Merge pull request #1667 from JoshSalomon/ipsec-api

add-IPsecExternal

openapi/openapi.json

@@ -27044,7 +27044,13 @@
       }
     },
     "com.github.openshift.api.operator.v1.IPsecConfig": {
-      "type": "object"
+      "type": "object",
+      "properties": {
+        "mode": {
+          "description": "mode defines the behaviour of the ipsec configuration within the platform. Valid values are `Disabled`, `External` and `Full`. When 'Disabled', ipsec will not be enabled at the node level. When 'External', ipsec is enabled on the node level but requires the user to configure the secure communication parameters. This mode is for external secure communications and the configuration can be done using the k8s-nmstate operator. When 'Full', ipsec is configured on the node level and inter-pod secure communication within the cluster is configured. Note with `Full`, if ipsec is desired for communication with external (to the cluster) entities (such as storage arrays), this is left to the user to configure.",
+          "type": "string"
+        }
+      }
     },
     "com.github.openshift.api.operator.v1.IPv4GatewayConfig": {
       "description": "IPV4GatewayConfig holds the configuration paramaters for IPV4 connections in the GatewayConfig for OVN-Kubernetes",
@@ -29088,6 +29094,9 @@
         },
         "ipsecConfig": {
           "description": "ipsecConfig enables and configures IPsec for pods on the pod network within the cluster.",
+          "default": {
+            "mode": "Disabled"
+          },
           "$ref": "#/definitions/com.github.openshift.api.operator.v1.IPsecConfig"
         },
         "mtu": {

operator/v1/0000_70_cluster-network-operator_01-CustomNoUpgrade.crd.yaml

@@ -269,6 +269,19 @@ spec:
                         ipsecConfig:
                           description: ipsecConfig enables and configures IPsec for pods on the pod network within the cluster.
                           type: object
+                          default:
+                            mode: Disabled
+                          properties:
+                            mode:
+                              description: mode defines the behaviour of the ipsec configuration within the platform. Valid values are `Disabled`, `External` and `Full`. When 'Disabled', ipsec will not be enabled at the node level. When 'External', ipsec is enabled on the node level but requires the user to configure the secure communication parameters. This mode is for external secure communications and the configuration can be done using the k8s-nmstate operator. When 'Full', ipsec is configured on the node level and inter-pod secure communication within the cluster is configured. Note with `Full`, if ipsec is desired for communication with external (to the cluster) entities (such as storage arrays), this is left to the user to configure.
+                              type: string
+                              enum:
+                                - Disabled
+                                - External
+                                - Full
+                          x-kubernetes-validations:
+                            - rule: self == oldSelf || has(self.mode)
+                              message: ipsecConfig.mode is required
                         mtu:
                           description: mtu is the MTU to use for the tunnel interface. This must be 100 bytes smaller than the uplink mtu. Default is 1400
                           type: integer

operator/v1/0000_70_cluster-network-operator_01-Default.crd.yaml

@@ -269,6 +269,19 @@ spec:
                         ipsecConfig:
                           description: ipsecConfig enables and configures IPsec for pods on the pod network within the cluster.
                           type: object
+                          default:
+                            mode: Disabled
+                          properties:
+                            mode:
+                              description: mode defines the behaviour of the ipsec configuration within the platform. Valid values are `Disabled`, `External` and `Full`. When 'Disabled', ipsec will not be enabled at the node level. When 'External', ipsec is enabled on the node level but requires the user to configure the secure communication parameters. This mode is for external secure communications and the configuration can be done using the k8s-nmstate operator. When 'Full', ipsec is configured on the node level and inter-pod secure communication within the cluster is configured. Note with `Full`, if ipsec is desired for communication with external (to the cluster) entities (such as storage arrays), this is left to the user to configure.
+                              type: string
+                              enum:
+                                - Disabled
+                                - External
+                                - Full
+                          x-kubernetes-validations:
+                            - rule: self == oldSelf || has(self.mode)
+                              message: ipsecConfig.mode is required
                         mtu:
                           description: mtu is the MTU to use for the tunnel interface. This must be 100 bytes smaller than the uplink mtu. Default is 1400
                           type: integer

