Creation of Supervisor Service with ID ca-clusterissuer.vsphere.vmware.com is not allowed

The latest vSphere with Tanzu update from mid-December 2022 brought us some Supervisor Services.
Some of you might remember MinIO, Cloudian and Velero as out-of-the-box Supervisor Services. Except for Velero, they were third-party solutions.
This time, VMware released three new services:

  • ca-clusterissuer
  • Harbor (as a replacement for the embedded Harbor registry, aka vRegistry)
  • Contour

They are provided on GitHub: https://github.com/vsphere-tmm/Supervisor-Services/blob/main/README.md

Problem

One of the services, namely ca-clusterissuer, throws an error when you try to install it:

Creation of Supervisor Service with ID ca-clusterissuer.vsphere.vmware.com is not allowed. Only service IDs defined in the allow-list file /etc/vmware/wcp/supervisor-services-allow-list.txt are allowed.

Solution

Fixing this is rather simple. We need to SSH to vCenter and open the file mentioned in the error message, /etc/vmware/wcp/supervisor-services-allow-list.txt.

As we can see, it lists “ca-clusterissuer” as an allowed service. But this name does not match the name in the ca-clusterissuer.yml downloaded from GitHub:

---
apiVersion: data.packaging.carvel.dev/v1alpha1
kind: PackageMetadata
metadata:
  name: ca-clusterissuer.vsphere.vmware.com
spec:
  displayName: CA Cluster Issuer
  shortDescription: CA Cluster Issuer can sign CSRs from any namespace.
---
apiVersion: data.packaging.carvel.dev/v1alpha1
kind: Package
metadata:
  name: ca-clusterissuer.vsphere.vmware.com.0.0.1
spec:
  refName: ca-clusterissuer.vsphere.vmware.com
  version: 0.0.1
  releasedAt: 2022-10-26T09:46:06Z
  template: # type of App CR
    spec:
      fetch:
      # An imgpkg bundle is an OCI image that contains Kubernetes configurations.
      # Refer to carvel-imgpkg/README for steps of building a bundle.
      - imgpkgBundle:
          image: projects.registry.vmware.com/vsphere/ca-clusterissuer-bundle:v0.0.1 
      template:
        - ytt:
            paths:
              - config/
      deploy:
        - kapp: {}

In line 5, we see that the actual name is ca-clusterissuer.vsphere.vmware.com (as also mentioned in the initial error message).
So, the only thing to do is to change the entry in supervisor-services-allow-list.txt so that it reads ca-clusterissuer.vsphere.vmware.com.

Save the file and you are good to go. No service restart or even vCenter restart is required. Just re-apply the service YAML.
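
A pre-flight check for the mismatch described above, as an added example that is not part of the original post or of VMware's tooling: it extracts the PackageMetadata name from the service YAML and tests it for an exact, whole-line match in the allow-list. It assumes the allow-list holds one service ID per line; the function names and the sample files built in demo are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumption: the allow-list holds one service ID per line.
# On vCenter: sh check.sh ca-clusterissuer.yml /etc/vmware/wcp/supervisor-services-allow-list.txt

# Print metadata.name of the PackageMetadata document in a multi-document YAML file.
package_metadata_name() {
    awk '
        function emit() {
            if (kind == "PackageMetadata" && name != "") print name
            kind = ""; name = ""; in_meta = 0
        }
        { sub(/\r$/, "") }                      # tolerate CRLF downloads
        /^---/ { emit(); next }                 # document separator
        /^kind:/ { kind = $2 }
        /^metadata:/ { in_meta = 1; next }
        /^[^ #]/ { in_meta = 0 }                # any other top-level key ends metadata
        in_meta && /^  name:/ { name = $2 }
        END { emit() }
    ' "$1"
}

# Succeed only on an exact whole-line match; the short entry
# "ca-clusterissuer" does not match "ca-clusterissuer.vsphere.vmware.com".
id_is_allowed() {
    grep -Fxq -- "$1" "$2"
}

# Usage: check_service <service.yml> <allow-list file>; returns 0, 1 or 2.
check_service() {
    id=$(package_metadata_name "$1")
    if [ -z "$id" ]; then echo "no PackageMetadata name in $1" >&2; return 2; fi
    if id_is_allowed "$id" "$2"; then echo "allowed: $id"; return 0; fi
    echo "not allowed: $id"; return 1
}

# Constructed sample files that mirror the mismatch described above.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '---' 'kind: PackageMetadata' 'metadata:' \
        '  name: ca-clusterissuer.vsphere.vmware.com' '---' 'kind: Package' \
        'metadata:' '  name: ca-clusterissuer.vsphere.vmware.com.0.0.1' > "$d/svc.yml"
    printf '%s\n' 'ca-clusterissuer' > "$d/before.txt"
    printf '%s\n' 'ca-clusterissuer.vsphere.vmware.com' > "$d/after.txt"
    before=0; check_service "$d/svc.yml" "$d/before.txt" || before=$?
    after=0; check_service "$d/svc.yml" "$d/after.txt" || after=$?
    rm -rf "$d"
    [ "$before" -eq 1 ] && [ "$after" -eq 0 ]
}

if [ "$#" -eq 2 ]; then check_service "$1" "$2"; else demo; fi
```

Copying the allow-list aside before editing it gives you a known-good version to diff against or restore.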
