From c3e86cc920abf014d74f415fd904a530716cf3c2 Mon Sep 17 00:00:00 2001
From: root
Date: Fri, 14 Mar 2025 11:07:17 +0100
Subject: [PATCH 01/10] Changes for enabling IPSEC Network Config
Signed-off-by: suman-jainkeri
---
 .../default/group_vars/all.yaml.template | 1 +
 .../files/cluster-network-03-config.yml | 8 ++++++++
 roles/get_ocp/tasks/main.yaml | 18 ++++++++++++++++++
 3 files changed, 27 insertions(+)
 create mode 100644 roles/get_ocp/files/cluster-network-03-config.yml
diff --git a/inventories/default/group_vars/all.yaml.template b/inventories/default/group_vars/all.yaml.template
index c4804acb..28c1fa55 100644
--- a/inventories/default/group_vars/all.yaml.template
+++ b/inventories/default/group_vars/all.yaml.template
@@ -200,6 +200,7 @@ env:
 use_ipv6: True
 use_dhcp: False
 setup_openvpn: False
+ ipsec_enabled: False
 #jumphost if network mode is NAT
 jumphost:
diff --git a/roles/get_ocp/files/cluster-network-03-config.yml b/roles/get_ocp/files/cluster-network-03-config.yml
new file mode 100644
index 00000000..e824ee0a
--- /dev/null
+++ b/roles/get_ocp/files/cluster-network-03-config.yml
@@ -0,0 +1,8 @@
+apiVersion: operator.openshift.io/v1
+kind: Network
+metadata:
+ name: cluster
+spec:
+ defaultNetwork:
+ ovnKubernetesConfig:
+ ipsecConfig: {}
diff --git a/roles/get_ocp/tasks/main.yaml b/roles/get_ocp/tasks/main.yaml
index acf61262..0d9d6925 100644
--- a/roles/get_ocp/tasks/main.yaml
+++ b/roles/get_ocp/tasks/main.yaml
@@ -92,6 +92,24 @@
 /root/ocpinst/openshift-install create manifests --dir=/root/ocpinst/
 become: true
+- name: Copy the file when ipsec flag is enabled
+ tags: get_ocp
+ become: true
+ copy:
+ src: cluster-network-03-config.yml
+ dest: /root/ocpinst/manifests/cluster-network-03-config.yml
+ when: env.ipsec_enabled
+
+- name: List the files in the manifests directory
+ tags: get_ocp
+ become: true
+ command: "ls -lrt /root/ocpinst/manifests/"
+ register: manifests_list
+
+- debug:
+ msg: "{{ manifests_list }}"
+
+
 - name: Set masters schedulable parameter to false
 tags: get_ocp
 become: true
From e76d0a02ad0d83065bd408a10032a8471724fd20 Mon Sep 17 00:00:00 2001
From: root
Date: Fri, 14 Mar 2025 11:07:17 +0100
Subject: [PATCH 02/10] Changes for enabling IPSEC Network Config
Signed-off-by: suman-jainkeri
---
 docs/set-variables-group-vars.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/docs/set-variables-group-vars.md b/docs/set-variables-group-vars.md
index d74c6830..f0b27bba 100644
--- a/docs/set-variables-group-vars.md
+++ b/docs/set-variables-group-vars.md
@@ -166,6 +166,7 @@
 **env.jumphost.user** | (Optional) The user name to login to the jumphost. | admin
 **env.jumphost.pass** | (Optional) The password for user to login to the jumphost. | ch4ngeMe!
 **env.jumphost.path_to_keypair** | (Optional) The absolute path to the public key file on the jumphost to be copied to the bastion. | /home/admin/.ssh/id_rsa.pub
+**env.ipsec_enabled** | If IPSEC network configuration has to be enabled, this flag should be set to True, default value is set to False. | False
 ## 12 - OCP and RHCOS (CoreOS)
 * These parameters are responsible which version of OCP, RHCOS and os variant AOP is using. The default value is 'latest' for s390x architecture. I you want to install a different version or a different architecture you need to specify specify the following parameters in all.yaml file:
From 6472e990d94d5b10e3df91c5701e3292a84844df Mon Sep 17 00:00:00 2001
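Review bot: The two tasks added after the copy task — `command: "ls -lrt /root/ocpinst/manifests/"` registered as `manifests_list`, and the `debug` that prints the whole registered result — read as leftover troubleshooting: the `command` task reports `changed` on every run, runs even when `env.ipsec_enabled` is unset, and the debug dumps the full result dict (cmd, rc, stderr, timing) rather than the listing. If the listing is meant to stay in the log, make it read-only and print only the lines with `changed_when: false` on the command task and `msg: "{{ manifests_list.stdout_lines }}"`; otherwise drop both tasks. The copy task would also benefit from an explicit `mode: "0644"` for the written manifest, since without it the file's permissions depend on the remote umask. The preceding task whose `become: true` closes this hunk starts outside the hunk.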
From: jpattara
Date: Thu, 13 Mar 2025 16:28:17 +0530
Subject: [PATCH 03/10] Retries updation of hcp pods (#394)
Updated the retries to 40 for all pods to be in Running State in Hosted Control Plane Namespace.
---------
Signed-off-by: root
Co-authored-by: root
Co-authored-by: root
Signed-off-by: suman-jainkeri
---
 roles/create_hcp_InfraEnv/tasks/main.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/create_hcp_InfraEnv/tasks/main.yaml b/roles/create_hcp_InfraEnv/tasks/main.yaml
index ab4274bf..eee8be68 100644
--- a/roles/create_hcp_InfraEnv/tasks/main.yaml
+++ b/roles/create_hcp_InfraEnv/tasks/main.yaml
@@ -93,7 +93,7 @@
 shell: oc get pods -n {{ hosted_control_plane_namespace }} --no-headers | grep -v 'Running\|Completed\|Terminating' | wc -l
 register: pod_status
 until: pod_status.stdout == '0'
- retries: 30
+ retries: 40
 delay: 10
 - name: Create Pull Secret for Agents
From ad80b9a782c8d5532c11e934d5f573294710407d Mon Sep 17 00:00:00 2001
From: suman-jainkeri
Date: Thu, 3 Apr 2025 20:35:30 +0530
Subject: [PATCH 04/10] Update main.yaml to handle the netset_network_dev
Signed-off-by: suman-jainkeri
---
 roles/boot_LPAR/tasks/main.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/boot_LPAR/tasks/main.yaml b/roles/boot_LPAR/tasks/main.yaml
index 34fab680..365e2ab9 100644
--- a/roles/boot_LPAR/tasks/main.yaml
+++ b/roles/boot_LPAR/tasks/main.yaml
@@ -65,7 +65,7 @@
 --netset_ip {{ node.networking.ip }} \
 --netset_gateway {{ node.networking.gateway }} \
 --netset_network_type osa \
- --netset_network_device "{{ node.lpar.networking.nic.card1.dev_num }}" \
+ --netset_network_device "{{ node.lpar.networking.nic.osa_card.dev_num }}" \
 --netset_password {{ node.lpar.livedisk.livedisk_root_pass }} \
 --netset_dns "{{ node.networking.nameserver1 }},{{ node.networking.nameserver2 }}" \
 --log_level DEBUG \
From 4d0318e5e449c00e89a991b919188f528e3aa709 Mon Sep 17 00:00:00 2001
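Review bot: This hunk renames only the first `--netset_network_device` argument (line 68) from `nic.card1.dev_num` to `nic.osa_card.dev_num`, the identical invocation at line 98 is renamed separately in patch 05, and patch 07 then reverts both (its index line returns to blob 34fab680), so patches 04, 05 and 07 net to no change in roles/boot_LPAR/tasks/main.yaml and should be squashed out of the series — or, if the rename is wanted, done for both invocations in one commit whose message states which inventory key is the supported one. Separately, the same command line passes `--netset_password {{ node.lpar.livedisk.livedisk_root_pass }}`; the task header and module are outside the hunk, but if this runs through `shell`/`command` without `no_log: true`, the root password is echoed in Ansible output and logs, which is worth confirming while the task is being touched.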
From: suman-jainkeri
Date: Thu, 3 Apr 2025 20:39:58 +0530
Subject: [PATCH 05/10] Update main.yaml
Signed-off-by: suman-jainkeri
---
 roles/boot_LPAR/tasks/main.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/boot_LPAR/tasks/main.yaml b/roles/boot_LPAR/tasks/main.yaml
index 365e2ab9..54ea837c 100644
--- a/roles/boot_LPAR/tasks/main.yaml
+++ b/roles/boot_LPAR/tasks/main.yaml
@@ -95,7 +95,7 @@
 --netset_ip {{ node.networking.ip }} \
 --netset_gateway {{ node.networking.gateway }} \
 --netset_network_type osa \
- --netset_network_device "{{ node.lpar.networking.nic.card1.dev_num }}" \
+ --netset_network_device "{{ node.lpar.networking.nic.osa_card.dev_num }}" \
 --netset_password {{ node.lpar.livedisk.livedisk_root_pass }} \
 --netset_dns "{{ node.networking.nameserver1 }},{{ node.networking.nameserver2 }}" \
 --log_level DEBUG \
From 651eb5685f8567f86ab6e525f97ad41037ee8772 Mon Sep 17 00:00:00 2001
From: suman-jainkeri
Date: Tue, 29 Apr 2025 14:13:42 +0530
Subject: [PATCH 06/10] Update cluster-network-03-config.yml
I verified IPSec with configuring ipsec mode as Full. Briefly, Full mode is to encrypt pod-to-pod traffic and, optionally, traffic to external hosts. Cluster came up and verified if IPSEC is enabled [root@t313lp32 ~]# oc -n openshift-ovn-kubernetes rsh ovnkube-node-2vgkm ovn-nbctl --no-leader-only get nb_global . ipsec Defaulted container "ovn-controller" out of: ovn-controller, ovn-acl-logging, kube-rbac-proxy-node, kube-rbac-proxy-ovn-metrics, northd, nbdb, sbdb, ovnkube-controller, kubecfg-setup (init) true From above output it's evident that IPSec is enabled. With the above verification procedure, you can verify that IPsec is enabled between pods on your cluster when IPsec is configured in Full mode.
Signed-off-by: suman-jainkeri
---
 roles/get_ocp/files/cluster-network-03-config.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/roles/get_ocp/files/cluster-network-03-config.yml b/roles/get_ocp/files/cluster-network-03-config.yml
index e824ee0a..4fb53bd2 100644
--- a/roles/get_ocp/files/cluster-network-03-config.yml
+++ b/roles/get_ocp/files/cluster-network-03-config.yml
@@ -5,4 +5,5 @@ metadata:
 spec:
 defaultNetwork:
 ovnKubernetesConfig:
- ipsecConfig: {}
+ ipsecConfig:
+ mode: Full
From d4f2dfe7fe694066da52ddd7e9636063ba69ca12 Mon Sep 17 00:00:00 2001
From: suman-jainkeri
Date: Tue, 29 Apr 2025 14:15:12 +0530
Subject: [PATCH 07/10] Update main.yaml
Signed-off-by: suman-jainkeri
---
 roles/boot_LPAR/tasks/main.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/roles/boot_LPAR/tasks/main.yaml b/roles/boot_LPAR/tasks/main.yaml
index 54ea837c..34fab680 100644
--- a/roles/boot_LPAR/tasks/main.yaml
+++ b/roles/boot_LPAR/tasks/main.yaml
@@ -65,7 +65,7 @@
 --netset_ip {{ node.networking.ip }} \
 --netset_gateway {{ node.networking.gateway }} \
 --netset_network_type osa \
- --netset_network_device "{{ node.lpar.networking.nic.osa_card.dev_num }}" \
+ --netset_network_device "{{ node.lpar.networking.nic.card1.dev_num }}" \
 --netset_password {{ node.lpar.livedisk.livedisk_root_pass }} \
 --netset_dns "{{ node.networking.nameserver1 }},{{ node.networking.nameserver2 }}" \
 --log_level DEBUG \
@@ -95,7 +95,7 @@
 --netset_ip {{ node.networking.ip }} \
 --netset_gateway {{ node.networking.gateway }} \
 --netset_network_type osa \
- --netset_network_device "{{ node.lpar.networking.nic.osa_card.dev_num }}" \
+ --netset_network_device "{{ node.lpar.networking.nic.card1.dev_num }}" \
 --netset_password {{ node.lpar.livedisk.livedisk_root_pass }} \
 --netset_dns "{{ node.networking.nameserver1 }},{{ node.networking.nameserver2 }}" \
 --log_level DEBUG \
From 292df62a2794cc8df58ecca4c79d8b5eb1f077d0 Mon Sep 17 00:00:00 2001
From: suman-jainkeri
Date: Tue, 29 Apr 2025 18:47:21 +0530
Subject: [PATCH 08/10] Update all.yaml.template
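Review bot: `mode: Full` is hard-coded in a static file that the get_ocp role copies verbatim, and to my knowledge the `ipsecConfig.mode` field (`Disabled`, `External`, `Full`) only exists on OpenShift releases that introduced it, whereas the earlier `ipsecConfig: {}` form this commit replaces was the way to enable IPsec on older releases — so on an older OCP version, which this playbook lets the user select, the manifest may be rejected or silently ignored. Either document the requirement in a header comment in the file, e.g. `# Requires an OCP release that supports ipsecConfig.mode; older releases use ipsecConfig: {}`, or render the file as a template so `mode` comes from an inventory variable such as `env.ipsec_mode` defaulting to `Full`, since `External` (encrypt only traffic to external hosts) is the other meaningful setting. The verification steps in the commit message would be more useful in docs/set-variables-group-vars.md than only in the commit.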
Signed-off-by: suman-jainkeri
---
 inventories/default/group_vars/all.yaml.template | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/inventories/default/group_vars/all.yaml.template b/inventories/default/group_vars/all.yaml.template
index 28c1fa55..aa4e5f46 100644
--- a/inventories/default/group_vars/all.yaml.template
+++ b/inventories/default/group_vars/all.yaml.template
@@ -200,7 +200,9 @@ env:
 use_ipv6: True
 use_dhcp: False
 setup_openvpn: False
- ipsec_enabled: False
+
+# Uncomment the line below to enable IPSec network configuration.
+# ipsec_enabled: true
 #jumphost if network mode is NAT
 jumphost:
From b77eb54582c9e643fa9a0c1c16d812b2d0d02b08 Mon Sep 17 00:00:00 2001
From: suman-jainkeri
Date: Tue, 29 Apr 2025 18:53:12 +0530
Subject: [PATCH 09/10] Update main.yaml
Signed-off-by: suman-jainkeri
---
 roles/get_ocp/tasks/main.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/get_ocp/tasks/main.yaml b/roles/get_ocp/tasks/main.yaml
index 0d9d6925..53066679 100644
--- a/roles/get_ocp/tasks/main.yaml
+++ b/roles/get_ocp/tasks/main.yaml
@@ -98,7 +98,7 @@
 copy:
 src: cluster-network-03-config.yml
 dest: /root/ocpinst/manifests/cluster-network-03-config.yml
- when: env.ipsec_enabled
+ when: env.ipsec_enabled is defined and env.ipsec_enabled != None and env.ipsec_enabled
 - name: List the files in the manifests directory
 tags: get_ocp
From 7f3d22ded4521ee67ef0be0bfe3978c300008e35 Mon Sep 17 00:00:00 2001
From: suman-jainkeri
Date: Tue, 29 Apr 2025 18:58:36 +0530
Subject: [PATCH 10/10] Update set-variables-group-vars.md
Signed-off-by: suman-jainkeri
---
 docs/set-variables-group-vars.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/set-variables-group-vars.md b/docs/set-variables-group-vars.md
index f0b27bba..1baac707 100644
--- a/docs/set-variables-group-vars.md
+++ b/docs/set-variables-group-vars.md
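Review bot: Commenting out `ipsec_enabled: False` leaves the key undefined in the default inventory, so the consumer in roles/get_ocp/tasks/main.yaml now needs an `is defined` guard and the default is no longer visible in the rendered variables; an explicit `ipsec_enabled: False` next to the comment is simpler and matches how the neighbouring `use_dhcp: False` and `setup_openvpn: False` are written. The commented example also uses lowercase `true` while the rest of this `env:` block uses `True`/`False` — both are valid YAML 1.1 booleans, but the file should stay consistent. Suggested replacement for the three added lines: `# Set to True to enable IPSec network configuration.` followed by `ipsec_enabled: False`.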
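Review bot: `when: env.ipsec_enabled is defined and env.ipsec_enabled != None and env.ipsec_enabled` is the long form of a default-and-cast, and it still copies the manifest when a user edits the template to `ipsec_enabled: "false"`, because the trailing bare `env.ipsec_enabled` is plain truthiness on a non-empty string; `!= None` is also not the Jinja idiom (`is not none`). The idiomatic condition is `when: env.ipsec_enabled | default(false) | bool`, which covers the undefined, null, boolean and string cases in one expression. The task's `name:`/`tags:` header is outside the hunk.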
@@ -166,7 +166,7 @@
 **env.jumphost.user** | (Optional) The user name to login to the jumphost. | admin
 **env.jumphost.pass** | (Optional) The password for user to login to the jumphost. | ch4ngeMe!
 **env.jumphost.path_to_keypair** | (Optional) The absolute path to the public key file on the jumphost to be copied to the bastion. | /home/admin/.ssh/id_rsa.pub
-**env.ipsec_enabled** | If IPSEC network configuration has to be enabled, this flag should be set to True, default value is set to False. | False
+**env.ipsec_enabled** | (Optional) If IPSEC network configuration has to be enabled, this flag should be set to true |
 ## 12 - OCP and RHCOS (CoreOS)
 * These parameters are responsible which version of OCP, RHCOS and os variant AOP is using. The default value is 'latest' for s390x architecture. I you want to install a different version or a different architecture you need to specify specify the following parameters in all.yaml file: