How to enable IPsec during an OpenShift installation


Environment

  • Red Hat OpenShift Container Platform (RHOCP)
    • 4.x

Issue

Resolution

  1. Create the manifests from the install-config.yaml file by running the command:

    $ openshift-install create manifests --dir=<installation_directory>
    
  2. Once the command completes and the manifests are generated, create a stub manifest file for the advanced network configuration named cluster-network-03-config.yml in the <installation_directory>/manifests/ directory* with the following content:

    cluster-network-03-config.yml
    apiVersion: operator.openshift.io/v1
    kind: Network
    metadata:
      name: cluster
    spec:
      defaultNetwork:
        ovnKubernetesConfig:
          ipsecConfig:
            mode: Full
    
  3. Then continue the installation:

    $ openshift-install create cluster --dir=<installation_directory>
    

* Note: If using the Agent-Based installer, the manifest must be placed in <installation_directory>/openshift/ instead, otherwise the agent does not consume it.
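The following script is an added example, not part of the Red Hat solution: it writes the stub manifest into the directory the chosen installer actually reads (manifests/ for IPI/UPI, openshift/ for the Agent-Based installer) and checks it before the installation continues. The function names, the "ipi"/"upi"/"agent" installer labels and the paths are assumptions made for the example; the YAML content is the one from step 2.

```shell
#!/bin/sh
# Added example (not from the Red Hat solution): place the IPsec stub manifest
# where the selected installer consumes it. Assumes "openshift-install create
# manifests --dir=<installation_directory>" has already been run.
set -eu

# Print the directory that consumes custom manifests for the given installer:
#   ipi / upi -> <installation_directory>/manifests/
#   agent     -> <installation_directory>/openshift/   (Agent-Based installer)
ipsec_manifest_dir() {
  install_dir=$1
  installer=$2
  case "$installer" in
    agent)   printf '%s/openshift\n' "$install_dir" ;;
    ipi|upi) printf '%s/manifests\n' "$install_dir" ;;
    *)       echo "unknown installer type: $installer" >&2; return 1 ;;
  esac
}

# Write cluster-network-03-config.yml requesting IPsec mode Full and print its path.
write_ipsec_manifest() {
  dir=$(ipsec_manifest_dir "$1" "$2")
  mkdir -p "$dir"
  target="$dir/cluster-network-03-config.yml"
  cat > "$target" <<'EOF'
apiVersion: operator.openshift.io/v1
kind: Network
metadata:
  name: cluster
spec:
  defaultNetwork:
    ovnKubernetesConfig:
      ipsecConfig:
        mode: Full
EOF
  printf '%s\n' "$target"
}

# Pre-flight check before "openshift-install create cluster": the manifest must
# exist in the directory for this installer and request mode Full.
# Returns 0 when it is in place, 1 otherwise (e.g. written to manifests/ for an
# agent-based install, which the agent would silently ignore).
verify_ipsec_manifest() {
  f=$(ipsec_manifest_dir "$1" "$2")/cluster-network-03-config.yml
  [ -f "$f" ] && grep -q 'kind: Network' "$f" && grep -q 'mode: Full' "$f"
}

# Usage (constructed path; the openshift-install commands are the real ones):
#   openshift-install create manifests --dir=/path/to/install_dir
#   write_ipsec_manifest /path/to/install_dir ipi
#   verify_ipsec_manifest /path/to/install_dir ipi \
#     && openshift-install create cluster --dir=/path/to/install_dir
```

The verify step is what catches the Agent-Based case from the note above: the same file written under manifests/ fails the check for installer type agent, so the mistake surfaces before the cluster is built without IPsec.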

Root Cause

  • According to the OpenShift documentation, IPsec can be enabled either during or after installing the cluster.

  • However, install-config.yaml has no IPsec option, so to enable IPsec during the installation the setting must be added as a manifest before the cluster is created.

Diagnostic Steps

How to verify that IPsec is active:

  • Connect to the cluster and validate the IPsec settings:

    ### For OVN cluster version 4.13 and below, set the variable POD_LIST with:
    $ POD_LIST=$(oc get pod -n openshift-ovn-kubernetes -l app=ovnkube-master -o name)
    
    ### For OVN cluster version 4.14 and above, set the variable POD_LIST with:
    $ POD_LIST=$(oc get pod -n openshift-ovn-kubernetes -l app=ovnkube-node -o name)
    
    ### Then run the command:
    $ for OVNPOD in ${POD_LIST};do echo -e "\n===== Pod $OVNPOD ====="; oc -n openshift-ovn-kubernetes -c nbdb rsh $OVNPOD ovn-nbctl --no-leader-only get nb_global . ipsec;echo;done
    

    If the result is true, IPsec is enabled.

  • Or refer to the OpenShift documentation for specific instructions.
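The following script is an added example, not part of the Red Hat solution: it picks the ovnkube pod label from the cluster version (the 4.13/4.14 split above) and interprets the per-pod ovn-nbctl output so a mixed result does not get mistaken for "enabled". The function names, the version-string format (major.minor[.patch]) and the sample loop output are assumptions constructed for the example; the oc and ovn-nbctl commands are the ones from the article.

```shell
#!/bin/sh
# Added example (not from the Red Hat solution): choose the pod selector for the
# cluster version and summarize the IPsec check output. Assumes the version is
# given as "major.minor" or "major.minor.patch".
set -eu

# Label for "oc get pod -n openshift-ovn-kubernetes -l ...":
#   4.13 and below -> app=ovnkube-master
#   4.14 and above -> app=ovnkube-node
ovn_pod_label() {
  major=${1%%.*}
  rest=${1#*.}
  minor=${rest%%.*}
  if [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 14 ]; }; then
    echo app=ovnkube-node
  else
    echo app=ovnkube-master
  fi
}

# Interpret one "ovn-nbctl --no-leader-only get nb_global . ipsec" result:
# 0 if IPsec is enabled (value "true"), 1 otherwise (false, empty, anything else).
ipsec_enabled() {
  case "$(printf '%s' "$1" | tr -d '[:space:]')" in
    true) return 0 ;;
    *)    return 1 ;;
  esac
}

# Read the combined loop output from the article ("===== Pod ... =====" header
# followed by the value) on stdin and print "<enabled>/<total>" so a partially
# enabled cluster is visible at a glance.
summarize_ipsec_output() {
  enabled=0; total=0; expect=0
  while IFS= read -r line; do
    case "$line" in
      "===== Pod "*) total=$((total + 1)); expect=1 ;;
      "") ;;
      *) if [ "$expect" -eq 1 ]; then
           ipsec_enabled "$line" && enabled=$((enabled + 1))
           expect=0
         fi ;;
    esac
  done
  printf '%s/%s\n' "$enabled" "$total"
}

# Constructed sample of the loop output: three pods, one still reporting false.
SAMPLE_OUTPUT='
===== Pod pod/ovnkube-node-abc12 =====
true

===== Pod pod/ovnkube-node-def34 =====
true

===== Pod pod/ovnkube-node-ghi56 =====
false
'

# Against a real cluster (commands from the article, version lookup assumed):
#   VERSION=$(oc get clusterversion version -o jsonpath='{.status.desired.version}')
#   POD_LIST=$(oc get pod -n openshift-ovn-kubernetes -l "$(ovn_pod_label "$VERSION")" -o name)
#   for OVNPOD in ${POD_LIST}; do echo -e "\n===== Pod $OVNPOD ====="; \
#     oc -n openshift-ovn-kubernetes -c nbdb rsh $OVNPOD ovn-nbctl --no-leader-only get nb_global . ipsec; echo; \
#   done | summarize_ipsec_output
# Only "<n>/<n>" with every pod reporting true means IPsec is enabled cluster-wide.
```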

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
