Feature Overview (aka. Goal Summary)

Ensure that IPsec encryption works with Hosted Clusters. This is to have traffic between nodes encrypted in transit, meeting compliance requirements.

https://docs.openshift.com/container-platform/4.16/networking/network_security/configuring-ipsec-ovn.html

Goals (aka. expected user outcomes)

Customers, primarily cluster administrators of OCP hosted clusters, will have the capability to enable IPsec encryption for node traffic. 

Requirements (aka. Acceptance Criteria)

In parity with standalone IPSec mode. 

Deployment Considerations

• Self-managed, managed, or both: Both
• Classic (standalone cluster): N/A
• Hosted control planes: Applicable
• Multi-node, Compact (three-node), or Single node (SNO), or all: N/A
• Connected / Restricted Network: Applicable to both connected and restricted network environments
• Architectures: x86_x64, ARM (aarch64)
• Operator compatibility: Ensure compatibility with existing cluster operators that manage networking and security
• Backport needed: Evaluate for versions 4.x and above
• UI need: Configuration option in OpenShift Console and OCM
• Other: N/A

Use Cases (Optional)

A cluster administrator enables IPsec encryption for a hosted cluster, and the cluster's traffic is successfully deployed with encrypted node-to-node (East-west) traffic (also North-South) similar to standalone. 

Customer Considerations

• Compliance: Customers in regulated industries (e.g., healthcare, finance) will particularly benefit from this feature, as it helps meet stringent data protection requirements.
• Cost: Customers should be aware of potential increases in resource utilization due to encryption overhead.

Documentation Considerations

If all goes well, standalone documentation can be re-used. Otherwise, if a new way to configure IPsec is exposed for hosted clusters, documentation will be needed.