Properly publish the requestheader CA and authentication info

services/apiserver.go

@@ -363,7 +363,15 @@ func buildApiConfig(c *Cluster, config server.Config, clients *k8s.Clients) (*co
 			APIResourceConfigSource:  generic.MergedResourceConfig,
 			StorageFactory:           restOptionsGetter.StorageFactory,
 			ClusterAuthenticationInfo: clusterauthenticationtrust.ClusterAuthenticationInfo{
-				ClientCA: config.SecureServing.ClientCA,
+				// This is duplicated information from the authentication layer, so that
+				// the start-cluster-authentication-info-controller controller properly
+				// populates the extension-apiserver-authentication ConfigMap with
+				// authentication info
+				ClientCA:                         config.SecureServing.ClientCA,
+				RequestHeaderCA:                  config.Authentication.RequestHeaderConfig.CAContentProvider,
+				RequestHeaderUsernameHeaders:     config.Authentication.RequestHeaderConfig.ExtraHeaderPrefixes,
+				RequestHeaderGroupHeaders:        config.Authentication.RequestHeaderConfig.GroupHeaders,
+				RequestHeaderExtraHeaderPrefixes: config.Authentication.RequestHeaderConfig.ExtraHeaderPrefixes,
 			},
 		},
 	}, nil