Description of problem: As per recent errata[1], OCP is upgraded but while installing service catalog, the playbook is failing & throwing the errors:"Error: cluster doesn't provide requestheader-client-ca-file". After checking with the config-map "extension-apiserver-authentication" present in kube-system namespace only one cert is present there and others were not able to update. This is preventing installation of the service catalog. [1]https://access.redhat.com/errata/RHBA-2018:0636
I'm fixing this with https://github.com/openshift/openshift-ansible/pull/8311
https://github.com/openshift/openshift-ansible/pull/8311 merged just now
Verified step: 1. install v3.6 with service catalog 2. upgrade to v3.7 3. oc describe cm -n kube-system [root@qe-zhsun-36-gceeeemaster-etcd-1 ~]# oc describe cm -n kube-system Name: extension-apiserver-authentication Namespace: kube-system Labels: <none> Annotations: <none> Data ==== client-ca-file: ---- -----BEGIN CERTIFICATE----- MIIC6jCCAdKgAwIBAgIBATANBgkqhkiG9w0BAQsFADAmMSQwIgYDVQQDDBtvcGVu c2hpZnQtc2lnbmVyQDE1Mjc3NTk0NjIwHhcNMTgwNTMxMDkzNzQxWhcNMjMwNTMw MDkzNzQyWjAmMSQwIgYDVQQDDBtvcGVuc2hpZnQtc2lnbmVyQDE1Mjc3NTk0NjIw ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4HApGi88o0HrkHNOhgHsN XjNQkEji9FMJFOHBecmcHhswdDEhSvKDgfmu6bicdswPXSv+Caa2TrwLKQdzBQK0 IX/bFhNrujAYyyMzQ7zweMgPP57hSHZVO7s6KcTxYqFwTUMV71sHK8zMPFVGFU/H nV+dLfSYGgMdOE1IR0TZEUYEYVi/8TRgGeTdYVRaaDpsogvTSwixapSFGWCyhcJK vFvIDj4v7hJ7iVbBIJM16VqvwACnSnY4VKByrjL348kjvxvDD1/Wh/6twCfMSgPW XjWtP0NXTqr0Dy4pxVMCFfIIkNR0m3odNp1skGtELkqWW9tvE/PDk08iz86uYUbv AgMBAAGjIzAhMA4GA1UdDwEB/wQEAwICpDAPBgNVHRMBAf8EBTADAQH/MA0GCSqG SIb3DQEBCwUAA4IBAQCwDSTuxLD7OonwGsg2pxitAIW49cwbHvUhb/4np8xyrDY/ hvi5qxTXHQpWSh3pTm5r8+WVQ6ivBxCsfa7Nb1olRqQhVt9GvC5ht0xTsSWncTdv AhYEnptcN7RzHDCuT49Msw/YO+qVyJ4hcZyv4S+XUV+Iybp+HCA4H7DVt7oC+KIT V2gGpRwNtZulfCjFhIzFFWjUR49XC9l+oZw8eB/Bo6Zdrfxx8NjsiF9wXOIPnrIk adL8xzUbgqq8JpXxufBdU0k1HYcGQBxj0uQjt/uQ38T9Hfm1D3pFZt6OVmYD+g8i eDzbZYd5y62tW+kt0k8lWKMGg0lSIAYd5Th22SrI -----END CERTIFICATE----- requestheader-allowed-names: ---- ["aggregator-front-proxy"] requestheader-client-ca-file: ---- -----BEGIN CERTIFICATE----- MIIC6jCCAdKgAwIBAgIBATANBgkqhkiG9w0BAQsFADAmMSQwIgYDVQQDDBtvcGVu c2hpZnQtc2lnbmVyQDE1Mjc3NjAzODYwHhcNMTgwNTMxMDk1MzA1WhcNMjMwNTMw MDk1MzA2WjAmMSQwIgYDVQQDDBtvcGVuc2hpZnQtc2lnbmVyQDE1Mjc3NjAzODYw ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC3CnPKN/+R3XQhhTcVeutq zI6sApLmulO1hKk/UFKpKipNdXY3O2170aTufJKKmjbfvDs2iBp2Cnrwdh+8/dr9 YSIt2fdU+WLK4V5w6bjCatnaqjyiT06ySmlgTE7WETpaJXYLxE5md468AnB/9YDS CN7zwiq6dw/ZLP2cAiTnoGSDK1lssQIR2Ceg6PKo3QOWGulCSWPw1RtbtEq1MOxj RFIAbX3nMYTneDJhwl7+9UNelY0aOJugLlOrREkDT/6lLnUqv0OEjfX6DTtA6N8/ 