Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OCPBUGS-40906: Implement IPsec NAT-Traversal encapsulation option #2573

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

OCPBUGS-40906: Implement IPsec NAT-Traversal encapsulation option #2573

wants to merge 3 commits into from

Conversation

pperiyasamy
Copy link
Member

@pperiyasamy pperiyasamy commented Nov 21, 2024
edited
Loading

There is a requirement to encapsulate IPsec east west traffic in UDP via NAT-T so that those packets are compatible with intermediate NAT device(s) if present. This PR consumes new API to enable or disable encap option and applies to
OVN to configure east west ipsec tunnel connections accordingly.

API PRs:
openshift/api#1472
openshift/api#2199

Depends on openshift/machine-config-operator#4797 for openshift/api bump (which needed kube v0.32.2 update).

@openshift-ci-robot openshift-ci-robot added jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. labels Nov 21, 2024
@openshift-ci-robot
Copy link
Contributor

@pperiyasamy: This pull request references Jira Issue OCPBUGS-40906, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.18.0) matches configured target version for branch (4.18.0)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

There is a requirement to encapsulate IPsec east west traffic in UDP via NAT-T so that those packets are compatible with intermediate NAT device(s) if present. This commit consumes new API to enable or disable encap option and applies to
OVN to configure east west ipsec tunnel connections accordingly.

Depends on: openshift/api#1472

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@pperiyasamy pperiyasamy marked this pull request as draft November 21, 2024 13:32
@openshift-ci openshift-ci bot requested review from dougbtv and kyrtapz November 21, 2024 13:32
@pperiyasamy pperiyasamy mentioned this pull request Nov 21, 2024
Merged
@openshift-ci-robot
Copy link
Contributor

@pperiyasamy: This pull request references Jira Issue OCPBUGS-40906, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.18.0) matches configured target version for branch (4.18.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

In response to this:

There is a requirement to encapsulate IPsec east west traffic in UDP via NAT-T so that those packets are compatible with intermediate NAT device(s) if present. This PR consumes new API to enable or disable encap option and applies to
OVN to configure east west ipsec tunnel connections accordingly.

Depends on: openshift/api#1472

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 21, 2024
@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Dec 18, 2024
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Dec 18, 2024
@openshift-ci-robot openshift-ci-robot added jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. and removed jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. labels Dec 18, 2024
@openshift-ci-robot
Copy link
Contributor

@pperiyasamy: This pull request references Jira Issue OCPBUGS-40906, which is invalid:

  • expected the bug to target either version "4.19." or "openshift-4.19.", but it targets "4.18.0" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

There is a requirement to encapsulate IPsec east west traffic in UDP via NAT-T so that those packets are compatible with intermediate NAT device(s) if present. This PR consumes new API to enable or disable encap option and applies to
OVN to configure east west ipsec tunnel connections accordingly.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@pperiyasamy pperiyasamy marked this pull request as ready for review December 18, 2024 16:53
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Dec 18, 2024
@openshift-ci openshift-ci bot requested a review from abhat December 18, 2024 16:54
@pperiyasamy
Copy link
Member Author

/jira refresh

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Dec 18, 2024
@openshift-ci-robot
Copy link
Contributor

@pperiyasamy: This pull request references Jira Issue OCPBUGS-40906, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.19.0) matches configured target version for branch (4.19.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@pperiyasamy
Copy link
Member Author

/retest

@pperiyasamy
Copy link
Member Author

/assign @jcaamano @trozet @huiran0826

@pperiyasamy
Copy link
Member Author

/testwith openshift/origin#29232

@jluhrsen
Copy link
Contributor

jluhrsen commented Jan 8, 2025

/testwith openshift/cluster-network-operator/master/e2e-ovn-ipsec-step-registry openshift/origin#29232

@pperiyasamy
Copy link
Member Author

/testwith openshift/cluster-network-operator/master/e2e-ovn-ipsec-step-registry openshift/origin#29232

@pperiyasamy
Copy link
Member Author

/assign @huiran0826

@martinkennelly
Copy link
Contributor

/assign @martinkennelly

@pperiyasamy
Copy link
Member Author

/testwith openshift/cluster-network-operator/master/e2e-aws-ovn-ipsec-upgrade openshift/machine-config-operator#4854

@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Feb 17, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: pperiyasamy
Once this PR has been reviewed and has the lgtm label, please ask for approval from jcaamano. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@martinkennelly
Copy link
Contributor

dependent PR isnt merged [1] do you need it? openshift/machine-config-operator#4797

@pperiyasamy
Copy link
Member Author

dependent PR isnt merged [1] do you need it? openshift/machine-config-operator#4797

yes @martinkennelly , we need openshift/machine-config-operator#4797 to be merged. @yuqi-zhang is aware of this already. but still this PR is ready for review now.

