[nri-bundle] Helm Upgrade Fails w/ TLS Failed to Verify Certificate #1712

@ben851

Bug description

We are using helmfile to manage our EKS environment. When doing a global helmfile apply after the initial install of the NRI-Bundle chart, the caBundles are reporting as changed. When this happens, we intermittently receive this error:

  Error: UPGRADE FAILED: could not get information about the resource: conversion webhook for newrelic.com/v1beta1, Kind=Instrumentation failed: Post "https://newrelic-k8s-agents-operator-webhook-service.newrelic.svc:443/convert?timeout=30s": tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "k8s-agents-operator-operator-ca")

If we re-run the apply it will work.

Is there a way to "lock in" the caBundle so that it's not always reporting as changed? I suspect that would solve this issue.

Version of Helm and Kubernetes

EKS 1.32
Helmfile 0.171.0
Helm 3.17.3

Which chart?

nri-bundle chart, latest

What happened?

Helmfile Apply fails with invalid TLS certificate

What you expected to happen?

Ideally, since there are no changes happening on the New Relic chart, the caBundle should not be changed. If that's not possible, then the chart should be able to gracefully upgrade the caBundle without failing.

How to reproduce it?

Steps to reproduce the problem, as minimally and precisely as possible.
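
An added example (not code from this issue or from the New Relic chart) that reproduces the reported x509 message with Go's `crypto/x509`: a serving certificate is verified against a caBundle holding a CA with the same name but a different key. That the changed caBundle corresponds to a CA regenerated with a new key is an assumption; the helper names `issue` and `verifyAgainst` are hypothetical, and the CA and service names are taken from the error above.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates an RSA cert for cn: a self-signed CA when parent is nil, else a cert signed by parent.
func issue(cn string, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, 2048)) // fresh key pair on every call
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: true, DNSNames: []string{cn}, // SAN is only used for the serving cert
	}
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// verifyAgainst checks leaf the way a TLS client does when its only trust anchor is caBundle.
func verifyAgainst(caBundle, leaf *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(caBundle)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: leaf.DNSNames[0]})
	return err
}

func main() {
	ca, caKey := issue("k8s-agents-operator-operator-ca", nil, nil)
	regenerated, _ := issue("k8s-agents-operator-operator-ca", nil, nil) // same name, new key (assumed)
	serving, _ := issue("newrelic-k8s-agents-operator-webhook-service.newrelic.svc", ca, caKey)
	fmt.Println("caBundle = signing CA:    ", verifyAgainst(ca, serving))
	fmt.Println("caBundle = regenerated CA:", verifyAgainst(regenerated, serving))
}
```

The second check fails with the same "candidate authority certificate" hint as the reported error, because the verifier finds a trust anchor whose subject matches the issuer but whose key did not produce the signature.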

Labels: bug, triage/pending