Story
Resolution: Unresolved
Normal
rhel-9.6.z, rhel-10.0
rhel-net-mgmt
What were you trying to do that didn't work?
Trying to configure Libreswan via NNCP to encrypt ICMP traffic using leftprotoport and rightprotoport.
kind: NodeNetworkConfigurationPolicy
apiVersion: nmstate.io/v1
metadata:
  name: left-node-ipsec-policy
spec:
  nodeSelector:
    kubernetes.io/hostname: worker-0
  desiredState:
    interfaces:
    - name: hosta_conn
      type: ipsec
      ipv4:
        enabled: true
        dhcp: true
      libreswan:
        leftrsasigkey: '%cert'
        left: 192.168.111.23
        leftid: '%fromcert'
        leftcert: left_server
        leftmodecfgclient: false
        right: 192.168.111.24
        rightrsasigkey: '%cert'
        rightid: '%fromcert'
        rightsubnet: 192.168.111.24/32
        ike: aes_gcm256-sha2_256
        esp: aes_gcm256
        ikev2: insist
        type: transport
        leftprotoport: icmp
        rightprotoport: icmp
What is the impact of this issue to you?
nmstate-handler pod fails to configure Libreswan as it's not able to support leftprotoport and rightprotoport fields.
{"level":"info","ts":"2025-08-04T03:06:09.075Z","logger":"enactmentstatus","msg":"status: {DesiredState: DesiredStateMetaInfo:{Version: TimeStamp:0001-01-01 00:00:00 +0000 UTC} CapturedStates:map[] PolicyGeneration:1 Conditions:[{Type:Failing Status:True Reason:FailedToConfigure Message:failure generating desiredState and capturedStates: failed calling nmstatectl rollback: , [2025-08-04T03:06:09Z INFO nmstatectl] Nmstate version: 2.2.44\nNmstateError: InvalidArgument: unknown field `leftprotoport`, expected one of `right`, `rightid`, `rightrsasigkey`, `rightcert`, `left`, `leftid`, `leftrsasigkey`, `leftcert`, `ikev2`, `psk`, `ikelifetime`, `salifetime`, `ike`, `esp`, `dpddelay`, `dpdtimeout`, `dpdaction`, `ipsec-interface`, `authby`, `rightsubnet`, `leftsubnet`, `leftmodecfgclient`, `type`, `hostaddrfamily`, `clientaddrfamily`, `require-id-on-certificate`\n: failed to execute nmstatectl policy --current /tmp/currentState658254429 --json --output-captured /tmp/capturedState717063227 /tmp/policy1230028993: exit status 1 LastHeartbeatTime:2025-08-04 03:06:09.075823659 +0000 UTC m=+254378.488762970 LastTransitionTime:2025-08-04 03:06:09.075823659 +0000 UTC m=+254378.488762970} {Type:Available Status:False Reason:FailedToConfigure Message: LastHeartbeatTime:2025-08-04 03:06:09.075824112 +0000 UTC m=+254378.488763424 LastTransitionTime:2025-08-04 03:06:09.075824112 +0000 UTC m=+254378.488763424} {Type:Progressing Status:False Reason:FailedToConfigure Message: LastHeartbeatTime:2025-08-04 03:06:09.075824443 +0000 UTC m=+254378.488763752 LastTransitionTime:2025-08-04 03:06:09.075824443 +0000 UTC m=+254378.488763752} {Type:Pending Status:False Reason:FailedToConfigure Message: LastHeartbeatTime:2025-08-04 03:06:09.075824886 +0000 UTC m=+254378.488764194 LastTransitionTime:2025-08-04 03:06:09.075824886 +0000 UTC m=+254378.488764194} {Type:Aborted Status:False Reason:SuccessfullyConfigured Message: LastHeartbeatTime:2025-08-04 03:06:09.07582501 +0000 UTC m=+254378.488764320 LastTransitionTime:2025-08-04 03:06:09.07582501 +0000 UTC m=+254378.488764320}] Features:[]}","enactment":"worker-0.left-node-ipsec-policy"}
{"level":"error","ts":"2025-08-04T03:06:09.081Z","logger":"controllers.NodeNetworkConfigurationPolicy","msg":"failed filling in the NNCE status","nodenetworkconfigurationpolicy":{"name":"left-node-ipsec-policy"},"error":"failed calling nmstatectl rollback: , [2025-08-04T03:06:09Z INFO nmstatectl] Nmstate version: 2.2.44\nNmstateError: InvalidArgument: unknown field `leftprotoport`, expected one of `right`, `rightid`, `rightrsasigkey`, `rightcert`, `left`, `leftid`, `leftrsasigkey`, `leftcert`, `ikev2`, `psk`, `ikelifetime`, `salifetime`, `ike`, `esp`, `dpddelay`, `dpdtimeout`, `dpdaction`, `ipsec-interface`, `authby`, `rightsubnet`, `leftsubnet`, `leftmodecfgclient`, `type`, `hostaddrfamily`, `clientaddrfamily`, `require-id-on-certificate`\n: failed to execute nmstatectl policy --current /tmp/currentState658254429 --json --output-captured /tmp/capturedState717063227 /tmp/policy1230028993: exit status 1","errorVerbose":", [2025-08-04T03:06:09Z INFO nmstatectl] Nmstate version: 2.2.44\nNmstateError: InvalidArgument: unknown field `leftprotoport`, expected one of `right`, `rightid`, `rightrsasigkey`, `rightcert`, `left`, `leftid`, `leftrsasigkey`, `leftcert`, `ikev2`, `psk`, `ikelifetime`, `salifetime`, `ike`, `esp`, `dpddelay`, `dpdtimeout`, `dpdaction`, `ipsec-interface`, `authby`, `rightsubnet`, `leftsubnet`, `leftmodecfgclient`, `type`, `hostaddrfamily`, `clientaddrfamily`, `require-id-on-certificate`\n: failed to execute nmstatectl policy --current /tmp/currentState658254429 --json --output-captured /tmp/capturedState717063227 /tmp/policy1230028993: exit status 1\nfailed calling nmstatectl rollback\ngithub.com/nmstate/kubernetes-nmstate/pkg/nmstatectl.Policy\n\t/pkg/nmstatectl/nmstatectl.go:197\ngithub.com/nmstate/kubernetes-nmstate/pkg/nmpolicy.GenerateState\n\t/pkg/nmpolicy/generate.go:59\ngithub.com/nmstate/kubernetes-nmstate/controllers/handler.(*NodeNetworkConfigurationPolicyReconciler).fillInEnactmentStatus\n\t/controllers/handler/nodenetworkconfigurationpolicy_controller.go:350\ngithub.com/nmstate/kubernetes-nmstate/controllers/handler.(*NodeNetworkConfigurationPolicyReconciler).Reconcile\n\t/controllers/handler/nodenetworkconfigurationpolicy_controller.go:181\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Reconcile\n\t/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:116\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).reconcileHandler\n\t/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:303\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).processNextWorkItem\n\t/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:263\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Start.func2.2\n\t/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:224\nruntime.goexit\n\t/usr/local/go/src/runtime/asm_amd64.s:1700","stacktrace":"github.com/nmstate/kubernetes-nmstate/controllers/handler.(*NodeNetworkConfigurationPolicyReconciler).Reconcile\n\t/controllers/handler/nodenetworkconfigurationpolicy_controller.go:183\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Reconcile\n\t/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:116\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).reconcileHandler\n\t/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:303\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).processNextWorkItem\n\t/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:263\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Start.func2.2\n\t/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:224"}
Please provide the package NVR for which the bug is seen:
How reproducible is this bug?:
Always
Nmstate version: 2.2.44
Steps to reproduce
- Install OCP cluster.
- Deploy nmstate operator.
- Import IPsec certificates into nss db.
- Deploy NNCP.
Expected results
NNCP must be deployed successfully and Libreswan must get appropriate IKE SAs with the peer node.
Actual results
Is depended on by: OCPBUGS-59506 e2e-aws-ovn-serial-ipsec pod-to-host-disruption (ASSIGNED)
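Added example, not part of the original report and not nmstate or kubernetes-nmstate code: the handler error names only `leftprotoport`, although the policy also sets `rightprotoport`. The code below parses the accepted-field list out of that error text and lists every key in the policy's `libreswan` section that the same nmstate build would reject; the function names are hypothetical.

```python
import re

# Error text copied from the nmstate-handler log on this page (nmstate 2.2.44).
NMSTATE_ERROR = (
    "NmstateError: InvalidArgument: unknown field `leftprotoport`, expected one of "
    "`right`, `rightid`, `rightrsasigkey`, `rightcert`, `left`, `leftid`, "
    "`leftrsasigkey`, `leftcert`, `ikev2`, `psk`, `ikelifetime`, `salifetime`, "
    "`ike`, `esp`, `dpddelay`, `dpdtimeout`, `dpdaction`, `ipsec-interface`, "
    "`authby`, `rightsubnet`, `leftsubnet`, `leftmodecfgclient`, `type`, "
    "`hostaddrfamily`, `clientaddrfamily`, `require-id-on-certificate`"
)

# The libreswan section of the NNCP on this page, written as a plain dict.
LIBRESWAN = {
    "leftrsasigkey": "%cert", "left": "192.168.111.23", "leftid": "%fromcert",
    "leftcert": "left_server", "leftmodecfgclient": False,
    "right": "192.168.111.24", "rightrsasigkey": "%cert", "rightid": "%fromcert",
    "rightsubnet": "192.168.111.24/32", "ike": "aes_gcm256-sha2_256",
    "esp": "aes_gcm256", "ikev2": "insist", "type": "transport",
    "leftprotoport": "icmp", "rightprotoport": "icmp",
}

# Matches the rejected field and the backtick-quoted list of accepted fields.
_ERR = re.compile(r"unknown field `([^`]+)`, expected one of ((?:`[^`]+`(?:, )?)+)")


def parse_unknown_field_error(text):
    """Return (rejected_field, accepted_fields) or None if no such error is present."""
    m = _ERR.search(text)
    if m is None:
        return None
    return m.group(1), set(re.findall(r"`([^`]+)`", m.group(2)))


def unsupported_keys(section, accepted):
    """Every key in the section that is absent from the accepted set, in policy order."""
    return [key for key in section if key not in accepted]


def triage(text, section):
    """Combine both steps: the field the error reports and all fields that would fail."""
    parsed = parse_unknown_field_error(text)
    if parsed is None:
        return None
    rejected, accepted = parsed
    return {"reported": rejected, "all_unsupported": unsupported_keys(section, accepted)}


if __name__ == "__main__":
    print(triage(NMSTATE_ERROR, LIBRESWAN))
```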