-
Epic
-
Resolution: Done
-
Major
-
None
-
OpenShift North-South IPsec Implementation
-
Strategic Product Work
-
False
-
None
-
False
-
Red
-
In Progress
-
OCPSTRAT-937 - OVN IPSec support between an OCP cluster and an external provider [N-S] - GA
-
0% To Do, 0% In Progress, 100% Done
-
M
-
-
---
-
0
-
0
Epic Goal
- Add an API extension for North-South IPsec.
- close gaps from
SDN-3604- mainly around upgrade - add telemetry
Why is this important?
- without API, customers are forced to use MCO. this brings with it a set of limitations (mainly reboot per change and the fact that config is shared among each pool, can't do per node configuration)
- better upgrade solution will give us the ability to support a single host based implementation
- telemetry will give us more info on how widely is ipsec used.
Acceptance Criteria
- CI - MUST be running successfully with tests automated
- Release Technical Enablement - Provide necessary release enablement details and documents.
- Must allow for the possibility of offloading the IPsec encryption to a SmartNIC.
- nmstate
- k8s-nmstate
- easier mechanism for cert injection (??)
- telemetry
Dependencies (internal and external)
Related:
- ITUP-44 - OpenShift support for North-South OVN IPSec
- HATSTRAT-33 - Encrypt All Traffic to/from Cluster (aka IPSec as a Service)
Previous Work (Optional):
- SDN-717 - Support IPSEC on ovn-kubernetes
SDN-3604- Fully supported non-GA N-S IPSec implementation using machine config.
Open questions::
- …
Done Checklist
- CI - CI is running, tests are automated and merged.
- Release Enablement <link to Feature Enablement Presentation>
- DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
- DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
- DEV - Downstream build attached to advisory: <link to errata>
- QE - Test plans in Polarion: <link or reference to Polarion>
- QE - Automated tests merged: <link or reference to automated tests>
- DOC - Downstream documentation merged: <link to meaningful PR>
- clones
-
SDN-3604 OpenShift North-South IPsec Implementation
- Closed
- is blocked by
-
RHEL-20690 Cannot setup point-to-point ipsec tunnel
- Closed
-
RHEL-1605 Support IPsec via libreswan in nmstate
- Closed
- is cloned by
-
SDN-4502 OpenShift North-South IPsec Post-GA tasks
- Release Pending
- links to
(1 links to)