- Bug
- Resolution: Done-Errata
- Normal
- 4.13
- No
- False
This is a clone of issue OCPBUGS-29305. The following is the description of the original issue:
—
Description of problem:
There's a typo in the openssl commands within the ovn-ipsec-containerized/ovn-ipsec-host daemonsets. The correct parameter is "-checkend", not "-checkedn".
Version-Release number of selected component (if applicable):
# oc get clusterversion
NAME      VERSION   AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.14.10   True        False         7s      Cluster version is 4.14.10
How reproducible:
Steps to Reproduce:
1. Enable IPsec encryption
# oc patch networks.operator.openshift.io cluster --type=merge -p '{"spec": {"defaultNetwork":{"ovnKubernetesConfig":{"ipsecConfig":{ }}}}}'
Actual results:
Examining the initContainer (ovn-keys) logs
# oc logs ovn-ipsec-containerized-7bcd2 -c ovn-keys
...
+ openssl x509 -noout -dates -checkedn 15770000 -in /etc/openvswitch/keys/ipsec-cert.pem
x509: Use -help for summary.
# oc get ds
NAME                      DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR                 AGE
ovn-ipsec-containerized   1         1         0       1            0           beta.kubernetes.io/os=linux   159m
ovn-ipsec-host            1         1         1       1            1           beta.kubernetes.io/os=linux   159m
ovnkube-node              1         1         1       1            1           beta.kubernetes.io/os=linux   3h44m
# oc get ds ovn-ipsec-containerized -o yaml | grep edn
if ! openssl x509 -noout -dates -checkedn 15770000 -in $cert_pem; then
# oc get ds ovn-ipsec-host -o yaml | grep edn
if ! openssl x509 -noout -dates -checkedn 15770000 -in $cert_pem; then
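An added example, not part of the original report and not the operator's own script: the `if ! openssl x509 ... ; then` pattern quoted above treats any non-zero exit as "certificate is expiring", so a rejected option is indistinguishable from a real expiry. The sketch below uses the correct `-checkend` option and separates the three outcomes; `cert_status`, `needs_renewal` and the `OPENSSL` override variable are hypothetical names.

```shell
#!/bin/sh
# Added example, not the operator's script.
# OPENSSL is a hypothetical override so the check can be pointed at a stub.
OPENSSL="${OPENSSL:-openssl}"

# cert_status CERT_PEM WINDOW_SECONDS
# Prints and returns: valid (0), expiring (1), or error (2).
cert_status() {
    cert_pem=$1
    window=$2
    if [ ! -r "$cert_pem" ]; then
        echo error
        return 2
    fi
    # openssl exits non-zero both when the certificate expires inside the
    # window and when it rejects its arguments or cannot load the file, so
    # the exit status is only trusted together with the -checkend verdict.
    out=$("$OPENSSL" x509 -noout -checkend "$window" -in "$cert_pem" 2>/dev/null) \
        && rc=0 || rc=$?
    case "$rc:$out" in
        0:*"Certificate will not expire"*) echo valid;    return 0 ;;
        1:*"Certificate will expire"*)     echo expiring; return 1 ;;
        *)                                 echo error;    return 2 ;;
    esac
}

# needs_renewal CERT_PEM WINDOW_SECONDS
# Returns 0 only on a real "expiring" verdict, 1 when the certificate is
# valid, and 2 (with a message on stderr) when the check itself failed.
needs_renewal() {
    status=$(cert_status "$1" "$2") || true
    case "$status" in
        expiring) return 0 ;;
        valid)    return 1 ;;
        *)        echo "certificate check failed for $1" >&2; return 2 ;;
    esac
}
```

A caller would use it as `if needs_renewal "$cert_pem" 15770000; then ...`, with the window value taken from the daemonset command shown in the report.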
- blocks: OCPBUGS-30100 IPSec - ovn-ipsec-containerized ds typo (Closed)
- clones: OCPBUGS-29305 IPSec - ovn-ipsec-containerized ds typo (Closed)
- is blocked by: OCPBUGS-29305 IPSec - ovn-ipsec-containerized ds typo (Closed)
- is cloned by: OCPBUGS-30100 IPSec - ovn-ipsec-containerized ds typo (Closed)
- links to: RHSA-2024:1210 OpenShift Container Platform 4.15.z security update