Goal of this feature is to add support to 

• telemetry
• nmstate ipv6
• nmstate net2net

Why is this important?

• without API, customers are forced to use MCO. this brings with it a set of limitations (mainly reboot per change and the fact that config is shared among each pool, can't do per node configuration)
• better upgrade solution will give us the ability to support a single host based implementation
• telemetry will give us more info on how widely is ipsec used.

Acceptance Criteria

• CI - MUST be running successfully with tests automated
• Release Technical Enablement - Provide necessary release enablement details and documents.
• Must allow for the possibility of offloading the IPsec encryption to a SmartNIC.

• nmstate
• k8s-nmstate
• easier mechanism for cert injection (??)
• telemetry
• improve ci and test coverage
   

Dependencies (internal and external)

1.  nmstate tasks

Related:

• ITUP-44 - OpenShift support for North-South OVN IPSec
• HATSTRAT-33 - Encrypt All Traffic to/from Cluster (aka IPSec as a Service)

Previous Work (Optional):

1. SDN-717 - Support IPSEC on ovn-kubernetes
2. SDN-3604 - Fully supported non-GA N-S IPSec implementation using machine config.

Open questions::

1. …

Done Checklist

• CI - CI is running, tests are automated and merged.
• Release Enablement <link to Feature Enablement Presentation>
• DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
• DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
• DEV - Downstream build attached to advisory: <link to errata>
• QE - Test plans in Polarion: <link or reference to Polarion>
• QE - Automated tests merged: <link or reference to automated tests>
• DOC - Downstream documentation merged: <link to meaningful PR>