Merge pull request #2889 from mkowalski/OCPBUGS-74401

openshift-merge-bot[bot] · web-flow · commit 2b7b23c47f7d · 2026-02-03T09:00:53.000Z
OCPBUGS-74401: Remove duplicated openssl parameter
diff --git a/bindata/network/ovn-kubernetes/common/ipsec-containerized.yaml b/bindata/network/ovn-kubernetes/common/ipsec-containerized.yaml
@@ -126,12 +126,19 @@ spec:
 
             # Generate an SSL private key and use the key to create a certitificate signing request
             umask 077 && openssl genrsa -out /etc/openvswitch/keys/ipsec-privkey.pem 2048
-            openssl req -new -text \
+            if ! openssl req -new -text \
                         -extensions v3_req \
                         -addext "subjectAltName = DNS:${cn}" \
                         -subj "/C=US/O=ovnkubernetes/OU=kind/CN=${cn}" \
                         -key /etc/openvswitch/keys/ipsec-privkey.pem \
-                        -out /etc/openvswitch/keys/ipsec-req.pem
+                        -out /etc/openvswitch/keys/ipsec-req.pem; then
+              echo "openssl req failed with -extensions v3_req, retrying without it"
+              openssl req -new -text \
+                          -addext "subjectAltName = DNS:${cn}" \
+                          -subj "/C=US/O=ovnkubernetes/OU=kind/CN=${cn}" \
+                          -key /etc/openvswitch/keys/ipsec-privkey.pem \
+                          -out /etc/openvswitch/keys/ipsec-req.pem
+            fi
 
             csr_64=$(base64 -w0 /etc/openvswitch/keys/ipsec-req.pem) # -w0 to avoid line-wrap
 
diff --git a/bindata/network/ovn-kubernetes/common/ipsec-host.yaml b/bindata/network/ovn-kubernetes/common/ipsec-host.yaml
@@ -122,12 +122,19 @@ spec:
 
             # Generate an SSL private key and use the key to create a certitificate signing request
             umask 077 && openssl genrsa -out /etc/openvswitch/keys/ipsec-privkey.pem 2048
-            openssl req -new -text \
+            if ! openssl req -new -text \
                         -extensions v3_req \
                         -addext "subjectAltName = DNS:${cn}" \
                         -subj "/C=US/O=ovnkubernetes/OU=kind/CN=${cn}" \
                         -key /etc/openvswitch/keys/ipsec-privkey.pem \
-                        -out /etc/openvswitch/keys/ipsec-req.pem
+                        -out /etc/openvswitch/keys/ipsec-req.pem; then
+              echo "openssl req failed with -extensions v3_req, retrying without it"
+              openssl req -new -text \
+                          -addext "subjectAltName = DNS:${cn}" \
+                          -subj "/C=US/O=ovnkubernetes/OU=kind/CN=${cn}" \
+                          -key /etc/openvswitch/keys/ipsec-privkey.pem \
+                          -out /etc/openvswitch/keys/ipsec-req.pem
+            fi
 
             csr_64=$(base64 -w0 /etc/openvswitch/keys/ipsec-req.pem) # -w0 to avoid line-wrap
 
