Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-28208

Typo "/g" in source code braking IPSec deamonset.

XMLWordPrintable

      Description of problem:

      There is a bug due to a typo introduced in the source code of IPSec deamon of OVNK. A customer upgraded the cluster from 4.12 to 4.13 and now is hitting this bug.
      
      The typo is the below in the IPSec deamon definition file [0]:
      ~~~
      ovs-vsctl --retry -t 60 set Open_vSwitch . other_config:certificate=$cert_pem/g \  <--------------
                                                           other_config:private_key=/etc/openvswitch/keys/ipsec-privkey.pem \
                                                           other_config:ca_cert=/etc/openvswitch/keys/ipsec-cacert.pem
      ~~~
      
      This makes the daemon pods stay in this state:
      
      ~~~
      2023-12-13T18:44:53.954542627Z 2023-12-13T18:44:53Z |  20 | ovs-monitor-ipsec | WARN | ovn-bd15b8-0 contains invalid configuration: must set 'certificate' as local certificate when using CA-signed certificate or self-signed certificate to authenticate peers
      ~~~ 
      
      In more detail the PR that is fixing this is this [1] but is for v4.14. As i don't see any bug to backport the fix to v4.13 i open this bug with the goal to fix that for v4.13.
      
      [0] https://github.com/openshift/cluster-network-operator/blob/02159feb9a41ffdaa5133a7923712e0b745d7144/bindata/network/ovn-kubernetes/common/ipsec.yaml#L127
      [1] https://github.com/openshift/cluster-network-operator/pull/1997

      Version-Release number of selected component (if applicable):

          IPSec daemon OVNK

      How reproducible:

          Upgrade the cluster to v4.13 or enable the IPSec functionality on a v4.13 cluster 

      Steps to Reproduce:

          1. Create a cluster with IPSec in version 4.13
          2.
          3.
          

      Actual results:

          The IPSec funcionality is broken

      Expected results:

          The IPSec functionality should work fine

      Additional info:

          N/A

            ykashtan Yuval Kashtan
            rhn-support-nstamate Nikolaos Stamatelopoulos
            Huiran Wang Huiran Wang
            Votes:
            0 Vote for this issue
            Watchers:
            8 Start watching this issue

              Created:
              Updated:
              Resolved: