From eeaa9d809bba033efc0758cc8ecf5c0059c6dd8b Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Sat, 29 Jan 2022 18:37:53 +0100
Subject: [PATCH] fix(kube-system): Run insecure metrics-server

This patch runs the metrics-server without CA validation since kubeadm
doesn't create proper certificates for kubelets by default. Therefore,
until this is fixed, this patch will work around the issue.

References:
https://v1-21.docs.kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/#renew-certificates-with-the-kubernetes-certificates-api
---
 README.md                                      | 1 +
 infrastructure/kube-system/metrics-server.yaml | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 4bbc8b5da..ab0b384c6 100644
--- a/README.md
+++ b/README.md
@@ -36,6 +36,7 @@ This toolchain is still under development. Before it will be used in production
 - [x] Automate system configuration using Kubernetes (system-upgrade-controller)
 - [x] Provide an fully encrypted (handled on host level) storage class (longhorn)
 - [x] Deploy cert-manager
+- [ ] Deploy kubelet with proper certificates
 - [ ] Deploy credentials for cert-manager
 - [ ] Automate ingress-controller default certificate deployment
 - [ ] Automate ingress-controller configuration for proxy-protocol
diff --git a/infrastructure/kube-system/metrics-server.yaml b/infrastructure/kube-system/metrics-server.yaml
index 567342943..363f8fcd7 100644
--- a/infrastructure/kube-system/metrics-server.yaml
+++ b/infrastructure/kube-system/metrics-server.yaml
@@ -30,7 +30,7 @@ spec:
       - --cert-dir=/tmp
       - --kubelet-use-node-status-port
       - --metric-resolution=15s
-      - --kubelet-certificate-authority=/ca/ca.crt
+      - --kubelet-insecure-tls
     rbac:
       pspEnabled: true
     podDisruptionBudget:
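Review bot: The `--kubelet-insecure-tls` argument added to the args list has no in-file marker that it is a temporary workaround, so nothing in the manifest ties it to the new README item and it can easily outlive the kubeadm fix. With this flag metrics-server no longer verifies the kubelet serving certificate, so the endpoints it scrapes, and to which it presents its service-account credentials, are unauthenticated, and the metrics feeding autoscaling cannot be trusted against an on-path party. I would add a comment directly above the flag, e.g. `# TEMPORARY: kubeadm kubelets lack CA-signed serving certs; restore --kubelet-certificate-authority=/ca/ca.crt once they have them (see README TODO)`. The kubeadm page referenced in the commit message describes setting `serverTLSBootstrap: true` in the KubeletConfiguration and approving the resulting CSRs as the way to get there. The args list starts above this hunk, so whether the `/ca` volume mount is still defined and now unused is not visible here.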
-- 
GitLab