What were you trying to do that didn't work?
Tried to load libreswan config via k8s-nmstate NNCP CR for enabling IPsec connection between two OCP 4.16 worker nodes. But it fails unfortunately.
Please provide the package NVR for which bug is seen:
How reproducible:
Steps to reproduce
- Install OCP 4.16 (which is under development)
- Rollout IPsec mode 'External', generate and import certificates onto relevant worker node needed for IPSec connection.
- Install kubernetes-nmstate from redhat-operators.
# cat nmstate-deploy.yaml apiVersion: v1 kind: Namespace metadata: labels: openshift.io/cluster-monitoring: "true" name: openshift-nmstate --- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: name: kubernetes-nmstate-operator-operatorgroup namespace: openshift-nmstate spec: targetNamespaces: - openshift-nmstate --- apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: name: kubernetes-nmstate-operator namespace: openshift-nmstate spec: channel: "stable" name: kubernetes-nmstate-operator source: redhat-operators sourceNamespace: openshift-marketplace # cat nmstate-crd.yaml apiVersion: nmstate.io/v1 kind: NMState metadata: name: nmstate
- Create NNCP targeting relevant worker nodes.
kind: NodeNetworkConfigurationPolicy apiVersion: nmstate.io/v1 metadata: name: left-node-ipsec-policy spec: nodeSelector: kubernetes.io/hostname: ip-10-0-117-52.ec2.internal desiredState: interfaces: - name: hosta_conn type: ipsec ipv4: enabled: true dhcp: true libreswan: leftrsasigkey: '%cert' left: 10.0.117.52 leftid: '%fromcert' leftcert: left_server leftmodecfgclient: false right: 10.0.18.71 rightrsasigkey: '%cert' rightid: '%fromcert' rightsubnet: 10.0.18.71/32 ike: aes_gcm256-sha2_256 esp: aes_gcm256 ikev2: insist type: transport --- kind: NodeNetworkConfigurationPolicy apiVersion: nmstate.io/v1 metadata: name: right-node-ipsec-policy spec: nodeSelector: kubernetes.io/hostname: ip-10-0-18-71.ec2.internal desiredState: interfaces: - name: hosta_conn type: ipsec ipv4: enabled: true dhcp: true libreswan: leftrsasigkey: '%cert' left: 10.0.18.71 leftid: '%fromcert' leftcert: right_server leftmodecfgclient: false right: 10.0.117.52 rightrsasigkey: '%cert' rightid: '%fromcert' rightsubnet: 10.0.117.52/32 ike: aes_gcm256-sha2_256 esp: aes_gcm256 ikev2: insist type: transport
Expected results
NNCP should get configured on the node.
Actual results
NNCP failed to configure.
# oc get NodeNetworkConfigurationPolicy NAME STATUS REASON left-node-ipsec-policy Degraded FailedToConfigure right-node-ipsec-policy Degraded FailedToConfigure
ignoring\n[2024-04-09T08:53:23Z INFO nmstate::nm::show] Got unsupported interface type ip-tunnel: ip_vti0, ignoring\n[2024-04-09T08:53:23Z ERROR nmstate::ifaces::inter_ifaces] InvalidArgument: Failed to find unknown type interface hosta_conn in current state\nNmstateError: InvalidArgument: Failed to find unknown type interface hosta_conn in current state\n'"
Note: The same NNCP config worked fine on OCP 4.15 worker node.
The difference is 4.16 node has libreswan 4.12 whereas 4.15 node has libreswan 4.9.
- blocks
-
SDN-4168 Improve ipsec tests
- Code Review