From e25809c4ed0aa8e4ce4e71fcf394fa260450b38d Mon Sep 17 00:00:00 2001 From: Michael Cambria Date: Wed, 17 May 2023 10:44:40 -0400 Subject: [PATCH] Add encapsulation flag to IPsecConfig struct Signed-off-by: Michael Cambria Signed-off-by: Periyasamy Palanisamy --- .../generated_openapi/zz_generated.openapi.go | 41 +++++++++++++++++++ openapi/openapi.json | 22 ++++++++++ operator/v1/types_network.go | 38 +++++++++++++++++ ...twork_01_networks-CustomNoUpgrade.crd.yaml | 27 ++++++++++++ ...00_70_network_01_networks-Default.crd.yaml | 27 ++++++++++++ ...k_01_networks-DevPreviewNoUpgrade.crd.yaml | 27 ++++++++++++ ..._01_networks-TechPreviewNoUpgrade.crd.yaml | 27 ++++++++++++ operator/v1/zz_generated.deepcopy.go | 23 ++++++++++- .../AAA_ungated.yaml | 27 ++++++++++++ .../AdditionalRoutingCapabilities.yaml | 27 ++++++++++++ .../NetworkLiveMigration.yaml | 27 ++++++++++++ .../RouteAdvertisements.yaml | 27 ++++++++++++ .../v1/zz_generated.swagger_doc_generated.go | 10 +++++ 13 files changed, 349 insertions(+), 1 deletion(-) diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go index 7df0a7b456b..999c75a4c6b 100644 --- a/openapi/generated_openapi/zz_generated.openapi.go +++ b/openapi/generated_openapi/zz_generated.openapi.go 
@@ -942,6 +942,7 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/operator/v1.IPAMConfig": schema_openshift_api_operator_v1_IPAMConfig(ref), "github.com/openshift/api/operator/v1.IPFIXConfig": schema_openshift_api_operator_v1_IPFIXConfig(ref), "github.com/openshift/api/operator/v1.IPsecConfig": schema_openshift_api_operator_v1_IPsecConfig(ref), + "github.com/openshift/api/operator/v1.IPsecFullModeConfig": schema_openshift_api_operator_v1_IPsecFullModeConfig(ref), "github.com/openshift/api/operator/v1.IPv4GatewayConfig": schema_openshift_api_operator_v1_IPv4GatewayConfig(ref), "github.com/openshift/api/operator/v1.IPv4OVNKubernetesConfig": schema_openshift_api_operator_v1_IPv4OVNKubernetesConfig(ref), "github.com/openshift/api/operator/v1.IPv6GatewayConfig": schema_openshift_api_operator_v1_IPv6GatewayConfig(ref), 
@@ -48267,6 +48268,46 @@ func schema_openshift_api_operator_v1_IPsecConfig(ref common.ReferenceCallback) Format: "", }, }, + "full": { + SchemaProps: spec.SchemaProps{ + Description: "full defines configuration parameters for the IPsec `Full` mode. This is permitted only when mode is configured with `Full`, and forbidden otherwise.", + Ref: ref("github.com/openshift/api/operator/v1.IPsecFullModeConfig"), + }, + }, + }, + }, + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-unions": []interface{}{ + map[string]interface{}{ + "discriminator": "mode", + "fields-to-discriminateBy": map[string]interface{}{ + "full": "Full", + }, + }, + }, + }, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/operator/v1.IPsecFullModeConfig"}, + } +} + +func schema_openshift_api_operator_v1_IPsecFullModeConfig(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "IPsecFullModeConfig defines configuration parameters for the IPsec `Full` mode.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "encapsulation": { + SchemaProps: spec.SchemaProps{ + Description: "encapsulation option to configure libreswan on how inter-pod traffic across nodes are encapsulated to handle NAT traversal. When configured it uses UDP port 4500 for the encapsulation. Valid values are Always, Never, Auto and omitted. Always means enable UDP encapsulation regardless of whether NAT is detected. Disable means never enable UDP encapsulation even if NAT is present. Auto means enable UDP encapsulation based on the detection of NAT. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default is Auto.", + Type: []string{"string"}, + Format: "", + }, + }, }, }, }, 
diff --git a/openapi/openapi.json b/openapi/openapi.json index cf2679e0d6b..1b5dbae181d 100644 --- a/openapi/openapi.json +++ b/openapi/openapi.json 
@@ -28122,10 +28122,32 @@ "com.github.openshift.api.operator.v1.IPsecConfig": { "type": "object", "properties": { + "full": { + "description": "full defines configuration parameters for the IPsec `Full` mode. This is permitted only when mode is configured with `Full`, and forbidden otherwise.", + "$ref": "#/definitions/com.github.openshift.api.operator.v1.IPsecFullModeConfig" + }, "mode": { "description": "mode defines the behaviour of the ipsec configuration within the platform. Valid values are `Disabled`, `External` and `Full`. When 'Disabled', ipsec will not be enabled at the node level. When 'External', ipsec is enabled on the node level but requires the user to configure the secure communication parameters. This mode is for external secure communications and the configuration can be done using the k8s-nmstate operator. When 'Full', ipsec is configured on the node level and inter-pod secure communication within the cluster is configured. Note with `Full`, if ipsec is desired for communication with external (to the cluster) entities (such as storage arrays), this is left to the user to configure.", "type": "string" } + }, + "x-kubernetes-unions": [ + { + "discriminator": "mode", + "fields-to-discriminateBy": { + "full": "Full" + } + } + ] + }, + "com.github.openshift.api.operator.v1.IPsecFullModeConfig": { + "description": "IPsecFullModeConfig defines configuration parameters for the IPsec `Full` mode.", + "type": "object", + "properties": { + "encapsulation": { + "description": "encapsulation option to configure libreswan on how inter-pod traffic across nodes are encapsulated to handle NAT traversal. When configured it uses UDP port 4500 for the encapsulation. Valid values are Always, Never, Auto and omitted. Always means enable UDP encapsulation regardless of whether NAT is detected. Disable means never enable UDP encapsulation even if NAT is present. Auto means enable UDP encapsulation based on the detection of NAT. 
When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default is Auto.", + "type": "string" + } } }, "com.github.openshift.api.operator.v1.IPv4GatewayConfig": { diff --git a/operator/v1/types_network.go b/operator/v1/types_network.go index ba2f3b4712f..b4b0a6d6d61 100644 --- a/operator/v1/types_network.go +++ b/operator/v1/types_network.go @@ -550,6 +550,8 @@ type HybridOverlayConfig struct { } // +kubebuilder:validation:XValidation:rule="self == oldSelf || has(self.mode)",message="ipsecConfig.mode is required" +// +kubebuilder:validation:XValidation:rule="has(self.mode) && self.mode == 'Full' ? true : !has(self.full)",message="full is forbidden when mode is not Full" +// +union type IPsecConfig struct { // mode defines the behaviour of the ipsec configuration within the platform. // Valid values are `Disabled`, `External` and `Full`. 
@@ -561,7 +563,43 @@ type IPsecConfig struct { // this is left to the user to configure. // +kubebuilder:validation:Enum=Disabled;External;Full // +optional + // +unionDiscriminator Mode IPsecMode `json:"mode,omitempty"` + + // full defines configuration parameters for the IPsec `Full` mode. + // This is permitted only when mode is configured with `Full`, + // and forbidden otherwise. + // +unionMember,optional + // +optional + Full *IPsecFullModeConfig `json:"full,omitempty"` +} + +type Encapsulation string + +const ( + // EncapsulationAlways always enable UDP encapsulation regardless of whether NAT is detected. + EncapsulationAlways = "Always" + // EncapsulationNever never enable UDP encapsulation even if NAT is present. + EncapsulationNever = "Never" + // EncapsulationAuto enable UDP encapsulation based on the detection of NAT. + EncapsulationAuto = "Auto" +) + +// IPsecFullModeConfig defines configuration parameters for the IPsec `Full` mode. +// +kubebuilder:validation:MinProperties:=1 +type IPsecFullModeConfig struct { + // encapsulation option to configure libreswan on how inter-pod traffic across nodes + // are encapsulated to handle NAT traversal. When configured it uses UDP port 4500 + // for the encapsulation. + // Valid values are Always, Never, Auto and omitted. + // Always means enable UDP encapsulation regardless of whether NAT is detected. + // Disable means never enable UDP encapsulation even if NAT is present. + // Auto means enable UDP encapsulation based on the detection of NAT. + // When omitted, this means no opinion and the platform is left to choose a reasonable + // default, which is subject to change over time. The current default is Auto. + // +kubebuilder:validation:Enum:=Always;Never;Auto + // +optional + Encapsulation Encapsulation `json:"encapsulation,omitempty"` } type IPForwardingMode string 
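Review bot: The `encapsulation` doc comment on the new IPsecFullModeConfig explains `Disable means never enable UDP encapsulation even if NAT is present.` while the enum marker and the preceding sentence name that value `Never` (`+kubebuilder:validation:Enum:=Always;Never;Auto`), so a user who copies the documented word gets an admission rejection; change the line to `// Never means never enable UDP encapsulation even if NAT is present.` and regenerate, because every CRD manifest, openapi.json and the swagger doc in this patch carry the same text. The three constants are declared untyped (`EncapsulationAlways = "Always"`) even though `type Encapsulation string` is introduced directly above them; writing `EncapsulationAlways Encapsulation = "Always"` (and likewise for Never and Auto) is the idiomatic typed-enum form and lets the compiler reject plain strings being assigned to the field. Since this field decides whether nodes must pass ESP directly or UDP/4500 between them, the comment would also serve operators writing firewall rules if it said that `Never` requires unencapsulated ESP to be reachable between nodes and that selecting it behind NAT presumably leaves the tunnels unestablished — libreswan's actual behaviour in that case is not visible here, so word it as a caveat. The IPsecConfig struct this hunk edits opens in the preceding hunk.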
diff --git a/operator/v1/zz_generated.crd-manifests/0000_70_network_01_networks-CustomNoUpgrade.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_70_network_01_networks-CustomNoUpgrade.crd.yaml index 904e37149dd..2fbc8d62fcd 100644 --- a/operator/v1/zz_generated.crd-manifests/0000_70_network_01_networks-CustomNoUpgrade.crd.yaml +++ b/operator/v1/zz_generated.crd-manifests/0000_70_network_01_networks-CustomNoUpgrade.crd.yaml @@ -412,6 +412,30 @@ spec: ipsecConfig enables and configures IPsec for pods on the pod network within the cluster. properties: + full: + description: |- + full defines configuration parameters for the IPsec `Full` mode. + This is permitted only when mode is configured with `Full`, + and forbidden otherwise. + minProperties: 1 + properties: + encapsulation: + description: |- + encapsulation option to configure libreswan on how inter-pod traffic across nodes + are encapsulated to handle NAT traversal. When configured it uses UDP port 4500 + for the encapsulation. + Valid values are Always, Never, Auto and omitted. + Always means enable UDP encapsulation regardless of whether NAT is detected. + Disable means never enable UDP encapsulation even if NAT is present. + Auto means enable UDP encapsulation based on the detection of NAT. + When omitted, this means no opinion and the platform is left to choose a reasonable + default, which is subject to change over time. The current default is Auto. + enum: + - Always + - Never + - Auto + type: string + type: object mode: description: |- mode defines the behaviour of the ipsec configuration within the platform. @@ -431,6 +455,9 @@ spec: x-kubernetes-validations: - message: ipsecConfig.mode is required rule: self == oldSelf || has(self.mode) + - message: full is forbidden when mode is not Full + rule: 'has(self.mode) && self.mode == ''Full'' ? true : + !has(self.full)' ipv4: description: |- ipv4 allows users to configure IP settings for IPv4 connections. When ommitted, 
diff --git a/operator/v1/zz_generated.crd-manifests/0000_70_network_01_networks-Default.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_70_network_01_networks-Default.crd.yaml index de48ddd6d30..513d6b73392 100644 --- a/operator/v1/zz_generated.crd-manifests/0000_70_network_01_networks-Default.crd.yaml +++ b/operator/v1/zz_generated.crd-manifests/0000_70_network_01_networks-Default.crd.yaml @@ -412,6 +412,30 @@ spec: ipsecConfig enables and configures IPsec for pods on the pod network within the cluster. properties: + full: + description: |- + full defines configuration parameters for the IPsec `Full` mode. + This is permitted only when mode is configured with `Full`, + and forbidden otherwise. + minProperties: 1 + properties: + encapsulation: + description: |- + encapsulation option to configure libreswan on how inter-pod traffic across nodes + are encapsulated to handle NAT traversal. When configured it uses UDP port 4500 + for the encapsulation. + Valid values are Always, Never, Auto and omitted. + Always means enable UDP encapsulation regardless of whether NAT is detected. + Disable means never enable UDP encapsulation even if NAT is present. + Auto means enable UDP encapsulation based on the detection of NAT. + When omitted, this means no opinion and the platform is left to choose a reasonable + default, which is subject to change over time. The current default is Auto. + enum: + - Always + - Never + - Auto + type: string + type: object mode: description: |- mode defines the behaviour of the ipsec configuration within the platform. @@ -431,6 +455,9 @@ spec: x-kubernetes-validations: - message: ipsecConfig.mode is required rule: self == oldSelf || has(self.mode) + - message: full is forbidden when mode is not Full + rule: 'has(self.mode) && self.mode == ''Full'' ? true : + !has(self.full)' ipv4: description: |- ipv4 allows users to configure IP settings for IPv4 connections. When ommitted, 
diff --git a/operator/v1/zz_generated.crd-manifests/0000_70_network_01_networks-DevPreviewNoUpgrade.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_70_network_01_networks-DevPreviewNoUpgrade.crd.yaml index 75bfc47bf07..86128eaf40d 100644 --- a/operator/v1/zz_generated.crd-manifests/0000_70_network_01_networks-DevPreviewNoUpgrade.crd.yaml +++ b/operator/v1/zz_generated.crd-manifests/0000_70_network_01_networks-DevPreviewNoUpgrade.crd.yaml @@ -412,6 +412,30 @@ spec: ipsecConfig enables and configures IPsec for pods on the pod network within the cluster. properties: + full: + description: |- + full defines configuration parameters for the IPsec `Full` mode. + This is permitted only when mode is configured with `Full`, + and forbidden otherwise. + minProperties: 1 + properties: + encapsulation: + description: |- + encapsulation option to configure libreswan on how inter-pod traffic across nodes + are encapsulated to handle NAT traversal. When configured it uses UDP port 4500 + for the encapsulation. + Valid values are Always, Never, Auto and omitted. + Always means enable UDP encapsulation regardless of whether NAT is detected. + Disable means never enable UDP encapsulation even if NAT is present. + Auto means enable UDP encapsulation based on the detection of NAT. + When omitted, this means no opinion and the platform is left to choose a reasonable + default, which is subject to change over time. The current default is Auto. + enum: + - Always + - Never + - Auto + type: string + type: object mode: description: |- mode defines the behaviour of the ipsec configuration within the platform. @@ -431,6 +455,9 @@ spec: x-kubernetes-validations: - message: ipsecConfig.mode is required rule: self == oldSelf || has(self.mode) + - message: full is forbidden when mode is not Full + rule: 'has(self.mode) && self.mode == ''Full'' ? true : + !has(self.full)' ipv4: description: |- ipv4 allows users to configure IP settings for IPv4 connections. When ommitted, 
diff --git a/operator/v1/zz_generated.crd-manifests/0000_70_network_01_networks-TechPreviewNoUpgrade.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_70_network_01_networks-TechPreviewNoUpgrade.crd.yaml index 7e01730245f..5990e706386 100644 --- a/operator/v1/zz_generated.crd-manifests/0000_70_network_01_networks-TechPreviewNoUpgrade.crd.yaml +++ b/operator/v1/zz_generated.crd-manifests/0000_70_network_01_networks-TechPreviewNoUpgrade.crd.yaml @@ -412,6 +412,30 @@ spec: ipsecConfig enables and configures IPsec for pods on the pod network within the cluster. properties: + full: + description: |- + full defines configuration parameters for the IPsec `Full` mode. + This is permitted only when mode is configured with `Full`, + and forbidden otherwise. + minProperties: 1 + properties: + encapsulation: + description: |- + encapsulation option to configure libreswan on how inter-pod traffic across nodes + are encapsulated to handle NAT traversal. When configured it uses UDP port 4500 + for the encapsulation. + Valid values are Always, Never, Auto and omitted. + Always means enable UDP encapsulation regardless of whether NAT is detected. + Disable means never enable UDP encapsulation even if NAT is present. + Auto means enable UDP encapsulation based on the detection of NAT. + When omitted, this means no opinion and the platform is left to choose a reasonable + default, which is subject to change over time. The current default is Auto. + enum: + - Always + - Never + - Auto + type: string + type: object mode: description: |- mode defines the behaviour of the ipsec configuration within the platform. @@ -431,6 +455,9 @@ spec: x-kubernetes-validations: - message: ipsecConfig.mode is required rule: self == oldSelf || has(self.mode) + - message: full is forbidden when mode is not Full + rule: 'has(self.mode) && self.mode == ''Full'' ? true : + !has(self.full)' ipv4: description: |- ipv4 allows users to configure IP settings for IPv4 connections. When ommitted, 
diff --git a/operator/v1/zz_generated.deepcopy.go b/operator/v1/zz_generated.deepcopy.go index 3b984f2a618..700ae5e6957 100644 --- a/operator/v1/zz_generated.deepcopy.go +++ b/operator/v1/zz_generated.deepcopy.go @@ -1912,6 +1912,11 @@ func (in *IPFIXConfig) DeepCopy() *IPFIXConfig { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *IPsecConfig) DeepCopyInto(out *IPsecConfig) { *out = *in + if in.Full != nil { + in, out := &in.Full, &out.Full + *out = new(IPsecFullModeConfig) + **out = **in + } return } @@ -1925,6 +1930,22 @@ func (in *IPsecConfig) DeepCopy() *IPsecConfig { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *IPsecFullModeConfig) DeepCopyInto(out *IPsecFullModeConfig) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IPsecFullModeConfig. +func (in *IPsecFullModeConfig) DeepCopy() *IPsecFullModeConfig { + if in == nil { + return nil + } + out := new(IPsecFullModeConfig) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *IPv4GatewayConfig) DeepCopyInto(out *IPv4GatewayConfig) { *out = *in @@ -3950,7 +3971,7 @@ func (in *OVNKubernetesConfig) DeepCopyInto(out *OVNKubernetesConfig) { if in.IPsecConfig != nil { in, out := &in.IPsecConfig, &out.IPsecConfig *out = new(IPsecConfig) - **out = **in + (*in).DeepCopyInto(*out) } if in.PolicyAuditConfig != nil { in, out := &in.PolicyAuditConfig, &out.PolicyAuditConfig diff --git a/operator/v1/zz_generated.featuregated-crd-manifests/networks.operator.openshift.io/AAA_ungated.yaml b/operator/v1/zz_generated.featuregated-crd-manifests/networks.operator.openshift.io/AAA_ungated.yaml index 5bb23cda045..b72217bfc8c 100644 
--- a/operator/v1/zz_generated.featuregated-crd-manifests/networks.operator.openshift.io/AAA_ungated.yaml +++ b/operator/v1/zz_generated.featuregated-crd-manifests/networks.operator.openshift.io/AAA_ungated.yaml @@ -379,6 +379,30 @@ spec: ipsecConfig enables and configures IPsec for pods on the pod network within the cluster. properties: + full: + description: |- + full defines configuration parameters for the IPsec `Full` mode. + This is permitted only when mode is configured with `Full`, + and forbidden otherwise. + minProperties: 1 + properties: + encapsulation: + description: |- + encapsulation option to configure libreswan on how inter-pod traffic across nodes + are encapsulated to handle NAT traversal. When configured it uses UDP port 4500 + for the encapsulation. + Valid values are Always, Never, Auto and omitted. + Always means enable UDP encapsulation regardless of whether NAT is detected. + Disable means never enable UDP encapsulation even if NAT is present. + Auto means enable UDP encapsulation based on the detection of NAT. + When omitted, this means no opinion and the platform is left to choose a reasonable + default, which is subject to change over time. The current default is Auto. + enum: + - Always + - Never + - Auto + type: string + type: object mode: description: |- mode defines the behaviour of the ipsec configuration within the platform. @@ -398,6 +422,9 @@ spec: x-kubernetes-validations: - message: ipsecConfig.mode is required rule: self == oldSelf || has(self.mode) + - message: full is forbidden when mode is not Full + rule: 'has(self.mode) && self.mode == ''Full'' ? true : + !has(self.full)' ipv4: description: |- ipv4 allows users to configure IP settings for IPv4 connections. When ommitted, 
diff --git a/operator/v1/zz_generated.featuregated-crd-manifests/networks.operator.openshift.io/AdditionalRoutingCapabilities.yaml b/operator/v1/zz_generated.featuregated-crd-manifests/networks.operator.openshift.io/AdditionalRoutingCapabilities.yaml index 4ba0583b73c..095fde774db 100644 --- a/operator/v1/zz_generated.featuregated-crd-manifests/networks.operator.openshift.io/AdditionalRoutingCapabilities.yaml +++ b/operator/v1/zz_generated.featuregated-crd-manifests/networks.operator.openshift.io/AdditionalRoutingCapabilities.yaml @@ -412,6 +412,30 @@ spec: ipsecConfig enables and configures IPsec for pods on the pod network within the cluster. properties: + full: + description: |- + full defines configuration parameters for the IPsec `Full` mode. + This is permitted only when mode is configured with `Full`, + and forbidden otherwise. + minProperties: 1 + properties: + encapsulation: + description: |- + encapsulation option to configure libreswan on how inter-pod traffic across nodes + are encapsulated to handle NAT traversal. When configured it uses UDP port 4500 + for the encapsulation. + Valid values are Always, Never, Auto and omitted. + Always means enable UDP encapsulation regardless of whether NAT is detected. + Disable means never enable UDP encapsulation even if NAT is present. + Auto means enable UDP encapsulation based on the detection of NAT. + When omitted, this means no opinion and the platform is left to choose a reasonable + default, which is subject to change over time. The current default is Auto. + enum: + - Always + - Never + - Auto + type: string + type: object mode: description: |- mode defines the behaviour of the ipsec configuration within the platform. 
@@ -431,6 +455,9 @@ spec: x-kubernetes-validations: - message: ipsecConfig.mode is required rule: self == oldSelf || has(self.mode) + - message: full is forbidden when mode is not Full + rule: 'has(self.mode) && self.mode == ''Full'' ? true : + !has(self.full)' ipv4: description: |- ipv4 allows users to configure IP settings for IPv4 connections. When ommitted, diff --git a/operator/v1/zz_generated.featuregated-crd-manifests/networks.operator.openshift.io/NetworkLiveMigration.yaml b/operator/v1/zz_generated.featuregated-crd-manifests/networks.operator.openshift.io/NetworkLiveMigration.yaml index 15b084cda49..cb2d2110b3f 100644 --- a/operator/v1/zz_generated.featuregated-crd-manifests/networks.operator.openshift.io/NetworkLiveMigration.yaml +++ b/operator/v1/zz_generated.featuregated-crd-manifests/networks.operator.openshift.io/NetworkLiveMigration.yaml 
@@ -379,6 +379,30 @@ spec: ipsecConfig enables and configures IPsec for pods on the pod network within the cluster. properties: + full: + description: |- + full defines configuration parameters for the IPsec `Full` mode. + This is permitted only when mode is configured with `Full`, + and forbidden otherwise. + minProperties: 1 + properties: + encapsulation: + description: |- + encapsulation option to configure libreswan on how inter-pod traffic across nodes + are encapsulated to handle NAT traversal. When configured it uses UDP port 4500 + for the encapsulation. + Valid values are Always, Never, Auto and omitted. + Always means enable UDP encapsulation regardless of whether NAT is detected. + Disable means never enable UDP encapsulation even if NAT is present. + Auto means enable UDP encapsulation based on the detection of NAT. + When omitted, this means no opinion and the platform is left to choose a reasonable + default, which is subject to change over time. The current default is Auto. + enum: + - Always + - Never + - Auto + type: string + type: object mode: description: |- mode defines the behaviour of the ipsec configuration within the platform. @@ -398,6 +422,9 @@ spec: x-kubernetes-validations: - message: ipsecConfig.mode is required rule: self == oldSelf || has(self.mode) + - message: full is forbidden when mode is not Full + rule: 'has(self.mode) && self.mode == ''Full'' ? true : + !has(self.full)' ipv4: description: |- ipv4 allows users to configure IP settings for IPv4 connections. When ommitted, diff --git a/operator/v1/zz_generated.featuregated-crd-manifests/networks.operator.openshift.io/RouteAdvertisements.yaml b/operator/v1/zz_generated.featuregated-crd-manifests/networks.operator.openshift.io/RouteAdvertisements.yaml index 7f7dadd1706..da8146f44ef 100644 --- a/operator/v1/zz_generated.featuregated-crd-manifests/networks.operator.openshift.io/RouteAdvertisements.yaml 
+++ b/operator/v1/zz_generated.featuregated-crd-manifests/networks.operator.openshift.io/RouteAdvertisements.yaml @@ -379,6 +379,30 @@ spec: ipsecConfig enables and configures IPsec for pods on the pod network within the cluster. properties: + full: + description: |- + full defines configuration parameters for the IPsec `Full` mode. + This is permitted only when mode is configured with `Full`, + and forbidden otherwise. + minProperties: 1 + properties: + encapsulation: + description: |- + encapsulation option to configure libreswan on how inter-pod traffic across nodes + are encapsulated to handle NAT traversal. When configured it uses UDP port 4500 + for the encapsulation. + Valid values are Always, Never, Auto and omitted. + Always means enable UDP encapsulation regardless of whether NAT is detected. + Disable means never enable UDP encapsulation even if NAT is present. + Auto means enable UDP encapsulation based on the detection of NAT. + When omitted, this means no opinion and the platform is left to choose a reasonable + default, which is subject to change over time. The current default is Auto. + enum: + - Always + - Never + - Auto + type: string + type: object mode: description: |- mode defines the behaviour of the ipsec configuration within the platform. @@ -398,6 +422,9 @@ spec: x-kubernetes-validations: - message: ipsecConfig.mode is required rule: self == oldSelf || has(self.mode) + - message: full is forbidden when mode is not Full + rule: 'has(self.mode) && self.mode == ''Full'' ? true : + !has(self.full)' ipv4: description: |- ipv4 allows users to configure IP settings for IPv4 connections. When ommitted, diff --git a/operator/v1/zz_generated.swagger_doc_generated.go b/operator/v1/zz_generated.swagger_doc_generated.go index dace7ed4f29..d02bb37efef 100644 --- a/operator/v1/zz_generated.swagger_doc_generated.go +++ b/operator/v1/zz_generated.swagger_doc_generated.go 
@@ -1650,12 +1650,22 @@ func (IPFIXConfig) SwaggerDoc() map[string]string { var map_IPsecConfig = map[string]string{ "mode": "mode defines the behaviour of the ipsec configuration within the platform. Valid values are `Disabled`, `External` and `Full`. When 'Disabled', ipsec will not be enabled at the node level. When 'External', ipsec is enabled on the node level but requires the user to configure the secure communication parameters. This mode is for external secure communications and the configuration can be done using the k8s-nmstate operator. When 'Full', ipsec is configured on the node level and inter-pod secure communication within the cluster is configured. Note with `Full`, if ipsec is desired for communication with external (to the cluster) entities (such as storage arrays), this is left to the user to configure.", + "full": "full defines configuration parameters for the IPsec `Full` mode. This is permitted only when mode is configured with `Full`, and forbidden otherwise.", } func (IPsecConfig) SwaggerDoc() map[string]string { return map_IPsecConfig } +var map_IPsecFullModeConfig = map[string]string{ + "": "IPsecFullModeConfig defines configuration parameters for the IPsec `Full` mode.", + "encapsulation": "encapsulation option to configure libreswan on how inter-pod traffic across nodes are encapsulated to handle NAT traversal. When configured it uses UDP port 4500 for the encapsulation. Valid values are Always, Never, Auto and omitted. Always means enable UDP encapsulation regardless of whether NAT is detected. Disable means never enable UDP encapsulation even if NAT is present. Auto means enable UDP encapsulation based on the detection of NAT. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. 
The current default is Auto.", +} + +func (IPsecFullModeConfig) SwaggerDoc() map[string]string { + return map_IPsecFullModeConfig +} + var map_IPv4GatewayConfig = map[string]string{ "": "IPV4GatewayConfig holds the configuration paramaters for IPV4 connections in the GatewayConfig for OVN-Kubernetes", "internalMasqueradeSubnet": "internalMasqueradeSubnet contains the masquerade addresses in IPV4 CIDR format used internally by ovn-kubernetes to enable host to service traffic. Each host in the cluster is configured with these addresses, as well as the shared gateway bridge interface. The values can be changed after installation. The subnet chosen should not overlap with other networks specified for OVN-Kubernetes as well as other networks used on the host. Additionally the subnet must be large enough to accommodate 6 IPs (maximum prefix length /29). When omitted, this means no opinion and the platform is left to choose a reasonable default which is subject to change over time. The current default subnet is 169.254.169.0/29 The value must be in proper IPV4 CIDR format",