This repository has been archived by the owner on Jan 11, 2023. It is now read-only.

k8s clusters missing requestheader-client-ca-file #1390

Closed
jackfrancis opened this issue Sep 1, 2017 · 3 comments · Fixed by #1406
@jackfrancis (Member) opened the issue:


Is this an ISSUE or FEATURE REQUEST? (choose one): FEATURE REQUEST

What version of acs-engine?: n/a

Orchestrator and version (e.g. Kubernetes, DC/OS, Swarm): Kubernetes v1.7

What happened: aggregated API servers need both client-ca-file and requestheader-client-ca-file keys; current acs-engine-built Kubernetes 1.7 clusters are missing requestheader-client-ca-file.

Ref:

https://github.com/kubernetes-incubator/apiserver-builder/blob/master/docs/concepts/auth.md#requestheader-authentication

Starting up the API server with the --requestheader-client-ca-file <string> option engaged should fix this.
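Aggregated API servers do not read the apiserver's flags directly; kube-apiserver publishes the values of --client-ca-file and --requestheader-* into the kube-system/extension-apiserver-authentication ConfigMap, and the aggregated server fetches that ConfigMap at startup. The check below is an added example (not acs-engine or Kubernetes code) that takes the ConfigMap as `kubectl get cm -n kube-system extension-apiserver-authentication -o json` would print it and reports which of those keys are missing or malformed; the sample ConfigMaps and the certificate body are constructed placeholders.

```python
"""Validate the kube-system/extension-apiserver-authentication ConfigMap.

Added example, not acs-engine or Kubernetes code. An aggregated API server
reads this ConfigMap at startup; if 'requestheader-client-ca-file' is absent
(the gap this issue reports for 1.7 clusters) it cannot verify requests
proxied to it by the kube-aggregator.
"""
import json

# Keys kube-apiserver publishes from --client-ca-file and --requestheader-* flags.
PEM_KEYS = ("client-ca-file", "requestheader-client-ca-file")
LIST_KEYS = (
    "requestheader-allowed-names",
    "requestheader-username-headers",
    "requestheader-group-headers",
    "requestheader-extra-headers-prefix",
)
REQUIRED_KEYS = PEM_KEYS + LIST_KEYS


def check_configmap(cm_json: str) -> list:
    """Return findings for a ConfigMap given as 'kubectl get cm ... -o json' output.

    An empty list means every key an aggregated API server needs is present
    and well-formed.
    """
    data = json.loads(cm_json).get("data") or {}
    findings = []
    for key in REQUIRED_KEYS:
        if key not in data:
            findings.append(f"missing key {key!r}")
            continue
        value = data[key]
        if key in PEM_KEYS:
            if "-----BEGIN CERTIFICATE-----" not in value:
                findings.append(f"{key!r} holds no PEM certificate")
        else:
            # List-valued keys are stored as JSON-encoded string arrays.
            try:
                parsed = json.loads(value)
            except ValueError:
                parsed = None
            if not isinstance(parsed, list):
                findings.append(f"{key!r} is not a JSON list")
    return findings


# Constructed samples; the certificate body is a placeholder, not a real CA.
PLACEHOLDER_CA = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
_META = {"name": "extension-apiserver-authentication", "namespace": "kube-system"}

# What a cluster started without the --requestheader-* flags publishes (constructed).
INCOMPLETE_CM = json.dumps({
    "apiVersion": "v1", "kind": "ConfigMap", "metadata": _META,
    "data": {"client-ca-file": PLACEHOLDER_CA},
})

# What a correctly configured apiserver publishes (constructed).
COMPLETE_CM = json.dumps({
    "apiVersion": "v1", "kind": "ConfigMap", "metadata": _META,
    "data": {
        "client-ca-file": PLACEHOLDER_CA,
        "requestheader-client-ca-file": PLACEHOLDER_CA,
        "requestheader-allowed-names": '["front-proxy-client"]',
        "requestheader-username-headers": '["X-Remote-User"]',
        "requestheader-group-headers": '["X-Remote-Group"]',
        "requestheader-extra-headers-prefix": '["X-Remote-Extra-"]',
    },
})

if __name__ == "__main__":
    for label, cm in (("incomplete", INCOMPLETE_CM), ("complete", COMPLETE_CM)):
        print(label, check_configmap(cm) or "OK")
```

Run against the real ConfigMap on a cluster, an empty result confirms the apiserver was started with the requestheader flags this issue asks for; a "missing key 'requestheader-client-ca-file'" finding reproduces the condition the issue describes.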

@sabbour commented Jan 2, 2018

Was this fixed? I'm getting hit by this in Azure/helm-charts#102 using acs-engine 0.11.0.

I configured the Orchestrator Profile with the below as the Aggregated API is not enabled by default:

"orchestratorProfile": {
  "orchestratorType": "Kubernetes",
  "orchestratorRelease": "1.8",
  "kubernetesConfig": {
    "enableRBAC": true,
    "enableAggregatedAPIs": true
  }
}

The Service Catalog API server is not coming up and below is the log:

kc logs catalog-catalog-apiserver-74cff45684-sbbc4 -c apiserver --namespace catalog
I0102 09:01:14.336868       1 run_server.go:59] Preparing to run API server
I0102 09:01:16.628707       1 round_trippers.go:417] curl -k -v -XGET  -H "User-Agent: service-catalog/v0.1.3 (linux/amd64) kubernetes/bb3e4a1" -H "Accept: application/json, */*" -H "Authorization: Bearer <token redacted>
 https://10.0.0.1:443/api/v1/namespaces/kube-system/configmaps/extension-apiserver-authentication
I0102 09:01:16.685719       1 round_trippers.go:436] GET https://10.0.0.1:443/api/v1/namespaces/kube-system/configmaps/extension-apiserver-authentication 403 Forbidden in 56 milliseconds
I0102 09:01:16.685766       1 round_trippers.go:442] Response Headers:
I0102 09:01:16.685771       1 round_trippers.go:445]     Content-Type: application/json
I0102 09:01:16.685775       1 round_trippers.go:445]     X-Content-Type-Options: nosniff
I0102 09:01:16.685848       1 round_trippers.go:445]     Content-Length: 373
I0102 09:01:16.685859       1 round_trippers.go:445]     Date: Tue, 02 Jan 2018 09:01:16 GMT
I0102 09:01:16.685906       1 request.go:836] Response Body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"configmaps \"extension-apiserver-authentication\" is forbidden: User \"system:serviceaccount:catalog:service-catalog-apiserver\" cannot get configmaps in the namespace \"kube-system\"","reason":"Forbidden","details":{"name":"extension-apiserver-authentication","kind":"configmaps"},"code":403}
W0102 09:01:16.686300       1 authentication.go:229] Unable to get configmap/extension-apiserver-authentication in kube-system.  Usually fixed by 'kubectl create rolebinding -n kube-system ROLE_NAME --role=extension-apiserver-authentication-reader --serviceaccount=YOUR_NS:YOUR_SA'
Error: configmaps "extension-apiserver-authentication" is forbidden: User "system:serviceaccount:catalog:service-catalog-apiserver" cannot get configmaps in the namespace "kube-system"
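The log above is the RBAC-side failure rather than the missing-CA-key one: the aggregated server's service account is denied the read of the extension-apiserver-authentication ConfigMap, and the warning line names the RoleBinding that fixes it. The script below is an added example (not service-catalog or acs-engine code) that detects that pattern in apiserver log lines and fills the warning's ROLE_NAME / YOUR_NS:YOUR_SA placeholders from the denied identity in the error message; the sample log is an excerpt constructed from the lines pasted above, and the RoleBinding name is an assumption.

```python
"""Spot the ConfigMap-read denial shown in an aggregated API server's log.

Added example, not service-catalog or acs-engine code. It scans log lines for
the 403 on kube-system/extension-apiserver-authentication and extracts the
denied service account so the RoleBinding the warning line itself suggests
can be written out with real values.
"""
import re

# The 403 on the ConfigMap fetch, as logged by client-go's round_trippers.go.
CM_403_RE = re.compile(
    r"GET \S+/namespaces/kube-system/configmaps/extension-apiserver-authentication 403 "
)
# The forbidden message names the service account that was denied.
DENIED_SA_RE = re.compile(
    r'User "system:serviceaccount:(?P<ns>[^:"]+):(?P<sa>[^"]+)" '
    r'cannot get configmaps in the namespace "kube-system"'
)


def diagnose(log_text: str):
    """Return (namespace, service_account, kubectl_command) or None.

    None means the log does not show the ConfigMap-read denial.
    """
    lines = log_text.splitlines()
    if not any(CM_403_RE.search(line) for line in lines):
        return None
    match = next((m for m in map(DENIED_SA_RE.search, lines) if m), None)
    if match is None:
        return None
    ns, sa = match.group("ns"), match.group("sa")
    # The role extension-apiserver-authentication-reader is the bootstrap role
    # the apiserver's warning refers to; the binding name is an assumed choice.
    command = (
        f"kubectl create rolebinding -n kube-system {sa}-auth-reader "
        f"--role=extension-apiserver-authentication-reader "
        f"--serviceaccount={ns}:{sa}"
    )
    return ns, sa, command


# Constructed excerpt of the log pasted in this issue (three signal lines).
SAMPLE_LOG = """\
I0102 09:01:16.685719       1 round_trippers.go:436] GET https://10.0.0.1:443/api/v1/namespaces/kube-system/configmaps/extension-apiserver-authentication 403 Forbidden in 56 milliseconds
W0102 09:01:16.686300       1 authentication.go:229] Unable to get configmap/extension-apiserver-authentication in kube-system.  Usually fixed by 'kubectl create rolebinding -n kube-system ROLE_NAME --role=extension-apiserver-authentication-reader --serviceaccount=YOUR_NS:YOUR_SA'
Error: configmaps "extension-apiserver-authentication" is forbidden: User "system:serviceaccount:catalog:service-catalog-apiserver" cannot get configmaps in the namespace "kube-system"
"""

if __name__ == "__main__":
    found = diagnose(SAMPLE_LOG)
    if found is None:
        print("no extension-apiserver-authentication denial in log")
    else:
        ns, sa, cmd = found
        print(f"denied: {ns}/{sa}\nfix:    {cmd}")
```

On the pasted log this yields the catalog/service-catalog-apiserver identity and a binding to the existing extension-apiserver-authentication-reader role in kube-system, which is the grant the chart applies itself when rbacEnabled is left at its default.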

@sabbour commented Jan 2, 2018

I was trying to provision the Service Catalog API with rbacEnabled=false.
When using rbacEnabled=true (the default), it worked.

@jackfrancis (Member, Author) commented:

Thanks for providing this color, @sabbour. Yes, we expect service catalog to be fully functional w/ an orchestratorProfile that looks like the one you pasted. Let us know if you run into any further trouble.
