Fix IPsec for IPv6 overlays

[antoninbas]

When using IPv6, the IPsec configuration (ipsec.conf) generated by
ovs-monitor-ipsec for strongSwan is currently not correct. A patch has
been submitted upstream, but until it is accepted and merged, we apply a
temporary version of the patch.

This was tested for a VXLAN overlay in an IPv6-only cluster.

Fixes #3151

Signed-off-by: Antonin Bas abas@vmware.com

[codecov-commenter]

Codecov Report

Merging #3155 (62598ee) into main (4db3c18) will decrease coverage by 10.33%.
The diff coverage is n/a.

@@             Coverage Diff             @@
##             main    #3155       +/-   ##
===========================================
- Coverage   65.32%   54.99%   -10.34%     
===========================================
  Files         268      374      +106     
  Lines       26903    51533    +24630     
===========================================
+ Hits        17574    28339    +10765     
- Misses       7417    20747    +13330     
- Partials     1912     2447      +535     

Flag	Coverage Δ
e2e-tests	53.56% <ø> (?)
integration-tests	35.83% <ø> (?)
kind-e2e-tests	55.86% <ø> (+0.13%)	⬆️
unit-tests	42.44% <ø> (-0.03%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
pkg/agent/cniserver/pod_configuration_linux.go	26.31% <0.00%> (-40.36%)	⬇️
pkg/controller/ipam/antrea_ipam_controller.go	48.71% <0.00%> (-31.57%)	⬇️
pkg/controller/networkpolicy/endpoint_querier.go	61.46% <0.00%> (-29.97%)	⬇️
pkg/controller/egress/controller.go	62.19% <0.00%> (-26.26%)	⬇️
pkg/controller/ipam/validate.go	57.95% <0.00%> (-24.31%)	⬇️
pkg/agent/cniserver/ipam/antrea_ipam.go	55.55% <0.00%> (-23.62%)	⬇️
pkg/agent/cniserver/ipam/antrea_ipam_controller.go	55.93% <0.00%> (-23.59%)	⬇️
pkg/agent/util/iptables/lock.go	60.00% <0.00%> (-21.82%)	⬇️
pkg/controller/egress/store/egressgroup.go	37.93% <0.00%> (-21.80%)	⬇️
pkg/controller/externalippool/validate.go	55.17% <0.00%> (-21.02%)	⬇️
... and 335 more

[luolanzone]

should we also check the OVS version here for this patch?

[luolanzone]

one question which is not related with this PR, I am wondering which one is the correct IPsec or IPSec? I saw both in our documents or codes.

[antoninbas]

• I think this patch can be applied to all OVS versions currently supported by this script
• I believe the most "correct" one is IPsec, and we should try to standardize on this one

[luolanzone]

thanks, I will check and update IPSec to IPsec in a separate PR. I am thinking maybe we can standardize some abbrs words and common review rules and document them in our contributing.md, any suggestion? below are two main things I noticed:

1. Make sure all K8s related words start with upper case.
2. some abbrs. like IPsec Antrea etc.

[antoninbas]

Sounds good to me

[jianjuns]

Thanks for the fix!

[antoninbas]

Update on this: my OVS patch has been merged upstream and backported to the 2.15 release train (openvswitch/ovs@e59194b). I am tempted to drop this PR, wait until OVS 2.15.4 is released and then update the OVS version in Antrea to 2.15.4. I will make a decision before the Antrea v1.6 release freeze.

[antoninbas]

No OVS 2.15.4 release yet, so I'm merging this for v1.6

[antoninbas]

/test-all
/test-ipv6-only-all
/test-ipv6-all

[antoninbas]

/test-e2e
/test-ipv6-only-e2e

[antoninbas]

/test-ipv6-only-e2e

[antoninbas]

I forgot that jenkins-ipv6-only was broken because of #3437. Merging this.