OpenUnison / openunison-k8s

Access portal for Kubernetes
Apache License 2.0

Webhook error in Argocd #91

Closed jeremy-allen3 closed 6 months ago

jeremy-allen3 commented 7 months ago

I am pretty new to this so forgive me if this is a dumb question. I am using a managed cluster on EKS and my test-orchestra-openunison stays in a Completed state of the openunison namespace. I keep running into this error message within Argocd and I can't figure out how to solve it.

Failed sync attempt to 86a05cdaf1f3e7df580c416e574b71654b0ef085: one or more objects failed to apply, reason: Internal error occurred: failed calling webhook "authmechs-openunison.tremolo.io": failed to call webhook: Post "https://openunison-openunison.openunison.svc:443/k8s/webhooks/v1/authmechs?timeout=30s": tls: failed to verify certificate: x509: certificate signed by unknown authority,Internal error occurred: failed calling webhook "authchains-openunison.tremolo.io": failed to call webhook: Post "https://openunison-openunison.openunison.svc:443/k8s/webhooks/v1/authchains?timeout=30s": tls: failed to verify certificate: x509: certificate signed by unknown authority,Internal error occurred: failed calling webhook "workflows-openunison.tremolo.io": failed to call webhook: Post "https://openunison-openunison.openunison.svc:443/k8s/webhooks/v1/workflows?timeout=30s": tls: failed to verify certificate: x509: certificate signed by unknown authority,Internal error occurred: failed calling webhook "applications-openunison.tremolo.io": failed to call webhook: Post "https://openunison-openunison.openunison.svc:443/k8s/webhooks/v1/applications?timeout=30s": tls: failed to verify certificate: x509: certificate signed by unknown authority

Any guidance you can provide is greatly appreciated.

mlbiam commented 7 months ago

Can you please post your Application object?

jeremy-allen3 commented 7 months ago

Is this what you are looking for?

{{- if ((.Values.toolConfig.openunison).enabled) }}
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: openunison
  namespace: argocd
spec:
  project: tooling
  source:
    repoURL: 'redacted'
    path: .
    targetRevision: {{ .Values.toolConfig.openunison.revision }}
    helm:
      parameters:
{{ include "argocd_apps.global_helm_parameters" . | indent 8}}
      valueFiles:
{{ include "argocd_apps.global_helm_valueFiles" . | indent 8 }}
  destination:
    server: 'https://kubernetes.default.svc'
    namespace: openunison
  syncPolicy:
    automated:
      selfHeal: true
      prune: true
    syncOptions:
      - CreateNamespace=true
{{ end }}

mlbiam commented 7 months ago

Yes. Here's the link to the Application object that we use for deployments: https://openunison.github.io/assets/yaml/argocd-application.yaml

A couple of things that are important:

  1. Disable selfHeal and prune - OpenUnison generates several objects that you don't want to be pruning
  2. It's important to tell ArgoCD not to update the admission controllers - OpenUnison generates certificates, and keeps them up to date. Unfortunately, you have to supply a certificate when the object gets created, so what happens is that there can be a mis-fire when argo and the operator sync at different points.
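
The two changes described in the comment above, applied to the Application from this thread, as an added example; it is not part of the original thread and is not the manifest published at the linked URL. Assumptions: the webhooks are `ValidatingWebhookConfiguration` objects, and `targetRevision` is a placeholder.

```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: openunison
  namespace: argocd
spec:
  project: tooling
  source:
    repoURL: 'redacted'            # as posted in the thread
    path: .
    targetRevision: main           # placeholder, set to your chart revision
  destination:
    server: 'https://kubernetes.default.svc'
    namespace: openunison
  # Leave the webhook CA bundle to the OpenUnison operator, which generates
  # and rotates the certificate. Without this, a sync can write back a stale
  # caBundle and the API server rejects the webhook's serving certificate
  # ("x509: certificate signed by unknown authority").
  # Assumption: the webhooks are ValidatingWebhookConfiguration objects; add
  # a MutatingWebhookConfiguration entry if your install has any.
  ignoreDifferences:
    - group: admissionregistration.k8s.io
      kind: ValidatingWebhookConfiguration
      jqPathExpressions:
        - .webhooks[]?.clientConfig.caBundle
  syncPolicy:
    # Before (as posted): selfHeal: true and prune: true, which let Argo CD
    # revert or delete objects that OpenUnison generates at runtime.
    automated:
      selfHeal: false
      prune: false
    syncOptions:
      - CreateNamespace=true
      # Without this option ignoreDifferences only affects the diff view;
      # a sync would still overwrite the ignored field.
      - RespectIgnoreDifferences=true
```

`RespectIgnoreDifferences` only protects a field on objects that already exist in the cluster, so the first sync still applies the value from the manifest.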

mlbiam commented 6 months ago

Closing due to inactivity. Feel free to re-open if you revisit.