CORENET-5972: Add openvswitch-ipsec package into ipsec plugin #4878
Conversation
|
/retest-required |
1 similar comment
|
/retest-required |
pperiyasamy
force-pushed
the
openvswitch-ipsec
branch
from
e71356f to
d7215d0
Compare
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: pperiyasamy The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/assign @igsilya |
pperiyasamy
changed the title
openshift-ci-robot
added
the
jira/valid-reference
|
@pperiyasamy: This pull request references SDN-5330 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.19.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
pperiyasamy
force-pushed
the
openvswitch-ipsec
branch
3 times, most recently
from
be4805f to
752fd3c
Compare
|
/assign @jcaamano |
|
/retest |
pperiyasamy
force-pushed
the
openvswitch-ipsec
branch
from
752fd3c to
3b34da7
Compare
|
/assign @huiran0826 @anuragthehatter @tssurya |
|
@pperiyasamy: This pull request references SDN-5330 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.19.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
pperiyasamy
force-pushed
the
openvswitch-ipsec
branch
from
3b34da7 to
7c78630
Compare
| if systemctl is-active --quiet $ovsipsecsvc; then | ||
| # When openvswitch-ipsec.service is active (i.e. IPsec is enabled for | ||
| # east west traffic), the service may be just started before | ||
| # wait-for-ipsec-connect.service, it may take a while to populate | ||
| # /etc/ipsec.d/openshift.conf with IPsec connection entries. | ||
| # so retrieve connection names from ovs. | ||
| desiredconn=$(ovs-vsctl --columns=name find interface type=geneve | awk -F': ' '/name/ {print $2}' | sort | awk '{print $0"-in-1", $0"-out-1"}' | tr '\n' ' ') | ||
| else | ||
| desiredconn=$(grep -E '^\s*conn\s+' /etc/ipsec.d/openshift.conf | grep -v '%default' | awk '{print $2}' | tr ' ' '\n' | sort | tr '\n' ' ') | ||
| fi |
There was a problem hiding this comment.
The ovs-vsctl method should work in both cases, so maybe just always use it instead of parsing openshift.conf?
There was a problem hiding this comment.
@igsilya when ipsec is disabled, openvswitch-ipsec.service is stopped, openvswitch3.5-ipsec package is removed, but /etc/ipsec.d/openshift.conf file is not removed (though file doesn't have ipsec conn entries). so using ovs-vsctl method would just unnecessarily checking for established ipsec connections for 60s which is not configured anyway. that is the reason parsing openshift.conf for this case.
now thinking about moving from Full->External ipsec scenario, node will keep openvswitch-ipsec.service running, script uses ovs-vsctl method and unnecessarily adds 60s delay.
There was a problem hiding this comment.
If ipsec is disabled in OVN, then those tunnels should not have ipsec configuration. Can we filter by remote_cert being non-empty, for example? Something like:
ovs-vsctl --columns=name find interface type=geneve options:remote_cert!='""'
?
There was a problem hiding this comment.
yes @igsilya, filtering tunnels on remote_name would handle both cases, thanks ! updated the script.
pperiyasamy
force-pushed
the
openvswitch-ipsec
branch
3 times, most recently
from
c8463d1 to
969b039
Compare
|
/retest |
pperiyasamy
changed the title
|
@pperiyasamy: This pull request references CORENET-5972 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.19.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
The ipsec os extension is updated to install openvswitch-ipsec package in addition to libreswan and NetworkManager-libreswan packages, so this commit updates supported extension map with openvswitch-ipsec package. Note that this openvswitch-ipsec package name must be updated for every OVS x.y version bump which may be done for every OCP release. Signed-off-by: Periyasamy Palanisamy <[email protected]>
The openvswitch-ipsec must be started only after ipsec.service and it has to be up before crio and kubelet service, so add appropriate systemd service dependencies for openvswitch-ipsec.service. It also removes a workaround that was needed in ipsec-connect-wait script to explicitly trigger pluto to establish IPSec IKE SAs with peer nodes when openvswitch-ipsec.service is already running on the node. Signed-off-by: Periyasamy Palanisamy <[email protected]>
pperiyasamy
force-pushed
the
openvswitch-ipsec
branch
from
969b039 to
815640a
Compare
When openvswith-ipsec systemd service is already configured for OVN, then let wait-for-ipsec-connect.service start it immediately and then start waiting for IKE SA to be established. Signed-off-by: Periyasamy Palanisamy <[email protected]>
|
@pperiyasamy: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
The ipsec os extension (openshift/os#1718) is updated to include
openvswitch3.5-ipsecpackage in addition tolibreswanandNetworkManager-libreswanpackages in the ipsec os extension, so this PR updates supported extension map withopenvswitch3.5-ipsecpackage so that it would be installed on the node ipsec extension is rolled out with a machine config. Note that thisopenvswitch3.5-ipsecpackage name must be updated for every OVS version bump which we may need to look out for every OCP major release. We should also explore possibility of using wildcard stringopenvswitch*-ipsecto see if it works. This can avoid update on MCO for every OVS version bump. We are discussing it here: https://redhat-internal.slack.com/archives/C02CZNQHGN8/p1743594990076039.The commit 978484b only gets
openvswitch3.5-ipsecpackage installed on the node, So the CNO PR openshift/cluster-network-operator#2662 getsopenvswitch-ipsec.servicedeployed on the node only when required (i.e. at the time of IPsec deployment). So the commit 3b34da7 adds required service dependencies foropenvswitch-ipsec.service(it must be started only after ipsec.service and it has to be up before crio and kubelet service). It also removes a workaround that was needed in ipsec-connect-wait script to explicitly trigger pluto to establish IPSec IKE SAs withpeer nodes when openvswitch-ipsec.service is already running on the node and adds required wait until
openvswitch-ipsec.servicepopulates/etc/ipsec.d/openshift.conffile.