Merge pull request #2201 from pperiyasamy/render-cno-ipsec-mc

openshift-merge-bot[bot] · web-flow · commit 2e23c8224812 · 2024-01-22T10:55:20.000Z
OCPBUGS-26952: Deploy CNO IPsec MC even if user already have one
diff --git a/pkg/bootstrap/types.go b/pkg/bootstrap/types.go
@@ -91,11 +91,11 @@ type InfraStatus struct {
 	// NetworkNodeIdentityEnabled define if the network node identity feature should be enabled
 	NetworkNodeIdentityEnabled bool
 
-	// MasterIPsecMachineConfig contains ipsec machine config object of master nodes.
-	MasterIPsecMachineConfig *mcfgv1.MachineConfig
+	// MasterIPsecMachineConfigs contains ipsec machine config objects of master nodes.
+	MasterIPsecMachineConfigs []*mcfgv1.MachineConfig
 
-	// WorkerIPsecMachineConfig contains ipsec machine config object of worker nodes.
-	WorkerIPsecMachineConfig *mcfgv1.MachineConfig
+	// WorkerIPsecMachineConfigs contains ipsec machine config objects of worker nodes.
+	WorkerIPsecMachineConfigs []*mcfgv1.MachineConfig
 
 	// MasterMCPStatus contains machine config pool status of master nodes.
 	MasterMCPStatus mcfgv1.MachineConfigPoolStatus
diff --git a/pkg/network/ovn_kubernetes.go b/pkg/network/ovn_kubernetes.go
@@ -39,6 +39,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	uns "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/klog/v2"
 	utilnet "k8s.io/utils/net"
 	crclient "sigs.k8s.io/controller-runtime/pkg/client"
@@ -537,7 +538,7 @@ func getIPsecMode(conf *operv1.OVNKubernetesConfig) operv1.IPsecMode {
 
 // shouldRenderIPsec method ensures the have following IPsec states for upgrade path from 4.14 to 4.15 or later versions:
 // When 4.14 cluster is already installed with MachineConfig for IPsec extension and ipsecConfig is set in network operator
-// config (i.e. IPsec for NS+EW), then reuse the installed MC extension and render ipsec-host daemonset.
+// config (i.e. IPsec for NS+EW), then render CNO's IPsec MC extension and ipsec-host daemonset.
 // When 4.14 cluster is just running with ipsecConfig set in network operator config (i.e. IPsec for EW only), then activate
 // IPsec MachineConfig and render ipsec-host daemonset.
 // When 4.14 cluster is just installed with MachineConfig for IPsec extension (i.e. IPsec for NS only), then just keep MachineConfig
@@ -561,11 +562,10 @@ func shouldRenderIPsec(conf *operv1.OVNKubernetesConfig, bootstrapResult *bootst
 	// On upgrade, we will just remove any existing ipsec deployment without making any
 	// change to them. So during upgrade, we must keep track if IPsec MachineConfigs are
 	// active or not for non Hybrid hosted cluster.
-	isUserIPsecMachineConfigPresent := isUserIPsecMachineConfigPresent(bootstrapResult.Infra)
-	isIpsecMachineConfigActive := isIPsecMachineConfigActive(bootstrapResult.Infra)
-	isIPsecMachineConfigNotActiveOnUpgrade := isIpsecUpgrade && !isIpsecMachineConfigActive && !isHypershiftHostedCluster
+	isIPsecMachineConfigActive := isIPsecMachineConfigActive(bootstrapResult.Infra)
+	isIPsecMachineConfigNotActiveOnUpgrade := isIpsecUpgrade && !isIPsecMachineConfigActive && !isHypershiftHostedCluster
 	isMachineConfigClusterOperatorReady := bootstrapResult.Infra.MachineConfigClusterOperatorReady
-	isCNOIPsecMachineConfigPresent := isIPsecMachineConfigPresent(bootstrapResult.Infra) && !isUserIPsecMachineConfigPresent
+	isCNOIPsecMachineConfigPresent := isCNOIPsecMachineConfigPresent(bootstrapResult.Infra)
 
