From 69f56a516547a67e6d549a296516baf2ebe15609 Mon Sep 17 00:00:00 2001 From: nicholasSSUSE Date: Thu, 18 Jul 2024 20:45:02 -0300 Subject: [PATCH 1/3] adding make auto-forward-port feature to CLI Commands --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 8d36ba9e2d..70b0d8958f 100644 --- a/Makefile +++ b/Makefile @@ -17,7 +17,7 @@ validate: @./scripts/pull-scripts @./bin/charts-build-scripts validate $(if $(filter true,$(remote)),--remote) $(if $(filter true,$(local)),--local) -TARGETS := prepare patch clean clean-cache charts list index unzip zip standardize template regsync check-images check-rc enforce-lifecycle lifecycle-status +TARGETS := prepare patch clean clean-cache charts list index unzip zip standardize template regsync check-images check-rc enforce-lifecycle lifecycle-status auto-forward-port $(TARGETS): @./scripts/pull-scripts From 2edf8766500f346e645eb634ac68f46c505fa07f Mon Sep 17 00:00:00 2001 From: nicholasSSUSE Date: Thu, 18 Jul 2024 20:47:15 -0300 Subject: [PATCH 2/3] cleaning release.yaml --- release.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/release.yaml b/release.yaml index 4127a0f1c7..e69de29bb2 100644 --- a/release.yaml +++ b/release.yaml @@ -1,2 +0,0 @@ -rancher-webhook: - - 104.0.0+up0.5.0 From 4c46b2652a7730164feea8406417e20adcaa8278 Mon Sep 17 00:00:00 2001 From: nicholasSSUSE Date: Thu, 18 Jul 2024 20:47:17 -0300 Subject: [PATCH 3/3] forward-port rancher-webhook 103.0.7+up0.4.8 --- .../rancher-webhook-103.0.7+up0.4.8.tgz | Bin 0 -> 2801 bytes .../103.0.7+up0.4.8/Chart.yaml | 14 +++ .../103.0.7+up0.4.8/templates/_helpers.tpl | 22 +++++ .../103.0.7+up0.4.8/templates/deployment.yaml | 82 ++++++++++++++++++ .../103.0.7+up0.4.8/templates/rbac.yaml | 12 +++ .../103.0.7+up0.4.8/templates/secret.yaml | 11 +++ .../103.0.7+up0.4.8/templates/service.yaml | 13 +++ .../templates/serviceaccount.yaml | 11 +++ .../103.0.7+up0.4.8/templates/webhook.yaml | 9 ++ .../103.0.7+up0.4.8/tests/README.md | 16 ++++ .../tests/deployment_test.yaml | 73 ++++++++++++++++ .../103.0.7+up0.4.8/tests/service_test.yaml | 18 ++++ .../103.0.7+up0.4.8/values.yaml | 30 +++++++ index.yaml | 18 ++++ release.yaml | 2 + 15 files changed, 331 insertions(+) create mode 100644 assets/rancher-webhook/rancher-webhook-103.0.7+up0.4.8.tgz create mode 100644 charts/rancher-webhook/103.0.7+up0.4.8/Chart.yaml create mode 100644 charts/rancher-webhook/103.0.7+up0.4.8/templates/_helpers.tpl create mode 100644 charts/rancher-webhook/103.0.7+up0.4.8/templates/deployment.yaml create mode 100644 charts/rancher-webhook/103.0.7+up0.4.8/templates/rbac.yaml create mode 100644 charts/rancher-webhook/103.0.7+up0.4.8/templates/secret.yaml create mode 100644 charts/rancher-webhook/103.0.7+up0.4.8/templates/service.yaml create mode 100644 charts/rancher-webhook/103.0.7+up0.4.8/templates/serviceaccount.yaml create mode 100644 charts/rancher-webhook/103.0.7+up0.4.8/templates/webhook.yaml