From ff55dc68260821278e804988bbd9bcf3e11784c6 Mon Sep 17 00:00:00 2001
From: Periyasamy Palanisamy
Date: Thu, 21 Nov 2024 06:32:14 +0100
Subject: [PATCH] Implement IPsec NAT-Traversal encapsulation option

There is a requirement to encapsulate IPsec east west traffic in UDP via NAT-T so that those packets are compatible with intermediate NAT device(s) if present.

This commit consumes new API to enable or disable encap option and applies to OVN to configure east west ipsec tunnel connections accordingly.

Signed-off-by: Periyasamy Palanisamy
---
 bindata/network/ovn-kubernetes/common/008-script-lib.yaml | 7 +++++++
 pkg/network/ovn_kubernetes.go | 4 ++++
 2 files changed, 11 insertions(+)

diff --git a/bindata/network/ovn-kubernetes/common/008-script-lib.yaml b/bindata/network/ovn-kubernetes/common/008-script-lib.yaml
index 7e0bcea88a..389e6bbf4a 100644
--- a/bindata/network/ovn-kubernetes/common/008-script-lib.yaml
+++ b/bindata/network/ovn-kubernetes/common/008-script-lib.yaml
@@ -332,6 +332,13 @@ data:
 ipsec_encapsulation=true
 fi
 {{ end }}
+
+{{ if eq .OVNIPsecEncap "Always" }}
+ ipsec_encapsulation=true
+{{ else if eq .OVNIPsecEncap "Never" }}
+ ipsec_encapsulation=false
+{{ end }}
+
 IPSEC_OPTION="ipsec=${ipsec} options:ipsec_encapsulation=${ipsec_encapsulation}"
 
 # set all the NB_GLOBAL options
diff --git a/pkg/network/ovn_kubernetes.go b/pkg/network/ovn_kubernetes.go
index 651fb303a9..8c507f93d7 100644
--- a/pkg/network/ovn_kubernetes.go
+++ b/pkg/network/ovn_kubernetes.go
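Review bot: The new Always/Never block silently overrides whatever the preceding `if … ipsec_encapsulation=true … fi` auto-detection decided, and nothing in the script records that precedence, so a reader of the `IPSEC_OPTION=` line cannot tell which source wins. I would add, directly above the new `{{ if eq .OVNIPsecEncap "Always" }}` line, the comment `# Explicit API setting: "Always"/"Never" override the auto-detected value above; "Auto" (or any other value) keeps it.` With "Never" the ESP traffic is sent unencapsulated even where the auto-detection above chose encapsulation, so east-west connectivity through a NAT that drops ESP would fail rather than quietly downgrade; that is presumably the intended fail-closed behaviour and is worth stating in the same comment. The added template directives sit at column 0 while the surrounding shell and the existing `{{ end }}` are indented; this looks harmless if the template is expanded before the YAML is parsed (the directive lines render empty), but indenting them like the existing `{{ end }}` keeps the block scalar readable.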
@@ -291,6 +291,10 @@ func renderOVNKubernetes(conf *operv1.NetworkSpec, bootstrapResult *bootstrap.Bo
 data.Data["IPsecMachineConfigEnable"] = IPsecMachineConfigEnable
 data.Data["OVNIPsecDaemonsetEnable"] = OVNIPsecDaemonsetEnable
 data.Data["OVNIPsecEnable"] = OVNIPsecEnable
+ data.Data["OVNIPsecEncap"] = operv1.EncapsulationAuto
+ if OVNIPsecEnable && c.IPsecConfig.Full != nil {
+ data.Data["OVNIPsecEncap"] = c.IPsecConfig.Full.Encapsulation
+ }
 
 // Set progressing to true until IPsec DaemonSet is rendered when EW IPsec config is enabled.
 // TODO Do a poor man's job mapping machine config pool status to CNO progressing state for now.
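Review bot: The added `c.IPsecConfig.Full != nil` guard dereferences `c.IPsecConfig` without first checking it for nil; if `OVNIPsecEnable` can be true while `c.IPsecConfig` is nil (how `OVNIPsecEnable` is derived is not visible in this hunk), the render path panics. Tightening the condition to `if OVNIPsecEnable && c.IPsecConfig != nil && c.IPsecConfig.Full != nil {` costs nothing and matches the defensive default set on the line above. Separately, an empty `Encapsulation` field (Full present but the field unset) overwrites the `EncapsulationAuto` default and is then treated as Auto only because the template matches neither "Always" nor "Never"; assuming the field is a string-kind type as the template's `eq` against string literals implies, copying it only when non-empty, e.g. `if enc := c.IPsecConfig.Full.Encapsulation; enc != "" { data.Data["OVNIPsecEncap"] = enc }`, keeps the fallback explicit on the Go side where it can be unit-tested. The enclosing renderOVNKubernetes starts and continues outside this hunk.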