYaml .Values.tolerations | indent 6 }}
+ {{- end }}
+ containers:
+ - env:
+ - name: STAMP
+ value: "{{.Values.stamp}}"
+ - name: ENABLE_MCM
+ value: "{{.Values.mcm.enabled}}"
+ - name: CATTLE_PORT
+ value: {{.Values.port | default 9443 | quote}}
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ {{- if $auth.allowedCNs }}
+ - name: ALLOWED_CNS
+ value: '{{ join "," $auth.allowedCNs }}'
+ {{- end }}
+ image: '{{ template "system_default_registry" .
}}{{ .Values.image.repository }}:{{ .Values.image.tag }}'
+ name: rancher-webhook
+ imagePullPolicy: "{{ .Values.image.imagePullPolicy }}"
+ ports:
+ - name: https
+ containerPort: {{ .Values.port | default 9443 }}
+ startupProbe:
+ httpGet:
+ path: "/healthz"
+ port: "https"
+ scheme: "HTTPS"
+ failureThreshold: 60
+ periodSeconds: 5
+ livenessProbe:
+ httpGet:
+ path: "/healthz"
+ port: "https"
+ scheme: "HTTPS"
+ periodSeconds: 5
+ {{- if $auth.clientCA }}
+ volumeMounts:
+ - name: client-ca
+ mountPath: /tmp/k8s-webhook-server/client-ca
+ readOnly: true
+ {{- end }}
+ {{- if .Values.capNetBindService }}
+ securityContext:
+ capabilities:
+ add:
+ - NET_BIND_SERVICE
+ {{- end }}
+ serviceAccountName: rancher-webhook
+ {{- if .Values.priorityClassName }}
+ priorityClassName: "{{.Values.priorityClassName}}"
+ {{- end }}
diff --git a/charts/rancher-webhook/103.0.8+up0.4.9/templates/rbac.yaml b/charts/rancher-webhook/103.0.8+up0.4.9/templates/rbac.yaml
new file mode 100644
index 0000000000..f4364995c0
--- /dev/null
+++ b/charts/rancher-webhook/103.0.8+up0.4.9/templates/rbac.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: rancher-webhook
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+- kind: ServiceAccount
+ name: rancher-webhook
+ namespace: {{.Release.Namespace}}
\ No newline at end of file
diff --git a/charts/rancher-webhook/103.0.8+up0.4.9/templates/secret.yaml b/charts/rancher-webhook/103.0.8+up0.4.9/templates/secret.yaml
new file mode 100644
index 0000000000..9fd331dc1e
--- /dev/null
+++ b/charts/rancher-webhook/103.0.8+up0.4.9/templates/secret.yaml
@@ -0,0 +1,11 @@
+{{- $auth := .Values.auth | default dict }}
+{{- if $auth.clientCA }}
+apiVersion: v1
+data:
+ ca.crt: {{ $auth.clientCA }}
+kind: Secret
+metadata:
+ name: client-ca
+ namespace: cattle-system
+type: Opaque
+{{- end }}
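Review bot: The container's securityContext in deployment.yaml is rendered only inside `{{- if .Values.capNetBindService }}` and then only adds NET_BIND_SERVICE, so a default install declares no privilege restrictions at all while `hostNetwork: true` is also reachable from values; an unconditional baseline of `allowPrivilegeEscalation: false` with the NET_BIND_SERVICE add nested inside the existing conditional keeps today's behaviour and makes the floor explicit. Whether the image also tolerates `runAsNonRoot` or `readOnlyRootFilesystem` is not visible from this diff, so those are left out here. Note that deployment_test.yaml's `should not set capabilities by default` case asserts `isNull` on the whole `securityContext` and would need to assert on `securityContext.capabilities` instead once a baseline is always present.
```yaml
        # … unchanged: probes and volumeMounts …
        securityContext:
          allowPrivilegeEscalation: false
          {{- if .Values.capNetBindService }}
          capabilities:
            add:
            - NET_BIND_SERVICE
          {{- end }}
      serviceAccountName: rancher-webhook
```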
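Review bot: rbac.yaml binds the `rancher-webhook` ServiceAccount to the built-in `cluster-admin` ClusterRole with no comment recording why the full scope is needed, which leaves anyone hardening an install with nothing to reason from. Since package.yaml shows this chart is repackaged from the upstream rancher/webhook release tarball, the justification (or a narrower ClusterRole) belongs upstream, but a pointer here would still help: `# cluster-admin is inherited from the upstream rancher/webhook chart; TODO(review): document the minimum scope the webhook actually needs`. The file also ends without a trailing newline (`\ No newline at end of file`), which the other templates mostly avoid.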
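Review bot: secret.yaml pins the `client-ca` Secret to `namespace: cattle-system`, while the Deployment that mounts it (`secretName: client-ca` in deployment.yaml) carries no namespace and so lands in `.Release.Namespace`, the value rbac.yaml uses; installed into any other namespace the pod would fail to mount its client-ca volume and never become ready. The `catalog.cattle.io/namespace: cattle-system` annotation makes that unlikely in Rancher, but `namespace: {{ .Release.Namespace }}` keeps the templates consistent with each other. service.yaml hard-codes the same `namespace: cattle-system` and has the same mismatch.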
diff --git a/charts/rancher-webhook/103.0.8+up0.4.9/templates/service.yaml b/charts/rancher-webhook/103.0.8+up0.4.9/templates/service.yaml
new file mode 100644
index 0000000000..220afebeae
--- /dev/null
+++ b/charts/rancher-webhook/103.0.8+up0.4.9/templates/service.yaml
@@ -0,0 +1,13 @@
+kind: Service
+apiVersion: v1
+metadata:
+ name: rancher-webhook
+ namespace: cattle-system
+spec:
+ ports:
+ - port: 443
+ targetPort: {{ .Values.port | default 9443 }}
+ protocol: TCP
+ name: https
+ selector:
+ app: rancher-webhook
diff --git a/charts/rancher-webhook/103.0.8+up0.4.9/templates/serviceaccount.yaml b/charts/rancher-webhook/103.0.8+up0.4.9/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..9e7ad7e1fe
--- /dev/null
+++ b/charts/rancher-webhook/103.0.8+up0.4.9/templates/serviceaccount.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: rancher-webhook
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: rancher-webhook-sudo
+ annotations:
+ cattle.io/description: "SA which can be impersonated to bypass rancher-webhook validation"
\ No newline at end of file
diff --git a/charts/rancher-webhook/103.0.8+up0.4.9/templates/webhook.yaml b/charts/rancher-webhook/103.0.8+up0.4.9/templates/webhook.yaml
new file mode 100644
index 0000000000..53a0687b6f
--- /dev/null
+++ b/charts/rancher-webhook/103.0.8+up0.4.9/templates/webhook.yaml
@@ -0,0 +1,9 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: rancher.cattle.io
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: rancher.cattle.io
diff --git a/charts/rancher-webhook/103.0.8+up0.4.9/tests/README.md b/charts/rancher-webhook/103.0.8+up0.4.9/tests/README.md
new file mode 100644
index 0000000000..6d3059a005
--- /dev/null
+++ b/charts/rancher-webhook/103.0.8+up0.4.9/tests/README.md
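Review bot: serviceaccount.yaml creates `rancher-webhook-sudo`, annotated as an account that can be impersonated to bypass webhook validation, but nothing in this chart grants or constrains `impersonate` on it (rbac.yaml binds only `rancher-webhook`), so the control over who may bypass validation is enforced somewhere outside these templates. A reader auditing the install has to go looking for that; extending the annotation to say so would save them the search, e.g. `cattle.io/description: "SA which can be impersonated to bypass rancher-webhook validation; impersonation rights are not granted by this chart"`. Where the bypass is actually honoured is presumably the webhook binary itself, which this diff does not show.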
@@ -0,0 +1,16 @@
+
+## local dev testing instructions
+
+Option 1: Full chart CI run with a live cluster
+
+```bash
+./scripts/charts/ci
+```
+
+Option 2: Test runs against the chart only
+
+```bash
+# install the helm plugin first - helm plugin install https://github.com/helm-unittest/helm-unittest.git
+bash dev-scripts/helm-unittest.sh
+```
+
diff --git a/charts/rancher-webhook/103.0.8+up0.4.9/tests/deployment_test.yaml b/charts/rancher-webhook/103.0.8+up0.4.9/tests/deployment_test.yaml
new file mode 100644
index 0000000000..bbd6e30444
--- /dev/null
+++ b/charts/rancher-webhook/103.0.8+up0.4.9/tests/deployment_test.yaml
@@ -0,0 +1,73 @@
+suite: Test Deployment
+templates:
+ - deployment.yaml
+
+tests:
+ - it: should set webhook default port values
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].ports[0].containerPort
+ value: 9443
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: CATTLE_PORT
+ value: "9443"
+
+ - it: should set updated webhook port
+ set:
+ port: 2319
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].ports[0].containerPort
+ value: 2319
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: CATTLE_PORT
+ value: "2319"
+
+ - it: should not set capabilities by default.
+ asserts:
+ - isNull:
+ path: spec.template.spec.containers[0].securityContext
+
+ - it: should set net capabilities when capNetBindService is true.
+ set:
+ capNetBindService: true
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].securityContext.capabilities.add
+ content: NET_BIND_SERVICE
+
+ - it: should not set volumes or volumeMounts by default
+ asserts:
+ - isNull:
+ path: spec.template.spec.volumes
+ - isNull:
+ path: spec.template.spec.volumeMounts
+
+ - it: should set CA fields when CA options are set
+ set:
+ auth.clientCA: base64-encoded-cert
+ auth.allowedCNs:
+ - kube-apiserver
+ - joe
+ asserts:
+ - contains:
+ path: spec.template.spec.volumes
+ content:
+ name: client-ca
+ secret:
+ secretName: client-ca
+ - contains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ name: client-ca
+ mountPath: /tmp/k8s-webhook-server/client-ca
+ readOnly: true
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: ALLOWED_CNS
+ value: kube-apiserver,joe
diff --git a/charts/rancher-webhook/103.0.8+up0.4.9/tests/service_test.yaml b/charts/rancher-webhook/103.0.8+up0.4.9/tests/service_test.yaml
new file mode 100644
index 0000000000..03172ad033
--- /dev/null
+++ b/charts/rancher-webhook/103.0.8+up0.4.9/tests/service_test.yaml
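Review bot: In the `should not set volumes or volumeMounts by default` case, the `isNull` on `spec.template.spec.volumeMounts` checks a path that never exists in a Deployment, because volumeMounts live under the container, so that assertion passes vacuously and would not catch a mount rendered by default. The positive case further down already uses the correct location, so the fix is one line: `path: spec.template.spec.containers[0].volumeMounts`.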
@@ -0,0 +1,18 @@
+suite: Test Service
+templates:
+ - service.yaml
+
+tests:
+ - it: should set webhook default port values
+ asserts:
+ - equal:
+ path: spec.ports[0].targetPort
+ value: 9443
+
+ - it: should set updated target port
+ set:
+ port: 2319
+ asserts:
+ - equal:
+ path: spec.ports[0].targetPort
+ value: 2319
diff --git a/charts/rancher-webhook/103.0.8+up0.4.9/values.yaml b/charts/rancher-webhook/103.0.8+up0.4.9/values.yaml
new file mode 100644
index 0000000000..fe457dfb14
--- /dev/null
+++ b/charts/rancher-webhook/103.0.8+up0.4.9/values.yaml
@@ -0,0 +1,30 @@
+image:
+ repository: rancher/rancher-webhook
+ tag: v0.4.9
+ imagePullPolicy: IfNotPresent
+
+global:
+ cattle:
+ systemDefaultRegistry: ""
+ hostNetwork: false
+
+mcm:
+ enabled: true
+
+# tolerations for the webhook deployment. See https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ for more info
+tolerations: []
+nodeSelector: {}
+
+## PriorityClassName assigned to deployment.
+priorityClassName: ""
+
+# port assigns which port to use when running rancher-webhook
+port: 9443
+
+# Parameters for authenticating the kube-apiserver.
+auth:
+ # CA for authenticating kube-apiserver client certs. If empty, client connections will not be authenticated.
+ # Must be base64-encoded.
+ clientCA: ""
+ # Allowlist of CNs for kube-apiserver client certs. If empty, any cert signed by the CA provided in clientCA will be accepted.
+ allowedCNs: []
diff --git a/index.yaml b/index.yaml
index 5d08843767..35ec8d67ca 100755
--- a/index.yaml
+++ b/index.yaml
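Review bot: deployment.yaml reads `.Values.capNetBindService` (which deployment_test.yaml also sets) and `.Values.stamp`, but neither key is declared in values.yaml, so the chart's documented surface is incomplete and `helm show values` will not reveal that a capability can be added here. Declare both with their defaults and a comment: `# capNetBindService: when true, adds NET_BIND_SERVICE to the webhook container so it can bind a port below 1024` followed by `capNetBindService: false`, and `stamp: ""` with a note on what the STAMP env var is for, which this diff does not say.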
@@ -21727,6 +21727,24 @@ entries:
 - assets/rancher-vsphere-csi/rancher-vsphere-csi-2.1.000.tgz
 version: 2.1.000
 rancher-webhook:
+ - annotations:
+ catalog.cattle.io/certified: rancher
+ catalog.cattle.io/hidden: "true"
+ catalog.cattle.io/kube-version: '>= 1.23.0-0 < 1.29.0-0'
+ catalog.cattle.io/namespace: cattle-system
+ catalog.cattle.io/os: linux
+ catalog.cattle.io/permits-os: linux,windows
+ catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0'
+ catalog.cattle.io/release-name: rancher-webhook
+ apiVersion: v2
+ appVersion: 0.4.9
+ created: "2024-07-19T12:10:02.382765-07:00"
+ description: ValidatingAdmissionWebhook for Rancher types
+ digest: cc0db7f86c2ae05f106e6245238e2723cd62bceebfc3d3c1978e64d8fb7e2d2b
+ name: rancher-webhook
+ urls:
+ - assets/rancher-webhook/rancher-webhook-103.0.8+up0.4.9.tgz
+ version: 103.0.8+up0.4.9
 - annotations:
 catalog.cattle.io/certified: rancher
 catalog.cattle.io/hidden: "true"
diff --git a/packages/rancher-webhook/package.yaml b/packages/rancher-webhook/package.yaml
index f61f51fbee..72056daa3e 100644
--- a/packages/rancher-webhook/package.yaml
+++ b/packages/rancher-webhook/package.yaml
@@ -1,3 +1,3 @@
-url: https://github.com/rancher/webhook/releases/download/v0.4.8/rancher-webhook-0.4.8.tgz
-version: 103.0.7
+url: https://github.com/rancher/webhook/releases/download/v0.4.9/rancher-webhook-0.4.9.tgz
+version: 103.0.8
 doNotRelease: false
diff --git a/release.yaml b/release.yaml
index e69de29bb2..ef65d62a9f 100644
--- a/release.yaml
+++ b/release.yaml
@@ -0,0 +1,2 @@
+rancher-webhook:
+ - 103.0.8+up0.4.9

From 03a45384637ddbc54081eeccdba34a161e3d8b0d Mon Sep 17 00:00:00 2001
From: rancherbot
Date: Fri, 19 Jul 2024 21:04:10 +0000
Subject: [PATCH 3/3] Updating resync.yaml

---
 regsync.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/regsync.yaml b/regsync.yaml
index b7c88695e2..fbf2786670 100644
--- a/regsync.yaml
+++ b/regsync.yaml
@@ -1819,6 +1819,7 @@ sync:
 - v0.4.6
 - v0.4.7
 - v0.4.8
+ - v0.4.9
 - source: docker.io/rancher/security-scan
 target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/security-scan'
 type: repository