self-signed certificate "http: TLS handshake error from IP:PORT remote error: tls: bad certificate "

[noamgreen]

HI
i upgrade my EKS 1.22 to 1.24 the environment was working fine no issues
after upgrade to eks 1.24 ( add vpc-cni - i dont think its issues but ... )

i am getting this error no meter what i do

"github-runner-actions-runner-controller-7bfd59885d-q8czn manager 2023/02/05 18:22:59 http: TLS handshake error from: remote error: tls: bad certificate"

'''json
{"severity":"error","ts":1675621681.176363,"message":"Reconciler error","controller":"runner-controller","controllerGroup":"actions.summerwind.dev","controllerKind":"Runner","Runner":{"name":"actions-runner-7w87f-sjrlr","namespace":"github-runner"},"namespace":"github-runner","name":"actions-runner-7w87f-sjrlr","reconcileID":"7d0a832a-9009-4346-b963-4df4af303dab","error":"Internal error occurred: failed calling webhook "mutate.runner.actions.summerwind.dev": failed to call webhook: Post "https://github-runner-actions-runner-controller-webhook.github-runner.svc:443/mutate-actions-summerwind-dev-v1alpha1-runner?timeout=10s\": x509: certificate signed by unknown authority (possibly because of "x509: cannot verify signature: insecure algorithm SHA1-RSA (temporarily override with GODEBUG=x509sha1=1)" while trying to verify candidate authority certificate "actionrunners.XXX.io")","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\tsigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:326\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\tsigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:273\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\tsigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:234"}
'''

i was folling this link "https://josh-ops.com/posts/actions-runner-controller-without-cert-manager/" for the CA

non of the runners are starting as TLS issues

any help ? :-)

Controller Version
v0.27.0

Helm Chart Version
0.22.0

Thanks

[noamgreen]

So after many testing i found in the docs
"In Kubernetes 1.23 and earlier, kubelet serving certificates with unverifiable IP and DNS Subject Alternative Names (SANs) are automatically issued with unverifiable SANs. These unverifiable SANs are omitted from the provisioned certificate. In version 1.24 and later clusters, kubelet serving certificates aren't issued if any SAN can't be verified. This prevents kubectl exec and kubectl logs commands from working. For more information, see Certificate signing considerations before upgrading your cluster to Kubernetes 1.24."

so eks 1.23 and up will not support self sign CA .... i hope it will change

Thanks
@mumoshu