 	// We render the ipsec deployment if IPsec is already active in OVN
 	// or if EW IPsec config is enabled.
@@ -576,19 +576,15 @@ func shouldRenderIPsec(conf *operv1.OVNKubernetesConfig, bootstrapResult *bootst
 	// extensions to be active first. We must also render host ipsec deployment
 	// at the time of upgrade though user created IPsec Machine Config is not
 	// present/active.
-	renderIPsecHostDaemonSet = (renderIPsecDaemonSet && isIpsecMachineConfigActive && !isHypershiftHostedCluster) || isIPsecMachineConfigNotActiveOnUpgrade
+	renderIPsecHostDaemonSet = (renderIPsecDaemonSet && isIPsecMachineConfigActive && !isHypershiftHostedCluster) || isIPsecMachineConfigNotActiveOnUpgrade
 
 	// The containerized ipsec deployment is only rendered during upgrades or
 	// for hypershift hosted clusters.
 	renderIPsecContainerizedDaemonSet = (renderIPsecDaemonSet && isHypershiftHostedCluster) || isIPsecMachineConfigNotActiveOnUpgrade
 
 	// MachineConfig IPsec extensions rollout is needed for the ipsec enablement and are used in both External and Full modes.
 	// except  when the containerized deployment is used in hypershift hosted clusters.
-	// We will rollout unless the user has rolled out its own.
-	renderCNOIPsecMachineConfig = (mode != operv1.IPsecModeDisabled ||
-		renderIPsecDaemonSet) &&
-		!isUserIPsecMachineConfigPresent &&
-		!isHypershiftHostedCluster
+	renderCNOIPsecMachineConfig = (mode != operv1.IPsecModeDisabled || renderIPsecDaemonSet) && !isHypershiftHostedCluster
 	// Wait for MCO to be ready unless we had already rendered the IPsec MachineConfig
 	renderCNOIPsecMachineConfig = renderCNOIPsecMachineConfig && (isCNOIPsecMachineConfigPresent || isMachineConfigClusterOperatorReady)
 
@@ -1455,11 +1451,19 @@ func shouldUpdateOVNKonPrepull(ovn bootstrap.OVNBootstrapResult, releaseVersion
 	return true, false
 }
 
-// isUserIPsecMachineConfigPresent returns true if user owned MachineConfigs for IPsec plugin
-// are already present either in master or worker nodes, otherwise returns false.
-func isUserIPsecMachineConfigPresent(infra bootstrap.InfraStatus) bool {
-	return (infra.MasterIPsecMachineConfig != nil && !containsNetworkOwnerRef(infra.MasterIPsecMachineConfig.OwnerReferences)) ||
-		(infra.WorkerIPsecMachineConfig != nil && !containsNetworkOwnerRef(infra.WorkerIPsecMachineConfig.OwnerReferences))
+// isCNOIPsecMachineConfigPresent returns true if CNO owned MachineConfigs for IPsec plugin
+// are already present in both master and worker nodes, otherwise returns false.
+func isCNOIPsecMachineConfigPresent(infra bootstrap.InfraStatus) bool {
+	isCNOIPsecMachineConfigPresentIn := func(mcs []*mcfgv1.MachineConfig) bool {
+		for _, mc := range mcs {
+			if containsNetworkOwnerRef(mc.OwnerReferences) {
+				return true
+			}
+		}
+		return false
+	}
+	return isCNOIPsecMachineConfigPresentIn(infra.MasterIPsecMachineConfigs) &&
+		isCNOIPsecMachineConfigPresentIn(infra.WorkerIPsecMachineConfigs)
 }
 
 func containsNetworkOwnerRef(ownerRefs []metav1.OwnerReference) bool {
@@ -1475,28 +1479,28 @@ func containsNetworkOwnerRef(ownerRefs []metav1.OwnerReference) bool {
 // isIPsecMachineConfigActive returns true if both master and worker's machine config pool are ready with
 // ipsec machine config extension rolled out, otherwise returns false.
 func isIPsecMachineConfigActive(infra bootstrap.InfraStatus) bool {
-	if infra.MasterIPsecMachineConfig == nil || infra.WorkerIPsecMachineConfig == nil {
+	if infra.MasterIPsecMachineConfigs == nil || infra.WorkerIPsecMachineConfigs == nil {
 		// One of the IPsec MachineConfig is not created yet, so return false.
 		return false
 	}
-	ipSecPluginOnMasterNodes := hasSourceInMachineConfigStatus(infra.MasterMCPStatus, infra.MasterIPsecMachineConfig.Name)
-	ipSecPluginOnWorkerNodes := hasSourceInMachineConfigStatus(infra.WorkerMCPStatus, infra.WorkerIPsecMachineConfig.Name)
+	ipSecPluginOnMasterNodes := hasSourceInMachineConfigStatus(infra.MasterMCPStatus, infra.MasterIPsecMachineConfigs)
+	ipSecPluginOnWorkerNodes := hasSourceInMachineConfigStatus(infra.WorkerMCPStatus, infra.WorkerIPsecMachineConfigs)
 	return ipSecPluginOnMasterNodes && ipSecPluginOnWorkerNodes
 }
 
