Bug 2039344 - When dual-stack is enabled, etcd operator goes degraded as node receives additional IPv6 address
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Etcd
Version: 4.8
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: 4.10.0
Assignee: Allen Ray
QA Contact: Pedro Amoedo
URL:
Whiteboard:
Depends On:
Blocks: 2040092
Reported: 2022-01-11 14:25 UTC by Michal Fojtik
Modified: 2022-01-21 21:12 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-01-21 21:12:06 UTC
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | openshift cluster-etcd-operator pull 727 | 0 | None | Merged | Bug 2039344: Do not include ipv6 node address in cert | 2022-01-18 18:10:24 UTC

Internal Links: 2043683

Description Michal Fojtik 2022-01-11 14:25:16 UTC
Description of problem:

After dual-stack is enabled in the cluster, the etcd operator will go degraded as it checks the validity of the current certs against the node IPs. Since the node receives a new IPv6 IP, the check will fail, because the certificate is not valid for that IP...

There are two options: we either regenerate the certificates and include the additional IPv6 address in the cert, or we just skip the IPv6 address, because we don't really need it for internal communication (IPv4 is still working).

xref: https://bugzilla.redhat.com/show_bug.cgi?id=2039235

Version-Release number of selected component (if applicable):

4.10 (but will require backport down to 4.8)

Steps to Reproduce:
1. enable dual-stack
2. watch etcd go degraded on certificate check
3.

Actual results:


Expected results:


Additional info:
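
The following is an added example, not code from the bug report or from cluster-etcd-operator. It reproduces the failing check described above on an IPv4-only certificate and shows the effect of the second option (skipping IPv6 node addresses); the helper names `certForIPs` and `uncoveredIPs` are hypothetical and the addresses are constructed from documentation ranges.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// certForIPs (hypothetical helper) returns a self-signed cert whose IP SANs are exactly ips.
func certForIPs(ips ...net.IP) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IPAddresses: ips,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// uncoveredIPs (hypothetical) lists node addresses cert has no SAN for; skipIPv6 leaves IPv6 out.
func uncoveredIPs(cert *x509.Certificate, nodeIPs []string, skipIPv6 bool) []string {
	var missing []string
	for _, s := range nodeIPs {
		if ip := net.ParseIP(s); skipIPv6 && ip != nil && ip.To4() == nil {
			continue
		}
		if cert.VerifyHostname(s) != nil {
			missing = append(missing, s)
		}
	}
	return missing
}

func main() {
	cert, err := certForIPs(net.ParseIP("192.0.2.10")) // constructed IPv4-only SAN
	if err != nil {
		panic(err)
	}
	node := []string{"192.0.2.10", "2001:db8::10"} // constructed dual-stack node addresses
	fmt.Println("strict:", uncoveredIPs(cert, node, false))
	fmt.Println("skip IPv6:", uncoveredIPs(cert, node, true))
}
```

Skipping IPv6 only silences the check for addresses the certificate was never meant to cover; an IPv4 node address missing from the SAN list is still reported.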

Comment 4 Scott Dodson 2022-01-18 19:43:09 UTC
We should be setting the Version to the version we believe first introduced or have confirmed the problem exists in and intend to fix. Target version gets set to the relevant branch where it's being fixed. This ensures that even looking just at the bug metadata it's clear which version range is affected.

