diff --git a/deploy/Chart/templates/_helpers.tpl b/deploy/Chart/templates/_helpers.tpl
index 58f408a5d5..95e5c79945 100644
--- a/deploy/Chart/templates/_helpers.tpl
+++ b/deploy/Chart/templates/_helpers.tpl
@@ -12,3 +12,32 @@
 {{- end -}}
 {{- print $version }}
 {{- end -}}
+
+{{/*
+Reuses the value from an existing secret, otherwise sets its value to a default value.
+
+Usage:
+{{ include "secrets.lookup" (dict "secret" "secret-name" "namespace" "ns-name" "key" "key-name" "defaultValue" "default-secret") }}
+
+Params:
+ - secret - String - Required - Name of the 'Secret' resource where the password is stored.
+ - namespace - String - Required - Namespace of the 'Secret' resource where the password is stored.
+ - key - String - Required - Name of the key in the secret.
+ - defaultValue - String - Required - Default value to use if the secret does not exist.
+
+References:
+ - https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_secrets.tpl
+*/}}
+{{- define "secrets.lookup" -}}
+{{- $value := "" -}}
+{{- $namespace := .namespace | toString -}}
+{{- $secretData := (lookup "v1" "Secret" $namespace .secret).data -}}
+{{- if and $secretData (hasKey $secretData .key) -}}
+ {{- $value = index $secretData .key -}}
+{{- else if .defaultValue -}}
+ {{- $value = .defaultValue | toString | b64enc -}}
+{{- end -}}
+{{- if $value -}}
+{{- printf "%s" $value -}}
+{{- end -}}
+{{- end -}}
diff --git a/deploy/Chart/templates/controller/webhook.yaml b/deploy/Chart/templates/controller/validating-webhook-configuration.yaml
similarity index 66%
rename from deploy/Chart/templates/controller/webhook.yaml
rename to deploy/Chart/templates/controller/validating-webhook-configuration.yaml
index 2f9272686d..93e8399b2b 100644
--- a/deploy/Chart/templates/controller/webhook.yaml
+++ b/deploy/Chart/templates/controller/validating-webhook-configuration.yaml
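Review bot: `defaultValue` is listed as Required in the header comment, but `{{- else if .defaultValue -}}` treats it as optional, and when it is absent or empty the trailing `{{- if $value -}}` renders nothing, so a caller ends up emitting an empty `tls.key:` instead of failing the render. Either change the comment to Optional or enforce it, e.g. `{{- else -}}` followed by `{{- $value = (required "secrets.lookup: defaultValue is required" .defaultValue) | toString | b64enc -}}`. The comment should also state that an existing value is returned exactly as stored in `.data` (already base64) whereas `defaultValue` is base64-encoded by the helper, so callers must pass the raw value, and that `lookup` returns an empty map under `helm template` and `--dry-run`, in which case the default is rendered on every run. It is worth adding that the helper resolves one key per call, so callers that need several keys of one Secret to agree with each other have to check completeness themselves.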
@@ -1,5 +1,3 @@
-{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace "controller-cert"}}
-{{- $existingWebhook := lookup "admissionregistration.k8s.io/v1" "ValidatingWebhookConfiguration" .Release.Namespace "recipe-webhook.radapp.io"}}
 {{- $ca := genCA "controller-ca" 3650 }}
 {{- $cn := printf "controller" }}
 {{- $altName1 := printf "controller.%s" .Release.Namespace }}
@@ -15,14 +13,11 @@ metadata:
 labels:
 app.kubernetes.io/name: controller
 app.kubernetes.io/part-of: radius
+type: kubernetes.io/tls
 data:
- {{ if $existingSecret }}tls.crt: {{ index $existingSecret.data "tls.crt" }}
- {{ else }}tls.crt: {{ b64enc $cert.Cert }}
- {{ end }}
-
- {{ if $existingSecret }}tls.key: {{ index $existingSecret.data "tls.key" }}
- {{ else }}tls.key: {{ b64enc $cert.Key }}
- {{ end }}
+ tls.crt: {{ include "secrets.lookup" (dict "secret" "controller-cert" "namespace" .Release.Namespace "key" "tls.crt" "defaultValue" $cert.Cert) }}
+ tls.key: {{ include "secrets.lookup" (dict "secret" "controller-cert" "namespace" .Release.Namespace "key" "tls.key" "defaultValue" $cert.Key) }}
+ ca.crt: {{ include "secrets.lookup" (dict "secret" "controller-cert" "namespace" .Release.Namespace "key" "ca.crt" "defaultValue" $ca.Cert) }}
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
@@ -32,7 +27,7 @@ webhooks:
 - admissionReviewVersions:
 - v1
 clientConfig:
- caBundle: {{ b64enc $ca.Cert }}
+ caBundle: {{ include "secrets.lookup" (dict "secret" "controller-cert" "namespace" .Release.Namespace "key" "ca.crt" "defaultValue" $ca.Cert) }}
 service:
 name: controller
 namespace: {{ .Release.Namespace }}
diff --git a/deploy/Chart/templates/ucp/apiservice.yaml b/deploy/Chart/templates/ucp/apiservice.yaml
index 75bec2c745..df5c3f046b 100644
--- a/deploy/Chart/templates/ucp/apiservice.yaml
+++ b/deploy/Chart/templates/ucp/apiservice.yaml
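Review bot: On upgrade from a release whose `controller-cert` Secret was written by the removed template, which stored only `tls.crt` and `tls.key`, the new `ca.crt` entry falls through to `$ca.Cert` while the other two keys are reused; `genCA` yields a fresh CA on every render, so that CA did not sign the reused serving certificate, and because `caBundle` in the webhook hunk below is resolved through the same `ca.crt` lookup, the API server would presumably stop trusting the webhook endpoint after the upgrade. The same per-key fallthrough affects the `ucp-cert` Secret and the APIService `caBundle` in apiservice.yaml. The three keys should be reused or regenerated together — look the Secret up once, reuse only when all of `tls.crt`, `tls.key` and `ca.crt` are present, otherwise emit all three from `$cert`/`$ca` and derive `caBundle` from the same decision (a one-time migration that adds `ca.crt` to existing Secrets is the alternative). Separately, `+type: kubernetes.io/tls` sets a type on a Secret that existing releases created without one (Opaque); as far as I recall the API server treats a Secret's `type` as immutable on update, so the upgrade would fail unless the Secret is recreated, which needs handling in the chart or a release note. The Secret and ValidatingWebhookConfiguration definitions continue outside these hunks.
```yaml
{{- $existing := (lookup "v1" "Secret" .Release.Namespace "controller-cert").data }}
{{- $reuse := and $existing (hasKey $existing "tls.crt") (hasKey $existing "tls.key") (hasKey $existing "ca.crt") }}
{{- $ca := genCA "controller-ca" 3650 }}
{{/* … unchanged: certificate generation, Secret apiVersion/kind/metadata … */}}
data:
{{- if $reuse }}
  tls.crt: {{ index $existing "tls.crt" }}
  tls.key: {{ index $existing "tls.key" }}
  ca.crt: {{ index $existing "ca.crt" }}
{{- else }}
  tls.crt: {{ b64enc $cert.Cert }}
  tls.key: {{ b64enc $cert.Key }}
  ca.crt: {{ b64enc $ca.Cert }}
{{- end }}
{{/* … unchanged: ValidatingWebhookConfiguration header and webhooks list … */}}
    caBundle: {{ if $reuse }}{{ index $existing "ca.crt" }}{{ else }}{{ b64enc $ca.Cert }}{{ end }}
```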
@@ -1,5 +1,3 @@
-{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace "ucp-cert"}}
-{{- $existingApiService := lookup "apiregistration.k8s.io/v1" "APIService" .Release.Namespace "v1alpha3.api.ucp.dev"}}
 {{- $ca := genCA "ucp-ca" 3650 }}
 {{- $cn := printf "ucp" }}
 {{- $altName1 := printf "ucp.%s" .Release.Namespace }}
@@ -15,14 +13,11 @@ metadata:
 labels:
 app.kubernetes.io/name: ucp
 app.kubernetes.io/part-of: radius
+type: kubernetes.io/tls
 data:
- {{ if $existingSecret }}tls.crt: {{ index $existingSecret.data "tls.crt" }}
- {{ else }}tls.crt: {{ b64enc $cert.Cert }}
- {{ end }}
-
- {{ if $existingSecret }}tls.key: {{ index $existingSecret.data "tls.key" }}
- {{ else }}tls.key: {{ b64enc $cert.Key }}
- {{ end }}
+ tls.crt: {{ include "secrets.lookup" (dict "secret" "ucp-cert" "namespace" .Release.Namespace "key" "tls.crt" "defaultValue" $cert.Cert) }}
+ tls.key: {{ include "secrets.lookup" (dict "secret" "ucp-cert" "namespace" .Release.Namespace "key" "tls.key" "defaultValue" $cert.Key) }}
+ ca.crt: {{ include "secrets.lookup" (dict "secret" "ucp-cert" "namespace" .Release.Namespace "key" "ca.crt" "defaultValue" $ca.Cert) }}
 ---
 apiVersion: apiregistration.k8s.io/v1
 kind: APIService
@@ -39,4 +34,4 @@ spec:
 name: ucp
 namespace: {{ .Release.Namespace }}
 version: v1alpha3
- caBundle: {{ if $existingApiService }}{{ $existingApiService.spec.caBundle }}{{ else }}{{ b64enc $ca.Cert }}{{ end }}
\ No newline at end of file
+ caBundle: {{ include "secrets.lookup" (dict "secret" "ucp-cert" "namespace" .Release.Namespace "key" "ca.crt" "defaultValue" $ca.Cert) }}
\ No newline at end of file
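Review bot: The rewritten `caBundle` line in the last hunk still leaves apiservice.yaml without a trailing newline, as the `\ No newline at end of file` marker on the new side shows; since this hunk replaces the final line anyway, terminating it with a newline would keep the file consistent with the other templates and avoid a spurious diff on the next edit. The `spec` block this line belongs to starts above the hunk.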