-func hasSourceInMachineConfigStatus(machineConfigStatus mcfgv1.MachineConfigPoolStatus, sourceName string) bool {
+func hasSourceInMachineConfigStatus(machineConfigStatus mcfgv1.MachineConfigPoolStatus, machineConfigs []*mcfgv1.MachineConfig) bool {
+	sourceNames := sets.New[string]()
+	for _, machineConfig := range machineConfigs {
+		sourceNames.Insert(machineConfig.Name)
+	}
 	for _, source := range machineConfigStatus.Configuration.Source {
-		if source.Name == sourceName {
+		if sourceNames.Has(source.Name) {
 			return true
 		}
 	}
 	return false
 }
 
-func isIPsecMachineConfigPresent(infra bootstrap.InfraStatus) bool {
-	return infra.MasterIPsecMachineConfig != nil && infra.WorkerIPsecMachineConfig != nil
-}
-
 // shouldUpdateOVNKonUpgrade determines if we should roll out changes to
 // the node daemonset and the control plane deployment upon upgrades.
 // We roll out node first, then control plane. In downgrades, we do the opposite.
diff --git a/pkg/network/ovn_kubernetes_test.go b/pkg/network/ovn_kubernetes_test.go
@@ -2200,12 +2200,12 @@ func TestRenderOVNKubernetesEnableIPsec(t *testing.T) {
 		t.Errorf("The MachineConfig %s must exist, but it's not available", workerMachineConfigIPsecExtName)
 	}
 
-	bootstrapResult.Infra.MasterIPsecMachineConfig = &mcfgv1.MachineConfig{}
-	bootstrapResult.Infra.MasterIPsecMachineConfig.Name = masterMachineConfigIPsecExtName
-	bootstrapResult.Infra.MasterIPsecMachineConfig.OwnerReferences = networkOwnerRef()
-	bootstrapResult.Infra.WorkerIPsecMachineConfig = &mcfgv1.MachineConfig{}
-	bootstrapResult.Infra.WorkerIPsecMachineConfig.Name = workerMachineConfigIPsecExtName
-	bootstrapResult.Infra.WorkerIPsecMachineConfig.OwnerReferences = networkOwnerRef()
+	bootstrapResult.Infra.MasterIPsecMachineConfigs = []*mcfgv1.MachineConfig{{}}
+	bootstrapResult.Infra.MasterIPsecMachineConfigs[0].Name = masterMachineConfigIPsecExtName
+	bootstrapResult.Infra.MasterIPsecMachineConfigs[0].OwnerReferences = networkOwnerRef()
+	bootstrapResult.Infra.WorkerIPsecMachineConfigs = []*mcfgv1.MachineConfig{{}}
+	bootstrapResult.Infra.WorkerIPsecMachineConfigs[0].Name = workerMachineConfigIPsecExtName
+	bootstrapResult.Infra.WorkerIPsecMachineConfigs[0].OwnerReferences = networkOwnerRef()
 	objs, _, err = renderOVNKubernetes(config, bootstrapResult, manifestDirOvn, fakeClient, featureGatesCNO)
 	if err != nil {
 		t.Errorf("Unexpected error: %v", err)
@@ -2470,14 +2470,13 @@ func TestRenderOVNKubernetesIPsecUpgradeWithMachineConfig(t *testing.T) {
 		},
 	}
 
-	// Start the upgrade and it's going rollout only ovn-ipsec-host DS without any changes into
-	// installed IPsec MachineConfigs.
+	// Start the upgrade and it's going rollout ovn-ipsec-host DS with CNO IPsec MachineConfigs.
 	bootstrapResult.Infra = bootstrap.InfraStatus{}
 	bootstrapResult.Infra.MachineConfigClusterOperatorReady = true
-	bootstrapResult.Infra.MasterIPsecMachineConfig = &mcfgv1.MachineConfig{}
-	bootstrapResult.Infra.MasterIPsecMachineConfig.Name = masterMachineConfigIPsecExtName
-	bootstrapResult.Infra.WorkerIPsecMachineConfig = &mcfgv1.MachineConfig{}
-	bootstrapResult.Infra.WorkerIPsecMachineConfig.Name = workerMachineConfigIPsecExtName
+	bootstrapResult.Infra.MasterIPsecMachineConfigs = []*mcfgv1.MachineConfig{{}}
+	bootstrapResult.Infra.MasterIPsecMachineConfigs[0].Name = masterMachineConfigIPsecExtName
+	bootstrapResult.Infra.WorkerIPsecMachineConfigs = []*mcfgv1.MachineConfig{{}}
+	bootstrapResult.Infra.WorkerIPsecMachineConfigs[0].Name = workerMachineConfigIPsecExtName
 	bootstrapResult.Infra.MasterMCPStatus = mcfgv1.MachineConfigPoolStatus{MachineCount: 1, ReadyMachineCount: 1,
 		Configuration: mcfgv1.MachineConfigPoolStatusConfiguration{Source: []v1.ObjectReference{{Name: masterMachineConfigIPsecExtName}}}}
 	bootstrapResult.Infra.WorkerMCPStatus = mcfgv1.MachineConfigPoolStatus{MachineCount: 1, ReadyMachineCount: 1,
@@ -2491,12 +2490,12 @@ func TestRenderOVNKubernetesIPsecUpgradeWithMachineConfig(t *testing.T) {
 	}
 	// Ensure renderOVNKubernetes doesn't roll out its own MachineConfigs
 	renderedMasterIPsecExtension := findInObjs("machineconfiguration.openshift.io", "MachineConfig", masterMachineConfigIPsecExtName, "", objs)
-	if renderedMasterIPsecExtension != nil {
-		t.Errorf("The MachineConfig %s must not exist, but it's available", masterMachineConfigIPsecExtName)
+	if renderedMasterIPsecExtension == nil {
+		t.Errorf("The MachineConfig %s must exist, but it's not available", masterMachineConfigIPsecExtName)
 	}
 	renderedWorkerIPsecExtension := findInObjs("machineconfiguration.openshift.io", "MachineConfig", workerMachineConfigIPsecExtName, "", objs)
-	if renderedWorkerIPsecExtension != nil {
-		t.Errorf("The MachineConfig %s must not exist, but it's available", workerMachineConfigIPsecExtName)
+	if renderedWorkerIPsecExtension == nil {
+		t.Errorf("The MachineConfig %s must exist, but it's  not available", workerMachineConfigIPsecExtName)
 	}
 	// Ensure only ipsec host daemonset exists now.
 	renderedIPsec := findInObjs("apps", "DaemonSet", "ovn-ipsec-host", "openshift-ovn-kubernetes", objs)
@@ -2636,12 +2635,12 @@ func TestRenderOVNKubernetesIPsecUpgradeWithNoMachineConfig(t *testing.T) {
 	}
 
