OpenShift Bugs: OCPBUGS-11180

No ARP reply in case of HAproxy vIP and EgressIP assigned to the same INFRA node


    • Type: Bug
    • Resolution: Done-Errata
    • Priority: Normal
    • 4.12.z

      Description of problem:

      • In a scenario where the ingress INFRA HAproxy vIP is assigned to the same INFRA node where the EgressIP of the openshift-gitops (ArgoCD) is also allocated, any ARP request for the EgressIP address (ARP request sent from the node that is hosting the HAproxy vIP) won't be answered at all.

      Version-Release number of selected component (if applicable):

      • Red Hat OpenShift 4 with the OVN-Kubernetes Container Network Interface (CNI) plugin.
      • openshift-gitops operator 1.7.1

      How reproducible:
      It's systematic if the ingress HAProxy vIP and the EgressIP are assigned to the same node.

      Steps to Reproduce:

      • OpenShift 4.12 deployed, on top of vSphere, with ingress HAProxy vIP configured and managed in the INFRA nodes.
      • OpenShift 4.12 installed with the OVN-Kubernetes Container Network Interface (CNI) plugin
      • openshift-gitops operator 1.7.1 installed
      • Egress IP configured and associated to the openshift-gitops namespace.
      • INFRA nodes labeled as egress-assignable
      • The EgressIP and the ingress HAProxy vIP were assigned to the same INFRA node

      Actual results:

      • As a result of the behaviour described above, the authentication in openshift-gitops (ArgoCD integrated with OpenShift) will systematically fail because it isn't possible to resolve the EgressIP from the INFRA node.

      Expected results:

      • It is not clear what the expected result should be, because a similar case isn't described in the 4.12 manual.
      • In the official document there is only the comment below [1], which doesn't match the customer environment where this issue is happening:
        1. The Application PODs are running on Worker nodes.
        2. The Ingress HA proxy and the EgressIP are assigned to the same INFRA node.

      In some cluster configurations, application pods and ingress router pods run on the same node. If you configure an egress IP address for an application project in this scenario, the IP address is not used when you send a request to a route from the application project.

      From: https://docs.openshift.com/container-platform/4.12/networking/ovn_kubernetes_network_provider/configuring-egress-ips-ovn.html

      Additional info:
      As tracked in the draft solution https://access.redhat.com/solutions/7005218,
      the right ARP workflow is observed only if the HAproxy vIP is managed by three different nodes from the ones labelled as egress-assignable.
      This means that the EgressIPs have to be assigned to a set of nodes different from the INFRA nodes used to handle the ingress HAproxy vIP.

            jcaamano@redhat.com Jaime Caamaño Ruiz
            rhn-support-rbruzzon Riccardo Bruzzone
            Huiran Wang
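A check for the node overlap described in the report, as an added example that is not part of the original ticket or of any Red Hat tooling. It reads the JSON produced by `oc get nodes -o json` and `oc get egressip -o json`, and assumes that the nodes able to hold the ingress vIP carry the `node-role.kubernetes.io/infra` label; the node and EgressIP names in the sample data are constructed.

```python
import json

# Assumed labels: infra role label for nodes that can hold the ingress vIP,
# and the OVN-Kubernetes label that marks a node as egress-assignable.
INFRA_LABEL = "node-role.kubernetes.io/infra"
EGRESS_LABEL = "k8s.ovn.org/egress-assignable"

def find_conflicts(nodes_json, egressips_json):
    """Return infra nodes that are also egress-assignable, and EgressIPs placed on infra nodes."""
    labels = {n["metadata"]["name"]: n["metadata"].get("labels", {})
              for n in json.loads(nodes_json).get("items", [])}
    infra = {name for name, lbl in labels.items() if INFRA_LABEL in lbl}
    # The vIP can fail over between infra nodes, so every infra node that is
    # also egress-assignable is a place where the two addresses can meet.
    overlap = sorted(n for n in infra if EGRESS_LABEL in labels[n])
    colocated = []
    for eip in json.loads(egressips_json).get("items", []):
        # status.items is absent until the EgressIP has been assigned to a node
        for item in eip.get("status", {}).get("items", []):
            if item.get("node") in infra:
                colocated.append((eip["metadata"]["name"], item.get("egressIP"), item["node"]))
    return {"overlap_nodes": overlap, "colocated_egressips": sorted(colocated)}

def _node(name, *labels):
    return {"metadata": {"name": name, "labels": {label: "" for label in labels}}}

# Constructed sample input (hypothetical cluster, documentation IP range).
SAMPLE_NODES = json.dumps({"items": [
    _node("infra-0", INFRA_LABEL, EGRESS_LABEL),
    _node("infra-1", INFRA_LABEL),
    _node("worker-0", "node-role.kubernetes.io/worker", EGRESS_LABEL),
]})
SAMPLE_EGRESSIPS = json.dumps({"items": [
    {"metadata": {"name": "gitops-egress"},
     "status": {"items": [{"egressIP": "192.0.2.10", "node": "infra-0"}]}},
    {"metadata": {"name": "app-egress"},
     "status": {"items": [{"egressIP": "192.0.2.11", "node": "worker-0"}]}},
    {"metadata": {"name": "pending-egress"}},  # not yet assigned, no status
]})

if __name__ == "__main__":
    report = find_conflicts(SAMPLE_NODES, SAMPLE_EGRESSIPS)
    for node in report["overlap_nodes"]:
        print(f"infra node {node} is also egress-assignable")
    for name, ip, node in report["colocated_egressips"]:
        print(f"EgressIP {name} ({ip}) is currently on infra node {node}")
```

An empty `overlap_nodes` list corresponds to the layout the report describes as working, where the egress-assignable nodes are separate from the nodes handling the ingress vIP.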