
Changes to enable IPSEC Network Configuration #395


Merged
merged 11 commits into from
Apr 29, 2025

Conversation

suman-jainkeri
Contributor

This PR handles the changes to enable IPSEC Network Config changes during the installation.

  • The boolean flag - ipsec_enabled - is added in the all.yaml to enable IPSEC configuration. Default value is False.
  • Maintain the Network config manifest - cluster-network-03-config.yml - in the files/ directory of the get_ocp role.
  • After the manifests are created, an additional Network manifest - cluster-network-03-config.yml - which has the configuration for enabling IPSEC is copied to the manifests directory, only when the ipsec_enabled flag is True.

@suman-jainkeri suman-jainkeri changed the title from "Changes to enabled IPSEC Network Configuration" to "Changes to enable IPSEC Network Configuration" on Mar 17, 2025
Collaborator

@AmadeusPodvratnik AmadeusPodvratnik left a comment


Hi @suman-jainkeri thank you for your PR. Pls see my comment about cluster-network-03-config.yml file.

@AmadeusPodvratnik
Collaborator

@suman-jainkeri Thank you for the PR. Pls see my comments. Thank you.

Collaborator

@AmadeusPodvratnik AmadeusPodvratnik left a comment


Hi @suman-jainkeri Thank you. The PR looks good.

@AmadeusPodvratnik
Collaborator

@suman-jainkeri Pls fix the DCO and pls do a rebase to enable merge.

root and others added 10 commits April 29, 2025 13:49
Updated the retries to 40 for all pods to be in Running State in Hosted
Control Plane Namespace.

---------

Signed-off-by: root <[email protected]>
Co-authored-by: root <[email protected]>
Co-authored-by: root <[email protected]>
Signed-off-by: suman-jainkeri <[email protected]>
Signed-off-by: suman-jainkeri <[email protected]>
I verified IPSec by configuring ipsec mode as Full.
Briefly, Full mode is to encrypt pod-to-pod traffic and, optionally, traffic to external hosts.
The cluster came up and I verified that IPSEC is enabled.

[root@t313lp32 ~]# oc -n openshift-ovn-kubernetes rsh ovnkube-node-2vgkm ovn-nbctl --no-leader-only get nb_global . ipsec
Defaulted container "ovn-controller" out of: ovn-controller, ovn-acl-logging, kube-rbac-proxy-node, kube-rbac-proxy-ovn-metrics, northd, nbdb, sbdb, ovnkube-controller, kubecfg-setup (init)
true

From the above output it's evident that IPSec is enabled.
With the above verification procedure, you can verify that IPsec is enabled between pods on your cluster when IPsec is configured in Full mode.

Signed-off-by: suman-jainkeri <[email protected]>
Signed-off-by: suman-jainkeri <[email protected]>
Signed-off-by: suman-jainkeri <[email protected]>
Signed-off-by: suman-jainkeri <[email protected]>
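As an added example (not code from this PR or the IBM repository) of the two pieces described above: the conditional copy of cluster-network-03-config.yml from the PR description, and the nb_global ipsec check from the commit message, written as Ansible tasks. The manifest body, the manifests_dir variable, the task file name and the pod lookup by label are assumptions; ipsecConfig.mode: Full is the OpenShift Network operator setting for Full mode.

```yaml
# files/cluster-network-03-config.yml (assumed content; the PR's own file is not shown here).
# Sets the OVN-Kubernetes IPsec mode to Full so pod-to-pod traffic is encrypted.
apiVersion: operator.openshift.io/v1
kind: Network
metadata:
  name: cluster
spec:
  defaultNetwork:
    type: OVNKubernetes
    ovnKubernetesConfig:
      ipsecConfig:
        mode: Full
---
# tasks/ipsec.yml (assumed file name and manifests_dir variable)
- name: Copy the IPsec network manifest into the install manifests directory
  ansible.builtin.copy:
    src: cluster-network-03-config.yml            # resolved from files/ of the role
    dest: "{{ manifests_dir }}/cluster-network-03-config.yml"
    mode: "0644"
  # Cast to bool so a quoted "False" in all.yaml is not treated as truthy.
  when: ipsec_enabled | default(false) | bool

- name: Read the nb_global ipsec flag from one ovnkube-node pod
  ansible.builtin.shell: |
    set -o pipefail
    pod=$(oc -n openshift-ovn-kubernetes get pods -l app=ovnkube-node \
          -o jsonpath='{.items[0].metadata.name}')
    # -c ovn-controller avoids the "Defaulted container" notice seen in the manual check
    oc -n openshift-ovn-kubernetes rsh -c ovn-controller "$pod" \
      ovn-nbctl --no-leader-only get nb_global . ipsec
  args:
    executable: /bin/bash
  register: ovn_ipsec
  changed_when: false
  when: ipsec_enabled | default(false) | bool

- name: Fail if IPsec was requested but is not enabled in the OVN northbound DB
  ansible.builtin.assert:
    that:
      - ovn_ipsec.stdout_lines[-1] == "true"
    fail_msg: "ipsec_enabled is true but nb_global.ipsec is {{ ovn_ipsec.stdout_lines[-1] }}"
  when: ipsec_enabled | default(false) | bool
```

The verification tasks only make sense after the cluster is reachable with a working kubeconfig, so they belong after the install wait, not next to the manifest copy.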
@AmadeusPodvratnik AmadeusPodvratnik merged commit 8fb9024 into IBM:main Apr 29, 2025