kubernetes-retired / service-catalog

Consume services in Kubernetes using the Open Service Broker API
https://svc-cat.io
Apache License 2.0

RBAC error in latest published catalog Helm chart #2274

Closed migmartri closed 6 years ago

migmartri commented 6 years ago

Bug Report

What happened:

The latest version of the catalog chart released here does not seem to work correctly in either GKE or Minikube.

This issue seems to be fixed in the chart existing in the Git repository, so releasing that chart upstream should fix the issue.

See error below:

k logs catalog-catalog-controller-manager-d6bf74d9f-ggpcb -n catalog 

...
I0809 17:00:07.205504       1 round_trippers.go:405] GET https://10.15.240.1:443/apis/servicecatalog.k8s.io/v1beta1/servicebrokers?limit=500&resourceVersion=0 403 Forbidden in 15 milliseconds
I0809 17:00:07.205548       1 round_trippers.go:411] Response Headers:
I0809 17:00:07.205555       1 round_trippers.go:414]     Content-Type: application/json
I0809 17:00:07.205560       1 round_trippers.go:414]     X-Content-Type-Options: nosniff
I0809 17:00:07.205565       1 round_trippers.go:414]     Content-Length: 459
I0809 17:00:07.205569       1 round_trippers.go:414]     Date: Thu, 09 Aug 2018 17:00:07 GMT
I0809 17:00:07.205574       1 round_trippers.go:414]     Audit-Id: b06b9e09-b289-43a6-b171-1451c6f5e0e3
I0809 17:00:07.205594       1 request.go:897] Response Body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"servicebrokers.servicecatalog.k8s.io is forbidden: User \"system:serviceaccount:catalog:service-catalog-controller-manager\" cannot list servicebrokers.servicecatalog.k8s.io at the cluster scope: Unknown user \"system:serviceaccount:catalog:service-catalog-controller-manager\"","reason":"Forbidden","details":{"group":"servicecatalog.k8s.io","kind":"servicebrokers"},"code":403}
E0809 17:00:07.205655       1 reflector.go:205] github.com/kubernetes-incubator/service-catalog/pkg/client/informers_generated/externalversions/factory.go:118: Failed to list *v1beta1.ServiceBroker: servicebrokers.servicecatalog.k8s.io is forbidden: User "system:serviceaccount:catalog:service-catalog-controller-manager" cannot list servicebrokers.servicecatalog.k8s.io at the cluster scope: Unknown user "system:serviceaccount:catalog:service-catalog-con

What you expected to happen:

By deploying the chart in the git repo https://github.com/kubernetes-incubator/service-catalog/tree/master/charts/catalog the call returns 200.

k logs catalog-catalog-controller-manager-d6bf74d9f-ggpcb -n catalog | grep "GET https://10.15.240.1:443/apis/servicecatalog.k8s.io/v1beta1/servicebrokers" -A 2
I0809 17:08:09.775997       1 round_trippers.go:405] GET https://10.15.240.1:443/apis/servicecatalog.k8s.io/v1beta1/servicebrokers?limit=500&resourceVersion=0 200 OK in 174 milliseconds

How to reproduce it (as minimally and precisely as possible):

# Install upstream chart
$ helm install svc-cat/catalog --name catalog --namespace catalog \
   --set apiserver.storage.etcd.persistence.enabled=true

$ helm list
NAME    REVISION    UPDATED                     STATUS      CHART                           NAMESPACE
catalog 1           Thu Aug  9 09:58:01 2018    DEPLOYED    catalog-0.1.28                  catalog  

$ k logs catalog-catalog-controller-manager-d6bf74d9f-ggpcb -n catalog 
# You can see 403 errors.
...
I0809 17:00:07.205504       1 round_trippers.go:405] GET https://10.15.240.1:443/apis/servicecatalog.k8s.io/v1beta1/servicebrokers?limit=500&resourceVersion=0 403 Forbidden in 15 milliseconds...

# Upgrading the release to use the chart in the repository fixes it
$ git clone git@github.com:kubernetes-incubator/service-catalog.git

$ helm upgrade catalog service-catalog/charts/catalog/

# Upgraded to rev 2
$ helm list
NAME    REVISION    UPDATED                     STATUS      CHART                           NAMESPACE
catalog 2           Thu Aug  9 10:07:12 2018    DEPLOYED    catalog-0.1.28                  catalog  

# And now it returns 200
$ k logs catalog-catalog-controller-manager-d6bf74d9f-ggpcb -n catalog | grep "GET https://10.15.240.1:443/apis/servicecatalog.k8s.io/v1beta1/servicebrokers" -A 2
I0809 17:08:09.775997       1 round_trippers.go:405] GET https://10.15.240.1:443/apis/servicecatalog.k8s.io/v1beta1/servicebrokers?limit=500&resourceVersion=0 200 OK in 174 milliseconds

Anything else we need to know?:

Environment:

jboyd01 commented 6 years ago

Thanks for the report @migmartri, we just got this reported & fixed earlier this week by https://github.com/kubernetes-incubator/service-catalog/pull/2263 and it will be in the next release of catalog we do today.