Commit 1fa5eaa

Add crio dependency for ipsec.service

We noticed pluto is tearing down established IPsec connections in parallel with crio stopping all pod containers, which includes stopping the API server pod container. It happens when a node reboot is initiated for rendering new machine configs at the time of an OCP upgrade. This creates API connection disruptions in the cluster; these disruptions generate events that are caught by origin monitor tests and fail the IPsec upgrade CI lane, and they may also cause noticeable temporary pod traffic failure during upgrade for an IPsec-enabled cluster.

Hence this commit adds a Before=crio.service dependency on the ipsec.service so that the pluto daemon is stopped after the shutdown of the crio service, when all pod containers are stopped on the node. This gives enough room for clients to gracefully move to another control plane node for API connections.

Signed-off-by: Periyasamy Palanisamy <[email protected]>
1 parent 2417566 commit 1fa5eaa

File tree

1 file changed

+1
-0
lines changed

templates/common/_base/units/ipsec.service.yaml

Lines changed: 1 addition & 0 deletions
@@ -4,3 +4,4 @@ dropins:
44
contents: |
55
[Unit]
66
After=ovs-configuration.service
7+
Before=crio.service
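
Review bot: The added `Before=crio.service` line in the `[Unit]` drop-in carries no comment saying it is there for stop ordering, so someone reading the unit on its own will take it as a boot-time constraint and may drop it later. systemd reverses ordering at shutdown, which is what makes crio stop before ipsec.service here; a one-line `#` comment above the directive stating that intent would preserve it. The same line also makes crio.service wait for the ipsec.service start job at boot, on top of the existing `After=ovs-configuration.service`, so it is worth confirming that the extra start-up serialization is acceptable and that the two directives together introduce no ordering cycle with crio's own dependencies.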
