Overview
This article covers the requirement for specific Helm Chart versions when using cert-manager to automate Aembit Agent Injector TLS certificate rotation. It ensures the caBundle is automatically synchronized across the cluster.
Relates To
Deployment Type: Kubernetes
Tooling: Helm,
cert-managerConfiguration:
values.yaml
Cause (Symptom)
This guide is the resolution for the x509 Unknown Authority error found in Article A. It applies specifically when:
You are using
cert-managerto manage Aembit secrets.You are running Aembit Helm Chart version lower than 1.25.494.
Changes to the
aembit-edge-tls-secretare not being reflected in theMutatingWebhookConfiguration.
Solution
1. Upgrade the Helm Chart The webhookAnnotations field, required for cert-manager integration, was introduced in later versions. Upgrade your chart to v1.25.494 or higher.
helm repo update
helm upgrade aembit aembit/aembit -n aembit --version 1.28.5072. Deploy with cert-manager Configurations When installing or upgrading, you must provide the specific annotations that allow cert-manager to take over certificate management.
Use the following helm install command, replacing the placeholders with your specific environment details. Make sure to leave the backslashes in cert-manager\.io and <namespace>\/<certificate name>, as they are important.
helm install aembit aembit/aembit \
-n <namespace> \
--create-namespace \
--set tenant=<tenantId> \
--set agentController.id=<agentControllerId> \
--set 'agent-Injector.webhookAnnotations.cert-manager\.io/inject-ca-from=<namespace>\/<certificate name>' \
--set agent-Injector.certificate.create=false \
--set agent-Injector.certificate.commonName=<certificate secret name>Key Value Breakdown:
webhookAnnotations: Explicitly tells the Aembit Webhook to trust the CA provided bycert-manager.certificate.create=false: Prevents the Aembit Helm chart from generating its own self-signed certificates, avoiding a conflict withcert-manager.certificate.commonName: Ensures the Agent Injector looks for the specific secret name managed by yourcert-managerissuer.
3. Verify Sync Once applied, the cert-manager CA-Injector will automatically populate the caBundle. Re-run the diagnostic commands in Kubernetes | Mutating Webhook Failure: x509 Unknown Authority to confirm the issuer and subject now match.