Changes to enable IPSEC Network Configuration (#395)

suman-jainkeri · root · jpattara · web-flow · commit 8fb902432949 · 2025-04-29T15:57:13.000+02:00
This PR handles the changes to enable IPSEC Network Config changes
during the installation.
- The boolean flag - **ipsec_enabled** - is added in the all.yaml to
enable IPSEC configuration. Default value if False.
- Maintain the Network config manifest -
**cluster-network-03-config.yml** - in the **files/** directory of
**get_ocp** role.
- After the manifests are created, an additional Network manifest -
**cluster-network-03-config.yml** - which has the configuration for
enabling IPSEC is copied to the manifests directory, only when
**ipsec_enabled flag is True**.

---------

Signed-off-by: suman-jainkeri &lt;sjainker@redhat.com&gt;
Signed-off-by: root &lt;root@m1318008.lnxero1.boe&gt;
Co-authored-by: root &lt;root@m1303078.lnxero1.boe&gt;
Co-authored-by: jpattara &lt;Jibin.Pattara@ibm.com&gt;
Co-authored-by: root &lt;root@m1318008.lnxero1.boe&gt;
Co-authored-by: root &lt;root@m13lp39.lnxero1.boe&gt;
diff --git a/docs/set-variables-group-vars.md b/docs/set-variables-group-vars.md
@@ -166,6 +166,7 @@
 **env.jumphost.user** | (Optional) The user name to login to the jumphost. | admin
 **env.jumphost.pass** | (Optional) The password for user to login to the jumphost. | ch4ngeMe!
 **env.jumphost.path_to_keypair** | (Optional) The absolute path to the public key file on the jumphost to be copied to the bastion. | /home/admin/.ssh/id_rsa.pub
+**env.ipsec_enabled** | (Optional) If IPSEC network configuration has to be enabled, this flag should be set to true | 
 
 ## 12 - OCP and RHCOS (CoreOS)
 * These parameters are responsible which version of OCP, RHCOS and os variant AOP is using. The default value is 'latest' for s390x architecture. I you want to install a different version or a different architecture you need to specify specify the following parameters in all.yaml file:
diff --git a/inventories/default/group_vars/all.yaml.template b/inventories/default/group_vars/all.yaml.template
@@ -201,6 +201,9 @@ env:
   use_dhcp: False
   setup_openvpn: False
 
+# Uncomment the line below to enable IPSec network configuration.
+# ipsec_enabled: true
+
 #jumphost if network mode is NAT
   jumphost:
     name:
diff --git a/roles/get_ocp/files/cluster-network-03-config.yml b/roles/get_ocp/files/cluster-network-03-config.yml
@@ -0,0 +1,9 @@
+apiVersion: operator.openshift.io/v1
+kind: Network
+metadata:
+  name: cluster
+spec:
+  defaultNetwork:
+    ovnKubernetesConfig:
+      ipsecConfig:
+        mode: Full
diff --git a/roles/get_ocp/tasks/main.yaml b/roles/get_ocp/tasks/main.yaml
@@ -92,6 +92,24 @@
     /root/ocpinst/openshift-install create manifests --dir=/root/ocpinst/
   become: true
 
+- name: Copy the file when ipsec flag is enabled
+  tags: get_ocp
+  become: true
+  copy:
+    src: cluster-network-03-config.yml
+    dest: /root/ocpinst/manifests/cluster-network-03-config.yml
+  when: env.ipsec_enabled is defined and env.ipsec_enabled != None and env.ipsec_enabled
+
+- name: List the files in the manifests directory
+  tags: get_ocp
+  become: true
+  command: "ls -lrt /root/ocpinst/manifests/"
+  register: manifests_list
+
+- debug:
+    msg: "{{ manifests_list }}"    
+
+
 - name: Set masters schedulable parameter to false
   tags: get_ocp
   become: true
