Enhancement: Enable IPsec support in OVNKubernetes #473

markdgray · 2020-09-11T08:36:49Z

Signed-off-by: Mark Gray mark.d.gray@redhat.com

markdgray · 2020-09-11T08:38:16Z

/assign @stbenjam

enhancements/network/ovn-kubernetes-ipsec.md

markdgray · 2020-09-11T16:53:46Z

FYI: @mcurry-rh @knobunc @fepan

enhancements/network/ovn-kubernetes-ipsec.md

mccv1r0 · 2020-10-08T17:18:56Z

We don't want to rule out the possibility of non OVN interfaces used by multus also being able to use IPsec concurrently. Will there be separate copies of e.g. ipsec.conf or will some sort of serialization be needed when accessing the same files?

mccv1r0 · 2020-10-08T17:21:06Z

Will HW offload be a requirement now or in the future? With shared-gateway, when eth0 is inside br-int, will HW offload of IPsec even be possible?

jackevans43 · 2020-10-12T08:52:04Z

@mccv1r0 I would say now. For small webapps etc software IPsec is fine, but for anything serious it'll be a killer - easily take a 10Gbps link down into the hundreds,

markdgray · 2020-10-28T13:59:41Z

We don't want to rule out the possibility of non OVN interfaces used by multus also being able to use IPsec concurrently. Will there be separate copies of e.g. ipsec.conf or will some sort of serialization be needed when accessing the same files?

You can bind libreswan to a specific interface and have multiple "ipsec.conf" files so shouldn't be a problem

Will HW offload be a requirement now or in the future? With shared-gateway, when eth0 is inside br-int, will HW offload of IPsec even be possible?

I'd have to look to check how the shared gateway code works but it depends at what point in the IP stack OVS is sending the packets. Either way, I will test this. Thanks

markdgray · 2020-10-28T18:39:33Z

Accidently closed this.

markdgray · 2020-10-30T14:31:49Z

With @russellb 's help, I reopened this.

markdgray · 2020-12-04T18:29:24Z

@russellb You had changes requested on this. I reworked everything a while ago. Is it ok?

enhancements/network/ovn-kubernetes-ipsec.md

dcbw · 2020-12-08T15:52:14Z

/lgtm

markdgray · 2021-01-15T21:54:32Z

Can this be merged please?

russellb · 2021-02-11T15:14:54Z

/approve
/lgtm

openshift-ci-robot · 2021-02-11T15:15:09Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: russellb

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~OWNERS~~ [russellb]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

russellb · 2021-02-11T15:15:22Z

/retest

markdgray · 2021-02-11T15:57:58Z

/retest

openshift-bot · 2021-02-11T17:49:17Z

/retest

Please review the full test history for this PR and help us cut down flakes.

russellb · 2021-02-11T17:57:26Z

/lgtm remove

russellb · 2021-02-11T21:03:45Z

@markdgray you'll have to fix the lint job

Signed-off-by: Mark Gray <mark.d.gray@redhat.com>

markdgray · 2021-02-12T08:37:57Z

Thanks @russellb. Done.

russellb · 2021-02-12T13:35:18Z

/lgtm

markdgray · 2021-02-12T14:56:46Z

Hurray!

openshift-ci-robot requested review from dustymabe and jsafrane September 11, 2020 08:37

openshift-ci-robot assigned stbenjam Sep 11, 2020

russellb requested changes Sep 11, 2020

View reviewed changes

danwinship reviewed Sep 11, 2020

View reviewed changes

JAORMX reviewed Sep 14, 2020

View reviewed changes

mrogers950 reviewed Sep 14, 2020

View reviewed changes

enhancements/network/ovn-kubernetes-ipsec.md Outdated Show resolved Hide resolved

mrogers950 reviewed Sep 14, 2020

View reviewed changes

enhancements/network/ovn-kubernetes-ipsec.md Outdated Show resolved Hide resolved

lack reviewed Sep 16, 2020

View reviewed changes

enhancements/network/ovn-kubernetes-ipsec.md Outdated Show resolved Hide resolved

aojea reviewed Sep 20, 2020

View reviewed changes

enhancements/network/ovn-kubernetes-ipsec.md Outdated Show resolved Hide resolved