operator/v1/0000_70_cluster-network-operator_01-TechPreviewNoUpgrade.crd.yaml

@@ -269,6 +269,19 @@ spec:
                         ipsecConfig:
                           description: ipsecConfig enables and configures IPsec for pods on the pod network within the cluster.
                           type: object
+                          default:
+                            mode: Disabled
+                          properties:
+                            mode:
+                              description: mode defines the behaviour of the ipsec configuration within the platform. Valid values are `Disabled`, `External` and `Full`. When 'Disabled', ipsec will not be enabled at the node level. When 'External', ipsec is enabled on the node level but requires the user to configure the secure communication parameters. This mode is for external secure communications and the configuration can be done using the k8s-nmstate operator. When 'Full', ipsec is configured on the node level and inter-pod secure communication within the cluster is configured. Note with `Full`, if ipsec is desired for communication with external (to the cluster) entities (such as storage arrays), this is left to the user to configure.
+                              type: string
+                              enum:
+                                - Disabled
+                                - External
+                                - Full
+                          x-kubernetes-validations:
+                            - rule: self == oldSelf || has(self.mode)
+                              message: ipsecConfig.mode is required
                         mtu:
                           description: mtu is the MTU to use for the tunnel interface. This must be 100 bytes smaller than the uplink mtu. Default is 1400
                           type: integer

operator/v1/stable.network.testsuite.yaml

@@ -35,6 +35,8 @@ tests:
               routingViaHost: false
               ipv4:
                 internalMasqueradeSubnet: "169.254.168.0/29"
+            ipsecConfig:
+              mode: Disabled
         disableNetworkDiagnostics: false
         logLevel: Normal
         operatorLogLevel: Normal
@@ -124,6 +126,8 @@ tests:
               ipv6:
                 internalMasqueradeSubnet: "abcd:ef01:2345:6789:abcd:ef01:2345:6789/125"
               routingViaHost: false
+            ipsecConfig:
+              mode: Disabled
         disableNetworkDiagnostics: false
         logLevel: Normal
         operatorLogLevel: Normal
@@ -147,6 +151,8 @@ tests:
               routingViaHost: false
               ipv6:
                 internalMasqueradeSubnet: "abcd:ef01:2345:6789::2345:6789/20"
+            ipsecConfig:
+              mode: Disabled
         disableNetworkDiagnostics: false
         logLevel: Normal
         operatorLogLevel: Normal
@@ -264,3 +270,139 @@ tests:
         logLevel: Normal
         operatorLogLevel: Normal
         migration: {}
+  - name: "IPsec - Empty ipsecConfig is allowed in initial state"
+    initial: |
+      apiVersion: operator.openshift.io/v1
+      kind: Network
+      spec: 
+        defaultNetwork:
+          ovnKubernetesConfig:
+            ipsecConfig: {}
+    expected: |
+      apiVersion: operator.openshift.io/v1
+      kind: Network
+      spec: 
+        defaultNetwork:
+          ovnKubernetesConfig:
+            ipsecConfig: {}
+        disableNetworkDiagnostics: false
+        logLevel: Normal
+        operatorLogLevel: Normal
+  - name: "IPsec - Populated ipsecConfig is allowed"
+    initial: |
+      apiVersion: operator.openshift.io/v1
+      kind: Network
+      spec: 
+        defaultNetwork:
+          ovnKubernetesConfig:
+            ipsecConfig:
+              mode: Full
+    expected: |
+      apiVersion: operator.openshift.io/v1
+      kind: Network
+      spec: 
+        defaultNetwork:
+          ovnKubernetesConfig:
+            ipsecConfig:
+              mode: Full
+        disableNetworkDiagnostics: false
+        logLevel: Normal
+        operatorLogLevel: Normal
+  - name: "IPsec - Start without setting ipsecConfig"
+    initial: |
+      apiVersion: operator.openshift.io/v1
+      kind: Network
+      spec: 
+        defaultNetwork:
+          ovnKubernetesConfig:
+    expected: |
+      apiVersion: operator.openshift.io/v1
+      kind: Network
+      spec: 
+        defaultNetwork: {}
+        disableNetworkDiagnostics: false
+        logLevel: Normal
+        operatorLogLevel: Normal
+  - name: "IPsec - empty string is not allowed"
+    initial: |
+      apiVersion: operator.openshift.io/v1
+      kind: Network
+      spec: 
+        defaultNetwork:
+          ovnKubernetesConfig:
+            ipsecConfig: 
+              mode: ""
+    expectedError: "Unsupported value: \"\": supported values: \"Disabled\", \"External\", \"Full\""
+  onUpdate:
+  - name: "IPsec - Removing ipsecConfig.mode is not allowed"
+    initial: |
+      apiVersion: operator.openshift.io/v1
+      kind: Network
+      spec:
+        defaultNetwork:
+          ovnKubernetesConfig:
+            ipsecConfig:
+              mode: Full
+    updated: |
+      apiVersion: operator.openshift.io/v1
+      kind: Network
+      spec:
+        defaultNetwork:
+          ovnKubernetesConfig:
+            ipsecConfig: {}
+    expectedError: "ipsecConfig.mode is required"
+  - name: "IPsec - Disabling IPsec"
+    initial: |
+      apiVersion: operator.openshift.io/v1
+      kind: Network
+      spec:
+        defaultNetwork:
+          ovnKubernetesConfig:
+            ipsecConfig:
+              mode: Full
+    updated: |
+      apiVersion: operator.openshift.io/v1
+      kind: Network
+      spec:
+        defaultNetwork:
+          ovnKubernetesConfig:
+            ipsecConfig:
+              mode: Disabled
+    expected: |
+      apiVersion: operator.openshift.io/v1
+      kind: Network
+      spec:
+        defaultNetwork:
+          ovnKubernetesConfig:
+            ipsecConfig:
+              mode: Disabled
+        disableNetworkDiagnostics: false
+        logLevel: Normal
+        operatorLogLevel: Normal
+  - name: "IPsec - Empty ipsecConfig when changing other parameters"
+    initial: |
+      apiVersion: operator.openshift.io/v1
+      kind: Network
+      spec: 
+        defaultNetwork:
+          ovnKubernetesConfig:
+            ipsecConfig: {}
+    updated: |
+      apiVersion: operator.openshift.io/v1
+      kind: Network
+      spec:
+        defaultNetwork:
+          ovnKubernetesConfig:
+            ipsecConfig: {}
+            mtu: 5888
+    expected: |
+      apiVersion: operator.openshift.io/v1
+      kind: Network
+      spec: 
+        defaultNetwork:
+          ovnKubernetesConfig:
+            ipsecConfig: {}
+            mtu: 5888
+        disableNetworkDiagnostics: false
+        logLevel: Normal
+        operatorLogLevel: Normal

