OpenShift Bugs / OCPBUGS-76495

IPsec OCP install is failing with 4.22.0-ec.2 on s390x because of the network operator

    • Bug
    • Resolution: Duplicate
    • Critical
    • 4.22
    • False
    • Important
    • s390x
    • Proposed

      Description of problem:

      IPsec OCP install is failing with 4.22.0-ec.2 on s390x because of the network operator
       

      Version-Release number of selected component (if applicable):
       

      Server Version: 4.22.0-ec.2
      Kubernetes Version: v1.34.2
      

      How reproducible: Always

      Steps to Reproduce:

          1. Install an OCP cluster with IPsec enabled
               

      Actual results:

      oc get co network
      NAME      VERSION   AVAILABLE   PROGRESSING   DEGRADED   SINCE   MESSAGE
      network             False       True          False      8h      The network is starting up
      
      oc get clusterversion
      NAME      VERSION   AVAILABLE   PROGRESSING   SINCE   STATUS
      version             False       True          8h      Unable to apply 4.22.0-ec.2: the cluster operator network is not available
       
      The IPsec pods fail with Init:CrashLoopBackOff:
      ovn-ipsec-host-55zf5                     0/2     Init:CrashLoopBackOff   6 (3m2s ago)    8m46s
      ovn-ipsec-host-6kp5s                     0/2     Init:CrashLoopBackOff   6 (2m49s ago)   8m47s
      ovn-ipsec-host-bms45                     0/2     Init:CrashLoopBackOff   6 (2m56s ago)   8m47s
      ovn-ipsec-host-fmjqs                     0/2     Init:CrashLoopBackOff   6 (3m4s ago)    8m47s
      ovn-ipsec-host-jwc8r                     0/2     Init:CrashLoopBackOff   6 (2m52s ago)   8m47s
      
       

      Expected results:
      OCP install should be successful

      network Operator should be available without errors
       

      Additional info:

      oc logs -f pod/ovn-ipsec-host-g4pg2 -c ovn-keys
      Configuring IPsec keys
      + retries=0
      + tries=20
      + key_cert=/etc/ovn/ovnkube-node-certs/ovnkube-client-current.pem
      + '[' '!' -f /etc/ovn/ovnkube-node-certs/ovnkube-client-current.pem ']'
      + cat
      + export KUBECONFIG=/var/run/ovnkube-kubeconfig
      + KUBECONFIG=/var/run/ovnkube-kubeconfig
      + echo 'Configuring IPsec keys'
      + cert_pem=/etc/openvswitch/keys/ipsec-cert.pem
      + openssl x509 -noout -dates -checkend 15770000 -in /etc/openvswitch/keys/ipsec-cert.pem
      Could not open file or uri for loading certificate from /etc/openvswitch/keys/ipsec-cert.pem: No such file or directory
      ++ tr -d '"'
      ++ ovs-vsctl --retry -t 60 get Open_vSwitch . external-ids:system-id
      + cn=a1a6db55-0b87-44e5-9a27-c52115468984
      + mkdir -p /etc/openvswitch/keys
      + umask 077
      + openssl genrsa -out /etc/openvswitch/keys/ipsec-privkey.pem 2048
      + openssl req -new -text -extensions v3_req -addext 'subjectAltName = DNS:a1a6db55-0b87-44e5-9a27-c52115468984' -subj /C=US/O=ovnkubernetes/OU=kind/CN=a1a6db55-0b87-44e5-9a27-c52115468984 -key /etc/openvswitch/keys/ipsec-privkey.pem -out /etc/openvswitch/keys/ipsec-req.pem
      Error adding request extensions defined via -addext
      000003FFB39F4720:error:0580008C:x509 certificate routines:X509at_add1_attr_by_NID:duplicate attribute:crypto/x509/x509_att.c:194:
      

      Reference code check-ins that are causing this issue:
      https://issues.redhat.com/browse/OCPBUGS-74401
      https://github.com/openshift/cluster-network-operator/commit/756a7ea1a1b168cf530733c33c6d4af895c3b3d4#diff-b01d90a1a4ea134df211e59aa501c9732a48ec46d22690d46b8ab8d1338cac8d

              mkowalsk@redhat.com Mat Kowalski
              apuranda Amrut Purandare
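
A triage sketch for the ovn-keys log above, added here as an example; it is not code from this ticket or from cluster-network-operator. It ties each OpenSSL error-queue line to the last `set -x` command traced before it and unpacks the hex code, assuming the OpenSSL 3.x packing (library number in bits 23-30, reason in the low 23 bits); `triage` and `decode_code` are hypothetical names, and the sample is constructed from lines in the log.

```python
import re

# Constructed sample: four consecutive lines copied from the ovn-keys log above.
SAMPLE_LOG = """\
+ openssl genrsa -out /etc/openvswitch/keys/ipsec-privkey.pem 2048
+ openssl req -new -text -extensions v3_req -addext 'subjectAltName = DNS:a1a6db55-0b87-44e5-9a27-c52115468984' -subj /C=US/O=ovnkubernetes/OU=kind/CN=a1a6db55-0b87-44e5-9a27-c52115468984 -key /etc/openvswitch/keys/ipsec-privkey.pem -out /etc/openvswitch/keys/ipsec-req.pem
Error adding request extensions defined via -addext
000003FFB39F4720:error:0580008C:x509 certificate routines:X509at_add1_attr_by_NID:duplicate attribute:crypto/x509/x509_att.c:194:
"""

# <thread id>:error:<hex code>:<library>:<function>:<reason>:<file>:<line>:
ERR_RE = re.compile(
    r"^(?P<tid>[0-9A-Fa-f]+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):"
    r"(?P<func>[^:]*):(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):")
TRACE_RE = re.compile(r"^\++ (?P<cmd>.+)$")   # set -x output: "+ cmd", "++ cmd"


def decode_code(hex_code):
    """Unpack an OpenSSL 3.x error code into (library number, reason number)."""
    code = int(hex_code, 16)
    if code & 0x80000000:                      # system error: reason is an errno
        return 2, code & 0x7FFFFFFF            # 2 is ERR_LIB_SYS
    return (code >> 23) & 0xFF, code & 0x7FFFFF


def triage(log_text):
    """Return one finding per OpenSSL error, tied to the last traced command."""
    findings, last_cmd = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        trace = TRACE_RE.match(line)
        if trace:
            last_cmd = trace["cmd"]
            continue
        err = ERR_RE.match(line)
        if err:
            lib_no, reason_no = decode_code(err["code"])
            findings.append({
                "command": last_cmd,
                "library": err["lib"], "lib_no": lib_no,
                "function": err["func"],
                "reason": err["reason"], "reason_no": reason_no,
                "source": f'{err["file"]}:{err["line"]}',
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        for key, value in finding.items():
            print(f"{key:10} {value}")
```

For the code `0580008C` in this log the decoder yields library 11 (the X509 library) and reason 140, which agrees with the "x509 certificate routines" and "duplicate attribute" text on the same line.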