Enable IPsec #886
Enable IPsec #886
Conversation
openshift-ci-robot
added
the
do-not-merge/work-in-progress
markdgray
force-pushed
the
ipsec
branch
4 times, most recently
from
ea3bf7a
to
4b52955
Compare
|
@squeed @rcarrillocruz @trozet @alexanderConstantinescu @danwinship @abhat : @dcbw suggested adding you for review |
openshift-ci-robot
removed
the
do-not-merge/work-in-progress
|
As per https://github.com/openshift/api/pull/783/files#r528769454, consider the |
|
/hold |
openshift-ci-robot
added
the
do-not-merge/hold
|
How do we handle certificate rotation? What happens if a node misses its rotation deadline? |
We don't. I think we will need this but we can't use the cert rotation controller for this. I also don't think this was specified as part of the enhancement proposal. I could make the certificates have a long lifespan initially? Restarting the container will, of course, recreate and resign but as you mentioned, that Daemonset will be going away. |
|
@squeed Thanks for the quick review! |
@abhat openshift/api#794 I will update this PR when/if this gets accepted |
|
Handling all controller states is tricky - and it doesn't need to be perfect, since this isn't a user-facing API. In other words, we don't really need to worry about every possible invalid state. But we should handle the case where we find an approved, unsigned certificate. |
In order to keep private keys private to nodes, this patch introduces a basic CertificateSigningRequest controller to CNO. This allows a client to generate a cert/private key pair locally and request for the certificate to be signed by a CNO CA. This signer used the OperatorPKI to generate a new CA (signer-ca) that is rotated. Signed-off-by: Mark Gray <mark.d.gray@redhat.com>
This patch introduces IPsec enablement for the Cluster Network Operator using the OVN IPsec functionality. A new Daemonset is created that hosts libreswan and ovs-monitor-ipsec which watch for changes in OVN/OVS configuration and update the Linux XFRM framework appropriately. This patch also modifies the ovnkube-master Daemonset to enable IPsec across the cluster. This is done by writing a configuration option to the NB DB. The patch also modifies the the ovs-node Daemonset to generate a key pair on initialization, and request for that keypair to be signed by the signer-ca. IPsec should only be configurable at cluster installation time. Signed-off-by: Mark Gray <mark.d.gray@redhat.com>
|
/retest |
1 similar comment
|
/retest |
Also done |
Done |
dcbw
removed
the
do-not-merge/hold
|
/test e2e-aws-ovn-windows |
|
/test e2e-aws-ovn-windows |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dcbw, markdgray The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci-robot
added
the
approved
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/override ci/prow/e2e-ovn-ipsec-step-registry |
|
@dcbw: Overrode contexts on behalf of dcbw: ci/prow/e2e-ovn-ipsec-step-registry In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/test e2e-openstack-ovn |
|
/retest |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
@markdgray: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
This PR enables IPsec for the Cluster Network Operator. There are a number of components to this:
This PR is dependent on a number changes in other projects that have not been merged:
This PR has been minimally tested with IPsec enabled but will require the kernel patch for full testing by the CI (which may throw up some issues). However, this should pass the current CI as IPsec is disabled by default and cannot be enabled after cluster initialization.