operator/v1/types_network.go

@@ -390,6 +390,8 @@ type OVNKubernetesConfig struct {
 	// ipsecConfig enables and configures IPsec for pods on the pod network within the
 	// cluster.
 	// +optional
+	// +kubebuilder:default={"mode": "Disabled"}
+	// +default={"mode": "Disabled"}
 	IPsecConfig *IPsecConfig `json:"ipsecConfig,omitempty"`
 	// policyAuditConfig is the configuration for network policy audit events. If unset,
 	// reported defaults are used.
@@ -428,7 +430,19 @@ type HybridOverlayConfig struct {
 	HybridOverlayVXLANPort *uint32 `json:"hybridOverlayVXLANPort,omitempty"`
 }
 
+// +kubebuilder:validation:XValidation:rule="self == oldSelf || has(self.mode)",message="ipsecConfig.mode is required"
 type IPsecConfig struct {
+	// mode defines the behaviour of the ipsec configuration within the platform.
+	// Valid values are `Disabled`, `External` and `Full`.
+	// When 'Disabled', ipsec will not be enabled at the node level.
+	// When 'External', ipsec is enabled on the node level but requires the user to configure the secure communication parameters.
+	// This mode is for external secure communications and the configuration can be done using the k8s-nmstate operator.
+	// When 'Full', ipsec is configured on the node level and inter-pod secure communication within the cluster is configured.
+	// Note with `Full`, if ipsec is desired for communication with external (to the cluster) entities (such as storage arrays), 
+	// this is left to the user to configure.
+	// +kubebuilder:validation:Enum=Disabled;External;Full
+	// +optional
+	Mode IPsecMode `json:"mode,omitempty"`
 }
 
 type IPForwardingMode string
@@ -691,3 +705,17 @@ const (
 	// IPAMTypeStatic uses static IP
 	IPAMTypeStatic IPAMType = "Static"
 )
+
+// IPsecMode enumerates the modes for IPsec configuration
+type IPsecMode string
+
+const (
+	// IPsecModeDisabled disables IPsec altogether
+	IPsecModeDisabled IPsecMode = "Disabled"
+	// IPsecModeExternal enables IPsec on the node level, but expects the user to configure it using k8s-nmstate or
+	// other means - it is most useful for secure communication from the cluster to external endpoints
+	IPsecModeExternal IPsecMode = "External"
+	// IPsecModeFull enables IPsec on the node level (the same as IPsecModeExternal), and configures it to secure communication
+	// between pods on the cluster network.
+	IPsecModeFull IPsecMode = "Full"
+)