Submariner unable to retrieve the complete list of server APIs: submariner.io/v1alpha1: Unauthorized #3180

Open
BhavaniYalamanchili opened this issue Oct 5, 2024 · 1 comment


@BhavaniYalamanchili

ISSUE:

Submariner looks fine from Site 2, but from Site 1 there seems to be an issue. When using v0.16.3, we saw the error below:
✗ Error building the cluster.Info for the default configuration: error retrieving Submariner: failed to get API group resources: unable to retrieve the complete list of server APIs: submariner.io/v1alpha1: Unauthorized
So, we installed Submariner v0.18.0. We still do not see the error resolved.

SETUP:

Site 1: OCP 4.15
Site 2: OCP 4.14

Submariner: 0.16.3, 0.18.0

Outputs from Site 1

The gather command is also outputting the same issue.

sh-4.4$ /root/.local/bin/subctl show all --kubeconfig /tmp/local-kubeconfig 
Cluster "local-config"
 ✗ Error building the cluster.Info for the default configuration: error retrieving Submariner: failed to get API group resources: unable to retrieve the complete list of server APIs: submariner.io/v1alpha1: Unauthorized

subctl version: v0.16.3

sh-4.4$ /root/.local/bin/subctl diagnose all --kubeconfig /tmp/local-kubeconfig 
Cluster "local-config"
 ✗ Error building the cluster.Info for the default configuration: error retrieving Submariner: failed to get API group resources: unable to retrieve the complete list of server APIs: submariner.io/v1alpha1: Unauthorized
Skipping inter-cluster firewall check as it requires two kubeconfigs. Please run "subctl diagnose firewall inter-cluster" command manually.

subctl version: v0.16.3

sh-4.4$ /root/.local/bin/subctl show all --kubeconfig /connection/kube-config/f6f23ccf99/kubeconfig 
Cluster "default-cluster"
 ✓ Detecting broker(s)
 ✓ No brokers found

 ✓ Showing Connections
GATEWAY                          CLUSTER   REMOTE IP       NAT   CABLE DRIVER   SUBNETS                        STATUS      RTT avg.     
control-1-ru4.rackae7.mydomain   site1     172.20.107.27   no    libreswan      172.30.0.0/16, 10.128.0.0/14   connected   212.062µs    

 ✓ Showing Endpoints
CLUSTER   ENDPOINT IP     PUBLIC IP     CABLE DRIVER   TYPE     
site2     172.20.4.25     129.41.87.2   libreswan      local    
site2     172.20.4.26     129.41.87.2   libreswan      local    
site2     172.20.4.27     172.20.4.27   libreswan      local    
site1     172.20.107.27   129.41.87.3   libreswan      remote   

 ✓ Showing Gateways
NODE                             HA STATUS   SUMMARY                               
control-1-ru2.gen2004.mydomain   passive     There are no connections              
control-1-ru3.gen2004.mydomain   passive     There are no connections              
control-1-ru4.gen2004.mydomain   active      All connections (1) are established   

 ✓ Showing Network details
    Discovered network details via Submariner:
        Network plugin:  OVNKubernetes
        Service CIDRs:   [172.31.0.0/16]
        Cluster CIDRs:   [10.132.0.0/14]

 ✓ Showing versions 
COMPONENT                       REPOSITORY           CONFIGURED   RUNNING                     ARCH    
submariner-gateway              quay.io/submariner   0.18.0       release-0.18-e3f3e56b57fe   amd64   
submariner-routeagent           quay.io/submariner   0.18.0       release-0.18-e3f3e56b57fe   amd64   
submariner-metrics-proxy        quay.io/submariner   0.18.0       release-0.18-011349c6f17e   amd64   
submariner-operator             quay.io/submariner   0.18.0       release-0.18-68fefdd74105   amd64   
submariner-lighthouse-agent     quay.io/submariner   0.18.0       release-0.18-02b6a5b37266   amd64   
submariner-lighthouse-coredns   quay.io/submariner   0.18.0       release-0.18-02b6a5b37266   amd64   


sh-4.4$ /root/.local/bin/subctl gather --kubeconfig /tmp/local-kubeconfig
Cluster "local-config"
 ✗ Error building the cluster.Info for the default configuration: error retrieving Submariner: failed to get API group resources: unable to retrieve the complete list of server APIs: submariner.io/v1alpha1: Unauthorized

subctl version: v0.16.3


sh-4.4$ /tmp/new_subctl/bin/subctl gather --kubeconfig /tmp/local-kubeconfig
Cluster "local-config"
 ✗ Error building the cluster.Info for the default configuration: error retrieving Submariner: failed to get API group resources: unable to retrieve the complete list of server APIs: submariner.io/v1alpha1: Unauthorized

subctl version: v0.18.0

sh-4.4$ /tmp/new_subctl/bin/subctl show all --kubeconfig /tmp/local-kubeconfig
Cluster "local-config"
 ✗ Error building the cluster.Info for the default configuration: error retrieving Submariner: failed to get API group resources: unable to retrieve the complete list of server APIs: submariner.io/v1alpha1: Unauthorized

subctl version: v0.18.0

sh-4.4$ /tmp/new_subctl/bin/subctl diagnose all --kubeconfig /tmp/local-kubeconfig
Cluster "local-config"
 ✗ Error building the cluster.Info for the default configuration: error retrieving Submariner: failed to get API group resources: unable to retrieve the complete list of server APIs: submariner.io/v1alpha1: Unauthorized
Skipping inter-cluster firewall check as it requires two kubeconfigs. Please run "subctl diagnose firewall inter-cluster" command manually.

subctl version: v0.18.0

Outputs from Site 2

sh-4.4$ ./subctl show all --kubeconfig /connection/kube-config/655759e819/kubeconfig 
Cluster "default-cluster"
 ✓ Detecting broker(s)
NAMESPACE               NAME                COMPONENTS                        GLOBALNET   GLOBALNET CIDR   DEFAULT GLOBALNET SIZE   DEFAULT DOMAINS   
submariner-k8s-broker   submariner-broker   service-discovery, connectivity   no          242.0.0.0/8      65536                                      

 ✓ Showing Connections
GATEWAY                          CLUSTER   REMOTE IP     NAT   CABLE DRIVER   SUBNETS                        STATUS      RTT avg.     
control-1-ru4.gen2004.mydomain   site2     172.20.4.27   no    libreswan      172.31.0.0/16, 10.132.0.0/14   connected   312.197µs    

 ✓ Showing Endpoints
CLUSTER   ENDPOINT IP     PUBLIC IP     CABLE DRIVER   TYPE     
site1     172.20.107.25   129.41.87.3   libreswan      local    
site1     172.20.107.26   129.41.87.3   libreswan      local    
site1     172.20.107.27   129.41.87.3   libreswan      local    
site2     172.20.4.27     172.20.4.27   libreswan      remote   

 ✓ Showing Gateways
NODE                             HA STATUS   SUMMARY                               
control-1-ru2.rackae7.mydomain   passive     There are no connections              
control-1-ru3.rackae7.mydomain   passive     There are no connections              
control-1-ru4.rackae7.mydomain   active      All connections (1) are established   

 ✓ Showing Network details
    Discovered network details via Submariner:
        Network plugin:  OVNKubernetes
        Service CIDRs:   [172.30.0.0/16]
        Cluster CIDRs:   [10.128.0.0/14]

 ✓ Showing versions 
COMPONENT                       REPOSITORY           CONFIGURED   RUNNING                     ARCH    
submariner-gateway              quay.io/submariner   0.18.0       release-0.18-e3f3e56b57fe   amd64   
submariner-routeagent           quay.io/submariner   0.18.0       release-0.18-e3f3e56b57fe   amd64   
submariner-metrics-proxy        quay.io/submariner   0.18.0       release-0.18-011349c6f17e   amd64   
submariner-operator             quay.io/submariner   0.18.0       release-0.18-68fefdd74105   amd64   
submariner-lighthouse-agent     quay.io/submariner   0.18.0       release-0.18-02b6a5b37266   amd64   
submariner-lighthouse-coredns   quay.io/submariner   0.18.0       release-0.18-02b6a5b37266   amd64   


sh-4.4$ ./subctl show all --kubeconfig /tmp/local-kubeconfig                         
Cluster "local-config"
 ✓ Detecting broker(s)
 ✓ No brokers found

 ✓ Showing Connections
GATEWAY                          CLUSTER   REMOTE IP       NAT   CABLE DRIVER   SUBNETS                        STATUS      RTT avg.     
control-1-ru4.rackae7.mydomain   site1     172.20.107.27   no    libreswan      172.30.0.0/16, 10.128.0.0/14   connected   211.018µs    

 ✓ Showing Endpoints
CLUSTER   ENDPOINT IP     PUBLIC IP     CABLE DRIVER   TYPE     
site2     172.20.4.25     129.41.87.2   libreswan      local    
site2     172.20.4.26     129.41.87.2   libreswan      local    
site2     172.20.4.27     172.20.4.27   libreswan      local    
site1     172.20.107.27   129.41.87.3   libreswan      remote   

 ✓ Showing Gateways
NODE                             HA STATUS   SUMMARY                               
control-1-ru2.gen2004.mydomain   passive     There are no connections              
control-1-ru3.gen2004.mydomain   passive     There are no connections              
control-1-ru4.gen2004.mydomain   active      All connections (1) are established   

 ✓ Showing Network details
    Discovered network details via Submariner:
        Network plugin:  OVNKubernetes
        Service CIDRs:   [172.31.0.0/16]
        Cluster CIDRs:   [10.132.0.0/14]

 ✓ Showing versions 
COMPONENT                       REPOSITORY           CONFIGURED   RUNNING                     ARCH    
submariner-gateway              quay.io/submariner   0.18.0       release-0.18-e3f3e56b57fe   amd64   
submariner-routeagent           quay.io/submariner   0.18.0       release-0.18-e3f3e56b57fe   amd64   
submariner-metrics-proxy        quay.io/submariner   0.18.0       release-0.18-011349c6f17e   amd64   
submariner-operator             quay.io/submariner   0.18.0       release-0.18-68fefdd74105   amd64   
submariner-lighthouse-agent     quay.io/submariner   0.18.0       release-0.18-02b6a5b37266   amd64   
submariner-lighthouse-coredns   quay.io/submariner   0.18.0       release-0.18-02b6a5b37266   amd64   

sh-4.4$ 
@tpantelis
Contributor

Unauthorized error means the kubeconfig you supplied to subctl does not have proper permissions to access the target resource on the K8s API server. This is not an issue with Submariner.
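
To narrow down the Unauthorized response discussed above, the following added sketch (not from the thread or from the Submariner project) queries the same `submariner.io/v1alpha1` endpoint with `kubectl` and separates a rejected credential (HTTP 401) from an RBAC denial (HTTP 403). It assumes `kubectl` is on the PATH; the function names and exit codes are inventions of this example.

```shell
#!/bin/sh
# Added example: classify why a kubeconfig cannot read submariner.io/v1alpha1.
# Assumptions (not from the issue): kubectl is installed; the function names
# and exit codes below are hypothetical and exist only in this sketch.

# Exit codes: 0 = group/version readable
#             1 = credential rejected by the API server (HTTP 401)
#             2 = credential accepted but denied by RBAC (HTTP 403)
#             3 = any other failure (network, TLS, bad kubeconfig path, ...)
probe_submariner_api() {
    local kubeconfig="$1" out
    # Request the same group/version that subctl's API discovery failed on.
    if out=$(kubectl --kubeconfig "$kubeconfig" \
                 get --raw /apis/submariner.io/v1alpha1 2>&1); then
        return 0
    fi
    case "$out" in
        *Unauthorized*)          return 1 ;;
        *Forbidden*|*forbidden*) return 2 ;;
        *)                       return 3 ;;
    esac
}

# Print a one-line explanation and pass the probe's exit code through.
explain_probe() {
    local kubeconfig="$1" rc=0
    probe_submariner_api "$kubeconfig" || rc=$?
    case "$rc" in
        0) echo "ok: $kubeconfig can read submariner.io/v1alpha1" ;;
        1) echo "401: the API server rejected the credential in $kubeconfig" \
                "(expired, revoked, or issued for another cluster)" ;;
        2) echo "403: credential accepted, but RBAC does not allow reading" \
                "submariner.io resources" ;;
        *) echo "error: could not query the API server with $kubeconfig" ;;
    esac
    return "$rc"
}

# When a kubeconfig path is given on the command line, probe it.
if [ "$#" -gt 0 ]; then
    explain_probe "$1"
fi
```

Running it against both kubeconfig files used in the report shows whether only `/tmp/local-kubeconfig` carries a credential that the Site 1 API server no longer accepts.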