@martinkennelly
Copy link
Contributor

This is the first time happening to me but the first commit keeps crashing and freezing on my chrome browser because its so gigantic because of the vendor imports. I normally like having full func commits but I ask you to split the vendoring out into a seperate commit so i can actually review

@pperiyasamy
Bump openshift/api version
f552712 
1. Update with:

go get -u github.com/openshift/build-machinery-go
go get -u k8s.io/api
go get -u k8s.io/apimachinery
go get -u k8s.io/code-generator
go get -u k8s.io/component-base
go get -u k8s.io/klog/v2
go get -u k8s.io/kube-proxy
go get -u k8s.io/utils
go get -u sigs.k8s.io/controller-runtime
go get -u github.com/openshift/api
go get -u github.com/openshift/client-go
go get -u github.com/openshift/library-go
go get -u github.com/openshift/machine-config-operator
go get -u k8s.io/apiextensions-apiserver
go get -u k8s.io/client-go
go get -u sigs.k8s.io/controller-tools
go get -u github.com/openshift/api

2. Update go.mod file with following:

replace (
	github.com/google/cel-go => github.com/google/cel-go v0.22.0
	github.com/openshift/machine-config-operator => github.com/RishabhSaini/machine-config-operator v0.0.1-0.20250130013234-f25892323bb7
)

3. go mod tidy
   go mod vendor

4. Adapt CNO code with dependency updates.

This commit skips vendor directory changes because it is too big, makes chrome to hang and difficult to review the actual changes.

Signed-off-by: Periyasamy Palanisamy <[email protected]>
@pperiyasamy
Add vendor changes
5928f5b 
Signed-off-by: Periyasamy Palanisamy <[email protected]>
@pperiyasamy
Implement IPsec NAT-Traversal encapsulation option
2355043 
There is a requirement to encapsulate IPsec east west traffic in UDP via NAT-T
so that those packets are compatible with intermediate NAT device(s) if present.
This commit consumes new API to enable encap option and applies to OVN to configure
east west ipsec tunnel connections accordingly.

Signed-off-by: Periyasamy Palanisamy <[email protected]>
martinkennelly
martinkennelly reviewed Feb 20, 2025
View reviewed changes
go.mod

replace (
github.com/google/cel-go => github.com/google/cel-go v0.22.0
github.com/openshift/machine-config-operator => github.com/RishabhSaini/machine-config-operator v0.0.1-0.20250130013234-f25892323bb7
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

note t self; make sure this is removed in final review

bindata/network/ovn-kubernetes/common/008-script-lib.yaml
@@ -332,6 +332,11 @@ data:
ipsec_encapsulation=true
fi
{{ end }}

{{ if eq .OVNIPsecEncap "Always" }}
ipsec_encapsulation=true
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

isnt it possible this key-value is defined twice if on ibm platform and IPSec Full option set to Always?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

shouldnt this be within the OVNIPsecEnable if block? I know your programming is fine here but it reads weird and id like checking OVNIPsecEncap eqs Always to be inside the OVNIPsecEnable bool.

bindata/network/ovn-kubernetes/common/008-script-lib.yaml
@@ -332,6 +332,11 @@ data:
ipsec_encapsulation=true
fi
{{ end }}

{{ if eq .OVNIPsecEncap "Always" }}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

n00b question but this Key could be unset so what happens in that scenario - did you check?

@martinkennelly
Copy link
Contributor

do we've an e2e somewhere for the new Full modes?

