From be01626a9779bf889ab9403e5b10e1140f3695d6 Mon Sep 17 00:00:00 2001
From: nicholasSSUSE
Date: Tue, 5 Nov 2024 15:35:11 -0300
Subject: [PATCH 1/2] clean release.yaml
---
release.yaml | 9 +--------
1 file changed, 1 insertion(+), 8 deletions(-)
diff --git a/release.yaml b/release.yaml
index 57e850dd8e..8b13789179 100644
--- a/release.yaml
+++ b/release.yaml
@@ -1,8 +1 @@
-longhorn:
- - 104.2.1+up1.7.2
- - 102.5.1+up1.7.2
- - 103.4.1+up1.7.2
-longhorn-crd:
- - 104.2.1+up1.7.2
- - 102.5.1+up1.7.2
- - 103.4.1+up1.7.2
+
From 7175eda582dc43a63567ab44a276c1710ed18cc8 Mon Sep 17 00:00:00 2001
From: nicholasSSUSE Date: Tue, 5 Nov 2024 15:35:48 -0300 Subject: [PATCH 2/2] forward-port rancher-webhook 2.0.3+up0.3.13 --- .../rancher-webhook-2.0.13+up0.3.13.tgz | Bin 0 -> 2704 bytes .../2.0.13+up0.3.13/Chart.yaml | 18 ++++ .../2.0.13+up0.3.13/charts/capi/Chart.yaml | 4 + .../charts/capi/templates/service.yaml | 13 +++ .../2.0.13+up0.3.13/templates/_helpers.tpl | 22 +++++ .../2.0.13+up0.3.13/templates/deployment.yaml | 83 ++++++++++++++++++ .../2.0.13+up0.3.13/templates/rbac.yaml | 12 +++ .../2.0.13+up0.3.13/templates/service.yaml | 13 +++ .../templates/serviceaccount.yaml | 11 +++ .../2.0.13+up0.3.13/templates/webhook.yaml | 9 ++ .../2.0.13+up0.3.13/tests/README.md | 16 ++++ .../tests/capi-service_test.yaml | 20 +++++ .../tests/deployment_test.yaml | 62 +++++++++++++ .../2.0.13+up0.3.13/tests/service_test.yaml | 18 ++++ .../2.0.13+up0.3.13/values.yaml | 26 ++++++ index.yaml | 22 +++++ release.yaml | 3 +- 17 files changed, 351 insertions(+), 1 deletion(-) create mode 100644 assets/rancher-webhook/rancher-webhook-2.0.13+up0.3.13.tgz create mode 100644 charts/rancher-webhook/2.0.13+up0.3.13/Chart.yaml create mode 100644 charts/rancher-webhook/2.0.13+up0.3.13/charts/capi/Chart.yaml create mode 100644 charts/rancher-webhook/2.0.13+up0.3.13/charts/capi/templates/service.yaml create mode 100644 charts/rancher-webhook/2.0.13+up0.3.13/templates/_helpers.tpl create mode 100644 charts/rancher-webhook/2.0.13+up0.3.13/templates/deployment.yaml create mode 100644 charts/rancher-webhook/2.0.13+up0.3.13/templates/rbac.yaml create mode 100644 charts/rancher-webhook/2.0.13+up0.3.13/templates/service.yaml create mode 100644 charts/rancher-webhook/2.0.13+up0.3.13/templates/serviceaccount.yaml create mode 100644 charts/rancher-webhook/2.0.13+up0.3.13/templates/webhook.yaml create mode 100644 charts/rancher-webhook/2.0.13+up0.3.13/tests/README.md create mode 100644 charts/rancher-webhook/2.0.13+up0.3.13/tests/capi-service_test.yaml create mode 100644 
charts/rancher-webhook/2.0.13+up0.3.13/tests/deployment_test.yaml create mode 100644 charts/rancher-webhook/2.0.13+up0.3.13/tests/service_test.yaml create mode 100644 charts/rancher-webhook/2.0.13+up0.3.13/values.yaml 
diff --git a/assets/rancher-webhook/rancher-webhook-2.0.13+up0.3.13.tgz b/assets/rancher-webhook/rancher-webhook-2.0.13+up0.3.13.tgz new file mode 100644 index 0000000000000000000000000000000000000000..df9a56db9c43b417b51b5a4ae1f6ebe87634eafb GIT binary patch literal 2704 zcmV;B3UBoviwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PGxHZ{xUepYmikjByZdo^J)(6 ze*_5ULJ>s;m!1XS6GfPqJ3dj0p+iO2$3)Q?#lVAnue73tGzgG;&{0W>omQ0Fbc*%@ z6G;X4;O*c420f>L?6|fIf7M^#>922FyK)ktjERpPWR14GmkOg+WFb9Zl&8P7K8-Pn zsFHSx^_M%!192x?u?zL6iQRWbxzv4UgU|^wBob{cd^vfAqFE%S9}A+3zD44={OLN! zPVd+XFh(9A_bE!xvcVTTpvqwQB&H5>GG!Q802v3}XaOV`3rUqo?mg&qtN^8-&^YV& zkuVw%Mfvp>kIBV?B0aPVoao?;upGt zE%x6XoiyYB;qYX5u>bpjhX)%1oKcR@$qe&NkXh!NBsa|+upb{SjYwzUe9Qub%(NHL zZmUTzyTu9RY6hJ@$!_Oa1dvHAe{`1eAP-i)Th$RYcDKXG6q(EjkT_nAZVO6HLMBtN zwb8EF_?(apx2XMBH3QMU%!E>2-d8u^Y=*w_pfeU%nHw>gl87}u?FKsMpHsp*>&H_O zL*~vSlcDaimKjimQv3R^*Z+#Ud0{lTMgIq*{&7S9M+5he|L+B=X()+f*SMqfWIc4ZdnMMU}GPe$jm27p$r11Pp#-mk(>1FMl(O9Y@0 zLqo%0Ra0iI-Wk$Dur$Jww4D!6F00V)|miYCzQrQ)Sxqo;lcuPg1`0=r` z()E0N`u$JmH)p4l4;u+o_v{8b7iSk6$wYp%iOSjO_4QBZHLG5WY=+q&ud})heb%FSmwJIl-(9v{7x$BNA1@$qfRvE9Jd zJJU~j*+hZL?`zqmHx-|_2jDhY(^+c6TA)+l%ZgO z2Sc~=IL3sE;0k@g1L?s@`H0a4a+LCw#9k}clbmDW9xp`7+jdRWO9Dh1E7Pa0isJ6= zJ6U=~iOB+!uKu8WZu^)hS(Bw^g4@I!qxzom;7U{Qv5G6vPt8$?;0k}M&8SaeGNp_v zin2b_BnavaHjK}&Z@&L9et&aye);jk**UBiP-aq``o11>Yar0>u2zn1mNeT=bSlQT z`E;q&E7E;c{I@>-Po~7*%{lP4{C{xVYv%vGe(w-9f3ayu{q+w}i<=&qjs9Ut_6A5c@9 z`lWR5394OFr25r-k&Blhr=5o|gTb-!REi{XR9_Qe#)(kE7tDj}vn=(hhp+Y1ht^Yq z*Pich4Yuk($xP`>%)nOv?>5f=`)c3R7dwG8P{^Hz;f}QZ#>iw!sFlJCfWD&$Hol_1onn(q9t*yW zh3VAsMby=3cFL*J`2RcKtWU_jv+vW5)cFC}5lZ z4~I?tAB{$%gZ}RWWJ(q0T3DO{lrdnIwHLZeV!Gyd$TGVo!=}mu8H$tzAW>CnEwgmq zWcOK-aduH{n|vv=$pd>`HTCjvpif_y?M+kMq7kU z;~>i$OlKo&tB~0_M*q0?-M&RPJa@VN?fSp0{du|eZ`J?f{;*m9HyR%5fA#}a{jXH~ zG)zFF7R-8q!he-c6k<5$*RnK2t4XOZwQJ>7mHDnXZ+tnk-d1MDv=q#8T=@)s$QO-^ zbL5T7;!VXH%PJ5(`p#=e)K>Yi6id%jXQK@+_EDP=ZrIfsq|29@x3$%GUwTF7L 
zL)-C$ZdaSvn$XRgw0%~&P-bSU#RV|EFASd3K7&+_Q}&!GY?L>&E;4V5V_x%Et(u_H z#3oM59;jn(ieX-`JdLq9RhbTx z?_S^u`Cl#5+gIfGq-@B9cF#=YUgGjzCsq5eKvVy#$^NeX3u2r8yQAj&AH%`P;rwSW zu<>sQT*tL4|1GenKY4A@53mE+r2o6B1>1W6(>rO@fArkL{qKI@E9<|i1>MxVCb3ef z!4U(Sm>TcOpP^*$Ott?Pig{_OrChA}Zo+fQ$IN>qrhM#B9Cm;M9N+*|_)h=;0RR6@ KP_yO$P5=PJd`}$! literal 0 HcmV?d00001 diff --git a/charts/rancher-webhook/2.0.13+up0.3.13/Chart.yaml b/charts/rancher-webhook/2.0.13+up0.3.13/Chart.yaml new file mode 100644 index 0000000000..f5a64be082 --- /dev/null +++ b/charts/rancher-webhook/2.0.13+up0.3.13/Chart.yaml @@ -0,0 +1,18 @@ +annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/kube-version: '>= 1.23.0-0 < 1.28.0-0' + catalog.cattle.io/namespace: cattle-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0' + catalog.cattle.io/release-name: rancher-webhook +apiVersion: v2 +appVersion: 0.3.13 +dependencies: +- condition: capi.enabled + name: capi + repository: "" +description: ValidatingAdmissionWebhook for Rancher types +name: rancher-webhook +version: 2.0.13+up0.3.13 diff --git a/charts/rancher-webhook/2.0.13+up0.3.13/charts/capi/Chart.yaml b/charts/rancher-webhook/2.0.13+up0.3.13/charts/capi/Chart.yaml new file mode 100644 index 0000000000..388210bef1 --- /dev/null +++ b/charts/rancher-webhook/2.0.13+up0.3.13/charts/capi/Chart.yaml @@ -0,0 +1,4 @@ +apiVersion: v2 +appVersion: 0.0.0 +name: capi +version: 0.0.0 diff --git a/charts/rancher-webhook/2.0.13+up0.3.13/charts/capi/templates/service.yaml b/charts/rancher-webhook/2.0.13+up0.3.13/charts/capi/templates/service.yaml new file mode 100644 index 0000000000..de7c255c4e --- /dev/null +++ b/charts/rancher-webhook/2.0.13+up0.3.13/charts/capi/templates/service.yaml 
@@ -0,0 +1,13 @@
+kind: Service
+apiVersion: v1
+metadata:
+ name: webhook-service
+ annotations:
+ need-a-cert.cattle.io/secret-name: rancher-webhook-tls
+spec:
+ ports:
+ - name: https
+ port: 443
+ targetPort: {{ .Values.port | default 8777 }}
+ selector:
+ app: rancher-webhook
diff --git a/charts/rancher-webhook/2.0.13+up0.3.13/templates/_helpers.tpl b/charts/rancher-webhook/2.0.13+up0.3.13/templates/_helpers.tpl
new file mode 100644
index 0000000000..c37a65c6f3
--- /dev/null
+++ b/charts/rancher-webhook/2.0.13+up0.3.13/templates/_helpers.tpl
@@ -0,0 +1,22 @@
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- else -}}
+{{- "" -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "rancher-webhook.labels" -}}
+app: rancher-webhook
+{{- end }}
+
+{{- define "linux-node-tolerations" -}}
+- key: "cattle.io/os"
+ value: "linux"
+ effect: "NoSchedule"
+ operator: "Equal"
+{{- end -}}
+
+{{- define "linux-node-selector" -}}
+kubernetes.io/os: linux
+{{- end -}}
\ No newline at end of file
diff --git a/charts/rancher-webhook/2.0.13+up0.3.13/templates/deployment.yaml b/charts/rancher-webhook/2.0.13+up0.3.13/templates/deployment.yaml
new file mode 100644
index 0000000000..13738feae0
--- /dev/null
+++ b/charts/rancher-webhook/2.0.13+up0.3.13/templates/deployment.yaml
@@ -0,0 +1,83 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: rancher-webhook
+spec:
+ selector:
+ matchLabels:
+ app: rancher-webhook
+ template:
+ metadata:
+ labels:
+ app: rancher-webhook
+ spec:
+ {{- if .Values.capi.enabled }}
+ volumes:
+ - name: tls
+ secret:
+ secretName: rancher-webhook-tls
+ {{- end }}
+ {{- if .Values.global.hostNetwork }}
+ hostNetwork: true
+ {{- end }}
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+ {{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+ {{- end }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 6 }}
+ {{- if .Values.tolerations }}
+{{ toYaml .Values.tolerations | indent 6 }}
+ {{- end }}
+ containers:
+ - env:
+ - name: STAMP
+ value: "{{.Values.stamp}}"
+ - name: ENABLE_CAPI
+ value: "{{.Values.capi.enabled}}"
+ - name: ENABLE_MCM
+ value: "{{.Values.mcm.enabled}}"
+ - name: CATTLE_PORT
+ value: {{.Values.port | default 9443 | quote}}
+ - name: CATTLE_CAPI_PORT
+ value: {{.Values.capi.port | default 8777 | quote}}
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ image: '{{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}'
+ name: rancher-webhook
+ imagePullPolicy: "{{ .Values.image.imagePullPolicy }}"
+ ports:
+ - name: https
+ containerPort: {{ .Values.port | default 9443 }}
+ - name: capi-https
+ containerPort: {{ .Values.capi.port | default 8777}}
+ startupProbe:
+ httpGet:
+ path: "/healthz"
+ port: "https"
+ scheme: "HTTPS"
+ failureThreshold: 60
+ periodSeconds: 5
+ livenessProbe:
+ httpGet:
+ path: "/healthz"
+ port: "https"
+ scheme: "HTTPS"
+ periodSeconds: 5
+ {{- if .Values.capi.enabled }}
+ volumeMounts:
+ - name: tls
+ mountPath: /tmp/k8s-webhook-server/serving-certs
+ {{- end }}
+ {{- if .Values.capNetBindService }}
+ securityContext:
+ capabilities:
+ add:
+ - NET_BIND_SERVICE
+ {{- end }}
+ serviceAccountName: rancher-webhook
+ {{- if .Values.priorityClassName }}
+ priorityClassName: "{{.Values.priorityClassName}}"
+ {{- end }}
+
\ No newline at end of file
diff --git a/charts/rancher-webhook/2.0.13+up0.3.13/templates/rbac.yaml b/charts/rancher-webhook/2.0.13+up0.3.13/templates/rbac.yaml
new file mode 100644
index 0000000000..f4364995c0
--- /dev/null
+++ b/charts/rancher-webhook/2.0.13+up0.3.13/templates/rbac.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: rancher-webhook
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+- kind: ServiceAccount
+ name: rancher-webhook
+ namespace: {{.Release.Namespace}}
\ No newline at end of file
diff --git a/charts/rancher-webhook/2.0.13+up0.3.13/templates/service.yaml b/charts/rancher-webhook/2.0.13+up0.3.13/templates/service.yaml
new file mode 100644
index 0000000000..220afebeae
--- /dev/null
+++ b/charts/rancher-webhook/2.0.13+up0.3.13/templates/service.yaml
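Review bot: The webhook container gets a `securityContext` only inside the `{{- if .Values.capNetBindService }}` block of deployment.yaml, so a default install runs it with no privilege-escalation guard and the runtime's default capability set, while rbac.yaml in this same patch binds its ServiceAccount to `cluster-admin`. I would emit the `securityContext` unconditionally, drop all capabilities, set `allowPrivilegeEscalation: false`, and keep only the `add: NET_BIND_SERVICE` entry behind the flag. The `should not set capabilities by default` case in tests/deployment_test.yaml asserts that `securityContext` is null and would need to assert on `capabilities.add` instead. Whether the image can also run with `runAsNonRoot: true` is not visible from this patch, so that is left out; the indentation below is approximate because the page has lost the original.

```yaml
        # … unchanged: env, image, ports, probes, volumeMounts …
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
            {{- if .Values.capNetBindService }}
            add:
            - NET_BIND_SERVICE
            {{- end }}
      # … unchanged: serviceAccountName, priorityClassName …
```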
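Review bot: The ClusterRoleBinding in rbac.yaml grants `cluster-admin` to the `rancher-webhook` ServiceAccount, so any compromise of the webhook pod becomes full control of the cluster, and the same patch lets that pod share the node's network namespace through `global.hostNetwork`. Nothing in the chart records which API permissions the webhook actually needs. If they can be enumerated, a dedicated ClusterRole listing those resources and verbs should replace `name: cluster-admin`. Until then I would add a comment above `roleRef:` such as `# cluster-admin is broader than the webhook needs; see <tracking issue> for the scoped ClusterRole` so the grant is visibly deliberate, and make sure audit logging covers requests made by this ServiceAccount.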
@@ -0,0 +1,13 @@
+kind: Service
+apiVersion: v1
+metadata:
+ name: rancher-webhook
+ namespace: cattle-system
+spec:
+ ports:
+ - port: 443
+ targetPort: {{ .Values.port | default 9443 }}
+ protocol: TCP
+ name: https
+ selector:
+ app: rancher-webhook
diff --git a/charts/rancher-webhook/2.0.13+up0.3.13/templates/serviceaccount.yaml b/charts/rancher-webhook/2.0.13+up0.3.13/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..9e7ad7e1fe
--- /dev/null
+++ b/charts/rancher-webhook/2.0.13+up0.3.13/templates/serviceaccount.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: rancher-webhook
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: rancher-webhook-sudo
+ annotations:
+ cattle.io/description: "SA which can be impersonated to bypass rancher-webhook validation"
\ No newline at end of file
diff --git a/charts/rancher-webhook/2.0.13+up0.3.13/templates/webhook.yaml b/charts/rancher-webhook/2.0.13+up0.3.13/templates/webhook.yaml
new file mode 100644
index 0000000000..53a0687b6f
--- /dev/null
+++ b/charts/rancher-webhook/2.0.13+up0.3.13/templates/webhook.yaml
@@ -0,0 +1,9 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: rancher.cattle.io
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: rancher.cattle.io
diff --git a/charts/rancher-webhook/2.0.13+up0.3.13/tests/README.md b/charts/rancher-webhook/2.0.13+up0.3.13/tests/README.md
new file mode 100644
index 0000000000..6d3059a005
--- /dev/null
+++ b/charts/rancher-webhook/2.0.13+up0.3.13/tests/README.md
@@ -0,0 +1,16 @@
+
+## local dev testing instructions
+
+Option 1: Full chart CI run with a live cluster
+
+```bash
+./scripts/charts/ci
+```
+
+Option 2: Test runs against the chart only
+
+```bash
+# install the helm plugin first - helm plugin install https://github.com/helm-unittest/helm-unittest.git
+bash dev-scripts/helm-unittest.sh
+```
+
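Review bot: `namespace: cattle-system` is hard-coded on the Service in templates/service.yaml, whereas the ClusterRoleBinding subject in rbac.yaml uses `{{.Release.Namespace}}` and the Deployment and ServiceAccounts carry no namespace at all. If the release is installed into any other namespace, the Service is created apart from the pods it selects and the webhook endpoint has no backends. The Chart.yaml annotation `catalog.cattle.io/namespace: cattle-system` suggests that is the only intended target, but the template should not depend on it: `namespace: {{ .Release.Namespace }}`.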
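Review bot: The `rancher-webhook-sudo` ServiceAccount in serviceaccount.yaml is, by its own annotation, an identity whose impersonation bypasses webhook validation, yet the chart ships no RBAC and no comment stating who is allowed to impersonate it. Any subject that already holds `impersonate` on ServiceAccounts, in this namespace or cluster-wide, therefore also holds a bypass of the admission checks. I would document the intended control next to the resource, for example `# Bypass identity: grant "impersonate" on this ServiceAccount only through a resourceNames-scoped rule, and alert on audit events that impersonate it.` Operators should also review existing wildcard `impersonate` grants before enabling this chart.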
diff --git a/charts/rancher-webhook/2.0.13+up0.3.13/tests/capi-service_test.yaml b/charts/rancher-webhook/2.0.13+up0.3.13/tests/capi-service_test.yaml
new file mode 100644
index 0000000000..4ee94a84a4
--- /dev/null
+++ b/charts/rancher-webhook/2.0.13+up0.3.13/tests/capi-service_test.yaml
@@ -0,0 +1,20 @@
+suite: Test Service
+templates:
+ - charts/capi/templates/service.yaml
+tests:
+ - it: should set webhook default port values
+ set:
+ capi.enabled: true
+ asserts:
+ - equal:
+ path: spec.ports[0].targetPort
+ value: 8777
+
+ - it: should set updated target port
+ set:
+ capi.port: 2319
+ capi.enabled: true
+ asserts:
+ - equal:
+ path: spec.ports[0].targetPort
+ value: 2319
diff --git a/charts/rancher-webhook/2.0.13+up0.3.13/tests/deployment_test.yaml b/charts/rancher-webhook/2.0.13+up0.3.13/tests/deployment_test.yaml
new file mode 100644
index 0000000000..66a74d4e5f
--- /dev/null
+++ b/charts/rancher-webhook/2.0.13+up0.3.13/tests/deployment_test.yaml
@@ -0,0 +1,62 @@
+suite: Test Deployment
+templates:
+ - deployment.yaml
+
+tests:
+ - it: should set webhook default port values
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].ports[0].containerPort
+ value: 9443
+ - equal:
+ path: spec.template.spec.containers[0].ports[1].containerPort
+ value: 8777
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: CATTLE_PORT
+ value: "9443"
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: CATTLE_CAPI_PORT
+ value: "8777"
+
+ - it: should set updated webhook port
+ set:
+ port: 2319
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].ports[0].containerPort
+ value: 2319
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: CATTLE_PORT
+ value: "2319"
+
+ - it: should set updated capi port
+ set:
+ capi.port: 2319
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].ports[1].containerPort
+ value: 2319
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: CATTLE_CAPI_PORT
+ value: "2319"
+
+ - it: should not set capabilities by default.
+ asserts:
+ - isNull:
+ path: spec.template.spec.containers[0].securityContext
+
+ - it: should set net capabilities when capNetBindService is true.
+ set:
+ capNetBindService: true
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].securityContext.capabilities.add
+ content: NET_BIND_SERVICE
diff --git a/charts/rancher-webhook/2.0.13+up0.3.13/tests/service_test.yaml b/charts/rancher-webhook/2.0.13+up0.3.13/tests/service_test.yaml
new file mode 100644
index 0000000000..03172ad033
--- /dev/null
+++ b/charts/rancher-webhook/2.0.13+up0.3.13/tests/service_test.yaml
@@ -0,0 +1,18 @@
+suite: Test Service
+templates:
+ - service.yaml
+
+tests:
+ - it: should set webhook default port values
+ asserts:
+ - equal:
+ path: spec.ports[0].targetPort
+ value: 9443
+
+ - it: should set updated target port
+ set:
+ port: 2319
+ asserts:
+ - equal:
+ path: spec.ports[0].targetPort
+ value: 2319
diff --git a/charts/rancher-webhook/2.0.13+up0.3.13/values.yaml b/charts/rancher-webhook/2.0.13+up0.3.13/values.yaml
new file mode 100644
index 0000000000..ad3339f6fe
--- /dev/null
+++ b/charts/rancher-webhook/2.0.13+up0.3.13/values.yaml
@@ -0,0 +1,26 @@
+image:
+ repository: rancher/rancher-webhook
+ tag: v0.3.13
+ imagePullPolicy: IfNotPresent
+
+global:
+ cattle:
+ systemDefaultRegistry: ""
+ hostNetwork: false
+
+capi:
+ enabled: false
+ port: 8777
+
+mcm:
+ enabled: true
+
+# tolerations for the webhook deployment. See https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ for more info
+tolerations: []
+nodeSelector: {}
+
+## PriorityClassName assigned to deployment.
+priorityClassName: ""
+
+# port assigns which port to use when running rancher-webhook
+port: 9443
diff --git a/index.yaml b/index.yaml
index 3b729954cb..62e5584206 100755
--- a/index.yaml
+++ b/index.yaml
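Review bot: values.yaml has no entry for `capNetBindService` or `stamp`, although deployment.yaml reads both, so the switch that adds a Linux capability to the webhook container is invisible to anyone reading the chart's defaults. I would declare it explicitly with its safe default and a comment, e.g. `# capNetBindService adds NET_BIND_SERVICE to the webhook container; presumably only needed when port is below 1024` followed by `capNetBindService: false`. `global.hostNetwork` likewise deserves a one-line comment saying that it places the pod in the node's network namespace.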
@@ -17201,6 +17201,28 @@ entries: urls: - assets/rancher-webhook/rancher-webhook-103.0.0+up0.4.0.tgz version: 103.0.0+up0.4.0 + - annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/kube-version: '>= 1.23.0-0 < 1.28.0-0' + catalog.cattle.io/namespace: cattle-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0' + catalog.cattle.io/release-name: rancher-webhook + apiVersion: v2 + appVersion: 0.3.13 + created: "2024-11-05T15:35:37.056651718-03:00" + dependencies: + - condition: capi.enabled + name: capi + repository: "" + description: ValidatingAdmissionWebhook for Rancher types + digest: e5e0df3207229b82a2dc5737db9e73a27d741542ce550ef527d49a455da3c158 + name: rancher-webhook + urls: + - assets/rancher-webhook/rancher-webhook-2.0.13+up0.3.13.tgz + version: 2.0.13+up0.3.13 - annotations: catalog.cattle.io/certified: rancher catalog.cattle.io/hidden: "true" diff --git a/release.yaml b/release.yaml index 8b13789179..91eacaa2b6 100644 --- a/release.yaml +++ b/release.yaml @@ -1 +1,2 @@ - +rancher-webhook: + - 2.0.13+up0.3.13