 	// After IPsec Machine Configs rollout is complete, it must have only ovn-ipsec-host DS.
-	bootstrapResult.Infra.MasterIPsecMachineConfig = &mcfgv1.MachineConfig{}
-	bootstrapResult.Infra.MasterIPsecMachineConfig.Name = masterMachineConfigIPsecExtName
-	bootstrapResult.Infra.MasterIPsecMachineConfig.OwnerReferences = networkOwnerRef()
-	bootstrapResult.Infra.WorkerIPsecMachineConfig = &mcfgv1.MachineConfig{}
-	bootstrapResult.Infra.WorkerIPsecMachineConfig.OwnerReferences = networkOwnerRef()
-	bootstrapResult.Infra.WorkerIPsecMachineConfig.Name = workerMachineConfigIPsecExtName
+	bootstrapResult.Infra.MasterIPsecMachineConfigs = []*mcfgv1.MachineConfig{{}}
+	bootstrapResult.Infra.MasterIPsecMachineConfigs[0].Name = masterMachineConfigIPsecExtName
+	bootstrapResult.Infra.MasterIPsecMachineConfigs[0].OwnerReferences = networkOwnerRef()
+	bootstrapResult.Infra.WorkerIPsecMachineConfigs = []*mcfgv1.MachineConfig{{}}
+	bootstrapResult.Infra.WorkerIPsecMachineConfigs[0].OwnerReferences = networkOwnerRef()
+	bootstrapResult.Infra.WorkerIPsecMachineConfigs[0].Name = workerMachineConfigIPsecExtName
 	bootstrapResult.Infra.MasterMCPStatus = mcfgv1.MachineConfigPoolStatus{MachineCount: 1, ReadyMachineCount: 1,
 		Configuration: mcfgv1.MachineConfigPoolStatusConfiguration{Source: []v1.ObjectReference{{Name: masterMachineConfigIPsecExtName}}}}
 	bootstrapResult.Infra.WorkerMCPStatus = mcfgv1.MachineConfigPoolStatus{MachineCount: 1, ReadyMachineCount: 1,
@@ -2858,12 +2857,12 @@ func TestRenderOVNKubernetesDisableIPsec(t *testing.T) {
 	fakeClient := cnofake.NewFakeClient()
 	bootstrapResult.Infra = bootstrap.InfraStatus{}
 	bootstrapResult.Infra.MachineConfigClusterOperatorReady = true
-	bootstrapResult.Infra.MasterIPsecMachineConfig = &mcfgv1.MachineConfig{}
-	bootstrapResult.Infra.MasterIPsecMachineConfig.Name = masterMachineConfigIPsecExtName
-	bootstrapResult.Infra.MasterIPsecMachineConfig.OwnerReferences = networkOwnerRef()
-	bootstrapResult.Infra.WorkerIPsecMachineConfig = &mcfgv1.MachineConfig{}
-	bootstrapResult.Infra.WorkerIPsecMachineConfig.Name = workerMachineConfigIPsecExtName
-	bootstrapResult.Infra.WorkerIPsecMachineConfig.OwnerReferences = networkOwnerRef()
+	bootstrapResult.Infra.MasterIPsecMachineConfigs = []*mcfgv1.MachineConfig{{}}
+	bootstrapResult.Infra.MasterIPsecMachineConfigs[0].Name = masterMachineConfigIPsecExtName
+	bootstrapResult.Infra.MasterIPsecMachineConfigs[0].OwnerReferences = networkOwnerRef()
+	bootstrapResult.Infra.WorkerIPsecMachineConfigs = []*mcfgv1.MachineConfig{{}}
+	bootstrapResult.Infra.WorkerIPsecMachineConfigs[0].Name = workerMachineConfigIPsecExtName
+	bootstrapResult.Infra.WorkerIPsecMachineConfigs[0].OwnerReferences = networkOwnerRef()
 	bootstrapResult.Infra.MasterMCPStatus = mcfgv1.MachineConfigPoolStatus{MachineCount: 1, ReadyMachineCount: 1,
 		Configuration: mcfgv1.MachineConfigPoolStatusConfiguration{Source: []v1.ObjectReference{{Name: masterMachineConfigIPsecExtName}}}}
 	bootstrapResult.Infra.WorkerMCPStatus = mcfgv1.MachineConfigPoolStatus{MachineCount: 1, ReadyMachineCount: 1,
@@ -2991,10 +2990,10 @@ func TestRenderOVNKubernetesDisableIPsecWithUserInstalledIPsecMachineConfigs(t *
 
 	fakeClient := cnofake.NewFakeClient()
 	bootstrapResult.Infra = bootstrap.InfraStatus{}
-	bootstrapResult.Infra.MasterIPsecMachineConfig = &mcfgv1.MachineConfig{}
-	bootstrapResult.Infra.MasterIPsecMachineConfig.Name = masterMachineConfigIPsecExtName
-	bootstrapResult.Infra.WorkerIPsecMachineConfig = &mcfgv1.MachineConfig{}
-	bootstrapResult.Infra.WorkerIPsecMachineConfig.Name = workerMachineConfigIPsecExtName
+	bootstrapResult.Infra.MasterIPsecMachineConfigs = []*mcfgv1.MachineConfig{{}}
+	bootstrapResult.Infra.MasterIPsecMachineConfigs[0].Name = masterMachineConfigIPsecExtName
+	bootstrapResult.Infra.WorkerIPsecMachineConfigs = []*mcfgv1.MachineConfig{{}}
+	bootstrapResult.Infra.WorkerIPsecMachineConfigs[0].Name = workerMachineConfigIPsecExtName
 	bootstrapResult.Infra.MasterMCPStatus = mcfgv1.MachineConfigPoolStatus{MachineCount: 1, ReadyMachineCount: 1,
 		Configuration: mcfgv1.MachineConfigPoolStatusConfiguration{Source: []v1.ObjectReference{{Name: masterMachineConfigIPsecExtName}}}}
 	bootstrapResult.Infra.WorkerMCPStatus = mcfgv1.MachineConfigPoolStatus{MachineCount: 1, ReadyMachineCount: 1,
diff --git a/pkg/platform/platform.go b/pkg/platform/platform.go
@@ -144,19 +144,19 @@ func InfraStatus(client cnoclient.Client) (*bootstrap.InfraStatus, error) {
 	// The IPsecMachineConfig in 4.14 is created by user and can be created with any name and also is not managed by network operator, so find it by using the label
 	// and looking for the extension.
 
