OpenShift Bugs / OCPBUGS-29421

[OVN] OVN IPSec seems to be broken on OCP 4.13


      Description of problem:

      OVN IPsec seems to be broken after upgrading to 4.13, or when installing a new cluster on 4.13 and then enabling IPsec following the official documentation.

      Looking at the logs, it looks like the certificates are broken and can't be loaded. The IPsec status shows there are no tunnels or connections established between the nodes, and certutil seems to show there is a problem with the cert database, none of which happens on 4.12.

      So far I have been able to reproduce this on a 4.12 cluster that had IPsec enabled during installation, disabled before the upgrade, and then enabled again after installation, and I was able to reproduce it on a new installation of 4.13.30, enabling IPsec afterwards.

       

      The must-gather and sosreport are from my cluster but this may start affecting many customers.

      https://drive.google.com/file/d/1PQslEn3_tEyfxo9wpLUIfdrARxK4po2S/view?usp=sharing

      https://drive.google.com/file/d/1IkYa-rw6mW1AgHjgMvCTAl5mZ7kA6x5a/view?usp=sharing

       

      It looks like connections are working as normal, but if ipsec is not actually working it may lead customers to think everything is working fine when in fact ipsec is not enabled. 

      Version-Release number of selected component (if applicable):

      OCP 4.13.29+

      How reproducible:

      Always

      Steps to Reproduce:

          1. Install a new cluster with IPsec, or enable it afterwards, or install a new cluster on 4.12 and then upgrade to 4.13.
          2. Check the IPsec status in the ovn-ipsec pods.

      Actual results:

          

      Expected results:

          

      Additional info:

          

              bbennett@redhat.com Ben Bennett
              rhn-support-andcosta Andre Costa
              Anurag Saxena Anurag Saxena