Uploaded image for project: 'OpenShift SDN'
  1. OpenShift SDN
  2. SDN-4034

OpenShift North-South IPsec Implementation Enhancement and GA

    XMLWordPrintable

Details

    • OpenShift North-South IPsec Implementation
    • False
    • None
    • False
    • Red
    • In Progress
    • OCPSTRAT-937 - OVN IPSec support between an OCP cluster and an external provider [N-S] - GA
    • 100
    • 100% 100%
    • M
    • Hide

      Feb 19,2024

      QE:

      • Workaround tested for bug OCPBUGS-27839 to be included in RN. Functional QE is done with testing at this point. Waiting for scale team inputs if they can comment before this epic moves to RELEASE_PENDING

      Feb 15,2024

      QE

      • Based on further testing, QE has identified OCPBUGS-27839 as a RHEL/nmstate bug rather than OCP. We need a workaround to document regarding restoring network connectivity issue between hosts.

      Feb 13, 2024

      QE

      • IPsec EW blocker has been verified. QE just waiting for dev inputs on OCPBUGS-27839: [IPSEC] Restarting ipsec service/ovn-ipsec-host pod would cause ipsec traffic broken between worker node and external host

       

      Feb 6, 2024

      QE

      Feb 1, 2024

      QE

      • All required critical fixes are in prod builds now. QE have verified crticial fixes and testing looks green now. Regression issue of RHEL nodes EW has been verified along with pre-merge. Few non-critical bugs under post-merge task SDN-4200 still needs dev triage.

      Jan 24, 2024

      QE

      • QE has tested nmstate rpms and corresponding IPsec configs on GCP with nmstate (custom rpms) in last couple of weeks which looks good with exception of few bugs mentioned in SDN-4200: post-merge testing. QE still waiting for `nmstate-2.2.23-1.el9_2` to land in RHCOS along with rpms (with few fixes). QE will do additional testing once all required rpms  lands in production builds.

       

      Jan 16, 2024

      QE

      • Testing continued using scratch builds for nmstate, NetworkManager-libreswan.
      • Unable to test transport mode due to RHEL-21532: Cannot configure ipsec mode with 'type' in nmstate config
      • Upgrade from 4.14 OCPBUGS-26952: no ipsec on cluster post NS mc's deletion during ipsecConfig mode `Full`
      • Above bugs can be verified with scratch builds once available.
      • Plan: Once the build is available in OCP, QE will run regression tests with ipsec enabled.

       

      Jan 09, 2024

      QE

      • TestBlocker bug RHEL-20690: Cannot setup point-to-point ipsec tunnel in-progress
      • Pre-merge testing complete cluster-network-operator/pull/2144 for IPsec runtime modes Full and external. Looks good on standalone build.
      • Full and External runtime modes are not working if cluster is upgraded from 4.14 to bot build (with 2144).
      • Hypershift is out of scope for this feature.

       

      Jan 05, 2024

      QE

      • Testing blocked due to RHEL-20690: Cannot setup point-to-point ipsec tunnel

      API PR is ready to merge
      CNO PR is in code-review and likely to merge soon
      must-gather work has not started yet

