Red Hat Advanced Cluster Management / ACM-2055

Submariner gateway: Error creating AWS security group if already exists


    Description

      Description of problem:

      Trying to apply the SubmarinerConfig on an existing Submariner setup fails with:

      Failed to prepare submariner cluster environment: unable to create gateway: error creating AWS security group: operation error EC2: CreateSecurityGroup, https response error StatusCode: 400,

      Api error InvalidGroup.Duplicate: The security group 'aws-nmanos-a1-dwpw6-submariner-gw-sg' already exists for VPC 'vpc-0b6d6fdf114918517'

       

      Version-Release number of selected component (if applicable):

      OCP 4.11.0

      ACM 2.7.0

      Submariner 0.14.0

      How reproducible:

      Few times

      Steps to Reproduce:

      Create a SubmarinerConfig on an existing ACM managed cluster that already has an existing Submariner installation.

      Full scenario:

      https://qe-jenkins-csb-skynet.apps.ocp-c1.prod.psi.redhat.com/view/ACM%202.7/job/ACM-2.7.0-Submariner-0.14.0-AWS-GCP-Globalnet/27/Test-Report/

      Actual results:

       

      $ oc  describe submarinerconfig "submariner" -n "acm-aws-nmanos-a1"
      Name:         submariner
      Namespace:    acm-aws-nmanos-a1
      Labels:       <none>
      Annotations:  <none>
      API Version:  submarineraddon.open-cluster-management.io/v1alpha1
      Kind:         SubmarinerConfig
      Metadata:
        Creation Timestamp:  2022-11-11T19:51:55Z
        Finalizers:
          submarineraddon.open-cluster-management.io/config-cleanup
        Generation:  3
        Managed Fields:
          API Version:  submarineraddon.open-cluster-management.io/v1alpha1
          Fields Type:  FieldsV1
          fieldsV1:
            f:metadata:
              f:finalizers:
                .:
                v:"submarineraddon.open-cluster-management.io/config-cleanup":
            f:spec:
              f:gatewayConfig:
                f:azure:
                  .:
                  f:instanceType:
                f:gcp:
                  .:
                  f:instanceType:
                f:rhos:
                  .:
                  f:instanceType:
          Manager:      submariner
          Operation:    Update
          Time:         2022-11-11T19:51:55Z
          API Version:  submarineraddon.open-cluster-management.io/v1alpha1
          Fields Type:  FieldsV1
          fieldsV1:
            f:status:
              .:
              f:conditions:
              f:managedClusterInfo:
                .:
                f:clusterName:
                f:infraId:
                f:platform:
                f:region:
                f:vendor:
                f:vendorVersion:
          Manager:      submariner
          Operation:    Update
          Subresource:  status
          Time:         2022-11-11T19:51:59Z
          API Version:  submarineraddon.open-cluster-management.io/v1alpha1
          Fields Type:  FieldsV1
          fieldsV1:
            f:metadata:
              f:annotations:
                .:
                f:kubectl.kubernetes.io/last-applied-configuration:
            f:spec:
              .:
              f:IPSecIKEPort:
              f:IPSecNATTPort:
              f:NATTDiscoveryPort:
              f:NATTEnable:
              f:airGappedDeployment:
              f:cableDriver:
              f:credentialsSecret:
                .:
                f:name:
              f:gatewayConfig:
                .:
                f:aws:
                  .:
                  f:instanceType:
                f:gateways:
              f:imagePullSpecs:
                .:
                f:lighthouseAgentImagePullSpec:
                f:lighthouseCoreDNSImagePullSpec:
                f:submarinerImagePullSpec:
                f:submarinerRouteAgentImagePullSpec:
              f:loadBalancerEnable:
              f:subscriptionConfig:
                .:
                f:channel:
                f:source:
                f:sourceNamespace:
                f:startingCSV:
          Manager:         kubectl-client-side-apply
          Operation:       Update
          Time:            2022-11-11T21:38:01Z
        Resource Version:  622901
        UID:               7004d36d-16d5-413d-be05-53b21d21a608
      Spec:
        IP Sec IKE Port:        501
        IP Sec NATT Port:       4501
        NATT Discovery Port:    4900
        NATT Enable:            true
        Air Gapped Deployment:  false
        Cable Driver:           libreswan
        Credentials Secret:
          Name:  acm-aws-nmanos-a1-aws-creds
        Gateway Config:
          Aws:
            Instance Type:  c5d.large
          Azure:
            Instance Type:  Standard_D4s_v3
          Gateways:         1
          Gcp:
            Instance Type:  n1-standard-4
          Rhos:
            Instance Type:  PnTAE.CPU_16_Memory_32768_Disk_80
        Image Pull Specs:
          Lighthouse Agent Image Pull Spec:        
          Lighthouse Core DNS Image Pull Spec:     
          Submariner Image Pull Spec:              
          Submariner Route Agent Image Pull Spec:  
        Load Balancer Enable:                      false
        Subscription Config:
          Channel:           stable-0.14
          Source:            submariner-stable-0-14-catalog
          Source Namespace:  submariner-operator
          Starting CSV:      submariner.v0.14.0
      Status:
        Conditions:
          Last Transition Time:  2022-11-11T21:33:21Z
          Message:               Failed to prepare submariner cluster environment: unable to create gateway: error creating AWS security group: operation error EC2: CreateSecurityGroup, https response error StatusCode: 400, RequestID: b113a49a-5c3e-4cdf-875b-c4e5633e210c, api error InvalidGroup.Duplicate: The security group 'aws-nmanos-a1-dwpw6-submariner-gw-sg' already exists for VPC 'vpc-0b6d6fdf114918517'
          Reason:                SubmarinerClusterEnvPreparationFailed
          Status:                False
          Type:                  SubmarinerClusterEnvironmentPrepared
          Last Transition Time:  2022-11-11T19:55:05Z
          Message:               1 node(s) ("ip-10-16-8-148.us-west-1.compute.internal") are labeled as gateways
          Reason:                Success
          Status:                True
          Type:                  SubmarinerGatewaysLabeled
        Managed Cluster Info:
          Cluster Name:    acm-aws-nmanos-a1
          Infra Id:        aws-nmanos-a1-dwpw6
          Platform:        AWS
          Region:          us-west-1
          Vendor:          OpenShift
          Vendor Version:  4.11.13
      Events:              <none>
      

       

      Expected results:

      SubmarinerConfig should be created successfully, even if it was already applied before.

      Additional info:

       


          People

            mkolesni@redhat.com Michael Kolesnik (Inactive)
            nmanos@redhat.com Noam Manos
            Noam Manos Noam Manos
            ACM QE Team
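
The following is an added example, not part of the issue and not code from Submariner or ACM: one way to make the security-group step idempotent, so that a second apply treats `InvalidGroup.Duplicate` as "already prepared" instead of a failure. `sgAPI`, `apiError`, `fakeEC2` and `EnsureSecurityGroup` are hypothetical names, and the in-memory fake stands in for EC2 so the block runs offline.

```go
package main

import (
	"errors"
	"fmt"
)

// apiError is a local stand-in (assumption) for an SDK error carrying an EC2 error code.
type apiError struct{ Code, Msg string }

func (e *apiError) Error() string { return "api error " + e.Code + ": " + e.Msg }

// sgAPI is a hypothetical two-call view of EC2; Find returns "" when no group matches.
type sgAPI interface {
	Create(vpcID, name string) (string, error)
	Find(vpcID, name string) string
}

// EnsureSecurityGroup creates the group, or adopts the existing one on InvalidGroup.Duplicate.
func EnsureSecurityGroup(api sgAPI, vpcID, name string) (id string, created bool, err error) {
	if id, err = api.Create(vpcID, name); err == nil {
		return id, true, nil
	}
	var ae *apiError
	if errors.As(err, &ae) && ae.Code == "InvalidGroup.Duplicate" {
		if existing := api.Find(vpcID, name); existing != "" {
			return existing, false, nil // adopted: rules still need reconciling
		}
	}
	return "", false, fmt.Errorf("error creating AWS security group: %w", err)
}

// fakeEC2 is a constructed in-memory backend, keyed by "vpc/name", for the demo only.
type fakeEC2 struct{ groups map[string]string }

func (f *fakeEC2) Create(vpcID, name string) (string, error) {
	if _, ok := f.groups[vpcID+"/"+name]; ok {
		return "", &apiError{"InvalidGroup.Duplicate", "security group '" + name + "' already exists"}
	}
	f.groups[vpcID+"/"+name] = fmt.Sprintf("sg-constructed-%d", len(f.groups)+1)
	return f.groups[vpcID+"/"+name], nil
}

func (f *fakeEC2) Find(vpcID, name string) string { return f.groups[vpcID+"/"+name] }

func main() {
	api := &fakeEC2{groups: map[string]string{}}
	fmt.Println(EnsureSecurityGroup(api, "vpc-0b6d6fdf114918517", "aws-nmanos-a1-dwpw6-submariner-gw-sg"))
	fmt.Println(EnsureSecurityGroup(api, "vpc-0b6d6fdf114918517", "aws-nmanos-a1-dwpw6-submariner-gw-sg"))
}
```

Adopting a group by name means inheriting whatever rules it already carries, so a real implementation should compare the group's ingress rules with the expected gateway ports before relying on it.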