
MutatingWebhook is failing due to wrong or untrusted certificate #12

@GerbenWelter

I have tried this operator before and was using the Patch CR. That worked great. Now I want to use the MutatingWebhook as described in this project's documentation. I'm using the operator through OperatorHub so I created the OLM version adjusted for the resource it needs to patch:

apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: patch-operator-inject
  annotations:
    service.beta.openshift.io/inject-cabundle: "true"
webhooks:
- admissionReviewVersions:
  - v1
  clientConfig:
    service:
      name: patch-operator-webhook-service
      namespace: patch-operator
      path: /inject
  failurePolicy: Fail
  name: patch-operator-inject.redhatcop.redhat.io
  rules:
    - apiGroups:   ["cert-manager.io"]
      apiVersions: ["v1"]
      operations:  ["CREATE"]
      resources:   ["certificates"]
  sideEffects: None

When trying to create the resource it needs to patch I get the following error message:

Error from server (InternalError): error when creating "gitops-cert.yaml": Internal error occurred: failed calling webhook "patch-operator-inject.redhatcop.redhat.io": failed to call webhook: Post "https://patch-operator-webhook-service.patch-operator.svc:443/inject?timeout=10s": x509: certificate is valid for patch-operator-controller-manager-service.patch-operator, patch-operator-controller-manager-service.patch-operator.svc, not patch-operator-webhook-service.patch-operator.svc

It seems that the 'patch-operator-webhook-service' Service is running with the certs of the 'patch-operator-controller-manager-service' Service.

I tried adjusting the MutatingWebhook to use 'patch-operator-controller-manager-service', but that resulted in an untrusted certificate:

Error from server (InternalError): error when creating "gitops-cert.yaml": Internal error occurred: failed calling webhook "patch-operator-inject.redhatcop.redhat.io": failed to call webhook: Post "https://patch-operator-controller-manager-service.patch-operator.svc:443/inject?timeout=10s": x509: certificate signed by unknown authority

Am I missing something or is this a bug in the operator installation?
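The two errors above can be reproduced offline, as an added example that is not part of the issue or of the patch-operator project: the kube-apiserver is written in Go and verifies a webhook's serving certificate with crypto/x509, so the same two checks (chain the certificate to the caBundle, then match the service DNS name) yield the same error strings. The CA names, keys and the modelling of the second error as a caBundle that holds a different CA than the one that issued the serving certificate are assumptions constructed for this example; only the service and namespace names come from the error messages in the issue.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Names taken from the error messages in the issue.
const (
	namespace  = "patch-operator"
	servingSvc = "patch-operator-controller-manager-service" // service the serving cert was issued for
	webhookSvc = "patch-operator-webhook-service"            // service the MutatingWebhookConfiguration points at
)

// newCA builds a throwaway CA (constructed for this example; it stands in for
// whatever signer issued the operator's serving certificate).
func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		KeyUsage:              x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueServingCert issues a leaf from ca whose SANs are exactly the two names
// the issue's first error lists as valid.
func issueServingCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, svc, ns string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: svc + "." + ns + ".svc"},
		DNSNames:     []string{svc + "." + ns, svc + "." + ns + ".svc"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// diagnose runs the checks a TLS client performs against a webhook endpoint:
// the serving cert must chain to the caBundle and carry host as a SAN.
// It returns "ok" or the crypto/x509 error text.
func diagnose(bundle *x509.CertPool, serving *x509.Certificate, host string) string {
	if _, err := serving.Verify(x509.VerifyOptions{Roots: bundle, DNSName: host}); err != nil {
		return err.Error()
	}
	return "ok"
}

// scenarios returns, in order: the issue's first error (bundle is the issuing CA,
// but the webhook addresses the other service), the issue's second error (right
// service, bundle holds a CA that did not issue the cert), and a working setup.
func scenarios() (nameMismatch, unknownCA, working string, err error) {
	issuingCA, issuingKey, err := newCA("example-issuing-ca")
	if err != nil {
		return "", "", "", err
	}
	otherCA, _, err := newCA("example-other-ca")
	if err != nil {
		return "", "", "", err
	}
	serving, err := issueServingCert(issuingCA, issuingKey, servingSvc, namespace)
	if err != nil {
		return "", "", "", err
	}
	withIssuer := x509.NewCertPool()
	withIssuer.AddCert(issuingCA)
	withOther := x509.NewCertPool()
	withOther.AddCert(otherCA)

	nameMismatch = diagnose(withIssuer, serving, webhookSvc+"."+namespace+".svc")
	unknownCA = diagnose(withOther, serving, servingSvc+"."+namespace+".svc")
	working = diagnose(withIssuer, serving, servingSvc+"."+namespace+".svc")
	return nameMismatch, unknownCA, working, nil
}

func main() {
	a, b, c, err := scenarios()
	if err != nil {
		panic(err)
	}
	fmt.Println("webhook -> wrong service:", a)
	fmt.Println("webhook -> right service, wrong caBundle:", b)
	fmt.Println("webhook -> right service, right caBundle:", c)
}
```

Note that crypto/x509 checks the DNS name before it builds the chain, so a configuration that has both a wrong service name and a wrong caBundle reports only the name mismatch; fixing the name, as the issue did, is what exposes the second problem.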
