OpenShift Request For Enhancement: RFE-8409

Add WireGuard VPN Support for OpenShift Container Platform Network Encryption


    • Type: Feature Request
    • Resolution: Unresolved
    • Priority: Normal
    • all
    • Component: Network - Core
    • Product / Portfolio Work

      What is the Nature and Description of the Request?

      OpenShift Container Platform currently provides Libreswan/IPsec as the supported mechanism for encrypting data in motion between cluster nodes and external systems (as documented in the OpenShift 4.19 Network Security guide). While IPsec meets functional requirements, enterprise customers require an officially supported, production-ready WireGuard implementation as an alternative VPN technology for securing OpenShift network traffic.

      Current State:

      • WireGuard remains Technology Preview in RHEL 9.4 and RHEL 9.6 (underlying RHCOS for OCP 4.16-4.19)
      • Technology Preview status excludes WireGuard from production use and compliance workloads
      • Customers requiring PCI-DSS, FIPS, or other regulatory compliance cannot use Technology Preview features
      • No GA timeline exists for WireGuard promotion in RHEL/RHCOS

      Requested Enhancement: Promote WireGuard to fully supported, GA status for OpenShift Container Platform with:

      1. Full support lifecycle matching other networking features
      2. Integration with Cluster Network Operator (CNO) similar to existing IPsec implementation
      3. NMState policy management for declarative WireGuard configuration
      4. Documented encryption modes:
        • Disabled (default)
        • Full (pod-to-pod + optional external)
        • External-only
      5. GitOps-compatible deployment via manifests and operators
      6. Upgrade path support with proper version compatibility across OpenShift releases
      7. FIPS mode compatibility for regulated environments
      8. Complete documentation including installation, configuration, troubleshooting

      Why Does the Customer Need This? (Business Requirements)

      Compliance and Regulatory Requirements

      PCI-DSS Compliance:

      • Customers processing payment card data require cryptographic protection of cardholder data in transit
      • Technology Preview features fail PCI compliance audits because Red Hat provides no production SLA
      • Current status blocks OpenShift adoption for PCI-regulated workloads requiring modern VPN

      Federal and Defense Sector:

      • Government agencies increasingly standardize on WireGuard for its formal security verification
      • DoD and intelligence community environments prefer WireGuard's smaller attack surface
      • Current Technology Preview status prevents adoption in classified and controlled unclassified environments

      Industry-Specific Regulations:

      • Healthcare (HIPAA): ePHI transmission security requires supported encryption mechanisms
      • Financial Services (SOX, GLBA): Audit requirements mandate vendor-supported security controls
      • European Data Protection (GDPR): Data protection by design requires production-grade encryption

      Technical and Operational Benefits

      Performance Advantages:

      • WireGuard demonstrates 15-30% lower CPU overhead compared to IPsec in benchmarks
      • Reduced latency critical for high-frequency trading, real-time analytics, edge computing workloads
      • Better throughput on resource-constrained edge nodes running MicroShift

      Simplified Configuration:

      • WireGuard's ~4,000 lines of code vs IPsec's ~400,000+ lines reduces configuration complexity
      • Fewer configuration errors mean reduced security incidents and operational overhead
      • Faster onboarding for platform teams managing multi-cluster environments

      Security Posture:

      • Smaller codebase reduces attack surface and CVE exposure
      • Modern cryptographic primitives (Noise protocol framework, Curve25519, ChaCha20, Poly1305)
      • Built-in key rotation simplifies compliance with cryptographic key management policies

      Cloud-Native Integration:

      • Container-friendly architecture aligns with Kubernetes networking model
      • Easier integration with service mesh (Istio, OpenShift Service Mesh) for defense-in-depth
      • Better support for hybrid and multi-cloud architectures requiring site-to-site encryption

      Strategic Business Impact

      Customer Retention:

      • Multiple strategic accounts evaluating alternatives due to WireGuard availability in competing platforms
      • Loss of competitive positioning against AWS EKS, Azure AKS offering WireGuard support
      • Risk of customer churn to self-managed Kubernetes distributions with WireGuard

      Market Expansion:

      • Unlocks OpenShift sales in regulated industries currently blocked by compliance gaps
      • Enables edge computing use cases where IPsec overhead is prohibitive
      • Supports IoT and telemetry workloads requiring lightweight encryption

      Total Cost of Ownership:

      • Lower CPU/memory requirements reduce infrastructure costs 15-25% for encryption-heavy workloads
      • Simplified operations reduce support escalations and mean-time-to-resolution
      • Reduced training costs due to simpler configuration model

      Competitive Landscape

      OpenShift's Current Encryption Advantage:

      OpenShift Container Platform currently offers native, fully-supported IPsec encryption for data in motion - a capability that AWS EKS does not provide natively. This represents a significant competitive advantage in the enterprise Kubernetes market.

      EKS Encryption Reality:

      • ✅ OpenShift: Native IPsec with full Red Hat support lifecycle
      • ❌ EKS: NO native encryption for pod-to-pod traffic
      • ❌ EKS: WireGuard ONLY available through unsupported third-party CNI plugins (Cilium, Calico)
      • ❌ EKS: Customers must replace entire CNI stack or accept no support from AWS

      Amazon Linux WireGuard Status:

      • Amazon Linux 2023 has kernel support for WireGuard
      • But: No userland tools (wg-quick, wg) installed by default
      • Result: Manual configuration required with no AWS support

      Strategic Opportunity:

      Adding WireGuard to OpenShift creates a dual encryption advantage:

      1. Choice: Customers can select IPsec (proven, FIPS-certified) OR WireGuard (modern, lightweight) based on workload requirements
      2. Support: Red Hat supports BOTH encryption technologies under production SLA
      3. Simplicity: Single platform, multiple encryption options vs EKS's fragmented ecosystem
      4. Differentiation: "OpenShift offers more native encryption options than AWS EKS"

      Market Positioning Impact:

      Instead of playing catch-up to EKS (which has no native encryption), OpenShift can leapfrog by offering:

      • Proven IPsec for conservative/regulated workloads
      • Modern WireGuard for performance-sensitive edge computing
      • Full Red Hat support for both technologies
      • Documented migration paths between encryption technologies

      This transforms the narrative from "we're missing WireGuard" to "we offer the most comprehensive encryption choice in enterprise Kubernetes."

      Competitive Risk Mitigation:

      Current State (2025-11-03):

      • OpenShift: Native IPsec (supported), WireGuard (Tech Preview)
      • EKS: No native encryption, WireGuard via unsupported third-party CNI only
      • OpenShift advantage: 3+ years and counting

      Potential Threat: AWS could eventually add native WireGuard support, but:

      • Amazon Linux 2023 has had kernel support for 2+ years with no action on userland tools
      • EKS has shown no movement toward native encryption in 3+ years
      • AWS's CNI architecture makes native integration complex
      • Historical pattern: AWS relies on third-party ecosystem for advanced networking

      Our Mitigation:

      • Proactively add WireGuard BEFORE AWS acts
      • Maintain encryption leadership across multiple technologies
      • Build customer lock-in through superior encryption choice and support
      • Document OpenShift encryption advantages in competitive materials

      Sales Enablement:

      This RFE enables competitive positioning:

      • "Unlike EKS, OpenShift offers TWO native, fully-supported encryption technologies"
      • "EKS customers must choose between no encryption or unsupported third-party solutions"
      • "Red Hat supports your encryption choice; AWS makes you choose support OR features"
      • "OpenShift: Encryption built-in. EKS: Encryption bolted-on (maybe)."

      List Any Affected Packages or Components

      Core OpenShift Components

      Cluster Network Operator (CNO):

      • New WireGuard configuration API in Network custom resource
      • WireGuard mode selection alongside existing IPsec modes
      • MachineConfig generation for WireGuard package deployment
      • Systemd unit coordination for WireGuard services

      Machine Config Operator (MCO):

      • Package installation: wireguard-tools, kmod-wireguard (or kernel module)
      • Configuration file management: /etc/wireguard/*.conf
      • Service management: wg-quick@.service, systemd-networkd integration
      • Upgrade coordination: package version alignment across node updates

      NMState / Kubernetes-NMState Operator:

      • WireGuard interface definitions in NMState policies
      • Secret management for private keys and pre-shared keys (PSK)
      • Connection profile management for WireGuard tunnels
      • State reconciliation and drift detection

      OpenShift API Server:

      • API schema updates for WireGuard configuration fields
      • Validation logic for WireGuard-specific parameters
      • Admission webhooks for configuration safety checks

      RHCOS / RHEL Dependencies

      Kernel Module:

      • WireGuard kernel module (kmod-wireguard or in-tree kernel support)
      • Kernel version compatibility across OpenShift lifecycle
      • FIPS mode certification for cryptographic operations

      Userspace Tools:

      • wg CLI tool for manual debugging and troubleshooting
      • wg-quick for streamlined interface configuration
      • Integration with NetworkManager for persistent configuration

      SELinux Policy:

      • WireGuard-specific SELinux contexts and rules
      • Proper labeling for /etc/wireguard/ directory and files
      • Audit policy for security event logging

      Documentation

      Installation Guides:

      • Day 1: Installing OpenShift with WireGuard enabled (install manifests)
      • Day 2: Enabling WireGuard on existing clusters (NMState workflows)
      • Migration: Transitioning from IPsec to WireGuard (zero-downtime procedure)

      Configuration Reference:

      • WireGuard modes and their use cases
      • NMState policy examples for common topologies
      • Encryption algorithm selection and FIPS considerations
      • MTU sizing for WireGuard overhead

      Operations Guides:

      • Key rotation procedures and automation
      • Monitoring and observability (metrics, logs, alerts)
      • Troubleshooting common WireGuard issues
      • Performance tuning recommendations

      Security Guides:

      • Integration with compliance frameworks (PCI, HIPAA, FedRAMP)
      • Multi-tenancy considerations and network isolation
      • External connectivity patterns (cloud VPN integration)
      • Certificate vs PSK authentication models

      Testing and Quality Assurance

      Functional Tests:

      • Pod-to-pod encryption verification across nodes
      • External connectivity through WireGuard tunnels
      • Mode transitions (disabled → full → external-only)
      • Multi-cluster federation scenarios
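      The kind of tunnel health check the Operations Guides (monitoring, troubleshooting) and the pod-to-pod encryption verification test above call for, as an added example that is not part of this RFE nor OpenShift, NMState or WireGuard project code. It parses the output of the `wg show <iface> dump` command (the `wg` tool the RFE lists) and flags peers whose session has expired or never came up; the dump below is constructed and its key strings are placeholders.

```python
"""Flag unhealthy node-to-node WireGuard tunnels from `wg show <iface> dump` output.
Added example for this RFE, not OpenShift, NMState or WireGuard project code.
Assumes the wireguard-tools dump format: a tab-separated interface row
(private-key, public-key, listen-port, fwmark), then one row per peer (public-key,
preshared-key, endpoint, allowed-ips, latest-handshake, transfer-rx, transfer-tx,
persistent-keepalive)."""
from dataclasses import dataclass

# WireGuard stops using a session 180 s after the handshake that created it
# (REJECT_AFTER_TIME); a peer with no newer handshake cannot currently exchange traffic.
REJECT_AFTER_TIME = 180

@dataclass
class Peer:
    public_key: str
    endpoint: str
    allowed_ips: str
    latest_handshake: int  # epoch seconds; 0 means no handshake has ever completed
    rx_bytes: int
    tx_bytes: int

def parse_wg_dump(dump: str) -> list[Peer]:
    """Return the peer rows of a dump, skipping the leading interface row."""
    peers = []
    for line in dump.strip().splitlines()[1:]:
        pub, _psk, endpoint, allowed, hs, rx, tx, _keepalive = line.split("\t")
        peers.append(Peer(pub, endpoint, allowed, int(hs), int(rx), int(tx)))
    return peers

def tunnel_problems(dump: str, now: int, max_age: int = REJECT_AFTER_TIME) -> dict[str, str]:
    """Map each unhealthy peer's public key to the reason it was flagged."""
    problems = {}
    for p in parse_wg_dump(dump):
        if p.latest_handshake == 0:
            problems[p.public_key] = f"no handshake ever completed with {p.endpoint}"
        elif now - p.latest_handshake > max_age:
            problems[p.public_key] = f"last handshake {now - p.latest_handshake}s ago (> {max_age}s)"
        elif p.rx_bytes == 0:
            problems[p.public_key] = "handshake ok but no encrypted traffic received"
    return problems

# Constructed sample: one local interface and three cluster-node peers; keys are placeholders.
NOW = 1_700_000_000
SAMPLE_DUMP = "\n".join("\t".join(r) for r in [
    ["PRIVKEY_PLACEHOLDER", "PUBKEY_LOCAL", "51820", "off"],
    ["PUBKEY_NODE1", "(none)", "10.0.0.11:51820", "10.128.0.0/23", str(NOW - 45), "4096", "8192", "off"],
    ["PUBKEY_NODE2", "(none)", "10.0.0.12:51820", "10.128.2.0/23", "0", "0", "148", "25"],
    ["PUBKEY_NODE3", "(none)", "10.0.0.13:51820", "10.128.4.0/23", str(NOW - 900), "100", "200", "off"],
])
```

      Run against a live node with `tunnel_problems(subprocess.check_output(["wg", "show", "wg0", "dump"], text=True), int(time.time()))`; an empty result means every peer has a current session and has received traffic.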

      Performance Tests:

      • Throughput benchmarks vs IPsec baseline
      • CPU/memory overhead measurements
      • Latency impact analysis
      • Scale testing (number of peers, connection churn)

      Security Tests:

      • FIPS mode validation
      • Cryptographic algorithm verification
      • Key management security audit
      • CVE scanning and vulnerability assessment

      Upgrade Tests:

      • Version compatibility across OpenShift releases
      • Package upgrade coordination with MCO
      • Configuration preservation during upgrades
      • Rollback procedures and data safety

      mcurry@redhat.com Marc Curry
      rhn-support-gvaughn Grimm Greysson