From 3fe787110471d800d5a55be6236476b56c6d3751 Mon Sep 17 00:00:00 2001 From: nicholasSSUSE Date: Wed, 18 Dec 2024 21:55:43 -0300 Subject: [PATCH] fp: rancher-webhook 103.0.13+up0.4.14 --- .../rancher-webhook-103.0.13+up0.4.14.tgz | Bin 0 -> 2799 bytes .../103.0.13+up0.4.14/Chart.yaml | 14 +++ .../103.0.13+up0.4.14/templates/_helpers.tpl | 22 +++++ .../templates/deployment.yaml | 82 ++++++++++++++++++ .../103.0.13+up0.4.14/templates/rbac.yaml | 12 +++ .../103.0.13+up0.4.14/templates/secret.yaml | 11 +++ .../103.0.13+up0.4.14/templates/service.yaml | 13 +++ .../templates/serviceaccount.yaml | 11 +++ .../103.0.13+up0.4.14/templates/webhook.yaml | 9 ++ .../103.0.13+up0.4.14/tests/README.md | 16 ++++ .../tests/deployment_test.yaml | 73 ++++++++++++++++ .../103.0.13+up0.4.14/tests/service_test.yaml | 18 ++++ .../103.0.13+up0.4.14/values.yaml | 30 +++++++ index.yaml | 18 ++++ release.yaml | 2 + 15 files changed, 331 insertions(+) create mode 100644 assets/rancher-webhook/rancher-webhook-103.0.13+up0.4.14.tgz create mode 100644 charts/rancher-webhook/103.0.13+up0.4.14/Chart.yaml create mode 100644 charts/rancher-webhook/103.0.13+up0.4.14/templates/_helpers.tpl create mode 100644 charts/rancher-webhook/103.0.13+up0.4.14/templates/deployment.yaml create mode 100644 charts/rancher-webhook/103.0.13+up0.4.14/templates/rbac.yaml create mode 100644 charts/rancher-webhook/103.0.13+up0.4.14/templates/secret.yaml create mode 100644 charts/rancher-webhook/103.0.13+up0.4.14/templates/service.yaml create mode 100644 charts/rancher-webhook/103.0.13+up0.4.14/templates/serviceaccount.yaml create mode 100644 charts/rancher-webhook/103.0.13+up0.4.14/templates/webhook.yaml create mode 100644 charts/rancher-webhook/103.0.13+up0.4.14/tests/README.md create mode 100644 charts/rancher-webhook/103.0.13+up0.4.14/tests/deployment_test.yaml create mode 100644 charts/rancher-webhook/103.0.13+up0.4.14/tests/service_test.yaml create mode 100644 charts/rancher-webhook/103.0.13+up0.4.14/values.yaml 
diff --git a/assets/rancher-webhook/rancher-webhook-103.0.13+up0.4.14.tgz b/assets/rancher-webhook/rancher-webhook-103.0.13+up0.4.14.tgz new file mode 100644 index 0000000000000000000000000000000000000000..c1c4ae26a08a0fa2960964f604328695bc5b5495 GIT binary patch literal 2799 zcmVDc zVQyr3R8em|NM&qo0PH($Z`(N1{j6UxaGnSKaFr~_PSOgu2YB7=UV+99lAw#jVv(h# zvCW1eRg!Yno94eCNWEB+<+$4fPWRyX5{oZ0Lvmipi6lInqjYa^G8f{eJDL-zy(Nj+ zizfr$_x|}n4d3Or*aabN=S$SWR0#`DvfdLV4(tFl&62R_9iG} zs+C)gdUZ>AByLsf=t4beY#(~BbFL4)2bh+~kSKHw^X29hisq1nek_nK4jqyt<)`lr zyxzcxP=%5v+O~Zpj7CILJ{v|cRc7EX877zt2^Sf5(8~ms(@wEmL(lJfzSryjBTaHr z&n<;}crIw#{{>+ws;6}T+wA{Qzt^y%h7FG5CBbP z0W5N>0bpmJr;MEoM#E(Q@1|p+&m}74+Hqz~ObE;Uie{D$KxVq%;*_LJU*L=?ZHRV^ z*O&{X$Ea_Gya`}Rm_o;i!`MtjPA1H_A>&~j=K!=|C^Oe(ZJ?eb zd@7s@9|8ROo5Mwfm&h>GLI!Ym?>Gksa4xBkR4+%2C^aTA0#S<2I7XmFm0c%kjakOMvXGtIFjl)a!o_) zU+g|wUriFKP%cnR!*0B`B4r zlSjIOE%x6(IXZ0E|6?=^dJ3KYSKZDxAwZ_E{OGLsK_0FBcB(6CNVmtx1ewYZkR(};kqb;s zL^e}!jb*Pmf*g?xH)#A#l1L0b<10F+pHsp* zo7YoeL**VOdlz5ee4jDY-~@w*WG zQ0k`r{sOrnfQW_~tj4TTR+1#DyXZMLlt%%)EoH@tQIm*hVxooiJX9qZn%+W!v#2m8 zI-I|^`k6HVv}!0oA)@)b3Oxg?hGHWUfPxJJxpA`_;gw$g{yy(s2$sfJB6ahHWdq%i zl*AN<67`CB(K2owUokc{HX0_f5)-e6)&gZ45pTfRh(_;#@{py`CS&5k7vPjfCQ5p} zk+UjNum%{k_z#I$`-m^lj@@jZ?UXg{uA>7>+w3Q}ta(~}hn|eAP{`mg%`fPOe;QTm@y*w{!!!jCP zUA;fOKL2oWwT@*bTJH0#~j!v5>f081uiax-UB8x6? 
zT5rwU&xxJ~rTTj16<;~Frj)Db8d`W7zJLGWm(#b`qw(eXLSNq9!6!jEbY6AZu)VBN ztQ~cp;bu4ryYoPxwXx8|tX55`MgpDCkl?-## zYF$!odR*DLQpC?~-dG{gCM%WgGR{<|$+;90te(0d@N?ZV0wh)fI^8)Ersscl>YbKy z$8uKhF?qVpivN9eb$(gxn-a=WiC1%pYA#q5z_DNHPEb-2U1BJBqyji9yBJ*{N2Q*L z?TvhGaZ80`Iuj{xJJogn1Q46Cnd)_QoOEwqt3t-yEJyCPO_NBX51cJ)zNS@S8s;}7 z$r$yIlt-5+7c|70v|yOps}8|6{!!cJkR)V68Pyb3efvoi)f-$GpI%-6_-_36`ttPR z5$N#&4YD{lW+}Ii+>7O zlF*-}NRtPMIRI<4O4MQ2=8`C;+)?S|6Nbk0x%r&SntpHOC~MDO6z}f5i|nb+8yBsc z(&hg-*sT9q=JFI4V4ME;509GqKRDj&|4!hqC-A(mS^tYS(;fK#qrtlW-`D@{ z1Zr=3MP+Gzq1}E3u&PAO3s6UbPw6bphHqB!Rb}j&x%fK5XQ_T1+2`Kt?-ADZUuo67 zI32z{JN4q|NoZ{K|0hlTADj%1_xisJa1IWDiI6aeZ~^A@DW3u5O3O5>&~uy**4aWY zfS*#vAej@jB=P#sWiB?wqk5i`Z=R|o=&__#9cGY zO*z$Oz4b3|Mzv$8nf-7J_Ul8`JX^$bpWRbHyZ*0gf3EF{9~T2`(f|I*px>tMU!QP{(Q8yEKVx-csygQY=WV-k`HPl*4}S>$$N%?!(PQ%dpc5Uh%mfdT-WVfC!Z?a=6_SYZCsj`pkUi0MFMpho<*H-d~lWDBQtMcrT zC~7&j^%wX}=aHAvfsnQ0h04)9`ebqv-##^Csr3v;!>o8IKfKWpM3R+`5s79*^U!MV z9zo;Z7~Bv`6>HQbRjWDb|HDw}_#~d<^y~YzMH}0SL)z*dVN31fqa?I;Opjpu8;fB! zl*8=C9JZIbmFBQ6E3b@%Jm~-1= 1.23.0-0 < 1.29.0-0' + catalog.cattle.io/namespace: cattle-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0' + catalog.cattle.io/release-name: rancher-webhook +apiVersion: v2 +appVersion: 0.4.14 +description: ValidatingAdmissionWebhook for Rancher types +name: rancher-webhook +version: 103.0.13+up0.4.14 diff --git a/charts/rancher-webhook/103.0.13+up0.4.14/templates/_helpers.tpl b/charts/rancher-webhook/103.0.13+up0.4.14/templates/_helpers.tpl new file mode 100644 index 0000000000..c37a65c6f3 --- /dev/null +++ b/charts/rancher-webhook/103.0.13+up0.4.14/templates/_helpers.tpl 
@@ -0,0 +1,22 @@
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- else -}}
+{{- "" -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "rancher-webhook.labels" -}}
+app: rancher-webhook
+{{- end }}
+
+{{- define "linux-node-tolerations" -}}
+- key: "cattle.io/os"
+ value: "linux"
+ effect: "NoSchedule"
+ operator: "Equal"
+{{- end -}}
+
+{{- define "linux-node-selector" -}}
+kubernetes.io/os: linux
+{{- end -}}
\ No newline at end of file
diff --git a/charts/rancher-webhook/103.0.13+up0.4.14/templates/deployment.yaml b/charts/rancher-webhook/103.0.13+up0.4.14/templates/deployment.yaml
new file mode 100644
index 0000000000..b8a7201dac
--- /dev/null
+++ b/charts/rancher-webhook/103.0.13+up0.4.14/templates/deployment.yaml
@@ -0,0 +1,82 @@
+{{- $auth := .Values.auth | default dict }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: rancher-webhook
+spec:
+ selector:
+ matchLabels:
+ app: rancher-webhook
+ template:
+ metadata:
+ labels:
+ app: rancher-webhook
+ spec:
+ {{- if $auth.clientCA }}
+ volumes:
+ - name: client-ca
+ secret:
+ secretName: client-ca
+ {{- end }}
+ {{- if .Values.global.hostNetwork }}
+ hostNetwork: true
+ {{- end }}
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+ {{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+ {{- end }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 6 }}
+ {{- if .Values.tolerations }}
+{{ toYaml .Values.tolerations | indent 6 }}
+ {{- end }}
+ containers:
+ - env:
+ - name: STAMP
+ value: "{{.Values.stamp}}"
+ - name: ENABLE_MCM
+ value: "{{.Values.mcm.enabled}}"
+ - name: CATTLE_PORT
+ value: {{.Values.port | default 9443 | quote}}
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ {{- if $auth.allowedCNs }}
+ - name: ALLOWED_CNS
+ value: '{{ join "," $auth.allowedCNs }}'
+ {{- end }}
+ image: '{{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}'
+ name: rancher-webhook
+ imagePullPolicy: "{{ .Values.image.imagePullPolicy }}"
+ ports:
+ - name: https
+ containerPort: {{ .Values.port | default 9443 }}
+ startupProbe:
+ httpGet:
+ path: "/healthz"
+ port: "https"
+ scheme: "HTTPS"
+ failureThreshold: 60
+ periodSeconds: 5
+ livenessProbe:
+ httpGet:
+ path: "/healthz"
+ port: "https"
+ scheme: "HTTPS"
+ periodSeconds: 5
+ {{- if $auth.clientCA }}
+ volumeMounts:
+ - name: client-ca
+ mountPath: /tmp/k8s-webhook-server/client-ca
+ readOnly: true
+ {{- end }}
+ {{- if .Values.capNetBindService }}
+ securityContext:
+ capabilities:
+ add:
+ - NET_BIND_SERVICE
+ {{- end }}
+ serviceAccountName: rancher-webhook
+ {{- if .Values.priorityClassName }}
+ priorityClassName: "{{.Values.priorityClassName}}"
+ {{- end }}
diff --git a/charts/rancher-webhook/103.0.13+up0.4.14/templates/rbac.yaml b/charts/rancher-webhook/103.0.13+up0.4.14/templates/rbac.yaml
new file mode 100644
index 0000000000..f4364995c0
--- /dev/null
+++ b/charts/rancher-webhook/103.0.13+up0.4.14/templates/rbac.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: rancher-webhook
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+- kind: ServiceAccount
+ name: rancher-webhook
+ namespace: {{.Release.Namespace}}
\ No newline at end of file
diff --git a/charts/rancher-webhook/103.0.13+up0.4.14/templates/secret.yaml b/charts/rancher-webhook/103.0.13+up0.4.14/templates/secret.yaml
new file mode 100644
index 0000000000..9fd331dc1e
--- /dev/null
+++ b/charts/rancher-webhook/103.0.13+up0.4.14/templates/secret.yaml
@@ -0,0 +1,11 @@
+{{- $auth := .Values.auth | default dict }}
+{{- if $auth.clientCA }}
+apiVersion: v1
+data:
+ ca.crt: {{ $auth.clientCA }}
+kind: Secret
+metadata:
+ name: client-ca
+ namespace: cattle-system
+type: Opaque
+{{- end }}
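Review bot: The container runs with no baseline securityContext — the `securityContext:` block near the end of the hunk is emitted only when `capNetBindService` is set, and even then it only adds a capability; there is no `allowPrivilegeEscalation: false`, no `drop: [ALL]`, no `runAsNonRoot`, no `readOnlyRootFilesystem`. That matters more than usual here because rbac.yaml in the same commit binds the pod's ServiceAccount to `cluster-admin`, so a compromised container is a compromised cluster. I would render the securityContext unconditionally and move the NET_BIND_SERVICE add inside it; `runAsNonRoot` and `readOnlyRootFilesystem` depend on how the image is built and where it writes its serving certificate, which the chart does not show, so confirm those before enabling. The `should not set capabilities by default` unit test asserts `securityContext` is null and would need updating alongside.
```yaml
        # … unchanged: env, image, ports, probes, volumeMounts …
        securityContext:
          allowPrivilegeEscalation: false
          runAsNonRoot: true            # TODO confirm the image runs as a non-root UID
          readOnlyRootFilesystem: true  # TODO confirm the cert dir is a writable mount
          capabilities:
            drop:
              - ALL
            {{- if .Values.capNetBindService }}
            add:
              - NET_BIND_SERVICE
            {{- end }}
```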
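Review bot: The ClusterRoleBinding grants the `rancher-webhook` ServiceAccount the built-in `cluster-admin` role with no explanation, so any workload or user that can read this SA's token (or exec into the pod) holds full cluster control. The webhook presumably needs broad read access plus write access to its own WebhookConfigurations (webhook.yaml creates them empty, so the process appears to populate them itself), but that is a bounded set of verbs that an explicit ClusterRole could enumerate. If cluster-admin is a deliberate upstream choice, the template should at least say so, e.g. above `roleRef:`: `# NOTE: cluster-admin is used so the webhook can validate every Rancher type and manage its own WebhookConfigurations; this token is effectively a cluster root credential — TODO scope to an explicit ClusterRole`.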
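Review bot: The Secret hard-codes `namespace: cattle-system` while the Deployment mounts `secretName: client-ca` from the pod's own namespace and rbac.yaml uses `{{.Release.Namespace}}`; if the release namespace ever differs from cattle-system the pod fails to start with a missing-secret error instead of degrading cleanly. The Chart.yaml annotation `catalog.cattle.io/namespace: cattle-system` pins it in practice, but the templates should agree with each other: `namespace: {{ .Release.Namespace }}`. service.yaml in this commit has the same hard-coded namespace and should be changed the same way, since its selector only matches pods in its own namespace.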
diff --git a/charts/rancher-webhook/103.0.13+up0.4.14/templates/service.yaml b/charts/rancher-webhook/103.0.13+up0.4.14/templates/service.yaml
new file mode 100644
index 0000000000..220afebeae
--- /dev/null
+++ b/charts/rancher-webhook/103.0.13+up0.4.14/templates/service.yaml
@@ -0,0 +1,13 @@
+kind: Service
+apiVersion: v1
+metadata:
+ name: rancher-webhook
+ namespace: cattle-system
+spec:
+ ports:
+ - port: 443
+ targetPort: {{ .Values.port | default 9443 }}
+ protocol: TCP
+ name: https
+ selector:
+ app: rancher-webhook
diff --git a/charts/rancher-webhook/103.0.13+up0.4.14/templates/serviceaccount.yaml b/charts/rancher-webhook/103.0.13+up0.4.14/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..9e7ad7e1fe
--- /dev/null
+++ b/charts/rancher-webhook/103.0.13+up0.4.14/templates/serviceaccount.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: rancher-webhook
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: rancher-webhook-sudo
+ annotations:
+ cattle.io/description: "SA which can be impersonated to bypass rancher-webhook validation"
\ No newline at end of file
diff --git a/charts/rancher-webhook/103.0.13+up0.4.14/templates/webhook.yaml b/charts/rancher-webhook/103.0.13+up0.4.14/templates/webhook.yaml
new file mode 100644
index 0000000000..53a0687b6f
--- /dev/null
+++ b/charts/rancher-webhook/103.0.13+up0.4.14/templates/webhook.yaml
@@ -0,0 +1,9 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: rancher.cattle.io
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: rancher.cattle.io
diff --git a/charts/rancher-webhook/103.0.13+up0.4.14/tests/README.md b/charts/rancher-webhook/103.0.13+up0.4.14/tests/README.md
new file mode 100644
index 0000000000..6d3059a005
--- /dev/null
+++ b/charts/rancher-webhook/103.0.13+up0.4.14/tests/README.md
@@ -0,0 +1,16 @@
+
+## local dev testing instructions
+
+Option 1: Full chart CI run with a live cluster
+
+```bash
+./scripts/charts/ci
+```
+
+Option 2: Test runs against the chart only
+
+```bash
+# install the helm plugin first - helm plugin install https://github.com/helm-unittest/helm-unittest.git
+bash dev-scripts/helm-unittest.sh
+```
+
diff --git a/charts/rancher-webhook/103.0.13+up0.4.14/tests/deployment_test.yaml b/charts/rancher-webhook/103.0.13+up0.4.14/tests/deployment_test.yaml
new file mode 100644
index 0000000000..bbd6e30444
--- /dev/null
+++ b/charts/rancher-webhook/103.0.13+up0.4.14/tests/deployment_test.yaml
@@ -0,0 +1,73 @@
+suite: Test Deployment
+templates:
+ - deployment.yaml
+
+tests:
+ - it: should set webhook default port values
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].ports[0].containerPort
+ value: 9443
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: CATTLE_PORT
+ value: "9443"
+
+ - it: should set updated webhook port
+ set:
+ port: 2319
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].ports[0].containerPort
+ value: 2319
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: CATTLE_PORT
+ value: "2319"
+
+ - it: should not set capabilities by default.
+ asserts:
+ - isNull:
+ path: spec.template.spec.containers[0].securityContext
+
+ - it: should set net capabilities when capNetBindService is true.
+ set:
+ capNetBindService: true
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].securityContext.capabilities.add
+ content: NET_BIND_SERVICE
+
+ - it: should not set volumes or volumeMounts by default
+ asserts:
+ - isNull:
+ path: spec.template.spec.volumes
+ - isNull:
+ path: spec.template.spec.volumeMounts
+
+ - it: should set CA fields when CA options are set
+ set:
+ auth.clientCA: base64-encoded-cert
+ auth.allowedCNs:
+ - kube-apiserver
+ - joe
+ asserts:
+ - contains:
+ path: spec.template.spec.volumes
+ content:
+ name: client-ca
+ secret:
+ secretName: client-ca
+ - contains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ name: client-ca
+ mountPath: /tmp/k8s-webhook-server/client-ca
+ readOnly: true
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: ALLOWED_CNS
+ value: kube-apiserver,joe
diff --git a/charts/rancher-webhook/103.0.13+up0.4.14/tests/service_test.yaml b/charts/rancher-webhook/103.0.13+up0.4.14/tests/service_test.yaml
new file mode 100644
index 0000000000..03172ad033
--- /dev/null
+++ b/charts/rancher-webhook/103.0.13+up0.4.14/tests/service_test.yaml
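Review bot: The `should not set volumes or volumeMounts by default` case asserts `isNull` on `spec.template.spec.volumeMounts`, but volumeMounts live on the container, not the pod spec, so that path is null in every rendering and the assertion can never fail. The positive case a few lines below correctly uses `spec.template.spec.containers[0].volumeMounts`, so the default check should use the same path: `path: spec.template.spec.containers[0].volumeMounts`. As written, a regression that mounted the client CA unconditionally would go unnoticed by this suite.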
@@ -0,0 +1,18 @@
+suite: Test Service
+templates:
+ - service.yaml
+
+tests:
+ - it: should set webhook default port values
+ asserts:
+ - equal:
+ path: spec.ports[0].targetPort
+ value: 9443
+
+ - it: should set updated target port
+ set:
+ port: 2319
+ asserts:
+ - equal:
+ path: spec.ports[0].targetPort
+ value: 2319
diff --git a/charts/rancher-webhook/103.0.13+up0.4.14/values.yaml b/charts/rancher-webhook/103.0.13+up0.4.14/values.yaml
new file mode 100644
index 0000000000..39b3948183
--- /dev/null
+++ b/charts/rancher-webhook/103.0.13+up0.4.14/values.yaml
@@ -0,0 +1,30 @@
+image:
+ repository: rancher/rancher-webhook
+ tag: v0.4.14
+ imagePullPolicy: IfNotPresent
+
+global:
+ cattle:
+ systemDefaultRegistry: ""
+ hostNetwork: false
+
+mcm:
+ enabled: true
+
+# tolerations for the webhook deployment. See https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ for more info
+tolerations: []
+nodeSelector: {}
+
+## PriorityClassName assigned to deployment.
+priorityClassName: ""
+
+# port assigns which port to use when running rancher-webhook
+port: 9443
+
+# Parameters for authenticating the kube-apiserver.
+auth:
+ # CA for authenticating kube-apiserver client certs. If empty, client connections will not be authenticated.
+ # Must be base64-encoded.
+ clientCA: ""
+ # Allowlist of CNs for kube-apiserver client certs. If empty, any cert signed by the CA provided in clientCA will be accepted.
+ allowedCNs: []
diff --git a/index.yaml b/index.yaml
index 0fb0581412..234c21ba27 100755
--- a/index.yaml
+++ b/index.yaml
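Review bot: The default `auth.clientCA: ""` leaves the admission endpoint unauthenticated, and the existing comment understates what that means: any client that can reach the Service on 443 — or the node itself when `global.hostNetwork` is turned on — can POST crafted AdmissionReview bodies to the webhook, and the `mountPath`/probe wiring in deployment.yaml does nothing to narrow that. The values file is where operators will look, so the caveat belongs here in stronger terms; I would extend the comment to: `# If empty, client connections are NOT authenticated: anything that can reach the Service (or the node, with global.hostNetwork) can submit AdmissionReviews. Set clientCA (and allowedCNs) in production.` Separately, `tag: v0.4.14` is a mutable tag; pinning by digest would be preferable for a component running with cluster-admin, though that may be constrained by how `system_default_registry` mirrors are populated.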
@@ -20042,6 +20042,24 @@ entries:
 urls:
 - assets/rancher-webhook/rancher-webhook-104.0.0+up0.5.0.tgz
 version: 104.0.0+up0.5.0
+ - annotations:
+ catalog.cattle.io/certified: rancher
+ catalog.cattle.io/hidden: "true"
+ catalog.cattle.io/kube-version: '>= 1.23.0-0 < 1.29.0-0'
+ catalog.cattle.io/namespace: cattle-system
+ catalog.cattle.io/os: linux
+ catalog.cattle.io/permits-os: linux,windows
+ catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0'
+ catalog.cattle.io/release-name: rancher-webhook
+ apiVersion: v2
+ appVersion: 0.4.14
+ created: "2024-12-18T21:55:40.659033591-03:00"
+ description: ValidatingAdmissionWebhook for Rancher types
+ digest: 9838b76a44ff824d3d182b8f1ae4438176861bbbed9c2341078c08180f713f6c
+ name: rancher-webhook
+ urls:
+ - assets/rancher-webhook/rancher-webhook-103.0.13+up0.4.14.tgz
+ version: 103.0.13+up0.4.14
 - annotations:
 catalog.cattle.io/certified: rancher
 catalog.cattle.io/hidden: "true"
diff --git a/release.yaml b/release.yaml
index 873d16aee0..d2a613917d 100644
--- a/release.yaml
+++ b/release.yaml
@@ -26,3 +26,5 @@ rancher-monitoring:
 - 103.2.1+up57.0.3
 rancher-monitoring-crd:
 - 103.2.1+up57.0.3
+rancher-webhook:
+ - 103.0.13+up0.4.14