XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Critical
Fix Version/s: None
Affects Version/s: 4.20.z, 4.21.z, 4.22
Component/s: Networking / cluster-network-operator
Labels:
- component-regression

Activity Type:
None
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Story Points:
None
Severity:
None
Regression:
None

Target Backport Versions:

4.19.z, 4.20.z, 4.22.0, 4.21.z
Target Version:

4.23.0
Release Blocker:
Approved
Sprint:
None

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Release Note Status:
None
Release Note Type:
None
Release Note Text:
None

Escape Reason:
None
Escape Impact:
None
Corrective Measures:
None
SDLC stage when should've been found:
None

Marketplace AI helper analysis

Summary

This is an installation failure, not a test failure. The cluster installation failed because the network cluster operator never completed its deployment. The root cause is an OpenSSL bug in the ovn-ipsec-host DaemonSet's ovn-keys init container.

Root Cause

The ovn-keys init container in all 6 ovn-ipsec-host pods is crashing with an OpenSSL error:

  openssl req -new -text -extensions v3_req -addext 'subjectAltName = DNS:...' -subj /C=US/O=ovnkubernetes/OU=kind/CN=... -key ... -out ...
  Error adding request extensions defined via -addext
  error:0580008C:x509 certificate routines:X509at_add1_attr_by_NID:duplicate attribute:crypto/x509/x509_att.c:194:

The issue: The openssl req command is failing because it's trying to add a duplicate attribute. When using -extensions v3_req -addext 'subjectAltName = ...', if the v3_req section in the OpenSSL config already defines subjectAltName, the -addext flag adds a duplicate, causing the error.

Evidence

  1. DaemonSet Status:
    - ovn-ipsec-host: 6 desired, 0 ready, 6 unavailable
  2. Pod Status: All 6 pods stuck in Pending state with:
    - ContainersNotInitialized (init container ovn-keys incomplete)
    - CrashLoopBackOff after 13+ restarts
  3. Init Container Logs:
  + openssl req -new -text -extensions v3_req -addext 'subjectAltName = DNS:f6b21cdb-...' ...
  Error adding request extensions defined via -addext
  error:0580008C:x509 certificate routines:X509at_add1_attr_by_NID:duplicate attribute
  4. Installer Log:
  DaemonSet "/openshift-ovn-kubernetes/ovn-ipsec-host" is not available (awaiting 6 nodes)
  Error checking cluster operator Progressing status: "context deadline exceeded"
  These cluster operators were not stable: [network]

—

Sippy AI helper analysis

⚠️ AI-Generated Content

Sippy AI-assisted description; please review details for accuracy.

Filed from: Test Regression Details

Test Name

verify operator conditions network

Brief Overview

Significant regression detected. Fishers Exact probability of a regression: 100.00%. Test pass rate dropped from 100.0
0% to 92.54%.

Statistics Section

Sample (being evaluated)

Release: 4.22
Time Period: 2026-01-19T00:00:00Z to 2026-01-26T08:00:00Z
Success Rate: 92.54%
Successes: 62
Failures: 5
Flakes: 0

Base (historical)

Release: 4.21
Time Period: 2025-12-27T00:00:00Z to 2026-01-26T08:00:00Z
Success Rate: 100.0%
Successes: 265
Failures: 0
Flakes: 0

Sample Failure Outputs

Job Run ID: 2014111034368856064
Error checking cluster operator Progressing status: "context deadline exceeded"
These cluster operators were not stable: [network]
Error executing test process: wrapped process failed: exit status 7

Job Run ID: 2014473429629014016
Error checking cluster operator Progressing status: "context deadline exceeded"
These cluster operators were not stable: [network]
Error executing test process: wrapped process failed: exit status 7

Job Run ID: 2014835990622900224
Error checking cluster operator Progressing status: "context deadline exceeded"
These cluster operators were not stable: [network]
Error executing test process: wrapped process failed: exit status 7

Job Run ID: 2015198382787661824
Error checking cluster operator Progressing status: "context deadline exceeded"
These cluster operators were not stable: [network]
Error executing test process: wrapped process failed: exit status 7

Job Run ID: 2015560776516898816
Error checking cluster operator Progressing status: "context deadline exceeded"
These cluster operators were not stable: [network]
Error executing test process: wrapped process failed: exit status 7

Links to Relevant Jobs

Patterns and Insights

The test "verify operator conditions network" has experienced a significant regression in OpenShift 4.22, with its pass rate dropping from 100% in 4.21 to 92.54%. The failures appear consistent across the observed job runs, all exhibiting similar error messages. The primary issue seems to be related to the `network` cluster operator failing to stabilize within the allotted time, leading to "context deadline exceeded" errors and the test process exiting with status 7. This indicates a potential problem with the network operator's readiness or a timing issue in the test environment for the `periodic-ci-openshift-release-master-nightly-4.22-e2e-aws-ovn-serial-ipsec` job. There is no indication of flake-to-failure conversion, as no flakes were observed in either the base or sample statistics.

Filed by: mkowalsk@redhat.com

is duplicated by

OCPBUGS-74402 Component Readiness: [Installer / openshift-installer] [Other] The ovn-ipsec-host DaemonSet failed to start because failed to generate IPsec certificates

Closed

links to

openshift/cluster-network-operator#2889: OCPBUGS-74401: Remove duplicated openssl parameter

Assignee:: Mat Kowalski

Reporter:: Mat Kowalski

Need Info From:: None

Contributors:: None

QA Contact:: None

Doc Contact:: None

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 2026/01/26 9:11 AM

Updated:: 2026/02/03 11:19 AM

Details

Description

Marketplace AI helper analysis

Sippy AI helper analysis

Test Name

Brief Overview

Statistics Section

Sample Failure Outputs

Links to Relevant Jobs

Patterns and Insights

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates