Quickstart: create webhook autoscaler not working

[rorygarand]

What happened:

Following the quickstart docs to create a cluster on GKE. All steps work up until the HTTPS webhook fleetautoscaler section.

After running step 4:

kubectl apply -f ./webhookfleetautoscalertls.yaml

and

kubectl describe fleetautoscaler webhook-fleetautoscaler-tls

My output includes the warning:

  ----     ------           ----              ----                        -------
  Warning  FleetAutoscaler  1s (x8 over 11s)  fleetautoscaler-controller  Error calculating desired fleet size on FleetAutoscaler webhook-fleetautoscaler-tls. Error: 
Post "https://autoscaler-tls-service.default.svc:8000/scale": x509: certificate signed by unknown authority

What you expected to happen:

No warnings in the output.

How to reproduce it (as minimally and precisely as possible):

Following the quickstart instructions for creating a HTTPS webhook autoscaler should get you to the same state. Everything I'm using is pretty stock.

Anything else we need to know?:

Environment:

• Agones version: 1.7
• Kubernetes version (use kubectl version): v1.15.12-gke.13
• Cloud provider or hardware configuration: GKE
• Install method (yaml/helm): helm
• Troubleshooting guide log(s):
• Others:

[markmandel]

@rorygarand what OS did you create the certs on? Wondering if it's a cert generation issue?

[rorygarand]

Common name was set to: autoscaler-tls-service.default.svc on both created certs, and caBundle was set to the output of base64 -i ./rootCA.pem

@markmandel macOS 10.15.3

[aLekSer]

I will take a look on this issue.
An issue actually exists.
On the second attempt I got a bit different error:

x509: certificate signed by unknown authority

I need to update a doc on www.agones.dev.
Going to follow this guide to create a proper certificate:
https://stackoverflow.com/a/41366949

[aLekSer]

I assume that this must be the solution:
https://kubernetes.io/docs/concepts/cluster-administration/certificates/
https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/

[aLekSer]

Was able to reproduce the issue locally and its seems that we loose next RootCAs in setCABundle() method:

	caCertPool := x509.NewCertPool()
	caCertPool.AppendCertsFromPEM(cert)
	client := http.Client{
		Timeout: time.Minute * 3,
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{
				RootCAs: caCertPool,
                         },
		},
	}

https://gist.github.com/aLekSer/645f50f0d06c5b492faf5fe6a3d13595

[rorygarand]

Well I'm glad there's some evidence this is a bug. I was so sure I was just doing something wrong.