OpenShift Bugs / OCPBUGS-30150

IPSec - ovn-ipsec-containerized ds typo

      * Previously, the `ovn-ipsec-containerized` and the `ovn-ipsec-host` daemons contained a typographical error for an `openssl` parameter: `-checkedn` instead of `-checkend`. This error caused certificate rotation to occur after every `ovn-ipsec` pod restart. Now, the parameter name is fixed, so that the certificate that Internet Protocol Security (IPsec) uses automatically rotates as expected. (link:https://issues.redhat.com/browse/OCPBUGS-30150[*OCPBUGS-30150*])
    • Bug Fix
    • Done

      This is a clone of issue OCPBUGS-29390. The following is the description of the original issue:

      This is a clone of issue OCPBUGS-29305. The following is the description of the original issue:

      Description of problem:

      There's a typo in the openssl commands within the ovn-ipsec-containerized/ovn-ipsec-host daemonsets. The correct parameter is "-checkend", not "-checkedn".

      Version-Release number of selected component (if applicable):

      # oc get clusterversion
      NAME      VERSION   AVAILABLE   PROGRESSING   SINCE   STATUS
      version   4.14.10   True        False         7s      Cluster version is 4.14.10

      How reproducible:

      Steps to Reproduce:

      1. Enable IPsec encryption

      # oc patch networks.operator.openshift.io cluster --type=merge -p '{"spec": 
       {"defaultNetwork":{"ovnKubernetesConfig":{"ipsecConfig":{ }}}}}'
      

      Actual results:

      Examining the initContainer (ovn-keys) logs

      # oc logs ovn-ipsec-containerized-7bcd2 -c ovn-keys
      ...
      + openssl x509 -noout -dates -checkedn 15770000 -in /etc/openvswitch/keys/ipsec-cert.pem
      x509: Use -help for summary.
      # oc get ds
      NAME                      DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR                 AGE
      ovn-ipsec-containerized   1         1         0       1            0           beta.kubernetes.io/os=linux   159m
      ovn-ipsec-host            1         1         1       1            1           beta.kubernetes.io/os=linux   159m
      ovnkube-node              1         1         1       1            1           beta.kubernetes.io/os=linux   3h44m
      # oc get ds ovn-ipsec-containerized -o yaml | grep edn
      if ! openssl x509 -noout -dates -checkedn 15770000 -in $cert_pem; then     
      
      # oc get ds ovn-ipsec-host -o yaml | grep edn
      if ! openssl x509 -noout -dates -checkedn 15770000 -in $cert_pem; then

            ykashtan Yuval Kashtan
            openshift-crt-jira-prow OpenShift Prow Bot
            Huiran Wang Huiran Wang
            Darragh Fitzmaurice Darragh Fitzmaurice
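
The failure mode in this report, as an added example (not the daemonset's own script): an `if ! openssl ...` test treats every non-zero exit as "certificate expiring", so an unrecognized option looks the same as a certificate that needs rotation. The function names, the constructed self-signed certificate and the output-based `cert_expiry_state` check are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; the certificate is constructed and all function names are hypothetical.

# Self-signed throwaway certificate: $1 = output dir, $2 = validity in days.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=constructed-demo" \
        -days "$2" -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# Check in the shape shown in the daemonset: any non-zero exit means "rotate".
# $1 = option name (-checkedn reproduces the typo), $2 = seconds, $3 = certificate.
naive_needs_rotation() {
    if ! openssl x509 -noout -dates "$1" "$2" -in "$3" >/dev/null 2>&1; then
        return 0    # rotate
    fi
    return 1        # keep
}

# Stricter check: decide from the verdict openssl prints, so a usage error or an
# unreadable file is reported as "error" instead of looking like an expiring cert.
# $1 = seconds, $2 = certificate. Prints keep, rotate or error.
cert_expiry_state() {
    out=$(openssl x509 -noout -checkend "$1" -in "$2" 2>/dev/null) || true
    case $out in
        *"will not expire"*) echo keep ;;
        *"will expire"*)     echo rotate ;;
        *)                   echo error ;;
    esac
}

demo() {
    dir=$(mktemp -d) || return 1
    make_demo_cert "$dir" 365 || { rm -rf "$dir"; return 1; }
    for opt in -checkend -checkedn; do
        if naive_needs_rotation "$opt" 15770000 "$dir/cert.pem"; then
            echo "naive check with $opt: rotate"
        else
            echo "naive check with $opt: keep"
        fi
    done
    echo "strict check: $(cert_expiry_state 15770000 "$dir/cert.pem")"
    rm -rf "$dir"
}
demo
```

Separating "error" from "rotate" lets an init container fail loudly on a bad command line instead of silently regenerating keys on every restart.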