
aws-load-balancer-controller upgrade doesn't roll the deployment - x509: certificate signed by unknown authority #562

@projuri

Describe the bug
Failed to create an Ingress object after running the upgrade (helm upgrade aws-load-balancer-controller ...) with cert-manager disabled.

Resource: "networking.k8s.io/v1beta1, Resource=ingresses", GroupVersionKind: "networking.k8s.io/v1beta1, Kind=Ingress"
Name: ".....", Namespace: "....."
for: "STDIN": Internal error occurred: failed calling webhook "vingress.elbv2.k8s.aws": Post "https://aws-load-balancer-webhook-service.kube-system.svc:443/validate-networking-v1beta1-ingress?timeout=10s": x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "aws-load-balancer-controller-ca")

Steps to reproduce

  1. Execute helm upgrade aws-load-balancer-controller ...
  2. Deploy Ingress manifest before certwatcher updates TLS certificates

Expected outcome
helm upgrade should automatically roll the deployment to guarantee consistency (related doc: https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments).

Environment

  • Chart name: aws-load-balancer-controller
  • Chart version: 1.2.3
  • Kubernetes version: EKS v1.19

Additional Context:
As a workaround, a dynamic annotation can be set manually: --set podAnnotations.rollme=$(openssl rand -base64 6)
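
Why certificate verification fails in this state, as an added Go example (not code from the issue or from the chart). It assumes the upgrade re-issued a CA under the same name, `aws-load-balancer-controller-ca`, while the pod that was not rolled kept serving a certificate signed by the previous CA. All certificates are constructed in memory and the serving certificate name is made up.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // panics on setup errors
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a constructed test certificate for cn; a nil parent means self-signed.
func issue(cn string, isCA bool, parent *x509.Certificate, pk *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, pk = t, key
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pk))
	return must(x509.ParseCertificate(der)), key
}

// scenario verifies the old serving cert against the old CA, then the re-issued CA.
func scenario() (before, after error) {
	const caName = "aws-load-balancer-controller-ca" // CA name quoted in the error
	oldCA, oldKey := issue(caName, true, nil, nil)
	newCA, _ := issue(caName, true, nil, nil) // assumed: same name, new key pair
	serving, _ := issue("webhook-serving-cert", false, oldCA, oldKey) // hypothetical name
	check := func(ca *x509.Certificate) error {
		pool := x509.NewCertPool()
		pool.AddCert(ca)
		_, err := serving.Verify(x509.VerifyOptions{Roots: pool})
		return err
	}
	return check(oldCA), check(newCA)
}

func main() { fmt.Println(scenario()) }
```

The second result names the CA as a "candidate authority" because its subject matches the serving certificate's issuer, and only the signature check fails, which is the shape of the error reported above.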


Labels: bug
