- Bug
- Resolution: Done-Errata
- Normal
- 4.13.z
- +
- Important
- Yes
- False
Description of problem:
There is a bug due to a typo introduced in the source code of the IPSec daemon of OVNK. A customer upgraded the cluster from 4.12 to 4.13 and is now hitting this bug. The typo is shown below, in the IPSec daemon definition file [0]:

~~~
ovs-vsctl --retry -t 60 set Open_vSwitch . other_config:certificate=$cert_pem/g \ <--------------
  other_config:private_key=/etc/openvswitch/keys/ipsec-privkey.pem \
  other_config:ca_cert=/etc/openvswitch/keys/ipsec-cacert.pem
~~~

This makes the daemon pods stay in this state:

~~~
2023-12-13T18:44:53.954542627Z 2023-12-13T18:44:53Z | 20 | ovs-monitor-ipsec | WARN | ovn-bd15b8-0 contains invalid configuration: must set 'certificate' as local certificate when using CA-signed certificate or self-signed certificate to authenticate peers
~~~

In more detail, the PR that fixes this is [1], but it is for v4.14. As I don't see any bug to backport the fix to v4.13, I am opening this bug with the goal of fixing it for v4.13.

[0] https://github.com/openshift/cluster-network-operator/blob/02159feb9a41ffdaa5133a7923712e0b745d7144/bindata/network/ovn-kubernetes/common/ipsec.yaml#L127
[1] https://github.com/openshift/cluster-network-operator/pull/1997
Version-Release number of selected component (if applicable):
IPSec daemon OVNK
How reproducible:
Upgrade the cluster to v4.13 or enable the IPSec functionality on a v4.13 cluster
Steps to Reproduce:
1. Create a cluster with IPSec in version 4.13
Actual results:
The IPSec functionality is broken
Expected results:
The IPSec functionality should work fine
Additional info:
N/A
- depends on: OCPBUGS-18871 IPSec enablement is broken on OVNK (Closed)
- links to: RHBA-2024:0741 OpenShift Container Platform 4.13.z bug fix update
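
A pre-flight check for the kind of path corruption described in this report, as an added example (not code from the cluster-network-operator or OVN-Kubernetes): it parses the `other_config` map and confirms that `certificate`, `private_key` and `ca_cert` each point at a readable file. The map format, the `ipsec-cert.pem` file name, the helper names and the `ROOT` prefix are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not project code. Audits the IPsec file paths held in
# Open_vSwitch other_config.

# get_value KEY MAP: print KEY's value from a map printed as {k="v", k2="v2"}
# (assumed output shape of `ovs-vsctl get Open_vSwitch . other_config`).
get_value() {
    printf '%s\n' "$2" | tr -d '{}"' | tr ',' '\n' | sed -n "s/^ *$1=//p"
}

# audit_ipsec_config MAP [ROOT]: print one line per problem and return the
# number of problems. ROOT is a hypothetical path prefix for offline testing.
audit_ipsec_config() {
    bad=0
    for key in certificate private_key ca_cert; do
        path=$(get_value "$key" "$1")
        if [ -z "$path" ]; then
            echo "MISSING $key: not set in other_config"
            bad=$((bad + 1))
        elif [ ! -f "${2:-}$path" ] || [ ! -r "${2:-}$path" ]; then
            echo "BAD $key: $path is not a readable regular file"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# make_demo_root: build a throwaway tree holding empty stand-in key files.
make_demo_root() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/openvswitch/keys"
    for f in ipsec-cert.pem ipsec-privkey.pem ipsec-cacert.pem; do
        : > "$root/etc/openvswitch/keys/$f"
    done
    echo "$root"
}

# Constructed sample maps; ipsec-cert.pem is an assumed certificate file name.
K=/etc/openvswitch/keys
GOOD_MAP="{ca_cert=\"$K/ipsec-cacert.pem\", certificate=\"$K/ipsec-cert.pem\", private_key=\"$K/ipsec-privkey.pem\"}"
BAD_MAP="{ca_cert=\"$K/ipsec-cacert.pem\", certificate=\"$K/ipsec-cert.pem/g\", private_key=\"$K/ipsec-privkey.pem\"}"

demo_root=$(make_demo_root)
audit_ipsec_config "$GOOD_MAP" "$demo_root" && echo "good map: ok"
audit_ipsec_config "$BAD_MAP" "$demo_root" || echo "bad map: $? problem(s)"
rm -rf "$demo_root"
```

On a live node the map would come from `ovs-vsctl get Open_vSwitch . other_config` and `ROOT` would be left empty.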