Implement IPsec NAT-Traversal encapsulation option

There is a requirement to encapsulate IPsec east west traffic in UDP via NAT-T so that those packets are compatible with intermediate NAT device(s) if present. This commit consumes new API to enable or disable encap option and applies to OVN to configure east west ipsec tunnel connections accordingly. Signed-off-by: Periyasamy Palanisamy <[email protected]>
openshift · Dec 18, 2024 · ff55dc6 · ff55dc6
1 parent cc632a5
commit ff55dc6
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 0 deletions.
diff --git a/bindata/network/ovn-kubernetes/common/008-script-lib.yaml b/bindata/network/ovn-kubernetes/common/008-script-lib.yaml
@@ -332,6 +332,13 @@ data:
         ipsec_encapsulation=true
       fi
 {{ end }}
+
+{{ if eq .OVNIPsecEncap "Always" }}
+      ipsec_encapsulation=true
+{{ else if eq .OVNIPsecEncap "Never" }}
+      ipsec_encapsulation=false
+{{ end }}
+
       IPSEC_OPTION="ipsec=${ipsec} options:ipsec_encapsulation=${ipsec_encapsulation}"
 
       # set all the NB_GLOBAL options

diff --git a/pkg/network/ovn_kubernetes.go b/pkg/network/ovn_kubernetes.go
@@ -291,6 +291,10 @@ func renderOVNKubernetes(conf *operv1.NetworkSpec, bootstrapResult *bootstrap.Bo
 	data.Data["IPsecMachineConfigEnable"] = IPsecMachineConfigEnable
 	data.Data["OVNIPsecDaemonsetEnable"] = OVNIPsecDaemonsetEnable
 	data.Data["OVNIPsecEnable"] = OVNIPsecEnable
+	data.Data["OVNIPsecEncap"] = operv1.EncapsulationAuto
+	if OVNIPsecEnable && c.IPsecConfig.Full != nil {
+		data.Data["OVNIPsecEncap"] = c.IPsecConfig.Full.Encapsulation
+	}
 
 	// Set progressing to true until IPsec DaemonSet is rendered when EW IPsec config is enabled.
 	// TODO Do a poor man's job mapping machine config pool status to CNO progressing state for now.