There is a bug due to a typo introduced in the source code of IPSec deamon of OVNK. A customer upgraded the cluster from 4.12 to 4.13 and now is hitting this bug.

The typo is the below in the IPSec deamon definition file [0]:
~~~
ovs-vsctl --retry -t 60 set Open_vSwitch . other_config:certificate=$cert_pem/g \  <--------------
                                                     other_config:private_key=/etc/openvswitch/keys/ipsec-privkey.pem \
                                                     other_config:ca_cert=/etc/openvswitch/keys/ipsec-cacert.pem
~~~

This makes the daemon pods stay in this state:

~~~
2023-12-13T18:44:53.954542627Z 2023-12-13T18:44:53Z |  20 | ovs-monitor-ipsec | WARN | ovn-bd15b8-0 contains invalid configuration: must set 'certificate' as local certificate when using CA-signed certificate or self-signed certificate to authenticate peers
~~~ 

In more detail the PR that is fixing this is this [1] but is for v4.14. As i don't see any bug to backport the fix to v4.13 i open this bug with the goal to fix that for v4.13.

[0] https://github.com/openshift/cluster-network-operator/blob/02159feb9a41ffdaa5133a7923712e0b745d7144/bindata/network/ovn-kubernetes/common/ipsec.yaml#L127
[1] https://github.com/openshift/cluster-network-operator/pull/1997

    IPSec daemon OVNK

    Upgrade the cluster to v4.13 or enable the IPSec functionality on a v4.13 cluster 

    1. Create a cluster with IPSec in version 4.13
    2.
    3.
    

    The IPSec funcionality is broken

    The IPSec functionality should work fine

    N/A