markdgray changed the title ~~Enhancement: Enable IPsec support in OVNKubernetes~~ [WIP] Enhancement: Enable IPsec support in OVNKubernetes Sep 23, 2020

openshift-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Sep 23, 2020

jackevans43 reviewed Oct 8, 2020

View reviewed changes

enhancements/network/ovn-kubernetes-ipsec.md Show resolved Hide resolved

markdgray closed this Oct 28, 2020

markdgray changed the title ~~[WIP] Enhancement: Enable IPsec support in OVNKubernetes~~ Enhancement: Enable IPsec support in OVNKubernetes Oct 28, 2020

openshift-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Oct 28, 2020

markdgray mentioned this pull request Oct 28, 2020

Enhancement: Enable IPsec support in OVNKubernetes #519

Closed

markdgray reopened this Oct 30, 2020

markdgray force-pushed the ovn-kubernetes-ipsec branch from 1436017 to 369d8ac Compare October 30, 2020 14:31

markdgray requested a review from russellb December 4, 2020 18:28

jboxman reviewed Dec 7, 2020

View reviewed changes

enhancements/network/ovn-kubernetes-ipsec.md Outdated Show resolved Hide resolved

markdgray force-pushed the ovn-kubernetes-ipsec branch from 369d8ac to 8805b3f Compare December 8, 2020 15:16

openshift-ci-robot assigned dcbw Dec 8, 2020

openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Dec 8, 2020

openshift-ci-robot assigned russellb Feb 11, 2021

openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 11, 2021

russellb removed the lgtm Indicates that a PR is ready to be merged. label Feb 11, 2021

Enhancement: Enable IPsec support in OVNKubernetes

a182add

Signed-off-by: Mark Gray <mark.d.gray@redhat.com>

markdgray force-pushed the ovn-kubernetes-ipsec branch from 8805b3f to a182add Compare February 12, 2021 08:27

openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Feb 12, 2021

openshift-merge-robot merged commit ed05107 into openshift:master Feb 12, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Enhancement: Enable IPsec support in OVNKubernetes #473

Enhancement: Enable IPsec support in OVNKubernetes #473

markdgray commented Sep 11, 2020

markdgray commented Sep 11, 2020

markdgray commented Sep 11, 2020

mccv1r0 commented Oct 8, 2020

mccv1r0 commented Oct 8, 2020

jackevans43 commented Oct 12, 2020

markdgray commented Oct 28, 2020

markdgray commented Oct 28, 2020

markdgray commented Oct 30, 2020

markdgray commented Dec 4, 2020

dcbw commented Dec 8, 2020

markdgray commented Jan 15, 2021

russellb commented Feb 11, 2021

openshift-ci-robot commented Feb 11, 2021

russellb commented Feb 11, 2021

markdgray commented Feb 11, 2021

openshift-bot commented Feb 11, 2021

russellb commented Feb 11, 2021

russellb commented Feb 11, 2021

markdgray commented Feb 12, 2021

russellb commented Feb 12, 2021

markdgray commented Feb 12, 2021

Enhancement: Enable IPsec support in OVNKubernetes #473

Enhancement: Enable IPsec support in OVNKubernetes #473

Conversation

markdgray commented Sep 11, 2020

markdgray commented Sep 11, 2020

markdgray commented Sep 11, 2020

mccv1r0 commented Oct 8, 2020

mccv1r0 commented Oct 8, 2020

jackevans43 commented Oct 12, 2020

markdgray commented Oct 28, 2020

markdgray commented Oct 28, 2020

markdgray commented Oct 30, 2020

markdgray commented Dec 4, 2020

dcbw commented Dec 8, 2020

markdgray commented Jan 15, 2021

russellb commented Feb 11, 2021

openshift-ci-robot commented Feb 11, 2021

russellb commented Feb 11, 2021

markdgray commented Feb 11, 2021

openshift-bot commented Feb 11, 2021

russellb commented Feb 11, 2021

russellb commented Feb 11, 2021

markdgray commented Feb 12, 2021

russellb commented Feb 12, 2021

markdgray commented Feb 12, 2021