stevehipwell / helm-charts

Helm chart repository.
MIT License

VPA: 'bad certificate' error when using cert-manager self-signed cert #1046

Open mergwyn opened 1 month ago

mergwyn commented 1 month ago

I'm trying to use the vpa chart with a cert-manager certificate. The recommender and updater appear to work fine, but the admission controller doesn't seem to start the webhook properly, producing a bad certificate error. As far as I am able to tell the generated certificate looks like it has been correctly generated, but clearly something is amiss that is beyond my ability to debug. I'm not sure if this is an issue with the chart or with VPA itself, but hopefully you can point me in the right direction! Many thanks

Admission Deployment:

apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    deployment.kubernetes.io/revision: "3"
  creationTimestamp: "2024-09-11T17:13:36Z"
  generation: 3
  labels:
    app.kubernetes.io/component: admission-controller
    app.kubernetes.io/component-instance: vertical-pod-autoscaler-admission-controller
    app.kubernetes.io/instance: vertical-pod-autoscaler
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: vertical-pod-autoscaler
    app.kubernetes.io/version: 1.2.1
    argocd.argoproj.io/instance: vertical-pod-autoscaler
    helm.sh/chart: vertical-pod-autoscaler-1.7.1
  name: vertical-pod-autoscaler-admission-controller
  namespace: kube-system
  resourceVersion: "25725578"
  uid: 1d05aed9-accb-4b1d-9486-16d8403f6040
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app.kubernetes.io/component: admission-controller
      app.kubernetes.io/instance: vertical-pod-autoscaler
      app.kubernetes.io/name: vertical-pod-autoscaler
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      annotations:
        kubectl.kubernetes.io/restartedAt: "2024-09-15T08:42:19+01:00"
      creationTimestamp: null
      labels:
        app.kubernetes.io/component: admission-controller
        app.kubernetes.io/instance: vertical-pod-autoscaler
        app.kubernetes.io/name: vertical-pod-autoscaler
    spec:
      containers:
      - args:
        - --v=5
        - --port=8000
        - --address=:8944
        - --register-webhook=false
        - --client-ca-file=/etc/tls-certs/ca.crt
        - --tls-cert-file=/etc/tls-certs/tls.crt
        - --tls-private-key=/etc/tls-certs/tls.key
        - --reload-cert
        env:
        - name: NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        image: registry.k8s.io/autoscaling/vpa-admission-controller:1.2.1
        imagePullPolicy: IfNotPresent
        livenessProbe:
          failureThreshold: 10
          httpGet:
            path: /health-check
            port: http-metrics
            scheme: HTTP
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        name: admission-controller
        ports:
        - containerPort: 8000
          name: http
          protocol: TCP
        - containerPort: 8944
          name: http-metrics
          protocol: TCP
        readinessProbe:
          failureThreshold: 10
          httpGet:
            path: /health-check
            port: http-metrics
            scheme: HTTP
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        resources: {}
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          privileged: false
          readOnlyRootFilesystem: true
          runAsGroup: 65532
          runAsNonRoot: true
          runAsUser: 65532
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /etc/tls-certs
          name: tls-certs
          readOnly: true
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext:
        fsGroup: 65534
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      serviceAccount: vertical-pod-autoscaler-admission-controller
      serviceAccountName: vertical-pod-autoscaler-admission-controller
      terminationGracePeriodSeconds: 30
      volumes:
      - name: tls-certs
        secret:
          defaultMode: 420
          secretName: vertical-pod-autoscaler-admission-controller-cert
status:
  availableReplicas: 1
  conditions:
  - lastTransitionTime: "2024-09-11T17:13:43Z"
    lastUpdateTime: "2024-09-11T17:13:43Z"
    message: Deployment has minimum availability.
    reason: MinimumReplicasAvailable
    status: "True"
    type: Available
  - lastTransitionTime: "2024-09-11T17:13:36Z"
    lastUpdateTime: "2024-09-15T08:01:36Z"
    message: ReplicaSet "vertical-pod-autoscaler-admission-controller-67f87bf7f5"
      has successfully progressed.
    reason: NewReplicaSetAvailable
    status: "True"
    type: Progressing
  observedGeneration: 3
  readyReplicas: 1
  replicas: 1
  updatedReplicas: 1

This is my values.yaml:

#updater:
#  extraArgs:
#  - "--min-replicas=1"

logLevel: 5

admissionController:
  certManager:
    enabled: true
  extraArgs:
  - "--reload-cert"

The certificate issuer:

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  creationTimestamp: "2024-09-11T17:13:37Z"
  generation: 1
  labels:
    app.kubernetes.io/component: admission-controller
    app.kubernetes.io/component-instance: vertical-pod-autoscaler-admission-controller
    app.kubernetes.io/instance: vertical-pod-autoscaler
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: vertical-pod-autoscaler
    app.kubernetes.io/version: 1.2.1
    argocd.argoproj.io/instance: vertical-pod-autoscaler
    helm.sh/chart: vertical-pod-autoscaler-1.7.1
  name: vertical-pod-autoscaler-admission-controller-cert
  namespace: kube-system
  resourceVersion: "21981204"
  uid: af501a24-83a1-4a45-b7b9-8a8fd99b1657
spec:
  selfSigned: {}
status:
  conditions:
  - lastTransitionTime: "2024-09-11T17:13:37Z"
    observedGeneration: 1
    reason: IsReady
    status: "True"
    type: Ready

The generated certificate:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  creationTimestamp: "2024-09-11T17:13:37Z"
  generation: 1
  labels:
    app.kubernetes.io/component: admission-controller
    app.kubernetes.io/component-instance: vertical-pod-autoscaler-admission-controller
    app.kubernetes.io/instance: vertical-pod-autoscaler
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: vertical-pod-autoscaler
    app.kubernetes.io/version: 1.2.1
    argocd.argoproj.io/instance: vertical-pod-autoscaler
    helm.sh/chart: vertical-pod-autoscaler-1.7.1
  name: vertical-pod-autoscaler-admission-controller
  namespace: kube-system
  resourceVersion: "21981196"
  uid: f1e7e2d6-6924-4a77-8bc7-e4f9ee4d7d79
spec:
  dnsNames:
  - vertical-pod-autoscaler-admission-controller.kube-system
  - vertical-pod-autoscaler-admission-controller.kube-system.svc
  - vertical-pod-autoscaler-admission-controller.kube-system.svc.cluster.local
  issuerRef:
    kind: Issuer
    name: vertical-pod-autoscaler-admission-controller-cert
  secretName: vertical-pod-autoscaler-admission-controller-cert
status:
  conditions:
  - lastTransitionTime: "2024-09-11T17:13:37Z"
    message: Certificate is up to date and has not expired
    observedGeneration: 1
    reason: Ready
    status: "True"
    type: Ready
  notAfter: "2024-12-09T15:34:13Z"
  notBefore: "2024-09-10T15:34:13Z"
  renewalTime: "2024-11-09T15:34:13Z"

And the resulting secret:

apiVersion: v1
data:
  ca.crt: <base64 certificate data omitted>
  tls.crt: <base64 certificate data omitted>
  tls.key: <base64 private key data omitted>
kind: Secret
metadata:
  annotations:
    cert-manager.io/alt-names: vertical-pod-autoscaler-admission-controller.kube-system,vertical-pod-autoscaler-admission-controller.kube-system.svc,vertical-pod-autoscaler-admission-controller.kube-system.svc.cluster.local
    cert-manager.io/certificate-name: vertical-pod-autoscaler-admission-controller
    cert-manager.io/common-name: ""
    cert-manager.io/ip-sans: ""
    cert-manager.io/issuer-group: ""
    cert-manager.io/issuer-kind: Issuer
    cert-manager.io/issuer-name: vertical-pod-autoscaler-admission-controller-cert
    cert-manager.io/uri-sans: ""
  creationTimestamp: "2024-09-08T07:44:32Z"
  labels:
    controller.cert-manager.io/fao: "true"
  name: vertical-pod-autoscaler-admission-controller-cert
  namespace: kube-system
  resourceVersion: "20891073"
  uid: 48f2a61a-1476-4319-a4a9-38a718d4795e
type: kubernetes.io/tls

This is the log from the admission controller:

I0915 08:01:35.491726       1 flags.go:57] FLAG: --add-dir-header="false"
I0915 08:01:35.492953       1 flags.go:57] FLAG: --address=":8944"
I0915 08:01:35.492966       1 flags.go:57] FLAG: --alsologtostderr="false"
I0915 08:01:35.492976       1 flags.go:57] FLAG: --client-ca-file="/etc/tls-certs/ca.crt"
I0915 08:01:35.492985       1 flags.go:57] FLAG: --ignored-vpa-object-namespaces=""
I0915 08:01:35.492994       1 flags.go:57] FLAG: --kube-api-burst="10"
I0915 08:01:35.493006       1 flags.go:57] FLAG: --kube-api-qps="5"
I0915 08:01:35.493026       1 flags.go:57] FLAG: --kubeconfig=""
I0915 08:01:35.493035       1 flags.go:57] FLAG: --log-backtrace-at=":0"
I0915 08:01:35.493058       1 flags.go:57] FLAG: --log-dir=""
I0915 08:01:35.493068       1 flags.go:57] FLAG: --log-file=""
I0915 08:01:35.493076       1 flags.go:57] FLAG: --log-file-max-size="1800"
I0915 08:01:35.493088       1 flags.go:57] FLAG: --logtostderr="true"
I0915 08:01:35.493096       1 flags.go:57] FLAG: --min-tls-version="tls1_2"
I0915 08:01:35.493105       1 flags.go:57] FLAG: --one-output="false"
I0915 08:01:35.493114       1 flags.go:57] FLAG: --port="8000"
I0915 08:01:35.493124       1 flags.go:57] FLAG: --register-by-url="false"
I0915 08:01:35.493132       1 flags.go:57] FLAG: --register-webhook="false"
I0915 08:01:35.493142       1 flags.go:57] FLAG: --reload-cert="true"
I0915 08:01:35.493151       1 flags.go:57] FLAG: --skip-headers="false"
I0915 08:01:35.493159       1 flags.go:57] FLAG: --skip-log-headers="false"
I0915 08:01:35.493170       1 flags.go:57] FLAG: --stderrthreshold="2"
I0915 08:01:35.493178       1 flags.go:57] FLAG: --tls-cert-file="/etc/tls-certs/tls.crt"
I0915 08:01:35.493193       1 flags.go:57] FLAG: --tls-ciphers=""
I0915 08:01:35.493202       1 flags.go:57] FLAG: --tls-private-key="/etc/tls-certs/tls.key"
I0915 08:01:35.493212       1 flags.go:57] FLAG: --v="5"
I0915 08:01:35.493221       1 flags.go:57] FLAG: --vmodule=""
I0915 08:01:35.493237       1 flags.go:57] FLAG: --vpa-object-namespace=""
I0915 08:01:35.493246       1 flags.go:57] FLAG: --webhook-address=""
I0915 08:01:35.493256       1 flags.go:57] FLAG: --webhook-port=""
I0915 08:01:35.493264       1 flags.go:57] FLAG: --webhook-service="vpa-webhook"
I0915 08:01:35.493272       1 flags.go:57] FLAG: --webhook-timeout-seconds="30"
I0915 08:01:35.494562       1 main.go:87] Vertical Pod Autoscaler 1.2.1 Admission Controller
I0915 08:01:35.504175       1 reflector.go:289] Starting reflector *v1.VerticalPodAutoscaler (1h0m0s) from k8s.io/autoscaler/vertical-pod-autoscaler/pkg/utils/vpa/api.go:90
I0915 08:01:35.504371       1 reflector.go:325] Listing and watching *v1.VerticalPodAutoscaler from k8s.io/autoscaler/vertical-pod-autoscaler/pkg/utils/vpa/api.go:90
I0915 08:01:35.697590       1 shared_informer.go:341] caches populated
I0915 08:01:35.697649       1 api.go:94] Initial VPA synced successfully
I0915 08:01:35.717300       1 discovery.go:214] Invalidating discovery information
I0915 08:01:35.718598       1 reflector.go:289] Starting reflector *v1.Job (10m0s) from k8s.io/autoscaler/vertical-pod-autoscaler/pkg/target/fetcher.go:94
I0915 08:01:35.718652       1 reflector.go:325] Listing and watching *v1.Job from k8s.io/autoscaler/vertical-pod-autoscaler/pkg/target/fetcher.go:94
I0915 08:01:35.919350       1 shared_informer.go:341] caches populated
I0915 08:01:35.919468       1 fetcher.go:99] Initial sync of Job completed
I0915 08:01:35.919834       1 reflector.go:289] Starting reflector *v1.CronJob (10m0s) from k8s.io/autoscaler/vertical-pod-autoscaler/pkg/target/fetcher.go:94
I0915 08:01:35.919869       1 reflector.go:325] Listing and watching *v1.CronJob from k8s.io/autoscaler/vertical-pod-autoscaler/pkg/target/fetcher.go:94
I0915 08:01:36.020312       1 shared_informer.go:341] caches populated
I0915 08:01:36.020361       1 fetcher.go:99] Initial sync of CronJob completed
I0915 08:01:36.020719       1 reflector.go:289] Starting reflector *v1.DaemonSet (10m0s) from k8s.io/autoscaler/vertical-pod-autoscaler/pkg/target/fetcher.go:94
I0915 08:01:36.020740       1 reflector.go:325] Listing and watching *v1.DaemonSet from k8s.io/autoscaler/vertical-pod-autoscaler/pkg/target/fetcher.go:94
I0915 08:01:36.121330       1 shared_informer.go:341] caches populated
I0915 08:01:36.121382       1 fetcher.go:99] Initial sync of DaemonSet completed
I0915 08:01:36.121727       1 reflector.go:289] Starting reflector *v1.Deployment (10m0s) from k8s.io/autoscaler/vertical-pod-autoscaler/pkg/target/fetcher.go:94
I0915 08:01:36.121760       1 reflector.go:325] Listing and watching *v1.Deployment from k8s.io/autoscaler/vertical-pod-autoscaler/pkg/target/fetcher.go:94
I0915 08:01:36.221553       1 shared_informer.go:341] caches populated
I0915 08:01:36.221604       1 fetcher.go:99] Initial sync of Deployment completed
I0915 08:01:36.221901       1 reflector.go:289] Starting reflector *v1.ReplicaSet (10m0s) from k8s.io/autoscaler/vertical-pod-autoscaler/pkg/target/fetcher.go:94
I0915 08:01:36.221938       1 reflector.go:325] Listing and watching *v1.ReplicaSet from k8s.io/autoscaler/vertical-pod-autoscaler/pkg/target/fetcher.go:94
I0915 08:01:36.527384       1 shared_informer.go:341] caches populated
I0915 08:01:36.527431       1 fetcher.go:99] Initial sync of ReplicaSet completed
I0915 08:01:36.527743       1 reflector.go:289] Starting reflector *v1.StatefulSet (10m0s) from k8s.io/autoscaler/vertical-pod-autoscaler/pkg/target/fetcher.go:94
I0915 08:01:36.527777       1 reflector.go:325] Listing and watching *v1.StatefulSet from k8s.io/autoscaler/vertical-pod-autoscaler/pkg/target/fetcher.go:94
I0915 08:01:36.628785       1 shared_informer.go:341] caches populated
I0915 08:01:36.628853       1 fetcher.go:99] Initial sync of StatefulSet completed
I0915 08:01:36.629272       1 reflector.go:289] Starting reflector *v1.ReplicationController (10m0s) from k8s.io/autoscaler/vertical-pod-autoscaler/pkg/target/fetcher.go:94
I0915 08:01:36.629304       1 reflector.go:325] Listing and watching *v1.ReplicationController from k8s.io/autoscaler/vertical-pod-autoscaler/pkg/target/fetcher.go:94
I0915 08:01:36.729855       1 shared_informer.go:341] caches populated
I0915 08:01:36.729897       1 fetcher.go:99] Initial sync of ReplicationController completed
I0915 08:01:36.730363       1 shared_informer.go:341] caches populated
I0915 08:01:36.730434       1 controller_fetcher.go:141] Initial sync of Deployment completed
I0915 08:01:36.730462       1 shared_informer.go:341] caches populated
I0915 08:01:36.730491       1 controller_fetcher.go:141] Initial sync of ReplicaSet completed
I0915 08:01:36.730507       1 shared_informer.go:341] caches populated
I0915 08:01:36.730518       1 controller_fetcher.go:141] Initial sync of StatefulSet completed
I0915 08:01:36.730530       1 shared_informer.go:341] caches populated
I0915 08:01:36.730542       1 controller_fetcher.go:141] Initial sync of ReplicationController completed
I0915 08:01:36.730553       1 shared_informer.go:341] caches populated
I0915 08:01:36.730578       1 controller_fetcher.go:141] Initial sync of Job completed
I0915 08:01:36.730591       1 shared_informer.go:341] caches populated
I0915 08:01:36.730602       1 controller_fetcher.go:141] Initial sync of CronJob completed
I0915 08:01:36.730614       1 shared_informer.go:341] caches populated
I0915 08:01:36.730626       1 controller_fetcher.go:141] Initial sync of DaemonSet completed
I0915 08:01:36.730737       1 discovery.go:214] Invalidating discovery information
W0915 08:01:36.730794       1 shared_informer.go:459] The sharedIndexInformer has started, run more than once is not allowed
W0915 08:01:36.730807       1 shared_informer.go:459] The sharedIndexInformer has started, run more than once is not allowed
W0915 08:01:36.730822       1 shared_informer.go:459] The sharedIndexInformer has started, run more than once is not allowed
W0915 08:01:36.730850       1 shared_informer.go:459] The sharedIndexInformer has started, run more than once is not allowed
W0915 08:01:36.730856       1 shared_informer.go:459] The sharedIndexInformer has started, run more than once is not allowed
W0915 08:01:36.730860       1 shared_informer.go:459] The sharedIndexInformer has started, run more than once is not allowed
W0915 08:01:36.730950       1 shared_informer.go:459] The sharedIndexInformer has started, run more than once is not allowed
I0915 08:01:36.731314       1 reflector.go:289] Starting reflector *v1.LimitRange (10m0s) from k8s.io/autoscaler/vertical-pod-autoscaler/pkg/utils/limitrange/limit_range_calculator.go:60
I0915 08:01:36.731346       1 reflector.go:325] Listing and watching *v1.LimitRange from k8s.io/autoscaler/vertical-pod-autoscaler/pkg/utils/limitrange/limit_range_calculator.go:60
I0915 08:01:36.831153       1 shared_informer.go:341] caches populated
2024/09/15 08:03:58 http: TLS handshake error from 10.42.0.0:36068: remote error: tls: bad certificate
I0915 08:06:35.718484       1 discovery.go:214] Invalidating discovery information
I0915 08:06:36.731460       1 discovery.go:214] Invalidating discovery information
I0915 08:07:16.941518       1 reflector.go:790] k8s.io/autoscaler/vertical-pod-autoscaler/pkg/target/fetcher.go:94: Watch close - *v1.CronJob total 6 items received
I0915 08:07:17.074882       1 reflector.go:790] k8s.io/autoscaler/vertical-pod-autoscaler/pkg/target/fetcher.go:94: Watch close - *v1.DaemonSet total 7 items received
I0915 08:07:30.842187       1 reflector.go:790] k8s.io/autoscaler/vertical-pod-autoscaler/pkg/target/fetcher.go:94: Watch close - *v1.Job total 13 items received
I0915 08:08:10.657361       1 reflector.go:790] k8s.io/autoscaler/vertical-pod-autoscaler/pkg/target/fetcher.go:94: Watch close - *v1.ReplicationController total 8 items received
I0915 08:08:18.769606       1 reflector.go:790] k8s.io/autoscaler/vertical-pod-autoscaler/pkg/utils/limitrange/limit_range_calculator.go:60: Watch close - *v1.LimitRange total 8 items received
I0915 08:08:51.451660       1 reflector.go:790] k8s.io/autoscaler/vertical-pod-autoscaler/pkg/target/fetcher.go:94: Watch close - *v1.ReplicaSet total 13 items received
2024/09/15 08:10:00 http: TLS handshake error from 10.42.0.0:37660: remote error: tls: bad certificate
2024/09/15 08:10:00 http: TLS handshake error from 10.42.0.0:37676: remote error: tls: bad certificate
2024/09/15 08:10:00 http: TLS handshake error from 10.42.0.0:37666: remote error: tls: bad certificate
2024/09/15 08:10:01 http: TLS handshake error from 10.42.0.0:37692: remote error: tls: bad certificate
2024/09/15 08:10:01 http: TLS handshake error from 10.42.0.0:37694: remote error: tls: bad certificate

And finally, this is what happens when I unpack the certificate from the secret and try to validate it:

+ kubectl -n kube-system get secret vertical-pod-autoscaler-admission-controller-cert -o json '-o=jsonpath={.data.ca\.crt}'
+ base64 -d
+ kubectl -n kube-system get secret vertical-pod-autoscaler-admission-controller-cert -o json '-o=jsonpath={.data.tls\.crt}'
+ base64 -d
+ kubectl -n kube-system get secret vertical-pod-autoscaler-admission-controller-cert -o json '-o=jsonpath={.data.tls\.key}'
+ base64 -d
+ openssl x509 -in ca.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            9e:51:bd:09:80:0c:21:62:01:6f:a1:b7:06:ca:73:c0
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: 
        Validity
            Not Before: Sep 10 15:34:13 2024 GMT
            Not After : Dec  9 15:34:13 2024 GMT
        Subject: 
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:dc:07:84:83:58:40:48:98:3f:8e:fe:97:1a:27:
                    19:ac:b5:4b:eb:5d:56:70:d3:c9:5c:6b:9e:90:a5:
                    64:99:51:1c:14:c0:b8:aa:0d:42:90:2e:d0:a4:64:
                    e9:e8:d4:1d:cf:14:0f:3b:8c:dc:b3:77:49:1b:12:
                    85:35:23:68:fe:aa:5c:20:06:0e:36:0a:17:89:a8:
                    48:b6:e7:2e:43:ca:f2:f8:87:f3:b7:8a:e0:8d:ed:
                    c7:d4:fe:75:aa:d5:0f:fb:af:17:b8:45:22:d7:2a:
                    aa:b5:bb:27:a5:c8:6d:11:1a:f1:71:31:0e:d6:0f:
                    4a:8d:fd:c6:96:d3:9e:df:bd:dd:bc:34:f3:fe:f3:
                    47:95:85:29:06:2a:54:b5:cf:7f:f7:af:d8:b2:64:
                    21:58:0d:1f:85:ff:d6:4e:c8:67:1c:32:67:9d:36:
                    ac:0b:24:c0:87:1a:b1:7a:1b:cc:b0:49:68:d8:0e:
                    54:34:14:1a:14:6e:ec:09:1d:70:46:0f:93:e9:e7:
                    08:64:a3:60:ff:23:db:ea:66:56:be:53:1b:c5:30:
                    40:7c:27:f9:67:d1:b6:20:6c:69:42:7b:42:7e:b1:
                    da:e4:cf:fa:33:43:75:5d:d6:b1:1e:02:2f:e1:35:
                    31:88:16:7e:d0:4f:80:be:23:69:77:c2:c6:ea:50:
                    d7:25
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Alternative Name: critical
                DNS:vertical-pod-autoscaler-admission-controller.kube-system, DNS:vertical-pod-autoscaler-admission-controller.kube-system.svc, DNS:vertical-pod-autoscaler-admission-controller.kube-system.svc.cluster.local
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        af:a7:4f:27:b6:11:a7:69:81:18:29:18:c8:83:a4:46:6b:47:
        14:f4:6a:97:e2:a8:f3:bf:32:78:cf:2a:b2:a6:7f:6e:a8:b6:
        bd:e8:2b:3a:b7:0d:f6:4b:22:6c:ad:bf:81:2b:82:c5:78:cb:
        0a:79:2a:dc:8f:49:3c:3c:60:d3:cb:ff:73:d9:39:6b:13:af:
        b8:ee:af:43:32:56:ea:cc:25:2c:21:78:d8:a9:09:c0:26:d1:
        8b:ff:95:f5:7b:48:83:f2:48:86:9d:cd:e4:65:89:14:06:d0:
        b0:29:71:da:76:a1:42:9d:e0:8c:59:ef:82:ea:b4:a7:13:29:
        1a:72:42:66:5e:c5:1e:ca:e2:80:a9:64:1f:eb:c4:df:64:17:
        63:44:54:13:84:cf:d2:5f:ea:ea:aa:32:85:ff:9b:2c:1b:d8:
        fe:5b:ee:b4:34:b5:6b:b6:36:83:95:b7:67:7f:22:1f:ee:eb:
        b8:fe:c8:87:67:27:b0:36:76:6f:3c:07:78:53:ff:f8:9f:22:
        cb:f3:ef:fc:ce:b0:80:96:1d:5f:5a:6a:4d:a6:04:fd:0f:16:
        a6:46:a8:48:d5:33:42:2f:59:25:9f:11:e5:9d:c7:99:86:55:
        29:c3:a6:8c:51:21:29:00:bf:15:a4:75:8c:93:11:c2:27:2f:
        d0:a5:53:83
+ openssl x509 -noout -modulus -in ca.crt
+ openssl md5
MD5(stdin)= 41d30e57a951435349447219a22b0b8c
+ openssl x509 -noout -modulus -in tls.crt
+ openssl md5
MD5(stdin)= 41d30e57a951435349447219a22b0b8c
+ openssl rsa -noout -modulus -in tls.key
+ openssl md5
MD5(stdin)= 41d30e57a951435349447219a22b0b8c
+ openssl rsa -check -in tls.key
writing RSA key
RSA key ok
+ openssl x509 -noout -dates -in ca.crt
notBefore=Sep 10 15:34:13 2024 GMT
notAfter=Dec  9 15:34:13 2024 GMT
+ openssl x509 -noout -dates -in tls.crt
notBefore=Sep 10 15:34:13 2024 GMT
notAfter=Dec  9 15:34:13 2024 GMT
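
The "remote error: tls: bad certificate" lines in the log are an alert received from the peer, i.e. the kube-apiserver calling the webhook, so the apiserver could not validate the served certificate against the caBundle it holds; that check is independent of whether tls.crt and tls.key match each other, which is all the openssl session above establishes. The Go program below is an added example, not code from the chart or from VPA: it reproduces the apiserver's client-side verification offline with a constructed certificate of the same shape as the one in the secret (empty Subject, CA:FALSE, SAN only, self-signed), with the Service DNS name taken from the Certificate's dnsNames; the "stale caBundle" case is an assumed scenario for illustration, not a diagnosis of this issue.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// DNS name the kube-apiserver dials for the webhook Service; taken from the
// Certificate's dnsNames in the issue.
const webhookHost = "vertical-pod-autoscaler-admission-controller.kube-system.svc"

// newSelfSignedLeafPEM builds a constructed certificate shaped like the one the
// SelfSigned Issuer produced in the issue: empty Subject and Issuer, CA:FALSE,
// a critical SAN list, signed with its own key. A self-signed leaf like this is
// trusted by a Go client only if that exact certificate is in its root pool.
func newSelfSignedLeafPEM(dnsNames ...string) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		BasicConstraintsValid: true, // emits "CA:FALSE", as in the openssl dump
		DNSNames:              dnsNames,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// verifyAsAPIServer runs the check the kube-apiserver's webhook client performs
// on the certificate the admission controller serves: trust only what is in the
// webhook configuration's caBundle and verify servedPEM against it for host.
// When this check fails, the client aborts the handshake with a bad_certificate
// alert and the webhook logs "remote error: tls: bad certificate".
func verifyAsAPIServer(servedPEM, caBundlePEM []byte, host string) error {
	block, _ := pem.Decode(servedPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return fmt.Errorf("served tls.crt is not a PEM certificate")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return fmt.Errorf("parse served certificate: %w", err)
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caBundlePEM) {
		return fmt.Errorf("caBundle contains no parsable certificate")
	}
	_, err = leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	served, err := newSelfSignedLeafPEM(webhookHost)
	if err != nil {
		panic(err)
	}
	stale, err := newSelfSignedLeafPEM(webhookHost) // assumed: bundle from an earlier issuance
	if err != nil {
		panic(err)
	}
	fmt.Println("caBundle holds the served cert: ", verifyAsAPIServer(served, served, webhookHost))
	fmt.Println("caBundle holds a stale cert:    ", verifyAsAPIServer(served, stale, webhookHost))
	fmt.Println("caBundle ok, wrong Service name:", verifyAsAPIServer(served, served, "vpa-webhook.kube-system.svc"))
}
```

To run the same check against a live cluster, feed verifyAsAPIServer the decoded tls.crt from the secret and the decoded caBundle from the webhook configuration's clientConfig, with the host the apiserver is configured to dial.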

stevehipwell commented 2 days ago

@mergwyn sorry I've been on leave and very busy; did you get anywhere with this?

mergwyn commented 2 days ago

No, I couldn't get it to work and swapped to a different chart from https://charts.fairwinds.com/stable