Kubernetes: ingress-nginx-controller-admission error, x509 certificate signed by unknown authority

If you delete the entire nginx namespace and reinstall via the Helm chart, the nginx admission controller may return an “x509 certificate signed by unknown authority” error when you attempt to create an nginx ingress.

This happens regardless of whether the ingress uses plain HTTP or HTTPS, and regardless of whether the TLS secret is self-signed or signed by a common certificate authority. As the error below shows, the certificate being rejected belongs to the admission webhook service, not to the ingress you are creating.

...failed to create resource: Internal error occurred: failed calling webhook "validate.nginx.ingress.kubernetes.io": Post "https://ingress-nginx-controller-admission.default.svc:443/networking/v1beta1/ingresses?timeout=10s": x509: certificate signed by unknown authority...

This can be fixed by taking the CA data from the nginx admission secret and patching it into the nginx validating webhook configuration, as shown below (provided by damienleger).

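# adjust to your namespace
ns=default

# base64-encoded CA certificate stored in the admission secret
CA=$(kubectl -n "$ns" get secret ingress-nginx-admission -o jsonpath='{.data.ca}')

# write that CA into the webhook's caBundle (the webhook configuration is cluster-scoped, so -n has no effect on this command)
kubectl patch validatingwebhookconfigurations ingress-nginx-admission -n "$ns" --type='json' -p='[{"op": "add", "path": "/webhooks/0/clientConfig/caBundle", "value":"'"$CA"'"}]'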
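
To check whether the patch is needed before applying it, the secret and the webhook configuration can be compared first. The following is an added example, not code from the original post or from the ingress-nginx project: it takes the two objects as `kubectl get ... -o json` would return them, compares the secret's `.data.ca` with each webhook's `caBundle`, and builds the JSON patch only for entries that differ, so it covers every webhook entry rather than only `/webhooks/0`. The function names and the sample objects are constructed for illustration.

```python
import base64
import json


def decode_bundle(b64_value):
    """Decode a base64 CA bundle; a missing or empty value becomes b''."""
    return base64.b64decode(b64_value).strip() if b64_value else b""


def build_ca_patch(secret, webhook_cfg):
    """Return JSON-patch ops for each webhook whose caBundle differs from the secret's CA."""
    ca_b64 = secret.get("data", {}).get("ca")
    wanted = decode_bundle(ca_b64)
    if not wanted:
        raise ValueError("admission secret has no .data.ca to copy from")
    ops = []
    for index, hook in enumerate(webhook_cfg.get("webhooks") or []):
        current = decode_bundle(hook.get("clientConfig", {}).get("caBundle"))
        if current != wanted:
            # "add" on an existing member replaces it (RFC 6902), so this
            # covers both a stale caBundle and a missing one.
            ops.append({
                "op": "add",
                "path": f"/webhooks/{index}/clientConfig/caBundle",
                "value": ca_b64,
            })
    return ops


def sample_pem(label):
    """Constructed placeholder bundle, not a real certificate."""
    text = f"-----BEGIN CERTIFICATE-----\n{label}\n-----END CERTIFICATE-----\n"
    return base64.b64encode(text.encode()).decode()


# Constructed sample objects: the secret was regenerated by the reinstall,
# while the webhook configuration still carries the previous CA.
SECRET = {"metadata": {"name": "ingress-nginx-admission"},
          "data": {"ca": sample_pem("NEW-CA")}}
WEBHOOK_CFG = {"metadata": {"name": "ingress-nginx-admission"},
               "webhooks": [{"name": "validate.nginx.ingress.kubernetes.io",
                             "clientConfig": {"caBundle": sample_pem("OLD-CA")}}]}

if __name__ == "__main__":
    # An empty list means the webhook already trusts the secret's CA.
    print(json.dumps(build_ca_patch(SECRET, WEBHOOK_CFG)))
```

The printed JSON has the same shape as the `-p` argument in the patch command above; an empty list means the CA already matches and the x509 error has another cause.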

REFERENCES

damienleger, who provided this as an answer

gitanswer.com, where damienleger provided this workaround in his comment

costela, who provided the original check of these objects, comparing the secret to the validatingwebhookconfiguration