OCPBUGS-74401: Remove duplicated openssl parameter

[mkowalski]

We are getting the following error

  openssl req -new -text -extensions v3_req -addext 'subjectAltName = DNS:...' -subj /C=US/O=ovnkubernetes/OU=kind/CN=... -key ... -out ...
  Error adding request extensions defined via -addext
  error:0580008C:x509 certificate routines:X509at_add1_attr_by_NID:duplicate attribute:crypto/x509/x509_att.c:194:

so we are removing the v3_req from the openssl call as it seems to be now a default in openssl.cnf

A respective change in ovn-kubernetes upstream is
ovn-kubernetes/ovn-kubernetes#5574.

In order to preserve backwards compatibility, we are handling both
scenarios.

Fixes: OCPBUGS-74401

[openshift-ci-robot]

@mkowalski: This pull request references Jira Issue OCPBUGS-74401, which is invalid:

• expected the bug to target the "4.22.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

We are getting the following error

 openssl req -new -text -extensions v3_req -addext 'subjectAltName = DNS:...' -subj /C=US/O=ovnkubernetes/OU=kind/CN=... -key ... -out ...
 Error adding request extensions defined via -addext
 error:0580008C:x509 certificate routines:X509at_add1_attr_by_NID:duplicate attribute:crypto/x509/x509_att.c:194:

so we are removing the v3_req from the openssl call as it seems to be now a default in openssl.cnf

A respective change in ovn-kubernetes upstream is
ovn-kubernetes/ovn-kubernetes#5574.

Fixes: OCPBUGS-74401

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Walkthrough

Added a conditional retry around OpenSSL CSR generation in two OVN-Kubernetes IPsec YAMLs: the script first attempts openssl req with -extensions v3_req and, on failure, logs a retry message and runs a fallback openssl req without -extensions v3_req. All other CSR parameters unchanged.

Changes

Cohort / File(s)	Summary
IPsec OpenSSL CSR retry bindata/network/ovn-kubernetes/common/ipsec-containerized.yaml, bindata/network/ovn-kubernetes/common/ipsec-host.yaml	Introduced a conditional retry for CSR creation: first call uses -extensions v3_req; if it fails, emits a diagnostic message and retries the openssl req without -extensions v3_req. Subject, SAN, key, and base64 encoding steps unchanged.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[mkowalski]

/jira refresh

[openshift-ci-robot]

@mkowalski: This pull request references Jira Issue OCPBUGS-74401, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.22.0) matches configured target version for branch (4.22.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[mkowalski]

/payload-job periodic-ci-openshift-release-master-nightly-4.22-e2e-aws-ovn-serial-ipsec

[openshift-ci]

@mkowalski: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-release-master-nightly-4.22-e2e-aws-ovn-serial-ipsec

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/9017c5b0-fa9a-11f0-8c95-ed7ffe5308d5-0

[tssurya]

/assign @pperiyasamy for review

[openshift-ci]

@tssurya: GitHub didn't allow me to assign the following users: for, review.

Note that only openshift members with read permissions, repo collaborators and people who have commented on this issue/PR can be assigned. Additionally, issues/PRs can only have 10 assignees at the same time.
For more information please see the contributor guide

Details

In response to this:

/assign @pperiyasamy for review

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[mkowalski]

Job passed -- https://prow.ci.openshift.org/view/gs/test-platform-results/logs/openshift-cluster-network-operator-2889-nightly-4.22-e2e-aws-ovn-serial-ipsec/2015720658675175424. The PR fixes the issue

[mkowalski]

/payload-job periodic-ci-openshift-release-master-nightly-4.22-e2e-aws-ovn-serial-ipsec

[openshift-ci]

@mkowalski: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-release-master-nightly-4.22-e2e-aws-ovn-serial-ipsec

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/9def9d40-fabb-11f0-8b7d-fbf569dc0895-0

[openshift-ci-robot]

@mkowalski: This pull request references Jira Issue OCPBUGS-74401, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.22.0) matches configured target version for branch (4.22.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Details

In response to this:

We are getting the following error

 openssl req -new -text -extensions v3_req -addext 'subjectAltName = DNS:...' -subj /C=US/O=ovnkubernetes/OU=kind/CN=... -key ... -out ...
 Error adding request extensions defined via -addext
 error:0580008C:x509 certificate routines:X509at_add1_attr_by_NID:duplicate attribute:crypto/x509/x509_att.c:194:

so we are removing the v3_req from the openssl call as it seems to be now a default in openssl.cnf

A respective change in ovn-kubernetes upstream is
ovn-kubernetes/ovn-kubernetes#5574.

In order to preserve backwards compatibility, we are handling both
scenarios.

Fixes: OCPBUGS-74401

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[pperiyasamy]

/lgtm

The e2e-aws-ovn-upgrade-ipsec job has already started and is consuming a broken build for the initial cluster installation. We need to get this PR merged so that the upgrade job will pass once it starts consuming the fixed image.

The metal IPsec failures are caused by an ansible galaxy download issue and may pass on a retry.

