🚨 Breaking Change - Dataplane - Sane defaults

charts/controlplane/templates/_helpers.tpl

@@ -284,7 +284,7 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- include "unionai.fullname" . | trim -}}
   {{- end }}
 {{- else }}
-default
+union
 {{- end }}
 {{- end }}
 
@@ -575,7 +575,7 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- if .Values.console.serviceAccount.create }}
 {{- default (include "console.fullname" .) .Values.console.serviceAccount.name }}
 {{- else }}
-{{- default "default" .Values.console.serviceAccount.name }}
+{{- default "union" .Values.console.serviceAccount.name }}
 {{- end }}
 {{- end }}
 

charts/controlplane/templates/union-serviceaccount.yaml

@@ -0,0 +1,9 @@
+{{- if (index .Values "controlplane" | default dict).enabled }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: union
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "unionai.labels" (dict "key" "union" "Release" .Release "Values" .Values "Chart" .Chart) | nindent 4 }}
+{{- end }}

charts/dataplane/templates/_helpers.tpl

@@ -1055,6 +1055,114 @@ Added complexity here is necessary to support extra pod labels while maintaining
 {{- mustMergeOverwrite $podLabels $labels | toYaml }}
 {{- end -}}
 
+{{/*
+Webhook certificate helpers
+*/}}
+
+{{/*
+Get the webhook service name
+*/}}
+{{- define "flytepropellerwebhook.serviceName" -}}
+flyte-pod-webhook
+{{- end -}}
+
+{{/*
+Get the webhook secret name
+*/}}
+{{- define "flytepropellerwebhook.secretName" -}}
+flyte-pod-webhook
+{{- end -}}
+
+{{/*
+Get the webhook service DNS names for certificate generation
+*/}}
+{{- define "flytepropellerwebhook.certDnsNames" -}}
+{{- $serviceName := include "flytepropellerwebhook.serviceName" . -}}
+{{- $namespace := .Release.Namespace -}}
+- {{ $serviceName }}
+- {{ $serviceName }}.{{ $namespace }}
+- {{ $serviceName }}.{{ $namespace }}.svc
+- {{ $serviceName }}.{{ $namespace }}.svc.cluster.local
+{{- end -}}
+
+{{/*
+Check if cert-manager CRDs are available in the cluster.
+Uses lookup to detect cert-manager, with fallback for template-only environments.
+Returns "true" if cert-manager is available, empty string otherwise.
+*/}}
+{{- define "flytepropellerwebhook.certManagerAvailable" -}}
+{{- if .Values.flytepropellerwebhook.certificate.certManager.issuerRef -}}
+{{- /* User explicitly configured cert-manager issuer, assume it's available */ -}}
+true
+{{- else if .Capabilities.APIVersions.Has "cert-manager.io/v1" -}}
+{{- /* cert-manager CRDs are registered */ -}}
+true
+{{- else -}}
+{{- /* Try lookup as last resort - this works during helm install but not helm template */ -}}
+{{- $crd := lookup "apiextensions.k8s.io/v1" "CustomResourceDefinition" "" "certificates.cert-manager.io" -}}
+{{- if $crd -}}
+true
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Determine if we should use cert-manager based on configuration and availability.
+For Flux/ArgoCD compatibility, when provider is "certManager", we trust the user's configuration.
+*/}}
+{{- define "flytepropellerwebhook.useCertManager" -}}
+{{- if eq .Values.flytepropellerwebhook.certificate.provider "certManager" -}}
+true
+{{- end -}}
+{{- end -}}
+
+{{/*
+Generate self-signed CA and server certificates for the webhook.
+This uses Helm's genCA and genSignedCert functions.
+The certificates are cached in a lookup to ensure consistency across template renders.
+*/}}
+{{- define "flytepropellerwebhook.generateCerts" -}}
+{{- $serviceName := include "flytepropellerwebhook.serviceName" . -}}
+{{- $namespace := .Release.Namespace -}}
+{{- $secretName := include "flytepropellerwebhook.secretName" . -}}
+{{- /* Check if secret already exists to maintain certificate stability */ -}}
+{{- $existingSecret := lookup "v1" "Secret" $namespace $secretName -}}
+{{- if and $existingSecret $existingSecret.data (index $existingSecret.data "ca.crt") -}}
+{{- /* Reuse existing certificates (new key names) */ -}}
+caCert: {{ index $existingSecret.data "ca.crt" }}
+serverCert: {{ index $existingSecret.data "tls.crt" }}
+serverKey: {{ index $existingSecret.data "tls.key" }}
+{{- else if and $existingSecret $existingSecret.data (index $existingSecret.data "ca-cert.pem") -}}
+{{- /* Reuse existing certificates (old key names - for backward compatibility) */ -}}
+caCert: {{ index $existingSecret.data "ca-cert.pem" }}
+serverCert: {{ index $existingSecret.data "server-cert.pem" }}
+serverKey: {{ index $existingSecret.data "server-key.pem" }}
+{{- else -}}
+{{- /* Generate new certificates */ -}}
+{{- $dnsNames := list $serviceName (printf "%s.%s" $serviceName $namespace) (printf "%s.%s.svc" $serviceName $namespace) (printf "%s.%s.svc.cluster.local" $serviceName $namespace) -}}
+{{- $ca := genCA (printf "%s.%s.svc" $serviceName $namespace) 3650 -}}
+{{- $cert := genSignedCert (printf "%s.%s.svc" $serviceName $namespace) nil $dnsNames 365 $ca -}}
+caCert: {{ $ca.Cert | b64enc }}
+serverCert: {{ $cert.Cert | b64enc }}
+serverKey: {{ $cert.Key | b64enc }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Get the CA bundle for the webhook configuration.
+This returns the base64-encoded CA certificate based on the certificate provider.
+*/}}
+{{- define "flytepropellerwebhook.caBundle" -}}
+{{- if eq .Values.flytepropellerwebhook.certificate.provider "external" -}}
+{{- .Values.flytepropellerwebhook.certificate.external.caCert -}}
+{{- else if eq .Values.flytepropellerwebhook.certificate.provider "helm" -}}
+{{- $certs := include "flytepropellerwebhook.generateCerts" . | fromYaml -}}
+{{- $certs.caCert -}}
+{{- else if eq .Values.flytepropellerwebhook.certificate.provider "certManager" -}}
+{{- /* For cert-manager, caBundle is injected by cert-manager's cainjector */ -}}
+{{- /* Return empty to signal that cainjector should handle it */ -}}
+{{- end -}}
+{{- end -}}
 {{- define "operator.dependenciesHeartbeat" -}}
 {{- if .Values.flytepropeller.enabled }}
 {{- tpl (toYaml .Values.config.operator.dependenciesHeartbeat) $ | nindent 8 }}
@@ -1067,4 +1175,4 @@ Added complexity here is necessary to support extra pod labels while maintaining
 {{- end }}
 {{- tpl (toYaml $heartbeat) $ | nindent 8 }}
 {{- end }}
-{{- end -}}
+{{- end -}}

charts/dataplane/templates/common/task-podtemplate.yaml

@@ -0,0 +1,13 @@
+{{- if and (not .Values.clusterresourcesync.enabled) .Values.low_privilege }}
+apiVersion: v1
+kind: PodTemplate
+metadata:
+  name: task-template
+  namespace: {{ .Release.Namespace }}
+template:
+  spec:
+    serviceAccountName: union
+    containers:
+      - name: default
+        image: docker.io/rwgrim/docker-noop
+{{- end }}

charts/dataplane/templates/common/default-serviceaccount.yaml → charts/dataplane/templates/common/union-serviceaccount.yaml

@@ -2,7 +2,7 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: default
+  name: union
   namespace: {{ .Release.Namespace }}
   annotations:
     {{.Values.userRoleAnnotationKey}}: {{.Values.userRoleAnnotationValue}}

charts/dataplane/templates/operator/configmap.yaml

@@ -94,7 +94,11 @@ data:
   fast_registration_storage.yaml: | {{ tpl (include "fast-registration-storage" .) $ | nindent 4 }}
 {{- end }}
 {{- if .Values.imageBuilder.enabled }}
+{{- if or .Values.imageBuilder.buildkitUri .Values.imageBuilder.buildkit.enabled }}
   image-builder.buildkit-uri: {{ (include "imagebuilder.buildkit.uri" .) | quote }}
+{{- else }}
+  image-builder.buildkit-uri: ""
+{{- end }}
   image-builder.default-repository: {{ .Values.imageBuilder.defaultRepository | quote }}
   image-builder.authentication-type: {{ .Values.imageBuilder.authenticationType | quote }}
 {{- end }}

