
Enable IPsec #886

Merged
merged 4 commits into from Dec 4, 2020

Commits on Dec 3, 2020

  1. vendor: Bump API version to use IPsec API changes

    Bump API version to use IPsec API changes.
    
    Signed-off-by: Mark Gray <mark.d.gray@redhat.com>
    markdgray committed Dec 3, 2020 (commit 5930537)
  2. Update CNO CRD to reflect API bump

    Signed-off-by: Mark Gray <mark.d.gray@redhat.com>
    markdgray committed Dec 3, 2020 (commit cc40feb)
  3. Add CertificateSigningRequest controller

    In order to keep private keys private to nodes, this patch
    introduces a basic CertificateSigningRequest controller to CNO. This
    allows a client to generate a cert/private key pair locally
    and request for the certificate to be signed by a CNO CA.
    
    This signer used the OperatorPKI to generate a new CA (signer-ca)
    that is rotated.
    
    Signed-off-by: Mark Gray <mark.d.gray@redhat.com>
    markdgray committed Dec 3, 2020 (commit 6983d5c)
  4. Enable IPsec

    This patch introduces IPsec enablement for the Cluster Network
    Operator using the OVN IPsec functionality.
    
    A new Daemonset is created that hosts libreswan and ovs-monitor-ipsec
    which watch for changes in OVN/OVS configuration and update the
    Linux XFRM framework appropriately.
    
    This patch also modifies the ovnkube-master Daemonset to enable IPsec across
    the cluster. This is done by writing a configuration option to the NB DB.
    
    The patch also modifies the ovs-node Daemonset to generate
    a key pair on initialization, and request for that keypair to be
    signed by the signer-ca.
    
    IPsec should only be configurable at cluster installation time.
    
    Signed-off-by: Mark Gray <mark.d.gray@redhat.com>
    markdgray committed Dec 3, 2020 (commit f8a0217)
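The third commit describes the security property the PR relies on: the node generates its key pair locally and only a CertificateSigningRequest crosses to the operator, so the private key never leaves the node. The Go program below is an added illustration of that flow written for this page; it is not code from cluster-network-operator, and `CA`, `NodeCSR`, `Sign` and `VerifyIssued` are hypothetical names, not the project's OperatorPKI or its CSR controller. It uses only the standard library: the "CA" side verifies the CSR's self-signature (proof of possession of the key), checks the requested subject against an approval list before issuing, and the node side confirms the returned certificate chains to the CA and matches its own key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CA stands in for the operator-side signer (hypothetical; not CNO's OperatorPKI).
type CA struct {
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey // stays with the signer
}

// NewCA creates a self-signed CA such as the "signer-ca" the commit message mentions.
func NewCA(name string) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, key: key}, nil
}

// NodeCSR is the node side: generate a key pair and a DER-encoded CSR for it.
// Only the CSR is returned to be sent anywhere; the key is kept by the caller.
func NodeCSR(nodeName string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: nodeName}}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return key, csrDER, err
}

// Sign is the signer side: verify proof of possession, enforce an approval
// list on the requested subject, then issue a leaf certificate.
func (ca *CA) Sign(csrDER []byte, approved map[string]bool) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR not signed by its own key: %w", err)
	}
	if !approved[csr.Subject.CommonName] {
		return nil, errors.New("subject is not an approved node")
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      csr.Subject, // subject taken from the verified CSR, not trusted blindly elsewhere
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, csr.PublicKey, ca.key)
}

// VerifyIssued is the node's check on what came back: the certificate must
// chain to the CA and must carry the node's own public key.
func VerifyIssued(certDER []byte, ca *CA, key *ecdsa.PrivateKey) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return err
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !pub.Equal(&key.PublicKey) {
		return errors.New("certificate does not match the node's key")
	}
	return nil
}

// RunFlow exercises the whole exchange for one constructed node name.
func RunFlow() error {
	ca, err := NewCA("signer-ca")
	if err != nil {
		return err
	}
	key, csr, err := NodeCSR("node-a") // node-a is a constructed sample name
	if err != nil {
		return err
	}
	cert, err := ca.Sign(csr, map[string]bool{"node-a": true})
	if err != nil {
		return err
	}
	return VerifyIssued(cert, ca, key)
}

func main() {
	if err := RunFlow(); err != nil {
		fmt.Println("flow failed:", err)
		return
	}
	fmt.Println("node certificate issued and verified; private key never left NodeCSR's caller")
}
```

The approval map plays the role an admission check would in a real controller: the signer must decide from something other than the CSR's own contents (here a list of known node names) whether the subject may be issued, since anyone who can submit a CSR can put any name in it.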