OpenShift Bugs / OCPBUGS-55404

SNO with multiple addresses on the primary interface: apiserver, while trying to contact etcd, is using an IP which is not present in the cert.


    • Bug
    • Resolution: Unresolved
    • Major
    • 4.20.0
    • 4.18.z
    • Etcd
    • Quality / Stability / Reliability
    • False
    • Critical
    • Done
    • Bug Fix
      Before this update, when you deployed single-node OpenShift with many IPs on the primary interface, the IP in the etcd certificate mismatched with the IP in the config map that the API server used to connect to etcd. As a consequence, the API server pod failed during single-node OpenShift deployment, causing cluster initialization issues. With this release, a fix ensures that the single IP in the etcd config map matches the IP in the certificate for single-node OpenShift deployments. As a result, the API server connects to etcd by using the correct IP included in the etcd certificate, preventing pod failure during cluster initialization.

      Description of problem:

      When deploying Single Node OpenShift (SNO) via ZTP in release 4.18 with multiple IPs on the primary interface, the apiserver pod fails due to attempting to connect to etcd using an IP address that's not included in the etcd certificate. The `etcd-pod` ConfigMap contains mixed IPs. 

      Version-Release number of selected component (if applicable):

      4.18

      How reproducible:

      100% reproducible under described conditions.

      Steps to Reproduce:

      1. Deploy SNO via Assisted Install (ZTP) with multiple IPs assigned to the primary interface.  
      2. Observe apiserver pod failure during cluster initialization.  
      3. Check apiserver logs for TLS certificate validation errors.     

      Actual results:

      Apiserver logs show error:
      
      W0427 08:27:14.383902       1 logging.go:55] [core] [Channel #1 SubChannel #4]grpc: addrConn.createTransport failed to connect to {Addr: "<masked>.13:2379", ServerName: "<masked>.13:2379", }. Err: connection error: desc = "transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate is valid for <masked>.11, 127.0.0.1, ::1, not <masked>.13"

      Expected results:

      `ETCDCTL_ENDPOINTS` in the ConfigMap (IP used by APIserver to connect to etcd) should match the IP in the certificate.

      Additional info:

          

              tjungblu@redhat.com Thomas Jungblut
              rhn-support-sandyada Sandeep Yadav
              Ge Liu Ge Liu
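
Added example, not part of the original report or of the OpenShift code base: a triage helper that parses the x509 handshake warning quoted under "Actual results" and lists which `ETCDCTL_ENDPOINTS` entries are not covered by the certificate's SAN list. The addresses are constructed from the 192.0.2.0/24 documentation range because the report masks the real ones, and the comma-separated `https://host:port` endpoint format is an assumption about the ConfigMap value.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Go's x509 hostname error as it appears inside the gRPC warning in the report.
X509_RE = re.compile(r'x509: certificate is valid for (?P<sans>.+?), not (?P<bad>[^\s"]+)')
ADDR_RE = re.compile(r'Addr: "(?P<addr>[^"]+)"')

def parse_handshake_failure(line):
    """Return (dialed_addr, san_set, rejected_host), or None for unrelated lines."""
    m = X509_RE.search(line)
    if not m:
        return None
    addr = ADDR_RE.search(line)
    sans = {s.strip() for s in m.group("sans").split(",")}
    return (addr.group("addr") if addr else None, sans, m.group("bad"))

def _norm(host):
    # Canonicalise IP literals so equivalent spellings compare equal.
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return host.lower()

def uncovered_endpoints(endpoints, sans):
    """Endpoints whose host is not in the SAN set (exact match, no wildcards)."""
    allowed = {_norm(s) for s in sans}
    bad = []
    for ep in filter(None, (e.strip() for e in endpoints.split(","))):
        host = urlsplit(ep).hostname
        # An endpoint that does not parse as a URL is reported as uncovered.
        if host is None or _norm(host) not in allowed:
            bad.append(ep)
    return bad

# Constructed sample: same shape as the log line in the report, with
# documentation-range addresses in place of the masked ones.
SAMPLE_LOG = (
    'W0427 08:27:14.383902       1 logging.go:55] [core] [Channel #1 SubChannel #4]'
    'grpc: addrConn.createTransport failed to connect to {Addr: "192.0.2.13:2379", '
    'ServerName: "192.0.2.13:2379", }. Err: connection error: desc = "transport: '
    'authentication handshake failed: tls: failed to verify certificate: x509: '
    'certificate is valid for 192.0.2.11, 127.0.0.1, ::1, not 192.0.2.13"'
)
# Constructed ETCDCTL_ENDPOINTS value with mixed IPs (format is an assumption).
SAMPLE_ENDPOINTS = "https://192.0.2.11:2379,https://192.0.2.13:2379"

if __name__ == "__main__":
    dialed, sans, rejected = parse_handshake_failure(SAMPLE_LOG)
    print("dialed:", dialed, "rejected:", rejected, "SANs:", sorted(sans))
    print("endpoints not in cert:", uncovered_endpoints(SAMPLE_ENDPOINTS, sans))
```
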