SDN-5330: Wait enough for IPsec tunnels to establish before kubelet start #2606
base: master
/test e2e-aws-ovn-ipsec-upgrade
somehow
/test e2e-aws-ovn-ipsec-upgrade
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: pperiyasamy The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
3c4cbbd to 5a0f0e0
/test e2e-aws-ovn-ipsec-upgrade
/test e2e-aws-ovn-ipsec-upgrade
5b24c74 to 6566cf0
/test e2e-aws-ovn-ipsec-upgrade
6566cf0 to c7c8d24
/test e2e-aws-ovn-ipsec-upgrade
c7c8d24 to bb48347
/test e2e-aws-ovn-ipsec-upgrade
@pperiyasamy: This pull request references SDN-5330 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.19.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
bb48347 to aba1a89
/test e2e-aws-ovn-ipsec-upgrade
aba1a89 to 801abcc
/test e2e-aws-ovn-ipsec-upgrade
801abcc to 8d0db5b
/test e2e-aws-ovn-ipsec-serial
/test e2e-aws-ovn-ipsec-serial
/testwith openshift/cluster-network-operator/master/e2e-ovn-ipsec-step-registry openshift/origin#29437
The
/testwith openshift/cluster-network-operator/master/e2e-aws-ovn-ipsec-serial openshift/origin#29437
/testwith openshift/cluster-network-operator/master/e2e-aws-ovn-ipsec-serial openshift/origin#29437
8d0db5b to 9b83a83
/test e2e-aws-ovn-ipsec-upgrade
/testwith openshift/cluster-network-operator/master/e2e-aws-ovn-ipsec-serial openshift/origin#29437
/testwith openshift/cluster-network-operator/master/e2e-aws-ovn-ipsec-serial openshift/origin#29437
/testwith openshift/cluster-network-operator/master/e2e-aws-ovn-ipsec-serial openshift/origin#29437
/testwith openshift/cluster-network-operator/master/e2e-ovn-ipsec-step-registry openshift/origin#29232
/test e2e-aws-ovn-ipsec-upgrade
/testwith openshift/cluster-network-operator/master/e2e-aws-ovn-ipsec-serial openshift/origin#29437
/testwith openshift/cluster-network-operator/master/e2e-ovn-ipsec-step-registry openshift/origin#29232
/test e2e-aws-ovn-ipsec-upgrade
/testwith openshift/cluster-network-operator/master/e2e-ovn-ipsec-step-registry openshift/origin#29232
When node goes for a reboot on an IPsec enabled cluster, once it comes up, libreswan parses /etc/ipsec.d/openshift.conf file and establishes SAs with peers and it may be still in progress even after kubelet is started, pod scheduled on this node would fail communicating with other pods until IPsec tunnels are established. So this commit makes ipsecenabler systemd service to wait up to 2 minutes until IPsec tunnels are established and this would give better chance for ipsec CI lanes to run fine without disruptive events. The butane configs are translated into machine configs with command `butane <file>.bu -o <file>.yaml` and only storage portion is copied manually into IPsec machine config files.
Signed-off-by: Periyasamy Palanisamy <[email protected]>
Signed-off-by: Periyasamy Palanisamy <[email protected]>
It's noticed that ipsec option in ovn is disabled when ipsec daemonset is not running due to known reasons, but it's disabling ipsec in ovn which causes ovs-monitor-ipsec to refresh existing ipsec connections unnecessarily as it is not able to find remote_name from tunnel. So this commit enables ovn ipsec option as long as API is set with Full mode.
Signed-off-by: Periyasamy Palanisamy <[email protected]>
c44c4d6 to 1a6f3da
/test e2e-aws-ovn-ipsec-upgrade
/testwith openshift/cluster-network-operator/master/e2e-aws-ovn-ipsec-serial openshift/origin#29437
@pperiyasamy: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
When node goes for a reboot on an IPsec enabled cluster, once it comes up, libreswan parses /etc/ipsec.d/openshift.conf file and establishes SAs with peers and it may be still in progress even after kubelet is started, pod scheduled on this node would fail communicating with other pods until IPsec tunnels are established. So this commit makes ipsecenabler systemd service to wait up to 2 minutes until IPsec tunnels are established and this would give better chance for ipsec CI lanes to run fine without disruptive events.
The butane configs are translated into machine configs with command `butane <file>.bu -o <file>.yaml` and only storage portion is copied manually into IPsec machine config files.
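
The bounded wait described in the PR description above, as an added example that is not the PR's own script: it compares the `conn` stanzas in a libreswan config with the SAs that `ipsec trafficstatus` reports and gives up after a deadline. It assumes each established SA appears as a line containing the quoted connection name; `IPSEC_STATUS_CMD`, the function names and the sample connection names are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example, not the PR's script: wait until every "conn" stanza in a
# libreswan config has an established IPsec SA, or a deadline passes.

# Connection names declared in config file $1 ("conn %default" is skipped).
conf_conns() {
  awk '$1 == "conn" && $2 != "%default" { print $2 }' "$1" | sort -u
}

# Connection names found in `ipsec trafficstatus` output on stdin; assumed
# line shape for an established SA:  #N: "name", type=ESP, ...
established_conns() {
  sed -n 's/^[^"]*"\([^"]*\)".*/\1/p' | sort -u
}

# Connections declared in $1 that have no established SA yet. If the status
# command fails (pluto not up yet), everything counts as pending.
# IPSEC_STATUS_CMD is a hypothetical override used to feed canned output.
pending_conns() {
  _est=$(${IPSEC_STATUS_CMD:-ipsec trafficstatus} 2>/dev/null | established_conns)
  for _c in $(conf_conns "$1"); do
    printf '%s\n' "$_est" | grep -qxF -e "$_c" || printf '%s\n' "$_c"
  done
}

# wait_for_tunnels CONF [TIMEOUT_SECONDS] [POLL_SECONDS]
# Returns 0 once nothing is pending, 1 if the timeout expires first.
wait_for_tunnels() {
  _deadline=$(( $(date +%s) + ${2:-120} ))
  while _pending=$(pending_conns "$1"); [ -n "$_pending" ]; do
    if [ "$(date +%s)" -ge "$_deadline" ]; then
      echo "IPsec tunnels still pending: $(echo $_pending)" >&2
      return 1
    fi
    sleep "${3:-5}"
  done
  return 0
}

# Constructed sample data: two declared connections, one established SA.
sample_conf() {
  printf 'conn %%default\n  keyingtries=%%forever\nconn ovn-aaaa-in-1\n  left=10.0.0.1\nconn ovn-aaaa-out-1\n  left=10.0.0.1\n'
}
sample_status() {
  printf '#2: "ovn-aaaa-in-1", type=ESP, add_time=1700000000, inBytes=0, outBytes=0\n'
}
```

Against the file named in the description this would be called as `wait_for_tunnels /etc/ipsec.d/openshift.conf 120`; the non-zero return on timeout leaves it to the caller whether to log and continue or to fail the unit.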