Cluster autoscaler is not working with EKS because of missing certificate

[dirknilius]

I tried to use Bottlerocket in my EKS node group(s) as shown here: https://docs.aws.amazon.com/cdk/api/latest/docs/aws-eks-readme.html#bottlerocket

The worker nodes are just fine but I cannot get the cluster autoscaler working as is misses the certificate. I followed the official docs: https://docs.aws.amazon.com/eks/latest/userguide/cluster-autoscaler.html

The applied volumes expects a cert in /etc/ssl/certs/ca-bundle.crt but it's missing. See: https://raw.githubusercontent.com/kubernetes/autoscaler/master/cluster-autoscaler/cloudprovider/aws/examples/cluster-autoscaler-autodiscover.yaml

Amazon Linux 2 workers have it in place.

I found an issue in the autoscaler project. But the solution did not work out for me. See: kubernetes/autoscaler#3513

[bcressey]

The path on Bottlerocket is /etc/pki/tls/certs/ca-bundle.crt. Relative to that example, I'd expect it to change in the hostPath volume definition, rather than where the comment about Amazon Linux appears.

The /usr/share/factory path mentioned in the issue you linked is one place to find the file, but it's copied into /etc by systemd-tmpfiles at boot.

To avoid confusion, we can add a compat symlink, like Amazon Linux has:

/etc/ssl/certs -> /etc/pki/tls/certs

[dirknilius]

To avoid confusion, we can add a compat symlink, like Amazon Linux has:

/etc/ssl/certs -> /etc/pki/tls/certs

I'd like that as it doesn't require any change and it would just work out of the box.