Bug 1919072 - [AWS] use protocol number 50 instead of protocol name esp in AWS cloudformation template
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 4.7
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: 4.7.0
Assignee: Mark Gray
QA Contact: Yunfei Jiang
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-01-22 03:59 UTC by Yunfei Jiang
Modified: 2021-02-10 09:53 UTC

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-02-10 09:53:32 UTC
Target Upstream Version:
Embargoed:


Links
| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Github | openshift installer pull 4583 | 0 | None | closed | Bug 1919072: AWS cloudformation change protocol from ESP to 50 | 2021-02-10 09:53:05 UTC |

Description Yunfei Jiang 2021-01-22 03:59:17 UTC
Got the following error when creating a security group ingress rule with the esp protocol using AWS CloudFormation:
`Invalid value ‘esp’ for IP protocol. Unknown protocol.`


AWS CloudFormation does not support the protocol name `esp`, but it does support protocol numbers [1], and the esp protocol number is 50 [2].

Replace `IpProtocol: esp` with `IpProtocol: 50` in the following lines:
https://github.com/openshift/installer/blob/master/upi/aws/cloudformation/03_cluster_security.yaml#L163
https://github.com/openshift/installer/blob/master/upi/aws/cloudformation/03_cluster_security.yaml#L191
https://github.com/openshift/installer/blob/master/upi/aws/cloudformation/03_cluster_security.yaml#L359
https://github.com/openshift/installer/blob/master/upi/aws/cloudformation/03_cluster_security.yaml#L387


[1] [AWS::EC2::SecurityGroupIngress - AWS CloudFormation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group-ingress.html#cfn-ec2-security-group-ingress-ipprotocol)
[2] [Protocol Numbers](https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml)
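
A pre-deployment check for the failure described in this report, added here as an example and not taken from the installer repository: it scans a YAML CloudFormation template for `IpProtocol` values that are neither a number nor a name listed in the AWS documentation [1], and rewrites names whose IANA number [2] is known. The accepted-name set is an assumption drawn from that documentation; the function names and the sample template are constructed for illustration.

```python
import re

# Assumption: protocol names accepted for IpProtocol, per the AWS documentation cited as [1].
ACCEPTED_NAMES = {"tcp", "udp", "icmp", "icmpv6"}
# IANA protocol numbers [2] for names often written by hand in IPsec/tunnel rules.
IANA_NUMBERS = {"esp": 50, "ah": 51, "gre": 47}
IP_PROTOCOL = re.compile(r"^(?P<key>\s*-?\s*IpProtocol:\s*)(?P<value>[^#\n]*?)\s*(?:#.*)?$")

# Constructed sample template fragment (not from the installer repository).
SAMPLE = """\
Resources:
  WorkerSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      SecurityGroupIngress:
      - IpProtocol: esp
        CidrIp: 10.0.0.0/16
      - IpProtocol: "51"
        CidrIp: 10.0.0.0/16
      - IpProtocol: !Ref OtherProtocol
        CidrIp: 10.0.0.0/16
"""


def check_template(text):
    """Return (line_number, value, suggested_number) for each IpProtocol name likely to be rejected."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = IP_PROTOCOL.match(line)
        raw = m.group("value") if m else ""
        value = raw.strip("'\"")
        if not value or raw.startswith("!"):
            continue  # no scalar here, or an intrinsic function (!Ref, !Sub) we cannot resolve statically
        numeric = value == "-1" or (value.isdigit() and int(value) <= 255)
        if not numeric and value.lower() not in ACCEPTED_NAMES:
            findings.append((lineno, value, IANA_NUMBERS.get(value.lower())))
    return findings


def fix_template(text):
    """Replace rejected names with their IANA number where the number is known."""
    lines = text.splitlines()
    for lineno, value, number in check_template(text):
        if number is not None:
            lines[lineno - 1] = IP_PROTOCOL.sub(r"\g<key>%d" % number, lines[lineno - 1])
    return "\n".join(lines) + "\n"
```

Names without a known number are reported with `None` as the suggestion and left unchanged, so they can be resolved by hand against the IANA registry.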

Comment 1 Matthew Staebler 2021-01-22 05:26:43 UTC
This was introduced in the fix for https://bugzilla.redhat.com/show_bug.cgi?id=1916373. Assigning to Mark.

Comment 2 Mark Gray 2021-01-22 13:56:45 UTC
Hi, did this fail the installation or did the installation proceed?

Comment 4 Yunfei Jiang 2021-01-25 04:10:29 UTC
(In reply to Mark Gray from comment #2)
> Hi, did this fail the installation or did the installation proceed?

The CloudFormation stack cannot be created successfully due to the error `Invalid value ‘esp’ for IP protocol. Unknown protocol.`
It blocks the installation process.

Comment 5 Yunfei Jiang 2021-01-25 04:13:37 UTC
verified. PASS.
OCP version: 4.7.0-0.nightly-2021-01-21-090809

