Add Pod Webhook deployment to Helm chart

helm/templates/_helpers.tpl

@@ -60,6 +60,10 @@ helm.sh/chart: {{ include "flyte.chart" . }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end -}}
 
+{{- define "flyte-pod-webhook.name" -}}
+flyte-pod-webhook
+{{- end -}}
+
 
 {{- define "flyteconsole.name" -}}
 flyteconsole

helm/templates/propeller/deployment.yaml

@@ -1,3 +1,12 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: flyte-propeller-auth
+  namespace: {{ template "flyte.namespace" . }}
+type: Opaque
+stringData:
+  client_secret: foobar
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:

helm/templates/propeller/webhook.yaml

@@ -0,0 +1,158 @@
+{{- if .Values.webhook.enabled }}
+# Create an empty secret that the first propeller pod will populate
+apiVersion: v1
+kind: Secret
+metadata:
+  name: flyte-pod-webhook
+  namespace: {{ template "flyte.namespace" . }}
+type: Opaque
+---
+# Create the actual deployment
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "flyte-pod-webhook.name" . }}
+  namespace: {{ template "flyte.namespace" . }}
+  labels:
+    app: {{ template "flyte-pod-webhook.name" . }}
+spec:
+  selector:
+    matchLabels:
+      app: {{ template "flyte-pod-webhook.name" . }}
+  template:
+    metadata:
+      labels:
+        app: {{ template "flyte-pod-webhook.name" . }}
+        app.kubernetes.io/name: {{ template "flyte-pod-webhook.name" . }}
+        app.kubernetes.io/version: {{ .Values.flytepropeller.image.tag }}
+      annotations:
+        configChecksum: {{ include (print .Template.BasePath "/propeller/configmap.yaml") . | sha256sum | trunc 63 | quote }}
+        {{- with .Values.flyteadmin.podAnnotations }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      serviceAccountName: {{ template "flyte-pod-webhook.name" . }}
+{{- if .Values.webhook.enabled }}
+      initContainers:
+      - name: generate-secrets
+        image: "{{ .Values.flytepropeller.image.repository }}:{{ .Values.flytepropeller.image.tag }}"
+        imagePullPolicy: "{{ .Values.flytepropeller.image.pullPolicy }}"
+        command:
+          - flytepropeller
+        args:
+          - webhook
+          - init-certs
+          - --config
+          - /etc/flyte/config/*.yaml
+        env:
+          - name: POD_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.name
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+        volumeMounts:
+          - name: config-volume
+            mountPath: /etc/flyte/config      
+{{- end }}
+      containers:
+        - name: webhook
+          image: "{{ .Values.flytepropeller.image.repository }}:{{ .Values.flytepropeller.image.tag }}"
+          imagePullPolicy: "{{ .Values.flytepropeller.image.pullPolicy }}"
+          command:
+            - flytepropeller
+          args:
+            - webhook
+            - --config
+            - /etc/flyte/config/*.yaml
+          env:
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+          volumeMounts:
+            - name: config-volume
+              mountPath: /etc/flyte/config
+              readOnly: true
+            - name: webhook-certs
+              mountPath: /etc/webhook/certs
+              readOnly: true
+      volumes:
+        - name: config-volume
+          configMap:
+            name: flyte-propeller-config
+        - name: webhook-certs
+          secret:
+            secretName: flyte-pod-webhook
+---
+# Service
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "flyte-pod-webhook.name" . }}
+  namespace: {{ template "flyte.namespace" . }}
+  {{- with .Values.webhook.service.annotations }}
+  annotations: {{ toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  selector:
+    app: {{ template "flyte-pod-webhook.name" . }}
+  ports:
+    - name: https
+      protocol: TCP
+      port: 443
+      targetPort: 9443
+---
+# Create a ClusterRole for the webhook
+# https://kubernetes.io/docs/admin/authorization/rbac/
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "flyte-pod-webhook.name" . }}
+  namespace: {{ template "flyte.namespace" . }}
+rules:
+  - apiGroups:
+      - "*"
+    resources:
+      - mutatingwebhookconfigurations
+      - secrets
+      - pods
+    verbs:
+      - get
+      - create
+      - update
+      - patch
+---
+{{- if .Values.webhook.serviceAccount.create }}
+# Create a Service Account for webhook
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "flyte-pod-webhook.name" . }}
+  namespace: {{ template "flyte.namespace" . }}
+  {{- with .Values.webhook.serviceAccount.annotations }}
+  annotations: {{ toYaml . | nindent 4 }}
+  {{- end}}
+{{- end }}
+---
+# Create a binding from Role -> ServiceAccount
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "flyte-pod-webhook.name" . }}
+  namespace: {{ template "flyte.namespace" . }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "flyte-pod-webhook.name" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "flyte-pod-webhook.name" . }}
+    namespace: {{ template "flyte.namespace" . }}
+{{- end }}

helm/values.yaml

@@ -105,7 +105,7 @@ flytepropeller:
   image:
     # -- Docker image for Flytepropeller deployment
     repository: ghcr.io/flyteorg/flytepropeller
-    tag: v0.10.9
+    tag: v0.10.10
     pullPolicy: IfNotPresent
   # -- Default resources requests and limits for Flytepropeller deployment
   resources:
@@ -170,6 +170,24 @@ flyteconsole:
   # -- affinity for Flyteconsole deployment
   affinity: {}
 
+#
+# WEBHOOK SETTINGS
+#
+
+webhook:
+  # -- enable or disable secrets webhook
+  enabled: true
+  # -- Configuration for service accounts for the webhook
+  serviceAccount:
+    # -- Should a service account be created for the webhook
+    create: true
+    # -- Annotations for ServiceAccount attached to the webhook
+    annotations: {}
+  # -- Service settings for the webhook
+  service:
+    annotations:
+      projectcontour.io/upstream-protocol.h2c: grpc
+    type: ClusterIP
 
 # ----------------------------------------------
 # Sandbox Configuration
@@ -569,6 +587,9 @@ configmap:
           type: bucket
           rate: 10
           capacity: 100
+    webhook:
+      certDir: /etc/webhook/certs
+      serviceName: flyte-pod-webhook
     # -- For Workflow store use configuration [here](https://pkg.go.dev/github.com/flyteorg/flytepropeller/pkg/controller/workflowstore#Config)
     #