Replace init-certs webhook initContainer with Helm template

- Replicates the functionality from the webhook init-certs cli command from Flyte: https://github.com/flyteorg/flyte/blob/master/flytepropeller/pkg/webhook/init_cert.go This produces a ca.crt, tls.crt and tls.key value needed for the webhook, rather than needing to create a container that needs to have network and Kubernetes access. - Uses the Helm lookup helper to prevent regenerating on upgrades - Update CI check to only fail when lines are deleted or removed from the generated Helm output, not when values are modified Signed-off-by: ddl-ebrown <[email protected]>
flyteorg · Jul 12, 2024 · 7070739 · 7070739
1 parent 81afb76
commit 7070739
Show file tree

Hide file tree

Showing 8 changed files with 93 additions and 204 deletions.
diff --git a/charts/flyte-core/templates/propeller/webhook.yaml b/charts/flyte-core/templates/propeller/webhook.yaml
@@ -1,12 +1,42 @@
 {{- if .Values.flytepropeller.enabled }}
 {{- if .Values.webhook.enabled }}
-# Create an empty secret that the first propeller pod will populate
+{{- $secret := (lookup "v1" "Secret" (include "flyte.namespace" .) "flyte-pod-webhook") -}}
 apiVersion: v1
 kind: Secret
 metadata:
   name: flyte-pod-webhook
   namespace: {{ template "flyte.namespace" . }}
 type: Opaque
+data:
+{{- if $secret }}
+  tls.crt: |
+    {{ index $secret.data "tls.crt" }}
+  tls.key: |
+    {{ index $secret.data "tls.key" }}
+  ca.crt: |
+    {{ index $secret.data "ca.crt" }}
+{{- else -}}
+{{/* Produces a 99 year valid CA and cert signed by the CA like:
+    https://github.com/flyteorg/flyte/blob/81afb76b44931d827f8e898d097a7e8054a5b836/flytepropeller/cmd/controller/cmd/init_certs.go#L14-L36
+*/}}
+{{- $certValid := 36135 -}}
+{{- $name := include "flyte-pod-webhook.name" . -}}
+{{- $namespace := include "flyte.namespace" . -}}
+{{- $svc := (printf "%v.%v" $name $namespace) -}}
+{{- $cn := (printf "%v.svc" $svc) -}}
+{{- $altnames := (list $name $svc $cn) -}}
+{{- $ca := genCA "flyte-ca" $certValid -}}
+{{- $cert := genSignedCert $cn nil $altnames $certValid $ca }}
+  # ca issued cert
+  tls.crt: |
+    {{ $cert.Cert | b64enc }}
+  # private key for cert
+  tls.key: |
+    {{ $cert.Key | b64enc }}
