diff --git a/helm/rest/nico-rest-site-agent/templates/temporal-certs-secret.yaml b/helm/rest/nico-rest-site-agent/templates/temporal-certs-secret.yaml
index eefc7c1b7a..6efa5b1e15 100644
--- a/helm/rest/nico-rest-site-agent/templates/temporal-certs-secret.yaml
+++ b/helm/rest/nico-rest-site-agent/templates/temporal-certs-secret.yaml
@@ -1,7 +1,9 @@
 # SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
 # SPDX-License-Identifier: Apache-2.0
-# Temporal client TLS certs for site-agent — placeholder values populated by bootstrap
+# Temporal client TLS certs for site-agent — placeholder values populated by bootstrap.
+# resource-policy: keep prevents helm upgrade from overwriting certs written by the
+# bootstrap process; deleting and re-installing the release creates a fresh placeholder.
 apiVersion: v1
 kind: Secret
 metadata:
@@ -9,6 +11,8 @@ metadata:
 namespace: {{ include "nico-rest-site-agent.namespace" . }}
 labels:
 {{- include "nico-rest-site-agent.labels" . | nindent 4 }}
+ annotations:
+ helm.sh/resource-policy: keep
 type: Opaque
 stringData:
 otp: ""
diff --git a/helm/rest/nico-rest-site-agent/values.yaml b/helm/rest/nico-rest-site-agent/values.yaml
index 1b11f7ba2b..39e3d08257 100644
--- a/helm/rest/nico-rest-site-agent/values.yaml
+++ b/helm/rest/nico-rest-site-agent/values.yaml
@@ -82,6 +82,8 @@ envConfig:
 ENABLE_TLS: "true"
 NICO_ADDRESS: ""
 NICO_SEC_OPT: "0"
+ FLOW_GRPC_ENABLED: "false"
+ FLOW_GRPC_SEC_OPT: "2"
 CLUSTER_ID: ""
 TEMPORAL_HOST: "temporal-frontend.temporal"
 TEMPORAL_PORT: "7233"
diff --git a/rest-api/site-workflow/pkg/grpc/client/flow_client.go b/rest-api/site-workflow/pkg/grpc/client/flow_client.go
index 18561b0faa..bde1ed5d78 100644
--- a/rest-api/site-workflow/pkg/grpc/client/flow_client.go
+++ b/rest-api/site-workflow/pkg/grpc/client/flow_client.go
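Review bot: The rationale in the new header comment of temporal-certs-secret.yaml does not match what `helm.sh/resource-policy: keep` does as Helm documents it: the annotation only makes Helm skip deleting the resource (on uninstall, upgrade or rollback); it does not stop `helm upgrade` from re-rendering this template and patching the placeholder `stringData` back over whatever bootstrap wrote, so the annotation added in the `@@ -9,6 +11,8 @@` hunk has the same gap. Unless something outside these hunks guards the render (a `lookup` on the existing Secret, or bootstrap writing to a Secret the chart does not manage), the certs are still clobbered on upgrade. The second claim also needs correcting: with `keep`, `helm uninstall` orphans the Secret, so deleting and re-installing the release does not by itself yield a fresh placeholder, and the TLS key material bootstrap wrote stays in the namespace until someone removes it explicitly — worth saying so operators clean it up on decommission or rotation. I would reword to `# resource-policy: keep only stops Helm from deleting this Secret (uninstall/upgrade/rollback);` / `# it is orphaned on uninstall and must be deleted by hand (kubectl delete secret <secret name>) to get a fresh placeholder.`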
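Review bot: `FLOW_GRPC_SEC_OPT: "2"` in the values.yaml hunk is added with no indication of what mode 2 selects or which values are accepted, while the sibling `NICO_SEC_OPT` defaults to `"0"`; values.yaml is the operator-facing surface, so the meaning belongs next to the key. The flow_client.go hunk in this commit builds a mutual-TLS config, which may be what mode 2 enables, but that cannot be confirmed from this diff. I would add a comment such as `# FLOW_GRPC_SEC_OPT: <security mode selected by "2"; list accepted values — TODO fill in from the consumer of this variable>` and note beside `FLOW_GRPC_ENABLED: "false"` that the mode is inert until the client is enabled.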
@@ -158,9 +158,19 @@ func NewFlowGrpcClient(config *FlowGrpcClientConfig) (client *FlowGrpcClient, er
 if !capool.AppendCertsFromPEM(cabytes) {
 return nil, fmt.Errorf("FlowGrpcClient: Failed to append CA cert to CA pool")
 }
+ // Use GetClientCertificate (not Certificates) to unconditionally present
+ // the client cert. With Certificates, Go's TLS stack only selects a cert
+ // whose issuer matches the acceptable CA list from the server's
+ // CertificateRequest; when no match is found it silently sends no cert,
+ // causing the server to reject with "tls: certificate required".
+ // GetClientCertificate bypasses that matching and always returns the cert,
+ // leaving verification to the server — the same approach used in
+ // rest-api/flow/pkg/certs/certs.go TLSConfig().
 mutualTLSConfig := &tls.Config{
- Certificates: []tls.Certificate{clientCert},
- RootCAs: capool,
+ GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
+ return &clientCert, nil
+ },
+ RootCAs: capool,
 }
 creds := credentials.NewTLS(mutualTLSConfig)
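Review bot: The `GetClientCertificate` callback discards its `*tls.CertificateRequestInfo`, so a client cert the server's CertificateRequest would not accept (issuer outside its acceptable-CA list, or an unsupported signature scheme) is now sent anyway and fails as a server-side alert that is just as opaque to the client as the "tls: certificate required" the comment describes. Keep the unconditional presentation, but surface the diagnostic: name the parameter `cri`, call `cri.SupportsCertificate(&clientCert)` and log the returned error (with whatever logger this package uses — only `fmt` is visible in the hunk) before `return &clientCert, nil`, so an "unknown certificate authority" or "bad certificate" entry in the server log can be matched to a reason on the client. NewFlowGrpcClient continues outside the hunk on both sides; `clientCert` is captured by reference in the closure, which is fine as long as nothing later in the function reassigns it.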