From 7070739bfce830eb244655093b6fe29ed7ea1dbe Mon Sep 17 00:00:00 2001 From: ddl-ebrown Date: Thu, 11 Jul 2024 21:18:47 -0700 Subject: [PATCH] Replace init-certs webhook initContainer with Helm template - Replicates the functionality from the webhook init-certs cli command from Flyte: https://github.com/flyteorg/flyte/blob/master/flytepropeller/pkg/webhook/init_cert.go This produces a ca.crt, tls.crt and tls.key value needed for the webhook, rather than needing to create a container that needs to have network and Kubernetes access. - Uses the Helm lookup helper to prevent regenerating on upgrades - Update CI check to only fail when lines are deleted or removed from the generated Helm output, not when values are modified Signed-off-by: ddl-ebrown --- .../templates/propeller/webhook.yaml | 66 +++++++++---------- .../flyte_aws_scheduler_helm_generated.yaml | 38 +++-------- .../eks/flyte_helm_dataplane_generated.yaml | 38 +++-------- deployment/eks/flyte_helm_generated.yaml | 38 +++-------- .../gcp/flyte_helm_dataplane_generated.yaml | 38 +++-------- deployment/gcp/flyte_helm_generated.yaml | 38 +++-------- deployment/sandbox/flyte_helm_generated.yaml | 38 +++-------- script/generate_helm.sh | 3 +- 8 files changed, 93 insertions(+), 204 deletions(-) diff --git a/charts/flyte-core/templates/propeller/webhook.yaml b/charts/flyte-core/templates/propeller/webhook.yaml index 4cc05796c5..f0e64c485c 100644 --- a/charts/flyte-core/templates/propeller/webhook.yaml +++ b/charts/flyte-core/templates/propeller/webhook.yaml 
@@ -1,12 +1,42 @@ {{- if .Values.flytepropeller.enabled }} {{- if .Values.webhook.enabled }} -# Create an empty secret that the first propeller pod will populate +{{- $secret := (lookup "v1" "Secret" (include "flyte.namespace" .) "flyte-pod-webhook") -}} apiVersion: v1 kind: Secret metadata: name: flyte-pod-webhook namespace: {{ template "flyte.namespace" . }} type: Opaque +data: +{{- if $secret }} + tls.crt: | + {{ index $secret.data "tls.crt" }} + tls.key: | + {{ index $secret.data "tls.key" }} + ca.crt: | + {{ index $secret.data "ca.crt" }} +{{- else -}} +{{/* Produces a 99 year valid CA and cert signed by the CA like: + https://github.com/flyteorg/flyte/blob/81afb76b44931d827f8e898d097a7e8054a5b836/flytepropeller/cmd/controller/cmd/init_certs.go#L14-L36 +*/}} +{{- $certValid := 36135 -}} +{{- $name := include "flyte-pod-webhook.name" . -}} +{{- $namespace := include "flyte.namespace" . -}} +{{- $svc := (printf "%v.%v" $name $namespace) -}} +{{- $cn := (printf "%v.svc" $svc) -}} +{{- $altnames := (list $name $svc $cn) -}} +{{- $ca := genCA "flyte-ca" $certValid -}} +{{- $cert := genSignedCert $cn nil $altnames $certValid $ca }} + # ca issued cert + tls.crt: | + {{ $cert.Cert | b64enc }} + # private key for cert + tls.key: | + {{ $cert.Key | b64enc }} + # ca cert since the CA is generated here + ca.crt: | + {{ $ca.Cert | b64enc }} +{{- end }} --- # Create the actual deployment apiVersion: apps/v1 
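Review bot: The `{{- else -}}` branch writes a freshly generated private key into the rendered manifest, and `lookup` returns an empty result whenever the chart is rendered without cluster access (`helm template`, client-side `--dry-run`), so every offline render takes this branch. The `tls.key` values committed under `deployment/` later in this patch are the visible result, and anyone applying those static manifests as they stand would share one published key and CA. A comment above the `lookup` line should state that reuse only works against a live cluster and that the generated manifests must not be applied with the embedded key material. Separately, `{{- if $secret }}` is also true for a Secret that exists without the three keys (the removed comment says the old chart created it empty), in which case the `index` calls produce nothing usable. `{{- $data := $secret.data | default (dict) -}}` followed by `{{- if hasKey $data "tls.key" }}` would fall through to generation instead.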
@@ -47,40 +77,6 @@ spec: {{- if .Values.webhook.priorityClassName }} priorityClassName: {{ .Values.webhook.priorityClassName }} {{- end }} -{{- if .Values.webhook.enabled }} - initContainers: - - name: generate-secrets - image: "{{ .Values.flytepropeller.image.repository }}:{{ .Values.flytepropeller.image.tag }}" - imagePullPolicy: "{{ .Values.flytepropeller.image.pullPolicy }}" - command: - - flytepropeller - args: - - webhook - - init-certs - - --config - - /etc/flyte/config/*.yaml - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - {{- if .Values.webhook.podEnv -}} - {{- with .Values.webhook.podEnv -}} - {{- toYaml . | nindent 10 }} - {{- end }} - {{- end }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: ["ALL"] - volumeMounts: - - name: config-volume - mountPath: /etc/flyte/config -{{- end }} containers: - name: webhook image: "{{ .Values.flytepropeller.image.repository }}:{{ .Values.flytepropeller.image.tag }}" diff --git a/deployment/eks/flyte_aws_scheduler_helm_generated.yaml b/deployment/eks/flyte_aws_scheduler_helm_generated.yaml index 0ce940cfa9..f36d592ed8 100644 --- a/deployment/eks/flyte_aws_scheduler_helm_generated.yaml +++ b/deployment/eks/flyte_aws_scheduler_helm_generated.yaml 
@@ -78,13 +78,22 @@ stringData: type: Opaque --- # Source: flyte-core/templates/propeller/webhook.yaml -# Create an empty secret that the first propeller pod will populate apiVersion: v1 kind: Secret metadata: name: flyte-pod-webhook namespace: flyte type: Opaque +data: + # ca issued cert + tls.crt: | + 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 + # private key for cert + tls.key: | + 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 + # ca cert since the CA is generated here + ca.crt: | + LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURFekNDQWZ1Z0F3SUJBZ0lRS3RjT1UzbkFGaEowV21TQTJaYTZFREFOQmdrcWhraUc5dzBCQVFzRkFEQVQKTVJFd0R3WURWUVFERXdobWJIbDBaUzFqWVRBZ0Z3MHlOREEzTVRJeE56UXpNekJhR0E4eU1USXpNRFl4T1RFMwpORE16TUZvd0V6RVJNQThHQTFVRUF4TUlabXg1ZEdVdFkyRXdnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCCkR3QXdnZ0VLQW9JQkFRRG96d0NtWk9xY2R1UHU4NWJCWVprYnlMVGVCbFg4ZFBjNFMyUEY1WmdxNEZKV01NaXYKUXpQT2tUbTNZUk9iMXFpcHp0K004Y1QwYXRiV2JKUzVtZlhSQU41OVBBS0kvQXZISkFBeDNWRS9PbENIejAwdAp2SGwrNFdjVlowSS9UeldQcCtaM0hKQnhWcUJoYm0rKytlb0NmbUdBaGV6S0IzUHVpNDFRaEg0Tjc3aEZWVHV4CjE5STJTVWNWWFZxczJoTXd1YSsvYkxtL2drNnd2U0xRQVJncmxmcnFCK3luV21OcVJFWFR4alY5NmM0ZUZ6ME0KSnU4TDc0eWFpa0FxVHJmNzAwMStzMlhqSS9QUjJMeTFZR3dVVEQ1c2dXdkFWOE11YXBDTDd0N1MwRVlZbDAveApCdmQ2a1Q4bmhaUmg0N3NkNk1IMitmbU5SeDJVWEVzOWdKS3RBZ01CQUFHallUQmZNQTRHQTFVZER3RUIvd1FFCkF3SUNwREFkQmdOVkhTVUVGakFVQmdnckJnRUZCUWNEQVFZSUt3WUJCUVVIQXdJd0R3WURWUjBUQVFIL0JBVXcKQXdFQi96QWRCZ05WSFE0RUZnUVVvOWlFNWppRHdaRitEM3k2MVBZcDdZaldrdWd3RFFZSktvWklodmNOQVFFTApCUUFEZ2dFQkFIeTZjYlBzQVVCSm91aWIrMklsWVBxV1A4VHkyS01iSHpSVDZpRndkd1hwQmlzV1ZjWEFFelU2CjdYeDFlKzVKc3FNSUg1SDlNL0M4Z3U0QjJWdXBScXZaUjlUNldDaTllWnFQVGNQSTloQi92RzFUazU5ZTR6ajIKMEd3S25XaHp3TjJMRkZFRGFCTnM4WFpqVEZJZUV3Q1RvZUJWN0hkekZrU3JsVVRTaDg1cTFKOFkwbk95RG53ZApDbEp4SHdyNjYxdDVET1F6UG5ockJ6Q0lDc1lySkw4Tk0wL3ZvWGx0K0dleG1KSFVzSW55U09ITVFyV1BnSG1UCnVOejhGbG9jdnpXNm9kZDl3WVV5TWliSDlWTGtndWxRbHRTTlJBZ2U2cnZ4alVqdkhHbWZLaVZTTlhFbkdYY2MKa1lTWDMwbGZIV1krMTVIT0F1Y2pUUUpCc1BhYk1KQT0KLS0tLS1FTkQgQ0VSVElGSU
NBVEUtLS0tLQo= --- # Source: flyte-core/templates/admin/configmap.yaml apiVersion: v1 @@ -1373,33 +1382,6 @@ spec: seLinuxOptions: type: spc_t serviceAccountName: flyte-pod-webhook - initContainers: - - name: generate-secrets - image: "cr.flyte.org/flyteorg/flytepropeller:v1.13.0" - imagePullPolicy: "IfNotPresent" - command: - - flytepropeller - args: - - webhook - - init-certs - - --config - - /etc/flyte/config/*.yaml - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: ["ALL"] - volumeMounts: - - name: config-volume - mountPath: /etc/flyte/config containers: - name: webhook image: "cr.flyte.org/flyteorg/flytepropeller:v1.13.0" diff --git a/deployment/eks/flyte_helm_dataplane_generated.yaml b/deployment/eks/flyte_helm_dataplane_generated.yaml index 040cb007f7..811b6ede75 100644 --- a/deployment/eks/flyte_helm_dataplane_generated.yaml +++ b/deployment/eks/flyte_helm_dataplane_generated.yaml @@ -55,13 +55,22 @@ stringData: type: Opaque --- # Source: flyte-core/templates/propeller/webhook.yaml -# Create an empty secret that the first propeller pod will populate apiVersion: v1 kind: Secret metadata: name: flyte-pod-webhook namespace: flyte type: Opaque +data: + # ca issued cert + tls.crt: | + 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 + # private key for cert + tls.key: | + 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 + # ca cert since the CA is generated here + ca.crt: | + 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 --- # Source: flyte-core/templates/propeller/configmap.yaml apiVersion: v1 
@@ -524,33 +533,6 @@ spec: seLinuxOptions: type: spc_t serviceAccountName: flyte-pod-webhook - initContainers: - - name: generate-secrets - image: "cr.flyte.org/flyteorg/flytepropeller:v1.13.0" - imagePullPolicy: "IfNotPresent" - command: - - flytepropeller - args: - - webhook - - init-certs - - --config - - /etc/flyte/config/*.yaml - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: ["ALL"] - volumeMounts: - - name: config-volume - mountPath: /etc/flyte/config containers: - name: webhook image: "cr.flyte.org/flyteorg/flytepropeller:v1.13.0" diff --git a/deployment/eks/flyte_helm_generated.yaml b/deployment/eks/flyte_helm_generated.yaml index 5fc562963e..e9a3c8d607 100644 --- a/deployment/eks/flyte_helm_generated.yaml +++ b/deployment/eks/flyte_helm_generated.yaml @@ -90,13 +90,22 @@ stringData: type: Opaque --- # Source: flyte-core/templates/propeller/webhook.yaml -# Create an empty secret that the first propeller pod will populate apiVersion: v1 kind: Secret metadata: name: flyte-pod-webhook namespace: flyte type: Opaque +data: + # ca issued cert + tls.crt: | + 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 + # private key for cert + tls.key: | + 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 + # ca cert since the CA is generated here + ca.crt: | + 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 --- # Source: flyte-core/templates/admin/configmap.yaml apiVersion: v1 
@@ -1503,33 +1512,6 @@ spec: seLinuxOptions: type: spc_t serviceAccountName: flyte-pod-webhook - initContainers: - - name: generate-secrets - image: "cr.flyte.org/flyteorg/flytepropeller:v1.13.0" - imagePullPolicy: "IfNotPresent" - command: - - flytepropeller - args: - - webhook - - init-certs - - --config - - /etc/flyte/config/*.yaml - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: ["ALL"] - volumeMounts: - - name: config-volume - mountPath: /etc/flyte/config containers: - name: webhook image: "cr.flyte.org/flyteorg/flytepropeller:v1.13.0" diff --git a/deployment/gcp/flyte_helm_dataplane_generated.yaml b/deployment/gcp/flyte_helm_dataplane_generated.yaml index b5ad82d3f0..0fb047edbf 100644 --- a/deployment/gcp/flyte_helm_dataplane_generated.yaml +++ b/deployment/gcp/flyte_helm_dataplane_generated.yaml 
@@ -55,13 +55,22 @@ stringData: type: Opaque --- # Source: flyte-core/templates/propeller/webhook.yaml -# Create an empty secret that the first propeller pod will populate apiVersion: v1 kind: Secret metadata: name: flyte-pod-webhook namespace: flyte type: Opaque +data: + # ca issued cert + tls.crt: | + 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 + # private key for cert + tls.key: | + 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 + # ca cert since the CA is generated here + ca.crt: | + LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURFekNDQWZ1Z0F3SUJBZ0lRVk5YbTdkai9CancvM1JxbzNsTmRYekFOQmdrcWhraUc5dzBCQVFzRkFEQVQKTVJFd0R3WURWUVFERXdobWJIbDBaUzFqWVRBZ0Z3MHlOREEzTVRJeE56UXpNamxhR0E4eU1USXpNRFl4T1RFMwpORE15T1Zvd0V6RVJNQThHQTFVRUF4TUlabXg1ZEdVdFkyRXdnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCCkR3QXdnZ0VLQW9JQkFRREZZK2hpeEFNVkpoWHFETTNzSjl6T0lhbGs0R3NSNHkzNVZnaXdLOTJKMUljYjRLQXgKV284cDNLTG03OGRSVzN1OFdONDBrcHlzSkNPeUpIcjRCM00zWWFCS3hsaHBPSHdxTmZhS2ltQjRlY3JDd1RQNgpiOUcwcVVMRlRXR2tmOGcwM2Mrbzl5VUlGR3J5dGVTVFFhOEt6SEczYnFHSk85VFRFQzluUWFGVTNNekRwajkxCmRrRFQvT1FNU0c4bFFKK1hJUkpIM3cyM1YyU0tvMjVBUVRMOWdPTE1iQnhEY09SeTFacmF6cFNadG1xdUFFOTAKOVdaVWxGbEN4S3E3Z0hFdExFZFBwYnp6dWV0WmFEekk4ZWdwNHlBN2dVSytqbnZjb2xjZXpLRlFUbTZPY0tmRgozZ2huVnlrOXdBTDJqc2wwMlhYb09vclZrU0pYcTRFUTZWZzVBZ01CQUFHallUQmZNQTRHQTFVZER3RUIvd1FFCkF3SUNwREFkQmdOVkhTVUVGakFVQmdnckJnRUZCUWNEQVFZSUt3WUJCUVVIQXdJd0R3WURWUjBUQVFIL0JBVXcKQXdFQi96QWRCZ05WSFE0RUZnUVVJSjZHRC9oSkRBelRQTXU5ajZQRXlYamt5VTR3RFFZSktvWklodmNOQVFFTApCUUFEZ2dFQkFKY3hNNTh1ZTh3WTVaOHZCcnBZRmJveXdTVUJBK25EMFA5WEFxOU8xdjE0TVZCaDVGQzNiYkxXCmE2cm1NeHlhSlZySUxpTysrRmNCKzRHYlRqQXdSZEhrSXAxWlNaVnlLcmJGRTIvczhxVDFQd0RsenFnR3oxNjUKTXlybjFDRTFQaFRlcG9MOFhsOVcrRzBHTThybXVPRC9ud1ZHSGJLZzJINXMrZUoweENXaXVqOXIzVUlycHNFbQpFUXVDeTQrVEFyMGdwWkIyeTVsSEwzOC9NYVdURWxTbWRjQnJlRjlmWDNsRm1DTkV0R1h5ME9DSk42SEhpOXJ2CjRZZDd0d3o2UXRYUCs0VmZ4SjI2UUE3VHJtWTV6QXM5WElzK3N1YWJCaTFENXhGalpOMXJwOUx6WEYrOHVoSGoKdUgyaTloUjVpTzQ0RGZucnp4c0FGUm5ubXJkbjFVOD0KLS0tLS1FTkQgQ0VSVElGSU
NBVEUtLS0tLQo= --- # Source: flyte-core/templates/propeller/configmap.yaml apiVersion: v1 @@ -531,33 +540,6 @@ spec: seLinuxOptions: type: spc_t serviceAccountName: flyte-pod-webhook - initContainers: - - name: generate-secrets - image: "cr.flyte.org/flyteorg/flytepropeller:v1.13.0" - imagePullPolicy: "IfNotPresent" - command: - - flytepropeller - args: - - webhook - - init-certs - - --config - - /etc/flyte/config/*.yaml - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: ["ALL"] - volumeMounts: - - name: config-volume - mountPath: /etc/flyte/config containers: - name: webhook image: "cr.flyte.org/flyteorg/flytepropeller:v1.13.0" diff --git a/deployment/gcp/flyte_helm_generated.yaml b/deployment/gcp/flyte_helm_generated.yaml index 4e3fe06e38..942d980843 100644 --- a/deployment/gcp/flyte_helm_generated.yaml +++ b/deployment/gcp/flyte_helm_generated.yaml 
@@ -90,13 +90,22 @@ stringData: type: Opaque --- # Source: flyte-core/templates/propeller/webhook.yaml -# Create an empty secret that the first propeller pod will populate apiVersion: v1 kind: Secret metadata: name: flyte-pod-webhook namespace: flyte type: Opaque +data: + # ca issued cert + tls.crt: | + 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 + # private key for cert + tls.key: | + LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBdWlheVJnWjV3QzNkYWk1OGFQaHM0dnJ6QzU5QnhmWmRPb0QyOWtyZVpxL3FTWXNRCkVuMUQ3MzkzQmhhNFZYSkpqMTNnMFZ3VC9SWFBWb0cwMDQyUjZCY2lyTnJuTmlqOGgvVlZFQm0rT1daN3psN1AKUFlzNHBRNEZpWW5rUVMyOExycE92aUx4QzdtWXRLclp2Yi9FVlRHQmpSdXFKTVRnNjVvNHFmSEs5N3VBWUpOUAp3aVkwTklsZ3NJVHhIanZsWmtacmNtcEtiTnd5aFpmN1FKUDZGTjZ5a0dITzdOYWNnSW01M29qMEJqK0NFMHJ1Cm8xb2NWMUxtbGtaL1d2eTR6eHhCc1IxeWdkRE4vb2ZQeHAvSVlSRjFwbkNmQVZBOTlSK0hqV3hMN3BGckV4d3oKMGw5Sm1qNEF0YWJSaHpONHhXd1hnQ2haTDhCWUhNc0s4Z1RaTHdJREFRQUJBb0lCQUhpSnVDU1o2dHFqbUYwNgpUcnNXS2tQc0pkZGZ2NUoxampiazdZWGNReGtSVGs5aTZmeGUrcytwcFNQZk1HdTcvcUFFTlNDOFZBRXN6ejUvCjdOeVVMbWV3RzNiOHBIMHdteDFhb2tNenVEYXBBd0JGNmtJNjFXb2pvemhGZnZVcHJWSkF0OTVzOTlNVTBpb2kKKzYzZjhEME9Pb3BwNEluQXByaEkrK29udExzbXB4c1QzM2RtNGFyVEN2elkyS0c3QU5sa1ZFMU9IVnhjeHAxUgpPYXpEZ1IzdGROL0FSaWgyZGpkUzdCK2lQVmF1YS9VN0JlZTFSMTA4aG10SXAvSzFOVVpROFhZNkdpMWJjTnYxClM2WUJ2b3BpVkxjdGVHLzE1NDNpRjFab1hkZThZTHJuR2FaSW8vRi8wRkNPTnpGcDFheVpIUTNicGhTemVVSEkKUXhmVVI2RUNnWUVBMWRUbDJScXlKc0ZmTnBDTlp0cmh5UmkxWFpwLzNrdDJoZEhMOWFwNHMyNndHcDlhSkY1Uwo2Y1VqVXU2ellsTWVVcmtkNlB5VUVhOUhab0g4UFRYSWlzaWdPYXQyMUk5akNrTlp5NFN2OVNSQzV2bVFhTEVHCi9md1daTzIybWNNL1k5MjhlTEZhMW1TeUxqR0xGcE5Ob0psRDJaVVNjRXpmNmxkbFJqazBNWEVDZ1lFQTN0eGYKeEp3dXZUQ0pyWVRRRXFFeUFORVJRSUdlWXBXT3YvYWt6SG9kWTFmUGlvTVJ0RzcxL0R1ak1Fa0wyWGZ3d2lxbQo5S0t1dHEvMXowTTcrL0Y1ZFBDZGo2ZTNRSW1VcDVUTTNDbjNxZit2eDNBU3kvaDV0S1JmUU9STS9TVnM1TnVmCnRVSE80dWZUUmFTL01Bb0piZkFrTThRTkh1cSs1b3V3RWpicVpKOENnWUF0U2xlWW9WL2tkNGFzTHZmVU5qNG0KY3RaUFNoOFZQVlNRU1h4eXZ6V3JnNkZITWtOTWVySURFNTlFdkl4QUlpekZCcktBRzZkZEM0d0srVE1zMzh4b
gpJTkZYQmFzNG9Gb3czVTBTbnpzSnFER0hiSXFhc2d3eUZZZkV2dGl6UHJpWmRXaXJBNTJpMVZjc0U1QkxLczRCCld4VVU2ODhvL0E5ZE9qK1lIUnVoOFFLQmdIY0ZxUnYrOGJOV3plRGZFcVV3YzkwZHl5SHhWOTU4MDIxUVUzbGwKS25iWStkMlczSWpKemhQMDRkV3kzV0k2ZlZtbG45NzlWMlA0RzhhaXVORjRpSTVjeHpsbXNDY0drMTdneUh3NAo2YTFnQWNmNDRnRVBaaWlFdE42YVQwZlBpaFc3K2RLN0g3dnRaZGRIQWxpc3M1YUViMEU2VG11Wm9YVE5XNjZPCnA2WXZBb0dCQUxuUEd4eEJTT1VCTjJPOEczcjBaY0ZxNEo3Z0VKb0k3ZjdqdEQvU3NJUU9MZVBZT3UwSWhYcjkKK3ZPRGU0bFd0aHR6aFdvRHhwVUhBUnBtYjZYa1hWYVIrdzdsREJlSCtHWXh2bExvZm1FYXovN0pmVnRIT2dMZQp6SEVKbGVEM2hyYjdIMENFZ20xV0p0M2xRYVNrb09WZWhxMU1jZVRLaWtRZURYd3J0OWxXCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg== + # ca cert since the CA is generated here + ca.crt: | + 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 --- # Source: flyte-core/templates/admin/configmap.yaml apiVersion: v1 @@ -1525,33 +1534,6 @@ spec: seLinuxOptions: type: spc_t serviceAccountName: flyte-pod-webhook - initContainers: - - name: generate-secrets - image: "cr.flyte.org/flyteorg/flytepropeller:v1.13.0" - imagePullPolicy: "IfNotPresent" - command: - - flytepropeller - args: - - webhook - - init-certs - - --config - - /etc/flyte/config/*.yaml - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: ["ALL"] - volumeMounts: - - name: config-volume - mountPath: /etc/flyte/config containers: - name: webhook image: "cr.flyte.org/flyteorg/flytepropeller:v1.13.0" diff --git a/deployment/sandbox/flyte_helm_generated.yaml b/deployment/sandbox/flyte_helm_generated.yaml index f53025f850..1c2fa8fd9d 100644 --- a/deployment/sandbox/flyte_helm_generated.yaml +++ b/deployment/sandbox/flyte_helm_generated.yaml 
@@ -129,13 +129,22 @@ stringData: client_secret: foobar --- # Source: flyte/charts/flyte/templates/propeller/webhook.yaml -# Create an empty secret that the first propeller pod will populate apiVersion: v1 kind: Secret metadata: name: flyte-pod-webhook namespace: flyte type: Opaque +data: + # ca issued cert + tls.crt: | + 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 + # private key for cert + tls.key: | + LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb2dJQkFBS0NBUUVBeFZHc2tWZ3h1NE00OGU2MzQ4SG5RTnkva1N2bXN4dy9Mdmg0bzR2d3gxVUlSWHpLClFocUtnbjFrVkJDdXVtRGE1bmZpT0l1bVZrNjA4MTY3dm8wdVRVZE4wRGFWb2NuOUgwSFlmdW1VWDlKUmFsZisKNm1oOWhGQytpdjgxc2Q5T3BqUiszWVJ6dnBRaDZYZXZya25adEpIZHlMNVNIbmEyRmhjYlV4dHdzVVM2d0U1TQordERKZC9zTHJ1SWhSUXY0dEpMaXM2bjcraXhyR1BFbkQvMVNlbUg2ZGxzbmhKaXR1bCtrZjRLajBkdmhqeTRUCjhIRkZucGJRVWhjNnFEdVh6VEU0WUU0clZYZXdQZ01yck93M3c3Ym1TS0xjR3JFQmpWZXVjN21FYXhhaElVYUQKczhwaGNSejlFRUluSlJmNzZ4Z0hZQUJHRHh0R0JyYTMwUkxlWndJREFRQUJBb0lCQUh4ZXlvS2lNRmFjazF3Swp0MldiWm9OL29FK0VlRmtVeU01MlZyUGZGTmpQUS9Ob2dLUEJ6dVFJM1NBUGs5SnVFZ3VLTE5DdlZSeTVaMXl1CnJXK2gxVGxvWkNlRkFET0YrVUdtWXlzN1Z3WStyb3AxQkh3RGVIbloyd0FKZEhLMDZnSGd2TVlySWpsUmJUNlcKN2VqUks2T2cvVVgya0JRYmh4SE5acSt2Y0F5S3hGRXZUNUtqbnp1OStHNXd5MVo3VmFicE1abFh3Z0lMWFBBdwpvQU1QRXJCaGFjZ1Z6MXNhcXNzNm01VVJQWmFBRlhURVAxZzdacjhLUXhXajhrc0xqeUhpRXUzWGVPWUFvaTVPCmdQcjE5akNzNisvMm9rTEZoZmNueEFzcENQZUx3c05OK0gydEJzaUliVHR0MTJKbkxMdENZSW12ZzQxSys5T2sKTVdIRHkwRUNnWUVBeDlBeXM3M3pKWFpOYzVwMWpBa09jb3dCV3EwYjRVank0dER6MVpFNVRvRk5SK3dZVFYxbwoxZ1E4QTM5SVUrSyszMHJyTnFNUXVrYnAwaHJLVllBUDBlU1dhWHJFTVRBMDhZbVJWV0RiU0R0TU9jQUxiQmhGCkVVKytuWmtpdmZUQ1V0dDZUaFQ1NDNOVnBoR1VaNEdmVlNOdEgrZTNFMWp3b0hJS0tvcXRTMmtDZ1lFQS9NM3MKOExVWmE4bkZSRkJiZDUyUjBEY2FLdE9hd0RtQ0h6bi9wYlRwVUE0VHF1dWk2aHlkTTU1b05DY1hxajVPRjVTTApIL1U3M01LdmJ4dUVlUzQ3bi9KMm9xeEN0eWZOOWdROHlzK0JpL1pjOWkxbWR2ZHc5MU9BUWJJVGtIRks1WEd4CjlYRmR0dVhwVUt5b0I1TnFyUFpUcFpSTU1KL1F6Wmx1OS9zdHNVOENnWUIzL090bGlteUhrNG9oSUtEejdjQlMKUXdiUkorRDFJVFJSeGo2V2dqWFNrYzBSb3BKWmF2MTRmMlIyaVNtcXpoL213UHVNZk
5HZnV0UFFpcXYwT2duRgo5aW5vdjRNdk1vNm9lUDdnTVdDYytKYm1tdytBNHZZZTFpOVdQazVobWFoVHoxNmJvdmNJZ2dydHhlTERZVkNICjlOVWo4cWE2cEk4akdqaEdvYTQ4K1FLQmdBMmp6clR1RUlFUVVlUnRzWUd5cnJ0ZFBid3h6cGV3Z3FUTXJFNTAKaEdJZFlGSkloSEc5T1g0ZmZkL1NmQ1JqV0ROTmdIUW85eUhpSHpVUGR3WlN5RVRKQUQybXJiTFVJdml6SWRTUApmWjNmblFSclRxdjhqY3ZLWlpFbDJvaGdsSG5zdUgxVnNJaTl2dWpyWitXQXZyQzJXYTBGWTFiOFNIZlBYMzFoCndBVmhBb0dBVGV0dHcrOUFoeEhUbHNhVlBQRENtOHYzNEVTZmVXZ09kWVRObHFaZDUwOWFJcmhHVzlRaUxuZlEKM20rVWN1OExta25hT0swazJ1L0s2cU5La3J0VXk4NFhQT2dDemRoeUlPYkp3a28yV2poRmNBUFRQc3Z4T3c4UQpXYkc2a2VjMHR3ekhNTjJSdDMyYTFMMTVVRnZ6aTM2Skora2hRdDVDSEJ0ZFNETm45enc9Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg== + # ca cert since the CA is generated here + ca.crt: | + 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 --- # Source: flyte/charts/kubernetes-dashboard/templates/secret.yaml # Copyright 2017 The Kubernetes Authors. @@ -7269,33 +7278,6 @@ spec: seLinuxOptions: type: spc_t serviceAccountName: flyte-pod-webhook - initContainers: - - name: generate-secrets - image: "cr.flyte.org/flyteorg/flytepropeller:v1.13.0" - imagePullPolicy: "IfNotPresent" - command: - - flytepropeller - args: - - webhook - - init-certs - - --config - - /etc/flyte/config/*.yaml - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: ["ALL"] - volumeMounts: - - name: config-volume - mountPath: /etc/flyte/config containers: - name: webhook image: "cr.flyte.org/flyteorg/flytepropeller:v1.13.0" diff --git a/script/generate_helm.sh b/script/generate_helm.sh index 1c836b9002..89b2ee7371 100755 --- a/script/generate_helm.sh +++ b/script/generate_helm.sh 
@@ -56,7 +56,8 @@ ${GOPATH:-~/go}/bin/helm-docs -c ${DIR}/../charts/ # This section is used by GitHub workflow to ensure that the generation step was run if [ -n "$DELTA_CHECK" ]; then - DIRTY=$(git status --porcelain) + # find only deleted or removed lines, not replaced values + DIRTY=$(git diff --word-diff | grep "^[{\[]") if [ -n "$DIRTY" ]; then echo "FAILED: helm code updated without committing generated code." echo "Ensure make helm has run and all changes are committed."
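Review bot: The new `DIRTY` check no longer sees untracked files, because `git diff` only covers tracked paths, whereas `git status --porcelain` also listed newly generated manifests that were never added. The `grep "^[{\[]"` filter matches only word-diff lines that begin with a change marker, so any in-line value change passes, an image tag as much as the regenerated certificate, and the check no longer guarantees that the committed manifests match the chart. If the script runs under `set -e` (not visible in this hunk), a clean tree makes `grep` exit 1 inside the assignment and aborts the script. A narrower option is to keep the porcelain check and exclude only the webhook Secret's values from the comparison; at minimum, append `|| true` to the pipeline and reword the comment to `# fail only on added or removed lines, not on replaced values`. The enclosing `if` block continues outside the hunk.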