From b8932ea3cb891ade4bb72aba198058d11ffa0ba1 Mon Sep 17 00:00:00 2001 From: nicholasSUSE Date: Mon, 24 Feb 2025 21:32:39 -0300 Subject: [PATCH] release chart: rancher-webhook - version: 105.0.3+up0.6.4 --- .../rancher-webhook-105.0.3+up0.6.4.tgz | Bin 0 -> 2807 bytes .../105.0.3+up0.6.4/Chart.yaml | 15 ++++ .../105.0.3+up0.6.4/templates/_helpers.tpl | 22 +++++ .../105.0.3+up0.6.4/templates/deployment.yaml | 82 ++++++++++++++++++ .../105.0.3+up0.6.4/templates/rbac.yaml | 12 +++ .../105.0.3+up0.6.4/templates/secret.yaml | 11 +++ .../105.0.3+up0.6.4/templates/service.yaml | 13 +++ .../templates/serviceaccount.yaml | 11 +++ .../105.0.3+up0.6.4/templates/webhook.yaml | 9 ++ .../105.0.3+up0.6.4/tests/README.md | 16 ++++ .../tests/deployment_test.yaml | 73 ++++++++++++++++ .../105.0.3+up0.6.4/tests/service_test.yaml | 18 ++++ .../105.0.3+up0.6.4/values.yaml | 30 +++++++ index.yaml | 19 ++++ release.yaml | 2 + 15 files changed, 333 insertions(+) create mode 100644 assets/rancher-webhook/rancher-webhook-105.0.3+up0.6.4.tgz create mode 100644 charts/rancher-webhook/105.0.3+up0.6.4/Chart.yaml create mode 100644 charts/rancher-webhook/105.0.3+up0.6.4/templates/_helpers.tpl create mode 100644 charts/rancher-webhook/105.0.3+up0.6.4/templates/deployment.yaml create mode 100644 charts/rancher-webhook/105.0.3+up0.6.4/templates/rbac.yaml create mode 100644 charts/rancher-webhook/105.0.3+up0.6.4/templates/secret.yaml create mode 100644 charts/rancher-webhook/105.0.3+up0.6.4/templates/service.yaml create mode 100644 charts/rancher-webhook/105.0.3+up0.6.4/templates/serviceaccount.yaml create mode 100644 charts/rancher-webhook/105.0.3+up0.6.4/templates/webhook.yaml create mode 100644 charts/rancher-webhook/105.0.3+up0.6.4/tests/README.md create mode 100644 charts/rancher-webhook/105.0.3+up0.6.4/tests/deployment_test.yaml create mode 100644 charts/rancher-webhook/105.0.3+up0.6.4/tests/service_test.yaml create mode 100644 charts/rancher-webhook/105.0.3+up0.6.4/values.yaml 
diff --git a/assets/rancher-webhook/rancher-webhook-105.0.3+up0.6.4.tgz b/assets/rancher-webhook/rancher-webhook-105.0.3+up0.6.4.tgz new file mode 100644 index 0000000000000000000000000000000000000000..7984ff948aab848f50db61cf129b9edb719badf5 GIT binary patch literal 2807 zcmVDc zVQyr3R8em|NM&qo0PGuGZ{s#{pYsQR~oSvNa`p2jJ!3)1P=nwrD;6EJ;+aZ&Rq%ZtO(`qj6 zZvupKp@^b_%fJB$i6TtQy^tuy(4(RoVyftjViZ6wE3Ly8G>VW1&{1iIoz@{AvMIVt zOeGaOfbXE^9rr!o^;-wWgp;`@`T#;sVw4F9F#y}>%9T_Yw+eKs;A5?#%Hxv7N$IwYa*3$)9= zLz1NY>3c(O;6y0HlqSkFy(f%DL{UB;MKP6n+|L#f%tQ*87CER@g3@UxST3UHpLo7^ z{I4vrgq~Y853mPl+W#eC8Oo=10K4q}$+6$G|0n%}{of1Fn9NaI{uC1-sS@d`G!fmV zsQ^%99>CJt2LLnqB4g}AFdD7`cr%*_b&;Y(t{i91#FVhytte*509YIS8fPS9>JsNv zDowMaZTvz=H9>VN(hmX52$SeIaTx1~$jOvxhoJp|;~aq!3{&g5jIC1(gq%@`Fkxa9 zBUc_=A;LnbLMqOr8dNo2xT`EJj6uFt_&9#WsLH9ASYx^%DTz^GYB!E# zYJptQ(D)IvkH%G#gi1`8n0k&Lq7UH+#-p}5_3;ogid=yX9i#_uW`J>`Rk}&LfO4p zAWJZno=P6+3U=6k|MaBau>Zs1uz#@s`+&PU7b2Wdj?l4|`6jZa`6kV6a|hh}dq)qX zGw|Nq0KwY!BC2h*>E*N}rCiOR^H16Bd=Ua<63ZW*H9yFsjqgr%MGfip7?~oI76D0; z&0x5|)I?-*0#}>%iYLesx$ptC1FPm5+9a7!D#+*R2As_>Q~`7*;>tQ3lh}wv}yb3)HtcGGM5`cmY4Y_eM8{w61{{BAiUJ91QSR!@v zh1r2_NJ?T7!xYt;c+oOx9bYjvH8vV1vJw=pht?ux6B2L1*$7APfbx)K(Kch^!6)F9 zM>r*e}Ky!Xez<6||)yadLm(*_e7Z8U66~?B;xY{^0yLjJ-TD zYQr)fU0=UFySaFGdA*5djm4x9YjxLY0(^pxnNV0RdX024IzPL*7>&=GD1S^vTorwQ z8ATRd;;i19w_gyo2uk(!%FDcRY)vWG;Wf1IGEeX!B3$h^ixyV0!iQ%$)$8weXi zpeh;qsO6@ln*6x3bESx1n8dL{qD@vR+oheU%94vzOtE_En!rzW%LtGd3FveeNSIpu z*{OFL${oX5y+9&1&vtKy{l;Tu`Vm}`^dZrijJN%W4hRn6D5 zDon%th9sGw`hoK33ezPGu_i4TX6CL#aD{)=wmBpTnNmg-MOoi|5=Hd}7ba)dH$S|Y zyuP_QyL|tqVwpDhla`5580vkPJfLcgb!=SAtZ}y8*i?*bvv;kI74Dub{@Wh^r&AI> z%{}n0{C{xVYv%vG{>dT!-v?AF{ocxvZO`8h@9w-y z`y}U0iq>uE^8X!d*MFP2JcR|=rT@qMlcxTk_y_&p3;dP*e``2Wd$aC2g*6C?7v|yP z=A1%bwUD*gkZKUJ^_^d>5)9y7LOy2bd=1|8?*|X*zcHmxU;uXN|FHS~I~<-I?*H}z zHMiMR#q?u^7hV-PM#s$l#E(u~6`RSO{I1*N#0bDZCP`)x|(!tuJ+Rm-lKBfB95 z-C3gS2XKv2X-pExoM^hH^3Ku_oULGu?#S>(7&Ai_$YMxXHm4kBG?fb6T3a!;sQsK% 
zwaBJkDB`Xj=4PBKz25pSZ%&n?sp7e=lpVMLQQ2)0VkQr5&Yhk5|rwjva;@+qQa~vZkwvVa+7a z+)gf(+0yDeGE7&6SbFW7N981AU$T3Rm+aQl$^Pa8IhE#--D{rw#>mQJ{KiTi zaWajycvYS~5=AY?w)q0T?L6{QIuL2Cc%gDMk3N~4#FtOCEVZ8Dcw~#0^1~aCKqR(w zjHIYXG!L!z?h!Qp$KZxos#v2gsanlZ{}V%{<9G2Cr(fT%9opDd9MV?z2s>&YA0?r+ zV|oPJUsw#Yr5t8I=CHlgtu%*qS$U-;eq}haekIxx+C3CV*~w2HM|~D^2K93v?*R^QfCFrW{{;X5|NlA; J1cd-b0043!gqi>V literal 0 HcmV?d00001 diff --git a/charts/rancher-webhook/105.0.3+up0.6.4/Chart.yaml b/charts/rancher-webhook/105.0.3+up0.6.4/Chart.yaml new file mode 100644 index 0000000000..6922a0cd5d --- /dev/null +++ b/charts/rancher-webhook/105.0.3+up0.6.4/Chart.yaml @@ -0,0 +1,15 @@ +annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/kube-version: < 1.32.0-0 + catalog.cattle.io/managed: "true" + catalog.cattle.io/namespace: cattle-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/rancher-version: '>= 2.10.0-0 < 2.11.0-0' + catalog.cattle.io/release-name: rancher-webhook +apiVersion: v2 +appVersion: 0.6.4 +description: ValidatingAdmissionWebhook for Rancher types +name: rancher-webhook +version: 105.0.3+up0.6.4 diff --git a/charts/rancher-webhook/105.0.3+up0.6.4/templates/_helpers.tpl b/charts/rancher-webhook/105.0.3+up0.6.4/templates/_helpers.tpl new file mode 100644 index 0000000000..c37a65c6f3 --- /dev/null +++ b/charts/rancher-webhook/105.0.3+up0.6.4/templates/_helpers.tpl 
@@ -0,0 +1,22 @@
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- else -}}
+{{- "" -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "rancher-webhook.labels" -}}
+app: rancher-webhook
+{{- end }}
+
+{{- define "linux-node-tolerations" -}}
+- key: "cattle.io/os"
+ value: "linux"
+ effect: "NoSchedule"
+ operator: "Equal"
+{{- end -}}
+
+{{- define "linux-node-selector" -}}
+kubernetes.io/os: linux
+{{- end -}}
\ No newline at end of file
diff --git a/charts/rancher-webhook/105.0.3+up0.6.4/templates/deployment.yaml b/charts/rancher-webhook/105.0.3+up0.6.4/templates/deployment.yaml
new file mode 100644
index 0000000000..b8a7201dac
--- /dev/null
+++ b/charts/rancher-webhook/105.0.3+up0.6.4/templates/deployment.yaml
@@ -0,0 +1,82 @@
+{{- $auth := .Values.auth | default dict }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: rancher-webhook
+spec:
+ selector:
+ matchLabels:
+ app: rancher-webhook
+ template:
+ metadata:
+ labels:
+ app: rancher-webhook
+ spec:
+ {{- if $auth.clientCA }}
+ volumes:
+ - name: client-ca
+ secret:
+ secretName: client-ca
+ {{- end }}
+ {{- if .Values.global.hostNetwork }}
+ hostNetwork: true
+ {{- end }}
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+ {{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+ {{- end }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 6 }}
+ {{- if .Values.tolerations }}
+{{ toYaml .Values.tolerations | indent 6 }}
+ {{- end }}
+ containers:
+ - env:
+ - name: STAMP
+ value: "{{.Values.stamp}}"
+ - name: ENABLE_MCM
+ value: "{{.Values.mcm.enabled}}"
+ - name: CATTLE_PORT
+ value: {{.Values.port | default 9443 | quote}}
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ {{- if $auth.allowedCNs }}
+ - name: ALLOWED_CNS
+ value: '{{ join "," $auth.allowedCNs }}'
+ {{- end }}
+ image: '{{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}'
+ name: rancher-webhook
+ imagePullPolicy: "{{ .Values.image.imagePullPolicy }}"
+ ports:
+ - name: https
+ containerPort: {{ .Values.port | default 9443 }}
+ startupProbe:
+ httpGet:
+ path: "/healthz"
+ port: "https"
+ scheme: "HTTPS"
+ failureThreshold: 60
+ periodSeconds: 5
+ livenessProbe:
+ httpGet:
+ path: "/healthz"
+ port: "https"
+ scheme: "HTTPS"
+ periodSeconds: 5
+ {{- if $auth.clientCA }}
+ volumeMounts:
+ - name: client-ca
+ mountPath: /tmp/k8s-webhook-server/client-ca
+ readOnly: true
+ {{- end }}
+ {{- if .Values.capNetBindService }}
+ securityContext:
+ capabilities:
+ add:
+ - NET_BIND_SERVICE
+ {{- end }}
+ serviceAccountName: rancher-webhook
+ {{- if .Values.priorityClassName }}
+ priorityClassName: "{{.Values.priorityClassName}}"
+ {{- end }}
diff --git a/charts/rancher-webhook/105.0.3+up0.6.4/templates/rbac.yaml b/charts/rancher-webhook/105.0.3+up0.6.4/templates/rbac.yaml
new file mode 100644
index 0000000000..f4364995c0
--- /dev/null
+++ b/charts/rancher-webhook/105.0.3+up0.6.4/templates/rbac.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: rancher-webhook
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+- kind: ServiceAccount
+ name: rancher-webhook
+ namespace: {{.Release.Namespace}}
\ No newline at end of file
diff --git a/charts/rancher-webhook/105.0.3+up0.6.4/templates/secret.yaml b/charts/rancher-webhook/105.0.3+up0.6.4/templates/secret.yaml
new file mode 100644
index 0000000000..9fd331dc1e
--- /dev/null
+++ b/charts/rancher-webhook/105.0.3+up0.6.4/templates/secret.yaml
@@ -0,0 +1,11 @@
+{{- $auth := .Values.auth | default dict }}
+{{- if $auth.clientCA }}
+apiVersion: v1
+data:
+ ca.crt: {{ $auth.clientCA }}
+kind: Secret
+metadata:
+ name: client-ca
+ namespace: cattle-system
+type: Opaque
+{{- end }}
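Review bot: The `rancher-webhook` container in templates/deployment.yaml gets a `securityContext` only when `capNetBindService` is set, so by default it keeps the runtime's default capability set and leaves privilege escalation allowed, while rbac.yaml in this same patch binds its service account to `cluster-admin`. I would render the block unconditionally with `allowPrivilegeEscalation: false`, all capabilities dropped and the `RuntimeDefault` seccomp profile, keeping `NET_BIND_SERVICE` as the conditional add, as sketched below. `runAsNonRoot` and `readOnlyRootFilesystem` would be worth adding as well, but whether the image supports them is not visible in this patch. The "should not set capabilities by default" case in tests/deployment_test.yaml asserts a null `securityContext` and would have to change with it.

```yaml
        # … unchanged: env, image, ports, probes, volumeMounts …
        securityContext:
          allowPrivilegeEscalation: false
          seccompProfile:
            type: RuntimeDefault
          capabilities:
            drop:
            - ALL
            {{- if .Values.capNetBindService }}
            add:
            - NET_BIND_SERVICE
            {{- end }}
```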
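Review bot: The `roleRef` in templates/rbac.yaml binds the `rancher-webhook` service account to the built-in `cluster-admin` ClusterRole, so the token mounted into the webhook pod carries full control of the cluster and a compromise of that one pod is a compromise of everything. Nothing in this patch shows which permissions the webhook actually exercises; if a narrower set is enough, bind a dedicated ClusterRole that lists only those resources and verbs. If `cluster-admin` really is required, record why above `roleRef`, for example `# cluster-admin is required because <reason>; revisit when a scoped ClusterRole is feasible`.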
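Review bot: `namespace: cattle-system` is hard-coded on the `client-ca` Secret in templates/secret.yaml, while the Deployment that mounts it carries no namespace and rbac.yaml uses `{{.Release.Namespace}}`, so a release installed into any other namespace would leave the pod unable to mount the CA volume. Chart.yaml pins the catalog namespace to `cattle-system`, so this mainly affects manual installs, but `namespace: {{ .Release.Namespace }}` keeps the three templates consistent; the Service in templates/service.yaml has the same hard-coded value. Separately, `ca.crt: {{ $auth.clientCA }}` is rendered unquoted, and `ca.crt: {{ $auth.clientCA | quote }}` keeps an unexpected value from changing the shape of the document.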
diff --git a/charts/rancher-webhook/105.0.3+up0.6.4/templates/service.yaml b/charts/rancher-webhook/105.0.3+up0.6.4/templates/service.yaml
new file mode 100644
index 0000000000..220afebeae
--- /dev/null
+++ b/charts/rancher-webhook/105.0.3+up0.6.4/templates/service.yaml
@@ -0,0 +1,13 @@
+kind: Service
+apiVersion: v1
+metadata:
+ name: rancher-webhook
+ namespace: cattle-system
+spec:
+ ports:
+ - port: 443
+ targetPort: {{ .Values.port | default 9443 }}
+ protocol: TCP
+ name: https
+ selector:
+ app: rancher-webhook
diff --git a/charts/rancher-webhook/105.0.3+up0.6.4/templates/serviceaccount.yaml b/charts/rancher-webhook/105.0.3+up0.6.4/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..9e7ad7e1fe
--- /dev/null
+++ b/charts/rancher-webhook/105.0.3+up0.6.4/templates/serviceaccount.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: rancher-webhook
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: rancher-webhook-sudo
+ annotations:
+ cattle.io/description: "SA which can be impersonated to bypass rancher-webhook validation"
\ No newline at end of file
diff --git a/charts/rancher-webhook/105.0.3+up0.6.4/templates/webhook.yaml b/charts/rancher-webhook/105.0.3+up0.6.4/templates/webhook.yaml
new file mode 100644
index 0000000000..53a0687b6f
--- /dev/null
+++ b/charts/rancher-webhook/105.0.3+up0.6.4/templates/webhook.yaml
@@ -0,0 +1,9 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: rancher.cattle.io
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: rancher.cattle.io
diff --git a/charts/rancher-webhook/105.0.3+up0.6.4/tests/README.md b/charts/rancher-webhook/105.0.3+up0.6.4/tests/README.md
new file mode 100644
index 0000000000..6d3059a005
--- /dev/null
+++ b/charts/rancher-webhook/105.0.3+up0.6.4/tests/README.md
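Review bot: The `rancher-webhook-sudo` account in templates/serviceaccount.yaml is documented only by its annotation, which says it can be impersonated to bypass webhook validation, and nothing in this chart states who is expected to hold the `impersonate` verb on it. Any subject granted that verb on this service account skips the checks the webhook enforces, so the intended users and the monitoring expectation belong in a comment above the second document, e.g. `# Impersonating this SA skips rancher-webhook validation; grant "impersonate" on it only to <intended subjects> and alert on its use in the API audit log`. Which component honours the bypass is outside this patch.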
@@ -0,0 +1,16 @@
+
+## local dev testing instructions
+
+Option 1: Full chart CI run with a live cluster
+
+```bash
+./scripts/charts/ci
+```
+
+Option 2: Test runs against the chart only
+
+```bash
+# install the helm plugin first - helm plugin install https://github.com/helm-unittest/helm-unittest.git
+bash dev-scripts/helm-unittest.sh
+```
+
diff --git a/charts/rancher-webhook/105.0.3+up0.6.4/tests/deployment_test.yaml b/charts/rancher-webhook/105.0.3+up0.6.4/tests/deployment_test.yaml
new file mode 100644
index 0000000000..bbd6e30444
--- /dev/null
+++ b/charts/rancher-webhook/105.0.3+up0.6.4/tests/deployment_test.yaml
@@ -0,0 +1,73 @@
+suite: Test Deployment
+templates:
+ - deployment.yaml
+
+tests:
+ - it: should set webhook default port values
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].ports[0].containerPort
+ value: 9443
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: CATTLE_PORT
+ value: "9443"
+
+ - it: should set updated webhook port
+ set:
+ port: 2319
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].ports[0].containerPort
+ value: 2319
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: CATTLE_PORT
+ value: "2319"
+
+ - it: should not set capabilities by default.
+ asserts:
+ - isNull:
+ path: spec.template.spec.containers[0].securityContext
+
+ - it: should set net capabilities when capNetBindService is true.
+ set:
+ capNetBindService: true
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].securityContext.capabilities.add
+ content: NET_BIND_SERVICE
+
+ - it: should not set volumes or volumeMounts by default
+ asserts:
+ - isNull:
+ path: spec.template.spec.volumes
+ - isNull:
+ path: spec.template.spec.volumeMounts
+
+ - it: should set CA fields when CA options are set
+ set:
+ auth.clientCA: base64-encoded-cert
+ auth.allowedCNs:
+ - kube-apiserver
+ - joe
+ asserts:
+ - contains:
+ path: spec.template.spec.volumes
+ content:
+ name: client-ca
+ secret:
+ secretName: client-ca
+ - contains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ name: client-ca
+ mountPath: /tmp/k8s-webhook-server/client-ca
+ readOnly: true
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: ALLOWED_CNS
+ value: kube-apiserver,joe
diff --git a/charts/rancher-webhook/105.0.3+up0.6.4/tests/service_test.yaml b/charts/rancher-webhook/105.0.3+up0.6.4/tests/service_test.yaml
new file mode 100644
index 0000000000..03172ad033
--- /dev/null
+++ b/charts/rancher-webhook/105.0.3+up0.6.4/tests/service_test.yaml
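Review bot: The second `isNull` in "should not set volumes or volumeMounts by default" checks `spec.template.spec.volumeMounts`, which is not where deployment.yaml renders the field, so the assertion passes whether or not the container mounts anything. `volumeMounts` sits under the container, and the later "should set CA fields" case already uses the right path; change this one to `path: spec.template.spec.containers[0].volumeMounts`. As written, a regression that mounts the client CA unconditionally would not be caught by this suite.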
@@ -0,0 +1,18 @@
+suite: Test Service
+templates:
+ - service.yaml
+
+tests:
+ - it: should set webhook default port values
+ asserts:
+ - equal:
+ path: spec.ports[0].targetPort
+ value: 9443
+
+ - it: should set updated target port
+ set:
+ port: 2319
+ asserts:
+ - equal:
+ path: spec.ports[0].targetPort
+ value: 2319
diff --git a/charts/rancher-webhook/105.0.3+up0.6.4/values.yaml b/charts/rancher-webhook/105.0.3+up0.6.4/values.yaml
new file mode 100644
index 0000000000..3e7a7fc74a
--- /dev/null
+++ b/charts/rancher-webhook/105.0.3+up0.6.4/values.yaml
@@ -0,0 +1,30 @@
+image:
+ repository: rancher/rancher-webhook
+ tag: v0.6.4
+ imagePullPolicy: IfNotPresent
+
+global:
+ cattle:
+ systemDefaultRegistry: ""
+ hostNetwork: false
+
+mcm:
+ enabled: true
+
+# tolerations for the webhook deployment. See https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ for more info
+tolerations: []
+nodeSelector: {}
+
+## PriorityClassName assigned to deployment.
+priorityClassName: ""
+
+# port assigns which port to use when running rancher-webhook
+port: 9443
+
+# Parameters for authenticating the kube-apiserver.
+auth:
+ # CA for authenticating kube-apiserver client certs. If empty, client connections will not be authenticated.
+ # Must be base64-encoded.
+ clientCA: ""
+ # Allowlist of CNs for kube-apiserver client certs. If empty, any cert signed by the CA provided in clientCA will be accepted.
+ allowedCNs: []
diff --git a/index.yaml b/index.yaml
index 996739d4b9..d726ff3f0e 100755
--- a/index.yaml
+++ b/index.yaml
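Review bot: The default `clientCA: ""` in values.yaml ships the webhook with client authentication off, which the comment above it states outright, and the file gives operators no guidance on when that is acceptable. With `global.hostNetwork` available as an option the listener can also end up on the node's network, so I would extend the comment along the lines of `# SECURITY: leave empty only when network access to the webhook port is restricted to the kube-apiserver (e.g. by NetworkPolicy); otherwise set clientCA and allowedCNs`. Two values that deployment.yaml reads, `capNetBindService` and `stamp`, are not declared here at all and deserve an entry with a one-line description.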
@@ -22192,6 +22192,25 @@ entries:
 - assets/rancher-vsphere-csi/rancher-vsphere-csi-101.0.0+up2.5.1-rancher1.tgz
 version: 101.0.0+up2.5.1-rancher1
 rancher-webhook:
+ - annotations:
+ catalog.cattle.io/certified: rancher
+ catalog.cattle.io/hidden: "true"
+ catalog.cattle.io/kube-version: < 1.32.0-0
+ catalog.cattle.io/managed: "true"
+ catalog.cattle.io/namespace: cattle-system
+ catalog.cattle.io/os: linux
+ catalog.cattle.io/permits-os: linux,windows
+ catalog.cattle.io/rancher-version: '>= 2.10.0-0 < 2.11.0-0'
+ catalog.cattle.io/release-name: rancher-webhook
+ apiVersion: v2
+ appVersion: 0.6.4
+ created: "2025-02-24T21:32:34.947856009-03:00"
+ description: ValidatingAdmissionWebhook for Rancher types
+ digest: 621e04720c9f84fe03f2bd513d5b8f120f6e3eaadf40825e73da9d9490fa16aa
+ name: rancher-webhook
+ urls:
+ - assets/rancher-webhook/rancher-webhook-105.0.3+up0.6.4.tgz
+ version: 105.0.3+up0.6.4
 - annotations:
 catalog.cattle.io/certified: rancher
 catalog.cattle.io/hidden: "true"
diff --git a/release.yaml b/release.yaml
index 1cf8bc3005..273de79232 100644
--- a/release.yaml
+++ b/release.yaml
@@ -10,3 +10,5 @@ rancher-cis-benchmark:
 - 105.3.0+up7.3.0
 rancher-cis-benchmark-crd:
 - 105.3.0+up7.3.0
+rancher-webhook:
+ - 105.0.3+up0.6.4