Description of problem:
- In a scenario where the ingress INFRA HAProxy vIP is assigned to the same INFRA node where the EgressIP of openshift-gitops (ArgoCD) is also allocated, any ARP request for the EgressIP address sent from the node that is hosting the HAProxy vIP won't be answered at all.
Version-Release number of selected component (if applicable):
- Red Hat OpenShift 4 with the OVN-Kubernetes Container Network Interface (CNI) plugin.
- openshift-gitops operator 1.7.1
It's systematic if the ingress HAProxy vIP and the EgressIP are assigned to the same node.
Steps to Reproduce:
- OpenShift 4.12 deployed, on top of vSphere, with ingress HAProxy vIP configured and managed in the INFRA nodes.
- OpenShift 4.12 installed with the OVN-Kubernetes Container Network Interface (CNI) plugin
- openshift-gitops operator 1.7.1 installed
- Egress IP configured and associated to the openshift-gitops namespace.
- INFRA nodes labeled as egress-assignable
- The EgressIP and the ingress HAProxy vIP were assigned to the same INFRA node
- As a result of the behaviour described above, authentication in openshift-gitops (ArgoCD integrated with OpenShift) will systematically fail, because it isn't possible to resolve the EgressIP from the INFRA node.
- It is not clear what the expected behaviour should be, because a similar case isn't described in the 4.12 manual.
- The official documentation contains only the comment below, which doesn't match the customer environment where this issue is happening:
1. The Application PODs are running on Worker nodes.
2. The Ingress HA proxy and the EgressIP are assigned to the same INFRA node.
In some cluster configurations, application pods and ingress router pods run on the same node. If you configure an egress IP address for an application project in this scenario, the IP address is not used when you send a request to a route from the application project.
As tracked in the draft solution https://access.redhat.com/solutions/7005218,
the right ARP workflow is observed only if the HAProxy vIP is managed by three nodes different from the ones labelled as egress-assignable.
This means that the EgressIPs have to be assigned to a set of nodes different from the INFRA nodes used to handle the ingress HAProxy vIP.
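
A check for the condition described above, as an added example that is not part of the original report or of any Red Hat tooling. It assumes the inputs are the saved outputs of `oc get nodes -o json`, `oc get pods -n openshift-ingress -o json` and `oc get egressip -o json`, and that the nodes running ingress router pods are the ones that can hold the ingress vIP; the function names and the sample data are constructed for illustration.

```python
EGRESS_LABEL = "k8s.ovn.org/egress-assignable"  # OVN-Kubernetes egress node label

def egress_assignable_nodes(nodes_json):
    """Names of nodes carrying the egress-assignable label (any value)."""
    return {n["metadata"]["name"] for n in nodes_json["items"]
            if EGRESS_LABEL in (n["metadata"].get("labels") or {})}

def router_nodes(pods_json):
    """Nodes with a scheduled ingress router pod (assumed vIP candidates)."""
    return {p["spec"]["nodeName"] for p in pods_json["items"]
            if p["spec"].get("nodeName")}

def check_overlap(nodes_json, pods_json, egressips_json):
    """Return (at_risk, colliding).

    at_risk:   nodes that are egress-assignable AND vIP candidates.
    colliding: (egressIP, node) pairs currently assigned to a vIP candidate.
    """
    vip_candidates = router_nodes(pods_json)
    at_risk = sorted(egress_assignable_nodes(nodes_json) & vip_candidates)
    colliding = sorted(
        (item["egressIP"], item["node"])
        for eip in egressips_json["items"]
        for item in (eip.get("status") or {}).get("items") or []
        if item["node"] in vip_candidates)
    return at_risk, colliding

# Constructed sample data (not taken from the customer cluster).
SAMPLE_NODES = {"items": [
    {"metadata": {"name": "infra-0", "labels": {EGRESS_LABEL: ""}}},
    {"metadata": {"name": "infra-1", "labels": {EGRESS_LABEL: ""}}},
    {"metadata": {"name": "infra-2", "labels": {EGRESS_LABEL: ""}}},
    {"metadata": {"name": "worker-0", "labels": {}}},
]}
SAMPLE_PODS = {"items": [
    {"metadata": {"name": "router-default-a"}, "spec": {"nodeName": "infra-0"}},
    {"metadata": {"name": "router-default-b"}, "spec": {"nodeName": "infra-1"}},
    {"metadata": {"name": "router-default-c"}, "spec": {}},  # still pending
]}
SAMPLE_EGRESSIPS = {"items": [
    {"metadata": {"name": "gitops-egress"},
     "status": {"items": [{"egressIP": "192.0.2.10", "node": "infra-1"}]}},
]}

if __name__ == "__main__":
    at_risk, colliding = check_overlap(SAMPLE_NODES, SAMPLE_PODS, SAMPLE_EGRESSIPS)
    print("egress-assignable nodes that can also hold the ingress vIP:", at_risk)
    print("EgressIPs currently on a vIP candidate node:", colliding)
```

An empty `at_risk` list corresponds to the layout the draft solution describes, where the egress-assignable nodes and the nodes handling the ingress vIP are disjoint.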