cert-manager: Cannot create http01 ClusterIssuer with DigitalOcean provider using new static manifests
Describe the bug:
Following documentation to install with static manifests, then attempting to create an Issuer or ClusterIssuer on a fresh DO k8s cluster results in the following error:
Error from server (InternalError): error when creating "30-staging-clusterissuer.yml": Internal error occurred: failed calling admission webhook "clusterissuers.admission.certmanager.k8s.io": the server is currently unable to handle the request
Issue seems quite different from #1103.
Expected behaviour:
An Issuer or ClusterIssuer should be able to be created after following documentation instructions for static manifests.
Steps to reproduce the bug:
- create a k8s cluster on Digital Ocean
- follow cert-manager static manifest installation instructions
- attempt to create an Issuer or ClusterIssuer
Anything else we need to know?:
I first tried to set up cert-manager 0.5.2 with static manifests but the documentation is severely lacking, CRDs are absent, and there are a number of other missing things, like pods failing to start with log output missing secret "webhook-ca".
While looking for a way to solve it I noticed that there seems to be quite a refactoring with much better documentation and manifests on master. With CRDs set up and namespace created, everything seemed to be in order except that I had to apply -f with --validate=false due to #1143.
I then proceeded to create a ClusterIssuer following this part of the documentation:
$ kubectl apply -f 30-staging-clusterissuer.yml
Error from server (InternalError): error when creating "30-staging-clusterissuer.yml": Internal error occurred: failed calling admission webhook "clusterissuers.admission.certmanager.k8s.io": the server is currently unable to handle the request
Nothing of significance appears in the pod logs.
Since there was no match in cert-manager issues I looked for similar errors in other Kubernetes projects involving admission webhooks and found this:
"Check that your cluster has aggregate api server enabled. Test that the configmap extension-apiserver-authentication-reader in kube-system namespace has key requestheader-client-ca-file"
I verified this by running kubectl describe configmap -n kube-system extension-apiserver-authentication, which does contain requestheader-client-ca-file.
So I ran kubectl get apiservice clusterissuers.admission.certmanager.k8s.io -o yaml which I suppose is expected to return something along the lines of:
status:
  conditions:
  - lastTransitionTime: 2018-02-27T07:59:50Z
    message: all checks passed
    reason: Passed
    status: "True"
    type: Available
But returns this error instead:
Error from server (NotFound): apiservices.apiregistration.k8s.io "clusterissuers.admission.certmanager.k8s.io" not found
So I tried a more general kubectl get apiservice for which the output contains a single reference to anything related to certmanager.k8s.io:
v1beta1.admission.certmanager.k8s.io cert-manager/cert-manager-webhook False (FailedDiscoveryCheck) 26m
with no trace of issuers.admission.certmanager.k8s.io, clusterissuers.admission.certmanager.k8s.io, or certificates.admission.certmanager.k8s.io.
The output of kubectl describe apiservice v1beta1.admission.certmanager.k8s.io contains:
Status:
  Conditions:
    Last Transition Time:  2018-12-14T14:34:51Z
    Message:               no response from https://10.245.20.156:443: Get https://10.245.20.156:443: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
    Reason:                FailedDiscoveryCheck
    Status:                False
    Type:                  Available
Environment details:
- Kubernetes version (e.g. v1.10.2): v1.12.3
- Cloud-provider/provisioner (e.g. GKE, kops AWS, etc): DigitalOcean
- cert-manager version (e.g. v0.4.0): v0.6.0 (master)
- Install method (e.g. helm or static manifests): static manifests
/kind bug
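The APIService and configmap checks walked through in the report above, as an added triage script that is not part of the original issue or of the cert-manager project: it parses the JSON that kubectl get apiservice -o json and kubectl get configmap -n kube-system extension-apiserver-authentication -o json return, flags every cert-manager APIService whose Available condition is not "True" together with its reason, and confirms the aggregation-layer CA key is present. The embedded samples are constructed to mirror the FailedDiscoveryCheck status quoted in this issue.

```python
import json

# Constructed sample mirroring `kubectl get apiservice -o json` on the cluster in
# this issue: the webhook APIService fails discovery, a core one is healthy.
SAMPLE_APISERVICES = json.dumps({"items": [
    {"metadata": {"name": "v1beta1.admission.certmanager.k8s.io"},
     "spec": {"group": "admission.certmanager.k8s.io", "version": "v1beta1",
              "service": {"namespace": "cert-manager", "name": "cert-manager-webhook"}},
     "status": {"conditions": [{"type": "Available", "status": "False",
                                "reason": "FailedDiscoveryCheck",
                                "message": "no response from https://10.245.20.156:443"}]}},
    {"metadata": {"name": "v1.apps"}, "spec": {"group": "apps", "version": "v1"},
     "status": {"conditions": [{"type": "Available", "status": "True", "reason": "Local"}]}},
]})

# Constructed sample of the kube-system extension-apiserver-authentication
# configmap as returned with -o json (certificate values abbreviated).
SAMPLE_CONFIGMAP = json.dumps({"data": {
    "client-ca-file": "-----BEGIN CERTIFICATE-----...",
    "requestheader-client-ca-file": "-----BEGIN CERTIFICATE-----...",
    "requestheader-allowed-names": '["front-proxy-client"]',
}})

def unavailable_apiservices(apiservice_json, group_suffix="certmanager.k8s.io"):
    """Return (name, backing service, reason, message) for every APIService in
    the group whose Available condition is missing or not "True"."""
    findings = []
    for item in json.loads(apiservice_json)["items"]:
        spec = item.get("spec", {})
        if not spec.get("group", "").endswith(group_suffix):
            continue
        conds = item.get("status", {}).get("conditions", [])
        avail = next((c for c in conds if c.get("type") == "Available"), {})
        if avail.get("status") != "True":
            svc = spec.get("service") or {}  # None for locally served groups
            backing = f"{svc.get('namespace')}/{svc.get('name')}" if svc else "local"
            findings.append((item["metadata"]["name"], backing,
                             avail.get("reason", "NoAvailableCondition"),
                             avail.get("message", "")))
    return findings

def aggregation_ca_present(configmap_json):
    """True if the configmap carries requestheader-client-ca-file, which the
    aggregation layer needs to authenticate itself to extension API servers."""
    return "requestheader-client-ca-file" in json.loads(configmap_json).get("data", {})

if __name__ == "__main__":
    print("aggregation CA present:", aggregation_ca_present(SAMPLE_CONFIGMAP))
    for name, backing, reason, msg in unavailable_apiservices(SAMPLE_APISERVICES):
        print(f"{name} -> {backing}: {reason} {msg}")
```

On a live cluster, pipe the real kubectl JSON into the two functions; an APIService stuck in FailedDiscoveryCheck with the CA key present points at the webhook pod or its Service, not at the aggregation layer.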
About this issue
- State: closed
- Created 6 years ago
- Reactions: 2
- Comments: 18 (4 by maintainers)
Is there a resolution here? It looks very similar to what I’m seeing:
Error from server (InternalError): error when creating "cluster-issuer-prod.yaml": Internal error occurred: failed calling admission webhook "clusterissuers.admission.certmanager.k8s.io": the server could not find the requested resource

Seems like you didn’t quite catch it, or maybe I wasn’t clear… I admit it’s quite a convoluted story. As I mentioned earlier (see the links of my original message):
Attempt to install 0.5.2
I first tried to install 0.5.2 following the matching “latest” documentation (not master), the only instructions being:
Commands used:
… except now pods won’t start due to missing webhook-ca secret on one pod and another error (I can’t recall) on the other pod.
Attempt to install 0.6 from master (i.e. with webhook)
I followed the exact instructions here except with --validate=false due to #1143.
Attempt to install 0.6 without webhook
Same commands, except cert-manager.yml comes from a few commits earlier, and without --validate (since that’s not an issue).

RBAC-only is the way to go for sure but how are you supposed to install the no-webhook variant with a single static manifest? Or is there no no-webhook option anymore by design?

That’s what I thought at first but to be honest as a static manifest user, master was a much more pleasant experience 😉