OCPBUGS-40906: Implement IPsec NAT-Traversal encapsulation option #2573

Open: wants to merge 2 commits into base: master
7 changes: 7 additions & 0 deletions bindata/network/ovn-kubernetes/common/008-script-lib.yaml
Expand Up @@ -332,6 +332,13 @@ data:
ipsec_encapsulation=true
fi
{{ end }}

{{ if eq .OVNIPsecEncap "Always" }}
ipsec_encapsulation=true
{{ else if eq .OVNIPsecEncap "Never" }}
ipsec_encapsulation=false
{{ end }}

IPSEC_OPTION="ipsec=${ipsec} options:ipsec_encapsulation=${ipsec_encapsulation}"

# set all the NB_GLOBAL options
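Review bot: the new `Always`/`Never` block silently overrides whatever the preceding conditional computed (the visible `ipsec_encapsulation=true` at the top of this hunk), while `Auto` and the omitted case fall through to that earlier value; that precedence is not obvious from the template, so add a one-line comment above `{{ if eq .OVNIPsecEncap "Always" }}` stating that an explicit Always/Never wins over the detected value and that Auto or empty keeps it. It is also worth confirming that `ipsec_encapsulation` is initialised on every path before this point, since `IPSEC_OPTION` always interpolates it into `options:ipsec_encapsulation=${ipsec_encapsulation}` and an empty value would be written straight into NB_Global. Finally, `Never` disables UDP encapsulation even when NAT is present (as the CRD description states), so plain ESP must be able to traverse the path between nodes in that mode; a comment naming that consequence next to the `Never` branch would help whoever debugs a tunnel that fails to come up.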
2 changes: 1 addition & 1 deletion go.mod
Expand Up @@ -109,7 +109,7 @@ require (
)

require (
github.com/openshift/api v0.0.0-20241206130210-831aaaf072a9
github.com/openshift/api v0.0.0-20241218150726-a3fb7a21b00b
github.com/openshift/client-go v0.0.0-20241001162912-da6d55e4611f
github.com/openshift/library-go v0.0.0-20241022153911-4c1f8b43679f
github.com/openshift/machine-config-operator v0.0.1-0.20231002195040-a2469941c0dc
4 changes: 2 additions & 2 deletions go.sum
Expand Up @@ -274,8 +274,8 @@ github.com/onsi/ginkgo/v2 v2.20.2 h1:7NVCeyIWROIAheY21RLS+3j2bb52W0W82tkberYytp4
github.com/onsi/ginkgo/v2 v2.20.2/go.mod h1:K9gyxPIlb+aIvnZ8bd9Ak+YP18w3APlR+5coaZoE2ag=
github.com/onsi/gomega v1.34.2 h1:pNCwDkzrsv7MS9kpaQvVb1aVLahQXyJ/Tv5oAZMI3i8=
github.com/onsi/gomega v1.34.2/go.mod h1:v1xfxRgk0KIsG+QOdm7p8UosrOzPYRo60fd3B/1Dukc=
github.com/openshift/api v0.0.0-20241206130210-831aaaf072a9 h1:CX1UFcrVqLNgGIlsykD5hEPUSOwJOBj6Dq/1T8kEqo4=
github.com/openshift/api v0.0.0-20241206130210-831aaaf072a9/go.mod h1:Shkl4HanLwDiiBzakv+con/aMGnVE2MAGvoKp5oyYUo=
github.com/openshift/api v0.0.0-20241218150726-a3fb7a21b00b h1:Ujz3g/YvVluMHuPg5DtUAxLrma3ZsoxNGZg4nrAyPvs=
github.com/openshift/api v0.0.0-20241218150726-a3fb7a21b00b/go.mod h1:Shkl4HanLwDiiBzakv+con/aMGnVE2MAGvoKp5oyYUo=
github.com/openshift/build-machinery-go v0.0.0-20240910153727-5725581bdf8f h1:JMEDso3xFUIDULgFJmcrTfyPpigF3NyyaP07Yy8tHmI=
github.com/openshift/build-machinery-go v0.0.0-20240910153727-5725581bdf8f/go.mod h1:8jcm8UPtg2mCAsxfqKil1xrmRMI3a+XU2TZ9fF8A7TE=
github.com/openshift/client-go v0.0.0-20241001162912-da6d55e4611f h1:FRc0bVNWprihWS0GqQWzb3dY4dkCwpOP3mDw5NwSoR4=
27 changes: 27 additions & 0 deletions manifests/0000_70_network_01_networks-CustomNoUpgrade.crd.yaml
Expand Up @@ -413,6 +413,30 @@ spec:
ipsecConfig enables and configures IPsec for pods on the pod network within the
cluster.
properties:
full:
description: |-
full defines configuration parameters for the IPsec `Full` mode.
This is permitted only when mode is configured with `Full`,
and forbidden otherwise.
minProperties: 1
properties:
encapsulation:
description: |-
encapsulation option to configure libreswan on how inter-pod traffic across nodes
are encapsulated to handle NAT traversal. When configured it uses UDP port 4500
for the encapsulation.
Valid values are Always, Never, Auto and omitted.
Always means enable UDP encapsulation regardless of whether NAT is detected.
Disable means never enable UDP encapsulation even if NAT is present.
Auto means enable UDP encapsulation based on the detection of NAT.
When omitted, this means no opinion and the platform is left to choose a reasonable
default, which is subject to change over time. The current default is Auto.
enum:
- Always
- Never
- Auto
type: string
type: object
mode:
description: |-
mode defines the behaviour of the ipsec configuration within the platform.
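Review bot: the `encapsulation` description lists the valid values as `Always`, `Never`, `Auto` and omitted, but the explanatory line reads `Disable means never enable UDP encapsulation even if NAT is present`; it should say `Never means ...` to match the enum. Because this manifest is generated from the vendored openshift/api CRD, the wording fix belongs upstream in openshift/api followed by a regeneration here, not a hand edit of this file. Separately, `minProperties: 1` on `full` means an empty `full: {}` is rejected at admission, so a user who sets `mode: Full` with no encapsulation preference must omit `full` entirely; the `full` description could state that explicitly.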
Expand All @@ -432,6 +456,9 @@ spec:
x-kubernetes-validations:
- message: ipsecConfig.mode is required
rule: self == oldSelf || has(self.mode)
- message: full is forbidden when mode is not Full
rule: 'has(self.mode) && self.mode == ''Full'' ? true :
!has(self.full)'
ipv4:
description: |-
ipv4 allows users to configure IP settings for IPv4 connections. When ommitted,
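Review bot: the CEL rule `has(self.mode) && self.mode == 'Full' ? true : !has(self.full)` is correct as written (`&&` binds tighter than `?:` in CEL, so the whole conjunction is the condition), but note that it also rejects any update that moves `mode` away from `Full` while `full` is still present, so operators must drop `full` in the same update; the message `full is forbidden when mode is not Full` covers it, but a sentence in the PR or release notes would save support tickets.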
27 changes: 27 additions & 0 deletions manifests/0000_70_network_01_networks-Default.crd.yaml
Expand Up @@ -413,6 +413,30 @@ spec:
ipsecConfig enables and configures IPsec for pods on the pod network within the
cluster.
properties:
full:
description: |-
full defines configuration parameters for the IPsec `Full` mode.
This is permitted only when mode is configured with `Full`,
and forbidden otherwise.
minProperties: 1
properties:
encapsulation:
description: |-
encapsulation option to configure libreswan on how inter-pod traffic across nodes
are encapsulated to handle NAT traversal. When configured it uses UDP port 4500
for the encapsulation.
Valid values are Always, Never, Auto and omitted.
Always means enable UDP encapsulation regardless of whether NAT is detected.
Disable means never enable UDP encapsulation even if NAT is present.
Auto means enable UDP encapsulation based on the detection of NAT.
When omitted, this means no opinion and the platform is left to choose a reasonable
default, which is subject to change over time. The current default is Auto.
enum:
- Always
- Never
- Auto
type: string
type: object
mode:
description: |-
mode defines the behaviour of the ipsec configuration within the platform.
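Review bot: same generated content as the CustomNoUpgrade variant, so the same wording defect applies: the `encapsulation` description enumerates `Always`, `Never`, `Auto` and omitted but then explains `Disable means never enable UDP encapsulation ...`; it should read `Never means ...`. Fix it upstream in openshift/api and regenerate rather than editing this manifest by hand.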
Expand All @@ -432,6 +456,9 @@ spec:
x-kubernetes-validations:
- message: ipsecConfig.mode is required
rule: self == oldSelf || has(self.mode)
- message: full is forbidden when mode is not Full
rule: 'has(self.mode) && self.mode == ''Full'' ? true :
!has(self.full)'
ipv4:
description: |-
ipv4 allows users to configure IP settings for IPv4 connections. When ommitted,
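Review bot: the `full is forbidden when mode is not Full` rule is correct under CEL precedence, but it means a transition from `mode: Full` to any other mode must remove `full` in the same update or the write is rejected; worth a line in the release note.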
27 changes: 27 additions & 0 deletions manifests/0000_70_network_01_networks-DevPreviewNoUpgrade.crd.yaml
Expand Up @@ -413,6 +413,30 @@ spec:
ipsecConfig enables and configures IPsec for pods on the pod network within the
cluster.
properties:
full:
description: |-
full defines configuration parameters for the IPsec `Full` mode.
This is permitted only when mode is configured with `Full`,
and forbidden otherwise.
minProperties: 1
properties:
encapsulation:
description: |-
encapsulation option to configure libreswan on how inter-pod traffic across nodes
are encapsulated to handle NAT traversal. When configured it uses UDP port 4500
for the encapsulation.
Valid values are Always, Never, Auto and omitted.
Always means enable UDP encapsulation regardless of whether NAT is detected.
Disable means never enable UDP encapsulation even if NAT is present.
Auto means enable UDP encapsulation based on the detection of NAT.
When omitted, this means no opinion and the platform is left to choose a reasonable
default, which is subject to change over time. The current default is Auto.
enum:
- Always
- Never
- Auto
type: string
type: object
mode:
description: |-
mode defines the behaviour of the ipsec configuration within the platform.
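Review bot: the `encapsulation` description in this generated copy carries the same mismatch as the other feature-set variants, `Disable means never enable UDP encapsulation ...` where the enum value is `Never`; correct it in openshift/api and regenerate.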
Expand All @@ -432,6 +456,9 @@ spec:
x-kubernetes-validations:
- message: ipsecConfig.mode is required
rule: self == oldSelf || has(self.mode)
- message: full is forbidden when mode is not Full
rule: 'has(self.mode) && self.mode == ''Full'' ? true :
!has(self.full)'
ipv4:
description: |-
ipv4 allows users to configure IP settings for IPv4 connections. When ommitted,
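Review bot: the CEL rule here is the same as in the other feature-set copies and is correct; the only operational caveat is that leaving `mode: Full` requires dropping `full` in the same update.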
Expand Up @@ -413,6 +413,30 @@ spec:
ipsecConfig enables and configures IPsec for pods on the pod network within the
cluster.
properties:
full:
description: |-
full defines configuration parameters for the IPsec `Full` mode.
This is permitted only when mode is configured with `Full`,
and forbidden otherwise.
minProperties: 1
properties:
encapsulation:
description: |-
encapsulation option to configure libreswan on how inter-pod traffic across nodes
are encapsulated to handle NAT traversal. When configured it uses UDP port 4500
for the encapsulation.
Valid values are Always, Never, Auto and omitted.
Always means enable UDP encapsulation regardless of whether NAT is detected.
Disable means never enable UDP encapsulation even if NAT is present.
Auto means enable UDP encapsulation based on the detection of NAT.
When omitted, this means no opinion and the platform is left to choose a reasonable
default, which is subject to change over time. The current default is Auto.
enum:
- Always
- Never
- Auto
type: string
type: object
mode:
description: |-
mode defines the behaviour of the ipsec configuration within the platform.
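Review bot: this copy's `encapsulation` description has the same `Disable means ...` wording where the enum value is `Never`; fix upstream in openshift/api and regenerate all four feature-set manifests together so they stay identical.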
Expand All @@ -432,6 +456,9 @@ spec:
x-kubernetes-validations:
- message: ipsecConfig.mode is required
rule: self == oldSelf || has(self.mode)
- message: full is forbidden when mode is not Full
rule: 'has(self.mode) && self.mode == ''Full'' ? true :
!has(self.full)'
ipv4:
description: |-
ipv4 allows users to configure IP settings for IPv4 connections. When ommitted,
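Review bot: the `full is forbidden when mode is not Full` CEL rule matches the other copies and is correct; moving off `mode: Full` must remove `full` in the same update.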
4 changes: 4 additions & 0 deletions pkg/network/ovn_kubernetes.go
Expand Up @@ -291,6 +291,10 @@ func renderOVNKubernetes(conf *operv1.NetworkSpec, bootstrapResult *bootstrap.Bo
data.Data["IPsecMachineConfigEnable"] = IPsecMachineConfigEnable
data.Data["OVNIPsecDaemonsetEnable"] = OVNIPsecDaemonsetEnable
data.Data["OVNIPsecEnable"] = OVNIPsecEnable
data.Data["OVNIPsecEncap"] = operv1.EncapsulationAuto
if OVNIPsecEnable && c.IPsecConfig.Full != nil {
data.Data["OVNIPsecEncap"] = c.IPsecConfig.Full.Encapsulation
}

// Set progressing to true until IPsec DaemonSet is rendered when EW IPsec config is enabled.
// TODO Do a poor man's job mapping machine config pool status to CNO progressing state for now.
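Review bot: `c.IPsecConfig.Full.Encapsulation` is copied through unchanged, so if `Full` is non-nil but `Encapsulation` is empty (the CRD documents omitted as meaning Auto), the template receives an empty string rather than `operv1.EncapsulationAuto`. Today the CRD's `minProperties: 1` on `full` prevents that combination at admission and the template happens to treat empty and `Auto` alike because it only tests `Always`/`Never`, but the Go side should not depend on either; normalising here, for example `if enc := c.IPsecConfig.Full.Encapsulation; enc != "" { data.Data["OVNIPsecEncap"] = enc }`, keeps the rendered value consistent for any later consumer. Also, the condition dereferences `c.IPsecConfig.Full` without a nil check on `c.IPsecConfig`; if `OVNIPsecEnable` already implies a non-nil `IPsecConfig`, a short comment on the `if` stating that invariant would make it explicit.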
8 changes: 7 additions & 1 deletion vendor/github.com/openshift/api/.golangci.yaml
3 changes: 3 additions & 0 deletions vendor/github.com/openshift/api/features.md