-	masterIPsecMachineConfig, err := findIPsecMachineConfigWithLabel(client, "machineconfiguration.openshift.io/role=master")
+	masterIPsecMachineConfigs, err := findIPsecMachineConfigsWithLabel(client, "machineconfiguration.openshift.io/role=master")
 	if err != nil {
-		return nil, fmt.Errorf("failed to get ipsec machine config for master: %v", err)
+		return nil, fmt.Errorf("failed to get ipsec machine configs for master: %v", err)
 	}
-	res.MasterIPsecMachineConfig = masterIPsecMachineConfig
+	res.MasterIPsecMachineConfigs = masterIPsecMachineConfigs
 
-	workerIPsecMachineConfig, err := findIPsecMachineConfigWithLabel(client, "machineconfiguration.openshift.io/role=worker")
+	workerIPsecMachineConfigs, err := findIPsecMachineConfigsWithLabel(client, "machineconfiguration.openshift.io/role=worker")
 	if err != nil {
-		return nil, fmt.Errorf("failed to get ipsec machine config for worker: %v", err)
+		return nil, fmt.Errorf("failed to get ipsec machine configs for worker: %v", err)
 	}
-	res.WorkerIPsecMachineConfig = workerIPsecMachineConfig
+	res.WorkerIPsecMachineConfigs = workerIPsecMachineConfigs
 
-	if res.MasterIPsecMachineConfig != nil {
+	if res.MasterIPsecMachineConfigs != nil {
 		mcpMaster := &mcfgv1.MachineConfigPool{}
 		if err := client.Default().CRClient().Get(context.TODO(), types.NamespacedName{Name: "master"}, mcpMaster); err != nil {
 			if !apierrors.IsNotFound(err) {
@@ -166,7 +166,7 @@ func InfraStatus(client cnoclient.Client) (*bootstrap.InfraStatus, error) {
 		res.MasterMCPStatus = mcpMaster.Status
 	}
 
-	if res.WorkerIPsecMachineConfig != nil {
+	if res.WorkerIPsecMachineConfigs != nil {
 		mcpWorker := &mcfgv1.MachineConfigPool{}
 		if err := client.Default().CRClient().Get(context.TODO(), types.NamespacedName{Name: "worker"}, mcpWorker); err != nil {
 			if !apierrors.IsNotFound(err) {
@@ -185,7 +185,7 @@ func InfraStatus(client cnoclient.Client) (*bootstrap.InfraStatus, error) {
 	return res, nil
 }
 
-func findIPsecMachineConfigWithLabel(client cnoclient.Client, selector string) (*mcfgv1.MachineConfig, error) {
+func findIPsecMachineConfigsWithLabel(client cnoclient.Client, selector string) ([]*mcfgv1.MachineConfig, error) {
 	lSelector, err := labels.Parse(selector)
 	if err != nil {
 		return nil, err
@@ -195,13 +195,13 @@ func findIPsecMachineConfigWithLabel(client cnoclient.Client, selector string) (
 	if err != nil {
 		return nil, err
 	}
-	var ipsecMachineConfig *mcfgv1.MachineConfig
+	var ipsecMachineConfigs []*mcfgv1.MachineConfig
 	for i, machineConfig := range machineConfigs.Items {
 		if sets.New(machineConfig.Spec.Extensions...).Has("ipsec") {
-			ipsecMachineConfig = &machineConfigs.Items[i]
+			ipsecMachineConfigs = append(ipsecMachineConfigs, &machineConfigs.Items[i])
 		}
 	}
-	return ipsecMachineConfig, nil
+	return ipsecMachineConfigs, nil
 }
 
 func isMachineConfigClusterOperatorReady(client cnoclient.Client) (bool, error) {
