Skip to content

Commit

Permalink
fp: rancher-webhook 103.0.13+up0.4.14
Browse files Browse the repository at this point in the history
  • Loading branch information
nicholasSUSE committed Dec 19, 2024
1 parent 64eab9c commit 3fe7871
Show file tree
Hide file tree
Showing 15 changed files with 331 additions and 0 deletions.
Binary file not shown.
14 changes: 14 additions & 0 deletions charts/rancher-webhook/103.0.13+up0.4.14/Chart.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
annotations:
catalog.cattle.io/certified: rancher
catalog.cattle.io/hidden: "true"
catalog.cattle.io/kube-version: '>= 1.23.0-0 < 1.29.0-0'
catalog.cattle.io/namespace: cattle-system
catalog.cattle.io/os: linux
catalog.cattle.io/permits-os: linux,windows
catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0'
catalog.cattle.io/release-name: rancher-webhook
apiVersion: v2
appVersion: 0.4.14
description: ValidatingAdmissionWebhook for Rancher types
name: rancher-webhook
version: 103.0.13+up0.4.14
22 changes: 22 additions & 0 deletions charts/rancher-webhook/103.0.13+up0.4.14/templates/_helpers.tpl
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
{{- define "system_default_registry" -}}
{{- if .Values.global.cattle.systemDefaultRegistry -}}
{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
{{- else -}}
{{- "" -}}
{{- end -}}
{{- end -}}

{{- define "rancher-webhook.labels" -}}
app: rancher-webhook
{{- end }}

{{- define "linux-node-tolerations" -}}
- key: "cattle.io/os"
value: "linux"
effect: "NoSchedule"
operator: "Equal"
{{- end -}}

{{- define "linux-node-selector" -}}
kubernetes.io/os: linux
{{- end -}}
82 changes: 82 additions & 0 deletions charts/rancher-webhook/103.0.13+up0.4.14/templates/deployment.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,82 @@
{{- $auth := .Values.auth | default dict }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: rancher-webhook
spec:
selector:
matchLabels:
app: rancher-webhook
template:
metadata:
labels:
app: rancher-webhook
spec:
{{- if $auth.clientCA }}
volumes:
- name: client-ca
secret:
secretName: client-ca
{{- end }}
{{- if .Values.global.hostNetwork }}
hostNetwork: true
{{- end }}
nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
{{- if .Values.nodeSelector }}
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end }}
tolerations: {{ include "linux-node-tolerations" . | nindent 6 }}
{{- if .Values.tolerations }}
{{ toYaml .Values.tolerations | indent 6 }}
{{- end }}
containers:
- env:
- name: STAMP
value: "{{.Values.stamp}}"
- name: ENABLE_MCM
value: "{{.Values.mcm.enabled}}"
- name: CATTLE_PORT
value: {{.Values.port | default 9443 | quote}}
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{{- if $auth.allowedCNs }}
- name: ALLOWED_CNS
value: '{{ join "," $auth.allowedCNs }}'
{{- end }}
image: '{{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}'
name: rancher-webhook
imagePullPolicy: "{{ .Values.image.imagePullPolicy }}"
ports:
- name: https
containerPort: {{ .Values.port | default 9443 }}
startupProbe:
httpGet:
path: "/healthz"
port: "https"
scheme: "HTTPS"
failureThreshold: 60
periodSeconds: 5
livenessProbe:
httpGet:
path: "/healthz"
port: "https"
scheme: "HTTPS"
periodSeconds: 5
{{- if $auth.clientCA }}
volumeMounts:
- name: client-ca
mountPath: /tmp/k8s-webhook-server/client-ca
readOnly: true
{{- end }}
{{- if .Values.capNetBindService }}
securityContext:
capabilities:
add:
- NET_BIND_SERVICE
{{- end }}
serviceAccountName: rancher-webhook
{{- if .Values.priorityClassName }}
priorityClassName: "{{.Values.priorityClassName}}"
{{- end }}
12 changes: 12 additions & 0 deletions charts/rancher-webhook/103.0.13+up0.4.14/templates/rbac.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: rancher-webhook
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: rancher-webhook
namespace: {{.Release.Namespace}}
11 changes: 11 additions & 0 deletions charts/rancher-webhook/103.0.13+up0.4.14/templates/secret.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
{{- $auth := .Values.auth | default dict }}
{{- if $auth.clientCA }}
apiVersion: v1
data:
ca.crt: {{ $auth.clientCA }}
kind: Secret
metadata:
name: client-ca
namespace: cattle-system
type: Opaque
{{- end }}
13 changes: 13 additions & 0 deletions charts/rancher-webhook/103.0.13+up0.4.14/templates/service.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
kind: Service
apiVersion: v1
metadata:
name: rancher-webhook
namespace: cattle-system
spec:
ports:
- port: 443
targetPort: {{ .Values.port | default 9443 }}
protocol: TCP
name: https
selector:
app: rancher-webhook
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: rancher-webhook
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: rancher-webhook-sudo
annotations:
cattle.io/description: "SA which can be impersonated to bypass rancher-webhook validation"
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: rancher.cattle.io
---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: rancher.cattle.io
16 changes: 16 additions & 0 deletions charts/rancher-webhook/103.0.13+up0.4.14/tests/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@

