feat: Enable Kube-OVN IPsec #1263

awfabian-rs · 2025-10-27T18:38:54Z

JIRA:OSPC-1624

cloudnull · 2025-10-27T19:16:25Z

while this adds encryption to the kube-ovn side, I think we'll need the neutron components updated to speak TLS - RE: https://opendev.org/openstack/neutron/commit/babab3261ec249ea2c4122b9773099e72e319287

awfabian-rs · 2025-11-05T19:11:31Z

I tried enabling this on a fresh hyperconverged lab with Kube-OVN 1.14.11 . With ping going between two instances, this went smoothly and caused about 12 seconds of data plane disruption in the pings.

This particular setting should run orthogonal to anything we need to do with Neutron and should work fine on fresh deployments. I recommend enabling this immediately and merging this PR if we want to encrypt the Geneve tunnels in the infrastructure while we continue to turn on other TLS/SSL/IPSEC settings in Neutron and OVN. However, previous testing suggests that will cost some bandwidth and latency through the tunnels

feat: Enable Kube-OVN IPsec

116ea43

JIRA:OSPC-1624

awfabian-rs marked this pull request as draft October 27, 2025 19:50

awfabian-rs marked this pull request as ready for review November 5, 2025 19:07

awfabian-rs requested review from aedan, cloudnull and rackerchris November 5, 2025 19:11

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

feat: Enable Kube-OVN IPsec #1263

feat: Enable Kube-OVN IPsec #1263

Uh oh!

awfabian-rs commented Oct 27, 2025

Uh oh!

cloudnull commented Oct 27, 2025

Uh oh!

awfabian-rs commented Nov 5, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

feat: Enable Kube-OVN IPsec #1263

Are you sure you want to change the base?

feat: Enable Kube-OVN IPsec #1263

Uh oh!

Conversation

awfabian-rs commented Oct 27, 2025

Uh oh!

cloudnull commented Oct 27, 2025

Uh oh!

awfabian-rs commented Nov 5, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants