Replace init-certs webhook initContainer with Helm template

- Replicates the functionality from the webhook init-certs cli command from Flyte: https://github.com/flyteorg/flyte/blob/master/flytepropeller/pkg/webhook/init_cert.go This produces a ca.crt, tls.crt and tls.key value needed for the webhook, rather than needing to create a container that needs to have network and Kubernetes access. - Changes secret type from Opaque to standard kubernetes.io/tls - Uses the Helm lookup helper to prevent regenerating on upgrades - Update CI check to only fail when lines are deleted or removed from the generated Helm output, not when values are modified Signed-off-by: ddl-ebrown <ethan.brown@dominodatalab.com>
flyteorg · Jul 12, 2024 · 74a5b67 · 74a5b67
1 parent 81afb76
commit 74a5b67
Show file tree

Hide file tree

Showing 8 changed files with 100 additions and 211 deletions.
diff --git a/charts/flyte-core/templates/propeller/webhook.yaml b/charts/flyte-core/templates/propeller/webhook.yaml
@@ -1,12 +1,42 @@
 {{- if .Values.flytepropeller.enabled }}
 {{- if .Values.webhook.enabled }}
-# Create an empty secret that the first propeller pod will populate
+{{- $secret := (lookup "v1" "Secret" (include "flyte.namespace" .) "flyte-pod-webhook") -}}
 apiVersion: v1
 kind: Secret
 metadata:
   name: flyte-pod-webhook
   namespace: {{ template "flyte.namespace" . }}
-type: Opaque
+type: kubernetes.io/tls
+data:
+{{- if $secret }}
+  tls.crt: |
+    {{ index $secret.data "tls.crt" }}
+  tls.key: |
+    {{ index $secret.data "tls.key" }}
+  ca.crt: |
+    {{ index $secret.data "ca.crt" }}
+{{- else -}}
+{{/* Produces a 99 year valid CA and cert signed by the CA like:
+    https://github.com/flyteorg/flyte/blob/81afb76b44931d827f8e898d097a7e8054a5b836/flytepropeller/cmd/controller/cmd/init_certs.go#L14-L36
+*/}}
+{{- $certValid := 36135 -}}
+{{- $name := include "flyte-pod-webhook.name" . -}}
+{{- $namespace := include "flyte.namespace" . -}}
+{{- $svc := (printf "%v.%v" $name $namespace) -}}
+{{- $cn := (printf "%v.svc" $svc) -}}
+{{- $altnames := (list $name $svc $cn) -}}
+{{- $ca := genCA "flyte-ca" $certValid -}}
+{{- $cert := genSignedCert $cn nil $altnames $certValid $ca }}
+  # ca issued cert
+  tls.crt: |
+    {{ $cert.Cert | b64enc }}
+  # private key for cert
+  tls.key: |
+    {{ $cert.Key | b64enc }}
+  # ca cert since the CA is generated here
+  ca.crt: |
+    {{ $ca.Cert | b64enc }}
+{{- end }}
 ---
 # Create the actual deployment
 apiVersion: apps/v1
@@ -47,40 +77,6 @@ spec:
       {{- if .Values.webhook.priorityClassName }}
       priorityClassName: {{ .Values.webhook.priorityClassName }}
       {{- end }}
-{{- if .Values.webhook.enabled }}
-      initContainers:
-      - name: generate-secrets
-        image: "{{ .Values.flytepropeller.image.repository }}:{{ .Values.flytepropeller.image.tag }}"
-        imagePullPolicy: "{{ .Values.flytepropeller.image.pullPolicy }}"
-        command:
-          - flytepropeller
-        args:
-          - webhook
-          - init-certs
-          - --config
-          - /etc/flyte/config/*.yaml
-        env:
-          - name: POD_NAME
-            valueFrom:
-              fieldRef:
-                fieldPath: metadata.name
-          - name: POD_NAMESPACE
-            valueFrom:
-              fieldRef:
-                fieldPath: metadata.namespace
-        {{- if .Values.webhook.podEnv -}}
-        {{- with .Values.webhook.podEnv -}}
-        {{- toYaml . | nindent 10 }}
-        {{- end }}
-        {{- end }}
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop: ["ALL"]
-        volumeMounts:
-          - name: config-volume
-            mountPath: /etc/flyte/config
-{{- end }}
       containers:
         - name: webhook
           image: "{{ .Values.flytepropeller.image.repository }}:{{ .Values.flytepropeller.image.tag }}"

diff --git a/deployment/eks/flyte_aws_scheduler_helm_generated.yaml b/deployment/eks/flyte_aws_scheduler_helm_generated.yaml
@@ -78,13 +78,22 @@ stringData:
 type: Opaque
 ---
 # Source: flyte-core/templates/propeller/webhook.yaml
-# Create an empty secret that the first propeller pod will populate
 apiVersion: v1
 kind: Secret
 metadata:
   name: flyte-pod-webhook
   namespace: flyte
-type: Opaque
+type: kubernetes.io/tls
+data:
+  # ca issued cert
+  tls.crt: |
+    LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURmRENDQW1TZ0F3SUJBZ0lSQUs0UzBrTEY2UTNHNjZWTGNwbEExV1F3RFFZSktvWklodmNOQVFFTEJRQXcKRXpFUk1BOEdBMVVFQXhNSVpteDVkR1V0WTJFd0lCY05NalF3TnpFeU1EUXlNakV3V2hnUE1qRXlNekEyTVRrdwpOREl5TVRCYU1DWXhKREFpQmdOVkJBTVRHMlpzZVhSbExYQnZaQzEzWldKb2IyOXJMbVpzZVhSbExuTjJZekNDCkFTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBSm5yQ25VSHU5cHpxMm5LMkt0TktiWUcKVlBvc290QkxWUVpvTnNlYmk3WVpiQ2RqbzUwOFZSSjN0d044MVQ3MkFrWUQ5STJ6Y3ZwUW03Q2hUZGEwdTdwUAptUGpwL3dVd0lvR3ZucC81UzRTMjFsNXpDUkVqWVlyRWNXL2gyM0YxWFU5aU0wdUdPNnppVFdTc3VqczkvQ1FOCnJPekJWbjNYc2s4NzBCWVFRdkJyd2NPSEcyWFNvcGs2bnZNR3FEaDJkSVlhMzc2Wk9nNDZxMHBLUkhWTDk4OWkKUUVLRTBVeTJDNkVScXpzZmNvTjlQS0QyR2FNZXpMTVJZYkp3em55V044SW1UK2ZrZURqcS8rekM4STF4Tm4wTgo2UHIybXRUWUNGRzgyQ2tIZE9rbk1jVndoNjViOGVSa2dYaGpVd2FmcDAya1kxU2NXSitYQjZtT3hlZERZQzhDCkF3RUFBYU9CdFRDQnNqQU9CZ05WSFE4QkFmOEVCQU1DQmFBd0hRWURWUjBsQkJZd0ZBWUlLd1lCQlFVSEF3RUcKQ0NzR0FRVUZCd01DTUF3R0ExVWRFd0VCL3dRQ01BQXdId1lEVlIwakJCZ3dGb0FVUlZ2TXVwb2pXcmZjRjNBSwprQWRJMUg3V2Jwb3dVZ1lEVlIwUkJFc3dTWUlSWm14NWRHVXRjRzlrTFhkbFltaHZiMnVDRjJac2VYUmxMWEJ2ClpDMTNaV0pvYjI5ckxtWnNlWFJsZ2h0bWJIbDBaUzF3YjJRdGQyVmlhRzl2YXk1bWJIbDBaUzV6ZG1Nd0RRWUoKS29aSWh2Y05BUUVMQlFBRGdnRUJBRXR2cStOQ1d5VThZWlNzUlllT2hjc3Z6V0NzcVpZOGg4NlQvUGE3M2JmdgpTVXpwZTdVNVZuWVYzcGxBR2czTit6L01DN083VlRIWEV3OXBORTZkS0pyTTREMzY4US84ZFZUd0RmdmtHL0hTClg3YXMzRlVHN1kwdy9WR0hHWTVRN3BrbTdIYXdpaU8zdk5KRVozanBxR1EvMjNRbVlha2YrWXNYaTFOZ2tXWmgKaUtpVVlxWUdFSmxHc2RwUXpLbis3SXp6aXpCK1lpUnduVUVaTExzZ3drSSt3bEVaMjNDcDIyNCtwWjJwS1ZJSwo3NWdCTGR3SWZ0dit6dnlLVWtkWFJ0RElGdk1pWkJjditLajVXdEFKZkdKRHJoNURtSE1FUktqMHBwdFV0Ly9iCnJCZmF5VFNiM2gzaUJTdlJqeVNVUHhQWmNmanNBNTg1eUQyZ0Y2bUxFUlE9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+  # private key for cert
+  tls.key: |
+    LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb2dJQkFBS0NBUUVBbWVzS2RRZTcybk9yYWNyWXEwMHB0Z1pVK2l5aTBFdFZCbWcyeDV1THRobHNKMk9qCm5UeFZFbmUzQTN6VlB2WUNSZ1AwamJOeStsQ2JzS0ZOMXJTN3VrK1krT24vQlRBaWdhK2VuL2xMaExiV1huTUoKRVNOaGlzUnhiK0hiY1hWZFQySXpTNFk3ck9KTlpLeTZPejM4SkEyczdNRldmZGV5VHp2UUZoQkM4R3ZCdzRjYgpaZEtpbVRxZTh3YW9PSFowaGhyZnZwazZEanFyU2twRWRVdjN6MkpBUW9UUlRMWUxvUkdyT3g5eWczMDhvUFlaCm94N01zeEZoc25ET2ZKWTN3aVpQNStSNE9Pci83TUx3alhFMmZRM28rdmFhMU5nSVViellLUWQwNlNjeHhYQ0gKcmx2eDVHU0JlR05UQnArblRhUmpWSnhZbjVjSHFZN0Y1ME5nTHdJREFRQUJBb0lCQUNGVlRxbHpxRkl4OUxCdgpscWJhaWlyNmloSzM4ZmFzS2RpK1h3YXhmL3RLM0NwWG9NcGZrNGp4VmpneUk3aUQ3SkFmTVNveTc3YVlHRytUCkwxbE5RTTZqaUZ4M3lKdm1CY01TTm9jc3BSY3p4WThrMkpUV2xieEl1TXhqSEhRZzE3bG1hZmQwTlo1R1VENTYKVGNhZ3NPZFo4dFkvTkswQ05vS0VVSmRHcEVpT3A2WTAvaVJwa0FmcGdrS3M5V0VUMlk0RXppRm5qYjVVYjl2bAo0MzJLdWRkNHpsYm4vTGNnRGhiTnN6VENFMjc2dWNrUjVqaVMrcjBLOHp0N2RLTWkzSndDSU9uVnYxTUl5STE3CnhkcWVNM1dJQXRMdFU1TFNsZXdqRlFRY1c0UG5LU2FqemtmTzYzeTFlaThlWG44azhiQjRaMEh4K242YTJicVQKMU80Q3Fma0NnWUVBeVZhamVFcEZlekdZZjF4YWhRZGdVWkdRZ3B6Zy9zcDUyZmRoWjlIVHFlMThKMGRSQ2orUApqSVd3WFdNWVV1NjlSbzYwOVQwRzRkYWE1R1g2QU1hZ0FaZEZKQzV1TklUZXFaN3l4Ykp0Nmw0ZW95YXBrdkhpCmV1MGxqdVNRaGwxS3ZwWUgvZ0RYNGlURURjdUNwSm1saWh1a0h4aUliUlZWeWl5MFYvU3o3VTBDZ1lFQXc3U2MKYTZlR09ENHNwUmgya1FBdkVnVlRsU0lNemZydk1BTXNIWFM3WlNvcFlSU2c3VGM4SjdoT2EwcEUvSzJuK2VZYQovUkhJMnZoYWtDaGNDTTY4VmRNcmlmeWV2SndUTXRzM3hDVThBU1ZHZFIramxPWEp3MCtLcUZHN3JZU2R0MUNVClRCSDE3SlU5aFVBdEpidEpOYVZtaGdjUUNML2tEZ0dtWnNXSGRXc0NnWUJoWlZib3ZzMER2a2N0L1NnUXlET3cKNGNETlhrUjlITWQ3U0c5SFFMcXFyaVpyL2RUWEowNHl4UTArNzh2NWVtSDNldHRROHZlY1VpdFZwM3NiMnZuVwpLeTRZUlptc01FWmlPWERwYjlvNkVOT3pTdVduSHZuWFMxYnEyK2lLQnlFOE51bWcxeG1YM1A4MlNTZG1wcWpzCnVWaFlibzY0YmlTMUM1RW1KMHJPMVFLQmdGZnRuTjNOZmNObFE5L0ZWdmdjOGdrUnRaVHFvSUFuUHpIK0t1THQKSUlqNllXOEp1cWY1eWlBNmNabEkzQ2YreWRyQVpOM1JFTUk1RlU5eG9yQWVXb1hoQTgzU1gydDBZRGZZUUh6egpFYnVlQ01MMHZTVlgvTWV3eENhTjJsbkNuSzNSR1YvNExkcm16cVpBeUVnTWxuN3cybGhiY2Z2TVkyVmJubXpNClVPa1RBb0dBTjgyTkZQY29vR285Vm1pRVBtR2xaaEYvOGkyYVJUS0ZEWTdIUkJsdU5VcHlMK3o3dkMvNFl5YnMKMkt6T2N0aEVRTHZkT0hmRGF5SXNzZHpMRUxpMFNWclFnTjk2Q1Z5bW1sREw5MFZBekNmS29STkhZZzBtRDQ1cwpMbzUrYWlZaWJLSXVpWWJTK1FPNGt2bGdTODJENGlLSEJrYTlXOW0rQjJ3OHUxdWQ1Mkk9Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==
+  # ca cert since the CA is generated here
+  ca.crt: |
+    LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURGRENDQWZ5Z0F3SUJBZ0lSQU4zZHFzR1RiWnVZMEp5YUcvNkd0UU13RFFZSktvWklodmNOQVFFTEJRQXcKRXpFUk1BOEdBMVVFQXhNSVpteDVkR1V0WTJFd0lCY05NalF3TnpFeU1EUXlNakV3V2hnUE1qRXlNekEyTVRrdwpOREl5TVRCYU1CTXhFVEFQQmdOVkJBTVRDR1pzZVhSbExXTmhNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DCkFROEFNSUlCQ2dLQ0FRRUFvMlY3Nk9jOEJxV2FYYjc2TWEyY2tNTENkblpuOWp3VVpmZUtXcnFQNW1JcElkZksKcjIyMEpvaUhXM0RlMWFMOHpWS0VmVDJkUkxNSGhCOEQ2L3hId01CV1hIQTZ4ampzc013Y3Rod0NoZmdjZWhvTQplVW8zUUVNTUdCS2doSE5CUks1bGhyUzNNZ2lvaEQwTkhRN25DT29LbEZBOU12d1AxQkp0aHpQTm9ldFRxZFk0CmNScjM0bVNKekIvSlUwNXRwTnpMTUFmNzdITWU3ZlhFc3FhM1hzbm5LZEJlNU4ybnowSm5IQldLUHk1cEVQcUwKMWZMc1lNa3BhQ0FXVGxtV2ZKWEUzODdnNnhxd2hvVklhenM3MTBjYkh2bm1hb3hteHlIejNodUJ4bENvbXlNaQoxOU9FYnRhaitkQ2Z4TkRTdjcvbTk3czdxZndBd2RqSjFyVUNlUUlEQVFBQm8yRXdYekFPQmdOVkhROEJBZjhFCkJBTUNBcVF3SFFZRFZSMGxCQll3RkFZSUt3WUJCUVVIQXdFR0NDc0dBUVVGQndNQ01BOEdBMVVkRXdFQi93UUYKTUFNQkFmOHdIUVlEVlIwT0JCWUVGRVZiekxxYUkxcTMzQmR3Q3BBSFNOUisxbTZhTUEwR0NTcUdTSWIzRFFFQgpDd1VBQTRJQkFRQ05qK3F2ZWZiQjczdXBBdGh5TTZ1Mm5NcVpVZmk3Zk9PRFBVVFRaZEFkeThHZ2JqUGdvNFllCnpxK1VTWW9UK0Y5VEdkOW1wSkpBOSsxckxYSE5jdzdpSG5MSFI1WTkxTjVFR2pFNXhvTVVjWFB3WGJPeUY1RVYKODFVSlI4R0R5Nk1QRm9DV3hrQVJMdnFwa00raWVWMWU0djJjR1lEdDZwN2tUU2R4NStpZFFMZ01TU1pWU0xhLwphaXVrcXVEb01iaDdGcFluK0RXd1UxaEVtYWNuZEFtdU9LZ0RCeHhHS3luemI0TVZlVWRUR0VNNU8vaUJTVFhPCmhnZDM0ZTBabjhkZVlSelB1QzZSU1l6anBBWlNGNlQvWFR3ZjlCaU9rQVVmQVdYSTdQczJUZlo3NUpScG5xc3IKL2lJZTBOVDkrT3BzNjloNXd0aDVmbGE3YTJOYmZUM0UKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
 ---
 # Source: flyte-core/templates/admin/configmap.yaml
 apiVersion: v1
@@ -1373,33 +1382,6 @@ spec:
         seLinuxOptions:
           type: spc_t
       serviceAccountName: flyte-pod-webhook
-      initContainers:
-      - name: generate-secrets
-        image: "cr.flyte.org/flyteorg/flytepropeller:v1.13.0"
-        imagePullPolicy: "IfNotPresent"
-        command:
-          - flytepropeller
-        args:
-          - webhook
-          - init-certs
-          - --config
-          - /etc/flyte/config/*.yaml
-        env:
-          - name: POD_NAME
-            valueFrom:
-              fieldRef:
-                fieldPath: metadata.name
-          - name: POD_NAMESPACE
-            valueFrom:
-              fieldRef:
-                fieldPath: metadata.namespace
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop: ["ALL"]
-        volumeMounts:
-          - name: config-volume
-            mountPath: /etc/flyte/config
       containers:
         - name: webhook
           image: "cr.flyte.org/flyteorg/flytepropeller:v1.13.0"

diff --git a/deployment/eks/flyte_helm_dataplane_generated.yaml b/deployment/eks/flyte_helm_dataplane_generated.yaml
@@ -55,13 +55,22 @@ stringData:
 type: Opaque
 ---
 # Source: flyte-core/templates/propeller/webhook.yaml
-# Create an empty secret that the first propeller pod will populate
 apiVersion: v1
 kind: Secret
 metadata:
   name: flyte-pod-webhook
   namespace: flyte
-type: Opaque
+type: kubernetes.io/tls
+data:
+  # ca issued cert
+  tls.crt: |
+    LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURlekNDQW1PZ0F3SUJBZ0lRSHk4UHRBdVhQS01tL21XUVhKS1R5VEFOQmdrcWhraUc5dzBCQVFzRkFEQVQKTVJFd0R3WURWUVFERXdobWJIbDBaUzFqWVRBZ0Z3MHlOREEzTVRJd05ESXlNRFphR0E4eU1USXpNRFl4T1RBMApNakl3Tmxvd0pqRWtNQ0lHQTFVRUF4TWJabXg1ZEdVdGNHOWtMWGRsWW1odmIyc3VabXg1ZEdVdWMzWmpNSUlCCklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUE0eks5NU54UUVHTTd1NHd0d0cwWGIwQUYKL0VBWFFHZ29aVVFTRlZOYnk4L3hlQmRUVWFNSU1jemdIa3ovQmsrdFNCcGx6TlpCOElCZHUzRm9LeCtuZmxscgpSbWRiUVNiTWVlZDJnTkQ0YUE5UXhMQjRSS0FDcHFlcjY2cDk4T3l1ZVVsR0JjQjZPREJrRTNuWXhwWnAxU0dzClo3NzBBN2JmL09uTDljcE9NU3BCeXZWNGJUb0xOSWhMUk1QdjB4WkROWC9EUGZFWDBORG5yWWtNNXpaZ29YcWMKNWNNTWhiSUZtR1NyaWJ5aEhoNStxNGZZQnh5bnlRSDNYQ25WYUw3ZEgvVm1Vc1BCc3RLR1I0RGNieHcvMFB5dgo4L1BaNTlHdnZqQlNlV3J3NHR0TUF5cSswVUtRVEpwZDBxY0xHWXlISlE4WllsdXdOV1N5Z1lvVUlmMjN3d0lECkFRQUJvNEcxTUlHeU1BNEdBMVVkRHdFQi93UUVBd0lGb0RBZEJnTlZIU1VFRmpBVUJnZ3JCZ0VGQlFjREFRWUkKS3dZQkJRVUhBd0l3REFZRFZSMFRBUUgvQkFJd0FEQWZCZ05WSFNNRUdEQVdnQlFUcmp4STNWU2NQTU5HQWVZRwpPNXlpb1RsRVdEQlNCZ05WSFJFRVN6QkpnaEZtYkhsMFpTMXdiMlF0ZDJWaWFHOXZhNElYWm14NWRHVXRjRzlrCkxYZGxZbWh2YjJzdVpteDVkR1dDRzJac2VYUmxMWEJ2WkMxM1pXSm9iMjlyTG1ac2VYUmxMbk4yWXpBTkJna3EKaGtpRzl3MEJBUXNGQUFPQ0FRRUFIN1N4SCthQVhrTmw4RkhiRmJtc2crdEtEUm9Da3Q2QXU1YUhDOWdFQVkvRgpVY0hrVnBORG9udmwrS05CZThpbkw5K1RwdVpoK2dXZHdCWmNzUFN2bGw0ek1oa0wrbkVFUnMzZlBBMWhvNThoCnVjUVZmYlNBMVhQSnVGT2FHbkJFTTFIOGJQVlhPYXFUd2JoV3U5Z3BMOGlsbmZVOUYwWXBxcittUmovem4yclcKeUxaeHB0OGdHaGgrK21sQ0p0QWc5OFJab0J3b2o4RGJZbDB4a1p4OXc2aDYweHA5TnJwY0Y2TXZLWG90QStTZQo0WXpqZExBOWJmbUxpZDE2dGRLd2pZM3Z0UXI3RG5zM0RwMjB0R0NocVdrMUR0ZzczL3pnRURnSll6UHNkOUpsCi9ieHJ1Q1k2aUZxSTNpRk5oNWtjMlVQS1R1TTgwYkp1VWZLcjlEdHlEdz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+  # private key for cert
+  tls.key: |
+    LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcFFJQkFBS0NBUUVBNHpLOTVOeFFFR003dTR3dHdHMFhiMEFGL0VBWFFHZ29aVVFTRlZOYnk4L3hlQmRUClVhTUlNY3pnSGt6L0JrK3RTQnBsek5aQjhJQmR1M0ZvS3grbmZsbHJSbWRiUVNiTWVlZDJnTkQ0YUE5UXhMQjQKUktBQ3BxZXI2NnA5OE95dWVVbEdCY0I2T0RCa0Uzbll4cFpwMVNHc1o3NzBBN2JmL09uTDljcE9NU3BCeXZWNApiVG9MTkloTFJNUHYweFpETlgvRFBmRVgwTkRucllrTTV6WmdvWHFjNWNNTWhiSUZtR1NyaWJ5aEhoNStxNGZZCkJ4eW55UUgzWENuVmFMN2RIL1ZtVXNQQnN0S0dSNERjYnh3LzBQeXY4L1BaNTlHdnZqQlNlV3J3NHR0TUF5cSsKMFVLUVRKcGQwcWNMR1l5SEpROFpZbHV3TldTeWdZb1VJZjIzd3dJREFRQUJBb0lCQVFDcmFrOUhhc21sYzVsUApxVFdqcHlzMUxwTFZmTzJPRklmVno0UHRQeFZWTXJDMnNMS1dOM0VwVWJBT2JIMUZIN3hYV0VOU1JwMDlmVHc2Ci9oZGY0ZVFYT2hQcjdITTNOclN6ak9VbHo0Ujd6b0pidytFWnRiZ0tVUnN2RlZVci93YXNUNUpiS0p1TjVVUzgKUlFRKzRLRTh3c2szQlNWSjRDSWl5YXF1NlZJUldLcDJWdldyWTVMSmxxYVhtanBMSU1yRTMxZUZxMWcyUCtqOQpEUXdaSUZ2TERBZGJzTXhnSDRycGdBWDE5dVA4bmNjM1p2RURzY2VxVUdaQ2M3U2I5bkp2Yno3WjVpSHE4WVg4Cjh3UHJrNnFSK1d3Z3llVWpzc1h2aWVqSy9SWTgrd0Fsc1VMQStGNjRzZWFYWkp6K2VOS3l4ejdvNWN3SHFDa2EKNUtBdCtQMHhBb0dCQVBnaDNHWXJHcGJNTk04czVFdHdXdmwrNmsvNUgxaEFpU211OW1QL0h2NkduR0ZjcTZTQgp3bkFEMGV2ZkY0UUNmTlNvRS93cmtoRktOdzJhMlVla0RvOGFpeTQxbTR3U3lmcG1VS0kxV0FBQXNHS0Z1bEcxClhHMXVEdFl3T1RKb1BHMUJDRmY2RDZnc3phU1VTWWZuSnFmQzN4aWVtSEZXeVIra1B0OU5rZEo5QW9HQkFPcG0KOUhUNmZpWFhGVTI3MjNMeDlvUjlDQmlHYkNOUUZJMWxDd20yU3djaG9YSzg3ODg1LzVPMkM1U3h5N0lZSjAyYQpEUXRuT1BtbTFZTnMzenlKaEN1OHZKbVdYL012QVFqT21MRWE4VlUvOUFIVVg4QnZqU2plck1GQkRsMnV3QS9ECmdSZnFhVktMYkcybHV2WkF4WERSV3k4UFdUcWpKbDFUTkZrUmQ0Yy9Bb0dCQU1sU0I5VnBRWkI2TEpxdkxLYzgKaU1PSFFxc1NVR2sxSzFTRG5XdHlrZjRtejNoN1ROUVRaK09rWmN5L1hBQUNXSy9ka3lGMVpIVGN4eUFsdEFiWgpSK3E1dVpVTGI2SE5tTXl0K053eTlheEM0dGw4OExmY3N4b2lRcTFyd094eUFCMFF0NmxSdlNSUS9hUjduOUZCCkxXN053RjdrUm9FbXpkWDdWL3VybnhXdEFvR0JBS2hUek9NZ2EyeVRHMHBhU0Vvd05qNklaMEx0YlVTaW9rK3oKcXd5TGF5K3cxL2JFZFZZVUtWUVMzQmdvNGNXQUVPRnFha214RTdvOE00SVFzZk1RTWVrU3ZVRnlPbTh4WndYRApEdVhJR2x5RTg1NUl1NFkrMVZqdko1SVVQTlBMeFVMTXU2ekgrbUI3blI3VWNBR2RHK3hiZTZhODEvQUM3MjcvCmJFMDEvT2NUQW9HQVdzN3dJN0NwUjJjSGRBZ2lEMi9VNDZUcjBaVkttTE81UFNYVm90ZDVpTE00akxpZWk3amQKNGRPaVhmS01WalpDRzlzS1hOVTAzSVJyR3NYaUlCQjN6YXZISTNFM2I2eHdpK21IZkNvSDZtRG9XN05vTVFmUQo5TU5GT2JBV2wwVFNtZWhpZXN1RzRsNDUxM1FMcGw0RXJlZi9qM04zR0Z1NDhVRExOT2w5QnZrPQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
+  # ca cert since the CA is generated here
+  ca.crt: |
+    LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURFekNDQWZ1Z0F3SUJBZ0lRSElCaHBQaUNtbDhLSUw5Z1YyNmlkVEFOQmdrcWhraUc5dzBCQVFzRkFEQVQKTVJFd0R3WURWUVFERXdobWJIbDBaUzFqWVRBZ0Z3MHlOREEzTVRJd05ESXlNRFphR0E4eU1USXpNRFl4T1RBMApNakl3Tmxvd0V6RVJNQThHQTFVRUF4TUlabXg1ZEdVdFkyRXdnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCCkR3QXdnZ0VLQW9JQkFRQytxRmVYK0JXb2F6QWp1NjRUeWozQ3BYZDQrak1CT2ZNK2lUalFkY0J3U3dWajBPSHgKKzIyWUhMcHEzdlBSeWxyRXpRdUZTZkVVZmQycVZjR1ArcVBDM2FKcllZZHYxdW9GN2tFa2h3TUtEQUgzNXpuRwp0Mk5peFVENTUvTHRTVU9VTTJYT0tReUZLdmdSVlZ6NWcwQ21wNDYxVVNkbW1ScnRLQmRmcERSZUF1bFdoWTBqCmZBN3kyS1YvNVZudFMxYUtHN29ucUM1Zk5MNEpiUTdwZFg4WVdlZGNIMC9PODZSeHJZcWNrVTJKU0RzRjVhWlYKVTJwa21oSzZ4c1FNS29jMUlSdFB5akpaaTdreHFMWndpYXU4bVFMTmhYcUhYYjJoNWhkZndvN0dlZGU2bjBrdgovRm5CNFp5bHp1dDhDWDdhZ2EwT3AxSFhmMHdNY3Z4UFZtUTVBZ01CQUFHallUQmZNQTRHQTFVZER3RUIvd1FFCkF3SUNwREFkQmdOVkhTVUVGakFVQmdnckJnRUZCUWNEQVFZSUt3WUJCUVVIQXdJd0R3WURWUjBUQVFIL0JBVXcKQXdFQi96QWRCZ05WSFE0RUZnUVVFNjQ4U04xVW5EekRSZ0htQmp1Y29xRTVSRmd3RFFZSktvWklodmNOQVFFTApCUUFEZ2dFQkFGWWRKMmxwNFk1TEJhRzhuUmxDR0xJb3EvRnkvUEs0M2wvMnJtNVp1cDgwUWtadXR5RHpuU3NCCitubEtzcVJWelg3ZkVLcFV4NFNsN0dmRVAzNi9xV3JzdjRoeVhlTDFZaTY2OG10dmhRc2hPblhWUDIrQWZwQ3IKNUpuTTV6blN4c1JRWk81a1N0dE9nRDNwZjlEQm0vKy9hZDhxalIvM2pDR2NaS3Z0TEtFYWpXZ1o0SHZoVGRnZQpWMEx6UGVOcHArQk1MVURCbDNLdXE1d1Z2ZWxKME1sNjJJbmM1NjNPb2UybFNhUldHRitxdVUyYUU1RjFXdEFyCk03TGFUcDF6NjdveXhhTHZoN0hnQld5Y3N3VnU0VEh1aVk4b01RSit2d29WY2ZBWTdyZVVIeDdaaFRlOUxqS28KbHZxTFZGUENGTGpjb2lDb25tNDE5RDBVUExjaDkrMD0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
 ---
 # Source: flyte-core/templates/propeller/configmap.yaml
 apiVersion: v1
@@ -524,33 +533,6 @@ spec:
         seLinuxOptions:
           type: spc_t
       serviceAccountName: flyte-pod-webhook
-      initContainers:
-      - name: generate-secrets
-        image: "cr.flyte.org/flyteorg/flytepropeller:v1.13.0"
-        imagePullPolicy: "IfNotPresent"
-        command:
-          - flytepropeller
-        args:
-          - webhook
-          - init-certs
-          - --config
-          - /etc/flyte/config/*.yaml
-        env:
-          - name: POD_NAME
-            valueFrom:
-              fieldRef:
-                fieldPath: metadata.name
-          - name: POD_NAMESPACE
-            valueFrom:
-              fieldRef:
-                fieldPath: metadata.namespace
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop: ["ALL"]
-        volumeMounts:
-          - name: config-volume
-            mountPath: /etc/flyte/config
       containers:
         - name: webhook
           image: "cr.flyte.org/flyteorg/flytepropeller:v1.13.0"