## local dev testing instructions

Option 1: Full chart CI run with a live cluster

```bash
./scripts/charts/ci
```

Option 2: Test runs against the chart only

```bash
# install the helm plugin first - helm plugin install https://github.com/helm-unittest/helm-unittest.git
bash dev-scripts/helm-unittest.sh
```

Original file line number Diff line number Diff line change
@@ -0,0 +1,73 @@
suite: Test Deployment
templates:
- deployment.yaml

tests:
- it: should set webhook default port values
asserts:
- equal:
path: spec.template.spec.containers[0].ports[0].containerPort
value: 9443
- contains:
path: spec.template.spec.containers[0].env
content:
name: CATTLE_PORT
value: "9443"

- it: should set updated webhook port
set:
port: 2319
asserts:
- equal:
path: spec.template.spec.containers[0].ports[0].containerPort
value: 2319
- contains:
path: spec.template.spec.containers[0].env
content:
name: CATTLE_PORT
value: "2319"

- it: should not set capabilities by default.
asserts:
- isNull:
path: spec.template.spec.containers[0].securityContext

- it: should set net capabilities when capNetBindService is true.
set:
capNetBindService: true
asserts:
- contains:
path: spec.template.spec.containers[0].securityContext.capabilities.add
content: NET_BIND_SERVICE

- it: should not set volumes or volumeMounts by default
asserts:
- isNull:
path: spec.template.spec.volumes
- isNull:
path: spec.template.spec.volumeMounts

- it: should set CA fields when CA options are set
set:
auth.clientCA: base64-encoded-cert
auth.allowedCNs:
- kube-apiserver
- joe
asserts:
- contains:
path: spec.template.spec.volumes
content:
name: client-ca
secret:
secretName: client-ca
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
name: client-ca
mountPath: /tmp/k8s-webhook-server/client-ca
readOnly: true
- contains:
path: spec.template.spec.containers[0].env
content:
name: ALLOWED_CNS
value: kube-apiserver,joe
18 changes: 18 additions & 0 deletions charts/rancher-webhook/103.0.13+up0.4.14/tests/service_test.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
suite: Test Service
templates:
- service.yaml

tests:
- it: should set webhook default port values
asserts:
- equal:
path: spec.ports[0].targetPort
value: 9443

- it: should set updated target port
set:
port: 2319
asserts:
- equal:
path: spec.ports[0].targetPort
value: 2319
30 changes: 30 additions & 0 deletions charts/rancher-webhook/103.0.13+up0.4.14/values.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
image:
repository: rancher/rancher-webhook
tag: v0.4.14
imagePullPolicy: IfNotPresent

global:
cattle:
systemDefaultRegistry: ""
hostNetwork: false

mcm:
enabled: true

# tolerations for the webhook deployment. See https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ for more info
tolerations: []
nodeSelector: {}

## PriorityClassName assigned to deployment.
priorityClassName: ""

# port assigns which port to use when running rancher-webhook
port: 9443

# Parameters for authenticating the kube-apiserver.
auth:
# CA for authenticating kube-apiserver client certs. If empty, client connections will not be authenticated.
# Must be base64-encoded.
clientCA: ""
# Allowlist of CNs for kube-apiserver client certs. If empty, any cert signed by the CA provided in clientCA will be accepted.
allowedCNs: []
18 changes: 18 additions & 0 deletions index.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -20042,6 +20042,24 @@ entries:
urls:
- assets/rancher-webhook/rancher-webhook-104.0.0+up0.5.0.tgz
version: 104.0.0+up0.5.0
- annotations:
catalog.cattle.io/certified: rancher
catalog.cattle.io/hidden: "true"
catalog.cattle.io/kube-version: '>= 1.23.0-0 < 1.29.0-0'
catalog.cattle.io/namespace: cattle-system
catalog.cattle.io/os: linux
catalog.cattle.io/permits-os: linux,windows
catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0'
catalog.cattle.io/release-name: rancher-webhook
apiVersion: v2
appVersion: 0.4.14
created: "2024-12-18T21:55:40.659033591-03:00"
description: ValidatingAdmissionWebhook for Rancher types
digest: 9838b76a44ff824d3d182b8f1ae4438176861bbbed9c2341078c08180f713f6c
name: rancher-webhook
urls:
- assets/rancher-webhook/rancher-webhook-103.0.13+up0.4.14.tgz
version: 103.0.13+up0.4.14
- annotations:
catalog.cattle.io/certified: rancher
catalog.cattle.io/hidden: "true"
Expand Down
2 changes: 2 additions & 0 deletions release.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -26,3 +26,5 @@ rancher-monitoring:
- 103.2.1+up57.0.3
rancher-monitoring-crd:
- 103.2.1+up57.0.3
rancher-webhook:
- 103.0.13+up0.4.14

0 comments on commit 3fe7871

Please sign in to comment.