create mode 100644 charts/rancher-webhook/103.0.7+up0.4.8/tests/README.md create mode 100644 charts/rancher-webhook/103.0.7+up0.4.8/tests/deployment_test.yaml create mode 100644 charts/rancher-webhook/103.0.7+up0.4.8/tests/service_test.yaml create mode 100644 charts/rancher-webhook/103.0.7+up0.4.8/values.yaml diff --git a/assets/rancher-webhook/rancher-webhook-103.0.7+up0.4.8.tgz b/assets/rancher-webhook/rancher-webhook-103.0.7+up0.4.8.tgz new file mode 100644 index 0000000000000000000000000000000000000000..db208008bbfc0682005979ce42e6978e6a2ef730 GIT binary patch literal 2801 zcmVDc zVQyr3R8em|NM&qo0PH($Z`(MN{j6UxaPH6#SIM&DIIVDdfY;6L6=>Wb3A%W&SY&Bw zY;#MIDoHu(P4nL$kb1Es%W<~}obCh97u$T98Ito#jwRvY0;PM4(}fV9y5j|r+FOyB zy?8S4ecvAr2KLkU{pM%S_m5xn2E)Oy-|zYU@P*$S^auSH;6EJ;+aXn&$QS;jX*C!3 z4*|lt&_q+gRp0=GL=z_FUP!cN=uy!PQEED)7zL2aO6#x%jUwa$bhJ#d(>ml+Iz@Mh zQc=MJc=>-nK+o$Rd%o+#|C+CF%-5H#Q#pxIB_zZEvPM^}l*YJquuuUo%F{nvdlQr~ z)ygeLy}G4561S>#bfF$Kw)@`eoa?^#0Mil~5{0f|zTCV*(HxS{j|I|Y-yum-{`9?p z_u7e2g_0)PHhmhs!OoXCZ$W>`Nx=j-TpvgRd zWo9=3?Bt7-u?xXyxC-FiY$Ei9M1@>C&YX!UVYyq;%#s1fEcaWSk(B96oKvL@&5m&z z3!(G`^{tSf0+g?&e0KENGc@Nt1%-=O-PJDl%jKv5ol3m*GZZq?bbL) zkO-;sSqg3!G+bm&T0p80ZWqWwrkqng-?05=U;u9hgJXl~f=CjhMwx9KN%aD`rlIvO zb|0;)CJ9w2mnc2Q3^9jr1mjWLoceeO8AYzagbvDscQe2^(W_TwyWkwd?Bs4KW59)m zDOQnU^6)?kVvtl5k^3HNit*FFdQ1u$@n3LJVxV5CI!!}*Ix@w`>!!h7}2P@Hw$D5O6BR~ zk*;8e{r68#`VIR(91czo_J1F6cjrQcGs+PGl|zB2yUxk|di!a)GId z$Yu(zG3^ykkRx*86B-9r%|MJvvY}Lv&ovD=n_;K}=uE^_=4@=HBoc$qIE&8N=ajI{ z_VrZQP`QiAc&IzJbp}+y)PDZk^}phj9vKbp(Eq{EKW*s$>GA2{p#S>-BOw1}94`bv zl)7nue}UW(Ktw|gR%6yFD@hX7UG|($lt%%)EoH@tQIm*hV#0;?L{udhn%+W!v#>BG zI$XTB`k6HVv}!0oA)@)b3Oxg?hGHucfPxJJxpA`_;gxRw{yy(s3YNxLB6ahHWdq%i zl*AN<67`yR(K2ZrUokc{HX0_f5)`k8)*@va5^urT2uJUL@{py`He=$!7vPjfCQN$0 zm9r{Rum%{k_!o&;`-m^lj8zx*nZhRAixW2zPe{ZKX+^+~0RLrk+hkKfXV^IUk=tI6n?!FHelxu#897 z*YD46E;zq$m_*&C#s7bOeQ{Oon-R)ViPsB>Y9Uw@z|gOBCn%|it}qllQURQlU5qY~qf*br z_Ex@jxTV4|or{#Wo$9840*KAnO!c}tPP(67t3t-yEJ^ORO_NBX51g%PzNS@S8s;}7 z$prO}lt))6mo&thv|yOpyAHuM{#o1RkR)VE8Pyb3efvoi)f-%xoL%4i_-^v{=IZS7 z%Rcowc<635ov+c&FVqBZOYjvz}_iXXs_V`~;N%%DPz`OGQ z!Evvd|Mz-__rJYBHKw;GZfuQ^^e-C`d7oa}gt83u$1GJE<)vU~bei({R|Nc0FwCO> zlF*-}NRtPMIRG29O4MQ2=8`C;+)?TD4-AdzbMrY@HT~YoQP!TnDBj(9m)TRDHz``T zrOW?uuwDPN%;hO8z%Kni?w>UEe{g!x|GmK9$^W;8Bel2eo>N$Zka%GpK5ot_^wkJi ziw&s;AzNSn^(w&tJ|yIGiq7}oP5*iDkp5d!`UD1Gr~VI{@4rJc{Gk7PfSTKED)MgE z{(y28_iJU!>E_ANU~p^$U`^y4_20=b6DhO^1qs*cUT8NNvm?F?PL8$~MIxDT1t`eeDlMF2LdOE>7&wT>V3)}U-cr)FD|34XQ`u{`y z*IuCZrdO1f<`>%SR{-l$)Vu<9EclGh(`@*56<=4zZkUU&BYd9f$B}*Rz5X6yQ~#A# z-OIDl+w(Ioj-G_ZPXB+})c?WhN$;Tl`vB+Y2$%>7g9w*kPM`8QP_DF0vl2bW`Cy$b z^aA)PWemavks8MDK&BjSsa^oFFDS+3oa6ld`|net7LM1=T(#=jIjS2{Fr6jJegM~~ zw85l+%!#3EEAKKIg0mH@(H&X72xE500$B_ROXrlsj7p`!t+f?ni`vgQ)r)lMg(B{n zVQ$K)HtVhb^5#@KhML(Aw_v|ML@lyKJoni>1+?q`y7uSBuJ~~=zz+RCJ{>gw|8shB zdZ_=~3#gQ8%(bvm#Z!iXS>oQP1#=uLCRrcV0jPyYSp*7or35?6-)%ad{i`6$%9X;( z8?