OpenShift Bugs / OCPBUGS-33573

ZTP for IPSec N-S should enable local gateway mode


    • Bug
    • Resolution: Unresolved
    • Major
    • None
    • 4.16.0
    • GitOps ZTP
    • None
    • Important
    • No
    • Proposed
    • False

      Description of problem:

      When a SNO cluster is deployed with ZTP with IPSec N-S, it is not possible for packets originating from a workload to get encapsulated on the IPSec tunnel.

      Version-Release number of selected component (if applicable):

      4.16    

      How reproducible:

          100%

      Steps to Reproduce:

          1.  Follow the example in ZTP to configure IPSec: https://github.com/openshift-kni/cnf-features-deploy/blob/master/README.md
          2.  Create a service and deployment for a workload pod.
          3.  Try to ping an IP on the VPN subnet on the Security Gateway.
          

      Actual results:

          It is not possible for packets originating from this pod to get encapsulated on the IPSec tunnel, which is managed on the host.

      Expected results:

          It should be possible for packets originating from this pod to get encapsulated on the IPSec tunnel, which is managed on the host.

      Additional info:

          Setting local gateway mode would resolve this problem:
      
      oc get network.operator/cluster -o json
      ...
      {"spec":{"defaultNetwork":{"ovnKubernetesConfig":{"gatewayConfig":{"routingViaHost":true}}}}}

            saledort Sabina Aledort
            bradyjoh@redhat.com Brady Johnson
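An added example, not part of the original report or of the ZTP project's code: a small Python check that reads the output of `oc get network.operator/cluster -o json`, decides whether local gateway mode (`routingViaHost: true`) is set, and if not builds an `oc patch` command carrying the JSON from "Additional info". The function names and the sample CRs are constructed for illustration; a missing `gatewayConfig` is treated as the shared gateway default.

```python
import json

# Merge patch taken from the report's "Additional info":
# routingViaHost=true selects OVN-Kubernetes local gateway mode.
LOCAL_GW_PATCH = {"spec": {"defaultNetwork": {"ovnKubernetesConfig": {
    "gatewayConfig": {"routingViaHost": True}}}}}


def routing_via_host(network_operator_json: str) -> bool:
    """Return True only if the CR explicitly sets routingViaHost to true.

    Any missing level (no ovnKubernetesConfig, no gatewayConfig) counts as
    false, i.e. the shared gateway default.
    """
    node = json.loads(network_operator_json)
    for key in ("spec", "defaultNetwork", "ovnKubernetesConfig",
                "gatewayConfig", "routingViaHost"):
        if not isinstance(node, dict) or key not in node:
            return False
        node = node[key]
    # Reject truthy non-booleans such as the string "true".
    return node is True


def remediation(network_operator_json: str):
    """Return None if local gateway mode is set, else an oc patch command."""
    if routing_via_host(network_operator_json):
        return None
    patch = json.dumps(LOCAL_GW_PATCH, separators=(",", ":"))
    return f"oc patch network.operator/cluster --type=merge -p '{patch}'"


# Constructed sample CRs (not captured from a real cluster).
SAMPLE_DEFAULT = json.dumps({"spec": {"defaultNetwork": {
    "type": "OVNKubernetes", "ovnKubernetesConfig": {}}}})
SAMPLE_LOCAL_GW = json.dumps({"spec": {"defaultNetwork": {
    "type": "OVNKubernetes", "ovnKubernetesConfig": {
        "gatewayConfig": {"routingViaHost": True}}}}})

if __name__ == "__main__":
    for name, cr in (("default", SAMPLE_DEFAULT),
                     ("local-gw", SAMPLE_LOCAL_GW)):
        print(name, "->", remediation(cr) or "local gateway mode already set")
```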