Bug 2103144 - [IPv6] apiVIP and ingressVIP non-equality validation doesn't account for synonyms
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 4.11
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: ---
Target Release: 4.12.0
Assignee: Pierre Prinetti
QA Contact: Itay Matza
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-07-01 14:22 UTC by Pierre Prinetti
Modified: 2023-01-17 19:51 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
* Previously, the installation program would incorrectly allow the `apiVIP` and `ingressVIP` parameters to use the same IPv6 address if they represented the address differently, such as listing the address in an abbreviated format. In this update, the installer validates these two parameters correctly regardless of their formatting, requiring separate IP addresses for each parameter. (link:https://bugzilla.redhat.com/show_bug.cgi?id=2103144[*BZ#2103144*])
Clone Of:
Environment:
Last Closed: 2023-01-17 19:51:19 UTC
Target Upstream Version:
Embargoed:


Links
| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Github | openshift installer pull 6067 | 0 | None | open | Bug 2103144: openstack: validate apiVIP and ingressVIP to be semantically different | 2022-07-01 15:04:09 UTC |
| Red Hat Product Errata | RHSA-2022:7399 | 0 | None | None | None | 2023-01-17 19:51:37 UTC |

Description Pierre Prinetti 2022-07-01 14:22:05 UTC
Version:

```
$ openshift-install version
openshift-install-linux-4.11.0-0.nightly-2022-06-22-015220 4.11.0-0.nightly-2022-06-22-015220
built from commit f912534f12491721e3874e2bf64f7fa8d44aa7f5
release image quay.io/openshift-release-dev/ocp-release-nightly@sha256:9c2e9cafaaf48464a0d27652088d8fb3b2336008a615868aadf8223202bdc082
release architecture amd64
```

Platform: OpenStack

Please specify:
* IPI

What happened?

openshift-install validates that the IPs in install-config's properties platform.openstack.apiVIP and platform.openstack.ingressVIP are different.

However, passing two different representations of the same IP trumps the check. The installer successfully validates this install-config.yaml:

```
apiVersion: v1
baseDomain: <base_domain>
compute:
- architecture: amd64
  hyperthreading: Enabled
  name: worker
  platform:
    openstack:
      type: m1.s2.xlarge
  replicas: 3
controlPlane:
  architecture: amd64
  hyperthreading: Enabled
  name: master
  platform:
    openstack:
      type: m1.s2.xlarge
  replicas: 3
metadata:
  creationTimestamp: null
  name: ocp1
networking:
  clusterNetwork:
  - cidr: 10.128.0.0/14
    hostPrefix: 23
  machineNetwork:
  - cidr: 10::/17
  networkType: OpenShiftSDN
  serviceNetwork:
  - 172.30.0.0/16
platform:
  openstack:
    apiFloatingIP: <omitted>
    apiVIP: 10::5
    cloud: <cloud>
    externalDNS: null
    externalNetwork: external
    ingressFloatingIP: <omitted>
    ingressVIP: 10::0:5
publish: External
pullSecret: <omitted>
```

Comment 3 Itay Matza 2022-08-11 15:00:18 UTC
Verified with openshift-install 4.12.0-0.nightly-2022-08-10-034842 -


1. Set equivalent representations of the same IPv6 address, and the validation raises an appropriate error:
	1.1.
	```
		$ grep -A 1 "machineNetwork" install-config.yaml && grep "VIP" install-config.yaml
		  machineNetwork:
			- cidr: "2001:cb0::/64"
			apiVIP: "2001:0cb0:0000:0000:0fc0:0000:0000:0abc"
			ingressVIP: "2001:cb0::fc0:0:0:abc"
		$ cp install-config.yaml install-config.yaml.bck
		$ openshift-install create manifests
		ERROR failed to fetch Master Machines: failed to load asset "Install Config": failed to create install config: platform.openstack.ingressVIP: Invalid value: "2001:cb0::fc0:0:0:abc": ingressVIP can not be the same as apiVIP
	```

	1.2.
	```
		$ grep -A 1 "machineNetwork" install-config.yaml && grep "VIP" install-config.yaml
		  machineNetwork:
			- cidr: "2001:cb0::/64"
			apiVIP: "2001:0cb0:0000:0000:0fc0:0000:0000:0abc"
			ingressVIP: "2001:cb0:0:0:fc0::abc"
		$ openshift-install create manifests
		ERROR failed to fetch Master Machines: failed to load asset "Install Config": failed to create install config: platform.openstack.ingressVIP: Invalid value: "2001:cb0:0:0:fc0::abc": ingressVIP can not be the same as apiVIP
	```

	1.3.
	```
		$ grep -A 1 "machineNetwork" install-config.yaml && grep "VIP" install-config.yaml                                                                                             
		  machineNetwork:
			- cidr: "2001:cb0::/64"
			apiVIP: "2001:0cb0:0000:0000:0fc0:0000:0000:0abc"
			ingressVIP: "2001:cb0:0:0:0fc0::abc"
		$ openshift-install create manifests
		ERROR failed to fetch Master Machines: failed to load asset "Install Config": failed to create install config: platform.openstack.ingressVIP: Invalid value: "2001:cb0:0:0:0fc0::abc": ingressVIP can not be the same as apiVIP
	```

	1.4.
	```
		$ grep -A 1 "machineNetwork" install-config.yaml && grep "VIP" install-config.yaml
		  machineNetwork:
			- cidr: "2001:cb0::/64"
			apiVIP: "2001:cb0::fc0:0:0:abc"
			ingressVIP: "2001:cb0:0:0:0fc0::abc"
		$ openshift-install create manifests
		ERROR failed to fetch Master Machines: failed to load asset "Install Config": failed to create install config: platform.openstack.ingressVIP: Invalid value: "2001:cb0:0:0:0fc0::abc": ingressVIP can not be the same as apiVIP 
	```

2. Set an invalid IPv6 address, and the validation raises an appropriate error:
```
	$ grep -A 1 "machineNetwork" install-config.yaml && grep "VIP" install-config.yaml
	  machineNetwork:
		- cidr: "2001:cb0::/64"
		apiVIP: "2001:0cb0:0000:0000:0fc0:0000:0000:0abc"
		ingressVIP: "2001:cb0::fc0::abc"
	$ openshift-install create manifests
	ERROR failed to fetch Master Machines: failed to load asset "Install Config": failed to create install config: invalid "install-config.yaml" file: platform.openstack.ingressVIP: Invalid value: "2001:cb0::fc0::abc": "2001:cb0::fc0::abc" is not a valid IP 
```


3. Set an IP that is not in the machineNetwork, and the validation raises an appropriate error:
```
	$ grep -A 1 "machineNetwork" install-config.yaml && grep "VIP" install-config.yaml
	  machineNetwork:
		- cidr: "2001:cb0::/64"
		apiVIP: "2001:0cb0:0000:0000:0fc0:0000:0000:0abc"
		ingressVIP: "2001:cb::fc:0:0:abc"
	$ openshift-install create manifests
	ERROR failed to fetch Master Machines: failed to load asset "Install Config": failed to create install config: invalid "install-config.yaml" file: platform.openstack.ingressVIP: Invalid value: "2001:cb::fc:0:0:abc": IP is not in the machineNetwork 
```


4. Set different VIPs, and the manifests are created:
```
	$ grep -A 1 "machineNetwork" install-config.yaml && grep "VIP" install-config.yaml
	  machineNetwork:
		- cidr: "2001:cb0::/64"
		apiVIP: "2001:0cb0:0000:0000:0fc0:0000:0000:0abc"
		ingressVIP: "2001:cb0::fc:0:0:abc"
	$ openshift-install create manifests
	INFO Credentials loaded from file "/home/stack/clouds.yaml" 
	INFO Consuming Install Config from target directory 
	INFO Manifests created in: manifests and openshift
```
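
The difference between a textual and a semantic VIP comparison, as an added Go example that is not part of the bug report and not the installer's own code. `naiveDistinct`, `CheckVIPs` and the three error values are hypothetical names; the addresses are the ones quoted in the description and in the verification steps above.

```go
package main

import (
	"errors"
	"fmt"
	"net"
)

// Hypothetical error values for this example (not the installer's).
var (
	ErrInvalidIP    = errors.New("not a valid IP")
	ErrOutOfNetwork = errors.New("IP is not in the machineNetwork")
	ErrSameVIP      = errors.New("ingressVIP can not be the same as apiVIP")
)

// naiveDistinct compares spellings, so two synonyms of one address pass.
func naiveDistinct(apiVIP, ingressVIP string) bool {
	return apiVIP != ingressVIP
}

// CheckVIPs parses both VIPs, checks each against the machine network,
// then compares the parsed addresses instead of their textual forms.
func CheckVIPs(machineCIDR, apiVIP, ingressVIP string) error {
	_, network, err := net.ParseCIDR(machineCIDR)
	if err != nil {
		return fmt.Errorf("machineNetwork %q: %w", machineCIDR, err)
	}
	parsed := make([]net.IP, 0, 2)
	for _, vip := range []string{apiVIP, ingressVIP} {
		ip := net.ParseIP(vip) // nil for malformed input such as a double "::"
		if ip == nil {
			return fmt.Errorf("%q: %w", vip, ErrInvalidIP)
		}
		if !network.Contains(ip) {
			return fmt.Errorf("%q: %w", vip, ErrOutOfNetwork)
		}
		parsed = append(parsed, ip)
	}
	if parsed[0].Equal(parsed[1]) { // byte-wise equality of the addresses
		return fmt.Errorf("%q: %w", ingressVIP, ErrSameVIP)
	}
	return nil
}

func main() {
	fmt.Println(naiveDistinct("10::5", "10::0:5"))        // string check passes
	fmt.Println(CheckVIPs("10::/17", "10::5", "10::0:5")) // parsed check rejects
}
```

`net.IP.Equal` also treats an IPv4 address and its IPv4-mapped IPv6 form as equal, which covers the same class of synonym on dual-stack input.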

Comment 6 errata-xmlrpc 2023-01-17 19:51:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.12.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:7399