charts/dataplane/templates/propeller/deployment-webhook.yaml

@@ -1,12 +1,5 @@
-# Create an empty secret that the first propeller pod will populate
-apiVersion: v1
-kind: Secret
-metadata:
-  name: flyte-pod-webhook
-  namespace: {{ .Release.Namespace }}
-type: Opaque
----
-# Create the actual deployment
+{{- if .Values.flytepropellerwebhook.enabled }}
+# Webhook deployment
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -38,6 +31,7 @@ spec:
       {{- if .Values.flytepropellerwebhook.priorityClassName }}
       priorityClassName: {{ .Values.flytepropellerwebhook.priorityClassName }}
       {{- end }}
+      {{- if eq .Values.flytepropellerwebhook.certificate.provider "legacy" }}
       initContainers:
         - name: generate-secrets
           image: "{{ .Values.image.union.repository }}:{{ .Values.image.union.tag | default .Chart.AppVersion }}"
@@ -50,14 +44,17 @@ spec:
             - --config
             - /etc/flyte/config/*.yaml
           env:
-            {{- include "global.podEnvVars" . | nindent 10 }}
+            {{- include "global.podEnvVars" . | nindent 12 }}
             {{- with .Values.flytepropellerwebhook.podEnv -}}
-            {{- toYaml . | nindent 10 }}
+            {{- toYaml . | nindent 12 }}
             {{- end }}
           volumeMounts:
             - name: config-volume
               mountPath: /etc/flyte/config
-          resources: {{- toYaml .Values.flytepropellerwebhook.resources | nindent 12 }}
+          {{- with .Values.flytepropellerwebhook.resources }}
+          resources: {{- toYaml . | nindent 12 }}
+          {{- end }}
+      {{- end }}
       containers:
         - name: webhook
           image: "{{ .Values.image.union.repository }}:{{ .Values.image.union.tag | default .Chart.AppVersion }}"
@@ -97,9 +94,11 @@ spec:
             name: flyte-propeller-config
         - name: webhook-certs
           secret:
-            secretName: flyte-pod-webhook
+            secretName: {{ include "flytepropellerwebhook.secretName" . }}
       {{- with .Values.flytepropellerwebhook.additionalVolumes -}}
       {{ tpl (toYaml .) $ | nindent 8 }}
       {{- end }}
       {{- include "flytepropellerwebhook.scheduling" . | nindent 6 }}
       {{- include "additionalPodSpec" . | nindent 6 }}
+
+{{- end }}

charts/dataplane/templates/propeller/hpa-webhook.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.flytepropellerwebhook.enabled }}
 {{- if .Values.flytepropellerwebhook.autoscaling.enabled }}
 apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
@@ -15,3 +16,4 @@ spec:
   metrics:
     {{ .Values.flytepropellerwebhook.autoscaling.metrics | toYaml | nindent 4 }}
 {{- end }}
+{{- end }}

charts/dataplane/templates/propeller/mutatingwebhookconfiguration.yaml

@@ -0,0 +1,132 @@
+{{- if .Values.flytepropellerwebhook.enabled }}
+{{- $serviceName := include "flytepropellerwebhook.serviceName" . }}
+{{- $secretName := include "flytepropellerwebhook.secretName" . }}
+{{- $namespace := .Release.Namespace }}
+{{- $useCertManager := include "flytepropellerwebhook.useCertManager" . }}
+{{- $useLegacy := eq .Values.flytepropellerwebhook.certificate.provider "legacy" }}
+{{- $lowPrivilege := .Values.low_privilege }}
+{{- /* Generate certs once and reuse for both secret and webhook config */ -}}
+{{- $certs := dict }}
+{{- if eq .Values.flytepropellerwebhook.certificate.provider "helm" }}
+{{- $certs = include "flytepropellerwebhook.generateCerts" . | fromYaml }}
+{{- else if eq .Values.flytepropellerwebhook.certificate.provider "external" }}
+{{- $_ := set $certs "caCert" .Values.flytepropellerwebhook.certificate.external.caCert }}
+{{- $_ := set $certs "serverCert" .Values.flytepropellerwebhook.certificate.external.tlsCrt }}
+{{- $_ := set $certs "serverKey" .Values.flytepropellerwebhook.certificate.external.tlsKey }}
+{{- end }}
+{{- /* Create the Secret (for helm, external, and legacy providers) */ -}}
+{{- if ne .Values.flytepropellerwebhook.certificate.provider "certManager" }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+  namespace: {{ $namespace }}
+  labels:
+    {{- include "flytepropellerwebhook.labels" . | nindent 4 }}
+type: Opaque
+{{- if ne .Values.flytepropellerwebhook.certificate.provider "legacy" }}
+data:
+  ca.crt: {{ $certs.caCert }}
+  tls.crt: {{ $certs.serverCert }}
+  tls.key: {{ $certs.serverKey }}
+{{- end }}
+{{- end }}
+---
+{{- if .Values.flytepropellerwebhook.managedConfig }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: {{ tpl .Values.flytepropellerwebhook.webhook.configurationName . }}
+  labels:
+    {{- include "flytepropellerwebhook.labels" . | nindent 4 }}
+  {{- if $useCertManager }}
+  annotations:
+    {{- $secretName := include "flytepropellerwebhook.secretName" . }}
+    cert-manager.io/inject-ca-from: {{ $namespace }}/{{ $secretName }}-cert
+  {{- end }}
+webhooks:
+{{- if .Values.flytepropellerwebhook.webhook.webhooks.secrets.enabled }}
+  - name: {{ .Values.flytepropellerwebhook.webhook.webhooks.secrets.name }}
+    admissionReviewVersions:
+      - v1
+      - v1beta1
+    clientConfig:
+      {{- if and (not $useCertManager) (not $useLegacy) }}
+      caBundle: {{ $certs.caCert }}
+      {{- end }}
+      service:
+        name: {{ $serviceName }}
+        namespace: {{ $namespace }}
+        path: {{ .Values.flytepropellerwebhook.webhook.webhooks.secrets.path }}
+        port: {{ .Values.flytepropellerwebhook.service.port }}
+    failurePolicy: {{ .Values.flytepropellerwebhook.webhook.failurePolicy }}
+    matchPolicy: Equivalent
+    {{- if $lowPrivilege }}
+    namespaceSelector:
+      matchLabels:
+        kubernetes.io/metadata.name: {{ $namespace }}
+    {{- else }}
+    namespaceSelector: {}
+    {{- end }}
+    objectSelector:
+      {{- with .Values.flytepropellerwebhook.webhook.webhooks.secrets.objectSelector }}
+      {{- tpl (toYaml .) $ | nindent 6 }}
+      {{- end }}
+    reinvocationPolicy: {{ .Values.flytepropellerwebhook.webhook.reinvocationPolicy }}
+    rules:
+      - apiGroups:
+          - '*'
+        apiVersions:
+          - v1
+        operations:
+          - CREATE
+        resources:
+          - pods
+        scope: '*'
+    sideEffects: NoneOnDryRun
+    timeoutSeconds: {{ .Values.flytepropellerwebhook.webhook.timeoutSeconds }}
+{{- end }}
+{{- if .Values.flytepropellerwebhook.webhook.webhooks.managedImage.enabled }}
+  - name: {{ .Values.flytepropellerwebhook.webhook.webhooks.managedImage.name }}
+    admissionReviewVersions:
+      - v1
+      - v1beta1
+    clientConfig:
+      {{- if and (not $useCertManager) (not $useLegacy) }}
+      caBundle: {{ $certs.caCert }}
+      {{- end }}
+      service:
+        name: {{ $serviceName }}
+        namespace: {{ $namespace }}
+        path: {{ .Values.flytepropellerwebhook.webhook.webhooks.managedImage.path }}
+        port: {{ .Values.flytepropellerwebhook.service.port }}
+    failurePolicy: {{ .Values.flytepropellerwebhook.webhook.failurePolicy }}
+    matchPolicy: Equivalent
+    {{- if $lowPrivilege }}
+    namespaceSelector:
+      matchLabels:
+        kubernetes.io/metadata.name: {{ $namespace }}
+    {{- else }}
+    namespaceSelector: {}
+    {{- end }}
+    objectSelector:
+      {{- with .Values.flytepropellerwebhook.webhook.webhooks.managedImage.objectSelector }}
+      {{- tpl (toYaml .) $ | nindent 6 }}
+      {{- end }}
+    reinvocationPolicy: {{ .Values.flytepropellerwebhook.webhook.reinvocationPolicy }}
+    rules:
+      - apiGroups:
+          - '*'
+        apiVersions:
+          - v1
+        operations:
+          - CREATE
+        resources:
+          - pods
+        scope: '*'
+    sideEffects: NoneOnDryRun
+    timeoutSeconds: {{ .Values.flytepropellerwebhook.webhook.timeoutSeconds }}
+{{- end }}
+{{- end }}
+{{- end }}

charts/dataplane/templates/propeller/service-webhook.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.flytepropellerwebhook.enabled }}
 apiVersion: v1
 kind: Service
 metadata:
@@ -21,3 +22,4 @@ spec:
       protocol: TCP
       port: 10254
       targetPort: 10254
+{{- end }}