0rE9+VmBRxl8Oa4tw0tdPf4HxKH3Vzu6uFGA8p6//oGgu+fQA22vvUomJvA07bJv AgMBAAGjIzAhMA4GA1UdDwEB/wQEAwICpDAPBgNVHRMBAf8EBTADAQH/MA0GCSqG SIb3DQEBCwUAA4IBAQAKIx5yiL368ZmrFT030geP3DP4Jj51ue97Qxj3X9XXK11r OXZmBIfj2PtnwnFjU0w9ryUkiob/bVDN3ZESmKDsAG1gef8VI2Ziqb2p7KMx1Qr3 MHZ1Qqrb+bGreoVqoO8L+nYoFkwVfDedpV1WLotfYCqKhFj+0/k3DnoT2p5ULpB2 GTyFxoKlPCBTKdbW0h/Kb5Q4A2nKISoD+mjeieAQS2Dsi2QkZlWrxu1wrFtZXeTu hxMu1kGKYo7IMYSNmme2GY4kcR8JTfohueqk+jmo9lKX52ywfFJK8Ld/Kvsgf8Bm OQaFAMeRtwslXfMJXlQbrmbFsbOpAw5gAwnHxVTt -----END CERTIFICATE----- requestheader-extra-headers-prefix: ---- ["X-Remote-Extra-"] requestheader-group-headers: ---- ["X-Remote-Group"] requestheader-username-headers: ---- ["X-Remote-User"] Name: kube-controller-manager Namespace: kube-system Labels: <none> Annotations: control-plane.alpha.kubernetes.io/leader={"holderIdentity":"qe-zhsun-36-gceeeemaster-etcd-1","leaseDurationSeconds":15,"acquireTime":"2018-05-31T10:12:42Z","renewTime":"2018-05-31T10:16:17Z","leaderTr... Data ==== Events: FirstSeen LastSeen Count From SubObjectPath Type Reason Message --------- -------- ----- ---- ------------- -------- ------ ------- 1h 1h 1 controller-manager Normal LeaderElection qe-zhsun-36-gcemaster-etcd-1 became leader 1h 1h 1 controller-manager Normal LeaderElection qe-zhsun-36-gcemaster-etcd-1 became leader Name: kube-scheduler Namespace: kube-system Labels: <none> Annotations: control-plane.alpha.kubernetes.io/leader={"holderIdentity":"qe-zhsun-36-gcemaster-etcd-1","leaseDurationSeconds":15,"acquireTime":"2018-05-31T09:07:16Z","renewTime":"2018-05-31T10:15:45Z","leaderTrans... Data ==== Events: FirstSeen LastSeen Count From SubObjectPath Type Reason Message --------- -------- ----- ---- ------------- -------- ------ ------- 1h 1h 1 default-scheduler Normal LeaderElection qe-zhsun-36-gcemaster-etcd-1 became leader 1h 1h 1 default-scheduler Normal LeaderElection qe-zhsun-36-gcemaster-etcd-1 became leader Name: openshift-master-controllers Namespace: kube-system Labels: <none> Annotations: control-plane.alpha.kubernetes.io/leader={"holderIdentity":"master-qe-zhsun-36-gcemaster-etcd-1-10.240.0.56-xxbfdthc","leaseDurationSeconds":15,"acquireTime":"2018-05-31T09:08:00Z","renewTime":"2018-0... Data ==== Events: FirstSeen LastSeen Count From SubObjectPath Type Reason Message --------- -------- ----- ---- ------------- -------- ------ ------- 1h 1h 1 openshift-master-controllers Normal LeaderElection master-qe-zhsun-36-gcemaster-etcd-1-10.240.0.56-wsb8bmmh became leader 1h 1h 1 openshift-master-controllers Normal LeaderElection master-qe-zhsun-36-gcemaster-etcd-1-10.240.0.56-xxbfdthc became leader
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:1798