openshift · dfitzmau · Dec 10, 2024 · Nov 28, 2024
diff --git a/modules/nw-ovn-ipsec-disable.adoc b/modules/nw-ovn-ipsec-disable.adoc
@@ -8,6 +8,11 @@
 
 As a cluster administrator, you can disable IPsec encryption only if you enabled IPsec after cluster installation.
 
+[IMPORTANT]
+====
+After disabling IPsec, you must delete the associated IPsec daemonsets pods. If you do not delete these pods, you might experience issues with your cluster.
+====
+
 .Prerequisites
 
 * Install the OpenShift CLI (`oc`).
@@ -23,24 +28,47 @@ $ oc patch networks.operator.openshift.io/cluster --type=json \
   -p='[{"op":"remove", "path":"/spec/defaultNetwork/ovnKubernetesConfig/ipsecConfig"}]'
 ----
 
-. Optional: You can increase the size of your cluster MTU by `46` bytes because there is no longer any overhead from the IPsec ESP header in IP packets.
+. To find the name of the OVN-Kubernetes data plane pod that exists on the `master` node in your cluster, enter the following command:
++
+[source,terminal]
+----
+$ oc get pods -n openshift-ovn-kubernetes -l=app=ovnkube-master
+----
++
+.Example output
+[source,terminal]
+----
+ovnkube-master-5xqbf                      8/8     Running   0              28m
+...
+----
 
-. Verify that IPsec is disabled on your cluster:
+. Verify that the `master` node in your cluster has IPsec disabled by entering the following command. The command output must state `false` to indicate that the node has IPsec disabled.
 +
 [source,terminal]
 ----
-$ oc -n openshift-ovn-kubernetes -c nbdb rsh ovnkube-master-<XXXXX> \
-  ovn-nbctl --no-leader-only get nb_global . ipsec
+$ oc -n openshift-ovn-kubernetes -c nbdb rsh ovnkube-master-<pod_number_sequence> \// <1>
+  ovn-nbctl --no-leader-only get nb_global . ipsec 
 ----
+<1> Replace `<pod_number_sequence>` with the random sequence of letters, such as `5xqbf`, for the data plane pod from the previous step.
+
+. To remove the IPsec `ovn-ipsec` daemonset pod from the `openshift-ovn-kubernetes` namespace on the node, enter the following command:
 +
---
-where:
+[source,terminal]
+----
+$ oc delete daemonset ovn-ipsec -n openshift-ovn-kubernetes <1>
+----
+<1> The `ovn-ipsec` daemonset configures IPsec connections for east-west traffic on the node.
 
-`<XXXXX>`:: Specifies the random sequence of letters for a pod from the previous step.
---
+. Verify that the `ovn-ipsec` daemonset pod was removed from the all nodes in your cluster by entering the following command. If the command output does not list the pod, the removal operation is successful.
 +
-.Example output
-[source,text]
+[source,terminal]
+----
+$ oc get pods -n openshift-ovn-kubernetes -l=app=ovn-ipsec
 ----
-false
-----
++
+[NOTE]
+====
+You might need to re-run the command for deleting the pod because sometimes the initial command attempt might not delete the pod.
+====
+
+. Optional: You can increase the size of your cluster MTU by `46` bytes because there is no longer any overhead from the IPsec ESP header in IP packets.
diff --git a/modules/nw-ovn-ipsec-enable.adoc b/modules/nw-ovn-ipsec-enable.adoc
@@ -11,8 +11,8 @@ As a cluster administrator, you can enable IPsec encryption after cluster instal
 .Prerequisites
 
 * Install the OpenShift CLI (`oc`).
-* Log in to the cluster with a user with `cluster-admin` privileges.
-* You have reduced the size of your cluster MTU by `46` bytes to allow for the overhead of the IPsec ESP header.
+* Log in to the cluster as a user with `cluster-admin` privileges.
+* You have reduced the size of your cluster maximum transmission unit (MTU) by `46` bytes to allow for the overhead of the IPsec ESP header.
 
 .Procedure
 
@@ -42,22 +42,11 @@ ovnkube-master-hsgmm   6/6     Running   0          122m
 ovnkube-master-qcmdc   6/6     Running   0          122m
 ----
 
-. Verify that IPsec is enabled on your cluste by running the following command:
+. Verify that IPsec is enabled on your cluster by entering the following command. The command output must state `true` to indicate that the node has IPsec enabled.
 +
 [source,terminal]
 ----
-$ oc -n openshift-ovn-kubernetes rsh ovnkube-master-<XXXXX> \
+$ oc -n openshift-ovn-kubernetes rsh ovnkube-master-<pod_number_sequence> \ <1>
   ovn-nbctl --no-leader-only get nb_global . ipsec
 ----
-+
---
-where:
-
-`<XXXXX>`:: Specifies the random sequence of letters for a pod from the previous step.
---
-+
-.Example output
-[source,text]
-----
-true
-----
+<1> Replace `<pod_number_sequence>` with the random sequence of letters, `fvtnh`, for a data plane pod from the previous step.