+  # ca cert since the CA is generated here
+  ca.crt: |
+    {{ $ca.Cert | b64enc }}
+{{- end }}
 ---
 # Create the actual deployment
 apiVersion: apps/v1
@@ -47,40 +77,6 @@ spec:
       {{- if .Values.webhook.priorityClassName }}
       priorityClassName: {{ .Values.webhook.priorityClassName }}
       {{- end }}
-{{- if .Values.webhook.enabled }}
-      initContainers:
-      - name: generate-secrets
-        image: "{{ .Values.flytepropeller.image.repository }}:{{ .Values.flytepropeller.image.tag }}"
-        imagePullPolicy: "{{ .Values.flytepropeller.image.pullPolicy }}"
-        command:
-          - flytepropeller
-        args:
-          - webhook
-          - init-certs
-          - --config
-          - /etc/flyte/config/*.yaml
-        env:
-          - name: POD_NAME
-            valueFrom:
-              fieldRef:
-                fieldPath: metadata.name
-          - name: POD_NAMESPACE
-            valueFrom:
-              fieldRef:
-                fieldPath: metadata.namespace
-        {{- if .Values.webhook.podEnv -}}
-        {{- with .Values.webhook.podEnv -}}
-        {{- toYaml . | nindent 10 }}
-        {{- end }}
-        {{- end }}
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop: ["ALL"]
-        volumeMounts:
-          - name: config-volume
-            mountPath: /etc/flyte/config
-{{- end }}
       containers:
         - name: webhook
           image: "{{ .Values.flytepropeller.image.repository }}:{{ .Values.flytepropeller.image.tag }}"

diff --git a/deployment/eks/flyte_aws_scheduler_helm_generated.yaml b/deployment/eks/flyte_aws_scheduler_helm_generated.yaml
@@ -78,13 +78,22 @@ stringData:
 type: Opaque
 ---
 # Source: flyte-core/templates/propeller/webhook.yaml
-# Create an empty secret that the first propeller pod will populate
 apiVersion: v1
 kind: Secret
 metadata:
   name: flyte-pod-webhook
   namespace: flyte
 type: Opaque
+data:
+  # ca issued cert
+  tls.crt: |
