Implement IPsec NAT-Traversal encapsulation option

There is a requirement to encapsulate IPsec east west traffic in UDP via NAT-T so that those packets are compatible with intermediate NAT device(s) if present. This commit consumes new API to enable or disable encap option and applies to OVN to configure east west ipsec tunnel connections accordingly. Signed-off-by: Periyasamy Palanisamy <[email protected]>
openshift · Nov 21, 2024 · 0aa71c5 · 0aa71c5
1 parent 7a87d20
commit 0aa71c5
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 0 deletions.
diff --git a/bindata/network/ovn-kubernetes/common/008-script-lib.yaml b/bindata/network/ovn-kubernetes/common/008-script-lib.yaml
@@ -332,6 +332,11 @@ data:
         ipsec_encapsulation=true
       fi
 {{ end }}
+
+{{ if .OVNIPsecEncapEnable }}
+      ipsec_encapsulation=true
+{{ end }}
+
       IPSEC_OPTION="ipsec=${ipsec} options:ipsec_encapsulation=${ipsec_encapsulation}"
 
       # set all the NB_GLOBAL options

diff --git a/pkg/network/ovn_kubernetes.go b/pkg/network/ovn_kubernetes.go
@@ -290,6 +290,8 @@ func renderOVNKubernetes(conf *operv1.NetworkSpec, bootstrapResult *bootstrap.Bo
 	data.Data["IPsecMachineConfigEnable"] = IPsecMachineConfigEnable
 	data.Data["OVNIPsecDaemonsetEnable"] = OVNIPsecDaemonsetEnable
 	data.Data["OVNIPsecEnable"] = OVNIPsecEnable
+	data.Data["OVNIPsecEncapEnable"] = OVNIPsecEnable && c.IPsecConfig.Full != nil &&
+		c.IPsecConfig.Full.Encap == operv1.EnableEncapsulation
 
 	// Set progressing to true until IPsec DaemonSet is rendered when EW IPsec config is enabled.
 	// TODO Do a poor man's job mapping machine config pool status to CNO progressing state for now.