Currently the flyte pod webhook, which is responsible for injecting secrets, creates a self-signed cert with a 1 year expiration. This is problematic for long-running Flyte deployments because once the certificate expires all calls to the webhook will fail with "x509: certificate has expired or is not yet valid". As the failurePolicy on the mutating webhook configuration is set to Ignore by default, this means that secrets will transparently stop getting injected, resulting in task failures.
Expected behavior
Secret injection should support a longer than 1 year lifetime.
Additional context to reproduce
Just have a really long running pod webhook deployment .. like really long ... and start to notice that secret injection doesn't work anymore.
Screenshots
No response
Are you sure this issue hasn't been raised already?
Yes
Have you read the Code of Conduct?
Yes
@eapolinario the only real downside is the security implications of a long-running cert. If it's a self-signed cert we could probably just generate another one if it is expired?
@EngHabu it looks like you may have done the initial implementation. Was there any particular reason to choose 1 year expiration?
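An added example, not part of the thread and not Flyte's own code: a Go sketch of the "generate another one" idea from the comments, generalized to flag a self-signed cert for regeneration shortly before it expires rather than only afterwards. The function names, the 30-day renewal window and the DNS name are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// newSelfSigned builds a self-signed serving cert (constructed sample input).
func newSelfSigned(notBefore time.Time, lifetime time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{"example-pod-webhook.example.svc"}, // hypothetical name
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// needsRotation is true if cert is not yet valid, expired, or expires within renewBefore.
func needsRotation(cert *x509.Certificate, now time.Time, renewBefore time.Duration) bool {
	return now.Before(cert.NotBefore) || !now.Add(renewBefore).Before(cert.NotAfter)
}

func main() {
	issued := time.Date(2023, 1, 1, 0, 0, 0, 0, time.UTC) // constructed issue date
	cert, err := newSelfSigned(issued, 365*24*time.Hour)  // 1 year, as in the issue
	if err != nil {
		panic(err)
	}
	for _, days := range []int{30, 340, 400} {
		now := issued.AddDate(0, 0, days)
		fmt.Printf("day %d: rotate=%v\n", days, needsRotation(cert, now, 30*24*time.Hour))
	}
}
```

Running a check like this periodically, instead of only at startup, is what keeps a long-lived webhook process from serving an expired cert while failurePolicy Ignore hides the resulting errors.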