From ba968ac4b4b5cd4177b710d4d52ad0e1d6785fb3 Mon Sep 17 00:00:00 2001 From: ddl-ebrown Date: Thu, 11 Jul 2024 21:18:47 -0700 Subject: [PATCH] Replace init-certs webhook job with Helm template - Replicates the functionality from the webhook init-certs cli command from Flyte: https://github.com/flyteorg/flyte/blob/master/flytepropeller/pkg/webhook/init_cert.go This produces a ca.crt, tls.crt and tls.key value needed for the webhook, rather than needing to create a container that needs to have network and Kubernetes access. - Uses the Helm lookup helper to prevent regenerating on upgrades Signed-off-by: ddl-ebrown
---
.../templates/propeller/webhook.yaml | 68 +++++++++---------- .../flyte_aws_scheduler_helm_generated.yaml | 40 +++-------- .../eks/flyte_helm_dataplane_generated.yaml | 40 +++-------- deployment/eks/flyte_helm_generated.yaml | 40 +++-------- .../gcp/flyte_helm_dataplane_generated.yaml | 40 +++-------- deployment/gcp/flyte_helm_generated.yaml | 40 +++-------- deployment/sandbox/flyte_helm_generated.yaml | 40 +++-------- 7 files changed, 98 insertions(+), 210 deletions(-)
diff --git a/charts/flyte-core/templates/propeller/webhook.yaml b/charts/flyte-core/templates/propeller/webhook.yaml
index 4cc05796c53..1ac23ab8e00 100644
--- a/charts/flyte-core/templates/propeller/webhook.yaml
+++ b/charts/flyte-core/templates/propeller/webhook.yaml
@@ -1,12 +1,42 @@
 {{- if .Values.flytepropeller.enabled }}
 {{- if .Values.webhook.enabled }}
-# Create an empty secret that the first propeller pod will populate
+{{- $secret := (lookup "v1" "Secret" (include "flyte.namespace" .) "flyte-pod-webhook") -}}
 apiVersion: v1
 kind: Secret
 metadata:
 name: flyte-pod-webhook
 namespace: {{ template "flyte.namespace" . }}
-type: Opaque
+type: kubernetes.io/tls
+data:
+{{- if $secret }}
+ tls.crt: |
+ {{ index $secret.data "tls.crt" }}
+ tls.key: |
+ {{ index $secret.data "tls.key" }}
+ ca.crt: |
+ {{ index $secret.data "ca.crt" }}
+{{- else -}}
+{{/* Produces a 99 year valid CA and cert signed by the CA like:
+ https://github.com/flyteorg/flyte/blob/81afb76b44931d827f8e898d097a7e8054a5b836/flytepropeller/cmd/controller/cmd/init_certs.go#L14-L36
+*/}}
+{{- $certValid := 36135 -}}
+{{- $name := include "flyte-pod-webhook.name" . -}}
+{{- $namespace := include "flyte.namespace" . -}}
+{{- $svc := (printf "%v.%v" $name $namespace) -}}
+{{- $cn := (printf "%v.svc" $svc) -}}
+{{- $altnames := (list $name $svc $cn) -}}
+{{- $ca := genCA "flyte-ca" $certValid -}}
+{{- $cert := genSignedCert $cn nil $altnames $certValid $ca }}
+ # ca issued cert
+ tls.crt: |
+ {{ $cert.Cert | b64enc }}
+ # private key for cert
+ tls.key: |
+ {{ $cert.Key | b64enc }}
+ # ca cert since the CA is generated here
+ ca.crt: |
+ {{ $ca.Cert | b64enc }}
+{{- end }}
 ---
 # Create the actual deployment
 apiVersion: apps/v1
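Review bot: The `lookup` guard on the first added line only protects a release installed against a live cluster; under `helm template`, `--dry-run` or a GitOps renderer `lookup` returns an empty result, so the `else` branch runs `genCA`/`genSignedCert` on every render and writes a fresh CA and private key into the output. The regenerated `deployment/*/flyte_helm_generated.yaml` files later in this patch show the consequence: each now carries a rendered `tls.key` (the sandbox manifest's value decodes to an RSA private key header), so every cluster applied from those checked-in files would share one webhook key and CA that are readable in the repository. I would keep this Secret out of the committed manifests or let operators point at a secret they provision, and document the limit in the template with `{{/* lookup is empty under helm template / --dry-run, so the CA and key are regenerated on each render */}}`. Separately, on upgrade the existing secret is reused while `type` changes from `Opaque` to `kubernetes.io/tls`, which the API server is expected to reject because a Secret's type is immutable, and `index $secret.data "tls.crt"` has no guard for a secret that exists but was never populated; `{{- if and $secret $secret.data }}` would cover the second case.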
@@ -47,40 +77,6 @@ spec:
 {{- if .Values.webhook.priorityClassName }}
 priorityClassName: {{ .Values.webhook.priorityClassName }}
 {{- end }}
-{{- if .Values.webhook.enabled }}
- initContainers:
- - name: generate-secrets
- image: "{{ .Values.flytepropeller.image.repository }}:{{ .Values.flytepropeller.image.tag }}"
- imagePullPolicy: "{{ .Values.flytepropeller.image.pullPolicy }}"
- command:
- - flytepropeller
- args:
- - webhook
- - init-certs
- - --config
- - /etc/flyte/config/*.yaml
- env:
- - name: POD_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- {{- if .Values.webhook.podEnv -}}
- {{- with .Values.webhook.podEnv -}}
- {{- toYaml . | nindent 10 }}
- {{- end }}
- {{- end }}
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop: ["ALL"]
- volumeMounts:
- - name: config-volume
- mountPath: /etc/flyte/config
-{{- end }}
 containers:
 - name: webhook
 image: "{{ .Values.flytepropeller.image.repository }}:{{ .Values.flytepropeller.image.tag }}"
diff --git a/deployment/eks/flyte_aws_scheduler_helm_generated.yaml b/deployment/eks/flyte_aws_scheduler_helm_generated.yaml
index 0ce940cfa90..f0d1a1182f3 100644
--- a/deployment/eks/flyte_aws_scheduler_helm_generated.yaml
+++ b/deployment/eks/flyte_aws_scheduler_helm_generated.yaml
@@ -78,13 +78,22 @@ stringData: type: Opaque --- # Source: flyte-core/templates/propeller/webhook.yaml -# Create an empty secret that the first propeller pod will populate apiVersion: v1 kind: Secret metadata: name: flyte-pod-webhook namespace: flyte -type: Opaque +type: kubernetes.io/tls +data: + # ca issued cert + tls.crt: | + LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURmRENDQW1TZ0F3SUJBZ0lSQUs0UzBrTEY2UTNHNjZWTGNwbEExV1F3RFFZSktvWklodmNOQVFFTEJRQXcKRXpFUk1BOEdBMVVFQXhNSVpteDVkR1V0WTJFd0lCY05NalF3TnpFeU1EUXlNakV3V2hnUE1qRXlNekEyTVRrdwpOREl5TVRCYU1DWXhKREFpQmdOVkJBTVRHMlpzZVhSbExYQnZaQzEzWldKb2IyOXJMbVpzZVhSbExuTjJZekNDCkFTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBSm5yQ25VSHU5cHpxMm5LMkt0TktiWUcKVlBvc290QkxWUVpvTnNlYmk3WVpiQ2RqbzUwOFZSSjN0d044MVQ3MkFrWUQ5STJ6Y3ZwUW03Q2hUZGEwdTdwUAptUGpwL3dVd0lvR3ZucC81UzRTMjFsNXpDUkVqWVlyRWNXL2gyM0YxWFU5aU0wdUdPNnppVFdTc3VqczkvQ1FOCnJPekJWbjNYc2s4NzBCWVFRdkJyd2NPSEcyWFNvcGs2bnZNR3FEaDJkSVlhMzc2Wk9nNDZxMHBLUkhWTDk4OWkKUUVLRTBVeTJDNkVScXpzZmNvTjlQS0QyR2FNZXpMTVJZYkp3em55V044SW1UK2ZrZURqcS8rekM4STF4Tm4wTgo2UHIybXRUWUNGRzgyQ2tIZE9rbk1jVndoNjViOGVSa2dYaGpVd2FmcDAya1kxU2NXSitYQjZtT3hlZERZQzhDCkF3RUFBYU9CdFRDQnNqQU9CZ05WSFE4QkFmOEVCQU1DQmFBd0hRWURWUjBsQkJZd0ZBWUlLd1lCQlFVSEF3RUcKQ0NzR0FRVUZCd01DTUF3R0ExVWRFd0VCL3dRQ01BQXdId1lEVlIwakJCZ3dGb0FVUlZ2TXVwb2pXcmZjRjNBSwprQWRJMUg3V2Jwb3dVZ1lEVlIwUkJFc3dTWUlSWm14NWRHVXRjRzlrTFhkbFltaHZiMnVDRjJac2VYUmxMWEJ2ClpDMTNaV0pvYjI5ckxtWnNlWFJsZ2h0bWJIbDBaUzF3YjJRdGQyVmlhRzl2YXk1bWJIbDBaUzV6ZG1Nd0RRWUoKS29aSWh2Y05BUUVMQlFBRGdnRUJBRXR2cStOQ1d5VThZWlNzUlllT2hjc3Z6V0NzcVpZOGg4NlQvUGE3M2JmdgpTVXpwZTdVNVZuWVYzcGxBR2czTit6L01DN083VlRIWEV3OXBORTZkS0pyTTREMzY4US84ZFZUd0RmdmtHL0hTClg3YXMzRlVHN1kwdy9WR0hHWTVRN3BrbTdIYXdpaU8zdk5KRVozanBxR1EvMjNRbVlha2YrWXNYaTFOZ2tXWmgKaUtpVVlxWUdFSmxHc2RwUXpLbis3SXp6aXpCK1lpUnduVUVaTExzZ3drSSt3bEVaMjNDcDIyNCtwWjJwS1ZJSwo3NWdCTGR3SWZ0dit6dnlLVWtkWFJ0RElGdk1pWkJjditLajVXdEFKZkdKRHJoNURtSE1FUktqMHBwdFV0Ly9iCnJCZmF5VFNiM2gzaUJTdlJqeVNVUHhQWmNmanNBNTg1eUQyZ0Y2bUxFUlE9Ci0tLS0tRU5EI
ENFUlRJRklDQVRFLS0tLS0K + # private key for cert + tls.key: | + 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 + # ca cert since the CA is generated here + ca.crt: | + 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 --- # Source: flyte-core/templates/admin/configmap.yaml apiVersion: v1 @@ -1373,33 +1382,6 @@ spec: seLinuxOptions: type: spc_t serviceAccountName: flyte-pod-webhook - initContainers: - - name: generate-secrets - image: "cr.flyte.org/flyteorg/flytepropeller:v1.13.0" - imagePullPolicy: "IfNotPresent" - command: - - flytepropeller - args: - - webhook - - init-certs - - --config - - /etc/flyte/config/*.yaml - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: ["ALL"] - volumeMounts: - - name: config-volume - mountPath: /etc/flyte/config containers: - name: webhook image: "cr.flyte.org/flyteorg/flytepropeller:v1.13.0" diff --git a/deployment/eks/flyte_helm_dataplane_generated.yaml b/deployment/eks/flyte_helm_dataplane_generated.yaml index 040cb007f75..595764f2f5e 100644 --- a/deployment/eks/flyte_helm_dataplane_generated.yaml +++ b/deployment/eks/flyte_helm_dataplane_generated.yaml @@ -55,13 +55,22 @@ stringData: type: Opaque --- # Source: flyte-core/templates/propeller/webhook.yaml -# Create an empty secret that the first propeller pod will populate apiVersion: v1 kind: Secret metadata: name: flyte-pod-webhook namespace: flyte -type: Opaque +type: kubernetes.io/tls +data: + # ca issued cert + tls.crt: | + 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 + # private key for cert + tls.key: | + 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 + # ca cert since the CA is generated here + ca.crt: | + 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 --- # Source: flyte-core/templates/propeller/configmap.yaml apiVersion: v1 
@@ -524,33 +533,6 @@ spec: seLinuxOptions: type: spc_t serviceAccountName: flyte-pod-webhook - initContainers: - - name: generate-secrets - image: "cr.flyte.org/flyteorg/flytepropeller:v1.13.0" - imagePullPolicy: "IfNotPresent" - command: - - flytepropeller - args: - - webhook - - init-certs - - --config - - /etc/flyte/config/*.yaml - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: ["ALL"] - volumeMounts: - - name: config-volume - mountPath: /etc/flyte/config containers: - name: webhook image: "cr.flyte.org/flyteorg/flytepropeller:v1.13.0" diff --git a/deployment/eks/flyte_helm_generated.yaml b/deployment/eks/flyte_helm_generated.yaml index 5fc562963e6..24a1ae92a14 100644 --- a/deployment/eks/flyte_helm_generated.yaml +++ b/deployment/eks/flyte_helm_generated.yaml @@ -90,13 +90,22 @@ stringData: type: Opaque --- # Source: flyte-core/templates/propeller/webhook.yaml -# Create an empty secret that the first propeller pod will populate apiVersion: v1 kind: Secret metadata: name: flyte-pod-webhook namespace: flyte -type: Opaque +type: kubernetes.io/tls +data: + # ca issued cert + tls.crt: | + 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 + # private key for cert + tls.key: | + 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 + # ca cert since the CA is generated here + ca.crt: | + 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 --- # Source: flyte-core/templates/admin/configmap.yaml apiVersion: v1 
@@ -1503,33 +1512,6 @@ spec: seLinuxOptions: type: spc_t serviceAccountName: flyte-pod-webhook - initContainers: - - name: generate-secrets - image: "cr.flyte.org/flyteorg/flytepropeller:v1.13.0" - imagePullPolicy: "IfNotPresent" - command: - - flytepropeller - args: - - webhook - - init-certs - - --config - - /etc/flyte/config/*.yaml - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: ["ALL"] - volumeMounts: - - name: config-volume - mountPath: /etc/flyte/config containers: - name: webhook image: "cr.flyte.org/flyteorg/flytepropeller:v1.13.0" diff --git a/deployment/gcp/flyte_helm_dataplane_generated.yaml b/deployment/gcp/flyte_helm_dataplane_generated.yaml index b5ad82d3f0e..05fbd88fcc8 100644 --- a/deployment/gcp/flyte_helm_dataplane_generated.yaml +++ b/deployment/gcp/flyte_helm_dataplane_generated.yaml @@ -55,13 +55,22 @@ stringData: type: Opaque --- # Source: flyte-core/templates/propeller/webhook.yaml -# Create an empty secret that the first propeller pod will populate apiVersion: v1 kind: Secret metadata: name: flyte-pod-webhook namespace: flyte -type: Opaque +type: kubernetes.io/tls +data: + # ca issued cert + tls.crt: | + 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 + # private key for cert + tls.key: | + 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 + # ca cert since the CA is generated here + ca.crt: | + 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 --- # Source: flyte-core/templates/propeller/configmap.yaml apiVersion: v1 
@@ -531,33 +540,6 @@ spec: seLinuxOptions: type: spc_t serviceAccountName: flyte-pod-webhook - initContainers: - - name: generate-secrets - image: "cr.flyte.org/flyteorg/flytepropeller:v1.13.0" - imagePullPolicy: "IfNotPresent" - command: - - flytepropeller - args: - - webhook - - init-certs - - --config - - /etc/flyte/config/*.yaml - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: ["ALL"] - volumeMounts: - - name: config-volume - mountPath: /etc/flyte/config containers: - name: webhook image: "cr.flyte.org/flyteorg/flytepropeller:v1.13.0" diff --git a/deployment/gcp/flyte_helm_generated.yaml b/deployment/gcp/flyte_helm_generated.yaml index 4e3fe06e38e..2edd1f7e76f 100644 --- a/deployment/gcp/flyte_helm_generated.yaml +++ b/deployment/gcp/flyte_helm_generated.yaml @@ -90,13 +90,22 @@ stringData: type: Opaque --- # Source: flyte-core/templates/propeller/webhook.yaml -# Create an empty secret that the first propeller pod will populate apiVersion: v1 kind: Secret metadata: name: flyte-pod-webhook namespace: flyte -type: Opaque +type: kubernetes.io/tls +data: + # ca issued cert + tls.crt: | + 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 + # private key for cert + tls.key: | + 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 + # ca cert since the CA is generated here + ca.crt: | + 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 --- # Source: flyte-core/templates/admin/configmap.yaml apiVersion: v1 
@@ -1525,33 +1534,6 @@ spec: seLinuxOptions: type: spc_t serviceAccountName: flyte-pod-webhook - initContainers: - - name: generate-secrets - image: "cr.flyte.org/flyteorg/flytepropeller:v1.13.0" - imagePullPolicy: "IfNotPresent" - command: - - flytepropeller - args: - - webhook - - init-certs - - --config - - /etc/flyte/config/*.yaml - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: ["ALL"] - volumeMounts: - - name: config-volume - mountPath: /etc/flyte/config containers: - name: webhook image: "cr.flyte.org/flyteorg/flytepropeller:v1.13.0" diff --git a/deployment/sandbox/flyte_helm_generated.yaml b/deployment/sandbox/flyte_helm_generated.yaml index f53025f8506..8889a9157e1 100644 --- a/deployment/sandbox/flyte_helm_generated.yaml +++ b/deployment/sandbox/flyte_helm_generated.yaml 
@@ -129,13 +129,22 @@ stringData: client_secret: foobar --- # Source: flyte/charts/flyte/templates/propeller/webhook.yaml -# Create an empty secret that the first propeller pod will populate apiVersion: v1 kind: Secret metadata: name: flyte-pod-webhook namespace: flyte -type: Opaque +type: kubernetes.io/tls +data: + # ca issued cert + tls.crt: | + 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 + # private key for cert + tls.key: | + LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBeXM5WGZnTTFKL3plejlVOXJtbzNYVVFZQTJIV093TVhPUWNmSzNyM1dvbm5GUXliCnhjUm5FclN6Tlk0clliYU5XVEY4dlJXanJJK1FPengrQ2tmamRXaFZzaGpnakRpaVQwUVpBR3Q3N0pmd3lheXEKcjlMcGtQYWhXYjk1dVVadHd5STJuNGhuSEVhVlEyV1pGaUl3cnF2TERiZ2EyNUFTNjZHZGUrbEFsWHFzVU1aOApHeS8yd3d5eHVNS01VMmc5VzNHYXVFTXk2NHZUVGJucEZFZlF1WldsQ1cxSTFHbDJGL09wdThSRzQzdnk5WWR2Cnh4SStPR2toVHRUYS9EclhJeGgvNlByTTE3QWdQb1VEY2N0cFRiYlFBaVFTMkM3ZGNUYXJzTHMya2J3SHhxTXYKeGoyb3BNTHhwb1U2dnlmQVdFYzA1Wmk2amFNQW1IL0xvUUpnNHdJREFRQUJBb0lCQUJ3Y2VVZ2lNYkFGUU8wVgo1YUxUWGpFelN4RE04dURqSU1qcXo4czdGQ1ljajBjL3BDZlpmVi8rWkFpOFdBOEhPcmh1UDVnRjg5WHJZRmFWCm4vTFUzQlplQytMUHgvQW51WGU3UEt2dU9oTWxURjduN0JESzcwMEVvb0RLSlpra3hmb1NOL2dNOUIzYk9yMUkKeTl0aGlkWHNRZ3o0dytCRExCdzFIcHNhVGJWcU9HRkJZTmtBajZZWFdSVEVXb2ZxdWdMYmd6WllwS0JSUmdIMQpXK2h2K3RmSzBQN2JQNzZyNzdCRU5zU0w4NWh0Vllta0o3NW1IZzlQTUVraWk2NzhTM2EydTV6TmhOMEJOVDg4CmE4ZnFMaFhmNCtFNlhCUDZuMEwxVkkzSUdncHltc0dUZ0VjOExZUzJKbXBMaktMWVZIU2ZURGlxVTJEZG1waWUKTDQyZmNnRUNnWUVBNlNCVHcxUGU5YjFJQTBEZndHZWZTaXJqUzhMWWIwUlQ1MGQwc2ZLZUd3UUlxT0RiWGF2ZQpLNlZsbEg0N3dEMGxuUmF6bm9HNDVQQXZIZEoyL0R0dnRDL2k1TVUxWHZwOVVDdUh6amd2MFFLYVVHSjFrazlZClZiWlV2Nmc3QmFGOEVkbmlTQjl6QnZ0MFUxdHBwU3FpUEhCRWsrdTd6NmFKb2YwVm9acUREY0VDZ1lFQTNyV0gKRU56cmlGVFJONmIyL29iNUI0eGlabHBzWHhNbjlrM2VlRHgrcXp0c0RBRnlnZTVpK3pJVUpCbEZrQnVva2Q2Tgo0M1hobndUazZzb3VLZ0s5RnVxVWtYVmFTdlh3bEZFcXFmL1dSTU1ieGRJQnhRRjl1VWptY2QwVk9ER2MwQXM5CkU0bVZMYVErYVJNSEdTMGYrQm1BK0hQQ3BybjdMSnRraGViMlg2TUNnWUVBbUozcE9ENTRBRGhpSkg4Yi9FSGEKTGh2Vm9ZdDFWYUpOcTJORUtockRGcnlWVHJtbDRy
VFpSWW1KN3FTVlNVeStpeENKbG9NbUgvcDlYZkNpcEkzawptdm1lZUZZQ2txTTUxbm9vOWdBaWpabyttOUZaVnVkSzFSSUFlVmdSQzZha0txdVJUOVlHMzlOT1hDUEVEYlRUCmNPMnVkNGdqODlUNjFXbHg5OUhIYWdFQ2dZQnAxS3R0YVA0SUYvNGZ5eGplVlBkc0Rkc0l0bmwvS0pRNTZFRUsKcy95aGxDaEJBRU1RMlY1eDdoZENIRHhCUWROMkZlTXBMdkJiWjdEOG5iMFlPNXJ0aytXcnhhOTFwYStBVzUzQgprUkNhTm5reEpSMndKNGcrRHhWckVGc3dDK3R2dFpkOWZFakdtcUVKdjRBRkI3dUVZMkkxTHBWV00xVFhtclJICktUejByd0tCZ0R4VnFDZFhIbDlER1I5YjVkS013Z3dqVWt6NmZHQkdOT0lpdTArdVJYUGZLdWZuUnVISHRCb1gKRmlyWEZnK3RpZzdKTkdPT2dQSngzNHVJWVloZjhET0l5aFl5TkxsT3RhQ3BGeGEyQm5xN1U1aHhBNk9sWWljWQpRRGhDWFpwSFNyZkpWWkZZTk9wczM5dU9ES2dLRk5TT0hWLzlSZUVDWkRHN1lNNk5PYlJpCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg== + # ca cert since the CA is generated here + ca.crt: | + 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 --- # Source: flyte/charts/kubernetes-dashboard/templates/secret.yaml # Copyright 2017 The Kubernetes Authors. @@ -7269,33 +7278,6 @@ spec: seLinuxOptions: type: spc_t serviceAccountName: flyte-pod-webhook - initContainers: - - name: generate-secrets - image: "cr.flyte.org/flyteorg/flytepropeller:v1.13.0" - imagePullPolicy: "IfNotPresent" - command: - - flytepropeller - args: - - webhook - - init-certs - - --config - - /etc/flyte/config/*.yaml - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: ["ALL"] - volumeMounts: - - name: config-volume - mountPath: /etc/flyte/config containers: - name: webhook image: "cr.flyte.org/flyteorg/flytepropeller:v1.13.0"