Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Done-Errata
Priority: Normal
Fix Version/s: None
Affects Version/s: 4.12.z
Component/s: Networking / ovn-kubernetes
Labels:
None

Test Coverage:

+
Test Link:
https://polarion.engineering.redhat.com/polarion/#/project/OSE/workitem?id=OCP-72336
Severity:
Moderate
Regression:
No
Sprint:
SDN Sprint 234, SDN Sprint 235, SDN Sprint 236, SDN Sprint 237, SDN Sprint 238
sprint_count:
5
Release Blocker:
Rejected
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Target Version:

4.14.0

SFDC Cases Counter:
SFDC Cases Links:

Description

Description of problem:

In a scenario where the ingress INFRA HAproxy vIP is assigned to the same INFRA node where also the EgressIP of the openshift-gitops (ArgoCD) is allocated, any ARP request for the EgressIP address (ARP request sent from the node that is hosting the HAproxy vIP) won't be answered at all.

Version-Release number of selected component (if applicable):

Red Hat OpenShift 4 with the OVN-Kubernetes Container Network Interface (CNI) plugin.
openshift-gitops operator 1.7.1

How reproducible:
It's systematic if the ingress HAProxy vIP and the EgressIP are assigned to the same node.

Steps to Reproduce:

OpenShift 4.12 deployed, on top of vSphere, with ingress HAProxy vIP configured and managed in the INFRA nodes.
OpenShift 4.12 installed with the OVN-Kubernetes Container Network Interface (CNI) plugin
openshift-gitops operator 1.7.1 installed
Egress IP configured and associated to the openshift-gitops namespace.
INFRA nodes labeled as egress-assignable
The EgressIP and the ingress HAProxy vIP was assigned to the same INRA node

Actual results:

As result of the behaviour above described, the authentication in openshift-gitops (ArgoCD integrated with OpenShift) will systematically fail because from the INFRA node isn't possible to resolve the EgressIP.

Expected results:

Not clear what should be because a similar case isn't described in the 4.12 manual.
In the official document there is only the comment below [1] that doesn't match the customer environment where this issue is happening:
1. The Application PODs are running on Worker nodes.
2. The Ingress HA proxy and the EgressIP are assigned to the same INFRA node.

[1]
In some cluster configurations, application pods and ingress router pods run on the same node. If you configure an egress IP address for an application project in this scenario, the IP address is not used when you send a request to a route from the application project.

From: https://docs.openshift.com/container-platform/4.12/networking/ovn_kubernetes_network_provider/configuring-egress-ips-ovn.html

Additional info:
As tracked in the draft solution https://access.redhat.com/solutions/7005218,
the right ARP workflow is observed only if the HAproxy vIP is managed by three different nodes from the ones labelled as egress-assignable.
This means that the EgressIPs have to be assigned to a set of nodes different from the INFRA nodes used for handle the ingress HAproxy vIP.