Unauthorized about fissile HOT 6 OPEN

It is hard to say without actually seeing the rolemanifest.

If you use RBAC on the cluster, did you set the kube.auth setting in your values.yaml file to rbac to enable correct service accounts and role bindings?

Do you have the PodSecurityPolicy admission controller enabled on that cluster?

from fissile.

Okay, so RBAC is not enabled on the Cluster.
I'm not sure how to set authentication is there documentation on that?

from fissile.

Authentication defaults to none, which is correct when you don't have RBAC enabled.

Is there a way you can share the rolemanifest and bosh release so we can take a look? Or create a simplified test case if this is private code?

from fissile.

Okay I've tried with the nats example and I'm getting the same issue

from fissile.

This is the same error when I curl my kube-api directly without and client x509 cert.
is it possible to include a client cert in the yaml to use to authorize configgin?

from fissile.

I'm not sure we ever tested fissile with user accounts requiring client certs, so I'm not sure how to configure it (and if it would work).

The configgin code assumes that all pods have a service account with sufficient access (look at templates/auth-role-configgin-role.yaml inside the generated helm chart).

The configgin code to fetch the auth token from its service account is at https://github.com/SUSE/configgin/blob/8b4b33ebc34fd494c2b90bfb03aae1534e40761b/bin/configgin#L24-L35

BTW, it looks like RBAC is now the default, you would have to switch this to none to disable it (in values.yaml):

kube:
...
  auth: "rbac"

But I expect it to continue to fail for you because you would still need to provide an authenticated token to the default service account somehow.

from fissile.