OpenShift Bugs: OCPBUGS-59992

[4.18] SNO with Multiple address on the primary interface, apiserver while trying to contact etcd is using an IP which is not present in cert.

    • Bug
    • Resolution: Done
    • Major
    • 4.18.0
    • 4.18.z
    • Etcd
    • Quality / Stability / Reliability
    • Critical
    • Done
    • Bug Fix
      Previously, when deploying Single Node OpenShift (SNO) via ZTP in release 4.19 with multiple IP addresses configured on the primary interface, the apiserver pod would fail to connect to etcd. This was due to the etcd certificate not including all the configured IP addresses, leading to TLS authentication errors. This fix refactors the IP address handling to correctly preserve the order of IPs returned by the netlink library while maintaining deduplication, ensuring that ETCDCTL_ENDPOINTS matches the IP in the etcd certificate. As a result, apiserver can now successfully connect to etcd in these configurations, allowing SNO deployments with multiple primary interface IPs to initialize correctly.

      This is a clone of issue OCPBUGS-59285. The following is the description of the original issue:

      This is a clone of issue OCPBUGS-55404. The following is the description of the original issue:

      Description of problem:

      When deploying Single Node OpenShift (SNO) via ZTP in release 4.18 with multiple IPs on the primary interface, the apiserver pod fails because it attempts to connect to etcd using an IP address that is not included in the etcd certificate. The `etcd-pod` ConfigMap contains mixed IPs.

      Version-Release number of selected component (if applicable):

      4.18

      How reproducible:

      100% reproducible under described conditions.

      Steps to Reproduce:

      1. Deploy SNO via Assisted Install (ZTP) with multiple IPs assigned to the primary interface.
      2. Observe apiserver pod failure during cluster initialization.
      3. Check apiserver logs for TLS certificate validation errors.

      Actual results:

      Apiserver logs show the error:

      W0427 08:27:14.383902       1 logging.go:55] [core] [Channel #1 SubChannel #4]grpc: addrConn.createTransport failed to connect to {Addr: "<masked>.13:2379", ServerName: "<masked>.13:2379", }. Err: connection error: desc = "transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate is valid for <masked>.11, 127.0.0.1, ::1, not <masked>.13"

      Expected results:

      `ETCDCTL_ENDPOINTS` in the ConfigMap (the IP the apiserver uses to connect to etcd) should match the IP in the certificate.
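      The release note describes the fix as preserving the order of the IPs returned by the netlink library while still deduplicating them, so that the endpoint handed to the apiserver is the same IP that was placed in the certificate. The following Go program is an added illustration of that idea and of the consistency check a practitioner would want; it is not code from cluster-etcd-operator or any OpenShift repository. The function names (dedupPreservingOrder, etcdEndpoints, endpointsNotInCert), the assumed https://<ip>:2379 endpoint format, and the 192.0.2.x sample addresses are all constructed for the example.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"net"
	"strings"
)

// dedupPreservingOrder removes duplicate addresses while keeping the order in
// which they were supplied (for example, the order the netlink library returned
// them). Deduplicating through a map and then ranging over that map yields a
// random order, so the "first" IP could differ between the code path that
// builds the certificate SANs and the one that builds the endpoint list.
func dedupPreservingOrder(ips []net.IP) []net.IP {
	seen := make(map[string]struct{}, len(ips))
	out := make([]net.IP, 0, len(ips))
	for _, ip := range ips {
		key := ip.String()
		if _, dup := seen[key]; dup {
			continue
		}
		seen[key] = struct{}{}
		out = append(out, ip)
	}
	return out
}

// etcdEndpoints renders the ETCDCTL_ENDPOINTS value assumed by this example:
// "https://<ip>:2379" entries joined by commas. The exact format is an
// assumption for illustration, not taken from the bug report.
func etcdEndpoints(ips []net.IP) string {
	parts := make([]string, 0, len(ips))
	for _, ip := range ips {
		// JoinHostPort brackets IPv6 literals correctly.
		parts = append(parts, "https://"+net.JoinHostPort(ip.String(), "2379"))
	}
	return strings.Join(parts, ",")
}

// endpointsNotInCert returns every endpoint IP that is absent from the
// certificate's IP SANs. An empty result means the client will not hit the
// "certificate is valid for X, not Y" handshake failure seen in the report.
func endpointsNotInCert(cert *x509.Certificate, endpoints []net.IP) []net.IP {
	var missing []net.IP
	for _, ep := range endpoints {
		covered := false
		for _, san := range cert.IPAddresses {
			if san.Equal(ep) {
				covered = true
				break
			}
		}
		if !covered {
			missing = append(missing, ep)
		}
	}
	return missing
}

func main() {
	// Constructed sample: two addresses on the primary interface, one of them
	// reported twice (RFC 5737 documentation range, not real cluster IPs).
	fromNetlink := []net.IP{
		net.ParseIP("192.0.2.11"),
		net.ParseIP("192.0.2.13"),
		net.ParseIP("192.0.2.11"),
	}
	nodeIPs := dedupPreservingOrder(fromNetlink)

	// Constructed certificate whose SANs cover only the first node IP plus
	// loopback, mirroring the "valid for .11, 127.0.0.1, ::1, not .13" error.
	cert := &x509.Certificate{IPAddresses: []net.IP{
		net.ParseIP("192.0.2.11"), net.ParseIP("127.0.0.1"), net.ParseIP("::1"),
	}}

	// Consistent configuration: the endpoint is built from the same first IP.
	good := nodeIPs[:1]
	fmt.Println("ETCDCTL_ENDPOINTS:", etcdEndpoints(good), "missing from cert:", endpointsNotInCert(cert, good))

	// Mixed configuration as in the bug: the endpoint uses a different IP.
	bad := []net.IP{net.ParseIP("192.0.2.13")}
	fmt.Println("ETCDCTL_ENDPOINTS:", etcdEndpoints(bad), "missing from cert:", endpointsNotInCert(cert, bad))
}
```

      Running it prints an empty "missing" list for the consistent case and flags 192.0.2.13 for the mixed case. The same endpointsNotInCert check, run against the real etcd serving certificate and the `etcd-pod` ConfigMap, is a quick way to confirm on a node whether the symptom described here is present.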

      Additional info:

              Dean West (dwest@redhat.com)
              Sandeep Yadav (rhn-support-sandyada)
              Ge Liu
              Votes: 0
              Watchers: 5