
OPERATIONAL DEFECT DATABASE
What were you trying to do that didn't work?

Tried to load libreswan config via k8s-nmstate NNCP CR for enabling IPsec connection between two OCP 4.16 worker nodes. But it fails unfortunately.

Please provide the package NVR for which bug is seen:

How reproducible:

Steps to reproduce

Install OCP 4.16 (which is under development)

Rollout IPsec mode 'External', generate and import certificates onto relevant worker node needed for IPSec connection.

Install kubernetes-nmstate from redhat-operators.

    # cat nmstate-deploy.yaml
    apiVersion: v1
    kind: Namespace
    metadata:
      labels:
        openshift.io/cluster-monitoring: "true"
      name: openshift-nmstate
    ---
    apiVersion: operators.coreos.com/v1
    kind: OperatorGroup
    metadata:
      name: kubernetes-nmstate-operator-operatorgroup
      namespace: openshift-nmstate
    spec:
      targetNamespaces:
      - openshift-nmstate
    ---
    apiVersion: operators.coreos.com/v1alpha1
    kind: Subscription
    metadata:
      name: kubernetes-nmstate-operator
      namespace: openshift-nmstate
    spec:
      channel: "stable"
      name: kubernetes-nmstate-operator
      source: redhat-operators
      sourceNamespace: openshift-marketplace

    # cat nmstate-crd.yaml
    apiVersion: nmstate.io/v1
    kind: NMState
    metadata:
      name: nmstate

Create NNCP targeting relevant worker nodes.

    kind: NodeNetworkConfigurationPolicy
    apiVersion: nmstate.io/v1
    metadata:
      name: left-node-ipsec-policy
    spec:
      nodeSelector:
        kubernetes.io/hostname: ip-10-0-117-52.ec2.internal
      desiredState:
        interfaces:
        - name: hosta_conn
          type: ipsec
          ipv4:
            enabled: true
            dhcp: true
          libreswan:
            leftrsasigkey: '%cert'
            left: 10.0.117.52
            leftid: '%fromcert'
            leftcert: left_server
            leftmodecfgclient: false
            right: 10.0.18.71
            rightrsasigkey: '%cert'
            rightid: '%fromcert'
            rightsubnet: 10.0.18.71/32
            ike: aes_gcm256-sha2_256
            esp: aes_gcm256
            ikev2: insist
            type: transport
    ---
    kind: NodeNetworkConfigurationPolicy
    apiVersion: nmstate.io/v1
    metadata:
      name: right-node-ipsec-policy
    spec:
      nodeSelector:
        kubernetes.io/hostname: ip-10-0-18-71.ec2.internal
      desiredState:
        interfaces:
        - name: hosta_conn
          type: ipsec
          ipv4:
            enabled: true
            dhcp: true
          libreswan:
            leftrsasigkey: '%cert'
            left: 10.0.18.71
            leftid: '%fromcert'
            leftcert: right_server
            leftmodecfgclient: false
            right: 10.0.117.52
            rightrsasigkey: '%cert'
            rightid: '%fromcert'
            rightsubnet: 10.0.117.52/32
            ike: aes_gcm256-sha2_256
            esp: aes_gcm256
            ikev2: insist
            type: transport

Expected results

NNCP should get configured on the node.

Actual results

NNCP failed to configure.

    # oc get NodeNetworkConfigurationPolicy
    NAME                      STATUS     REASON
    left-node-ipsec-policy    Degraded   FailedToConfigure
    right-node-ipsec-policy   Degraded   FailedToConfigure

    ignoring\n[2024-04-09T08:53:23Z INFO nmstate::nm::show] Got unsupported interface type ip-tunnel: ip_vti0, ignoring\n[2024-04-09T08:53:23Z ERROR nmstate::ifaces::inter_ifaces] InvalidArgument: Failed to find unknown type interface hosta_conn in current state\nNmstateError: InvalidArgument: Failed to find unknown type interface hosta_conn in current state\n'"

Note: The same NNCP config worked fine on OCP 4.15 worker node. The difference is 4.16 node has libreswan 4.12 whereas 4.15 node has libreswan 4.9.
Not a Bug