From b5ebec363b7ef61e2496a2500d347019cde55033 Mon Sep 17 00:00:00 2001 From: Periyasamy Palanisamy Date: Wed, 10 Dec 2025 09:37:10 +0100 Subject: [PATCH] Use custom layered image to test nm-libreswan fix test duplicate key 'phase2alg' fix for nncp deployment Signed-off-by: Periyasamy Palanisamy --- .../ovn-kubernetes/common/80-ipsec-master-extensions.yaml | 7 ++++--- .../ovn-kubernetes/common/80-ipsec-worker-extensions.yaml | 7 ++++--- pkg/network/ovn_kubernetes.go | 7 +++---- 3 files changed, 11 insertions(+), 10 deletions(-) diff --git a/bindata/network/ovn-kubernetes/common/80-ipsec-master-extensions.yaml b/bindata/network/ovn-kubernetes/common/80-ipsec-master-extensions.yaml index 830248503b..bff09188fb 100644 --- a/bindata/network/ovn-kubernetes/common/80-ipsec-master-extensions.yaml +++ b/bindata/network/ovn-kubernetes/common/80-ipsec-master-extensions.yaml @@ -4,8 +4,11 @@ kind: MachineConfig metadata: labels: machineconfiguration.openshift.io/role: master + annotations: + user-ipsec-machine-config: "true" name: 80-ipsec-master-extensions spec: + osImageURL: quay.io/pepalani/ipsec-rhcos-layered-image:nm-libreswan-fix config: ignition: version: 3.2.0 @@ -20,11 +23,9 @@ spec: [Service] Type=oneshot - ExecStartPre=rm -f /etc/ipsec.d/cno.conf + ExecStartPre=systemd-tmpfiles --create /usr/lib/rpm-ostree/tmpfiles.d/libreswan.conf ExecStart=systemctl enable --now ipsec.service [Install] WantedBy=multi-user.target - extensions: - - ipsec {{end}} diff --git a/bindata/network/ovn-kubernetes/common/80-ipsec-worker-extensions.yaml b/bindata/network/ovn-kubernetes/common/80-ipsec-worker-extensions.yaml index 5acb18ef72..a37e6f9e5d 100644 --- a/bindata/network/ovn-kubernetes/common/80-ipsec-worker-extensions.yaml +++ b/bindata/network/ovn-kubernetes/common/80-ipsec-worker-extensions.yaml 
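Review bot: The added `osImageURL: quay.io/pepalani/ipsec-rhcos-layered-image:nm-libreswan-fix` in the first hunk of 80-ipsec-master-extensions.yaml points the node OS for the master role at an image in a personal registry namespace, referenced by a mutable tag. Anyone who can push to that tag controls what those nodes boot, and nothing in the manifest ties the reference to a reviewed build. The subject line describes this as a test image, so it should not land in operator bindata; if a layered image is really needed, pin it by digest from a release-controlled repository, e.g. `osImageURL: <release-registry>/<repo>@sha256:<digest>` (placeholders). The same line is added for the worker role in the first hunk of 80-ipsec-worker-extensions.yaml. In both files the new `user-ipsec-machine-config: "true"` annotation marks an operator-rendered MachineConfig as user-provided and deserves a comment saying why.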
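Review bot: Removing `extensions: - ipsec` in the second hunk makes the libreswan package depend entirely on the layered image, while the unit still runs `ExecStart=systemctl enable --now ipsec.service` without checking that the service exists. If the image is missing or lacks the package, the oneshot presumably fails and the node comes up without host IPsec. Either keep the extension until the image is part of the release, or document the dependency in a comment next to `osImageURL`. The hunk also drops `ExecStartPre=rm -f /etc/ipsec.d/cno.conf`; if nodes upgraded from an earlier version can still carry that file, keep the cleanup as a second `ExecStartPre=` line so a stale connection definition is not loaded. Both points apply to the second hunk of 80-ipsec-worker-extensions.yaml as well.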
@@ -4,8 +4,11 @@ kind: MachineConfig metadata: labels: machineconfiguration.openshift.io/role: worker + annotations: + user-ipsec-machine-config: "true" name: 80-ipsec-worker-extensions spec: + osImageURL: quay.io/pepalani/ipsec-rhcos-layered-image:nm-libreswan-fix config: ignition: version: 3.2.0 @@ -20,11 +23,9 @@ spec: [Service] Type=oneshot - ExecStartPre=rm -f /etc/ipsec.d/cno.conf + ExecStartPre=systemd-tmpfiles --create /usr/lib/rpm-ostree/tmpfiles.d/libreswan.conf ExecStart=systemctl enable --now ipsec.service [Install] WantedBy=multi-user.target - extensions: - - ipsec {{end}} diff --git a/pkg/network/ovn_kubernetes.go b/pkg/network/ovn_kubernetes.go index f5d51de5cd..de0cb7a4ef 100644 --- a/pkg/network/ovn_kubernetes.go +++ b/pkg/network/ovn_kubernetes.go @@ -648,7 +648,7 @@ func shouldRenderIPsec(conf *operv1.OVNKubernetesConfig, bootstrapResult *bootst isHypershiftHostedCluster := bootstrapResult.Infra.HostedControlPlane != nil isOVNIPsecActiveOrRollingOut := bootstrapResult.OVN.IPsecUpdateStatus != nil && bootstrapResult.OVN.IPsecUpdateStatus.IsOVNIPsecActiveOrRollingOut isCNOIPsecMachineConfigPresent := isCNOIPsecMachineConfigPresent(bootstrapResult.Infra) - isUserDefinedIPsecMachineConfigPresent := isUserDefinedIPsecMachineConfigPresent(bootstrapResult.Infra) + //isUserDefinedIPsecMachineConfigPresent := isUserDefinedIPsecMachineConfigPresent(bootstrapResult.Infra) isIPsecMachineConfigActive := isIPsecMachineConfigActive(bootstrapResult.Infra) isMachineConfigClusterOperatorReady := bootstrapResult.Infra.MachineConfigClusterOperatorReady 
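Review bot: In the `@@ -648` hunk of pkg/network/ovn_kubernetes.go the assignment is commented out (`//isUserDefinedIPsecMachineConfigPresent := ...`) rather than deleted. That leaves dead code in a function that decides whether IPsec is rendered, and it hides whether dropping the user-defined MachineConfig check is permanent or a test shortcut. Delete the line and state the reason in the commit message, or keep the variable and its uses if the check is meant to stay. shouldRenderIPsec starts and ends outside this hunk.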
@@ -656,7 +656,7 @@ func shouldRenderIPsec(conf *operv1.OVNKubernetesConfig, bootstrapResult *bootst // When OVN is rolling out, OVN IPsec might be fully or partially active or inactive. // If MachineConfigs are not present, we know its inactive since we only stop rendering them once inactive. - isOVNIPsecActive := isOVNIPsecActiveOrRollingOut && (isCNOIPsecMachineConfigPresent || isUserDefinedIPsecMachineConfigPresent || isHypershiftHostedCluster) + isOVNIPsecActive := isOVNIPsecActiveOrRollingOut && (isCNOIPsecMachineConfigPresent || isHypershiftHostedCluster) // We render the ipsec deployment if IPsec is already active in OVN // or if EW IPsec config is enabled. @@ -667,8 +667,7 @@ func shouldRenderIPsec(conf *operv1.OVNKubernetesConfig, bootstrapResult *bootst // - not needed for the containerized deployment is used in hypershift // hosted clusters // - not needed if the user already created their own - renderCNOIPsecMachineConfig = (mode != operv1.IPsecModeDisabled || renderIPsecDaemonSet) && !isHypershiftHostedCluster && - !isUserDefinedIPsecMachineConfigPresent + renderCNOIPsecMachineConfig = (mode != operv1.IPsecModeDisabled || renderIPsecDaemonSet) && !isHypershiftHostedCluster // Wait for MCO to be ready unless we had already rendered the IPsec MachineConfig. renderCNOIPsecMachineConfig = renderCNOIPsecMachineConfig && (isCNOIPsecMachineConfigPresent || isMachineConfigClusterOperatorReady)
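Review bot: In the `@@ -656` hunk, `isOVNIPsecActive` no longer includes `isUserDefinedIPsecMachineConfigPresent`. On a non-Hypershift cluster whose IPsec MachineConfigs were created by the user, it is now false even while OVN IPsec is active or rolling out. The comment directly above justifies treating "MachineConfigs are not present" as inactive, which no longer holds when only user-defined ones exist. The consumers of this value are outside the hunk, but if it gates the IPsec deployment, such clusters could lose it while traffic is still expected to be encrypted. Either restore the term, `(isCNOIPsecMachineConfigPresent || isUserDefinedIPsecMachineConfigPresent || isHypershiftHostedCluster)`, or update the comment to say user-defined MachineConfigs are deliberately ignored and why.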
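Review bot: In the `@@ -667` hunk the comment list still ends with `- not needed if the user already created their own`, but the new expression drops `!isUserDefinedIPsecMachineConfigPresent`, so the CNO MachineConfig is now rendered even when the user supplied one. Since the templates in this commit also set `osImageURL`, that would apply the operator's OS image and IPsec unit on top of the user's own configuration for the same role. Restore the guard, `... && !isHypershiftHostedCluster && !isUserDefinedIPsecMachineConfigPresent`, or remove the stale bullet and document the new precedence between the two MachineConfigs.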