@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Feb 20, 2025

@pperiyasamy: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/4.18-upgrade-from-stable-4.17-e2e-azure-ovn-upgrade ff55dc6 link false /test 4.18-upgrade-from-stable-4.17-e2e-azure-ovn-upgrade
ci/prow/okd-scos-e2e-aws-ovn 2355043 link false /test okd-scos-e2e-aws-ovn
ci/prow/e2e-aws-ovn-hypershift-conformance 2355043 link true /test e2e-aws-ovn-hypershift-conformance
ci/prow/e2e-ovn-ipsec-step-registry 2355043 link true /test e2e-ovn-ipsec-step-registry
ci/prow/e2e-network-mtu-migration-ovn-ipv4 2355043 link false /test e2e-network-mtu-migration-ovn-ipv4
ci/prow/e2e-vsphere-ovn 2355043 link false /test e2e-vsphere-ovn
ci/prow/e2e-aws-ovn-single-node 2355043 link false /test e2e-aws-ovn-single-node
ci/prow/e2e-vsphere-ovn-dualstack-primaryv6 2355043 link false /test e2e-vsphere-ovn-dualstack-primaryv6
ci/prow/e2e-metal-ipi-ovn-ipv6-ipsec 2355043 link true /test e2e-metal-ipi-ovn-ipv6-ipsec
ci/prow/4.19-upgrade-from-stable-4.18-e2e-azure-ovn-upgrade 2355043 link false /test 4.19-upgrade-from-stable-4.18-e2e-azure-ovn-upgrade
ci/prow/e2e-ovn-step-registry 2355043 link false /test e2e-ovn-step-registry
ci/prow/e2e-network-mtu-migration-ovn-ipv6 2355043 link false /test e2e-network-mtu-migration-ovn-ipv6
ci/prow/security 2355043 link false /test security
ci/prow/4.19-upgrade-from-stable-4.18-e2e-gcp-ovn-upgrade 2355043 link false /test 4.19-upgrade-from-stable-4.18-e2e-gcp-ovn-upgrade
ci/prow/e2e-gcp-ovn-techpreview 2355043 link true /test e2e-gcp-ovn-techpreview
ci/prow/e2e-gcp-ovn 2355043 link true /test e2e-gcp-ovn
ci/prow/e2e-vsphere-ovn-dualstack 2355043 link false /test e2e-vsphere-ovn-dualstack
ci/prow/e2e-aws-ovn-serial 2355043 link false /test e2e-aws-ovn-serial
ci/prow/4.19-upgrade-from-stable-4.18-e2e-aws-ovn-upgrade 2355043 link false /test 4.19-upgrade-from-stable-4.18-e2e-aws-ovn-upgrade
ci/prow/e2e-azure-ovn-upgrade 2355043 link true /test e2e-azure-ovn-upgrade
ci/prow/e2e-aws-hypershift-ovn-kubevirt 2355043 link false /test e2e-aws-hypershift-ovn-kubevirt
ci/prow/e2e-azure-ovn 2355043 link false /test e2e-azure-ovn
ci/prow/e2e-aws-ovn-shared-to-local-gateway-mode-migration 2355043 link false /test e2e-aws-ovn-shared-to-local-gateway-mode-migration
ci/prow/e2e-aws-ovn-local-to-shared-gateway-mode-migration 2355043 link false /test e2e-aws-ovn-local-to-shared-gateway-mode-migration
ci/prow/e2e-metal-ipi-ovn-ipv6 2355043 link true /test e2e-metal-ipi-ovn-ipv6
ci/prow/e2e-ovn-hybrid-step-registry 2355043 link false /test e2e-ovn-hybrid-step-registry
ci/prow/e2e-aws-ovn-windows 2355043 link true /test e2e-aws-ovn-windows
ci/prow/e2e-openstack-ovn 2355043 link false /test e2e-openstack-ovn

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@martinkennelly martinkennelly martinkennelly left review comments

@dougbtv dougbtv Awaiting requested review from dougbtv

@kyrtapz kyrtapz Awaiting requested review from kyrtapz

@abhat abhat Awaiting requested review from abhat

Assignees

@trozet trozet

@martinkennelly martinkennelly

@jcaamano jcaamano

@huiran0826 huiran0826

Labels
jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
8 participants
@pperiyasamy @openshift-ci-robot @jluhrsen @martinkennelly @trozet @openshift-merge-robot @jcaamano @huiran0826