Feature Request
Resolution: Unresolved
Product / Portfolio Work
1. Proposed title of this feature request
To be able to migrate Konnectivity endpointPublishing strategy to LoadBalancer or NodePort after the HCP cluster is already created.
2. What is the nature and description of the request?
To be able to migrate Konnectivity endpointPublishing strategy to LoadBalancer or NodePort after the HCP cluster is already created, as the HCP operator limitation is that servicePublishingStrategy is immutable. So, the HC needs to be recreated to update the publishing strategy.
The customer, for obvious reasons, is not willing to take down all of their HCP clusters to apply a workaround to this bug.
3. Why does the customer need this? (List the business requirements here)
When a cluster hosting HCP control plane pods has an ingress VIP (VRRP) failover, all egressIP node health checks fail for any HCP nodes using egressIPs. The VIP failover causes the konnectivity-proxy > konnectivity-agent proxy, and thus the SOCKS5 proxy in the OVN-Kubernetes control-plane pod, to stop working briefly. During this time, the egress IP health check probes time out, resulting in all nodes being marked as unhealthy, and thus all egressIPs are unassigned.
This causes a full connectivity outage if the customer is using egressIPs for network ACLs.
Please refer to the bug for more details.
The same issue is reported upstream: https://github.com/openshift/hypershift/issues/5369
4. List any affected packages or components.
hosted control plane (HCP)
hypershift
konnectivity-server service
account is impacted by
OCPBUGS-60582 (HCP) OVN-Kubernetes egressips healthcheck failures after hosting cluster VRRP failover.
Verified