Draft
Signed-off-by: Haytham Abuelfutuh <[email protected]>
Signed-off-by: Haytham Abuelfutuh <[email protected]>
Signed-off-by: Haytham Abuelfutuh <[email protected]>
# Conflicts:
#	tests/generated/dataplane.additional-podlabels.yaml
#	tests/generated/dataplane.aws.eks-automode.yaml
#	tests/generated/dataplane.aws.with-ingress.yaml
#	tests/generated/dataplane.aws.yaml
#	tests/generated/dataplane.azure.yaml
#	tests/generated/dataplane.cost.yaml
#	tests/generated/dataplane.dcgm-exporter.yaml
#	tests/generated/dataplane.fully-selfhosted.yaml
#	tests/generated/dataplane.low-priv.yaml
#	tests/generated/dataplane.nodeobserver.yaml
#	tests/generated/dataplane.oci.yaml
Signed-off-by: Haytham Abuelfutuh <[email protected]>
Static Webhook
Signed-off-by: Haytham Abuelfutuh <[email protected]>
# Conflicts:
#	charts/dataplane/templates/_helpers.tpl
#	charts/dataplane/values.yaml
#	tests/generated/dataplane.additional-podlabels.yaml
#	tests/generated/dataplane.aws.eks-automode.yaml
#	tests/generated/dataplane.aws.with-ingress.yaml
#	tests/generated/dataplane.aws.yaml
#	tests/generated/dataplane.azure.yaml
#	tests/generated/dataplane.cost.yaml
#	tests/generated/dataplane.dcgm-exporter.yaml
#	tests/generated/dataplane.fully-selfhosted.yaml
#	tests/generated/dataplane.low-priv.yaml
#	tests/generated/dataplane.nodeobserver.yaml
#	tests/generated/dataplane.oci.yaml
Signed-off-by: Haytham Abuelfutuh <[email protected]>
Signed-off-by: Haytham Abuelfutuh <[email protected]>
Signed-off-by: Haytham Abuelfutuh <[email protected]>
Signed-off-by: Haytham Abuelfutuh <[email protected]>
# Conflicts:
#	tests/generated/dataplane.additional-podlabels.yaml
#	tests/generated/dataplane.aws.eks-automode.yaml
#	tests/generated/dataplane.aws.with-ingress.yaml
#	tests/generated/dataplane.aws.yaml
#	tests/generated/dataplane.azure.yaml
#	tests/generated/dataplane.cost.yaml
#	tests/generated/dataplane.dcgm-exporter.yaml
#	tests/generated/dataplane.fully-selfhosted.yaml
#	tests/generated/dataplane.low-priv.yaml
#	tests/generated/dataplane.nodeobserver.yaml
#	tests/generated/dataplane.oci.yaml
# Conflicts:
#	charts/dataplane/templates/_helpers.tpl
#	charts/dataplane/templates/propeller/deployment-webhook.yaml
#	charts/dataplane/templates/propeller/service-webhook.yaml
#	charts/dataplane/templates/propeller/serviceaccount-webhook.yaml
#	tests/generated/dataplane.additional-podlabels.yaml
#	tests/generated/dataplane.aws.eks-automode.yaml
#	tests/generated/dataplane.aws.with-ingress.yaml
#	tests/generated/dataplane.aws.yaml
#	tests/generated/dataplane.azure.yaml
#	tests/generated/dataplane.cost.yaml
#	tests/generated/dataplane.dcgm-exporter.yaml
#	tests/generated/dataplane.fully-selfhosted.yaml
#	tests/generated/dataplane.low-priv.yaml
#	tests/generated/dataplane.nodeobserver.yaml
#	tests/generated/dataplane.oci.yaml
Signed-off-by: Haytham Abuelfutuh <[email protected]>
Signed-off-by: Haytham Abuelfutuh <[email protected]>
Signed-off-by: Haytham Abuelfutuh <[email protected]>
Signed-off-by: Haytham Abuelfutuh <[email protected]>
…xecutor selector and pod labels, enable tpl rendering for template expressions in label values, rename executor command to executorv2, and update generated test fixtures.
Signed-off-by: Haytham Abuelfutuh <[email protected]>
Signed-off-by: Haytham Abuelfutuh <[email protected]>
Signed-off-by: Haytham Abuelfutuh <[email protected]>
Signed-off-by: Haytham Abuelfutuh <[email protected]>
# Conflicts:
#	charts/dataplane/templates/operator/configmap.yaml
#	tests/generated/dataplane.additional-podlabels.yaml
#	tests/generated/dataplane.aws.eks-automode.yaml
#	tests/generated/dataplane.aws.with-ingress.yaml
#	tests/generated/dataplane.aws.yaml
#	tests/generated/dataplane.azure-custom-storage-prefix.yaml
#	tests/generated/dataplane.azure.yaml
#	tests/generated/dataplane.cost.yaml
#	tests/generated/dataplane.dcgm-exporter.yaml
#	tests/generated/dataplane.fully-selfhosted.yaml
#	tests/generated/dataplane.low-priv.yaml
#	tests/generated/dataplane.nodeobserver.yaml
#	tests/generated/dataplane.oci.yaml
Signed-off-by: Haytham Abuelfutuh <[email protected]>
Signed-off-by: Haytham Abuelfutuh <[email protected]>
# Conflicts:
#	charts/dataplane/values.yaml
Signed-off-by: Haytham Abuelfutuh <[email protected]>
Signed-off-by: Haytham Abuelfutuh <[email protected]>
# Conflicts:
#	tests/generated/dataplane.additional-podlabels.yaml
#	tests/generated/dataplane.aws.eks-automode.yaml
#	tests/generated/dataplane.aws.with-ingress.yaml
#	tests/generated/dataplane.aws.yaml
#	tests/generated/dataplane.azure-custom-storage-prefix.yaml
#	tests/generated/dataplane.azure.yaml
#	tests/generated/dataplane.cost.yaml
#	tests/generated/dataplane.dcgm-exporter.yaml
#	tests/generated/dataplane.fully-selfhosted.yaml
#	tests/generated/dataplane.low-priv.yaml
#	tests/generated/dataplane.nodeobserver.yaml
#	tests/generated/dataplane.oci.yaml
#	tests/values/dataplane.fully-selfhosted.yaml
Signed-off-by: Haytham Abuelfutuh <[email protected]>
Signed-off-by: Haytham Abuelfutuh <[email protected]>
Signed-off-by: Haytham Abuelfutuh <[email protected]>
…ommonServiceAccount` helper and `commonServiceAccount` values to consolidate operator, executor, proxy, webhook, and fluentbit service accounts into a single shared ServiceAccount (`union-system`). Automatically enabled in singleNamespace mode. Separate RBAC role/binding names from ServiceAccount names to allow shared SA with distinct permissions.
# Conflicts:
#	charts/dataplane/templates/operator/configmap.yaml
#	tests/generated/dataplane.additional-podlabels.yaml
#	tests/generated/dataplane.aws.eks-automode.yaml
#	tests/generated/dataplane.aws.with-ingress.yaml
#	tests/generated/dataplane.aws.yaml
#	tests/generated/dataplane.azure-custom-storage-prefix.yaml
#	tests/generated/dataplane.azure.yaml
#	tests/generated/dataplane.cost.yaml
#	tests/generated/dataplane.dcgm-exporter.yaml
#	tests/generated/dataplane.fully-selfhosted.yaml
#	tests/generated/dataplane.low-priv.yaml
#	tests/generated/dataplane.nodeobserver.yaml
#	tests/generated/dataplane.oci.yaml
…ildkitUri` is set before enabling Depot for image building.
# Conflicts:
#	charts/dataplane/values.yaml
#	tests/generated/dataplane.low-priv.yaml
…andbox charts to version 2026.3.4/2026.3.2. Add selfServeConfig, sharedService connectPort, commonServiceAccount, buildkit serviceAccount, and dynamic-log-links values. Update billing config from billableUsageCollector to billing model. Enable flyteconnector and knative-operator by default. Add serving extraConfig for registry tag resolving. Expand self-hosted deployment guide for AWS. Update fluentbit and webhook securityContext defaults.
# Conflicts:
#	tests/generated/dataplane.additional-podlabels.yaml
#	tests/generated/dataplane.aws.eks-automode.yaml
#	tests/generated/dataplane.aws.with-ingress.yaml
#	tests/generated/dataplane.aws.yaml
#	tests/generated/dataplane.azure-custom-storage-prefix.yaml
#	tests/generated/dataplane.azure.yaml
#	tests/generated/dataplane.cost.yaml
#	tests/generated/dataplane.dcgm-exporter.yaml
#	tests/generated/dataplane.fully-selfhosted.yaml
#	tests/generated/dataplane.low-priv.yaml
#	tests/generated/dataplane.nodeobserver.yaml
#	tests/generated/dataplane.oci.yaml
Merged: aviator-app Bot pushed a commit that referenced this pull request on Apr 9, 2026.
[:rotating_light: Breaking Change]
Major overhaul of the dataplane chart to establish sane, low-privilege defaults that work out of the box for new deployments while preserving backward compatibility via values-legacy.yaml.
## Default mode changes
- Low-privilege mode (low_privilege: true) is now the default — namespace-scoped RBAC, no cluster-wide permissions except where strictly required (fluentbit DaemonSet, knative-operator)
- V2 executor is the default — flytepropeller.enabled: false, executor.idl2Executor: true, flyteconnector.enabled: true
- Cluster resource sync disabled by default (clusterresourcesync.enabled: false)
- Common service account (union-system) shared across all components by default
- values-legacy.yaml created to restore all previous defaults with a single overlay file
## Prometheus consolidation
- Replaced the static prometheus deployment (templates/prometheus/) and the prometheus-simple subchart with a single community prometheus chart aliased as prometheus
- Removed standalone kube-state-metrics dependency (now a subchart of prometheus)
- Namespace-scoped RBAC for prometheus and kube-state-metrics in low-privilege mode via prometheus-rbac.yaml
- Scrape configs for flytepropeller, serving-envoy, and dcgm-exporter are now unconditional (no-op when targets don't exist)
- cAdvisor scraping moved to values-legacy.yaml (requires ClusterRole)
## Knative operator improvements
- Split CRDs into knative-operator-crds subchart — solves chicken-and-egg CRD validation error on fresh installs. CRDs are in the crds/ directory so Helm installs them before templates
- CRDs chart conditioned on knative-operator-crds.enabled
- Removed single_namespace support — the operator requires cluster-scoped RBAC and can't be namespace-restricted
- Fixed _example key in operator ConfigMaps that caused webhook validation failures on helm upgrade
- Added tpl support in knative-operator.namespace helper for namespaceOverride
- Fixed CRD conversion webhook namespace to use the helper instead of .Release.Namespace
## Image builder auto-configuration
- imageBuilder.defaultRepository auto-generates from cloud provider:
  - AWS: `<account_id>.dkr.ecr.<region>.amazonaws.com/<registryName>`
  - GCP: `<region>-docker.pkg.dev/<projectId>/<registryName>`
  - Azure: `<registryName>.azurecr.io`
- imageBuilder.authenticationType auto-detects (aws, google, azure, noop)
- New imageBuilder.registryName value (default: union-dataplane)
- Added global.AWS_ACCOUNT_ID for ECR URL generation
## Other changes
- Fixed fluentbit.serviceAccount.name to use common SA (union-system) by default
- Fixed union-serviceaccount.yaml missing tpl calls (pre-existing bug)
- Webhook templates moved from nodeexecutor/ to webhook/ directory with Helm-managed certificates
- Added GCP test case (dataplane.gcp.yaml)
- Removed values-low-privilege.yaml and values.v2.yaml (superseded by new defaults)
## Webhook certificate management
- Helm-managed MutatingWebhookConfiguration — the webhook configuration is now created by Helm (with flytepropellerwebhook.managedConfig: true) instead of self-registered by the webhook binary at runtime. This removes the need for the webhook to have cluster-scoped RBAC for mutatingwebhookconfigurations
- Configurable certificate providers (flytepropellerwebhook.certificate.provider):
  - helm (default) — generates self-signed certs using Helm's crypto functions, preserved on upgrade if the secret exists
  - certManager — uses cert-manager to provision and manage certificates
  - external — user-provided certificates via caCert, tlsCrt, tlsKey values
  - legacy — original behavior where the webhook binary generates its own certs via init container
- Static test certificates (values-test-certs.yaml) for deterministic test snapshot generation
- Webhook templates restructured from nodeexecutor/ to webhook/ directory
## :rotating_light: Preserving current behavior
In order to preserve current behavior, `dataplane/values-legacy.yaml` is added to revert all defaults to current values. This can be used in conjunction with any other values file like this:
```shell
helm upgrade ..... -f values-legacy.yaml -f myvalues.yaml
```
## Test plan
- Verify helm template renders correctly for default values
- Verify helm template with low_privilege: true produces namespace-scoped resources and no cluster-wide permissions
- Verify build-image-config configmap is created only in single-namespace mode
- Verify depot-token imagePullSecret appears in task pod template when Depot is enabled
- Verify webhook certificates render correctly for all providers (helm, certManager, external, legacy)
- Verify generated test fixtures match expected output
- Test upgrade path from existing deployments (webhook secret reuse, resource renames)
* `main`
  - **:rotating_light: Breaking Change - Dataplane - Sane defaults** :point_left:
    - #259
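The test-plan item "helm template with low_privilege: true produces namespace-scoped resources and no cluster-wide permissions" can be checked mechanically rather than by eye. The script below is an added example, not code from the dataplane chart or from this PR: it reads the multi-document output of `helm template`, lists every ClusterRole and ClusterRoleBinding, allows only the components the description says still need cluster-wide permissions (fluentbit, knative-operator), and separately flags Role/ClusterRole objects whose rules use wildcard verbs or resources. The embedded manifest is constructed for the demo (including a deliberately regressed webhook ClusterRole on mutatingwebhookconfigurations, the permission the Helm-managed webhook configuration removes the need for); the name-prefix allowlist, the script name `audit_rbac.py` and the regex-based field extraction (stdlib only, no PyYAML) are assumptions of this example, not properties of the chart.

```python
"""Audit `helm template` output for cluster-scoped RBAC and wildcard rules.

Added example, not part of the dataplane chart or this PR. Stdlib only: the
rendered manifests are split on document separators and the few fields we
need are pulled out with regexes, which is sufficient for helm's output and
avoids a PyYAML dependency (an assumption of this demo, not a chart rule).
"""
import re
import sys

CLUSTER_SCOPED_KINDS = {"ClusterRole", "ClusterRoleBinding"}
# Components the PR description says still need cluster-wide permissions in
# low-privilege mode (fluentbit DaemonSet, knative-operator). Matching them
# by object-name prefix is an assumption of this example.
ALLOWED_CLUSTER_RBAC_PREFIXES = ("fluentbit", "knative-operator")

# A YAML list either in flow style ["a", "b"] or block style "\n  - a\n  - b".
_LIST_VALUE = r"(\[[^\]]*\]|(?:\n\s*-\s*\S+)+)"


def split_documents(rendered):
    """Yield each non-empty YAML document of a multi-document stream."""
    for doc in re.split(r"(?m)^---\s*$", rendered):
        if doc.strip():
            yield doc


def field(doc, key):
    """First `key: value` scalar in the document (used for kind: and name:)."""
    match = re.search(rf"(?m)^\s*{key}:\s*(\S+)\s*$", doc)
    return match.group(1).strip("\"'") if match else None


def has_wildcard_rule(doc):
    """True if any verbs:/resources: list in the document contains '*'."""
    pattern = r"(?m)^\s*(?:-\s*)?(?:verbs|resources):\s*" + _LIST_VALUE
    for match in re.finditer(pattern, doc):
        if re.search(r"(?<![\w./-])\*(?![\w./-])", match.group(1)):
            return True
    return False


def audit(rendered):
    """Return (cluster_scoped, wildcard) findings for a rendered chart.

    cluster_scoped: (kind, name, allowed) for every ClusterRole/ClusterRoleBinding.
    wildcard: (kind, name) for Role/ClusterRole objects granting '*' verbs or resources.
    """
    cluster_scoped, wildcard = [], []
    for doc in split_documents(rendered):
        kind, name = field(doc, "kind"), field(doc, "name") or "<unnamed>"
        if kind in CLUSTER_SCOPED_KINDS:
            allowed = name.startswith(ALLOWED_CLUSTER_RBAC_PREFIXES)
            cluster_scoped.append((kind, name, allowed))
        if kind in ("Role", "ClusterRole") and has_wildcard_rule(doc):
            wildcard.append((kind, name))
    return cluster_scoped, wildcard


def unexpected_cluster_rbac(rendered):
    """Cluster-scoped RBAC objects not on the allowlist, as 'Kind/name'."""
    cluster_scoped, _ = audit(rendered)
    return [f"{kind}/{name}" for kind, name, allowed in cluster_scoped if not allowed]


# Constructed sample standing in for `helm template` output: a namespaced Role,
# the allowed fluentbit ClusterRole, and a regression where the webhook regained
# a cluster-wide wildcard grant on mutatingwebhookconfigurations.
SAMPLE_RENDER = """\
---
# Source: dataplane/templates/operator/role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: union-operator
  namespace: union
rules:
  - apiGroups: [""]
    resources: ["pods", "configmaps"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: fluentbit
rules:
  - apiGroups: [""]
    resources: ["pods", "namespaces"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: union-webhook
rules:
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["mutatingwebhookconfigurations"]
    verbs: ["*"]
"""

if __name__ == "__main__":
    # Real use: helm template dataplane ./charts/dataplane | python3 audit_rbac.py
    rendered = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RENDER
    cluster_scoped, wildcard = audit(rendered)
    for kind, name, allowed in cluster_scoped:
        print(f"{'ok  ' if allowed else 'FAIL'} cluster-scoped {kind}/{name}")
    for kind, name in wildcard:
        print(f"FAIL wildcard rule in {kind}/{name}")
    sys.exit(1 if unexpected_cluster_rbac(rendered) or wildcard else 0)
```

Run with no stdin it audits the embedded sample and exits non-zero because of the `union-webhook` ClusterRole; piped after `helm template` with the chart's default values it gives a quick regression check for the low-privilege promise, and running it again with `-f values-legacy.yaml` shows exactly which cluster-scoped objects the legacy overlay brings back. The allowlist should be tightened to exact names once the rendered object names are known.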