  1. OpenShift Bugs
  2. OCPBUGS-3855

[4.8][Dual Stack] ovn-ipsec crashlooping due to cert signing issues


    • Important
    • None
    • Rejected
    • False

      Description of problem:

      # ogp -l=app=ovn-ipsec
      NAME              READY   STATUS                  RESTARTS         AGE
      ovn-ipsec-6nfhl   0/1     Init:CrashLoopBackOff   20 (4m18s ago)   84m
      ovn-ipsec-b82hb   1/1     Running                 0                84m
      ovn-ipsec-btcvr   0/1     Init:CrashLoopBackOff   18 (41s ago)     68m
      ovn-ipsec-l4mxd   0/1     Init:CrashLoopBackOff   20 (3m53s ago)   84m
      ovn-ipsec-m4wxv   0/1     Init:CrashLoopBackOff   18 (43s ago)     68m
      
      # oc logs -n openshift-ovn-kubernetes ovn-ipsec-btcvr --all-containers | cut -b-100 | tail
      Error from server (BadRequest): container "ovn-ipsec" in pod "ovn-ipsec-btcvr" is waiting to start: PodInitializing
      certificatesigningrequest.certificates.k8s.io "worker-00.ipsec-debug7.qe.devcluster.openshift.com" d
      + cat
      + kubectl apply -f -
      ++ hostname
      certificatesigningrequest.certificates.k8s.io/worker-00.ipsec-debug7.qe.devcluster.openshift.com cre
      + counter=0
      +++ hostname
      ++ kubectl get csr/worker-00.ipsec-debug7.qe.devcluster.openshift.com -o 'jsonpath={.status.certific
      + '[' '!' -z ']'
      + (( counter++ ))
       
      Must-gather on 4.9 - http://shell.lab.bos.redhat.com/~anusaxen/must-gather.tar.gz
      Must-gather on 4.12 - http://shell.lab.bos.redhat.com/~anusaxen/must-gather-4_12.tar.gz

      Version-Release number of selected component (if applicable):

      4.9.51

      How reproducible:

      Always

      Steps to Reproduce:

      1. Bring up an OVNK cluster with IPsec enabled
      

      Actual results:

      cluster install failed

      Expected results:

      cluster install should be fine

      Additional info:

       ovs-vsctl --retry -t 60 set Open_vSwitch . other_config:certificate=/etc/openvswitch/keys/ipsec-cert.pem \
                                                       other_config:private_key=/etc/openvswitch/keys/ipsec-privkey.pem \
                                                       other_config:ca_cert=/etc/openvswitch/keys/ipsec-cacert.pem
            
          State:       Waiting
            Reason:    CrashLoopBackOff
          Last State:  Terminated
            Reason:    Error
            Message:
      ++ hostname
      + kubectl delete --ignore-not-found=true csr/worker-00.ipsec-debug7.qe.devcluster.openshift.com
      certificatesigningrequest.certificates.k8s.io "worker-00.ipsec-debug7.qe.devcluster.openshift.com" deleted
      + cat
      + kubectl apply -f -
      ++ hostname
      certificatesigningrequest.certificates.k8s.io/worker-00.ipsec-debug7.qe.devcluster.openshift.com created
      + counter=0
      +++ hostname
      ++ kubectl get csr/worker-00.ipsec-debug7.qe.devcluster.openshift.com -o 'jsonpath={.status.certificate}'
      + '[' '!' -z ']'
      + (( counter++ ))

       

       

       

       

              akaris@redhat.com Andreas Karis
              anusaxen Anurag Saxena
              Anurag Saxena Anurag Saxena
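An added triage example, not part of the bug report or of the ovn-ipsec init script: the trace above tests only whether `.status.certificate` is empty, and that field is empty for several different CSR states. The sketch below classifies CSR objects by their status conditions so those states can be told apart; the sample objects, node names and signer name are constructed placeholders.

```python
# Constructed CSR objects in the shape of `kubectl get csr <name> -o json`.
# Names, signer and certificate values are placeholders, not from the report.
def _csr(name, conditions=None, certificate=None):
    status = {}
    if conditions:
        status["conditions"] = [{"type": t, "status": "True"} for t in conditions]
    if certificate:
        status["certificate"] = certificate
    return {"metadata": {"name": name},
            "spec": {"signerName": "example.com/placeholder-signer"},
            "status": status}

SAMPLES = [
    _csr("node-a.example"),
    _csr("node-b.example", ["Approved"]),
    _csr("node-c.example", ["Denied"]),
    _csr("node-d.example", ["Approved", "Failed"]),
    _csr("node-e.example", ["Approved"], "PLACEHOLDER-BASE64-CERT"),
]

def csr_state(csr):
    """Classify a CSR from its status block."""
    status = csr.get("status") or {}
    # A condition counts when its status is "True"; a missing status field
    # is treated as active here (an assumption of this example).
    active = {c.get("type") for c in status.get("conditions", [])
              if c.get("status", "True") == "True"}
    if "Denied" in active:
        return "denied"
    if "Failed" in active:
        return "failed"
    if status.get("certificate"):
        return "issued"
    if "Approved" in active:
        return "approved-not-issued"   # approved, but the signer has not issued
    return "pending-approval"          # nobody has approved the request yet

def report(csrs):
    """Return (name, signer, state, certificate_is_empty) for each CSR."""
    return [(c["metadata"]["name"], c["spec"].get("signerName", ""),
             csr_state(c), not (c.get("status") or {}).get("certificate"))
            for c in csrs]

if __name__ == "__main__":
    for row in report(SAMPLES):
        print(*row, sep="\t")
```

Four of the five sample states leave the certificate field empty, which is all the polling check in the trace can see. Against a cluster, the same function can be applied to each entry of the `items` list from `kubectl get csr -o json`.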