Issued: 2024-10-01
Updated: 2024-10-01
RHBA-2024:7466 - Bug Fix Advisory
Synopsis
Submariner-addon 0.16 hotfix
Type/Severity
Bug Fix Advisory
Topic
Submariner hotfix for the 0.16 release.
Description
Bug addressed:
- ACM-14391 submariner 0.16.0 - SubmarinerConfigController reconciliation failed.
Details:
The Submariner cloud preparation process makes the AWS cloud ready for the Submariner installation.
To prepare the AWS cloud, the procedure retrieves the virtual private cloud (VPC) subnets and security groups from the deployed AWS cluster. To retrieve this information, Submariner relies on the naming convention that Red Hat OpenShift uses for these resources.
When using a custom VPC, most of these resources do not use the expected naming convention and the Submariner cloud preparation procedure fails.
Solution
Before applying this update, make sure the Submariner add-on is removed from all of the clusters.
Complete the following procedure:
1. Apply the hotfix to the hub cluster by completing the following steps:
A. Create and apply an image-override configmap in the open-cluster-management namespace similar to the following example:
kind: ConfigMap
apiVersion: v1
metadata:
  name: <configmap-name>
  namespace: open-cluster-management
data:
  overrides.json: |-
    [
      {
        "image-name": "submariner-addon",
        "image-tag": "2.9.5",
        "image-remote": "registry.redhat.io",
        "image-key": "submariner_addon"
      }
    ]
Replace the values of the image-tag and image-remote fields with the desired values.
B. Update the MultiClusterHub custom resource instance and add the following annotation:
mch-imageOverridesCM: <configmap-name>
C. Save and exit. All of the submariner-addon pods that are on the hub cluster and managed clusters are restarted after the change propagates to the managed clusters.
2. Complete the following steps on each cluster that has a VPC:
A. Install the Submariner add-on on the cluster.
B. A SubmarinerConfig resource is created in the managed cluster namespace on the hub cluster.
C. Open the SubmarinerConfig resource for editing by entering the following command:
oc edit submarinerconfig -n <managed-cluster-ns> submariner
D. Add the following annotations in the metadata field:
annotations:
  submariner.io/control-plane-sg-id: <control-plane-security-group-id>
  # Usually takes the name <infra-id>-master-sg
  submariner.io/subnet-id-list: <comma-separated list of public subnet IDs in the custom VPC>
  submariner.io/vpc-id: <custom VPC ID>
  submariner.io/worker-sg-id: <worker-security-group-id>
  # Usually takes the name <infra-id>-worker-sg
E. Save the changes.
After a few minutes, a new EC2 instance is created with the name <infra-id>-submariner-gw-<zone>-xxxxx in the AWS console.
F. In the AWS console, click on the VM to view the details page.
G. On the details page, go to Actions -> Security -> Change Security Groups.
H. Add the worker security group if it is not already added. The security group usually takes the name <infra-id>-worker-sg.
I. Save the changes.
J. Repeat the steps for all the other clusters.
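A pre-flight check for the two hand-edited inputs in this procedure (the overrides.json payload and the SubmarinerConfig annotations), as an added example that is not part of the advisory or of Red Hat tooling. The function names are hypothetical, and the check assumes that all four keys from the advisory's example are required, that AWS IDs are a prefix followed by 8 or 17 hex characters, and that whitespace around list items should be rejected.

```python
import json
import re

# Keys copied from the advisory's overrides.json example; assumed here to all be required.
OVERRIDE_KEYS = {"image-name", "image-tag", "image-remote", "image-key"}
# Annotation keys from step 2.D, mapped to the AWS ID prefix each value should carry.
ANNOTATION_PREFIX = {
    "submariner.io/control-plane-sg-id": "sg", "submariner.io/worker-sg-id": "sg",
    "submariner.io/vpc-id": "vpc", "submariner.io/subnet-id-list": "subnet",
}
# AWS resource IDs: prefix, hyphen, then 8 (older) or 17 lowercase hex characters.
AWS_ID = re.compile(r"(sg|vpc|subnet)-(?:[0-9a-f]{8}|[0-9a-f]{17})")

def check_overrides(text):
    """Return a list of problems in an overrides.json payload (empty list = OK)."""
    if "\u201c" in text or "\u201d" in text:
        return ["curly quotes found; JSON needs straight double quotes"]
    try:
        entries = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg}"]
    if not isinstance(entries, list):
        return ["top level must be a JSON array"]
    problems = []
    for i, entry in enumerate(entries):
        missing = OVERRIDE_KEYS - set(entry) if isinstance(entry, dict) else OVERRIDE_KEYS
        if missing:
            problems.append(f"entry {i}: missing {sorted(missing)}")
    return problems

def check_annotations(annotations):
    """Return problems in the annotations; only the subnet value is split on commas."""
    problems = []
    for key, prefix in ANNOTATION_PREFIX.items():
        value = annotations.get(key) or ""  # a missing key is reported as an empty ID
        items = value.split(",") if key.endswith("-list") else [value]
        for item in items:
            match = AWS_ID.fullmatch(item)
            if match is None or match.group(1) != prefix:
                problems.append(f"{key}: {item!r} is not a {prefix}-* ID")
    return problems

# Constructed sample values (not from the advisory); the worker SG is deliberately a VPC ID.
SAMPLE_ANNOTATIONS = {
    "submariner.io/control-plane-sg-id": "sg-0123456789abcdef0",
    "submariner.io/worker-sg-id": "vpc-0123456789abcdef0",
    "submariner.io/vpc-id": "vpc-0123456789abcdef0",
    "submariner.io/subnet-id-list": "subnet-0123456789abcdef0,subnet-0fedcba9876543210",
}
```

Run both checks before applying the ConfigMap and before saving the SubmarinerConfig; an empty list from each means the input has the expected shape, not that the IDs exist in the target AWS account.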
Important: This hotfix is a temporary fix that will be supported until 30 days after the date when the next z-stream version of the product is released. After the 30-day period ends, you must upgrade to the latest version of the product to request support.
Contact your CEE for assistance with installing this hotfix.
Affected Products
- Red Hat Advanced Cluster Management for Kubernetes 2 for RHEL 8 x86_64
Fixes
- ACM-14391 - submariner 0.16.0 - SubmarinerConfigController reconciliation failed
CVEs
(none)
References
(none)
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.