TLS Error with Karpenter Liveness and Readiness Probes: remote error: tls: unrecognized name

[oluranticode]

Description

Observed Behavior:

I am deploying Karpenter on my EKS cluster via ArgoCD, and I am encountering TLS errors on the liveness and readiness probes. The errors are as follows:

Readiness probe failed: Get "https://10.0.x.x:8443/": remote error: tls: unrecognized name Liveness probe failed: Get "https://10.0.x.x:8443/": remote error: tls: unrecognized name

I have set up a wildcard DNS for *.mydomain.com, and Karpenter is using a TLS certificate with karpenter.mydomain.com as the common name (CN). Despite my configuration, the probes keep failing due to a TLS handshake issue.

Expected Behavior:

The probes should pass successfully without TLS errors, and the liveness and readiness checks should not fail due to mismatched certificate names.

Reproduction Steps (Please include YAML):

Deploy Karpenter using Helm via ArgoCD. Configure TLS with a cert-manager Certificate for karpenter.mydomian.com. Apply readiness and liveness probes using the service IP (10.0.x.x). Observe the repeated TLS errors in the pod logs.

apiVersion: argoproj.io/v1alpha1 kind: Application metadata: name: karpenter namespace: argocd spec: project: system source: repoURL: 'https://charts.karpenter.sh' chart: karpenter targetRevision: {{ index .Values "targetRevision" "karpenter" }} helm: values: | clusterName: "cliniify-cluster" clusterEndpoint: "https://A1B2C3D4E$%RF6G7H8I9J0K1L2M3N4O5P6Q7R8S9T0.us-west-2.eks.amazonaws.com" defaultInstanceProfile: "KarpenterInstanceProfile" controller: livenessProbe: httpGet: scheme: HTTPS host: karpenter.kube-system.svc.cluster.local # Service DNS port: 8443 httpHeaders:

• name: Host value: karpenter.mydomain.com readinessProbe: httpGet: scheme: HTTPS host: karpenter.kube-system.svc.cluster.local port: 8443 httpHeaders:
• name: Host value: karpenter.mydomain.com tls: secretName: karpenter-tls serviceName: karpenter # Service name namespace: kube-system # Namespace of the secret keyFile: tls.key certFile: tls.crt destination: server: 'https://kubernetes.default.svc' namespace: kube-system syncPolicy: automated: prune: true # Optional: Automatically delete resources that are no longer defined in the source selfHeal: true # Optional: Automatically correct any deviations from the desired state syncOptions:
  • ApplyOutOfSyncOnly=true

Versions: karpenter: 0.16.3

• Chart Version: 1.0.0
• Kubernetes Version (kubectl version): 1.29

apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: karpenter-cert namespace: kube-system spec: secretName: karpenter-tls duration: 24h renewBefore: 12h commonName: karpenter.mydomain.com dnsNames:

• karpenter.mydomain.com
• karpenter.kube-system.svc.cluster.local issuerRef: name: letsencrypt-prod kind: ClusterIssuer privateKey: algorithm: RSA size: 2048

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

[njtran]

Looks like you're on v1.0.0. You should try v1.0.2 as the latest patch version for v1.0.

Additionally, do you have this secret? https://github.com/aws/karpenter-provider-aws/blob/v1.0.2/charts/karpenter/templates/secret-webhook-cert.yaml