diff --git a/bootstrap/scripts/plugin.py b/bootstrap/scripts/plugin.py
index 0178e7d8d40..57a0682bac1 100644
--- a/bootstrap/scripts/plugin.py
+++ b/bootstrap/scripts/plugin.py
@@ -6,10 +6,15 @@ from typing import Any
 from netaddr import IPNetwork
+from bcrypt import hashpw, gensalt
 import makejinja
 import validation
+def encrypt(value: str) -> str:
+    return hashpw(value.encode(), gensalt(rounds=10)).decode("ascii")
+
+
 def nthhost(value: str, query: int) -> str:
     value = IPNetwork(value)
     try:
@@ -20,6 +25,7 @@ def nthhost(value: str, query: int) -> str:
         return False
     return value
+
 def import_filter(file: Path) -> Callable[[dict[str, Any]], bool]:
     module_path = file.relative_to(Path.cwd()).with_suffix("")
     module_name = str(module_path).replace("/", ".")
@@ -31,6 +37,7 @@ def import_filter(file: Path) -> Callable[[dict[str, Any]], bool]:
     spec.loader.exec_module(module)
     return module.main
+
 class Plugin(makejinja.plugin.Plugin):
     def __init__(self, data: dict[str, Any], config: makejinja.config.Config):
         self._data = data
@@ -45,12 +52,15 @@ def __init__(self, data: dict[str, Any], config: makejinja.config.Config):
         validation.validate(data)
+
     def filters(self) -> makejinja.plugin.Filters:
-        return [nthhost]
+        return [encrypt, nthhost]
+
     def path_filters(self):
         return [self._mjfilter_func]
+
     def _mjfilter_func(self, path: Path) -> bool:
         return not any(
             path.is_relative_to(excluded_dir)
             for excluded_dir in self._excluded_dirs
diff --git a/bootstrap/templates/kubernetes/apps/flux-system/.mjfilter.py b/bootstrap/templates/kubernetes/apps/flux-system/.mjfilter.py
deleted file mode 100644
index 8947ab6225f..00000000000
--- a/bootstrap/templates/kubernetes/apps/flux-system/.mjfilter.py
+++ /dev/null
@@ -1 +0,0 @@
-main = lambda data: data.get("flux", {}).get("github", {}).get("webhook", {}).get("enabled", False) == True
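Review bot: The new `encrypt` filter in the first plugin.py hunk is a one-way bcrypt password hash, not encryption — `hashpw` output cannot be reversed, and bcrypt only uses the first 72 bytes of its input (older releases of the bcrypt package silently truncate longer values, recent ones raise ValueError), yet neither the name nor any docstring says so. Add a docstring stating that the filter returns a bcrypt hash intended for password fields, that only the first 72 bytes of `value` are significant, and that the result differs on every render because `gensalt()` draws a fresh salt, so re-running the bootstrap always rewrites the hashed value. A guard before the hash makes the limit explicit instead of version-dependent: `if not value or len(value.encode()) > 72: raise ValueError("encrypt: value must be 1..72 bytes")`. `gensalt(rounds=10)` is also a bare magic number below the library default of 12; hoisting it to a module constant such as `BCRYPT_ROUNDS = 10` with a one-line comment on why that work factor was chosen keeps it reviewable.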
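Review bot: The `return [encrypt, nthhost]` line in the last plugin.py hunk exposes a bcrypt hash to templates under the name `encrypt`, which tells a template author the value can be recovered later when it cannot; `| encrypt` on a secret is irreversible, so a template that later needs the plaintext will be wrong without any error. The template-facing name is the interface, so keep `encrypt` for compatibility but give `filters` a docstring saying that `encrypt` is a one-way bcrypt password hash despite its name, and consider registering a truthfully named alias alongside it so new templates do not have to use the misleading one. `path_filters` and `_mjfilter_func` are unchanged apart from spacing.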
diff --git a/bootstrap/templates/kubernetes/apps/flux-system/kustomization.yaml.j2 b/bootstrap/templates/kubernetes/apps/flux-system/kustomization.yaml.j2
index 10587f8c9fe..7c03d1c3a34 100644
--- a/bootstrap/templates/kubernetes/apps/flux-system/kustomization.yaml.j2
+++ b/bootstrap/templates/kubernetes/apps/flux-system/kustomization.yaml.j2
@@ -3,4 +3,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - ./namespace.yaml
+  {% if flux.github.webhook.enabled %}
   - ./webhooks/ks.yaml
+  {% endif %}
diff --git a/bootstrap/templates/kubernetes/apps/flux-system/webhooks/.mjfilter.py b/bootstrap/templates/kubernetes/apps/flux-system/webhooks/.mjfilter.py
new file mode 100644
index 00000000000..7efae3a274c
--- /dev/null
+++ b/bootstrap/templates/kubernetes/apps/flux-system/webhooks/.mjfilter.py
@@ -0,0 +1,6 @@
+main = lambda data: (
+    data.get("flux", {})
+    .get("github", {})
+    .get("webhook", {})
+    .get("enabled", False) == True
+)
diff --git a/config.sample.yaml b/config.sample.yaml
index 5dbc79df324..712412967bc 100644
--- a/config.sample.yaml
+++ b/config.sample.yaml
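Review bot: The new `{% if flux.github.webhook.enabled %}` guard in kustomization.yaml.j2 dereferences the whole key path directly, while the path filter added in the same commit treats a missing `github` or `webhook` block as disabled through chained `.get(..., {})`; if `validation.validate` (called in Plugin.__init__, outside this diff) does not make that block mandatory, the two guards disagree — the webhooks directory is skipped but this template either raises an undefined-attribute error or silently drops the entry, depending on makejinja's undefined setting. Either guard the same way as the filter, `{% if flux.get("github", {}).get("webhook", {}).get("enabled", False) %}`, or put a comment above the `if` stating that the config schema guarantees the key so the direct access is intentional. It is also worth a comment that the two guards must stay in sync: a kustomization entry without a rendered `./webhooks/` directory breaks `kustomize build`, and the rendered directory without the entry is an orphan Flux never applies.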
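Review bot: The new webhooks/.mjfilter.py ends its condition with `.get("enabled", False) == True`, an equality test that ruff flags as E712 and that quietly treats a quoted YAML `"true"` as disabled rather than rejecting it; `is True` states the strict-boolean intent without the lint warning, or `bool(...)` if truthy coercion is actually wanted. The name-bound lambda (E731) also leaves no room for a docstring; `def main(data: dict) -> bool:` with a one-line docstring such as `"""Render webhooks/ only when flux.github.webhook.enabled is the boolean true."""` and `return enabled is True` documents the contract makejinja's `import_filter` expects. That is the same condition the kustomization template now repeats, so the docstring should name the template it must agree with.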
@@ -98,26 +98,26 @@ flux:
   # > task sops:age-keygen
   # 2. Copy the public key and paste it below
   sops_age_public_key: ""
-  # (Required) Options for Github
+  # (Required) Options for GitHub
   github:
-    # (Required) Github repository URL (for private repos use the ssh:// URL)
+    # (Required) GitHub repository URL (for private repos use the ssh:// URL)
     address: ""
-    # (Required) Github repository branch
+    # (Required) GitHub repository branch
     branch: main
-    # (Required) Options for Flux Github webhook
+    # (Required) Options for Flux GitHub webhook
     webhook:
-      # (Required) Enable to use Github push-based sync
+      # (Required) Enable to setup GitHub push-based sync after cluster creation
       enabled: true
-      # Token for Github push-based sync
+      # Token for GitHub push-based sync
       # 1. Generate a new token with the following command:
       # > openssl rand -hex 16
       # 2. Copy the token and paste it below
       token: ""
-    # (Required) Private key for Flux to access the Github repository
+    # (Required) Private key for Flux to access the GitHub repository
     private:
-      # (Required) Enable to use a private Github repository
+      # (Required) Enable to use a private GitHub repository
       enabled: false
-      # Private key for Flux to access the Github repository
+      # Private key for Flux to access the GitHub repository
       # 1. Generate a new key with the following command:
       # > ssh-keygen -t ecdsa -b 521 -C "github-deploy-key" -f github-deploy.key -q -P ""
       # 2. Make sure to paste public key from "github-deploy.key.pub" into