+(./01_install_requirements.sh:166): ansible-galaxy install -r vm-setup/requirements.yml
ERROR! Error when getting collection version metadata for kubernetes.core:6.2.0 from default (https://galaxy.ansible.com/api/) (HTTP Code: 500, Message: Internal Server Error Code: Unknown)
Starting galaxy role install process

[mkowalski]

The 2nd attempt for payload test is also OK -- https://prow.ci.openshift.org/view/gs/test-platform-results/logs/openshift-cluster-network-operator-2889-nightly-4.22-e2e-aws-ovn-serial-ipsec/2015780194219986944

[mkowalski]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[jcaamano]

/retest-required

[mkowalski]

/retest-required

[mkowalski]

/pj-rehearse periodic-ci-openshift-release-master-nightly-4.22-e2e-metal-ipi-ovn-ipv6-ipsec

[openshift-ci]

@mkowalski: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/security	756a7ea	link	false	/test security

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[kyrtapz]

/override ci/prow/e2e-aws-ovn-upgrade-ipsec

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD f5b8490 and 2 for PR HEAD 756a7ea in total

[openshift-ci]

@kyrtapz: Overrode contexts on behalf of kyrtapz: ci/prow/e2e-aws-ovn-upgrade-ipsec

Details

In response to this:

/override ci/prow/e2e-aws-ovn-upgrade-ipsec

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[kyrtapz]

/override ci/prow/e2e-aws-ovn-upgrade-ipsec

[openshift-ci]

@kyrtapz: Overrode contexts on behalf of kyrtapz: ci/prow/e2e-aws-ovn-upgrade-ipsec

Details

In response to this:

/override ci/prow/e2e-aws-ovn-upgrade-ipsec

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci-robot]

@mkowalski: Jira Issue Verification Checks: Jira Issue OCPBUGS-74401
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-74401 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓

Details

In response to this:

We are getting the following error

 openssl req -new -text -extensions v3_req -addext 'subjectAltName = DNS:...' -subj /C=US/O=ovnkubernetes/OU=kind/CN=... -key ... -out ...
 Error adding request extensions defined via -addext
 error:0580008C:x509 certificate routines:X509at_add1_attr_by_NID:duplicate attribute:crypto/x509/x509_att.c:194:

so we are removing the v3_req from the openssl call as it seems to be now a default in openssl.cnf

A respective change in ovn-kubernetes upstream is
ovn-kubernetes/ovn-kubernetes#5574.

In order to preserve backwards compatibility, we are handling both
scenarios.

Fixes: OCPBUGS-74401

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[mkowalski]

/jira cherry-pick release-4.22,release-4.21,release-4.20,release-4.19

It came from RHEL9.6

[mkowalski]

/jira backport release-4.22,release-4.21,release-4.20,release-4.19

[openshift-ci-robot]

@mkowalski: Missing required branches for backport chain:

• release-4.23 OR openshift-4.23,

Details

In response to this:

/jira backport release-4.22,release-4.21,release-4.20,release-4.19

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[mkowalski]

/jira backport release-4.23,release-4.22,release-4.21,release-4.20,release-4.19

[openshift-ci-robot]

@mkowalski: Missing required branches for backport chain:

• branch with one of the following target versions: [4.24.0]

Details

In response to this:

/jira backport release-4.23,release-4.22,release-4.21,release-4.20,release-4.19

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[mkowalski]

/jira backport main,release-4.23,release-4.22,release-4.21,release-4.20,release-4.19

[openshift-ci-robot]

@mkowalski: Missing required branches for backport chain:

• branch with one of the following target versions: [4.24.0]

Details

In response to this:

/jira backport main,release-4.23,release-4.22,release-4.21,release-4.20,release-4.19

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[mkowalski]

/jira backport release-4.22,release-4.21,release-4.20,release-4.19

[openshift-ci-robot]

@mkowalski: Missing required branches for backport chain:

• openshift-4.23 OR release-4.23,

Details

In response to this:

/jira backport release-4.22,release-4.21,release-4.20,release-4.19

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[mkowalski]

/jira backport release-4.23,release-4.22,release-4.21,release-4.20,release-4.19

[openshift-ci-robot]

@mkowalski: Missing required branches for backport chain:

• branch with one of the following target versions: [4.24.0]

Details

In response to this:

/jira backport release-4.23,release-4.22,release-4.21,release-4.20,release-4.19

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[mkowalski]

/jira refresh

[openshift-ci-robot]

@mkowalski: Jira Issue OCPBUGS-74401 is in an unrecognized state (ON_QA) and will not be moved to the MODIFIED state.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[mkowalski]

/cherrypick release-4.22 release-4.21 release-4.20 release-4.19

[openshift-cherrypick-robot]

@mkowalski: new pull request could not be created: failed to create pull request against openshift/cluster-network-operator#release-4.22 from head openshift-cherrypick-robot:cherry-pick-2889-to-release-4.22: status code 422 not one of [201], body: {"message":"Validation Failed","errors":[{"resource":"PullRequest","code":"custom","message":"No commits between openshift:release-4.22 and openshift-cherrypick-robot:cherry-pick-2889-to-release-4.22"}],"documentation_url":"https://docs.github.com/rest/pulls/pulls#create-a-pull-request","status":"422"}

Details

In response to this:

/cherrypick release-4.22 release-4.21 release-4.20 release-4.19

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[sdodson]

/cherry-pick release-4.21, release-4.20

[sdodson]

/cherrypick release-4.22 release-4.21 release-4.20 release-4.19

master fast forwards to release-4.22 only need to pick back to release-4.21 and release-4.20

[openshift-cherrypick-robot]

@sdodson: cannot checkout release-4.21,: error checking out "release-4.21,": exit status 1 error: pathspec 'release-4.21,' did not match any file(s) known to git

Details

In response to this:

/cherry-pick release-4.21, release-4.20

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[sdodson]

/cherry-pick release-4.21 release-4.20

[openshift-cherrypick-robot]

@sdodson: new pull request created: #2899

Details

In response to this:

/cherry-pick release-4.21 release-4.20

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.