Need help configuring dashboard correctly

[AlainRoy]

I'm developing a new kube-up implementation for VMware's Photon Controller. While the basics work fine (I can deploy pods and services), I can't get the UI to work. I have the same symptom as in Issue #374. That is, when I connect to the UI through my web browser, I get an error that it can't connect to localhost:8080. If I pass --apiserver-host, I get an error like:

Get https://10.146.37.191/api/v1/replicationcontrollers: x509: failed to load system roots and no roots provided

I'm experiencing this with both the 1.2 release of Kubernetes as well as the head of the master branch. I've used both dashboard 1.0.0 and 1.0.1

Unfortunately, a combination of studying issue #374 and lots of experimentation hasn't helped. (I've mounted /etc/ssl/certs and ensured a .kube/config file was in place, among other things.) I'm sure the fault is all mine: I must not have the configuration set up correctly.

Instead of asking you "what's wrong?", I'd prefer to ask you how the dashboard knows how to connect to the API server. How does it normally discover the IP address and the correct way to authenticate?

I've noticed that the dashboard container doesn't mount any of the standard places to find a kubeconfig file, so it must be getting the configuration another way. Is it via the environment? What environment variables is it looking for? I'm guessing it might use KUBERNETES_MASTER to find the IP address, but I don't know how it finds the authentication configuration. I've looked at the Kubernetes client code a bit, but it wasn't immediately obvious.

Like many of the kube-up implementations--but unlike the AWS and GCE implementations--my Kubernetes nodes's kubeconfig files for kubelet and kube-proxy use tokens instead of certificates. Could the fact that I haven't set up certificates be a problem? If I do set them up, where does the dashboard expect to find them?

Thanks!

[AlainRoy]

After some research, I think the answer might be:

• The dashboard uses a service account with a service account token
• It assumes that the kubernetes apiserver has been configured with the ServiceAccount admission control. This will mount a volume that contains a file (/var/run/secrets/kubernetes.io/serviceaccount/token) with the service account token.
• Unless the dashboard has been started with the --apiserver-host option, it will use the KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to know how to contact the apiserver. These are set by default for the dashboard container by Kubernetes

Is this accurate? Did I miss anything?

[bryk]

This is all correct. The code we use is kubernetes client package located at: https://github.com/kubernetes/kubernetes/blob/dae5ac482861382e18b1e7b2943b1b7f333c6a2a/pkg/client/unversioned/clientcmd/doc.go

Can you help us adding this to the documentation? Or fixing the initialization phase to automatically start on your setup?

Do other addons, like Heapster, work out of the box?

[AlainRoy]

I'm fixing my setup. I think it'd be useful to document as well, so other people can figure it out more easily.

I'm happy to write some docs on it: where would you suggest they go, exactly?

[bryk]

Awesome, thank you! In this repository it is best to put is in docs/user-guide/foo.md. foo.md may be troubleshooting.md, certificates.md, or installation.md. Depending on the scope of your contribution :) I'll let you chose this. Just use common sense.

[AlainRoy]

I wrote some docs. I would have written something with a larger scope, but I don't yet know enough. I'm happy to tweak this in any way that you want, so it fits into the existing docs well. I hope this helps.
#648