Uploaded image for project: 'OpenShift SDN'
  1. OpenShift SDN
  2. SDN-3604

OpenShift North-South IPsec Implementation


    • OpenShift North-South IPsec Implementation
    • False
    • None
    • False
    • Not Selected
    • To Do
    • OCPSTRAT-254 - OVN IPSec support between an OCP cluster and an external provider [N-S]
    • 0% To Do, 0% In Progress, 100% Done
    • ---
    • 0
    • 0

      Epic Goal

      Full support of North-South (cluster egress-ingress) IPsec that shares an encryption back-end with the current East-West implementation, allows for IPsec offload to capable SmartNICs, can be enabled and disabled at runtime, and allows for FIPS compliance (including install-time configuration and disabling of runtime configuration).

      Why is this important?

      • Customers went end-to-end default encryption with external servers and/or clients. 

      Acceptance Criteria

      • CI - MUST be running successfully with tests automated
      • Release Technical Enablement - Provide necessary release enablement details and documents.
      • Must allow for the possibility of offloading the IPsec encryption to a SmartNIC.

      Dependencies (internal and external)



      • ITUP-44 - OpenShift support for North-South OVN IPSec
      • HATSTRAT-33 - Encrypt All Traffic to/from Cluster (aka IPSec as a Service)

      Previous Work (Optional):

      1. SDN-717 - Support IPSEC on ovn-kubernetes

      Open questions::

      Done Checklist

      • CI - CI is running, tests are automated and merged.
      • Release Enablement <link to Feature Enablement Presentation>
      • DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
      • DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
      • DEV - Downstream build attached to advisory: <link to errata>
      • QE - Test plans in Polarion: <link or reference to Polarion>
      • QE - Automated tests merged: <link or reference to automated tests>
      • DOC - Downstream documentation merged: <link to meaningful PR>

            ykashtan Yuval Kashtan
            mcurry@redhat.com Marc Curry
            Ross Brattain Ross Brattain
            Jason Boxman Jason Boxman
            0 Vote for this issue
            18 Start watching this issue