      Show
      Feb 19,2024 QE: Workaround tested for bug OCPBUGS-27839 to be included in RN. Functional QE is done with testing at this point. Waiting for scale team inputs if they can comment before this epic moves to RELEASE_PENDING Feb 15,2024 QE Based on further testing, QE has identified OCPBUGS-27839 as a RHEL/nmstate bug rather than OCP. We need a workaround to document regarding restoring network connectivity issue between hosts. Feb 13, 2024 QE IPsec EW blocker has been verified. QE just waiting for dev inputs on OCPBUGS-27839 : [IPSEC] Restarting ipsec service/ovn-ipsec-host pod would cause ipsec traffic broken between worker node and external host   Feb 6, 2024 QE https://issues.redhat.com/browse/OCPBUGS-28676 is release blocker now. Libreswan package needs to be installed on RHEL node hosts by openshift-ansible which is not part of the OCP payload, but is delivered via rpms. This is being addressed via https://github.com/openshift/openshift-ansible/pull/12477 and https://github.com/openshift/openshift-ansible/pull/12478 . QE need to test this hack by either execute `sudo dnf install libreswan` on ansible pre-hook playbooks during RHEL nodes update or manually on RHEL node before pre-hook.  Fixes should be validated by Feb 9 to make it in RC Feb 1, 2024 QE All required critical fixes are in prod builds now. QE have verified crticial fixes and testing looks green now. Regression issue of RHEL nodes EW has been verified along with pre-merge. Few non-critical bugs under post-merge task SDN-4200 still needs dev triage. Jan 24, 2024 QE QE has tested nmstate rpms and corresponding IPsec configs on GCP with nmstate (custom rpms) in last couple of weeks which looks good with exception of few bugs mentioned in SDN-4200 : post-merge testing. QE still waiting for `nmstate-2.2.23-1.el9_2` to land in RHCOS along with rpms (with few fixes). QE will do additional testing once all required rpms  lands in production builds.   Jan 16, 2024 QE Testing continued using scratch builds for nmstate, NetworkManager-libreswan. Unable to test transport mode due to  RHEL-21532 : Cannot configure ipsec mode with 'type' in nmstate config Upgrade from 4.14 OCPBUGS-26952 : no ipsec on cluster post NS mc's deletion during ipsecConfig mode `Full` Above bugs can be verified with scratch builds once available. Plan: Once the build is available in OCP, QE will run regression tests with ipsec enabled.   Jan 09, 2024 QE TestBlocker bug  RHEL-20690 : Cannot setup point-to-point ipsec tunnel in-progress Pre-merge testing complete cluster-network-operator/pull/2144  for IPsec runtime modes Full and external. Looks good on standalone build. Full and External runtime modes are not working if cluster is upgraded from 4.14 to bot build (with 2144). Hypershift is out of scope for this feature.   Jan 05, 2024 QE Testing blocked due to RHEL-20690 : Cannot setup point-to-point ipsec tunnel — API PR is ready to merge CNO PR is in code-review and likely to merge soon must-gather work has not started yet
    • ---
    • 0
    • 0

    Description

      Epic Goal

      • Add an API extension for North-South IPsec.
      • close gaps from SDN-3604 - mainly around upgrade
      • add telemetry

      Why is this important?

      • without API, customers are forced to use MCO. this brings with it a set of limitations (mainly reboot per change and the fact that config is shared among each pool, can't do per node configuration)
      • better upgrade solution will give us the ability to support a single host based implementation
      • telemetry will give us more info on how widely is ipsec used.

      Acceptance Criteria

      • CI - MUST be running successfully with tests automated
      • Release Technical Enablement - Provide necessary release enablement details and documents.
      • Must allow for the possibility of offloading the IPsec encryption to a SmartNIC.

       

      • nmstate
      • k8s-nmstate
      • easier mechanism for cert injection (??)
      • telemetry
      •  

      Dependencies (internal and external)

      1.  

      Related:

      • ITUP-44 - OpenShift support for North-South OVN IPSec
      • HATSTRAT-33 - Encrypt All Traffic to/from Cluster (aka IPSec as a Service)

      Previous Work (Optional):

      1. SDN-717 - Support IPSEC on ovn-kubernetes
      2. SDN-3604 - Fully supported non-GA N-S IPSec implementation using machine config.

      Open questions::

      Done Checklist

      • CI - CI is running, tests are automated and merged.
      • Release Enablement <link to Feature Enablement Presentation>
      • DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
      • DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
      • DEV - Downstream build attached to advisory: <link to errata>
      • QE - Test plans in Polarion: <link or reference to Polarion>
      • QE - Automated tests merged: <link or reference to automated tests>
      • DOC - Downstream documentation merged: <link to meaningful PR>

      Attachments

        Issue Links

          clones

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. SDN-3604 OpenShift North-South IPsec Implementation

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Release Pending
          is blocked by

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. RHEL-20690 Cannot setup point-to-point ipsec tunnel

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Release Pending

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. RHEL-1605 Support IPsec via libreswan in nmstate

          • Normal - To be worked after urgent and high priorities are resolved. This term is chosen when the severity of an issue is relatively close to the level of effort to fix it. The existence of an easily implemented workaround can also lead to this priority level instead of a higher priority.
          • Release Pending
          is cloned by

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. SDN-4502 OpenShift North-South IPsec Post-GA tasks

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • In Progress
          links to

          Web Link demo

          GitHub openshift/origin#28658: SDN-4168: Add IPsec e2e tests

          Activity

            People

              ykashtan Yuval Kashtan
              mcurry@redhat.com Marc Curry
              Huiran Wang Huiran Wang
              Jason Boxman Jason Boxman
              Votes:
              0 Vote for this issue
              Watchers:
              13 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: