vpa - target recommendations not applied when using tls certificates managed by cert-manager #9332

@aelbretonactility

Description

/area helm-charts
/area vertical-pod-autoscaler

Component version:
vertical-pod-autoscaler-1.6.0 installed with vertical-pod-autoscaler-chart-0.8.1

On an EKS cluster running with kubernetes-1.35

What did you expect to happen?:

Target recommendations should be applied to resources targeted by VPA

What happened instead?:

Vertical-pod-autoscaler-admission-controller does not apply target recommendations
TLS errors are displayed in vertical-pod-autoscaler-admission-controller logs:

2026/03/06 13:51:25 http: TLS handshake error from x.x.x.x:37838: remote error: tls: bad certificate
2026/03/06 13:51:57 http: TLS handshake error from x.x.x.x:50202: remote error: tls: bad certificate

How to reproduce it (as minimally and precisely as possible):

I'm using helm chart vertical-pod-autoscaler-chart-0.8.1 with values.yaml:

admissionController:
  registerWebhook: true
  certGen:
    enabled: false
  volumes:
    - name: tls-certs
      secret:
        defaultMode: 420
        secretName: vpa-tls-certs
        items:
          - key: ca.crt
            path: caCert.pem
          - key: tls.crt
            path: serverCert.pem
          - key: tls.key
            path: serverKey.pem

The secret vpa-tls-certs is created with cert-manager:

Name:         vpa-tls-certs
Namespace:    vpa
Labels:       controller.cert-manager.io/fao=true
Annotations:  cert-manager.io/alt-names: 
              cert-manager.io/certificate-name: vpa-tls-certs
              cert-manager.io/common-name: vpa-webhook.vpa.svc
              cert-manager.io/ip-sans: 
              cert-manager.io/issuer-group: 
              cert-manager.io/issuer-kind: ClusterIssuer
              cert-manager.io/issuer-name: selfsigned
              cert-manager.io/subject-organizations: cert-manager
              cert-manager.io/uri-sans: 

Type:  kubernetes.io/tls

Data
====
ca.crt:   1155 bytes
tls.crt:  1155 bytes
tls.key:  1679 bytes

(ca.crt = tls.crt)

The mutating webhook config vpa-webhook-config is:

Name:         vpa-webhook-config
Namespace:    
Labels:       <none>
Annotations:  <none>
API Version:  admissionregistration.k8s.io/v1
Kind:         MutatingWebhookConfiguration
Metadata:
  Creation Timestamp:  2026-03-06T11:16:26Z
  Generation:          1
  Resource Version:    469534834
  UID:                 6d7ed5a2-b739-45c4-91f8-c54da27f6121
Webhooks:
  Admission Review Versions:
    v1
  Client Config:
    Ca Bundle:  [base64 CA bundle omitted]
    Service:
      Name:        vpa-webhook
      Namespace:   vpa
      Port:        443
  Failure Policy:  Ignore
  Match Policy:    Equivalent
  Name:            vpa.k8s.io
  Namespace Selector:
    Match Expressions:
      Key:       kubernetes.io/metadata.name
      Operator:  NotIn
      Values:
        
  Object Selector:
  Reinvocation Policy:  Never
  Rules:
    API Groups:
      
    API Versions:
      v1
    Operations:
      CREATE
    Resources:
      pods
    Scope:  *
    API Groups:
      autoscaling.k8s.io
    API Versions:
      *
    Operations:
      CREATE
      UPDATE
    Resources:
      verticalpodautoscalers
    Scope:          *
  Side Effects:     None
  Timeout Seconds:  30
Events:             <none>

Ca Bundle corresponds to ca.crt/tls.crt in vpa-tls-certs

I tested the service vpa-webhook from another pod:

$ curl --cacert /tmp/cacert -v https://vpa-webhook.vpa.svc
* Host vpa-webhook.vpa.svc:443 was resolved.
* IPv6: (none)
* IPv4: 172.20.184.43
*   Trying 172.20.184.43:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* SSL Trust Anchors:
*   CAfile: /tmp/cacert
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256 / X25519MLKEM768 / RSASSA-PSS
* ALPN: server accepted h2
* Server certificate:
*   subject: O=cert-manager; CN=vpa-webhook.vpa.svc
*   start date: Mar  6 10:14:05 2026 GMT
*   expire date: Mar  7 10:14:05 2026 GMT
*   issuer: O=cert-manager; CN=vpa-webhook.vpa.svc
*   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*  common name: vpa-webhook.vpa.svc (matched)
* SSL certificate verified via OpenSSL.
* Established connection to vpa-webhook.vpa.svc (172.20.184.43 port 443) from 10.142.2.214 port 50922 
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://vpa-webhook.vpa.svc/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: vpa-webhook.vpa.svc]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.18.0]
* [HTTP/2] [1] [accept: */*]
> GET / HTTP/2
> Host: vpa-webhook.vpa.svc
> User-Agent: curl/8.18.0
> Accept: */*
> 
* Request completely sent off
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/2 200 
< content-length: 0
< date: Fri, 06 Mar 2026 12:48:20 GMT
< 

I would need some help to fix the errors "remote error: tls: bad certificate" in admission-controller as I suppose they are the reason why target recommendations are not applied correctly on pods.

Thanks in advance for your help/guidance.
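One check worth running on a webhook serving certificate in this situation, as an added example that is not part of the issue and not code from the autoscaler project or cert-manager: the curl output above reports `common name: vpa-webhook.vpa.svc (matched)`, which is OpenSSL falling back to the Subject CN, while the secret's `cert-manager.io/alt-names` annotation is empty, meaning the certificate carries no DNS SAN. The kube-apiserver that calls the webhook is a Go program, and Go's crypto/x509 (since 1.15) ignores the CN entirely and matches the dialed name (`vpa-webhook.vpa.svc`) only against the SAN extension; when that fails the client sends a `bad certificate` alert, which the Go server logs as `remote error: tls: bad certificate`. The program below constructs two self-signed certificates in the shape cert-manager's selfsigned issuer produced here (O=cert-manager, ca.crt identical to tls.crt), one with only a CN and one with SANs, and runs the same verification a Go client performs. The `DiagnoseServingCert` helper also accepts real PEM from a secret's tls.crt and ca.crt; the names `makeSelfSignedPEM`, `Diagnosis` and `DiagnoseServingCert` are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// makeSelfSignedPEM builds a constructed self-signed serving certificate
// (O=cert-manager, usable both as leaf and as its own CA, like the secret in
// the issue). dnsNames == nil yields a certificate with no SAN extension at
// all, which is what an empty cert-manager.io/alt-names annotation means.
func makeSelfSignedPEM(cn string, dnsNames []string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{"cert-manager"}, CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
		DNSNames:              dnsNames,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// Diagnosis is what the check reports for one serving certificate.
type Diagnosis struct {
	SANs      []string // DNS names in the SAN extension (empty = none present)
	CNMatches bool     // legacy Subject CN equals the expected name; Go clients ignore this
	GoVerify  string   // error a Go client such as kube-apiserver would raise, "" if it accepts the cert
}

// DiagnoseServingCert takes the PEM of tls.crt and of ca.crt (the webhook's
// caBundle) plus the DNS name the apiserver dials (<service>.<namespace>.svc)
// and verifies exactly as crypto/tls does on the client side: build a chain to
// the bundle, require the serverAuth EKU, then match the name against SANs only.
func DiagnoseServingCert(certPEM, caPEM []byte, serverName string) (Diagnosis, error) {
	var d Diagnosis
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return d, errors.New("tls.crt: no PEM block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return d, err
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return d, errors.New("ca.crt: no certificates parsed")
	}
	d.SANs = cert.DNSNames
	d.CNMatches = cert.Subject.CommonName == serverName
	_, err = cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   serverName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	if err != nil {
		d.GoVerify = err.Error()
	}
	return d, nil
}

func main() {
	const name = "vpa-webhook.vpa.svc"
	cnOnly, _ := makeSelfSignedPEM(name, nil)
	withSAN, _ := makeSelfSignedPEM(name, []string{name, name + ".cluster.local"})
	// Self-signed: ca.crt == tls.crt, exactly as in the reported secret.
	for _, c := range []struct {
		label string
		pem   []byte
	}{{"CN only", cnOnly}, {"CN + SAN", withSAN}} {
		d, err := DiagnoseServingCert(c.pem, c.pem, name)
		fmt.Printf("%-9s parseErr=%v sans=%v cnMatches=%v goVerify=%q\n",
			c.label, err, d.SANs, d.CNMatches, d.GoVerify)
	}
}
```

Running it prints a non-empty `goVerify` for the CN-only certificate and an empty one for the certificate with SANs, even though both have the matching CN. To apply the check to a live secret, decode the `tls.crt` and `ca.crt` keys of `vpa-tls-certs` and pass them to `DiagnoseServingCert` with `vpa-webhook.vpa.svc`; if `sans` is empty, the fix on the cert-manager side is to list that name under `spec.dnsNames` of the `Certificate` resource so the issued certificate carries a SAN.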
