Error : no client CA cert available for apiextension-server

Hi,

I installed Linkerd2 (stable-2.6.0) in my K8S v1.16.2 cluster and I got the following error on “linkerd-tap”, “tap” container:
"no client CA cert available for apiextension-server "

Does someone know how to resolve this ?

Ty for help

@pierreilki

That particular error message is displayed when tap attempts to read from the extension-apiserver-authentication ConfigMap in the kube-system namespace.

The specific implementation is here.

Can you run the following kubectl command and make sure it returns a value?

kubectl -n kube-system get cm/extension-apiserver-authentication -ojsonpath='{.data.requestheader-client-ca-file}'

One of two things is likely happening:

  1. RBAC is preventing the Linkerd components from accessing the ConfigMap in the kube-system namespace
  2. The ConfigMap doesn’t have the requestheader-client-ca-file value set

Is your cluster running in a managed environment like GKE or AKS?

Charles

Hi Charles,

Thanks for your reply.

I tried the command, and nothing is returned.

My ConfigMap is available at : https://raw.githubusercontent.com/pierreilki/debug/master/debug

The value “requestheader-client-ca-file” is not set, and I don’t understand why because the other values are present…

Do you have any idea of why it is happening ?

My K8S cluster is not in AKS, EKS or GKE managed clusters. I installed it by myself with my own distribution (Agorakube).

I will try to add some flags (--requestheader-client-ca-file) to my “kube-apiservers” to enable this flag in my ConfigMap. I think I need to extend my API servers with the “aggregation layer”…

Have a good day :slight_smile:

@pierreilki

I just took a look at Agorakube and it looks like an interesting project.

It looks like you need to add the --requestheader-client-ca-file parameter to the template that starts kube-apiserver: https://github.com/ilkilab/agorakube/blob/c8e5b934854ac2225a273e1c63668ace993301b3/roles/setup-master/templates/kube-apiserver.service.j2

It’s likely that you will have to add more than just the --requestheader-client-ca-file parameter. You can find a full list of parameters here: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/

Hi @cpretzer

I solved my problem by adding the following fields to my kube-apiserver.service file:

--requestheader-client-ca-file=/etc/kubernetes/pki/kubernetes-front-proxy-ca.crt
--requestheader-allowed-names=front-proxy-client
--requestheader-extra-headers-prefix=X-Remote-Extra-
--requestheader-group-headers=X-Remote-Group
--requestheader-username-headers=X-Remote-User
--proxy-client-cert-file=/etc/kubernetes/pki/proxy/front-proxy-client.crt
--proxy-client-key-file=/etc/kubernetes/pki/proxy/front-proxy-client.key

It was easier than expected to solve :stuck_out_tongue:

Thank you for your help !! :slight_smile:

Have a nice day
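
As an added example (not part of the thread, and not Linkerd or Agorakube code), the shell functions below audit a kube-apiserver systemd unit for the flags listed in the post above and report any that are missing, empty, or point at files that cannot be read. The function names, the sample unit and its binary path are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a kube-apiserver systemd unit for the aggregation-layer
# flags listed in the post above. Function names are hypothetical.
REQUIRED_FLAGS="--requestheader-client-ca-file --requestheader-allowed-names
--requestheader-extra-headers-prefix --requestheader-group-headers
--requestheader-username-headers --proxy-client-cert-file --proxy-client-key-file"

# flag_value UNIT FLAG: print FLAG's value in UNIT, or nothing if absent.
flag_value() {
  # Drop comment lines, then split on whitespace and continuation backslashes.
  # Anchoring at ^ keeps --client-ca-file (a different flag) from being
  # mistaken for --requestheader-client-ca-file.
  grep -v '^[[:space:]]*#' "$1" | tr -s ' \t\\' '\n' |
    sed -n "s|^$2=||p" | head -n 1
}

# missing_flags UNIT: print each required flag that is absent or empty.
missing_flags() {
  for f in $REQUIRED_FLAGS; do
    [ -n "$(flag_value "$1" "$f")" ] || printf '%s\n' "$f"
  done
}

# unreadable_files UNIT: print file-valued flags whose path cannot be read here.
unreadable_files() {
  for f in --requestheader-client-ca-file --proxy-client-cert-file \
           --proxy-client-key-file; do
    p=$(flag_value "$1" "$f")
    [ -z "$p" ] || [ -r "$p" ] || printf '%s=%s\n' "$f" "$p"
  done
}

# Constructed sample unit (not Agorakube's real template): partial flag set,
# one empty value and one commented-out flag.
write_sample_unit() {
  cat > "$1" <<'EOF'
[Service]
ExecStart=/usr/local/bin/kube-apiserver \
  --client-ca-file=/etc/kubernetes/pki/ca.crt \
  --requestheader-client-ca-file=/etc/kubernetes/pki/kubernetes-front-proxy-ca.crt \
  --requestheader-allowed-names=front-proxy-client \
  --requestheader-username-headers=
# --proxy-client-key-file=/etc/kubernetes/pki/proxy/front-proxy-client.key
EOF
}

# Usage: sh audit.sh /path/to/kube-apiserver.service
if [ -n "${1:-}" ]; then missing_flags "$1"; unreadable_files "$1"; fi
```

Run it on the master node against the rendered unit file; empty output means every flag from the list is set and the three referenced files are readable by the invoking user.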

@pierreilki

That’s great to hear! Thanks for the update.

I hope your Agorakube is successful!

Charles