TLS handshake error when following README in local cluster #93

Open
1 of 3 tasks
Jenson3210 opened this issue Nov 9, 2023 · 3 comments

Summary

When following the README (manual deployment) in a Rancher Desktop local environment to get to know the product, I am receiving `Internal error occurred: failed calling webhook "sidecar-injector.conjur.org": failed to call webhook: Post "https://cyberark-sidecar-injector.injectors.svc:443/mutate?timeout=10s": x509: certificate signed by unknown authority` and `Deployment does not have minimum availability.` in my deployment of the test app.

In the logs of the mutating webhook pod I am seeing multiple `http: TLS handshake error from 10.42.0.1:42142: remote error: tls: bad certificate` error lines.
This is being tested while bypassing the Conjur setup locally, as I expect the mutation to happen (the authentication sidecar gets injected), and only then would the Conjur connection not being available cause errors.

We decided to give it a go and test this in our OpenShift test environment using the Helm chart, but are getting exactly the same issue over there. In that environment Conjur is set up and working. I would love to get it running locally first so that we can test the product in a "playground" environment.

Reproducible

  • Always
  • Sometimes
  • Non-Reproducible

Version/Tag number

latest/master

Environment setup

Rancher Desktop on Mac + OpenShift

Jenson3210 commented Nov 9, 2023

When you change the CA_BUNDLE of the webhook to the output of `kubectl config view --raw --minify --flatten -o jsonpath='{.clusters[].cluster.certificate-authority-data}'`,
the logs change to:

```
Mutation policy for sidecar-test/: status: "" required:false
Skipping mutation for sidecar-test/ due to policy check
```

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: application
  namespace: sidecar-test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: application
  template:
    metadata:
      labels:
        app: application
      annotations:
        conjur.org/conjurAuthConfig: conjur
        conjur.org/conjurConnConfig: conjur
        conjur.org/container-mode: sidecar
        conjur.org/conjur-token-receivers: "application"
        conjur.org/inject: "y"
        conjur.org/inject-type: authenticator
        conjur.org/container-name: application
    spec:
      containers:
        - name: application
          image: googlecontainer/echoserver:1.1
          imagePullPolicy: IfNotPresent
```

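The `x509: certificate signed by unknown authority` error quoted in this issue is the kube-apiserver refusing the webhook's serving certificate because it does not chain to a CA in the `caBundle` of the MutatingWebhookConfiguration (`.webhooks[].clientConfig.caBundle`). The Go program below is an added example, not code from this issue or from the cyberark/sidecar-injector project: it reproduces that check offline by constructing two throwaway CAs, issuing a serving certificate for `cyberark-sidecar-injector.injectors.svc` from one of them, and verifying it against each CA as a base64 `caBundle`. The names `VerifyWebhookCert`, `issue`, `Scenario` and the CA common names are chosen here; the certificates are constructed test data. Against a real cluster you would pass `VerifyWebhookCert` the bundle from `kubectl get mutatingwebhookconfiguration <name> -o jsonpath='{.webhooks[0].clientConfig.caBundle}'` and the certificate the webhook presents on port 443.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// webhookHost is the service DNS name the API server dials, taken from the error in the issue.
const webhookHost = "cyberark-sidecar-injector.injectors.svc"

// VerifyWebhookCert performs the check the kube-apiserver does before POSTing to /mutate:
// the webhook's serving certificate (PEM) must chain to a CA in the base64 caBundle and
// carry the service hostname as a SAN. A CA mismatch surfaces as x509.UnknownAuthorityError.
func VerifyWebhookCert(caBundleB64 string, servingPEM []byte) error {
	caPEM, err := base64.StdEncoding.DecodeString(caBundleB64)
	if err != nil {
		return fmt.Errorf("caBundle is not valid base64: %w", err)
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return errors.New("caBundle contains no PEM certificates")
	}
	block, _ := pem.Decode(servingPEM)
	if block == nil {
		return errors.New("serving certificate is not PEM encoded")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: webhookHost})
	return err
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue signs tmpl with parent (nil parent means self-signed) and returns the parsed
// certificate, its private key and its PEM encoding. Constructed test data only.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// Scenario reproduces the mismatch: the webhook serves a certificate issued by its own CA,
// while caBundle holds either an unrelated CA (wrongErr, the failing case) or the webhook's CA (rightErr, nil).
func Scenario() (wrongErr, rightErr error) {
	now := time.Now()
	caTmpl := func(cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			IsCA: true, KeyUsage: x509.KeyUsageCertSign, BasicConstraintsValid: true,
		}
	}
	webhookCA, webhookKey, webhookCAPEM := issue(caTmpl("webhook-ca"), nil, nil)
	_, _, otherCAPEM := issue(caTmpl("some-other-ca"), nil, nil)
	_, _, servingPEM := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: webhookHost},
		DNSNames:  []string{webhookHost},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, webhookCA, webhookKey)

	wrongErr = VerifyWebhookCert(base64.StdEncoding.EncodeToString(otherCAPEM), servingPEM)
	rightErr = VerifyWebhookCert(base64.StdEncoding.EncodeToString(webhookCAPEM), servingPEM)
	return wrongErr, rightErr
}

func main() {
	wrongErr, rightErr := Scenario()
	fmt.Println("caBundle from unrelated CA:", wrongErr)
	fmt.Println("caBundle from webhook CA:  ", rightErr)
}
```

The failing case prints Go's `x509: certificate signed by unknown authority`, the same wording the API server relays in the webhook error, which is why the check is worth running against the real `caBundle` before touching the injector itself.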
Jenson3210 commented Nov 9, 2023

This issue got resolved by changing the `latest` image to the `edge` image.
This indicates this repo is not really the one behind the images, as the `edge` image was updated some hours ago, the `latest` image is from 3 years ago, and no code was pushed here at these timestamps.
This makes set-up quite confusing.
Can we get some clarity on this? Is the real code versioned in an internal atlantis git repo?

```shell
helm --namespace injectors \
  install \
  --set "caBundle=$(kubectl config view --raw --minify --flatten -o jsonpath='{.clusters[].cluster.certificate-authority-data}')" \
  --set "sidecarInjectorImage=cyberark/sidecar-injector:edge" \
  ./helm/cyberark-sidecar-injector/ --generate-name
```

For OpenShift we decided to use the built-in service signer, injecting a secret into our namespace based on this repo.

@Jenson3210

As this repo is quite old without any updates, would you be open to PRs?
After getting it to run, we discovered some issues in the documentation and examples, but also some optimizations for the Go app. For now, we are just using our own sidecar injector based on this one.