+    LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURmRENDQW1TZ0F3SUJBZ0lSQUk0NFVqbWVtMTQ5SHJTaCtXT2d3Y1F3RFFZSktvWklodmNOQVFFTEJRQXcKRXpFUk1BOEdBMVVFQXhNSVpteDVkR1V0WTJFd0lCY05NalF3TnpFeU1UYzBNek13V2hnUE1qRXlNekEyTVRreApOelF6TXpCYU1DWXhKREFpQmdOVkJBTVRHMlpzZVhSbExYQnZaQzEzWldKb2IyOXJMbVpzZVhSbExuTjJZekNDCkFTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTHhXc2l0d0FNbzhRZkc4YmloRXg2cGwKTUZSTk5QdkhWRGhwRjRYSWIzWmtwQmhtWnRBV2xIS2ZybTR2TUZEc0NMSG5JOUx1WUJqelRRLzF4WUIyT0d4VworUkY2U0xNZkFqejFqM2NvTUdxMWFscGw4RG1PZS9IY2xiWHl1dXBLTWs3WDBPblg1elh3dG5PM1lyckJ6M3pWCkFQeUxXTXpkTFVlbWo1eTRLZ0pOVmNUTHZiREpkSjVGUy9KbnlWVE4yQWVPNEw3NGppSnlkdk80L2FYZGU3Q1AKdDlsTXJuc09kTFYwSnNEcHgwYkhxL20wVVBEdmhleDZaZ3Q4TVRaUllRS3NwOFZWeEMxUmxXRlBlOHJqWHltSApMSExCdTllVk91WllJUW9VMWQrb3pzMWg3cmMreCtWRGZLa3hJcGJCSFlmeGRsUVBwdWtacS9yL1JhSFZ6MmtDCkF3RUFBYU9CdFRDQnNqQU9CZ05WSFE4QkFmOEVCQU1DQmFBd0hRWURWUjBsQkJZd0ZBWUlLd1lCQlFVSEF3RUcKQ0NzR0FRVUZCd01DTUF3R0ExVWRFd0VCL3dRQ01BQXdId1lEVlIwakJCZ3dGb0FVbzlpRTVqaUR3WkYrRDN5NgoxUFlwN1lqV2t1Z3dVZ1lEVlIwUkJFc3dTWUlSWm14NWRHVXRjRzlrTFhkbFltaHZiMnVDRjJac2VYUmxMWEJ2ClpDMTNaV0pvYjI5ckxtWnNlWFJsZ2h0bWJIbDBaUzF3YjJRdGQyVmlhRzl2YXk1bWJIbDBaUzV6ZG1Nd0RRWUoKS29aSWh2Y05BUUVMQlFBRGdnRUJBRWFJcEF2b2c0U2NZZ2pvWEZXMEUwK3NXUDRCb3poejc0NmpFQzRHQVBmMwpTczM5YWxTRXl4SjVXaURqRGFUZHNuNTcwa3pzY3JESzBYZEFGbUFsOGo0bTFNdElOV3AyNjlUM3M0UXhIZ3VtCmZJRkRlREZzdjFvQ1RiY3Q1Yk5zNk1qV2lYZVNuZkR2UFN3YXMveE9jM0hjRmZyTEdzMTB5ejN0SnUrMm5MVkcKU1o4ZTNMeGNpZkhwYXBtbDlqcHkyOGhuYzE0VmdjOFpPdHJQTDdzVEZZK2pYTnRzbFRWYm1EVGhlQ05qMUg0dAppcnVnSVNuVU5WT3NhcUtRYURKb2ZRdDFuZytuMGt1MDlxTUhkU2lXbHVEcmFhZWgvK2Q0eGJWNGRrdUdaMUVJClVQbkFkNjdQMldNUEZHK2tUSGN6bWVUbkw5dUJxSEtoL2JleW9GYzBQTUU9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+  # private key for cert
+  tls.key: |
+    LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBdkZheUszQUF5anhCOGJ4dUtFVEhxbVV3VkUwMCs4ZFVPR2tYaGNodmRtU2tHR1ptCjBCYVVjcCt1Ymk4d1VPd0lzZWNqMHU1Z0dQTk5EL1hGZ0hZNGJGYjVFWHBJc3g4Q1BQV1BkeWd3YXJWcVdtWHcKT1k1NzhkeVZ0Zks2NmtveVR0ZlE2ZGZuTmZDMmM3ZGl1c0hQZk5VQS9JdFl6TjB0UjZhUG5MZ3FBazFWeE11OQpzTWwwbmtWTDhtZkpWTTNZQjQ3Z3Z2aU9JbkoyODdqOXBkMTdzSSszMlV5dWV3NTB0WFFtd09uSFJzZXIrYlJRCjhPK0Y3SHBtQzN3eE5sRmhBcXlueFZYRUxWR1ZZVTk3eXVOZktZY3Njc0c3MTVVNjVsZ2hDaFRWMzZqT3pXSHUKdHo3SDVVTjhxVEVpbHNFZGgvRjJWQSttNlJtcit2OUZvZFhQYVFJREFRQUJBb0lCQVFDQTdwVGdXYmVndXVtbQpGSW9ROVN6L0FIQzZkWFJkSE5NU0h4ZWtWVmZBNUJyV1BWd0svam8zMGdyMmtVVnhVSFNQWFozUHE3S0x3aHV5ClhsMExtV0w4Ly9sWU5xK0lPQ1V2R0NoVHVXYVQxb2Z0UkxYVW9TOUdudXk2ZDJYd09FVUNab28xVzhHRDByc0UKc3JsYkFvMEpkMFJLbnhaMmdMK2J1bkc4SnZOVFNQTGZEMWorZG5Zc1BYK05LRVMrOVpZOUFYME4vbnBvYUc5UApGVjcrZjdKOS8zN0xmdUhuN0dvNFNXck4vaXNMb0tjVUV2WXNZZDVBMzZxUlhMdFdWZTUveUZOR0EycHpORndtCk1rNDBya0dIUDZTT2JBVDBGdDBXZ0dtL1UrTCtneVRrbVhlOE5WRnZRS2t2UVhQbEVTd0tOcjBHY0M5NCtxNGcKbFpMZmw4T0ZBb0dCQU0ralhsN1FpZUJ2SWR1V2dHc1dqMUkzQ0JRSzlNOTRqcmxvSDFlNk8wcmJ6bmFlcEVobgpsVTI5UzNaN1l0dDR6SmFiN2FldnpiNlJ6Y1BLNTFrSHVmNXRlV1ViTkQxbVVURmoybERLZ1dPdXpFZzVyU21sCjNSdG5VMy94NjlJQ3FnM2QydTY4ZFJvRFJ1YmNaNWd4WVp2SFJzUVE5Q01qNXg4QWxrSTRORE9yQW9HQkFPZzAKazBsbVR2Sjd1ZkVWTUxVL1BhcHFTeWo3MGxudU1RQlpLVEdXVFU3b3Y3TEFESWx2OHR4TDYyTnVvaDJmK3c1OQovSGVtYjZnSkQ5R2NxY3I5UkdBQzB6WDc0SUowVVIzOXhrNGEzSmVCM2daRk5VSTJaakgyNUltS25RY2RDR2xmCmE0cHJya3hTNjE0ZGtid3BLeW8vc0lEeHNXYVBjTGVQZ29jcDByVTdBb0dBQnMxZ1V4VGIzM2xrajVBUHB2SjMKUVlkQ0FYNFdaUkdiQTJIdzNPdmg4MkxlRWE3Q3pRaHZzTHRKMUpqWU5UNXczV0pBVitUL2hZVzdTdlhEdkh2dgpVUEYvTDV2RGkxdGx2NHQ0NUhxdDRIa2lnaDg1bUFxeUFxclE1bmtqYzU3WXVWbVNTWTNzL0N3dFQzVGJBL1ppCkx6dEpDelZPK2pPNzU1MGFUeE1PU3I4Q2dZRUF5M2grYzN2ZHcrY2M2UjdMWHBhNjMyQmkyZGZIM0J1Mi9ub2kKZVp3ZHcvNTVOQlhMSm9kZFJTS1ZjYnlZKytLYXFIbEhTRVVrWkJjRXNJVloxMUNVb0pqNUlMM0VYaXUwaE5aQgo5V0RlV1Rob0tCQnUrY1VYU2NMeFFZQ2Yxb0xmUXc1aytwY2UxU3gzcURHNjZTa2Q5Tmg0UHBVTEFUYkI2MmNxClZtd1VnYzhDZ1lCa1NnbGZVUHpLb0ttSTE2YkN2Z1JxTWNKMDZVejhpYkI1RWhCY3kvOUJ1d2hyV3lEMEUvZEcKSnZwUDdIRFFrYTBydzN5OUYvUTlnZE8raVZaRE9nb29XclhPSkNYU2ZtaHZiblB3RFNHcFFuR25DNW12WnU2TgpJZTFKTkVHTFVBYnUrL1dLNWFnd2tNT3ZRaXJzaTcrVGtkMXZlWjVuZ1VKSXZrWCtJWUVFZnc9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
+  # ca cert since the CA is generated here
+  ca.crt: |
+    LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURFekNDQWZ1Z0F3SUJBZ0lRS3RjT1UzbkFGaEowV21TQTJaYTZFREFOQmdrcWhraUc5dzBCQVFzRkFEQVQKTVJFd0R3WURWUVFERXdobWJIbDBaUzFqWVRBZ0Z3MHlOREEzTVRJeE56UXpNekJhR0E4eU1USXpNRFl4T1RFMwpORE16TUZvd0V6RVJNQThHQTFVRUF4TUlabXg1ZEdVdFkyRXdnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCCkR3QXdnZ0VLQW9JQkFRRG96d0NtWk9xY2R1UHU4NWJCWVprYnlMVGVCbFg4ZFBjNFMyUEY1WmdxNEZKV01NaXYKUXpQT2tUbTNZUk9iMXFpcHp0K004Y1QwYXRiV2JKUzVtZlhSQU41OVBBS0kvQXZISkFBeDNWRS9PbENIejAwdAp2SGwrNFdjVlowSS9UeldQcCtaM0hKQnhWcUJoYm0rKytlb0NmbUdBaGV6S0IzUHVpNDFRaEg0Tjc3aEZWVHV4CjE5STJTVWNWWFZxczJoTXd1YSsvYkxtL2drNnd2U0xRQVJncmxmcnFCK3luV21OcVJFWFR4alY5NmM0ZUZ6ME0KSnU4TDc0eWFpa0FxVHJmNzAwMStzMlhqSS9QUjJMeTFZR3dVVEQ1c2dXdkFWOE11YXBDTDd0N1MwRVlZbDAveApCdmQ2a1Q4bmhaUmg0N3NkNk1IMitmbU5SeDJVWEVzOWdKS3RBZ01CQUFHallUQmZNQTRHQTFVZER3RUIvd1FFCkF3SUNwREFkQmdOVkhTVUVGakFVQmdnckJnRUZCUWNEQVFZSUt3WUJCUVVIQXdJd0R3WURWUjBUQVFIL0JBVXcKQXdFQi96QWRCZ05WSFE0RUZnUVVvOWlFNWppRHdaRitEM3k2MVBZcDdZaldrdWd3RFFZSktvWklodmNOQVFFTApCUUFEZ2dFQkFIeTZjYlBzQVVCSm91aWIrMklsWVBxV1A4VHkyS01iSHpSVDZpRndkd1hwQmlzV1ZjWEFFelU2CjdYeDFlKzVKc3FNSUg1SDlNL0M4Z3U0QjJWdXBScXZaUjlUNldDaTllWnFQVGNQSTloQi92RzFUazU5ZTR6ajIKMEd3S25XaHp3TjJMRkZFRGFCTnM4WFpqVEZJZUV3Q1RvZUJWN0hkekZrU3JsVVRTaDg1cTFKOFkwbk95RG53ZApDbEp4SHdyNjYxdDVET1F6UG5ockJ6Q0lDc1lySkw4Tk0wL3ZvWGx0K0dleG1KSFVzSW55U09ITVFyV1BnSG1UCnVOejhGbG9jdnpXNm9kZDl3WVV5TWliSDlWTGtndWxRbHRTTlJBZ2U2cnZ4alVqdkhHbWZLaVZTTlhFbkdYY2MKa1lTWDMwbGZIV1krMTVIT0F1Y2pUUUpCc1BhYk1KQT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
 ---
 # Source: flyte-core/templates/admin/configmap.yaml
 apiVersion: v1
@@ -1373,33 +1382,6 @@ spec:
         seLinuxOptions:
           type: spc_t
       serviceAccountName: flyte-pod-webhook
-      initContainers:
-      - name: generate-secrets
-        image: "cr.flyte.org/flyteorg/flytepropeller:v1.13.0"
-        imagePullPolicy: "IfNotPresent"
-        command:
-          - flytepropeller
-        args:
-          - webhook
-          - init-certs
-          - --config
-          - /etc/flyte/config/*.yaml
-        env:
-          - name: POD_NAME
-            valueFrom:
-              fieldRef:
-                fieldPath: metadata.name
-          - name: POD_NAMESPACE
-            valueFrom:
-              fieldRef:
-                fieldPath: metadata.namespace
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop: ["ALL"]
-        volumeMounts:
-          - name: config-volume
-            mountPath: /etc/flyte/config
       containers:
         - name: webhook
           image: "cr.flyte.org/flyteorg/flytepropeller:v1.13.0"

diff --git a/deployment/eks/flyte_helm_dataplane_generated.yaml b/deployment/eks/flyte_helm_dataplane_generated.yaml
@@ -55,13 +55,22 @@ stringData:
 type: Opaque
 ---
 # Source: flyte-core/templates/propeller/webhook.yaml
-# Create an empty secret that the first propeller pod will populate
 apiVersion: v1
 kind: Secret
 metadata:
   name: flyte-pod-webhook
   namespace: flyte
