I am trying to follow the AWS instructions to create an ALB for EKS (Elastic K8s Services in AWS).
The instructions are here: https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html
I have problems at step 7 (Install the controller manually). When I try to apply a yaml file in substep 7-b-c, I get an error:
Error from server (InternalError): error when creating "v2_0_0_full.yaml": Internal error occurred: failed calling webhook "webhook.cert-manager.io": Post https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s: x509: certificate is valid for ip-192-168-121-78.eu-central-1.compute.internal, not cert-manager-webhook.cert-manager.svc
Has anyone experienced a similar kind of problem, and what are the best ways to troubleshoot and solve it?
It seems that cert-manager doesn't run on Fargate as expected - #1606.
The first option, as a workaround, is to install the helm chart which doesn't have the cert-manager dependency. Helm will generate the self-signed cert and secret resources.
A different option is to remove all cert-manager stuff from the YAML manifest and provide your own self-signed certificate if you don't have helm as a dependency.
Take a look: alb-cert-manager, alb-eks-cert-manager.
Useful article: aws-fargate.
For EKS with Fargate, cert-manager-webhook server's port clashes with kubelet on the Fargate MicroVM.
Ref: https://github.com/jetstack/cert-manager/issues/3237#issuecomment-827523656
To remedy this, when installing the chart set the parameter webhook.securePort to a port that is not 10250 (e.g. 10260):

    helm install \
      cert-manager jetstack/cert-manager \
      --namespace cert-manager \
      --create-namespace \
      --version v1.3.1 \
      --set webhook.securePort=10260 \
      --set installCRDs=true
Or you could edit the cert-manager-webhook Deployment and Service to use this new port if cert-manager is already deployed.
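
Added example (not part of the answers above and not cert-manager's own tooling): a sketch of what editing the Deployment and Service for an already deployed webhook involves, applied to exported objects. The object layout (a `--secure-port=` argument, a matching container port, a numeric Service `targetPort`) and the sample objects are constructed assumptions; compare them with your own `kubectl get ... -o json` output.

```python
import copy

KUBELET_PORT = 10250  # port the answer says is already taken on the Fargate MicroVM
FLAG = "--secure-port="


def secure_port(deployment):
    """Return the port passed to the webhook via --secure-port, or None."""
    for c in deployment["spec"]["template"]["spec"]["containers"]:
        for arg in c.get("args", []):
            if arg.startswith(FLAG):
                return int(arg[len(FLAG):])
    return None


def move_webhook_port(deployment, service, new_port):
    """Return patched copies of both objects with the webhook on new_port."""
    if new_port == KUBELET_PORT:
        raise ValueError("new port must differ from the kubelet port")
    old = secure_port(deployment)
    if old is None:
        raise ValueError("no --secure-port argument found")
    dep, svc = copy.deepcopy(deployment), copy.deepcopy(service)
    for c in dep["spec"]["template"]["spec"]["containers"]:
        c["args"] = [f"{FLAG}{new_port}" if a.startswith(FLAG) else a
                     for a in c.get("args", [])]
        for p in c.get("ports", []):
            if p["containerPort"] == old:  # leave unrelated ports (e.g. health) alone
                p["containerPort"] = new_port
    for p in svc["spec"]["ports"]:
        # A named targetPort follows the container port name; only numbers need editing.
        if p.get("targetPort") == old:
            p["targetPort"] = new_port
    return dep, svc


# Constructed, trimmed objects (not taken from the page or from a real cluster).
DEPLOYMENT = {"spec": {"template": {"spec": {"containers": [{
    "name": "cert-manager",
    "args": ["--v=2", "--secure-port=10250"],
    "ports": [{"name": "https", "containerPort": 10250},
              {"name": "healthz", "containerPort": 6080}],
}]}}}}
SERVICE = {"spec": {"ports": [{"name": "https", "port": 443, "targetPort": 10250}]}}

if __name__ == "__main__":
    dep, svc = move_webhook_port(DEPLOYMENT, SERVICE, 10260)
    print(dep["spec"]["template"]["spec"]["containers"][0], svc["spec"]["ports"])
```

The Service's own `port` (443) stays unchanged, since that is the port in the webhook URL shown in the error message.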