+1fIn9d1>+h>7!O$z%@a(U3;l;21Z}y(ReyKfHZ$AIODefB#v3#uh271VsjTds{ zjhEqvsxH>$8-}5d)3$eM64|_^*u$h)kXpY%XLl(5Kc9Py!~M@*pc?-buRx99 zulf+Ux5%#yN7k=ITSB{s0;z2BlgCkC#hgX`+{b%>103K0TjAdU00960niep$07d`+ DNDG(9 literal 0 HcmV?d00001 diff --git a/charts/rancher-webhook/103.0.7+up0.4.8/Chart.yaml b/charts/rancher-webhook/103.0.7+up0.4.8/Chart.yaml new file mode 100644 index 0000000000..181d59b63d --- /dev/null +++ b/charts/rancher-webhook/103.0.7+up0.4.8/Chart.yaml @@ -0,0 +1,14 @@ +annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/kube-version: '>= 1.23.0-0 < 1.29.0-0' + catalog.cattle.io/namespace: cattle-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0' + catalog.cattle.io/release-name: rancher-webhook +apiVersion: v2 +appVersion: 0.4.8 +description: ValidatingAdmissionWebhook for Rancher types +name: rancher-webhook +version: 103.0.7+up0.4.8 diff --git a/charts/rancher-webhook/103.0.7+up0.4.8/templates/_helpers.tpl b/charts/rancher-webhook/103.0.7+up0.4.8/templates/_helpers.tpl new file mode 100644 index 0000000000..c37a65c6f3 --- /dev/null +++ b/charts/rancher-webhook/103.0.7+up0.4.8/templates/_helpers.tpl @@ -0,0 +1,22 @@ +{{- define "system_default_registry" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} +{{- else -}} +{{- "" -}} +{{- end -}} +{{- end -}} + +{{- define "rancher-webhook.labels" -}} +app: rancher-webhook +{{- end }} + +{{- define "linux-node-tolerations" -}} +- key: "cattle.io/os" + value: "linux" + effect: "NoSchedule" + operator: "Equal" +{{- end -}} + +{{- define "linux-node-selector" -}} +kubernetes.io/os: linux +{{- end -}} \ No newline at end of file diff --git a/charts/rancher-webhook/103.0.7+up0.4.8/templates/deployment.yaml b/charts/rancher-webhook/103.0.7+up0.4.8/templates/deployment.yaml new file mode 100644 index 0000000000..b8a7201dac --- /dev/null +++ b/charts/rancher-webhook/103.0.7+up0.4.8/templates/deployment.yaml @@ -0,0 +1,82 @@ +{{- $auth := .Values.auth | default dict }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: rancher-webhook +spec: + selector: + matchLabels: + app: rancher-webhook + template: + metadata: + labels: + app: rancher-webhook + spec: + {{- if $auth.clientCA }} + volumes: + - name: client-ca + secret: + secretName: client-ca + {{- end }} + {{- if .Values.global.hostNetwork }} + hostNetwork: true + {{- end }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} + {{- if .Values.nodeSelector }} +{{ toYaml .Values.nodeSelector | indent 8 }} + {{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 6 }} + {{- if .Values.tolerations }} +{{ toYaml .Values.tolerations | indent 6 }} + {{- end }} + containers: + - env: + - name: STAMP + value: "{{.Values.stamp}}" + - name: ENABLE_MCM + value: "{{.Values.mcm.enabled}}" + - name: CATTLE_PORT + value: {{.Values.port | default 9443 | quote}} + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- if $auth.allowedCNs }} + - name: ALLOWED_CNS + value: '{{ join "," $auth.allowedCNs }}' + {{- end }} + image: '{{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}' + name: rancher-webhook + imagePullPolicy: "{{ .Values.image.imagePullPolicy }}" + ports: + - name: https + containerPort: {{ .Values.port | default 9443 }} + startupProbe: + httpGet: + path: "/healthz" + port: "https" + scheme: "HTTPS" + failureThreshold: 60 + periodSeconds: 5 + livenessProbe: + httpGet: + path: "/healthz" + port: "https" + scheme: "HTTPS" + periodSeconds: 5 + {{- if $auth.clientCA }} + volumeMounts: + - name: client-ca + mountPath: /tmp/k8s-webhook-server/client-ca + readOnly: true + {{- end }} + {{- if .Values.capNetBindService }} + securityContext: + capabilities: + add: + - NET_BIND_SERVICE + {{- end }} + serviceAccountName: rancher-webhook + {{- if .Values.priorityClassName }} + priorityClassName: "{{.Values.priorityClassName}}" + {{- end }} diff --git a/charts/rancher-webhook/103.0.7+up0.4.8/templates/rbac.yaml b/charts/rancher-webhook/103.0.7+up0.4.8/templates/rbac.yaml new file mode 100644 index 0000000000..f4364995c0 --- /dev/null +++ b/charts/rancher-webhook/103.0.7+up0.4.8/templates/rbac.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: rancher-webhook +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: +- kind: ServiceAccount + name: rancher-webhook + namespace: {{.Release.Namespace}} \ No newline at end of file diff --git a/charts/rancher-webhook/103.0.7+up0.4.8/templates/secret.yaml b/charts/rancher-webhook/103.0.7+up0.4.8/templates/secret.yaml new file mode 100644 index 0000000000..9fd331dc1e --- /dev/null +++ b/charts/rancher-webhook/103.0.7+up0.4.8/templates/secret.yaml @@ -0,0 +1,11 @@ +{{- $auth := .Values.auth | default dict }} +{{- if $auth.clientCA }} +apiVersion: v1 +data: + ca.crt: {{ $auth.clientCA }} +kind: Secret +metadata: + name: client-ca + namespace: cattle-system +type: Opaque +{{- end }} diff --git a/charts/rancher-webhook/103.0.7+up0.4.8/templates/service.yaml b/charts/rancher-webhook/103.0.7+up0.4.8/templates/service.yaml new file mode 100644 index 0000000000..220afebeae --- /dev/null +++ b/charts/rancher-webhook/103.0.7+up0.4.8/templates/service.yaml @@ -0,0 +1,13 @@ +kind: Service +apiVersion: v1 +metadata: + name: rancher-webhook + namespace: cattle-system +spec: + ports: + - port: 443 + targetPort: {{ .Values.port | default 9443 }} + protocol: TCP + name: https + selector: + app: rancher-webhook diff --git a/charts/rancher-webhook/103.0.7+up0.4.8/templates/serviceaccount.yaml b/charts/rancher-webhook/103.0.7+up0.4.8/templates/serviceaccount.yaml new file mode 100644 index 0000000000..9e7ad7e1fe --- /dev/null +++ b/charts/rancher-webhook/103.0.7+up0.4.8/templates/serviceaccount.