 type: Opaque
+data:
+  # ca issued cert
+  tls.crt: |
+    LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURlekNDQW1PZ0F3SUJBZ0lRUmVFbjF3TmM3TWY2YXpOVlo2RFIwREFOQmdrcWhraUc5dzBCQVFzRkFEQVQKTVJFd0R3WURWUVFERXdobWJIbDBaUzFqWVRBZ0Z3MHlOREEzTVRJeE56UXpNalphR0E4eU1USXpNRFl4T1RFMwpORE15Tmxvd0pqRWtNQ0lHQTFVRUF4TWJabXg1ZEdVdGNHOWtMWGRsWW1odmIyc3VabXg1ZEdVdWMzWmpNSUlCCklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF1bFNtQ1BwZW5UQ01RQlRtcFBzeC83OUMKRU8wTDYxKy9uL0h5cW53Yzh2Z29DUWQxSFgxeFFLQ2JBT3p5dU5pZmR3MjBLMFVqR0d0dnI0eE8zWkc5STVQTAo4bjNqWXZHbzRxdE5QWUs0Um1sTlVSU21XcmVYSlhYSEd3Z3RzeG1ESVYwSG1tREJvUjlsYXNqMWZBLzAxZ2syCmh0blhPMS82K1d3WFZGNlZlY2wxYzRJenZnUHVlSDhHRXROUXUrcmtyYkUycTcvcU1wR2l0N3hhajlqNzVURVEKZkNLTU40RUJFcy9XbDB3MGMwSUV5Q3I2NEViNHZjenhhWndkOTFIcEVsdmthZUdqcG95Q0JuOVhmUEI5MjlHaQphWldDK2NpVmRIZVg3S3JFTVhkQ1ByL2dNS0wwbDFUcXFBbVpvVHB4UGtBeVVBMXd6Y0dMa3RFTG9lSTBOd0lECkFRQUJvNEcxTUlHeU1BNEdBMVVkRHdFQi93UUVBd0lGb0RBZEJnTlZIU1VFRmpBVUJnZ3JCZ0VGQlFjREFRWUkKS3dZQkJRVUhBd0l3REFZRFZSMFRBUUgvQkFJd0FEQWZCZ05WSFNNRUdEQVdnQlNmYnJvMkJsOUx3dWJ5clVsRQplbGdJNzBUcFBEQlNCZ05WSFJFRVN6QkpnaEZtYkhsMFpTMXdiMlF0ZDJWaWFHOXZhNElYWm14NWRHVXRjRzlrCkxYZGxZbWh2YjJzdVpteDVkR1dDRzJac2VYUmxMWEJ2WkMxM1pXSm9iMjlyTG1ac2VYUmxMbk4yWXpBTkJna3EKaGtpRzl3MEJBUXNGQUFPQ0FRRUFUNkF0WTYvMmM2cThPNTFJNDlTbFJzK092d3RlMzdQT0VKZ014d2VVZlM3cApYSGRkSHhwZTNFb0RhaUxEeWZHWmpOYzVIYU44QlF3ZVNucDk4aldMWHkzUk1iRjZ5WVhHUXMzMThUZjN4M2gwCk1Wc2xsRlNKbmxEblpiQUdNa3JWcjJBdWozcjhkNllQeVFJd1VvbndHQzNxZnJMSlRZRGVaMWdsZk1TSVphSFAKSkhIME5ZSURYNnN3RmlmMzJTQ1ZGaFVLMThjK2NzRmN6dGxDbGFoOTg4VE5JN0FYWmM2RVNaTldDWktsZ2hMTQpsZnZGcExkRm9JbUZULy9Ec3ZhTVp4TmRNWjJONGJJQzlBOUp2QlJoNjdJay9malFKbC9YaHJ6UDZ0Ujl6T3RXCkozU1VBZTJoeExmL0FMV2YxZFI1bCtNMjRqSGlYVTI5SGtyVVdXVVQ2dz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+  # private key for cert
+  tls.key: |
+    LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBdWxTbUNQcGVuVENNUUJUbXBQc3gvNzlDRU8wTDYxKy9uL0h5cW53Yzh2Z29DUWQxCkhYMXhRS0NiQU96eXVOaWZkdzIwSzBVakdHdHZyNHhPM1pHOUk1UEw4bjNqWXZHbzRxdE5QWUs0Um1sTlVSU20KV3JlWEpYWEhHd2d0c3htRElWMEhtbURCb1I5bGFzajFmQS8wMWdrMmh0blhPMS82K1d3WFZGNlZlY2wxYzRJegp2Z1B1ZUg4R0V0TlF1K3JrcmJFMnE3L3FNcEdpdDd4YWo5ajc1VEVRZkNLTU40RUJFcy9XbDB3MGMwSUV5Q3I2CjRFYjR2Y3p4YVp3ZDkxSHBFbHZrYWVHanBveUNCbjlYZlBCOTI5R2lhWldDK2NpVmRIZVg3S3JFTVhkQ1ByL2cKTUtMMGwxVHFxQW1ab1RweFBrQXlVQTF3emNHTGt0RUxvZUkwTndJREFRQUJBb0lCQUFaQis0V0hxdy9LWnB0cwpXRWFvTFFpeXlxdzQyZEtnMTVXdWtZREtSRXFnck8rSXNaVTQ5a20rV3haUDN1TDRXM3FyR2lidDNuemVkdFRGCmVJeVdiV3k1ZFBzQzRWVWNXcGlxT2lEYnVBYWRXTHhsWGlUano0NnhndXRVZmZ4cTJlMlA2MFp6QTIyKzJUQVoKNmF5dCtJSUxzeW9hUE5GQXF2UWZmalVXTEJ6MzZWWWVGeHl3ZGx2b1JaTmMzYmpyOXZMWXZ5WEZzemtrRytheApTMUlCZnd1eVhoQmpmeldFQy9uaVBFb2xaRURXRXV2dThKamZ0cXlRNUFYV3lNeFVCSHJxR04vTDhIaHNHbWl2CjFaVXZha1FnN3JwR2Q4cmZCc0k3K0FjSVNiZzdCd0xvZW03UzczY2w2TUxFVXFIMkpaZ1JyTzgxNHZ6Y0xBUTUKMFdwaFArRUNnWUVBd29LSW1zeDFERXVLaU5jdDZXcy9BRlYvTXY1cXJiL0MzeWFWNTA1YmVUTHFsZjR3MDc1Mwo0Q2lDNUNKSnE1MUhPRVBsVGErYTYzb1VwWjFpTDJZM2Jqak5iRFl0UFR0cWtQanZzRkMvalQvQXdpUUhCR0I1CmhMZHJQeTVldG5tRE1mdWlaSlo4alBJNWN6ZnRMN2U2a1NXcUt0SFh5dXZFUHZLdUVuZ3MvZEVDZ1lFQTlUd3QKclk1bEFZbFpSa0t3anp3QktiQUxvZXBwOEtIZitSZlF1a2xydFlCeVBUbDgvY3JqZ01OdG5EbjJDdllMSEU0VwpaSVIrK2M3ZzBlOTlxcjZhTmg0Nm9sR2VSUnlPWE9YQks0Z3hlQXhtSmdpMERoWS9hQTY2NWcrUHhubmZjc2p1CmtlWU80RjJtSHAwNjF6WU93YmE4d3FaNVVWcXprcGt0WGQxeWE0Y0NnWUFsdVBjUlBuRzh6ckd4VkRuOU9PVmgKQlRQRUNmOWFid1EyRHQrbm1sUzNMcDY4TkMzNEFzcHcyS3A1NEFSMW1lMEVCbmJrR0JodGJxR3VkTlZqNStqOApJVndGam9RN2lkaGpBVVJLNTM0ZXdLeDdlazA2RmhPN0gyOVhNNEQrMXBZUkRZSXpDOVJmNldJbTdFTzlxMTR0ClpDYWFZMVA4Y0xrQWxFUWFKT0JrNFFLQmdEMmJjSjQ1TjRhN1NvSXNIczdjOUMzVTNCZEJISHduTG0wVlhvcHUKQjNFQlk3R2R6NWl5YjVUWmc1L0xyOVB4Rzdsd3BJOTcrYW9vSHJLZXg2TXRYdkJaaDhGZlg3TmRDU2F0VVdudQpQUDg3bmkzUDRldm9DdVhKVFlxZVBqQk9UYVE0ZGphUTVRdllldk1WN01KRUFsRUg1ME8vTHBzUmZpdEY3KyswCndobmhBb0dCQUpkenUxM2JKSjY4KzBFUmowU1JuSlZoaVpBMXZ5cytyRnJkQVpXekZlK0FzOHRoZmpLdW84ZzAKNVRudWJwWU10VFUzZHdaNHIya2s1dlNkOTRjQjVhTHl2akhEWE9uU1hNdHNlM25PYldhWmRxdFJTRStmVE5EdgpmZ0NnckJnb0FHNXB1aWpPaWtDeGVWRnQxVUM4VHIvcWtQdDBkRjV1dEJCSnJyNjNTdUpICi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==
+  # ca cert since the CA is generated here
+  ca.crt: |
+    LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURFekNDQWZ1Z0F3SUJBZ0lRTGFiNkVnSHNKaTJQM1FMbVh5K0lrakFOQmdrcWhraUc5dzBCQVFzRkFEQVQKTVJFd0R3WURWUVFERXdobWJIbDBaUzFqWVRBZ0Z3MHlOREEzTVRJeE56UXpNalphR0E4eU1USXpNRFl4T1RFMwpORE15Tmxvd0V6RVJNQThHQTFVRUF4TUlabXg1ZEdVdFkyRXdnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCCkR3QXdnZ0VLQW9JQkFRRE1vZ3JBb3h6UC9VamJjNzdSV1E1eExFaHc5OXpWWGxLUzc3MWprNHBrRzl2a0F3cGsKbGhmUUZaOXkybzBLdlJGRW1vcUFOeFVIRzc1MnNDUitjZSszUURId01rNUdQK0dHVXdwNzNjQVVkRXJVMVk2NgpYRlFxb2NYQUsrUUxnZ3REYzl6VEZRTlNKL21KVktRb1gyTkxIZTBtZlp2NG02bHhqMlhIbFl6RHpOdk9xZGdNCkFoOWVZWk05T3lxblY0akxBRUo4NFdmN2JJUjNNLy9TWFZLZGRsQVFPTEZXSnJQSUlKZlJ6WHB3QTlkWEdnOEEKbkdnNkhmc1o4RkhnMWw4RjQrK1l5WU00U3MzN2FWUGJGTlJPMmhtYkRaNVR6TFVkMlFkZkhLRFdVRFRHNElUSwpUT1hUMXVZdC9SOURZSGIyQ3JqK3M0V0VTU0l5Zmp6TGp6RFpBZ01CQUFHallUQmZNQTRHQTFVZER3RUIvd1FFCkF3SUNwREFkQmdOVkhTVUVGakFVQmdnckJnRUZCUWNEQVFZSUt3WUJCUVVIQXdJd0R3WURWUjBUQVFIL0JBVXcKQXdFQi96QWRCZ05WSFE0RUZnUVVuMjY2TmdaZlM4TG04cTFKUkhwWUNPOUU2VHd3RFFZSktvWklodmNOQVFFTApCUUFEZ2dFQkFDcFNSSVhmTGFDbk9QS3gwWWZZdWFHSE5GRDFqWk1UOTl5eXJpUTdneUJaK2dJeTQzYm5OUkFpClN1Ry9SSTJPczZOemVzN05SWWFTMnkxb053b0xIalhFWHgrTUhqb0V4SDZvMjA2Umw3WWF6T1p2OEtPc011WHIKeWt1bWYrdmhrUEtVcVpRT1o5UElXSjVDSzQwOGp4V2JndEIxSU9WSFA0L2JUV041M1I2d3d2NEljVXJ2NW1KNgpscHppWHJ2Nnp5MTFCdkcvY1lvS3JiK3MwZHFsM2hCdmt0SEdZOTQyeTZLWkcvQWpQUzFQNkQwMDBpb1RPaGhICnRWKy9rL1Qxc3NDNGpPZXpyTHdHQjRoWWlhNlk3dkYvR2R2Sk5xMHBHeDZwVC9oYnp5MzVianQxbGlQa1d5cmkKMERSWE9pcnU3ekNRVXB6clVEMkh5VG5qeC9TS3gvRT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
 ---
 # Source: flyte-core/templates/propeller/configmap.yaml
 apiVersion: v1
@@ -524,33 +533,6 @@ spec:
         seLinuxOptions:
           type: spc_t
       serviceAccountName: flyte-pod-webhook
-      initContainers:
-      - name: generate-secrets
-        image: "cr.flyte.org/flyteorg/flytepropeller:v1.13.0"
-        imagePullPolicy: "IfNotPresent"
-        command:
-          - flytepropeller
-        args:
-          - webhook
-          - init-certs
-          - --config
-          - /etc/flyte/config/*.yaml
-        env:
-          - name: POD_NAME
-            valueFrom:
-              fieldRef:
-                fieldPath: metadata.name
-          - name: POD_NAMESPACE
-            valueFrom:
-              fieldRef:
-                fieldPath: metadata.namespace
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop: ["ALL"]
-        volumeMounts:
-          - name: config-volume
-            mountPath: /etc/flyte/config
       containers:
         - name: webhook
           image: "cr.flyte.org/flyteorg/flytepropeller:v1.13.0"