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: rancher-webhook +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: rancher-webhook-sudo + annotations: + cattle.io/description: "SA which can be impersonated to bypass rancher-webhook validation" \ No newline at end of file diff --git a/charts/rancher-webhook/103.0.7+up0.4.8/templates/webhook.yaml b/charts/rancher-webhook/103.0.7+up0.4.8/templates/webhook.yaml new file mode 100644 index 0000000000..53a0687b6f --- /dev/null +++ b/charts/rancher-webhook/103.0.7+up0.4.8/templates/webhook.yaml @@ -0,0 +1,9 @@ +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: rancher.cattle.io +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: rancher.cattle.io diff --git a/charts/rancher-webhook/103.0.7+up0.4.8/tests/README.md b/charts/rancher-webhook/103.0.7+up0.4.8/tests/README.md new file mode 100644 index 0000000000..6d3059a005 --- /dev/null +++ b/charts/rancher-webhook/103.0.7+up0.4.8/tests/README.md @@ -0,0 +1,16 @@ + +## local dev testing instructions + +Option 1: Full chart CI run with a live cluster + +```bash +./scripts/charts/ci +``` + +Option 2: Test runs against the chart only + +```bash +# install the helm plugin first - helm plugin install https://github.com/helm-unittest/helm-unittest.git +bash dev-scripts/helm-unittest.sh +``` + diff --git a/charts/rancher-webhook/103.0.7+up0.4.8/tests/deployment_test.yaml b/charts/rancher-webhook/103.0.7+up0.4.8/tests/deployment_test.yaml new file mode 100644 index 0000000000..bbd6e30444 --- /dev/null +++ b/charts/rancher-webhook/103.0.7+up0.4.8/tests/deployment_test.yaml @@ -0,0 +1,73 @@ +suite: Test Deployment +templates: + - deployment.yaml + +tests: + - it: should set webhook default port values + asserts: + - equal: + path: spec.template.spec.containers[0].ports[0].containerPort + value: 9443 + - contains: + path: spec.template.spec.containers[0].env + content: + name: CATTLE_PORT + value: "9443" + + - it: should set updated webhook port + set: + port: 2319 + asserts: + - equal: + path: spec.template.spec.containers[0].ports[0].containerPort + value: 2319 + - contains: + path: spec.template.spec.containers[0].env + content: + name: CATTLE_PORT + value: "2319" + + - it: should not set capabilities by default. + asserts: + - isNull: + path: spec.template.spec.containers[0].securityContext + + - it: should set net capabilities when capNetBindService is true. + set: + capNetBindService: true + asserts: + - contains: + path: spec.template.spec.containers[0].securityContext.capabilities.add + content: NET_BIND_SERVICE + + - it: should not set volumes or volumeMounts by default + asserts: + - isNull: + path: spec.template.spec.volumes + - isNull: + path: spec.template.spec.volumeMounts + + - it: should set CA fields when CA options are set + set: + auth.clientCA: base64-encoded-cert + auth.allowedCNs: + - kube-apiserver + - joe + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: client-ca + secret: + secretName: client-ca + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: client-ca + mountPath: /tmp/k8s-webhook-server/client-ca + readOnly: true + - contains: + path: spec.template.spec.containers[0].env + content: + name: ALLOWED_CNS + value: kube-apiserver,joe diff --git a/charts/rancher-webhook/103.0.7+up0.4.8/tests/service_test.yaml b/charts/rancher-webhook/103.0.7+up0.4.8/tests/service_test.yaml new file mode 100644 index 0000000000..03172ad033 --- /dev/null +++ b/charts/rancher-webhook/103.0.7+up0.4.8/tests/service_test.yaml @@ -0,0 +1,18 @@ +suite: Test Service +templates: + - service.yaml + +tests: + - it: should set webhook default port values + asserts: + - equal: + path: spec.ports[0].targetPort + value: 9443 + + - it: should set updated target port + set: + port: 2319 + asserts: + - equal: + path: spec.ports[0].targetPort + value: 2319 diff --git a/charts/rancher-webhook/103.0.7+up0.4.8/values.yaml b/charts/rancher-webhook/103.0.7+up0.4.8/values.yaml new file mode 100644 index 0000000000..44e9f88610 --- /dev/null +++ b/charts/rancher-webhook/103.0.7+up0.4.8/values.yaml @@ -0,0 +1,30 @@ +image: + repository: rancher/rancher-webhook + tag: v0.4.8 + imagePullPolicy: IfNotPresent + +global: + cattle: + systemDefaultRegistry: "" + hostNetwork: false + +mcm: + enabled: true + +# tolerations for the webhook deployment. See https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ for more info +tolerations: [] +nodeSelector: {} + +## PriorityClassName assigned to deployment. +priorityClassName: "" + +# port assigns which port to use when running rancher-webhook +port: 9443 + +# Parameters for authenticating the kube-apiserver. +auth: + # CA for authenticating kube-apiserver client certs. If empty, client connections will not be authenticated. + # Must be base64-encoded. + clientCA: "" + # Allowlist of CNs for kube-apiserver client certs. If empty, any cert signed by the CA provided in clientCA will be accepted. + allowedCNs: [] diff --git a/index.yaml b/index.yaml index 91da9c97ee..03dde31ff8 100755 --- a/index.yaml +++ b/index.yaml @@ -12915,6 +12915,24 @@ entries: urls: - assets/rancher-webhook/rancher-webhook-104.0.0+up0.5.0.tgz version: 104.0.0+up0.5.0 + - annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/kube-version: '>= 1.23.0-0 < 1.29.0-0' + catalog.cattle.io/namespace: cattle-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0' + catalog.cattle.io/release-name: rancher-webhook + apiVersion: v2 + appVersion: 0.4.8 + created: "2024-07-18T20:47:16.817591916-03:00" + description: ValidatingAdmissionWebhook for Rancher types + digest: 843e9504a1cba3275765fe6172b4f1e253dd9a19a96b889fc3c21e59aab58b5f + name: rancher-webhook + urls: + - assets/rancher-webhook/rancher-webhook-103.0.7+up0.4.8.tgz + version: 103.0.7+up0.4.8 - annotations: catalog.cattle.io/certified: rancher catalog.cattle.io/hidden: "true" diff --git a/release.yaml b/release.yaml index e69de29bb2..119bf98c35 100644 --- a/release.yaml +++ b/release.yaml @@ -0,0 +1,2 @@ +rancher-webhook: + - 103.0.7+up0.4.8